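--- a/net/cert/internal/parse_certificate.h
+++ b/net/cert/internal/parse_certificate.h
@@ -1,69 +1,209 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
 
 #include "base/basictypes.h"
 #include "base/compiler_specific.h"
 #include "net/base/net_export.h"
 #include "net/der/input.h"
 #include "net/der/parse_values.h"
 
 namespace net {
 
 struct ParsedCertificate;
+struct ParsedTbsCertificate;
 
 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on
 // success and sets the results in |out|.
 //
 // Note that on success |out| aliases data from the input |certificate_tlv|.
 // Hence the fields of the ParsedCertificate are only valid as long as
 // |certificate_tlv| remains valid.
 //
 // On failure |out| has an undefined state. Some of its fields may have been
-// updated during parsing, whereas others were not changed.
+// updated during parsing, whereas others may not have been changed.
 //
 // Refer to the per-field documention of the ParsedCertificate structure for
 // details on what validity checks parsing performs.
 //
 // Certificate ::= SEQUENCE {
 // tbsCertificate TBSCertificate,
 // signatureAlgorithm AlgorithmIdentifier,
 // signatureValue BIT STRING }
 NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv,
 ParsedCertificate* out) WARN_UNUSED_RESULT;
 
+// Parses a DER-encoded "TBSCertificate" as specified by RFC 5280. Returns true
+// on success and sets the results in |out|.
+//
+// Note that on success |out| aliases data from the input |tbs_tlv|.
+// Hence the fields of the ParsedTbsCertificate are only valid as long as
+// |tbs_tlv| remains valid.
+//
+// On failure |out| has an undefined state. Some of its fields may have been
+// updated during parsing, whereas others may not have been changed.
+//
+// Refer to the per-field documentation of ParsedTbsCertificate for details on
+// what validity checks parsing performs.
+//
+// TBSCertificate ::= SEQUENCE {
+// version [0] EXPLICIT Version DEFAULT v1,
+// serialNumber CertificateSerialNumber,
+// signature AlgorithmIdentifier,
+// issuer Name,
+// validity Validity,
+// subject Name,
+// subjectPublicKeyInfo SubjectPublicKeyInfo,
+// issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+// subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+// extensions [3] EXPLICIT Extensions OPTIONAL
+// -- If present, version MUST be v3
+// }
+NET_EXPORT bool ParseTbsCertificate(const der::Input& tbs_tlv,
+ParsedTbsCertificate* out)
+WARN_UNUSED_RESULT;
+
+// Represents a "Version" from RFC 5280:
+// Version ::= INTEGER { v1(0), v2(1), v3(2) }
+enum class CertificateVersion {
+V1,
+V2,
+V3,
+};
+
 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC
 // 5280 "Certificate".
 //
 // ParsedCertificate is expected to be filled by ParseCertificate(), so
 // subsequent field descriptions are in terms of what ParseCertificate() sets.
 struct NET_EXPORT ParsedCertificate {
 // Corresponds with "tbsCertificate" from RFC 5280:
 // tbsCertificate TBSCertificate,
 //
 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
 // guarantees are made regarding the value of this SEQUENCE.
+//
+// This can be further parsed using ParseTbsCertificate().
 der::Input tbs_certificate_tlv;
 
 // Corresponds with "signatureAlgorithm" from RFC 5280:
 // signatureAlgorithm AlgorithmIdentifier,
 //
 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
 // guarantees are made regarding the value of this SEQUENCE.
 //
 // This can be further parsed using SignatureValue::CreateFromDer().
 der::Input signature_algorithm_tlv;
 
 // Corresponds with "signatureValue" from RFC 5280:
 // signatureValue BIT STRING }
 //
 // Parsing guarantees that this is a valid BIT STRING.
 der::BitString signature_value;
 };
 
+// ParsedTbsCertificate contains pointers to the main fields of a DER-encoded
+// RFC 5280 "TBSCertificate".
+//
+// ParsedTbsCertificate is expected to be filled by ParseTbsCertificate(), so
+// subsequent field descriptions are in terms of what ParseTbsCertificate()
+// sets.
+struct NET_EXPORT ParsedTbsCertificate {
+ParsedTbsCertificate();
+~ParsedTbsCertificate();
+
+// Corresponds with "version" from RFC 5280:
+// version [0] EXPLICIT Version DEFAULT v1,
+//
+// Parsing guarantees that the version is one of v1, v2, or v3.
+CertificateVersion version = CertificateVersion::V1;
+
+// Corresponds with "serialNumber" from RFC 5280:
+// serialNumber CertificateSerialNumber,
+//
+// This field specifically contains the content bytes of the INTEGER. So for
+// instance if the serial number was 1000 then this would contain bytes
+// {0x03, 0xE8}.
+//
+// In addition to being a valid DER-encoded INTEGER, parsing guarantees that
+// the serial number is at most 20 bytes long. Parsing does NOT guarantee
+// that the integer is positive (might be zero or negative).
+der::Input serial_number;
+
+// Corresponds with "signatureAlgorithm" from RFC 5280:
+// signatureAlgorithm AlgorithmIdentifier,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+//
+// This can be further parsed using SignatureValue::CreateFromDer().
+der::Input signature_algorithm_tlv;
+
+// Corresponds with "issuer" from RFC 5280:
+// issuer Name,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+der::Input issuer_tlv;
+
+// Corresponds with "validity" from RFC 5280:
+// validity Validity,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+der::Input validity_tlv;
+
+// Corresponds with "subject" from RFC 5280:
+// subject Name,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+der::Input subject_tlv;
+
+// Corresponds with "subjectPublicKeyInfo" from RFC 5280:
+// subjectPublicKeyInfo SubjectPublicKeyInfo,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+der::Input spki_tlv;
+
+// Corresponds with "issuerUniqueID" from RFC 5280:
+// issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+//
+// Parsing guarantees that if issuer_unique_id is present it is a valid BIT
+// STRING, and that the version is either v2 or v3
+bool has_issuer_unique_id = false;
+der::BitString issuer_unique_id;
+
+// Corresponds with "subjectUniqueID" from RFC 5280:
+// subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+//
+// Parsing guarantees that if subject_unique_id is present it is a valid BIT
+// STRING, and that the version is either v2 or v3
+bool has_subject_unique_id = false;
+der::BitString subject_unique_id;
+
+// Corresponds with "extensions" from RFC 5280:
+// extensions [3] EXPLICIT Extensions OPTIONAL
+// -- If present, version MUST be v3
+//
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE. (Note that the
+// EXPLICIT outer tag is stripped.)
+//
+// Parsing guarantees that if extensions is present the version is v3.
+bool has_extensions = false;
+der::Input extensions_tlv;
+};
+
 } // namespace net
 
 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_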
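Review bot: The comment on ParsedTbsCertificate::signature_algorithm_tlv (new lines 138-139) says it corresponds with "signatureAlgorithm", but inside TBSCertificate that field is named `signature`, as the ASN.1 above ParseTbsCertificate (new line 55) shows; the two names denote different fields of the certificate. RFC 5280 Section 4.1.2.3 requires the inner `signature` to contain the same AlgorithmIdentifier as the outer Certificate.signatureAlgorithm, and nothing in this header says that either parser cross-checks them, so a consumer that verifies with only one of the two can be fooled by a certificate whose fields disagree. Suggest correcting the comment to `// Corresponds with "signature" from RFC 5280:` / `//   signature AlgorithmIdentifier,` and adding `// Parsing does NOT verify that this matches Certificate.signatureAlgorithm (RFC 5280 Section 4.1.2.3); callers must compare the two before trusting the signature.` The same comment also points to `SignatureValue::CreateFromDer()` for parsing an AlgorithmIdentifier, which appears copied from the pre-existing line in ParsedCertificate; confirm that is the intended helper name rather than a SignatureAlgorithm parser.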