
Side by Side Diff: net/cert/internal/parse_certificate.h

Issue 1279963003: Add a function for parsing RFC 5280's "TBSCertificate". (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert_mapper
Patch Set: one more comment fix Created 5 years, 4 months ago
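--- a/net/cert/internal/parse_certificate.h
+++ b/net/cert/internal/parse_certificate.h
@@ -1,69 +1,209 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
 
 #include "base/basictypes.h"
 #include "base/compiler_specific.h"
 #include "net/base/net_export.h"
 #include "net/der/input.h"
 #include "net/der/parse_values.h"
 
 namespace net {
 
 struct ParsedCertificate;
+struct ParsedTbsCertificate;
 
 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on
 // success and sets the results in |out|.
 //
 // Note that on success |out| aliases data from the input |certificate_tlv|.
 // Hence the fields of the ParsedCertificate are only valid as long as
 // |certificate_tlv| remains valid.
 //
 // On failure |out| has an undefined state. Some of its fields may have been
-// updated during parsing, whereas others were not changed.
+// updated during parsing, whereas others may not have been changed.
 //
 // Refer to the per-field documention of the ParsedCertificate structure for
 // details on what validity checks parsing performs.
 //
 // Certificate ::= SEQUENCE {
 // tbsCertificate TBSCertificate,
 // signatureAlgorithm AlgorithmIdentifier,
 // signatureValue BIT STRING }
 NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv,
 ParsedCertificate* out) WARN_UNUSED_RESULT;
 
+// Parses a DER-encoded "TBSCertificate" as specified by RFC 5280. Returns true
+// on success and sets the results in |out|.
+//
+// Note that on success |out| aliases data from the input |tbs_tlv|.
+// Hence the fields of the ParsedTbsCertificate are only valid as long as
+// |tbs_tlv| remains valid.
+//
+// On failure |out| has an undefined state. Some of its fields may have been
+// updated during parsing, whereas others may not have been changed.
+//
+// Refer to the per-field documentation of ParsedTbsCertificate for details on
+// what validity checks parsing performs.
+//
+// TBSCertificate ::= SEQUENCE {
+// version [0] EXPLICIT Version DEFAULT v1,
+// serialNumber CertificateSerialNumber,
+// signature AlgorithmIdentifier,
+// issuer Name,
+// validity Validity,
+// subject Name,
+// subjectPublicKeyInfo SubjectPublicKeyInfo,
+// issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+// subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+// extensions [3] EXPLICIT Extensions OPTIONAL
+// -- If present, version MUST be v3
+// }
+NET_EXPORT bool ParseTbsCertificate(const der::Input& tbs_tlv,
+ParsedTbsCertificate* out)
+WARN_UNUSED_RESULT;
+
+// Represents a "Version" from RFC 5280:
+// Version ::= INTEGER { v1(0), v2(1), v3(2) }
+enum class CertificateVersion {
+V1,
+V2,
+V3,
+};
+
 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC
 // 5280 "Certificate".
 //
 // ParsedCertificate is expected to be filled by ParseCertificate(), so
 // subsequent field descriptions are in terms of what ParseCertificate() sets.
 struct NET_EXPORT ParsedCertificate {
 // Corresponds with "tbsCertificate" from RFC 5280:
 // tbsCertificate TBSCertificate,
 //
 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
 // guarantees are made regarding the value of this SEQUENCE.
+//
+// This can be further parsed using ParseTbsCertificate().
 der::Input tbs_certificate_tlv;
 
 // Corresponds with "signatureAlgorithm" from RFC 5280:
 // signatureAlgorithm AlgorithmIdentifier,
 //
 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
 // guarantees are made regarding the value of this SEQUENCE.
 //
 // This can be further parsed using SignatureValue::CreateFromDer().
 der::Input signature_algorithm_tlv;
 
 // Corresponds with "signatureValue" from RFC 5280:
 // signatureValue BIT STRING }
 //
 // Parsing guarantees that this is a valid BIT STRING.
 der::BitString signature_value;
 };
 
+// ParsedTbsCertificate contains pointers to the main fields of a DER-encoded
+// RFC 5280 "TBSCertificate".
+//
+// ParsedTbsCertificate is expected to be filled by ParseTbsCertificate(), so
+// subsequent field descriptions are in terms of what ParseTbsCertificate()
+// sets.
+struct NET_EXPORT ParsedTbsCertificate {
+ParsedTbsCertificate();
+~ParsedTbsCertificate();
+
+// Corresponds with "version" from RFC 5280:
+// version [0] EXPLICIT Version DEFAULT v1,
+//
+// Parsing guarantees that the version is one of v1, v2, or v3.
+CertificateVersion version = CertificateVersion::V1;
+
+// Corresponds with "serialNumber" from RFC 5280:
+// serialNumber CertificateSerialNumber,
+//
+// This field specifically contains the content bytes of the INTEGER. So for
+// instance if the serial number was 1000 then this would contain bytes
+// {0x03, 0xE8}.
+//
+// In addition to being a valid DER-encoded INTEGER, parsing guarantees that
+// the serial number is at most 20 bytes long. Parsing does NOT guarantee
+// that the integer is positive (might be zero or negative).
+der::Input serial_number;
+
+// Corresponds with "signatureAlgorithm" from RFC 5280:
+// signatureAlgorithm AlgorithmIdentifier,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+//
+// This can be further parsed using SignatureValue::CreateFromDer().
+der::Input signature_algorithm_tlv;
+
+// Corresponds with "issuer" from RFC 5280:
+// issuer Name,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+der::Input issuer_tlv;
+
+// Corresponds with "validity" from RFC 5280:
+// validity Validity,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+der::Input validity_tlv;
+
+// Corresponds with "subject" from RFC 5280:
+// subject Name,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+der::Input subject_tlv;
+
+// Corresponds with "subjectPublicKeyInfo" from RFC 5280:
+// subjectPublicKeyInfo SubjectPublicKeyInfo,
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE.
+der::Input spki_tlv;
+
+// Corresponds with "issuerUniqueID" from RFC 5280:
+// issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+//
+// Parsing guarantees that if issuer_unique_id is present it is a valid BIT
+// STRING, and that the version is either v2 or v3
+bool has_issuer_unique_id = false;
+der::BitString issuer_unique_id;
+
+// Corresponds with "subjectUniqueID" from RFC 5280:
+// subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+//
+// Parsing guarantees that if subject_unique_id is present it is a valid BIT
+// STRING, and that the version is either v2 or v3
+bool has_subject_unique_id = false;
+der::BitString subject_unique_id;
+
+// Corresponds with "extensions" from RFC 5280:
+// extensions [3] EXPLICIT Extensions OPTIONAL
+// -- If present, version MUST be v3
+//
+//
+// This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+// guarantees are made regarding the value of this SEQUENCE. (Note that the
+// EXPLICIT outer tag is stripped.)
+//
+// Parsing guarantees that if extensions is present the version is v3.
+bool has_extensions = false;
+der::Input extensions_tlv;
+};
+
 } // namespace net
 
 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_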
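Review bot: The comment on `signature_algorithm_tlv` inside ParsedTbsCertificate (new lines 138-139) names the field "signatureAlgorithm", but in the TBSCertificate production quoted above ParseTbsCertificate() that member is `signature AlgorithmIdentifier,` — "signatureAlgorithm" is the outer Certificate's field, documented separately on ParsedCertificate. Suggest `// Corresponds with "signature" from RFC 5280:` followed by `// signature AlgorithmIdentifier,` so the two are not conflated, and, since the header describes this TLV as unverified, a one-line reminder that RFC 5280 §4.1.1.2 requires it to equal the outer Certificate's signatureAlgorithm and that ParseTbsCertificate() (which only sees |tbs_tlv|) cannot perform that comparison, so the caller must. Minor: the "either v2 or v3" sentences on issuer_unique_id and subject_unique_id lack a terminating period, and the extensions comment has a duplicated empty `//` line (new lines 196-197).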