| Index: net/cert/internal/parse_certificate.h
|
| diff --git a/net/cert/internal/parse_certificate.h b/net/cert/internal/parse_certificate.h
|
| index ebf1b1a957b4d75622cdb6a316f178921d5c2bb4..3a417ff92b102b94e938f6581a551dd31f4f82d7 100644
|
| --- a/net/cert/internal/parse_certificate.h
|
| +++ b/net/cert/internal/parse_certificate.h
|
| @@ -14,6 +14,7 @@
|
| namespace net {
|
|
|
| struct ParsedCertificate;
|
| +struct ParsedTbsCertificate;
|
|
|
| // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on
|
| // success and sets the results in |out|.
|
| @@ -23,7 +24,7 @@ struct ParsedCertificate;
|
| // |certificate_tlv| remains valid.
|
| //
|
| // On failure |out| has an undefined state. Some of its fields may have been
|
| -// updated during parsing, whereas others were not changed.
|
| +// updated during parsing, whereas others may not have been changed.
|
| //
|
| // Refer to the per-field documention of the ParsedCertificate structure for
|
| // details on what validity checks parsing performs.
|
| @@ -35,6 +36,46 @@ struct ParsedCertificate;
|
| NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv,
|
| ParsedCertificate* out) WARN_UNUSED_RESULT;
|
|
|
| +// Parses a DER-encoded "TBSCertificate" as specified by RFC 5280. Returns true
|
| +// on success and sets the results in |out|.
|
| +//
|
| +// Note that on success |out| aliases data from the input |tbs_tlv|.
|
| +// Hence the fields of the ParsedTbsCertificate are only valid as long as
|
| +// |tbs_tlv| remains valid.
|
| +//
|
| +// On failure |out| has an undefined state. Some of its fields may have been
|
| +// updated during parsing, whereas others may not have been changed.
|
| +//
|
| +// Refer to the per-field documentation of ParsedTbsCertificate for details on
|
| +// what validity checks parsing performs.
|
| +//
|
| +// TBSCertificate ::= SEQUENCE {
|
| +// version [0] EXPLICIT Version DEFAULT v1,
|
| +// serialNumber CertificateSerialNumber,
|
| +// signature AlgorithmIdentifier,
|
| +// issuer Name,
|
| +// validity Validity,
|
| +// subject Name,
|
| +// subjectPublicKeyInfo SubjectPublicKeyInfo,
|
| +// issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
|
| +// -- If present, version MUST be v2 or v3
|
| +// subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
|
| +// -- If present, version MUST be v2 or v3
|
| +// extensions [3] EXPLICIT Extensions OPTIONAL
|
| +// -- If present, version MUST be v3
|
| +// }
|
| +NET_EXPORT bool ParseTbsCertificate(const der::Input& tbs_tlv,
|
| + ParsedTbsCertificate* out)
|
| + WARN_UNUSED_RESULT;
|
| +
|
| +// Represents a "Version" from RFC 5280:
|
| +// Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
| +enum class CertificateVersion {
|
| + V1,
|
| + V2,
|
| + V3,
|
| +};
|
| +
|
| // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC
|
| // 5280 "Certificate".
|
| //
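Review bot: The failure contract stated for ParseTbsCertificate() ("|out| has an undefined state") is easy to misread, because the output struct (declared in the later hunk of this file) carries in-class defaults such as `version = CertificateVersion::V1` and `has_extensions = false` that look exactly like a successful v1 parse; a caller that checks the return value late, or only on some paths, can act on a half-populated structure without any field looking wrong. Suggest strengthening the comment above the declaration with `// Callers must not read any field of |out| unless this returns true; the in-class defaults (e.g. version == V1) carry no meaning after a failed parse.` The same wording applies to the existing ParseCertificate() contract two hunks up, whose text the new comment copies.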
|
| @@ -46,6 +87,8 @@ struct NET_EXPORT ParsedCertificate {
|
| //
|
| // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
|
| // guarantees are made regarding the value of this SEQUENCE.
|
| + //
|
| + // This can be further parsed using ParseTbsCertificate().
|
| der::Input tbs_certificate_tlv;
|
|
|
| // Corresponds with "signatureAlgorithm" from RFC 5280:
|
| @@ -64,6 +107,103 @@ struct NET_EXPORT ParsedCertificate {
|
| der::BitString signature_value;
|
| };
|
|
|
| +// ParsedTbsCertificate contains pointers to the main fields of a DER-encoded
|
| +// RFC 5280 "TBSCertificate".
|
| +//
|
| +// ParsedTbsCertificate is expected to be filled by ParseTbsCertificate(), so
|
| +// subsequent field descriptions are in terms of what ParseTbsCertificate()
|
| +// sets.
|
| +struct NET_EXPORT ParsedTbsCertificate {
|
| + ParsedTbsCertificate();
|
| + ~ParsedTbsCertificate();
|
| +
|
| + // Corresponds with "version" from RFC 5280:
|
| + // version [0] EXPLICIT Version DEFAULT v1,
|
| + //
|
| + // Parsing guarantees that the version is one of v1, v2, or v3.
|
| + CertificateVersion version = CertificateVersion::V1;
|
| +
|
| + // Corresponds with "serialNumber" from RFC 5280:
|
| + // serialNumber CertificateSerialNumber,
|
| + //
|
| + // This field specifically contains the content bytes of the INTEGER. So for
|
| + // instance if the serial number was 1000 then this would contain bytes
|
| + // {0x03, 0xE8}.
|
| + //
|
| + // In addition to being a valid DER-encoded INTEGER, parsing guarantees that
|
| + // the serial number is at most 20 bytes long. Parsing does NOT guarantee
|
| + // that the integer is positive (might be zero or negative).
|
| + der::Input serial_number;
|
| +
|
| + // Corresponds with "signatureAlgorithm" from RFC 5280:
|
| + // signatureAlgorithm AlgorithmIdentifier,
|
| + //
|
| + // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
|
| + // guarantees are made regarding the value of this SEQUENCE.
|
| + //
|
| + // This can be further parsed using SignatureValue::CreateFromDer().
|
| + der::Input signature_algorithm_tlv;
|
| +
|
| + // Corresponds with "issuer" from RFC 5280:
|
| + // issuer Name,
|
| + //
|
| + // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
|
| + // guarantees are made regarding the value of this SEQUENCE.
|
| + der::Input issuer_tlv;
|
| +
|
| + // Corresponds with "validity" from RFC 5280:
|
| + // validity Validity,
|
| + //
|
| + // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
|
| + // guarantees are made regarding the value of this SEQUENCE.
|
| + der::Input validity_tlv;
|
| +
|
| + // Corresponds with "subject" from RFC 5280:
|
| + // subject Name,
|
| + //
|
| + // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
|
| + // guarantees are made regarding the value of this SEQUENCE.
|
| + der::Input subject_tlv;
|
| +
|
| + // Corresponds with "subjectPublicKeyInfo" from RFC 5280:
|
| + // subjectPublicKeyInfo SubjectPublicKeyInfo,
|
| + //
|
| + // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
|
| + // guarantees are made regarding the value of this SEQUENCE.
|
| + der::Input spki_tlv;
|
| +
|
| + // Corresponds with "issuerUniqueID" from RFC 5280:
|
| + // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
|
| + // -- If present, version MUST be v2 or v3
|
| + //
|
| + // Parsing guarantees that if issuer_unique_id is present it is a valid BIT
|
| + // STRING, and that the version is either v2 or v3
|
| + bool has_issuer_unique_id = false;
|
| + der::BitString issuer_unique_id;
|
| +
|
| + // Corresponds with "subjectUniqueID" from RFC 5280:
|
| + // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
|
| + // -- If present, version MUST be v2 or v3
|
| + //
|
| + // Parsing guarantees that if subject_unique_id is present it is a valid BIT
|
| + // STRING, and that the version is either v2 or v3
|
| + bool has_subject_unique_id = false;
|
| + der::BitString subject_unique_id;
|
| +
|
| + // Corresponds with "extensions" from RFC 5280:
|
| + // extensions [3] EXPLICIT Extensions OPTIONAL
|
| + // -- If present, version MUST be v3
|
| + //
|
| + //
|
| + // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
|
| + // guarantees are made regarding the value of this SEQUENCE. (Note that the
|
| + // EXPLICIT outer tag is stripped.)
|
| + //
|
| + // Parsing guarantees that if extensions is present the version is v3.
|
| + bool has_extensions = false;
|
| + der::Input extensions_tlv;
|
| +};
|
| +
|
| } // namespace net
|
|
|
| #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
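Review bot: The comment on `signature_algorithm_tlv` says it corresponds with "signatureAlgorithm" from RFC 5280, but in TBSCertificate the field is named "signature" (as the ASN.1 quoted above ParseTbsCertificate() itself shows: `signature AlgorithmIdentifier,`); "signatureAlgorithm" is the outer Certificate field already documented on ParsedCertificate, and the two are distinct fields that RFC 5280 requires to hold the same algorithm identifier. Since the struct states no guarantees are made about this SEQUENCE, that equality is not checked here and the doc should say so, e.g. `// Corresponds with "signature" from RFC 5280:` / `//   signature  AlgorithmIdentifier,` / `// Parsing does NOT check that this matches the outer signatureAlgorithm; callers must compare the two.` The reference to `SignatureValue::CreateFromDer()` for parsing an AlgorithmIdentifier also looks like the wrong helper — presumably `SignatureAlgorithm::CreateFromDer()` was intended; confirm against the existing ParsedCertificate comment outside this hunk. Minor: the `extensions_tlv` comment has a doubled empty `//` line, and the `issuer_unique_id`/`subject_unique_id` comments end without a period.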
|
|
|