OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/parse_certificate.h" | 5 #include "net/cert/internal/parse_certificate.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "net/der/input.h" | 9 #include "net/der/input.h" |
10 #include "net/der/parse_values.h" | 10 #include "net/der/parse_values.h" |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
61 default: | 61 default: |
62 // Don't allow any other version identifier. | 62 // Don't allow any other version identifier. |
63 return false; | 63 return false; |
64 } | 64 } |
65 | 65 |
66 // By definition the input to this function was a single INTEGER, so there | 66 // By definition the input to this function was a single INTEGER, so there |
67 // shouldn't be anything else after it. | 67 // shouldn't be anything else after it. |
68 return !parser.HasMore(); | 68 return !parser.HasMore(); |
69 } | 69 } |
70 | 70 |
71 // Returns true if the given serial number (CertificateSerialNumber in RFC 5280) | |
72 // is valid: | |
73 // | |
74 // CertificateSerialNumber ::= INTEGER | |
75 // | |
76 // The input to this function is the (unverified) value octets of the INTEGER. | |
77 // This function will verify that: | |
78 // | |
79 // * The octets are a valid DER-encoding of an INTEGER (for instance, minimal | |
80 // encoding length). | |
81 // | |
82 // * No more than 20 octets are used. | |
83 // | |
84 // Note that it DOES NOT reject non-positive values (zero or negative). | |
85 // | |
86 // For reference, here is what RFC 5280 section 4.1.2.2 says: | |
87 // | |
88 // Given the uniqueness requirements above, serial numbers can be | |
89 // expected to contain long integers. Certificate users MUST be able to | |
90 // handle serialNumber values up to 20 octets. Conforming CAs MUST NOT | |
91 // use serialNumber values longer than 20 octets. | |
92 // | |
93 // Note: Non-conforming CAs may issue certificates with serial numbers | |
94 // that are negative or zero. Certificate users SHOULD be prepared to | |
95 // gracefully handle such certificates. | |
96 WARN_UNUSED_RESULT bool VerifySerialNumber(const der::Input& value) { | |
97 bool unused_negative; | |
98 if (!der::IsValidInteger(value, &unused_negative)) | |
99 return false; | |
100 | |
101 // Check if the serial number is too long per RFC 5280. | |
102 if (value.Length() > 20) | |
103 return false; | |
104 | |
105 return true; | |
106 } | |
107 | |
108 // Consumes a "Time" value (as defined by RFC 5280) from |parser|. On success | 71 // Consumes a "Time" value (as defined by RFC 5280) from |parser|. On success |
109 // writes the result to |*out| and returns true. On failure no guarantees are | 72 // writes the result to |*out| and returns true. On failure no guarantees are |
110 // made about the state of |parser|. | 73 // made about the state of |parser|. |
111 // | 74 // |
112 // From RFC 5280: | 75 // From RFC 5280: |
113 // | 76 // |
114 // Time ::= CHOICE { | 77 // Time ::= CHOICE { |
115 // utcTime UTCTime, | 78 // utcTime UTCTime, |
116 // generalTime GeneralizedTime } | 79 // generalTime GeneralizedTime } |
117 WARN_UNUSED_RESULT bool ReadTime(der::Parser* parser, | 80 WARN_UNUSED_RESULT bool ReadTime(der::Parser* parser, |
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
184 } | 147 } |
185 return true; | 148 return true; |
186 } | 149 } |
187 | 150 |
188 } // namespace | 151 } // namespace |
189 | 152 |
190 ParsedTbsCertificate::ParsedTbsCertificate() {} | 153 ParsedTbsCertificate::ParsedTbsCertificate() {} |
191 | 154 |
192 ParsedTbsCertificate::~ParsedTbsCertificate() {} | 155 ParsedTbsCertificate::~ParsedTbsCertificate() {} |
193 | 156 |
| 157 bool VerifySerialNumber(const der::Input& value) { |
| 158 bool unused_negative; |
| 159 if (!der::IsValidInteger(value, &unused_negative)) |
| 160 return false; |
| 161 |
| 162 // Check if the serial number is too long per RFC 5280. |
| 163 if (value.Length() > 20) |
| 164 return false; |
| 165 |
| 166 return true; |
| 167 } |
| 168 |
194 bool ParseCertificate(const der::Input& certificate_tlv, | 169 bool ParseCertificate(const der::Input& certificate_tlv, |
195 ParsedCertificate* out) { | 170 ParsedCertificate* out) { |
196 der::Parser parser(certificate_tlv); | 171 der::Parser parser(certificate_tlv); |
197 | 172 |
198 // Certificate ::= SEQUENCE { | 173 // Certificate ::= SEQUENCE { |
199 der::Parser certificate_parser; | 174 der::Parser certificate_parser; |
200 if (!parser.ReadSequence(&certificate_parser)) | 175 if (!parser.ReadSequence(&certificate_parser)) |
201 return false; | 176 return false; |
202 | 177 |
203 // tbsCertificate TBSCertificate, | 178 // tbsCertificate TBSCertificate, |
(...skipping 390 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
594 // | 569 // |
595 // When the keyUsage extension appears in a certificate, at least | 570 // When the keyUsage extension appears in a certificate, at least |
596 // one of the bits MUST be set to 1. | 571 // one of the bits MUST be set to 1. |
597 if (BitStringIsAllZeros(*key_usage)) | 572 if (BitStringIsAllZeros(*key_usage)) |
598 return false; | 573 return false; |
599 | 574 |
600 return true; | 575 return true; |
601 } | 576 } |
602 | 577 |
603 } // namespace net | 578 } // namespace net |
OLD | NEW |