Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(395)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/internal/parse_certificate.h

Issue 1690123002: Reduce Certificate Parsing Strictness (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Removing 21 octet weakness. Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | net/cert/internal/parse_certificate.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ 5 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
6 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ 6 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
7 7
8 #include <stdint.h> 8 #include <stdint.h>
9 9
10 #include <map> 10 #include <map>
11 11
12 #include "base/compiler_specific.h" 12 #include "base/compiler_specific.h"
13 #include "net/base/net_export.h" 13 #include "net/base/net_export.h"
14 #include "net/der/input.h" 14 #include "net/der/input.h"
15 #include "net/der/parse_values.h" 15 #include "net/der/parse_values.h"
16 16
17 namespace net { 17 namespace net {
18 18
19 struct ParsedCertificate; 19 struct ParsedCertificate;
20 struct ParsedTbsCertificate; 20 struct ParsedTbsCertificate;
21 21
22 // Returns true if the given serial number (CertificateSerialNumber in RFC 5280)
23 // is valid:
24 //
25 // CertificateSerialNumber ::= INTEGER
26 //
27 // The input to this function is the (unverified) value octets of the INTEGER.
28 // This function will verify that:
29 //
30 // * The octets are a valid DER-encoding of an INTEGER (for instance, minimal
31 // encoding length).
32 //
33 // * No more than 20 octets are used.
34 //
35 // Note that it DOES NOT reject non-positive values (zero or negative).
36 //
37 // For reference, here is what RFC 5280 section 4.1.2.2 says:
38 //
39 // Given the uniqueness requirements above, serial numbers can be
40 // expected to contain long integers. Certificate users MUST be able to
41 // handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
42 // use serialNumber values longer than 20 octets.
43 //
44 // Note: Non-conforming CAs may issue certificates with serial numbers
45 // that are negative or zero. Certificate users SHOULD be prepared to
46 // gracefully handle such certificates.
47 bool VerifySerialNumber(const der::Input& value) WARN_UNUSED_RESULT;
48
22 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on 49 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on
23 // success and sets the results in |out|. 50 // success and sets the results in |out|.
24 // 51 //
25 // Note that on success |out| aliases data from the input |certificate_tlv|. 52 // Note that on success |out| aliases data from the input |certificate_tlv|.
26 // Hence the fields of the ParsedCertificate are only valid as long as 53 // Hence the fields of the ParsedCertificate are only valid as long as
27 // |certificate_tlv| remains valid. 54 // |certificate_tlv| remains valid.
28 // 55 //
29 // On failure |out| has an undefined state. Some of its fields may have been 56 // On failure |out| has an undefined state. Some of its fields may have been
30 // updated during parsing, whereas others may not have been changed. 57 // updated during parsing, whereas others may not have been changed.
31 // 58 //
(...skipping 332 matching lines...) Expand 10 before | Expand all | Expand 10 after
364 // be set. 391 // be set.
365 // 392 //
366 // To test if a particular key usage is set, call, e.g.: 393 // To test if a particular key usage is set, call, e.g.:
367 // key_usage->AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE); 394 // key_usage->AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE);
368 NET_EXPORT bool ParseKeyUsage(const der::Input& key_usage_tlv, 395 NET_EXPORT bool ParseKeyUsage(const der::Input& key_usage_tlv,
369 der::BitString* key_usage) WARN_UNUSED_RESULT; 396 der::BitString* key_usage) WARN_UNUSED_RESULT;
370 397
371 } // namespace net 398 } // namespace net
372 399
373 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ 400 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
OLDNEW
« no previous file with comments | « no previous file | net/cert/internal/parse_certificate.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698