net/cert/x509_util_nss.h - Issue 1720653002: Add new functions to handle UPN and email addresses

Side by Side Diff: net/cert/x509_util_nss.h

Issue 1720653002: Add new functions to handle UPN and email addresses (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: rename function; reorder NET_EXPORT Created 4 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_CERT_X509_UTIL_NSS_H_	5 #ifndef NET_CERT_X509_UTIL_NSS_H_

6 #define NET_CERT_X509_UTIL_NSS_H_	6 #define NET_CERT_X509_UTIL_NSS_H_

7	7

8 #include <stddef.h>	8 #include <stddef.h>

9	9

10 #include <string>	10 #include <string>

(...skipping 11 matching lines...) Expand all Loading...
22 typedef struct CERTNameStr CERTName;	22 typedef struct CERTNameStr CERTName;

23 typedef struct PK11SlotInfoStr PK11SlotInfo;	23 typedef struct PK11SlotInfoStr PK11SlotInfo;

24 typedef struct PLArenaPool PLArenaPool;	24 typedef struct PLArenaPool PLArenaPool;

25 typedef struct SECItemStr SECItem;	25 typedef struct SECItemStr SECItem;

26	26

27 namespace net {	27 namespace net {

28	28

29 namespace x509_util {	29 namespace x509_util {

30	30

31 #if defined(USE_NSS_CERTS) \|\| defined(OS_IOS)	31 #if defined(USE_NSS_CERTS) \|\| defined(OS_IOS)

	32 // Allows the caller to filter the subjectAltName list and return only

	33 // a specific data type (e.g. email addresses or Microsoft User Principal

	34 // Name).
	Ryan Sleevi 2016/03/01 00:28:28 While not wanting to seem too aggressive in this C While not wanting to seem too aggressive in this CL, I do want to highlight that this isn't a good comment; it doesn't describe what it does or what the values are, and instead provides an 'example usage' which is really just documenting the existing code. However, please see my comments below for greater context. Kevin Cernekee 2016/03/01 19:28:01 Done. Show quoted text On 2016/03/01 00:28:28, Ryan Sleevi wrote: > While not wanting to seem too aggressive in this CL, I do want to highlight that > this isn't a good comment; it doesn't describe what it does or what the values > are, and instead provides an 'example usage' which is really just documenting > the existing code. > > However, please see my comments below for greater context. Done.
	35 enum SubjectAltNameType {

	36 SAN_RFC822_NAME,

	37 SAN_DNS_NAME,

	38 SAN_URI,

	39 SAN_IP_ADDRESS,

	40 SAN_UPN,
	Ryan Sleevi 2016/03/01 00:28:28 I highlighted this in a previous CL, but I do want I highlighted this in a previous CL, but I do want to restate: 1) I'm opposed to exposing SAN_URI 2) I'm not a fan of adding a separate, duplicate method of exposing DNS & IPAddress SANs Ryan Sleevi 2016/03/01 00:28:28 SAN_UPN explicitly is the sort of thing that shoul SAN_UPN explicitly is the sort of thing that should be documented. Each of these really should be documented, ideally with a spec-citation inline For example // The type of subjectAltName to return. // RFC 5280, Section 4.2.1.6 defines subjectAltName as: // SubjectAltName ::= GeneralNames // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName // GeneralName ::= CHOICE { // otherName [0] OtherName, // rfc822Name [1] IA5String, // dNSName [2] IA5String, // x400Address [3] ORAddress, // directoryName [4] Name, // ediPartyName [5] EDIPartyName, // uniformResourceIdentifier [6] IA5String, // iPAddress [7] OCTET STRING, // registeredID [8] OBJECT IDENTIFIER } // OtherName ::= SEQUENCE { // type-id OBJECT IDENTIFIER, // value [0] EXPLICIT ANY DEFINED BY type-id } // // This enum only supports the subset of types that are relevant // to GetSubjectAltNameByType(). enum SubjectAltNameType { // rfc822Name [1] IA5String, SAN_RFC822_NAME, // dNSName [2] IA5String, SAN_DNS_NAME, ... // An OtherName value whose type-id is equal to // 1.3.6.1.4.1.311.20.2.3 (known as either id-ms-san-sc-logon-upn, // as described in RFC 4556, or as szOID_NT_PRINCIPAL_NAME, as // documented in Microsoft KB287547). // The value field is a UTF8String literal. // For more information: // https://www.ietf.org/mail-archive/web/pkix/current/msg03145.html // https://www.ietf.org/proceedings/65/slides/pkix-4/sld1.htm // https://tools.ietf.org/html/rfc4556 SAN_UPN } The goal is to be explicit and thorough in documentation, so that everyone following has enough context to understand what's going on. However, please take this suggestion in broader context of this CL. Kevin Cernekee 2016/03/01 19:28:01 Done. Show quoted text On 2016/03/01 00:28:28, Ryan Sleevi wrote: > I highlighted this in a previous CL, but I do want to restate: > > 1) I'm opposed to exposing SAN_URI > 2) I'm not a fan of adding a separate, duplicate method of exposing DNS & > IPAddress SANs Done.
	41 };

	42

32 // Parses the Principal attribute from \|name\| and outputs the result in	43 // Parses the Principal attribute from \|name\| and outputs the result in

33 // \|principal\|.	44 // \|principal\|.

34 void ParsePrincipal(CERTName* name,	45 void ParsePrincipal(CERTName* name,

35 CertPrincipal* principal);	46 CertPrincipal* principal);

36	47

37 // Parses the date from \|der_date\| and outputs the result in \|result\|.	48 // Parses the date from \|der_date\| and outputs the result in \|result\|.

38 void ParseDate(const SECItem* der_date, base::Time* result);	49 void ParseDate(const SECItem* der_date, base::Time* result);

39	50

40 // Parses the serial number from \|certificate\|.	51 // Parses the serial number from \|certificate\|.

41 std::string ParseSerialNumber(const CERTCertificate* certificate);	52 std::string ParseSerialNumber(const CERTCertificate* certificate);

42	53

43 // Gets the subjectAltName extension field from the certificate, if any.	54 // Gets the subjectAltName extension field from the certificate, if any.
	Ryan Sleevi 2016/03/01 00:28:28 // Gets the dNSName and iPAddress name types from // Gets the dNSName and iPAddress name types from the subjectAltName // extension of \|cert_handle\|, storing them in \|dns_names\| and // \|ip_addrs\|, respectively. // If no subjectAltName is present, or no names of that type are // present, the relevant vectors are cleared. Kevin Cernekee 2016/03/01 19:28:01 Done. Show quoted text On 2016/03/01 00:28:28, Ryan Sleevi wrote: > // Gets the dNSName and iPAddress name types from the subjectAltName > // extension of \|cert_handle\|, storing them in \|dns_names\| and > // \|ip_addrs\|, respectively. > // If no subjectAltName is present, or no names of that type are > // present, the relevant vectors are cleared. Done.
44 void GetSubjectAltName(CERTCertificate* cert_handle,	55 void GetSubjectAltName(CERTCertificate* cert_handle,

45 std::vector<std::string>* dns_names,	56 std::vector<std::string>* dns_names,

46 std::vector<std::string>* ip_addrs);	57 std::vector<std::string>* ip_addrs);

47	58

	59 // Filters subjectAltName list by type. Only implemented for NSS, to

	60 // support wifi on CrOS.
	Ryan Sleevi 2016/03/01 00:28:28 1) It's obvious this is only implemented for NSS, 1) It's obvious this is only implemented for NSS, by virtue of this being in _nss.h 2) "to support wifi on CrOS" is the sort of bad comment trifecta a) Abbreviates ChromeOS b) Explains an implementation detail (of code far away) c) grammar nit (only a single space after the period, wifi -> WiFi \|\| wireless) Ryan Sleevi 2016/03/01 00:28:28 DESIGN: This design really gets to the crux of the DESIGN: This design really gets to the crux of the matter. Nothing uses the URI type, nor do you have any unittests to ensure the URI is returned. It does type erasure (collapsing all name types to std::string, but of unclear contents, especially for types that can be ambiguous - like directoryName: Would this be the DER or the string form? And which string form - prepped or not?) The concrete suggestion is this: // Stores the values of all rfc822Name subjectAltNames from \|cert_handle\| // into \|names\|. If no names are present, clears \|names\|. // WARNING: This method does not validate that the rfc822Name is // properly encoded; it MAY contain embedded NULs or other illegal // characters; care should be taken to validate the well-formedness // before using. NET_EXPORT void GetRFC822SubjectAltNames(CERTCertificate* cert_handle, std::vector<std::string>* names); // Clear documentation goes here NET_EXPORT void GetUPNSubjectAltNames(...); Kevin Cernekee 2016/03/01 19:28:01 Done. Show quoted text On 2016/03/01 00:28:28, Ryan Sleevi wrote: > DESIGN: This design really gets to the crux of the matter. Nothing uses the URI > type, nor do you have any unittests to ensure the URI is returned. It does type > erasure (collapsing all name types to std::string, but of unclear contents, > especially for types that can be ambiguous - like directoryName: Would this be > the DER or the string form? And which string form - prepped or not?) > > The concrete suggestion is this: > > // Stores the values of all rfc822Name subjectAltNames from \|cert_handle\| > // into \|names\|. If no names are present, clears \|names\|. > // WARNING: This method does not validate that the rfc822Name is > // properly encoded; it MAY contain embedded NULs or other illegal > // characters; care should be taken to validate the well-formedness > // before using. > NET_EXPORT void GetRFC822SubjectAltNames(CERTCertificate* cert_handle, > std::vector<std::string>* names); > > // Clear documentation goes here > NET_EXPORT void GetUPNSubjectAltNames(...); Done.
	61 NET_EXPORT void GetSubjectAltNameByType(CERTCertificate* cert_handle,

	62 SubjectAltNameType type,

	63 std::vector<std::string>* names);

	64

48 // Creates all possible OS certificate handles from \|data\| encoded in a specific	65 // Creates all possible OS certificate handles from \|data\| encoded in a specific

49 // \|format\|. Returns an empty collection on failure.	66 // \|format\|. Returns an empty collection on failure.

50 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes(	67 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes(

51 const char* data,	68 const char* data,

52 size_t length,	69 size_t length,

53 X509Certificate::Format format);	70 X509Certificate::Format format);

54	71

55 // Reads a single certificate from \|pickle_iter\| and returns a platform-specific	72 // Reads a single certificate from \|pickle_iter\| and returns a platform-specific

56 // certificate handle. Returns an invalid handle, NULL, on failure.	73 // certificate handle. Returns an invalid handle, NULL, on failure.

57 X509Certificate::OSCertHandle ReadOSCertHandleFromPickle(	74 X509Certificate::OSCertHandle ReadOSCertHandleFromPickle(

(...skipping 36 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
94 std::string GetUniqueNicknameForSlot(const std::string& nickname,	111 std::string GetUniqueNicknameForSlot(const std::string& nickname,

95 const SECItem* subject,	112 const SECItem* subject,

96 PK11SlotInfo* slot);	113 PK11SlotInfo* slot);

97 #endif // defined(USE_NSS_CERTS) \|\| defined(OS_IOS)	114 #endif // defined(USE_NSS_CERTS) \|\| defined(OS_IOS)

98	115

99 } // namespace x509_util	116 } // namespace x509_util

100	117

101 } // namespace net	118 } // namespace net

102	119

103 #endif // NET_CERT_X509_UTIL_NSS_H_	120 #endif // NET_CERT_X509_UTIL_NSS_H_

OLD	NEW

« no previous file with comments | « no previous file | net/cert/x509_util_nss_certs.cc » ('j') | net/cert/x509_util_nss_certs.cc » ('J')