net/cert/asn1_util.h - Issue 92443002: Extract Certificate Transparency SCTs from stapled OCSP responses

Side by Side Diff: net/cert/asn1_util.h

Issue 92443002: Extract Certificate Transparency SCTs from stapled OCSP responses (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@extract_scts

Patch Set: review comments Created 7 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_CERT_ASN1_UTIL_H_	5 #ifndef NET_CERT_ASN1_UTIL_H_

6 #define NET_CERT_ASN1_UTIL_H_	6 #define NET_CERT_ASN1_UTIL_H_

7	7

8 #include <vector>	8 #include <vector>

9	9

10 #include "base/strings/string_piece.h"	10 #include "base/strings/string_piece.h"

11 #include "net/base/net_export.h"	11 #include "net/base/net_export.h"

12	12

13 namespace net {	13 namespace net {

14	14

15 namespace asn1 {	15 namespace asn1 {

16	16

17 // These are the DER encodings of the tag byte for ASN.1 objects.	17 // These are the DER encodings of the tag byte for ASN.1 objects.

18 static const unsigned kBOOLEAN = 0x01;	18 static const unsigned kBOOLEAN = 0x01;

19 static const unsigned kINTEGER = 0x02;	19 static const unsigned kINTEGER = 0x02;

20 static const unsigned kBITSTRING = 0x03;	20 static const unsigned kBITSTRING = 0x03;

21 static const unsigned kOCTETSTRING = 0x04;	21 static const unsigned kOCTETSTRING = 0x04;

22 static const unsigned kOID = 0x06;	22 static const unsigned kOID = 0x06;

	23 static const unsigned kENUMERATED = 0x0a;

	24 static const unsigned kGENERALIZEDTIME = 0x18;

23 static const unsigned kSEQUENCE = 0x30;	25 static const unsigned kSEQUENCE = 0x30;

24	26

25 // These are flags that can be ORed with the above tag numbers.	27 // These are flags that can be ORed with the above tag numbers.

26 static const unsigned kContextSpecific = 0x80;	28 static const unsigned kContextSpecific = 0x80;

27 static const unsigned kConstructed = 0x20;	29 static const unsigned kConstructed = 0x20;

28	30

29 // kAny matches any tag value;	31 // kAny matches any tag value;

30 static const unsigned kAny = 0x10000;	32 static const unsigned kAny = 0x10000;

31 // kOptional denotes an optional element.	33 // kOptional denotes an optional element.

32 static const unsigned kOptional = 0x20000;	34 static const unsigned kOptional = 0x20000;

(...skipping 46 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
79 //	81 //

80 // CRLs that use an alternative issuer are also omitted.	82 // CRLs that use an alternative issuer are also omitted.

81 //	83 //

82 // The nested set of GeneralNames is flattened into a single list because	84 // The nested set of GeneralNames is flattened into a single list because

83 // having several CRLs with one location is equivalent to having one CRL with	85 // having several CRLs with one location is equivalent to having one CRL with

84 // several locations as far as a CRL filter is concerned.	86 // several locations as far as a CRL filter is concerned.

85 NET_EXPORT_PRIVATE bool ExtractCRLURLsFromDERCert(	87 NET_EXPORT_PRIVATE bool ExtractCRLURLsFromDERCert(

86 base::StringPiece cert,	88 base::StringPiece cert,

87 std::vector<base::StringPiece>* urls_out);	89 std::vector<base::StringPiece>* urls_out);

88	90

	91 // ExtractSCTExtensionFromOCSPResponse parses the DER encoded OCSP response in

	92 // \|ocsp_response\| and extracts the SignedCertificateTimestampList matching the

	93 // serial number given in \|cert_serial_number\|. On successful return, the

	94 // \|sct_list_out\| is either empty (no response found), or points into

	95 // \|ocsp_response\|.

	96 NET_EXPORT_PRIVATE bool ExtractSCTExtensionFromOCSPResponse(
	Ryan Sleevi 2013/12/03 21:03:18 Not LGTM here. We should not be doing this using a Not LGTM here. We should not be doing this using asn1_util. asn1_util is only meant to be used over trusted data (eg: validated to some root of trust). The SCT extraction, by definition, happens before the OCSP validity checks.
	97 base::StringPiece ocsp_response,

	98 base::StringPiece cert_serial_number,

	99 base::StringPiece* sct_list_out);

	100

89 } // namespace asn1	101 } // namespace asn1

90	102

91 } // namespace net	103 } // namespace net

92	104

93 #endif // NET_CERT_ASN1_UTIL_H_	105 #endif // NET_CERT_ASN1_UTIL_H_

OLD	NEW

« no previous file with comments | « no previous file | net/cert/asn1_util.cc » ('j') | net/cert/asn1_util.cc » ('J')