Home | History | Annotate | Download | only in base 
      1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_BASE_X509_CERT_TYPES_H_
      6 #define NET_BASE_X509_CERT_TYPES_H_
      7 #pragma once
      8 
      9 #include <string.h>
     10 
     11 #include <set>
     12 #include <string>
     13 #include <vector>
     14 
     15 #include "build/build_config.h"
     16 
     17 #if defined(OS_MACOSX)
     18 #include <Security/x509defs.h>
     19 #endif
     20 
     21 namespace base {
     22 class Time;
     23 class StringPiece;
     24 }  // namespace base
     25 
     26 namespace net {
     27 
     28 class X509Certificate;
     29 
     30 // SHA-1 fingerprint (160 bits) of a certificate.
     31 struct SHA1Fingerprint {
     32   bool Equals(const SHA1Fingerprint& other) const {
     33     return memcmp(data, other.data, sizeof(data)) == 0;
     34   }
     35 
     36   unsigned char data[20];
     37 };
     38 
     39 class SHA1FingerprintLessThan {
     40  public:
     41   bool operator() (const SHA1Fingerprint& lhs,
     42                    const SHA1Fingerprint& rhs) const {
     43     return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0;
     44   }
     45 };
     46 
     47 // CertPrincipal represents the issuer or subject field of an X.509 certificate.
     48 struct CertPrincipal {
     49   CertPrincipal();
     50   explicit CertPrincipal(const std::string& name);
     51   ~CertPrincipal();
     52 
     53 #if defined(OS_MACOSX)
     54   // Parses a BER-format DistinguishedName.
     55   bool ParseDistinguishedName(const void* ber_name_data, size_t length);
     56 
     57   // Parses a CSSM_X509_NAME struct.
     58   void Parse(const CSSM_X509_NAME* name);
     59 
     60   // Compare this CertPrincipal with |against|, returning true if they're
     61   // equal enough to be a possible match. This should NOT be used for any
     62   // security relevant decisions.
     63   // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
     64   bool Matches(const CertPrincipal& against) const;
     65 #endif
     66 
     67   // Returns a name that can be used to represent the issuer.  It tries in this
     68   // order: CN, O and OU and returns the first non-empty one found.
     69   std::string GetDisplayName() const;
     70 
     71   // The different attributes for a principal.  They may be "".
     72   // Note that some of them can have several values.
     73 
     74   std::string common_name;
     75   std::string locality_name;
     76   std::string state_or_province_name;
     77   std::string country_name;
     78 
     79   std::vector<std::string> street_addresses;
     80   std::vector<std::string> organization_names;
     81   std::vector<std::string> organization_unit_names;
     82   std::vector<std::string> domain_components;
     83 };
     84 
     85 // This class is useful for maintaining policies about which certificates are
     86 // permitted or forbidden for a particular purpose.
     87 class CertPolicy {
     88  public:
     89   // The judgments this policy can reach.
     90   enum Judgment {
     91     // We don't have policy information for this certificate.
     92     UNKNOWN,
     93 
     94     // This certificate is allowed.
     95     ALLOWED,
     96 
     97     // This certificate is denied.
     98     DENIED,
     99   };
    100 
    101   CertPolicy();
    102   ~CertPolicy();
    103 
    104   // Returns the judgment this policy makes about this certificate.
    105   Judgment Check(X509Certificate* cert) const;
    106 
    107   // Causes the policy to allow this certificate.
    108   void Allow(X509Certificate* cert);
    109 
    110   // Causes the policy to deny this certificate.
    111   void Deny(X509Certificate* cert);
    112 
    113   // Returns true if this policy has allowed at least one certificate.
    114   bool HasAllowedCert() const;
    115 
    116   // Returns true if this policy has denied at least one certificate.
    117   bool HasDeniedCert() const;
    118 
    119  private:
    120   // The set of fingerprints of allowed certificates.
    121   std::set<SHA1Fingerprint, SHA1FingerprintLessThan> allowed_;
    122 
    123   // The set of fingerprints of denied certificates.
    124   std::set<SHA1Fingerprint, SHA1FingerprintLessThan> denied_;
    125 };
    126 
    127 #if defined(OS_MACOSX)
    128 // Compares two OIDs by value.
    129 inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
    130   return oid1->Length == oid2->Length &&
    131   (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
    132 }
    133 #endif
    134 
    135 // A list of ASN.1 date/time formats that ParseCertificateDate() supports,
    136 // encoded in the canonical forms specified in RFC 2459/3280/5280.
    137 enum CertDateFormat {
    138   // UTCTime: Format is YYMMDDHHMMSSZ
    139   CERT_DATE_FORMAT_UTC_TIME,
    140 
    141   // GeneralizedTime: Format is YYYYMMDDHHMMSSZ
    142   CERT_DATE_FORMAT_GENERALIZED_TIME,
    143 };
    144 
    145 // Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
    146 // |format|, and writes the result into |*time|. If an invalid date is
    147 // specified, or if parsing fails, returns false, and |*time| will not be
    148 // updated.
    149 bool ParseCertificateDate(const base::StringPiece& raw_date,
    150                           CertDateFormat format,
    151                           base::Time* time);
    152 }  // namespace net
    153 
    154 #endif  // NET_BASE_X509_CERT_TYPES_H_
    155