Home | History | Annotate | Download | only in cert
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_CERT_X509_CERT_TYPES_H_
      6 #define NET_CERT_X509_CERT_TYPES_H_
      7 
      8 #include <string.h>
      9 
     10 #include <map>
     11 #include <set>
     12 #include <string>
     13 #include <vector>
     14 
     15 #include "base/logging.h"
     16 #include "base/strings/string_piece.h"
     17 #include "build/build_config.h"
     18 #include "net/base/hash_value.h"
     19 #include "net/base/net_export.h"
     20 #include "net/cert/cert_status_flags.h"
     21 
     22 #if defined(OS_MACOSX) && !defined(OS_IOS)
     23 #include <Security/x509defs.h>
     24 #endif
     25 
     26 namespace base {
     27 class Time;
     28 }  // namespace base
     29 
     30 namespace net {
     31 
     32 class X509Certificate;
     33 
     34 // CertPrincipal represents the issuer or subject field of an X.509 certificate.
     35 struct NET_EXPORT CertPrincipal {
     36   CertPrincipal();
     37   explicit CertPrincipal(const std::string& name);
     38   ~CertPrincipal();
     39 
     40 #if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN)
     41   // Parses a BER-format DistinguishedName.
     42   bool ParseDistinguishedName(const void* ber_name_data, size_t length);
     43 #endif
     44 
     45 #if defined(OS_MACOSX) && !defined(OS_IOS)
     46   // Compare this CertPrincipal with |against|, returning true if they're
     47   // equal enough to be a possible match. This should NOT be used for any
     48   // security relevant decisions.
     49   // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
     50   bool Matches(const CertPrincipal& against) const;
     51 #endif
     52 
     53   // Returns a name that can be used to represent the issuer.  It tries in this
     54   // order: CN, O and OU and returns the first non-empty one found.
     55   std::string GetDisplayName() const;
     56 
     57   // The different attributes for a principal, stored in UTF-8.  They may be "".
     58   // Note that some of them can have several values.
     59 
     60   std::string common_name;
     61   std::string locality_name;
     62   std::string state_or_province_name;
     63   std::string country_name;
     64 
     65   std::vector<std::string> street_addresses;
     66   std::vector<std::string> organization_names;
     67   std::vector<std::string> organization_unit_names;
     68   std::vector<std::string> domain_components;
     69 };
     70 
     71 // This class is useful for maintaining policies about which certificates are
     72 // permitted or forbidden for a particular purpose.
     73 class NET_EXPORT CertPolicy {
     74  public:
     75   // The judgments this policy can reach.
     76   enum Judgment {
     77     // We don't have policy information for this certificate.
     78     UNKNOWN,
     79 
     80     // This certificate is allowed.
     81     ALLOWED,
     82 
     83     // This certificate is denied.
     84     DENIED,
     85   };
     86 
     87   CertPolicy();
     88   ~CertPolicy();
     89 
     90   // Returns the judgment this policy makes about this certificate.
     91   // For a certificate to be allowed, it must not have any *additional* errors
     92   // from when it was allowed. For a certificate to be denied, it need only
     93   // match *any* of the errors that caused it to be denied. We check denial
     94   // first, before checking whether it's been allowed.
     95   Judgment Check(X509Certificate* cert, CertStatus error) const;
     96 
     97   // Causes the policy to allow this certificate for a given |error|.
     98   void Allow(X509Certificate* cert, CertStatus error);
     99 
    100   // Causes the policy to deny this certificate for a given |error|.
    101   void Deny(X509Certificate* cert, CertStatus error);
    102 
    103   // Returns true if this policy has allowed at least one certificate.
    104   bool HasAllowedCert() const;
    105 
    106   // Returns true if this policy has denied at least one certificate.
    107   bool HasDeniedCert() const;
    108 
    109  private:
    110   // The set of fingerprints of allowed certificates.
    111   std::map<SHA1HashValue, CertStatus, SHA1HashValueLessThan> allowed_;
    112 
    113   // The set of fingerprints of denied certificates.
    114   std::map<SHA1HashValue, CertStatus, SHA1HashValueLessThan> denied_;
    115 };
    116 
    117 #if defined(OS_MACOSX) && !defined(OS_IOS)
    118 // Compares two OIDs by value.
    119 inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
    120   return oid1->Length == oid2->Length &&
    121   (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
    122 }
    123 #endif
    124 
    125 // A list of ASN.1 date/time formats that ParseCertificateDate() supports,
    126 // encoded in the canonical forms specified in RFC 2459/3280/5280.
    127 enum CertDateFormat {
    128   // UTCTime: Format is YYMMDDHHMMSSZ
    129   CERT_DATE_FORMAT_UTC_TIME,
    130 
    131   // GeneralizedTime: Format is YYYYMMDDHHMMSSZ
    132   CERT_DATE_FORMAT_GENERALIZED_TIME,
    133 };
    134 
    135 // Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
    136 // |format|, and writes the result into |*time|. If an invalid date is
    137 // specified, or if parsing fails, returns false, and |*time| will not be
    138 // updated.
    139 NET_EXPORT_PRIVATE bool ParseCertificateDate(const base::StringPiece& raw_date,
    140                                              CertDateFormat format,
    141                                              base::Time* time);
    142 }  // namespace net
    143 
    144 #endif  // NET_CERT_X509_CERT_TYPES_H_
    145