1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_CERT_X509_CERT_TYPES_H_
#define NET_CERT_X509_CERT_TYPES_H_
#include <string.h>
#include <map>
#include <set>
#include <string>
#include <vector>
#include "base/logging.h"
#include "base/strings/string_piece.h"
#include "build/build_config.h"
#include "net/base/hash_value.h"
#include "net/base/net_export.h"
#include "net/cert/cert_status_flags.h"
#if defined(OS_MACOSX) && !defined(OS_IOS)
#include <Security/x509defs.h>
#endif
namespace base {
class Time;
} // namespace base
namespace net {
class X509Certificate;
// CertPrincipal represents the issuer or subject field of an X.509 certificate.
struct NET_EXPORT CertPrincipal {
CertPrincipal();
explicit CertPrincipal(const std::string& name);
~CertPrincipal();
#if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN)
// Parses a BER-format DistinguishedName.
bool ParseDistinguishedName(const void* ber_name_data, size_t length);
#endif
#if defined(OS_MACOSX) && !defined(OS_IOS)
// Compare this CertPrincipal with |against|, returning true if they're
// equal enough to be a possible match. This should NOT be used for any
// security relevant decisions.
// TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
bool Matches(const CertPrincipal& against) const;
#endif
// Returns a name that can be used to represent the issuer. It tries in this
// order: CN, O and OU and returns the first non-empty one found.
std::string GetDisplayName() const;
// The different attributes for a principal, stored in UTF-8. They may be "".
// Note that some of them can have several values.
std::string common_name;
std::string locality_name;
std::string state_or_province_name;
std::string country_name;
std::vector<std::string> street_addresses;
std::vector<std::string> organization_names;
std::vector<std::string> organization_unit_names;
std::vector<std::string> domain_components;
};
// This class is useful for maintaining policies about which certificates are
// permitted or forbidden for a particular purpose.
class NET_EXPORT CertPolicy {
public:
// The judgments this policy can reach.
enum Judgment {
// We don't have policy information for this certificate.
UNKNOWN,
// This certificate is allowed.
ALLOWED,
// This certificate is denied.
DENIED,
};
CertPolicy();
~CertPolicy();
// Returns the judgment this policy makes about this certificate.
// For a certificate to be allowed, it must not have any *additional* errors
// from when it was allowed. For a certificate to be denied, it need only
// match *any* of the errors that caused it to be denied. We check denial
// first, before checking whether it's been allowed.
Judgment Check(X509Certificate* cert, CertStatus error) const;
// Causes the policy to allow this certificate for a given |error|.
void Allow(X509Certificate* cert, CertStatus error);
// Causes the policy to deny this certificate for a given |error|.
void Deny(X509Certificate* cert, CertStatus error);
// Returns true if this policy has allowed at least one certificate.
bool HasAllowedCert() const;
// Returns true if this policy has denied at least one certificate.
bool HasDeniedCert() const;
private:
// The set of fingerprints of allowed certificates.
std::map<SHA1HashValue, CertStatus, SHA1HashValueLessThan> allowed_;
// The set of fingerprints of denied certificates.
std::map<SHA1HashValue, CertStatus, SHA1HashValueLessThan> denied_;
};
#if defined(OS_MACOSX) && !defined(OS_IOS)
// Compares two OIDs by value.
inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
return oid1->Length == oid2->Length &&
(memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
}
#endif
// A list of ASN.1 date/time formats that ParseCertificateDate() supports,
// encoded in the canonical forms specified in RFC 2459/3280/5280.
enum CertDateFormat {
// UTCTime: Format is YYMMDDHHMMSSZ
CERT_DATE_FORMAT_UTC_TIME,
// GeneralizedTime: Format is YYYYMMDDHHMMSSZ
CERT_DATE_FORMAT_GENERALIZED_TIME,
};
// Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
// |format|, and writes the result into |*time|. If an invalid date is
// specified, or if parsing fails, returns false, and |*time| will not be
// updated.
NET_EXPORT_PRIVATE bool ParseCertificateDate(const base::StringPiece& raw_date,
CertDateFormat format,
base::Time* time);
} // namespace net
#endif // NET_CERT_X509_CERT_TYPES_H_
|
