• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
6 #define NET_CERT_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
7 
8 #include <stddef.h>
9 
10 #include "net/base/net_export.h"
11 #include "net/cert/pki/path_builder.h"
12 #include "net/cert/pki/signature_algorithm.h"
13 #include "net/cert/pki/signature_verify_cache.h"
14 
15 namespace net {
16 
17 class CertErrors;
18 
19 // SimplePathBuilderDelegate is an implementation of CertPathBuilderDelegate
20 // that uses some default policies:
21 //
22 //   * RSA public keys must be >= |min_rsa_modulus_length_bits|.
23 //   * Signature algorithm can be RSA PKCS#1, RSASSA-PSS or ECDSA
24 //   * Digest algorithm can be SHA256, SHA348 or SHA512.
25 //       * If the |digest_policy| was set to kAllowSha1, then SHA1 is
26 //         additionally accepted.
27 //   * EC named curve can be P-256, P-384, P-521.
28 class NET_EXPORT SimplePathBuilderDelegate : public CertPathBuilderDelegate {
29  public:
30   enum class DigestPolicy {
31     // Accepts digests of SHA256, SHA348 or SHA512
32     kStrong,
33 
34     // Accepts everything that kStrong does, plus SHA1.
35     kWeakAllowSha1,
36 
37     kMaxValue = kWeakAllowSha1
38   };
39 
40   // Error emitted when a public key is rejected because it is an RSA key with a
41   // modulus size that is too small.
42   static const CertErrorId kRsaModulusTooSmall;
43 
44   SimplePathBuilderDelegate(size_t min_rsa_modulus_length_bits,
45                             DigestPolicy digest_policy);
46 
47   // Accepts RSA PKCS#1, RSASSA-PSS or ECDA using any of the SHA* digests
48   // (including SHA1).
49   bool IsSignatureAlgorithmAcceptable(SignatureAlgorithm signature_algorithm,
50                                       CertErrors* errors) override;
51 
52   // Requires RSA keys be >= |min_rsa_modulus_length_bits_|.
53   bool IsPublicKeyAcceptable(EVP_PKEY* public_key, CertErrors* errors) override;
54 
55   // No-op implementation.
56   void CheckPathAfterVerification(const CertPathBuilder& path_builder,
57                                   CertPathBuilderResultPath* path) override;
58 
59   // No-op implementation.
60   bool IsDeadlineExpired() override;
61 
62   // No-op implementation.
63   SignatureVerifyCache* GetVerifyCache() override;
64 
65  private:
66   const size_t min_rsa_modulus_length_bits_;
67   const DigestPolicy digest_policy_;
68 };
69 
70 }  // namespace net
71 
72 #endif  // NET_CERT_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
73