1 // Copyright 2015 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_PKI_PARSE_CERTIFICATE_H_ 6 #define NET_CERT_PKI_PARSE_CERTIFICATE_H_ 7 8 #include <stdint.h> 9 10 #include <map> 11 #include <memory> 12 #include <vector> 13 14 #include "net/base/net_export.h" 15 #include "net/cert/pki/general_names.h" 16 #include "net/der/input.h" 17 #include "net/der/parse_values.h" 18 #include "third_party/abseil-cpp/absl/types/optional.h" 19 20 namespace net { 21 22 namespace der { 23 class Parser; 24 } 25 26 class CertErrors; 27 struct ParsedTbsCertificate; 28 29 // Returns true if the given serial number (CertificateSerialNumber in RFC 5280) 30 // is valid: 31 // 32 // CertificateSerialNumber ::= INTEGER 33 // 34 // The input to this function is the (unverified) value octets of the INTEGER. 35 // This function will verify that: 36 // 37 // * The octets are a valid DER-encoding of an INTEGER (for instance, minimal 38 // encoding length). 39 // 40 // * No more than 20 octets are used. 41 // 42 // Note that it DOES NOT reject non-positive values (zero or negative). 43 // 44 // For reference, here is what RFC 5280 section 4.1.2.2 says: 45 // 46 // Given the uniqueness requirements above, serial numbers can be 47 // expected to contain long integers. Certificate users MUST be able to 48 // handle serialNumber values up to 20 octets. Conforming CAs MUST NOT 49 // use serialNumber values longer than 20 octets. 50 // 51 // Note: Non-conforming CAs may issue certificates with serial numbers 52 // that are negative or zero. Certificate users SHOULD be prepared to 53 // gracefully handle such certificates. 54 // 55 // |errors| must be a non-null destination for any errors/warnings. If 56 // |warnings_only| is set to true, then what would ordinarily be errors are 57 // instead added as warnings. 58 [[nodiscard]] NET_EXPORT bool VerifySerialNumber(const der::Input& value, 59 bool warnings_only, 60 CertErrors* errors); 61 62 // Consumes a "Time" value (as defined by RFC 5280) from |parser|. On success 63 // writes the result to |*out| and returns true. On failure no guarantees are 64 // made about the state of |parser|. 65 // 66 // From RFC 5280: 67 // 68 // Time ::= CHOICE { 69 // utcTime UTCTime, 70 // generalTime GeneralizedTime } 71 [[nodiscard]] NET_EXPORT bool ReadUTCOrGeneralizedTime( 72 der::Parser* parser, 73 der::GeneralizedTime* out); 74 75 // Parses a DER-encoded "Validity" as specified by RFC 5280. Returns true on 76 // success and sets the results in |not_before| and |not_after|: 77 // 78 // Validity ::= SEQUENCE { 79 // notBefore Time, 80 // notAfter Time } 81 // 82 // Note that upon success it is NOT guaranteed that |*not_before <= *not_after|. 83 [[nodiscard]] NET_EXPORT bool ParseValidity(const der::Input& validity_tlv, 84 der::GeneralizedTime* not_before, 85 der::GeneralizedTime* not_after); 86 87 struct NET_EXPORT ParseCertificateOptions { 88 // If set to true, then parsing will skip checks on the certificate's serial 89 // number. The only requirement will be that the serial number is an INTEGER, 90 // however it is not required to be a valid DER-encoding (i.e. minimal 91 // encoding), nor is it required to be constrained to any particular length. 92 bool allow_invalid_serial_numbers = false; 93 }; 94 95 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on 96 // success and sets the results in the |out_*| parameters. On both the failure 97 // and success case, if |out_errors| was non-null it may contain extra error 98 // information. 99 // 100 // Note that on success the out parameters alias data from the input 101 // |certificate_tlv|. Hence the output values are only valid as long as 102 // |certificate_tlv| remains valid. 103 // 104 // On failure the out parameters have an undefined state, except for 105 // out_errors. Some of them may have been updated during parsing, whereas 106 // others may not have been changed. 107 // 108 // The out parameters represent each field of the Certificate SEQUENCE: 109 // Certificate ::= SEQUENCE { 110 // 111 // The |out_tbs_certificate_tlv| parameter corresponds with "tbsCertificate" 112 // from RFC 5280: 113 // tbsCertificate TBSCertificate, 114 // 115 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No 116 // guarantees are made regarding the value of this SEQUENCE. 117 // This can be further parsed using ParseTbsCertificate(). 118 // 119 // The |out_signature_algorithm_tlv| parameter corresponds with 120 // "signatureAlgorithm" from RFC 5280: 121 // signatureAlgorithm AlgorithmIdentifier, 122 // 123 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No 124 // guarantees are made regarding the value of this SEQUENCE. 125 // This can be further parsed using SignatureValue::Create(). 126 // 127 // The |out_signature_value| parameter corresponds with "signatureValue" from 128 // RFC 5280: 129 // signatureValue BIT STRING } 130 // 131 // Parsing guarantees that this is a valid BIT STRING. 132 [[nodiscard]] NET_EXPORT bool ParseCertificate( 133 const der::Input& certificate_tlv, 134 der::Input* out_tbs_certificate_tlv, 135 der::Input* out_signature_algorithm_tlv, 136 der::BitString* out_signature_value, 137 CertErrors* out_errors); 138 139 // Parses a DER-encoded "TBSCertificate" as specified by RFC 5280. Returns true 140 // on success and sets the results in |out|. Certain invalid inputs may 141 // be accepted based on the provided |options|. 142 // 143 // If |errors| was non-null then any warnings/errors that occur during parsing 144 // are added to it. 145 // 146 // Note that on success |out| aliases data from the input |tbs_tlv|. 147 // Hence the fields of the ParsedTbsCertificate are only valid as long as 148 // |tbs_tlv| remains valid. 149 // 150 // On failure |out| has an undefined state. Some of its fields may have been 151 // updated during parsing, whereas others may not have been changed. 152 // 153 // Refer to the per-field documentation of ParsedTbsCertificate for details on 154 // what validity checks parsing performs. 155 // 156 // TBSCertificate ::= SEQUENCE { 157 // version [0] EXPLICIT Version DEFAULT v1, 158 // serialNumber CertificateSerialNumber, 159 // signature AlgorithmIdentifier, 160 // issuer Name, 161 // validity Validity, 162 // subject Name, 163 // subjectPublicKeyInfo SubjectPublicKeyInfo, 164 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 165 // -- If present, version MUST be v2 or v3 166 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 167 // -- If present, version MUST be v2 or v3 168 // extensions [3] EXPLICIT Extensions OPTIONAL 169 // -- If present, version MUST be v3 170 // } 171 [[nodiscard]] NET_EXPORT bool ParseTbsCertificate( 172 const der::Input& tbs_tlv, 173 const ParseCertificateOptions& options, 174 ParsedTbsCertificate* out, 175 CertErrors* errors); 176 177 // Represents a "Version" from RFC 5280: 178 // Version ::= INTEGER { v1(0), v2(1), v3(2) } 179 enum class CertificateVersion { 180 V1, 181 V2, 182 V3, 183 }; 184 185 // ParsedTbsCertificate contains pointers to the main fields of a DER-encoded 186 // RFC 5280 "TBSCertificate". 187 // 188 // ParsedTbsCertificate is expected to be filled by ParseTbsCertificate(), so 189 // subsequent field descriptions are in terms of what ParseTbsCertificate() 190 // sets. 191 struct NET_EXPORT ParsedTbsCertificate { 192 ParsedTbsCertificate(); 193 ParsedTbsCertificate(ParsedTbsCertificate&& other); 194 ParsedTbsCertificate& operator=(ParsedTbsCertificate&& other) = default; 195 ~ParsedTbsCertificate(); 196 197 // Corresponds with "version" from RFC 5280: 198 // version [0] EXPLICIT Version DEFAULT v1, 199 // 200 // Parsing guarantees that the version is one of v1, v2, or v3. 201 CertificateVersion version = CertificateVersion::V1; 202 203 // Corresponds with "serialNumber" from RFC 5280: 204 // serialNumber CertificateSerialNumber, 205 // 206 // This field specifically contains the content bytes of the INTEGER. So for 207 // instance if the serial number was 1000 then this would contain bytes 208 // {0x03, 0xE8}. 209 // 210 // The serial number may or may not be a valid DER-encoded INTEGER: 211 // 212 // If the option |allow_invalid_serial_numbers=true| was used during 213 // parsing, then nothing further can be assumed about these bytes. 214 // 215 // Otherwise if |allow_invalid_serial_numbers=false| then in addition 216 // to being a valid DER-encoded INTEGER, parsing guarantees that 217 // the serial number is at most 20 bytes long. Parsing does NOT guarantee 218 // that the integer is positive (might be zero or negative). 219 der::Input serial_number; 220 221 // Corresponds with "signatureAlgorithm" from RFC 5280: 222 // signatureAlgorithm AlgorithmIdentifier, 223 // 224 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No 225 // guarantees are made regarding the value of this SEQUENCE. 226 // 227 // This can be further parsed using SignatureValue::Create(). 228 der::Input signature_algorithm_tlv; 229 230 // Corresponds with "issuer" from RFC 5280: 231 // issuer Name, 232 // 233 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No 234 // guarantees are made regarding the value of this SEQUENCE. 235 der::Input issuer_tlv; 236 237 // Corresponds with "validity" from RFC 5280: 238 // validity Validity, 239 // 240 // Where Validity is defined as: 241 // 242 // Validity ::= SEQUENCE { 243 // notBefore Time, 244 // notAfter Time } 245 // 246 // Parsing guarantees that notBefore (validity_not_before) and notAfter 247 // (validity_not_after) are valid DER-encoded dates, however it DOES NOT 248 // gurantee anything about their values. For instance notAfter could be 249 // before notBefore, or the dates could indicate an expired certificate. 250 // Consumers are responsible for testing expiration. 251 der::GeneralizedTime validity_not_before; 252 der::GeneralizedTime validity_not_after; 253 254 // Corresponds with "subject" from RFC 5280: 255 // subject Name, 256 // 257 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No 258 // guarantees are made regarding the value of this SEQUENCE. 259 der::Input subject_tlv; 260 261 // Corresponds with "subjectPublicKeyInfo" from RFC 5280: 262 // subjectPublicKeyInfo SubjectPublicKeyInfo, 263 // 264 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No 265 // guarantees are made regarding the value of this SEQUENCE. 266 der::Input spki_tlv; 267 268 // Corresponds with "issuerUniqueID" from RFC 5280: 269 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 270 // -- If present, version MUST be v2 or v3 271 // 272 // Parsing guarantees that if issuer_unique_id is present it is a valid BIT 273 // STRING, and that the version is either v2 or v3 274 absl::optional<der::BitString> issuer_unique_id; 275 276 // Corresponds with "subjectUniqueID" from RFC 5280: 277 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 278 // -- If present, version MUST be v2 or v3 279 // 280 // Parsing guarantees that if subject_unique_id is present it is a valid BIT 281 // STRING, and that the version is either v2 or v3 282 absl::optional<der::BitString> subject_unique_id; 283 284 // Corresponds with "extensions" from RFC 5280: 285 // extensions [3] EXPLICIT Extensions OPTIONAL 286 // -- If present, version MUST be v3 287 // 288 // 289 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No 290 // guarantees are made regarding the value of this SEQUENCE. (Note that the 291 // EXPLICIT outer tag is stripped.) 292 // 293 // Parsing guarantees that if extensions is present the version is v3. 294 absl::optional<der::Input> extensions_tlv; 295 }; 296 297 // ParsedExtension represents a parsed "Extension" from RFC 5280. It contains 298 // der:Inputs which are not owned so the associated data must be kept alive. 299 // 300 // Extension ::= SEQUENCE { 301 // extnID OBJECT IDENTIFIER, 302 // critical BOOLEAN DEFAULT FALSE, 303 // extnValue OCTET STRING 304 // -- contains the DER encoding of an ASN.1 value 305 // -- corresponding to the extension type identified 306 // -- by extnID 307 // } 308 struct NET_EXPORT ParsedExtension { 309 der::Input oid; 310 // |value| will contain the contents of the OCTET STRING. For instance for 311 // basicConstraints it will be the TLV for a SEQUENCE. 312 der::Input value; 313 bool critical = false; 314 }; 315 316 // Parses a DER-encoded "Extension" as specified by RFC 5280. Returns true on 317 // success and sets the results in |out|. 318 // 319 // Note that on success |out| aliases data from the input |extension_tlv|. 320 // Hence the fields of the ParsedExtension are only valid as long as 321 // |extension_tlv| remains valid. 322 // 323 // On failure |out| has an undefined state. Some of its fields may have been 324 // updated during parsing, whereas others may not have been changed. 325 [[nodiscard]] NET_EXPORT bool ParseExtension(const der::Input& extension_tlv, 326 ParsedExtension* out); 327 328 // From RFC 5280: 329 // 330 // id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } 331 // 332 // In dotted notation: 2.5.29.14 333 inline constexpr uint8_t kSubjectKeyIdentifierOid[] = {0x55, 0x1d, 0x0e}; 334 335 // From RFC 5280: 336 // 337 // id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } 338 // 339 // In dotted notation: 2.5.29.15 340 inline constexpr uint8_t kKeyUsageOid[] = {0x55, 0x1d, 0x0f}; 341 342 // From RFC 5280: 343 // 344 // id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } 345 // 346 // In dotted notation: 2.5.29.17 347 inline constexpr uint8_t kSubjectAltNameOid[] = {0x55, 0x1d, 0x11}; 348 349 // From RFC 5280: 350 // 351 // id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } 352 // 353 // In dotted notation: 2.5.29.19 354 inline constexpr uint8_t kBasicConstraintsOid[] = {0x55, 0x1d, 0x13}; 355 356 // From RFC 5280: 357 // 358 // id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } 359 // 360 // In dotted notation: 2.5.29.30 361 inline constexpr uint8_t kNameConstraintsOid[] = {0x55, 0x1d, 0x1e}; 362 363 // From RFC 5280: 364 // 365 // id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } 366 // 367 // In dotted notation: 2.5.29.32 368 inline constexpr uint8_t kCertificatePoliciesOid[] = {0x55, 0x1d, 0x20}; 369 370 // From RFC 5280: 371 // 372 // id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } 373 // 374 // In dotted notation: 2.5.29.35 375 inline constexpr uint8_t kAuthorityKeyIdentifierOid[] = {0x55, 0x1d, 0x23}; 376 377 // From RFC 5280: 378 // 379 // id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } 380 // 381 // In dotted notation: 2.5.29.36 382 inline constexpr uint8_t kPolicyConstraintsOid[] = {0x55, 0x1d, 0x24}; 383 384 // From RFC 5280: 385 // 386 // id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } 387 // 388 // In dotted notation: 2.5.29.37 389 inline constexpr uint8_t kExtKeyUsageOid[] = {0x55, 0x1d, 0x25}; 390 391 // From RFC 5280: 392 // 393 // id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } 394 // 395 // In dotted notation: 1.3.6.1.5.5.7.1.1 396 inline constexpr uint8_t kAuthorityInfoAccessOid[] = {0x2B, 0x06, 0x01, 0x05, 397 0x05, 0x07, 0x01, 0x01}; 398 399 // From RFC 5280: 400 // 401 // id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } 402 // 403 // In dotted notation: 1.3.6.1.5.5.7.48.2 404 inline constexpr uint8_t kAdCaIssuersOid[] = {0x2B, 0x06, 0x01, 0x05, 405 0x05, 0x07, 0x30, 0x02}; 406 407 // From RFC 5280: 408 // 409 // id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } 410 // 411 // In dotted notation: 1.3.6.1.5.5.7.48.1 412 inline constexpr uint8_t kAdOcspOid[] = {0x2B, 0x06, 0x01, 0x05, 413 0x05, 0x07, 0x30, 0x01}; 414 415 // From RFC 5280: 416 // 417 // id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } 418 // 419 // In dotted notation: 2.5.29.31 420 inline constexpr uint8_t kCrlDistributionPointsOid[] = {0x55, 0x1d, 0x1f}; 421 422 // Parses the Extensions sequence as defined by RFC 5280. Extensions are added 423 // to the map |extensions| keyed by the OID. Parsing guarantees that each OID 424 // is unique. Note that certificate verification must consume each extension 425 // marked as critical. 426 // 427 // Returns true on success and fills |extensions|. The output will reference 428 // bytes in |extensions_tlv|, so that data must be kept alive. 429 // On failure |extensions| may be partially written to and should not be used. 430 [[nodiscard]] NET_EXPORT bool ParseExtensions( 431 const der::Input& extensions_tlv, 432 std::map<der::Input, ParsedExtension>* extensions); 433 434 // Removes the extension with OID |oid| from |unconsumed_extensions| and fills 435 // |extension| with the matching extension value. If there was no extension 436 // matching |oid| then returns |false|. 437 [[nodiscard]] NET_EXPORT bool ConsumeExtension( 438 const der::Input& oid, 439 std::map<der::Input, ParsedExtension>* unconsumed_extensions, 440 ParsedExtension* extension); 441 442 struct ParsedBasicConstraints { 443 bool is_ca = false; 444 bool has_path_len = false; 445 uint8_t path_len = 0; 446 }; 447 448 // Parses the BasicConstraints extension as defined by RFC 5280: 449 // 450 // BasicConstraints ::= SEQUENCE { 451 // cA BOOLEAN DEFAULT FALSE, 452 // pathLenConstraint INTEGER (0..MAX) OPTIONAL } 453 // 454 // The maximum allowed value of pathLenConstraints will be whatever can fit 455 // into a uint8_t. 456 [[nodiscard]] NET_EXPORT bool ParseBasicConstraints( 457 const der::Input& basic_constraints_tlv, 458 ParsedBasicConstraints* out); 459 460 // KeyUsageBit contains the index for a particular key usage. The index is 461 // measured from the most significant bit of a bit string. 462 // 463 // From RFC 5280 section 4.2.1.3: 464 // 465 // KeyUsage ::= BIT STRING { 466 // digitalSignature (0), 467 // nonRepudiation (1), -- recent editions of X.509 have 468 // -- renamed this bit to contentCommitment 469 // keyEncipherment (2), 470 // dataEncipherment (3), 471 // keyAgreement (4), 472 // keyCertSign (5), 473 // cRLSign (6), 474 // encipherOnly (7), 475 // decipherOnly (8) } 476 enum KeyUsageBit { 477 KEY_USAGE_BIT_DIGITAL_SIGNATURE = 0, 478 KEY_USAGE_BIT_NON_REPUDIATION = 1, 479 KEY_USAGE_BIT_KEY_ENCIPHERMENT = 2, 480 KEY_USAGE_BIT_DATA_ENCIPHERMENT = 3, 481 KEY_USAGE_BIT_KEY_AGREEMENT = 4, 482 KEY_USAGE_BIT_KEY_CERT_SIGN = 5, 483 KEY_USAGE_BIT_CRL_SIGN = 6, 484 KEY_USAGE_BIT_ENCIPHER_ONLY = 7, 485 KEY_USAGE_BIT_DECIPHER_ONLY = 8, 486 }; 487 488 // Parses the KeyUsage extension as defined by RFC 5280. Returns true on 489 // success, and |key_usage| will alias data in |key_usage_tlv|. On failure 490 // returns false, and |key_usage| may have been modified. 491 // 492 // In addition to validating that key_usage_tlv is a BIT STRING, this does 493 // additional KeyUsage specific validations such as requiring at least 1 bit to 494 // be set. 495 // 496 // To test if a particular key usage is set, call, e.g.: 497 // key_usage->AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE); 498 [[nodiscard]] NET_EXPORT bool ParseKeyUsage(const der::Input& key_usage_tlv, 499 der::BitString* key_usage); 500 501 struct AuthorityInfoAccessDescription { 502 // The accessMethod DER OID value. 503 der::Input access_method_oid; 504 // The accessLocation DER TLV. 505 der::Input access_location; 506 }; 507 // Parses the Authority Information Access extension defined by RFC 5280. 508 // Returns true on success, and |out_access_descriptions| will alias data 509 // in |authority_info_access_tlv|.On failure returns false, and 510 // out_access_descriptions may have been partially filled. 511 // 512 // No validation is performed on the contents of the 513 // AuthorityInfoAccessDescription fields. 514 [[nodiscard]] NET_EXPORT bool ParseAuthorityInfoAccess( 515 const der::Input& authority_info_access_tlv, 516 std::vector<AuthorityInfoAccessDescription>* out_access_descriptions); 517 518 // Parses the Authority Information Access extension defined by RFC 5280, 519 // extracting the caIssuers URIs and OCSP URIs. 520 // 521 // Returns true on success, and |out_ca_issuers_uris| and |out_ocsp_uris| will 522 // alias data in |authority_info_access_tlv|. On failure returns false, and 523 // |out_ca_issuers_uris| and |out_ocsp_uris| may have been partially filled. 524 // 525 // |out_ca_issuers_uris| is filled with the accessLocations of type 526 // uniformResourceIdentifier for the accessMethod id-ad-caIssuers. 527 // |out_ocsp_uris| is filled with the accessLocations of type 528 // uniformResourceIdentifier for the accessMethod id-ad-ocsp. 529 // 530 // The values in |out_ca_issuers_uris| and |out_ocsp_uris| are checked to be 531 // IA5String (ASCII strings), but no other validation is performed on them. 532 // 533 // accessMethods other than id-ad-caIssuers and id-ad-ocsp are silently ignored. 534 // accessLocation types other than uniformResourceIdentifier are silently 535 // ignored. 536 [[nodiscard]] NET_EXPORT bool ParseAuthorityInfoAccessURIs( 537 const der::Input& authority_info_access_tlv, 538 std::vector<std::string_view>* out_ca_issuers_uris, 539 std::vector<std::string_view>* out_ocsp_uris); 540 541 // ParsedDistributionPoint represents a parsed DistributionPoint from RFC 5280. 542 // 543 // DistributionPoint ::= SEQUENCE { 544 // distributionPoint [0] DistributionPointName OPTIONAL, 545 // reasons [1] ReasonFlags OPTIONAL, 546 // cRLIssuer [2] GeneralNames OPTIONAL } 547 struct NET_EXPORT ParsedDistributionPoint { 548 ParsedDistributionPoint(); 549 ParsedDistributionPoint(ParsedDistributionPoint&& other); 550 ~ParsedDistributionPoint(); 551 552 // The parsed fullName, if distributionPoint was present and was a fullName. 553 std::unique_ptr<GeneralNames> distribution_point_fullname; 554 555 // If present, the DER encoded value of the nameRelativeToCRLIssuer field. 556 // This should be a RelativeDistinguishedName, but the parser does not 557 // validate it. 558 absl::optional<der::Input> distribution_point_name_relative_to_crl_issuer; 559 560 // If present, the DER encoded value of the reasons field. This should be a 561 // ReasonFlags bitString, but the parser does not validate it. 562 absl::optional<der::Input> reasons; 563 564 // If present, the DER encoded value of the cRLIssuer field. This should be a 565 // GeneralNames, but the parser does not validate it. 566 absl::optional<der::Input> crl_issuer; 567 }; 568 569 // Parses the value of a CRL Distribution Points extension (sequence of 570 // DistributionPoint). Return true on success, and fills |distribution_points| 571 // with values that reference data in |distribution_points_tlv|. 572 [[nodiscard]] NET_EXPORT bool ParseCrlDistributionPoints( 573 const der::Input& distribution_points_tlv, 574 std::vector<ParsedDistributionPoint>* distribution_points); 575 576 // Represents the AuthorityKeyIdentifier extension defined by RFC 5280 section 577 // 4.2.1.1. 578 // 579 // AuthorityKeyIdentifier ::= SEQUENCE { 580 // keyIdentifier [0] KeyIdentifier OPTIONAL, 581 // authorityCertIssuer [1] GeneralNames OPTIONAL, 582 // authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } 583 // 584 // KeyIdentifier ::= OCTET STRING 585 struct NET_EXPORT ParsedAuthorityKeyIdentifier { 586 ParsedAuthorityKeyIdentifier(); 587 ~ParsedAuthorityKeyIdentifier(); 588 ParsedAuthorityKeyIdentifier(ParsedAuthorityKeyIdentifier&& other); 589 ParsedAuthorityKeyIdentifier& operator=(ParsedAuthorityKeyIdentifier&& other); 590 591 // The keyIdentifier, which is an OCTET STRING. 592 absl::optional<der::Input> key_identifier; 593 594 // The authorityCertIssuer, which should be a GeneralNames, but this is not 595 // enforced by ParseAuthorityKeyIdentifier. 596 absl::optional<der::Input> authority_cert_issuer; 597 598 // The DER authorityCertSerialNumber, which should be a 599 // CertificateSerialNumber (an INTEGER) but this is not enforced by 600 // ParseAuthorityKeyIdentifier. 601 absl::optional<der::Input> authority_cert_serial_number; 602 }; 603 604 // Parses the value of an authorityKeyIdentifier extension. Returns true on 605 // success and fills |authority_key_identifier| with values that reference data 606 // in |extension_value|. On failure the state of |authority_key_identifier| is 607 // not guaranteed. 608 [[nodiscard]] NET_EXPORT bool ParseAuthorityKeyIdentifier( 609 const der::Input& extension_value, 610 ParsedAuthorityKeyIdentifier* authority_key_identifier); 611 612 // Parses the value of a subjectKeyIdentifier extension. Returns true on 613 // success and |subject_key_identifier| references data in |extension_value|. 614 // On failure the state of |subject_key_identifier| is not guaranteed. 615 [[nodiscard]] NET_EXPORT bool ParseSubjectKeyIdentifier( 616 const der::Input& extension_value, 617 der::Input* subject_key_identifier); 618 619 } // namespace net 620 621 #endif // NET_CERT_PKI_PARSE_CERTIFICATE_H_ 622