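// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_PKI_EXTENDED_KEY_USAGE_H_
#define NET_CERT_PKI_EXTENDED_KEY_USAGE_H_

// <stdint.h> is needed for uint8_t below; previously it was only reached
// transitively through the project headers, which is fragile.
#include <stdint.h>

#include <vector>

#include "net/base/net_export.h"
#include "net/der/input.h"

namespace net {

// The key purpose OIDs below are stored as the DER-encoded *contents* of an
// OBJECT IDENTIFIER, i.e. without the leading 0x06 tag and the length byte.
// This is the same form that ParseEKUExtension() produces, so a parsed entry
// can be compared byte-for-byte against these constants.

// The arc for the anyExtendedKeyUsage OID is found under the id-ce arc,
// defined in section 4.2.1 of RFC 5280:
//     id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
//
// From RFC 5280 section 4.2.1.12:
//     id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
//     anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
// In dotted notation: 2.5.29.37.0
inline constexpr uint8_t kAnyEKU[] = {0x55, 0x1d, 0x25, 0x00};

// All other key usage purposes defined in RFC 5280 are found in the id-kp
// arc, defined in section 4.2.1.12 as:
//     id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
//
// With id-pkix defined in RFC 5280 section 4.2.2 as:
//     id-pkix OBJECT IDENTIFIER ::=
//         { iso(1) identified-organization(3) dod(6) internet(1)
//           security(5) mechanisms(5) pkix(7) }
//
// All id-kp constants therefore share the same 7-byte prefix
// {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03} and differ only in the
// final arc.
//
// From RFC 5280 section 4.2.1.12:
//     id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
// In dotted notation: 1.3.6.1.5.5.7.3.1
inline constexpr uint8_t kServerAuth[] = {0x2b, 0x06, 0x01, 0x05,
                                          0x05, 0x07, 0x03, 0x01};

// From RFC 5280 section 4.2.1.12:
//     id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
// In dotted notation: 1.3.6.1.5.5.7.3.2
inline constexpr uint8_t kClientAuth[] = {0x2b, 0x06, 0x01, 0x05,
                                          0x05, 0x07, 0x03, 0x02};

// From RFC 5280 section 4.2.1.12:
//     id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
// In dotted notation: 1.3.6.1.5.5.7.3.3
inline constexpr uint8_t kCodeSigning[] = {0x2b, 0x06, 0x01, 0x05,
                                           0x05, 0x07, 0x03, 0x03};

// From RFC 5280 section 4.2.1.12:
//     id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
// In dotted notation: 1.3.6.1.5.5.7.3.4
inline constexpr uint8_t kEmailProtection[] = {0x2b, 0x06, 0x01, 0x05,
                                               0x05, 0x07, 0x03, 0x04};

// From RFC 5280 section 4.2.1.12:
//     id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
// In dotted notation: 1.3.6.1.5.5.7.3.8
inline constexpr uint8_t kTimeStamping[] = {0x2b, 0x06, 0x01, 0x05,
                                            0x05, 0x07, 0x03, 0x08};

// From RFC 5280 section 4.2.1.12:
//     id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
// In dotted notation: 1.3.6.1.5.5.7.3.9
inline constexpr uint8_t kOCSPSigning[] = {0x2b, 0x06, 0x01, 0x05,
                                           0x05, 0x07, 0x03, 0x09};

// Netscape Server Gated Crypto (2.16.840.1.113730.4.1) is a deprecated OID
// which in some situations is considered equivalent to the serverAuth key
// purpose. Whether a given verifier treats it as serverAuth is a policy
// decision made by the caller; this header only supplies the encoding.
inline constexpr uint8_t kNetscapeServerGatedCrypto[] = {
    0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01};

// Parses |extension_value|, which contains the extnValue field of an X.509v3
// Extended Key Usage extension, and populates |eku_oids| with the list of
// DER-encoded OID values (that is, without tag and length). Returns false if
// |extension_value| is improperly encoded.
//
// Note: The returned OIDs are views into, not copies of, the bytes of
// |extension_value|. They are only valid as long as the data pointed to by
// |extension_value| is valid; do not retain them past the lifetime of the
// certificate buffer they were parsed from.
//
// NOTE(review): what |eku_oids| holds when this returns false is not
// specified here — callers should not rely on its contents after a failure
// without confirming the behaviour in the implementation.
NET_EXPORT bool ParseEKUExtension(const der::Input& extension_value,
                                  std::vector<der::Input>* eku_oids);

}  // namespace net

#endif  // NET_CERT_PKI_EXTENDED_KEY_USAGE_H_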