• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_PKI_SIGNATURE_ALGORITHM_H_
6 #define NET_CERT_PKI_SIGNATURE_ALGORITHM_H_
7 
8 #include <stdint.h>
9 
10 #include "net/base/net_export.h"
11 #include "third_party/abseil-cpp/absl/types/optional.h"
12 #include "third_party/boringssl/src/include/openssl/evp.h"
13 
14 namespace net {
15 
16 namespace der {
17 class Input;
18 }  // namespace der
19 
20 // The digest algorithm used within a signature.
21 enum class DigestAlgorithm {
22   Md2,
23   Md4,
24   Md5,
25   Sha1,
26   Sha256,
27   Sha384,
28   Sha512,
29 };
30 
31 // The signature algorithm used within a certificate.
32 enum class SignatureAlgorithm {
33   kRsaPkcs1Sha1,
34   kRsaPkcs1Sha256,
35   kRsaPkcs1Sha384,
36   kRsaPkcs1Sha512,
37   kEcdsaSha1,
38   kEcdsaSha256,
39   kEcdsaSha384,
40   kEcdsaSha512,
41   // These RSA-PSS constants match RFC 8446 and refer to RSASSA-PSS with MGF-1,
42   // using the specified hash as both the signature and MGF-1 hash, and the hash
43   // length as the salt length.
44   kRsaPssSha256,
45   kRsaPssSha384,
46   kRsaPssSha512,
47 };
48 
49 // Parses AlgorithmIdentifier as defined by RFC 5280 section 4.1.1.2:
50 //
51 //     AlgorithmIdentifier  ::=  SEQUENCE  {
52 //          algorithm               OBJECT IDENTIFIER,
53 //          parameters              ANY DEFINED BY algorithm OPTIONAL  }
54 [[nodiscard]] NET_EXPORT bool ParseAlgorithmIdentifier(const der::Input& input,
55                                                        der::Input* algorithm,
56                                                        der::Input* parameters);
57 
58 // Parses a HashAlgorithm as defined by RFC 5912:
59 //
60 //     HashAlgorithm  ::=  AlgorithmIdentifier{DIGEST-ALGORITHM,
61 //                             {HashAlgorithms}}
62 //
63 //     HashAlgorithms DIGEST-ALGORITHM ::=  {
64 //         { IDENTIFIER id-sha1 PARAMS TYPE NULL ARE preferredPresent } |
65 //         { IDENTIFIER id-sha224 PARAMS TYPE NULL ARE preferredPresent } |
66 //         { IDENTIFIER id-sha256 PARAMS TYPE NULL ARE preferredPresent } |
67 //         { IDENTIFIER id-sha384 PARAMS TYPE NULL ARE preferredPresent } |
68 //         { IDENTIFIER id-sha512 PARAMS TYPE NULL ARE preferredPresent }
69 //     }
70 [[nodiscard]] bool ParseHashAlgorithm(const der::Input& input,
71                                       DigestAlgorithm* out);
72 
73 // Parses an AlgorithmIdentifier into a signature algorithm and returns it, or
74 // returns `absl::nullopt` if `algorithm_identifer` either cannot be parsed or
75 // is not a recognized signature algorithm.
76 NET_EXPORT absl::optional<SignatureAlgorithm> ParseSignatureAlgorithm(
77     const der::Input& algorithm_identifier);
78 
79 // Returns the hash to be used with the tls-server-end-point channel binding
80 // (RFC 5929) or `absl::nullopt`, if not supported for this signature algorithm.
81 absl::optional<DigestAlgorithm> GetTlsServerEndpointDigestAlgorithm(
82     SignatureAlgorithm alg);
83 
84 }  // namespace net
85 
86 #endif  // NET_CERT_PKI_SIGNATURE_ALGORITHM_H_
87