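// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_PKI_CERTIFICATE_POLICIES_H_
#define NET_CERT_PKI_CERTIFICATE_POLICIES_H_

#include <stdint.h>

#include <vector>

#include "net/base/net_export.h"
#include "net/der/input.h"
#include "third_party/abseil-cpp/absl/types/optional.h"

namespace net {

class CertErrors;

// The DER-encoded OID, without tag or length, of the anyPolicy certificate
// policy defined in RFC 5280 section 4.2.1.4.
//
//   anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
//
// In dotted notation: 2.5.29.32.0
inline constexpr uint8_t kAnyPolicyOid[] = {0x55, 0x1d, 0x20, 0x00};

// From RFC 5280:
//
//   id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
//
// In dotted notation: 2.5.29.54
inline constexpr uint8_t kInhibitAnyPolicyOid[] = {0x55, 0x1d, 0x36};

// From RFC 5280:
//
//   id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
//
// In dotted notation: 2.5.29.33
inline constexpr uint8_t kPolicyMappingsOid[] = {0x55, 0x1d, 0x21};

// -- policyQualifierIds for Internet policy qualifiers
//
//   id-qt     OBJECT IDENTIFIER ::= { id-pkix 2 }
//   id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
//
// In dotted decimal form: 1.3.6.1.5.5.7.2.1
inline constexpr uint8_t kCpsPointerId[] = {0x2b, 0x06, 0x01, 0x05,
                                            0x05, 0x07, 0x02, 0x01};

//   id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
//
// In dotted decimal form: 1.3.6.1.5.5.7.2.2
inline constexpr uint8_t kUserNoticeId[] = {0x2b, 0x06, 0x01, 0x05,
                                            0x05, 0x07, 0x02, 0x02};

// One PolicyQualifierInfo from a PolicyInformation SEQUENCE (RFC 5280
// section 4.2.1.4). Both members are non-owning views into the extension
// bytes they were parsed from.
struct PolicyQualifierInfo {
  // The policyQualifierId OID (value bytes only, no tag/length).
  der::Input qualifier_oid;
  // The raw qualifier value; not interpreted further by the parser.
  der::Input qualifier;
};

// One PolicyInformation entry from a certificatePolicies extension.
//
// The special members are declared here and defined out of line (in the
// corresponding .cc). Only the constructors are user-declared, so the copy
// assignment operator is implicitly deleted and no move assignment operator
// is declared: assign by constructing a new value rather than with `=`.
struct NET_EXPORT PolicyInformation {
  PolicyInformation();
  ~PolicyInformation();
  PolicyInformation(const PolicyInformation&);
  PolicyInformation(PolicyInformation&&);

  // The policyIdentifier OID (value bytes only, no tag/length).
  der::Input policy_oid;
  // The optional policyQualifiers, in the order they were encoded.
  std::vector<PolicyQualifierInfo> policy_qualifiers;
};

// Parses a certificatePolicies extension and stores the policy information
// in |*policies|, in the order presented in |extension_value|.
//
// Returns true on success. On failure returns false and may add errors to
// |errors|, which must be non-null. Treat |*policies| as unspecified when
// false is returned; the result must not be consumed without checking the
// return value, hence [[nodiscard]].
//
// The values in |policies| are only valid as long as |extension_value| is (as
// they reference its data).
[[nodiscard]] NET_EXPORT bool ParseCertificatePoliciesExtension(
    const der::Input& extension_value,
    std::vector<PolicyInformation>* policies,
    CertErrors* errors);

// Parses a certificatePolicies extension and stores the policy OIDs in
// |*policy_oids|, in sorted order.
//
// If policyQualifiers for User Notice or CPS are present then they are
// ignored (RFC 5280 section 4.2.1.4 says "optional qualifiers, which MAY
// be present, are not expected to change the definition of the policy.").
//
// If a policy qualifier other than User Notice/CPS is present, parsing
// will fail if |fail_parsing_unknown_qualifier_oids| was set to true,
// otherwise the unrecognized qualifiers will be skipped and not parsed
// any further.
//
// Returns true on success. On failure returns false and may add errors to
// |errors|, which must be non-null. Treat |*policy_oids| as unspecified when
// false is returned; the result must not be consumed without checking the
// return value, hence [[nodiscard]].
//
// The values in |policy_oids| are only valid as long as |extension_value| is
// (as they reference its data).
[[nodiscard]] NET_EXPORT bool ParseCertificatePoliciesExtensionOids(
    const der::Input& extension_value,
    bool fail_parsing_unknown_qualifier_oids,
    std::vector<der::Input>* policy_oids,
    CertErrors* errors);

// The decoded PolicyConstraints extension (RFC 5280 section 4.2.1.11).
// Each member is absl::nullopt when the corresponding optional field is not
// set by the parser (presumably because it was absent from the encoding --
// confirm against ParsePolicyConstraints).
struct ParsedPolicyConstraints {
  absl::optional<uint8_t> require_explicit_policy;

  absl::optional<uint8_t> inhibit_policy_mapping;
};

// Parses a PolicyConstraints SEQUENCE as defined by RFC 5280. Returns true on
// success, and sets |out|. |out| is unspecified when false is returned.
[[nodiscard]] NET_EXPORT bool ParsePolicyConstraints(
    const der::Input& policy_constraints_tlv,
    ParsedPolicyConstraints* out);

// Parses an InhibitAnyPolicy as defined by RFC 5280. Returns true on success,
// and sets |num_certs|.
//
// NOTE(review): |num_certs| is a uint8_t whereas SkipCerts is an
// INTEGER (0..MAX); values that do not fit presumably make parsing fail --
// confirm against the implementation before relying on it.
[[nodiscard]] NET_EXPORT bool ParseInhibitAnyPolicy(
    const der::Input& inhibit_any_policy_tlv,
    uint8_t* num_certs);

// One mapping from a PolicyMappings SEQUENCE (RFC 5280 section 4.2.1.5).
// Both members are non-owning views into the extension bytes.
struct ParsedPolicyMapping {
  der::Input issuer_domain_policy;
  der::Input subject_domain_policy;
};

// Parses a PolicyMappings SEQUENCE as defined by RFC 5280. Returns true on
// success, and sets |mappings|. |mappings| is unspecified when false is
// returned, and its elements are only valid as long as |policy_mappings_tlv|
// is (as they reference its data).
[[nodiscard]] NET_EXPORT bool ParsePolicyMappings(
    const der::Input& policy_mappings_tlv,
    std::vector<ParsedPolicyMapping>* mappings);

}  // namespace net

#endif  // NET_CERT_PKI_CERTIFICATE_POLICIES_H_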