1 // Copyright 2016 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_PKI_PARSED_CERTIFICATE_H_ 6 #define NET_CERT_PKI_PARSED_CERTIFICATE_H_ 7 8 #include <map> 9 #include <memory> 10 #include <vector> 11 12 #include "net/base/net_export.h" 13 #include "net/cert/pki/certificate_policies.h" 14 #include "net/cert/pki/parse_certificate.h" 15 #include "net/cert/pki/signature_algorithm.h" 16 #include "net/der/input.h" 17 #include "third_party/abseil-cpp/absl/types/optional.h" 18 #include "third_party/boringssl/src/include/openssl/base.h" 19 20 namespace net { 21 22 struct GeneralNames; 23 class NameConstraints; 24 class ParsedCertificate; 25 class CertErrors; 26 27 using ParsedCertificateList = 28 std::vector<std::shared_ptr<const ParsedCertificate>>; 29 30 // Represents an X.509 certificate, including Certificate, TBSCertificate, and 31 // standard extensions. 32 // Creating a ParsedCertificate does not completely parse and validate the 33 // certificate data. Presence of a member in this class implies the DER was 34 // parsed successfully to that level, but does not imply the contents of that 35 // member are valid, unless otherwise specified. See the documentation for each 36 // member or the documentation of the type it returns. 37 class NET_EXPORT ParsedCertificate { 38 private: 39 // Used to make constructors private while still being compatible with 40 // |std::make_shared|. 41 class PrivateConstructor { 42 private: 43 friend ParsedCertificate; 44 PrivateConstructor() = default; 45 }; 46 47 public: 48 // Map from OID to ParsedExtension. 49 using ExtensionsMap = std::map<der::Input, ParsedExtension>; 50 51 // Creates a ParsedCertificate given a DER-encoded Certificate. Returns 52 // nullptr on failure. Failure will occur if the standard certificate fields 53 // and supported extensions cannot be parsed. 54 // On either success or failure, if |errors| is non-null it may have error 55 // information added to it. 56 static std::shared_ptr<const ParsedCertificate> Create( 57 bssl::UniquePtr<CRYPTO_BUFFER> cert_data, 58 const ParseCertificateOptions& options, 59 CertErrors* errors); 60 61 // Creates a ParsedCertificate by copying the provided |data|, and appends it 62 // to |chain|. Returns true if the certificate was successfully parsed and 63 // added. If false is return, |chain| is unmodified. 64 // 65 // On either success or failure, if |errors| is non-null it may have error 66 // information added to it. 67 static bool CreateAndAddToVector( 68 bssl::UniquePtr<CRYPTO_BUFFER> cert_data, 69 const ParseCertificateOptions& options, 70 std::vector<std::shared_ptr<const net::ParsedCertificate>>* chain, 71 CertErrors* errors); 72 73 explicit ParsedCertificate(PrivateConstructor); 74 ~ParsedCertificate(); 75 ParsedCertificate(const ParsedCertificate&) = delete; 76 ParsedCertificate& operator=(const ParsedCertificate&) = delete; 77 78 // Returns the DER-encoded certificate data for this cert. der_cert()79 const der::Input& der_cert() const { return cert_; } 80 81 // Returns the CRYPTO_BUFFER backing this object. cert_buffer()82 CRYPTO_BUFFER* cert_buffer() const { return cert_data_.get(); } 83 84 // Accessors for raw fields of the Certificate. tbs_certificate_tlv()85 const der::Input& tbs_certificate_tlv() const { return tbs_certificate_tlv_; } 86 signature_algorithm_tlv()87 const der::Input& signature_algorithm_tlv() const { 88 return signature_algorithm_tlv_; 89 } 90 signature_value()91 const der::BitString& signature_value() const { return signature_value_; } 92 93 // Accessor for struct containing raw fields of the TbsCertificate. tbs()94 const ParsedTbsCertificate& tbs() const { return tbs_; } 95 96 // Returns the signatureAlgorithm of the Certificate (not the tbsCertificate). 97 // If the signature algorithm is unknown/unsupported, this returns nullopt. signature_algorithm()98 absl::optional<SignatureAlgorithm> signature_algorithm() const { 99 return signature_algorithm_; 100 } 101 102 // Returns the DER-encoded raw subject value (including the outer sequence 103 // tag). This is guaranteed to be valid DER, though the contents of unhandled 104 // string types are treated as raw bytes. subject_tlv()105 der::Input subject_tlv() const { return tbs_.subject_tlv; } 106 // Returns the DER-encoded normalized subject value (not including outer 107 // Sequence tag). This is guaranteed to be valid DER, though the contents of 108 // unhandled string types are treated as raw bytes. normalized_subject()109 der::Input normalized_subject() const { 110 return der::Input(&normalized_subject_); 111 } 112 // Returns the DER-encoded raw issuer value (including the outer sequence 113 // tag). This is guaranteed to be valid DER, though the contents of unhandled 114 // string types are treated as raw bytes. issuer_tlv()115 der::Input issuer_tlv() const { return tbs_.issuer_tlv; } 116 // Returns the DER-encoded normalized issuer value (not including outer 117 // Sequence tag). This is guaranteed to be valid DER, though the contents of 118 // unhandled string types are treated as raw bytes. normalized_issuer()119 der::Input normalized_issuer() const { 120 return der::Input(&normalized_issuer_); 121 } 122 123 // Returns true if the certificate has a BasicConstraints extension. has_basic_constraints()124 bool has_basic_constraints() const { return has_basic_constraints_; } 125 126 // Returns the ParsedBasicConstraints struct. Caller must check 127 // has_basic_constraints() before accessing this. basic_constraints()128 const ParsedBasicConstraints& basic_constraints() const { 129 DCHECK(has_basic_constraints_); 130 return basic_constraints_; 131 } 132 133 // Returns true if the certificate has a KeyUsage extension. has_key_usage()134 bool has_key_usage() const { return has_key_usage_; } 135 136 // Returns the KeyUsage BitString. Caller must check 137 // has_key_usage() before accessing this. key_usage()138 const der::BitString& key_usage() const { 139 DCHECK(has_key_usage_); 140 return key_usage_; 141 } 142 143 // Returns true if the certificate has a ExtendedKeyUsage extension. has_extended_key_usage()144 bool has_extended_key_usage() const { return has_extended_key_usage_; } 145 146 // Returns the ExtendedKeyUsage key purpose OIDs. Caller must check 147 // has_extended_key_usage() before accessing this. extended_key_usage()148 const std::vector<der::Input>& extended_key_usage() const { 149 DCHECK(has_extended_key_usage_); 150 return extended_key_usage_; 151 } 152 153 // Returns true if the certificate has a SubjectAltName extension. has_subject_alt_names()154 bool has_subject_alt_names() const { return subject_alt_names_ != nullptr; } 155 156 // Returns the ParsedExtension struct for the SubjectAltName extension. 157 // If the cert did not have a SubjectAltName extension, this will be a 158 // default-initialized ParsedExtension struct. subject_alt_names_extension()159 const ParsedExtension& subject_alt_names_extension() const { 160 return subject_alt_names_extension_; 161 } 162 163 // Returns the GeneralNames class parsed from SubjectAltName extension, or 164 // nullptr if no SubjectAltName extension was present. subject_alt_names()165 const GeneralNames* subject_alt_names() const { 166 return subject_alt_names_.get(); 167 } 168 169 // Returns true if the certificate has a NameConstraints extension. has_name_constraints()170 bool has_name_constraints() const { return name_constraints_ != nullptr; } 171 172 // Returns the parsed NameConstraints extension. Must not be called if 173 // has_name_constraints() is false. name_constraints()174 const NameConstraints& name_constraints() const { 175 DCHECK(name_constraints_); 176 return *name_constraints_; 177 } 178 179 // Returns true if the certificate has an AuthorityInfoAccess extension. has_authority_info_access()180 bool has_authority_info_access() const { return has_authority_info_access_; } 181 182 // Returns the ParsedExtension struct for the AuthorityInfoAccess extension. authority_info_access_extension()183 const ParsedExtension& authority_info_access_extension() const { 184 return authority_info_access_extension_; 185 } 186 187 // Returns any caIssuers URIs from the AuthorityInfoAccess extension. ca_issuers_uris()188 const std::vector<std::string_view>& ca_issuers_uris() const { 189 return ca_issuers_uris_; 190 } 191 192 // Returns any OCSP URIs from the AuthorityInfoAccess extension. ocsp_uris()193 const std::vector<std::string_view>& ocsp_uris() const { return ocsp_uris_; } 194 195 // Returns true if the certificate has a Policies extension. has_policy_oids()196 bool has_policy_oids() const { return has_policy_oids_; } 197 198 // Returns the policy OIDs. Caller must check has_policy_oids() before 199 // accessing this. policy_oids()200 const std::vector<der::Input>& policy_oids() const { 201 DCHECK(has_policy_oids()); 202 return policy_oids_; 203 } 204 205 // Returns true if the certificate has a PolicyConstraints extension. has_policy_constraints()206 bool has_policy_constraints() const { return has_policy_constraints_; } 207 208 // Returns the ParsedPolicyConstraints struct. Caller must check 209 // has_policy_constraints() before accessing this. policy_constraints()210 const ParsedPolicyConstraints& policy_constraints() const { 211 DCHECK(has_policy_constraints_); 212 return policy_constraints_; 213 } 214 215 // Returns true if the certificate has a PolicyMappings extension. has_policy_mappings()216 bool has_policy_mappings() const { return has_policy_mappings_; } 217 218 // Returns the PolicyMappings extension. Caller must check 219 // has_policy_mappings() before accessing this. policy_mappings()220 const std::vector<ParsedPolicyMapping>& policy_mappings() const { 221 DCHECK(has_policy_mappings_); 222 return policy_mappings_; 223 } 224 225 // Returns true if the certificate has a InhibitAnyPolicy extension. has_inhibit_any_policy()226 bool has_inhibit_any_policy() const { return has_inhibit_any_policy_; } 227 228 // Returns the Inhibit Any Policy extension. Caller must check 229 // has_inhibit_any_policy() before accessing this. inhibit_any_policy()230 uint8_t inhibit_any_policy() const { 231 DCHECK(has_inhibit_any_policy_); 232 return inhibit_any_policy_; 233 } 234 235 // Returns the AuthorityKeyIdentifier extension, or nullopt if there wasn't 236 // one. authority_key_identifier()237 const absl::optional<ParsedAuthorityKeyIdentifier>& authority_key_identifier() 238 const { 239 return authority_key_identifier_; 240 } 241 242 // Returns the SubjectKeyIdentifier extension, or nullopt if there wasn't 243 // one. subject_key_identifier()244 const absl::optional<der::Input>& subject_key_identifier() const { 245 return subject_key_identifier_; 246 } 247 248 // Returns a map of all the extensions in the certificate. extensions()249 const ExtensionsMap& extensions() const { return extensions_; } 250 251 // Gets the value for extension matching |extension_oid|. Returns false if the 252 // extension is not present. 253 bool GetExtension(const der::Input& extension_oid, 254 ParsedExtension* parsed_extension) const; 255 256 private: 257 // The backing store for the certificate data. 258 bssl::UniquePtr<CRYPTO_BUFFER> cert_data_; 259 260 // Points to the raw certificate DER. 261 der::Input cert_; 262 263 der::Input tbs_certificate_tlv_; 264 der::Input signature_algorithm_tlv_; 265 der::BitString signature_value_; 266 ParsedTbsCertificate tbs_; 267 268 // The signatureAlgorithm from the Certificate. 269 absl::optional<SignatureAlgorithm> signature_algorithm_; 270 271 // Normalized DER-encoded Subject (not including outer Sequence tag). 272 std::string normalized_subject_; 273 // Normalized DER-encoded Issuer (not including outer Sequence tag). 274 std::string normalized_issuer_; 275 276 // BasicConstraints extension. 277 bool has_basic_constraints_ = false; 278 ParsedBasicConstraints basic_constraints_; 279 280 // KeyUsage extension. 281 bool has_key_usage_ = false; 282 der::BitString key_usage_; 283 284 // ExtendedKeyUsage extension. 285 bool has_extended_key_usage_ = false; 286 std::vector<der::Input> extended_key_usage_; 287 288 // Raw SubjectAltName extension. 289 ParsedExtension subject_alt_names_extension_; 290 // Parsed SubjectAltName extension. 291 std::unique_ptr<GeneralNames> subject_alt_names_; 292 293 // NameConstraints extension. 294 std::unique_ptr<NameConstraints> name_constraints_; 295 296 // AuthorityInfoAccess extension. 297 bool has_authority_info_access_ = false; 298 ParsedExtension authority_info_access_extension_; 299 // CaIssuers and Ocsp URIs parsed from the AuthorityInfoAccess extension. Note 300 // that the AuthorityInfoAccess may have contained other AccessDescriptions 301 // which are not represented here. 302 std::vector<std::string_view> ca_issuers_uris_; 303 std::vector<std::string_view> ocsp_uris_; 304 305 // Policies extension. This list will already have been checked for 306 // duplicates. 307 bool has_policy_oids_ = false; 308 std::vector<der::Input> policy_oids_; 309 310 // Policy constraints extension. 311 bool has_policy_constraints_ = false; 312 ParsedPolicyConstraints policy_constraints_; 313 314 // Policy mappings extension. 315 bool has_policy_mappings_ = false; 316 std::vector<ParsedPolicyMapping> policy_mappings_; 317 318 // Inhibit Any Policy extension. 319 bool has_inhibit_any_policy_ = false; 320 uint8_t inhibit_any_policy_; 321 322 // AuthorityKeyIdentifier extension. 323 absl::optional<ParsedAuthorityKeyIdentifier> authority_key_identifier_; 324 325 // SubjectKeyIdentifier extension. 326 absl::optional<der::Input> subject_key_identifier_; 327 328 // All of the extensions. 329 ExtensionsMap extensions_; 330 }; 331 332 } // namespace net 333 334 #endif // NET_CERT_PKI_PARSED_CERTIFICATE_H_ 335