• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2019 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_INTERNAL_H_
6 #define CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_INTERNAL_H_
7 
8 #include <openssl/x509.h>
9 
10 #include <string>
11 #include <vector>
12 
13 #include "absl/strings/string_view.h"
14 #include "platform/base/error.h"
15 namespace openscreen {
16 namespace cast {
17 
18 struct TrustStore {
19   enum class Mode {
20     // In strict mode, only certificates signed by a CA will be accepted as
21     // part of authentication. Note that if a self-signed certificate is placed
22     // in a strict mode TrustStore, it cannot be used for authentication.
23     kStrict,
24 
25     // In allow self signed mode, certificates signed by an arbitrary private
26     // key that have been placed in this trust store will be allowed. Note
27     // that certificates must still otherwise be valid.
28     kAllowSelfSigned
29   };
30 
31   static TrustStore CreateInstanceFromPemFile(absl::string_view file_path);
32 
33   std::vector<bssl::UniquePtr<X509>> certs;
34 };
35 
36 // Adds a trust anchor given a DER-encoded certificate from static
37 // storage.
38 template <size_t N>
MakeTrustAnchor(const uint8_t (& data)[N])39 bssl::UniquePtr<X509> MakeTrustAnchor(const uint8_t (&data)[N]) {
40   const uint8_t* dptr = data;
41   return bssl::UniquePtr<X509>{d2i_X509(nullptr, &dptr, N)};
42 }
43 
MakeTrustAnchor(const std::vector<uint8_t> & data)44 inline bssl::UniquePtr<X509> MakeTrustAnchor(const std::vector<uint8_t>& data) {
45   const uint8_t* dptr = data.data();
46   return bssl::UniquePtr<X509>{d2i_X509(nullptr, &dptr, data.size())};
47 }
48 
49 struct ConstDataSpan;
50 struct DateTime;
51 
52 bool VerifySignedData(const EVP_MD* digest,
53                       EVP_PKEY* public_key,
54                       const ConstDataSpan& data,
55                       const ConstDataSpan& signature);
56 
57 // Parses DateTime with additional restrictions laid out by RFC 5280
58 // 4.1.2.5.2.
59 bool ParseAsn1GeneralizedTime(ASN1_GENERALIZEDTIME* time, DateTime* out);
60 bool GetCertValidTimeRange(X509* cert,
61                            DateTime* not_before,
62                            DateTime* not_after);
63 
64 struct CertificatePathResult {
65   bssl::UniquePtr<X509> target_cert;
66   std::vector<bssl::UniquePtr<X509>> intermediate_certs;
67   std::vector<X509*> path;
68 };
69 
70 Error FindCertificatePath(const std::vector<std::string>& der_certs,
71                           const DateTime& time,
72                           CertificatePathResult* result_path,
73                           TrustStore* trust_store);
74 
75 }  // namespace cast
76 }  // namespace openscreen
77 
78 #endif  // CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_INTERNAL_H_
79