1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_PKI_NAME_CONSTRAINTS_H_
6 #define NET_CERT_PKI_NAME_CONSTRAINTS_H_
7 
#include <stdint.h>

#include <memory>
#include <string_view>

#include "net/base/ip_address.h"
#include "net/base/net_export.h"
#include "net/cert/pki/general_names.h"
15 
16 namespace net {
17 
18 class CertErrors;
19 
20 namespace der {
21 class Input;
22 }  // namespace der
23 
24 // Parses a NameConstraints extension value and allows testing whether names are
25 // allowed under those constraints as defined by RFC 5280 section 4.2.1.10.
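class NET_EXPORT NameConstraints {
 public:
  ~NameConstraints();

  // Parses a DER-encoded NameConstraints extension and initializes this object.
  // |extension_value| should be the extnValue from the extension (not including
  // the OCTET STRING tag). |is_critical| should be true if the extension was
  // marked critical. Returns nullptr if parsing the extension failed; the
  // caller must treat nullptr as "constraints could not be evaluated", not as
  // "no constraints".
  // The object may reference data from |extension_value|, so is only valid as
  // long as |extension_value| is.
  static std::unique_ptr<NameConstraints> Create(
      const der::Input& extension_value,
      bool is_critical,
      CertErrors* errors);

  // Tests if a certificate is allowed by the name constraints.
  // |subject_rdn_sequence| should be the DER-encoded value of the subject's
  // RDNSequence (not including Sequence tag), and may be an empty ASN.1
  // sequence. |subject_alt_names| should be the parsed representation of the
  // subjectAltName extension or nullptr if the extension was not present.
  // If the certificate is not allowed, an error will be added to |errors|;
  // there is no boolean result, so callers must inspect |errors| afterwards.
  // Note that this method does not check hostname or IP address in commonName,
  // which is deprecated (crbug.com/308330).
  void IsPermittedCert(const der::Input& subject_rdn_sequence,
                       const GeneralNames* subject_alt_names,
                       CertErrors* errors) const;

  // Returns true if the ASCII hostname |name| is permitted.
  // |name| may be a wildcard hostname (starts with "*."). Eg, "*.bar.com"
  // would not be permitted if "bar.com" is permitted and "foo.bar.com" is
  // excluded, while "*.baz.com" would only be permitted if "baz.com" is
  // permitted.
  //
  // The three IsPermitted*() predicates below are [[nodiscard]]: a caller that
  // drops the result has silently skipped the constraint check, which is
  // exactly the failure mode this class exists to prevent.
  [[nodiscard]] bool IsPermittedDNSName(std::string_view name) const;

  // Returns true if the directoryName |name_rdn_sequence| is permitted.
  // |name_rdn_sequence| should be the DER-encoded RDNSequence value (not
  // including the Sequence tag.)
  [[nodiscard]] bool IsPermittedDirectoryName(
      const der::Input& name_rdn_sequence) const;

  // Returns true if the iPAddress |ip| is permitted.
  [[nodiscard]] bool IsPermittedIP(const IPAddress& ip) const;

  // Returns a bitfield of GeneralNameTypes of all the types constrained by this
  // NameConstraints. Name types that aren't supported will only be present if
  // the name constraint they appeared in was marked critical.
  //
  // RFC 5280 section 4.2.1.10 says:
  // Applications conforming to this profile MUST be able to process name
  // constraints that are imposed on the directoryName name form and SHOULD be
  // able to process name constraints that are imposed on the rfc822Name,
  // uniformResourceIdentifier, dNSName, and iPAddress name forms.
  // If a name constraints extension that is marked as critical
  // imposes constraints on a particular name form, and an instance of
  // that name form appears in the subject field or subjectAltName
  // extension of a subsequent certificate, then the application MUST
  // either process the constraint or reject the certificate.
  int constrained_name_types() const { return constrained_name_types_; }

  // Read-only views of the parsed permittedSubtrees / excludedSubtrees. The
  // references are tied to this object's lifetime (and transitively to the
  // |extension_value| passed to Create()).
  const GeneralNames& permitted_subtrees() const { return permitted_subtrees_; }
  const GeneralNames& excluded_subtrees() const { return excluded_subtrees_; }

 private:
  // Populates the members below from |extension_value|. Returns false on a
  // parse failure; the result must not be ignored.
  [[nodiscard]] bool Parse(const der::Input& extension_value,
                           bool is_critical,
                           CertErrors* errors);

  GeneralNames permitted_subtrees_;
  GeneralNames excluded_subtrees_;
  // Bitfield of GeneralNameTypes; see constrained_name_types(). Starts with
  // nothing constrained until Parse() runs.
  int constrained_name_types_ = GENERAL_NAME_NONE;
};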
96 
97 }  // namespace net
98 
99 #endif  // NET_CERT_PKI_NAME_CONSTRAINTS_H_