• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_SIGNATURE_ALGORITHM_H_
6 #define BSSL_PKI_SIGNATURE_ALGORITHM_H_
7 
8 #include "fillins/openssl_util.h"
9 #include <stdint.h>
10 
11 
12 #include <optional>
13 #include <openssl/evp.h>
14 
15 namespace bssl {
16 
17 namespace der {
18 class Input;
19 }  // namespace der
20 
21 // The digest algorithm used within a signature.
22 enum class DigestAlgorithm {
23   Md2,
24   Md4,
25   Md5,
26   Sha1,
27   Sha256,
28   Sha384,
29   Sha512,
30 };
31 
32 // The signature algorithm used within a certificate.
33 enum class SignatureAlgorithm {
34   kRsaPkcs1Sha1,
35   kRsaPkcs1Sha256,
36   kRsaPkcs1Sha384,
37   kRsaPkcs1Sha512,
38   kEcdsaSha1,
39   kEcdsaSha256,
40   kEcdsaSha384,
41   kEcdsaSha512,
42   // These RSA-PSS constants match RFC 8446 and refer to RSASSA-PSS with MGF-1,
43   // using the specified hash as both the signature and MGF-1 hash, and the hash
44   // length as the salt length.
45   kRsaPssSha256,
46   kRsaPssSha384,
47   kRsaPssSha512,
48   kMaxValue = kRsaPssSha512,
49 };
50 
51 // Parses AlgorithmIdentifier as defined by RFC 5280 section 4.1.1.2:
52 //
53 //     AlgorithmIdentifier  ::=  SEQUENCE  {
54 //          algorithm               OBJECT IDENTIFIER,
55 //          parameters              ANY DEFINED BY algorithm OPTIONAL  }
56 [[nodiscard]] OPENSSL_EXPORT bool ParseAlgorithmIdentifier(const der::Input& input,
57                                                        der::Input* algorithm,
58                                                        der::Input* parameters);
59 
60 // Parses a HashAlgorithm as defined by RFC 5912:
61 //
62 //     HashAlgorithm  ::=  AlgorithmIdentifier{DIGEST-ALGORITHM,
63 //                             {HashAlgorithms}}
64 //
65 //     HashAlgorithms DIGEST-ALGORITHM ::=  {
66 //         { IDENTIFIER id-sha1 PARAMS TYPE NULL ARE preferredPresent } |
67 //         { IDENTIFIER id-sha224 PARAMS TYPE NULL ARE preferredPresent } |
68 //         { IDENTIFIER id-sha256 PARAMS TYPE NULL ARE preferredPresent } |
69 //         { IDENTIFIER id-sha384 PARAMS TYPE NULL ARE preferredPresent } |
70 //         { IDENTIFIER id-sha512 PARAMS TYPE NULL ARE preferredPresent }
71 //     }
72 [[nodiscard]] bool ParseHashAlgorithm(const der::Input& input,
73                                       DigestAlgorithm* out);
74 
75 // Parses an AlgorithmIdentifier into a signature algorithm and returns it, or
76 // returns `std::nullopt` if `algorithm_identifer` either cannot be parsed or
77 // is not a recognized signature algorithm.
78 OPENSSL_EXPORT std::optional<SignatureAlgorithm> ParseSignatureAlgorithm(
79     const der::Input& algorithm_identifier);
80 
81 // Returns the hash to be used with the tls-server-end-point channel binding
82 // (RFC 5929) or `std::nullopt`, if not supported for this signature algorithm.
83 OPENSSL_EXPORT std::optional<DigestAlgorithm> GetTlsServerEndpointDigestAlgorithm(
84     SignatureAlgorithm alg);
85 
86 }  // namespace net
87 
88 #endif  // BSSL_PKI_SIGNATURE_ALGORITHM_H_
89