1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
6 #define BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
7 
8 #include "fillins/openssl_util.h"
9 #include <stddef.h>
10 
11 
12 #include "path_builder.h"
13 #include "signature_algorithm.h"
14 #include "signature_verify_cache.h"
15 
16 namespace bssl {
17 
18 class CertErrors;
19 
20 // SimplePathBuilderDelegate is an implementation of CertPathBuilderDelegate
21 // that uses some default policies:
22 //
23 //   * RSA public keys must be >= |min_rsa_modulus_length_bits|.
24 //   * Signature algorithm can be RSA PKCS#1, RSASSA-PSS or ECDSA
25 //   * Digest algorithm can be SHA256, SHA384 or SHA512.
26 //       * If the |digest_policy| was set to kWeakAllowSha1, then SHA1 is
27 //         additionally accepted.
28 //   * EC named curve can be P-256, P-384, P-521.
29 class OPENSSL_EXPORT SimplePathBuilderDelegate : public CertPathBuilderDelegate {
30  public:
31   enum class DigestPolicy {
32     // Accepts digests of SHA256, SHA384 or SHA512.
33     kStrong,
34 
35     // Accepts everything that kStrong does, plus SHA1, which is collision-prone.
36     kWeakAllowSha1,
37 
38     kMaxValue = kWeakAllowSha1
39   };
40 
41   // Error emitted when a public key is rejected because it is an RSA key with a
42   // modulus size that is too small.
43   static const CertErrorId kRsaModulusTooSmall;
44 
45   SimplePathBuilderDelegate(size_t min_rsa_modulus_length_bits,
46                             DigestPolicy digest_policy);
47 
48   // Accepts RSA PKCS#1, RSASSA-PSS or ECDSA with a SHA256, SHA384 or SHA512 digest;
49   // SHA1 only when |digest_policy_| is kWeakAllowSha1 (per the class comment; confirm in .cc).
50   bool IsSignatureAlgorithmAcceptable(SignatureAlgorithm signature_algorithm,
51                                       CertErrors* errors) override;
52 
53   // Requires RSA keys be >= |min_rsa_modulus_length_bits_| (else kRsaModulusTooSmall).
54   bool IsPublicKeyAcceptable(EVP_PKEY* public_key, CertErrors* errors) override;
55 
56   // No-op implementation: this delegate adds no checks of its own to a verified path.
57   void CheckPathAfterVerification(const CertPathBuilder& path_builder,
58                                   CertPathBuilderResultPath* path) override;
59 
60   // No-op implementation (presumably never reports an expired deadline; confirm in .cc).
61   bool IsDeadlineExpired() override;
62 
63   // No-op implementation (presumably provides no cache; confirm in .cc).
64   SignatureVerifyCache* GetVerifyCache() override;
65 
66  private:
67   const size_t min_rsa_modulus_length_bits_;
68   const DigestPolicy digest_policy_;
69 };
70 
71 }  // namespace bssl
72 
73 #endif  // BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
74