1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_GENERAL_NAMES_H_
6 #define BSSL_PKI_GENERAL_NAMES_H_
7 
#include <memory>
#include <string_view>
#include <utility>
#include <vector>

#include "fillins/openssl_util.h"

#include "cert_error_id.h"
15 
namespace bssl {

// Error accumulator that the parsers declared below report into. Only
// forward-declared here; callers need the full definition to inspect it.
class CertErrors;

// Error id recorded into the CertErrors passed to the GeneralName parsers in
// this header when a GeneralName does not parse.
OPENSSL_EXPORT extern const CertErrorId kFailedParsingGeneralName;

namespace der {
class Input;
}  // namespace der

// Bitfield values for the GeneralName types defined in RFC 5280. The ordering
// and exact values are not important, but match the order from the RFC for
// convenience.
//
// These are OR'd together in GeneralNames::present_name_types, so test for a
// type with `present_name_types & GENERAL_NAME_DNS_NAME` rather than `==`.
// GENERAL_NAME_ALL_TYPES is the union of the nine individual type bits.
enum GeneralNameTypes {
  GENERAL_NAME_NONE = 0,
  GENERAL_NAME_OTHER_NAME = 1 << 0,
  GENERAL_NAME_RFC822_NAME = 1 << 1,
  GENERAL_NAME_DNS_NAME = 1 << 2,
  GENERAL_NAME_X400_ADDRESS = 1 << 3,
  GENERAL_NAME_DIRECTORY_NAME = 1 << 4,
  GENERAL_NAME_EDI_PARTY_NAME = 1 << 5,
  GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER = 1 << 6,
  GENERAL_NAME_IP_ADDRESS = 1 << 7,
  GENERAL_NAME_REGISTERED_ID = 1 << 8,
  GENERAL_NAME_ALL_TYPES = (1 << 9) - 1,
};

// Represents a GeneralNames structure. When processing GeneralNames, it is
// often necessary to know which types of names were present, and to check
// all the names of a certain type. Therefore, a bitfield of all the name
// types is kept, and the names are split into members for each type.
//
// LIFETIME: every der::Input and std::string_view member below is a
// non-owning view into the DER buffer the object was parsed from (see Create).
// A GeneralNames must not outlive that buffer; copying the struct copies the
// views, not the underlying bytes.
struct OPENSSL_EXPORT GeneralNames {
  // Controls parsing of iPAddress names in ParseGeneralName.
  // IP_ADDRESS_ONLY parses the iPAddress names as a 4 or 16 byte IP address.
  // IP_ADDRESS_AND_NETMASK parses the iPAddress names as 8 or 32 bytes
  // containing an IP address followed by a netmask.
  //
  // The 4/16-byte form is what |ip_addresses| holds and the 8/32-byte
  // address+mask form is what |ip_address_ranges| holds; a caller must pick
  // the mode matching the extension being parsed (SAN vs. name constraints),
  // since an iPAddress of the wrong length for the chosen mode is a parse
  // failure rather than a silent truncation.
  enum ParseGeneralNameIPAddressType {
    IP_ADDRESS_ONLY,
    IP_ADDRESS_AND_NETMASK,
  };

  GeneralNames();
  ~GeneralNames();

  // Create a GeneralNames object representing the DER-encoded
  // |general_names_tlv|. The returned object may reference data from
  // |general_names_tlv|, so is only valid as long as |general_names_tlv| is.
  // Returns nullptr on failure, and may fill |errors| with
  // additional information. |errors| must be non-null.
  //
  // |general_names_tlv| is the complete element: SEQUENCE tag, length and
  // value. Callers must check for nullptr before use; a failed parse of a
  // SAN or name-constraints extension should be treated as a fatal
  // certificate error, not as "no names present".
  static std::unique_ptr<GeneralNames> Create(
      const der::Input& general_names_tlv,
      CertErrors* errors);

  // As above, but takes the GeneralNames sequence value, without the tag and
  // length.
  //
  // Same lifetime rule: the result views into |general_names_value|.
  static std::unique_ptr<GeneralNames> CreateFromValue(
      const der::Input& general_names_value,
      CertErrors* errors);

  // DER-encoded OtherName values.
  std::vector<der::Input> other_names;

  // ASCII rfc822names.
  std::vector<std::string_view> rfc822_names;

  // ASCII hostnames.
  //
  // "ASCII" here is the parser's guarantee on the byte range only; it does not
  // imply the value is a syntactically valid hostname or that wildcard labels
  // have been validated. Matching code must still do its own checks.
  std::vector<std::string_view> dns_names;

  // DER-encoded ORAddress values.
  std::vector<der::Input> x400_addresses;

  // DER-encoded Name values (not including the Sequence tag).
  std::vector<der::Input> directory_names;

  // DER-encoded EDIPartyName values.
  std::vector<der::Input> edi_party_names;

  // ASCII URIs.
  std::vector<std::string_view> uniform_resource_identifiers;

  // iPAddresses as sequences of octets in network byte order. This will be
  // populated if the GeneralNames represents a Subject Alternative Name. Each
  // address is guaranteed to be either 4 bytes (IPv4) or 16 bytes (IPv6) long.
  //
  // Which of |ip_addresses| and |ip_address_ranges| gets filled is decided by
  // the ParseGeneralNameIPAddressType passed to ParseGeneralName, not by the
  // data itself.
  std::vector<der::Input> ip_addresses;

  // iPAddress ranges, as <IP, mask> pairs. This will be populated
  // if the GeneralNames represents a Name Constraints. Each address is
  // guaranteed to be either 4 bytes (IPv4) or 16 bytes (IPv6) long. The mask
  // half is guaranteed to be the same size, and consist of some number of 1
  // bits, followed by some number of 0 bits.
  //
  // WARNING: It is not guaranteed that the masked portions of the address are
  // zero.
  //
  // Consequence for matchers: code that tests a candidate address against a
  // range must compare `(candidate & mask)` with `(range_address & mask)`,
  // i.e. mask both sides. Comparing against the unmasked range address would
  // make a constraint whose host bits are set behave differently from the
  // equivalent constraint with zeroed host bits.
  //
  // TODO(davidben): Should addresses with non-zero masked portions be rejected?
  std::vector<std::pair<der::Input, der::Input>> ip_address_ranges;

  // DER-encoded OBJECT IDENTIFIERs.
  std::vector<der::Input> registered_ids;

  // Which name types were present, as a bitfield of GeneralNameTypes.
  // A type bit may be set even when the corresponding vector has entries of
  // no interest to the caller; conversely, checking only the vectors without
  // this field loses the "type was present" signal needed for name-constraint
  // handling of unrecognised types.
  int present_name_types = GENERAL_NAME_NONE;
};

// Parses a GeneralName value and adds it to |subtrees|.
// |ip_address_type| specifies how to parse iPAddress names.
// Returns false on failure, and may fill |errors| with additional information.
// |errors| must be non-null.
//
// |input| is a single GeneralName CHOICE element; |subtrees| is the
// accumulator whose per-type vector and present_name_types bit are updated.
// The returned bool is [[nodiscard]] because a false result must abort
// processing of the enclosing extension. Whether |subtrees| is left untouched
// on failure is not specified here, so callers should discard it on failure
// rather than continue using a possibly partially-updated object.
// TODO(mattm): should this be a method on GeneralNames?
[[nodiscard]] OPENSSL_EXPORT bool ParseGeneralName(
    const der::Input& input,
    GeneralNames::ParseGeneralNameIPAddressType ip_address_type,
    GeneralNames* subtrees,
    CertErrors* errors);

}  // namespace bssl
132 
133 #endif  // BSSL_PKI_GENERAL_NAMES_H_
134