1 // Copyright 2016 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef BSSL_PKI_PARSED_CERTIFICATE_H_ 6 #define BSSL_PKI_PARSED_CERTIFICATE_H_ 7 8 #include "fillins/openssl_util.h" 9 #include <map> 10 #include <memory> 11 #include <vector> 12 13 14 #include "certificate_policies.h" 15 #include "parse_certificate.h" 16 #include "signature_algorithm.h" 17 #include "input.h" 18 #include <optional> 19 #include <openssl/base.h> 20 21 namespace bssl { 22 23 struct GeneralNames; 24 class NameConstraints; 25 class ParsedCertificate; 26 class CertErrors; 27 28 using ParsedCertificateList = 29 std::vector<std::shared_ptr<const ParsedCertificate>>; 30 31 // Represents an X.509 certificate, including Certificate, TBSCertificate, and 32 // standard extensions. 33 // Creating a ParsedCertificate does not completely parse and validate the 34 // certificate data. Presence of a member in this class implies the DER was 35 // parsed successfully to that level, but does not imply the contents of that 36 // member are valid, unless otherwise specified. See the documentation for each 37 // member or the documentation of the type it returns. 38 class OPENSSL_EXPORT ParsedCertificate { 39 private: 40 // Used to make constructors private while still being compatible with 41 // |std::make_shared|. 42 class PrivateConstructor { 43 private: 44 friend ParsedCertificate; 45 PrivateConstructor() = default; 46 }; 47 48 public: 49 ~ParsedCertificate(); 50 // Map from OID to ParsedExtension. 51 using ExtensionsMap = std::map<der::Input, ParsedExtension>; 52 53 // Creates a ParsedCertificate given a DER-encoded Certificate. Returns 54 // nullptr on failure. Failure will occur if the standard certificate fields 55 // and supported extensions cannot be parsed. 56 // On either success or failure, if |errors| is non-null it may have error 57 // information added to it. 58 static std::shared_ptr<const ParsedCertificate> Create( 59 bssl::UniquePtr<CRYPTO_BUFFER> cert_data, 60 const ParseCertificateOptions& options, 61 CertErrors* errors); 62 63 // Creates a ParsedCertificate by copying the provided |data|, and appends it 64 // to |chain|. Returns true if the certificate was successfully parsed and 65 // added. If false is return, |chain| is unmodified. 66 // 67 // On either success or failure, if |errors| is non-null it may have error 68 // information added to it. 69 static bool CreateAndAddToVector( 70 bssl::UniquePtr<CRYPTO_BUFFER> cert_data, 71 const ParseCertificateOptions& options, 72 std::vector<std::shared_ptr<const bssl::ParsedCertificate>>* chain, 73 CertErrors* errors); 74 75 explicit ParsedCertificate(PrivateConstructor); 76 77 ParsedCertificate(const ParsedCertificate&) = delete; 78 ParsedCertificate& operator=(const ParsedCertificate&) = delete; 79 80 // Returns the DER-encoded certificate data for this cert. der_cert()81 const der::Input& der_cert() const { return cert_; } 82 83 // Returns the CRYPTO_BUFFER backing this object. cert_buffer()84 CRYPTO_BUFFER* cert_buffer() const { return cert_data_.get(); } 85 86 // Accessors for raw fields of the Certificate. tbs_certificate_tlv()87 const der::Input& tbs_certificate_tlv() const { return tbs_certificate_tlv_; } 88 signature_algorithm_tlv()89 const der::Input& signature_algorithm_tlv() const { 90 return signature_algorithm_tlv_; 91 } 92 signature_value()93 const der::BitString& signature_value() const { return signature_value_; } 94 95 // Accessor for struct containing raw fields of the TbsCertificate. tbs()96 const ParsedTbsCertificate& tbs() const { return tbs_; } 97 98 // Returns the signatureAlgorithm of the Certificate (not the tbsCertificate). 99 // If the signature algorithm is unknown/unsupported, this returns nullopt. signature_algorithm()100 std::optional<SignatureAlgorithm> signature_algorithm() const { 101 return signature_algorithm_; 102 } 103 104 // Returns the DER-encoded raw subject value (including the outer sequence 105 // tag). This is guaranteed to be valid DER, though the contents of unhandled 106 // string types are treated as raw bytes. subject_tlv()107 der::Input subject_tlv() const { return tbs_.subject_tlv; } 108 // Returns the DER-encoded normalized subject value (not including outer 109 // Sequence tag). This is guaranteed to be valid DER, though the contents of 110 // unhandled string types are treated as raw bytes. normalized_subject()111 der::Input normalized_subject() const { 112 return der::Input(normalized_subject_); 113 } 114 // Returns the DER-encoded raw issuer value (including the outer sequence 115 // tag). This is guaranteed to be valid DER, though the contents of unhandled 116 // string types are treated as raw bytes. issuer_tlv()117 der::Input issuer_tlv() const { return tbs_.issuer_tlv; } 118 // Returns the DER-encoded normalized issuer value (not including outer 119 // Sequence tag). This is guaranteed to be valid DER, though the contents of 120 // unhandled string types are treated as raw bytes. normalized_issuer()121 der::Input normalized_issuer() const { 122 return der::Input(normalized_issuer_); 123 } 124 125 // Returns true if the certificate has a BasicConstraints extension. has_basic_constraints()126 bool has_basic_constraints() const { return has_basic_constraints_; } 127 128 // Returns the ParsedBasicConstraints struct. Caller must check 129 // has_basic_constraints() before accessing this. basic_constraints()130 const ParsedBasicConstraints& basic_constraints() const { 131 BSSL_CHECK(has_basic_constraints_); 132 return basic_constraints_; 133 } 134 135 // Returns true if the certificate has a KeyUsage extension. has_key_usage()136 bool has_key_usage() const { return has_key_usage_; } 137 138 // Returns the KeyUsage BitString. Caller must check 139 // has_key_usage() before accessing this. key_usage()140 const der::BitString& key_usage() const { 141 BSSL_CHECK(has_key_usage_); 142 return key_usage_; 143 } 144 145 // Returns true if the certificate has a ExtendedKeyUsage extension. has_extended_key_usage()146 bool has_extended_key_usage() const { return has_extended_key_usage_; } 147 148 // Returns the ExtendedKeyUsage key purpose OIDs. Caller must check 149 // has_extended_key_usage() before accessing this. extended_key_usage()150 const std::vector<der::Input>& extended_key_usage() const { 151 BSSL_CHECK(has_extended_key_usage_); 152 return extended_key_usage_; 153 } 154 155 // Returns true if the certificate has a SubjectAltName extension. has_subject_alt_names()156 bool has_subject_alt_names() const { return subject_alt_names_ != nullptr; } 157 158 // Returns the ParsedExtension struct for the SubjectAltName extension. 159 // If the cert did not have a SubjectAltName extension, this will be a 160 // default-initialized ParsedExtension struct. subject_alt_names_extension()161 const ParsedExtension& subject_alt_names_extension() const { 162 return subject_alt_names_extension_; 163 } 164 165 // Returns the GeneralNames class parsed from SubjectAltName extension, or 166 // nullptr if no SubjectAltName extension was present. subject_alt_names()167 const GeneralNames* subject_alt_names() const { 168 return subject_alt_names_.get(); 169 } 170 171 // Returns true if the certificate has a NameConstraints extension. has_name_constraints()172 bool has_name_constraints() const { return name_constraints_ != nullptr; } 173 174 // Returns the parsed NameConstraints extension. Must not be called if 175 // has_name_constraints() is false. name_constraints()176 const NameConstraints& name_constraints() const { 177 BSSL_CHECK(name_constraints_); 178 return *name_constraints_; 179 } 180 181 // Returns true if the certificate has an AuthorityInfoAccess extension. has_authority_info_access()182 bool has_authority_info_access() const { return has_authority_info_access_; } 183 184 // Returns the ParsedExtension struct for the AuthorityInfoAccess extension. authority_info_access_extension()185 const ParsedExtension& authority_info_access_extension() const { 186 return authority_info_access_extension_; 187 } 188 189 // Returns any caIssuers URIs from the AuthorityInfoAccess extension. ca_issuers_uris()190 const std::vector<std::string_view>& ca_issuers_uris() const { 191 return ca_issuers_uris_; 192 } 193 194 // Returns any OCSP URIs from the AuthorityInfoAccess extension. ocsp_uris()195 const std::vector<std::string_view>& ocsp_uris() const { return ocsp_uris_; } 196 197 // Returns true if the certificate has a Policies extension. has_policy_oids()198 bool has_policy_oids() const { return has_policy_oids_; } 199 200 // Returns the policy OIDs. Caller must check has_policy_oids() before 201 // accessing this. policy_oids()202 const std::vector<der::Input>& policy_oids() const { 203 BSSL_CHECK(has_policy_oids()); 204 return policy_oids_; 205 } 206 207 // Returns true if the certificate has a PolicyConstraints extension. has_policy_constraints()208 bool has_policy_constraints() const { return has_policy_constraints_; } 209 210 // Returns the ParsedPolicyConstraints struct. Caller must check 211 // has_policy_constraints() before accessing this. policy_constraints()212 const ParsedPolicyConstraints& policy_constraints() const { 213 BSSL_CHECK(has_policy_constraints_); 214 return policy_constraints_; 215 } 216 217 // Returns true if the certificate has a PolicyMappings extension. has_policy_mappings()218 bool has_policy_mappings() const { return has_policy_mappings_; } 219 220 // Returns the PolicyMappings extension. Caller must check 221 // has_policy_mappings() before accessing this. policy_mappings()222 const std::vector<ParsedPolicyMapping>& policy_mappings() const { 223 BSSL_CHECK(has_policy_mappings_); 224 return policy_mappings_; 225 } 226 227 // Returns the Inhibit Any Policy extension. inhibit_any_policy()228 const std::optional<uint8_t>& inhibit_any_policy() const { 229 return inhibit_any_policy_; 230 } 231 232 // Returns the AuthorityKeyIdentifier extension, or nullopt if there wasn't 233 // one. authority_key_identifier()234 const std::optional<ParsedAuthorityKeyIdentifier>& authority_key_identifier() 235 const { 236 return authority_key_identifier_; 237 } 238 239 // Returns the SubjectKeyIdentifier extension, or nullopt if there wasn't 240 // one. subject_key_identifier()241 const std::optional<der::Input>& subject_key_identifier() const { 242 return subject_key_identifier_; 243 } 244 245 // Returns a map of all the extensions in the certificate. extensions()246 const ExtensionsMap& extensions() const { return extensions_; } 247 248 // Gets the value for extension matching |extension_oid|. Returns false if the 249 // extension is not present. 250 bool GetExtension(const der::Input& extension_oid, 251 ParsedExtension* parsed_extension) const; 252 253 private: 254 // The backing store for the certificate data. 255 bssl::UniquePtr<CRYPTO_BUFFER> cert_data_; 256 257 // Points to the raw certificate DER. 258 der::Input cert_; 259 260 der::Input tbs_certificate_tlv_; 261 der::Input signature_algorithm_tlv_; 262 der::BitString signature_value_; 263 ParsedTbsCertificate tbs_; 264 265 // The signatureAlgorithm from the Certificate. 266 std::optional<SignatureAlgorithm> signature_algorithm_; 267 268 // Normalized DER-encoded Subject (not including outer Sequence tag). 269 std::string normalized_subject_; 270 // Normalized DER-encoded Issuer (not including outer Sequence tag). 271 std::string normalized_issuer_; 272 273 // BasicConstraints extension. 274 bool has_basic_constraints_ = false; 275 ParsedBasicConstraints basic_constraints_; 276 277 // KeyUsage extension. 278 bool has_key_usage_ = false; 279 der::BitString key_usage_; 280 281 // ExtendedKeyUsage extension. 282 bool has_extended_key_usage_ = false; 283 std::vector<der::Input> extended_key_usage_; 284 285 // Raw SubjectAltName extension. 286 ParsedExtension subject_alt_names_extension_; 287 // Parsed SubjectAltName extension. 288 std::unique_ptr<GeneralNames> subject_alt_names_; 289 290 // NameConstraints extension. 291 std::unique_ptr<NameConstraints> name_constraints_; 292 293 // AuthorityInfoAccess extension. 294 bool has_authority_info_access_ = false; 295 ParsedExtension authority_info_access_extension_; 296 // CaIssuers and Ocsp URIs parsed from the AuthorityInfoAccess extension. Note 297 // that the AuthorityInfoAccess may have contained other AccessDescriptions 298 // which are not represented here. 299 std::vector<std::string_view> ca_issuers_uris_; 300 std::vector<std::string_view> ocsp_uris_; 301 302 // Policies extension. This list will already have been checked for 303 // duplicates. 304 bool has_policy_oids_ = false; 305 std::vector<der::Input> policy_oids_; 306 307 // Policy constraints extension. 308 bool has_policy_constraints_ = false; 309 ParsedPolicyConstraints policy_constraints_; 310 311 // Policy mappings extension. 312 bool has_policy_mappings_ = false; 313 std::vector<ParsedPolicyMapping> policy_mappings_; 314 315 // Inhibit Any Policy extension. 316 std::optional<uint8_t> inhibit_any_policy_; 317 318 // AuthorityKeyIdentifier extension. 319 std::optional<ParsedAuthorityKeyIdentifier> authority_key_identifier_; 320 321 // SubjectKeyIdentifier extension. 322 std::optional<der::Input> subject_key_identifier_; 323 324 // All of the extensions. 325 ExtensionsMap extensions_; 326 }; 327 328 } // namespace net 329 330 #endif // BSSL_PKI_PARSED_CERTIFICATE_H_ 331