• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_BASE_X509_CERT_TYPES_H_
6 #define NET_BASE_X509_CERT_TYPES_H_
7 #pragma once
8 
9 #include <string.h>
10 
11 #include <set>
12 #include <string>
13 #include <vector>
14 
15 #include "build/build_config.h"
16 
17 #if defined(OS_MACOSX)
18 #include <Security/x509defs.h>
19 #endif
20 
21 namespace base {
22 class Time;
23 class StringPiece;
24 }  // namespace base
25 
26 namespace net {
27 
28 class X509Certificate;
29 
30 // SHA-1 fingerprint (160 bits) of a certificate.
31 struct SHA1Fingerprint {
EqualsSHA1Fingerprint32   bool Equals(const SHA1Fingerprint& other) const {
33     return memcmp(data, other.data, sizeof(data)) == 0;
34   }
35 
36   unsigned char data[20];
37 };
38 
39 class SHA1FingerprintLessThan {
40  public:
operator()41   bool operator() (const SHA1Fingerprint& lhs,
42                    const SHA1Fingerprint& rhs) const {
43     return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0;
44   }
45 };
46 
47 // CertPrincipal represents the issuer or subject field of an X.509 certificate.
48 struct CertPrincipal {
49   CertPrincipal();
50   explicit CertPrincipal(const std::string& name);
51   ~CertPrincipal();
52 
53 #if defined(OS_MACOSX)
54   // Parses a BER-format DistinguishedName.
55   bool ParseDistinguishedName(const void* ber_name_data, size_t length);
56 
57   // Parses a CSSM_X509_NAME struct.
58   void Parse(const CSSM_X509_NAME* name);
59 
60   // Compare this CertPrincipal with |against|, returning true if they're
61   // equal enough to be a possible match. This should NOT be used for any
62   // security relevant decisions.
63   // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
64   bool Matches(const CertPrincipal& against) const;
65 #endif
66 
67   // Returns a name that can be used to represent the issuer.  It tries in this
68   // order: CN, O and OU and returns the first non-empty one found.
69   std::string GetDisplayName() const;
70 
71   // The different attributes for a principal.  They may be "".
72   // Note that some of them can have several values.
73 
74   std::string common_name;
75   std::string locality_name;
76   std::string state_or_province_name;
77   std::string country_name;
78 
79   std::vector<std::string> street_addresses;
80   std::vector<std::string> organization_names;
81   std::vector<std::string> organization_unit_names;
82   std::vector<std::string> domain_components;
83 };
84 
85 // This class is useful for maintaining policies about which certificates are
86 // permitted or forbidden for a particular purpose.
87 class CertPolicy {
88  public:
89   // The judgments this policy can reach.
90   enum Judgment {
91     // We don't have policy information for this certificate.
92     UNKNOWN,
93 
94     // This certificate is allowed.
95     ALLOWED,
96 
97     // This certificate is denied.
98     DENIED,
99   };
100 
101   CertPolicy();
102   ~CertPolicy();
103 
104   // Returns the judgment this policy makes about this certificate.
105   Judgment Check(X509Certificate* cert) const;
106 
107   // Causes the policy to allow this certificate.
108   void Allow(X509Certificate* cert);
109 
110   // Causes the policy to deny this certificate.
111   void Deny(X509Certificate* cert);
112 
113   // Returns true if this policy has allowed at least one certificate.
114   bool HasAllowedCert() const;
115 
116   // Returns true if this policy has denied at least one certificate.
117   bool HasDeniedCert() const;
118 
119  private:
120   // The set of fingerprints of allowed certificates.
121   std::set<SHA1Fingerprint, SHA1FingerprintLessThan> allowed_;
122 
123   // The set of fingerprints of denied certificates.
124   std::set<SHA1Fingerprint, SHA1FingerprintLessThan> denied_;
125 };
126 
127 #if defined(OS_MACOSX)
128 // Compares two OIDs by value.
CSSMOIDEqual(const CSSM_OID * oid1,const CSSM_OID * oid2)129 inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
130   return oid1->Length == oid2->Length &&
131   (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
132 }
133 #endif
134 
135 // A list of ASN.1 date/time formats that ParseCertificateDate() supports,
136 // encoded in the canonical forms specified in RFC 2459/3280/5280.
137 enum CertDateFormat {
138   // UTCTime: Format is YYMMDDHHMMSSZ
139   CERT_DATE_FORMAT_UTC_TIME,
140 
141   // GeneralizedTime: Format is YYYYMMDDHHMMSSZ
142   CERT_DATE_FORMAT_GENERALIZED_TIME,
143 };
144 
145 // Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
146 // |format|, and writes the result into |*time|. If an invalid date is
147 // specified, or if parsing fails, returns false, and |*time| will not be
148 // updated.
149 bool ParseCertificateDate(const base::StringPiece& raw_date,
150                           CertDateFormat format,
151                           base::Time* time);
152 }  // namespace net
153 
154 #endif  // NET_BASE_X509_CERT_TYPES_H_
155