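// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_BASE_X509_CERT_TYPES_H_
#define NET_BASE_X509_CERT_TYPES_H_
#pragma once

// <cstddef> for size_t, <cstring> for std::memcmp: spelled out so this header
// does not depend on what the C headers happen to declare transitively.
#include <cstddef>
#include <cstring>

#include <set>
#include <string>
#include <vector>

#include "build/build_config.h"

#if defined(OS_MACOSX)
#include <Security/x509defs.h>
#endif

namespace base {
class Time;
class StringPiece;
}  // namespace base

namespace net {

class X509Certificate;

// SHA-1 fingerprint (160 bits) of a certificate, held as 20 raw bytes.
//
// NOTE(review): SHA-1 collision resistance is no longer considered adequate
// for identifying certificates in a security decision; anything that keys an
// allow/deny policy on this type (see CertPolicy below) should plan to move to
// a SHA-256 fingerprint. Kept as-is here to preserve the existing interface.
struct SHA1Fingerprint {
  // Byte-wise equality of the two fingerprints. Fingerprints are public
  // values, not secrets, so a non-constant-time compare is acceptable.
  bool Equals(const SHA1Fingerprint& other) const {
    return std::memcmp(data, other.data, sizeof(data)) == 0;
  }

  unsigned char data[20];
};

// Strict weak ordering over SHA1Fingerprint, for use as the comparator of a
// std::set / std::map. Orders byte-lexicographically with memcmp semantics
// (bytes compared as unsigned char), so it agrees with
// SHA1Fingerprint::Equals(): two fingerprints compare equivalent under this
// ordering exactly when Equals() returns true.
class SHA1FingerprintLessThan {
 public:
  bool operator() (const SHA1Fingerprint& lhs,
                   const SHA1Fingerprint& rhs) const {
    return std::memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0;
  }
};

// CertPrincipal represents the issuer or subject field of an X.509 certificate.
//
// The attribute values below are taken from the certificate itself, i.e. from
// untrusted input; they are suitable for display and for matching, but a
// principal's name alone is not evidence that the certificate was verified.
struct CertPrincipal {
  CertPrincipal();
  // Constructs a principal from |name|; which attribute |name| populates is
  // defined in the .cc file.
  explicit CertPrincipal(const std::string& name);
  ~CertPrincipal();

#if defined(OS_MACOSX)
  // Parses a BER-format DistinguishedName of |length| bytes starting at
  // |ber_name_data|. Returns false if the name could not be parsed.
  bool ParseDistinguishedName(const void* ber_name_data, size_t length);

  // Parses a CSSM_X509_NAME struct.
  void Parse(const CSSM_X509_NAME* name);

  // Compare this CertPrincipal with |against|, returning true if they're
  // equal enough to be a possible match. This should NOT be used for any
  // security relevant decisions.
  // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
  bool Matches(const CertPrincipal& against) const;
#endif

  // Returns a name that can be used to represent the issuer. It tries in this
  // order: CN, O and OU and returns the first non-empty one found.
  std::string GetDisplayName() const;

  // The different attributes for a principal. They may be "".
  // Note that some of them can have several values, hence the vectors below.

  std::string common_name;
  std::string locality_name;
  std::string state_or_province_name;
  std::string country_name;

  std::vector<std::string> street_addresses;
  std::vector<std::string> organization_names;
  std::vector<std::string> organization_unit_names;
  std::vector<std::string> domain_components;
};

// This class is useful for maintaining policies about which certificates are
// permitted or forbidden for a particular purpose.
//
// Decisions are recorded per certificate, keyed by SHA-1 fingerprint (see the
// |allowed_| and |denied_| members); the policy does not retain the
// X509Certificate objects passed to Allow()/Deny().
class CertPolicy {
 public:
  // The judgments this policy can reach.
  enum Judgment {
    // We don't have policy information for this certificate.
    UNKNOWN,

    // This certificate is allowed.
    ALLOWED,

    // This certificate is denied.
    DENIED,
  };

  CertPolicy();
  ~CertPolicy();

  // Returns the judgment this policy makes about this certificate.
  // NOTE(review): which judgment wins if the same fingerprint has been both
  // allowed and denied is decided in the .cc file — confirm there.
  Judgment Check(X509Certificate* cert) const;

  // Causes the policy to allow this certificate.
  void Allow(X509Certificate* cert);

  // Causes the policy to deny this certificate.
  void Deny(X509Certificate* cert);

  // Returns true if this policy has allowed at least one certificate.
  bool HasAllowedCert() const;

  // Returns true if this policy has denied at least one certificate.
  bool HasDeniedCert() const;

 private:
  // The set of fingerprints of allowed certificates.
  std::set<SHA1Fingerprint, SHA1FingerprintLessThan> allowed_;

  // The set of fingerprints of denied certificates.
  std::set<SHA1Fingerprint, SHA1FingerprintLessThan> denied_;
};

#if defined(OS_MACOSX)
// Compares two OIDs by value. Both pointers must be non-null. The length
// check comes first so that the memcmp never reads past the shorter buffer.
inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
  return oid1->Length == oid2->Length &&
      (std::memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
}
#endif

// A list of ASN.1 date/time formats that ParseCertificateDate() supports,
// encoded in the canonical forms specified in RFC 2459/3280/5280.
enum CertDateFormat {
  // UTCTime: Format is YYMMDDHHMMSSZ
  CERT_DATE_FORMAT_UTC_TIME,

  // GeneralizedTime: Format is YYYYMMDDHHMMSSZ
  CERT_DATE_FORMAT_GENERALIZED_TIME,
};

// Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
// |format|, and writes the result into |*time|. If an invalid date is
// specified, or if parsing fails, returns false, and |*time| will not be
// updated. Callers must therefore check the return value before using
// |*time|; |raw_date| is untrusted certificate data and need not be in the
// expected form.
bool ParseCertificateDate(const base::StringPiece& raw_date,
                          CertDateFormat format,
                          base::Time* time);

}  // namespace net

#endif  // NET_BASE_X509_CERT_TYPES_H_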