1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_CERT_X509_CERT_TYPES_H_
6#define NET_CERT_X509_CERT_TYPES_H_
7
8#include <string.h>
9
10#include <map>
11#include <set>
12#include <string>
13#include <vector>
14
15#include "base/logging.h"
16#include "base/strings/string_piece.h"
17#include "build/build_config.h"
18#include "net/base/hash_value.h"
19#include "net/base/net_export.h"
20#include "net/cert/cert_status_flags.h"
21
22#if defined(OS_MACOSX) && !defined(OS_IOS)
23#include <Security/x509defs.h>
24#endif
25
26namespace base {
27class Time;
28}  // namespace base
29
30namespace net {
31
32class X509Certificate;
33
34// CertPrincipal represents the issuer or subject field of an X.509 certificate.
35struct NET_EXPORT CertPrincipal {
36  CertPrincipal();
37  explicit CertPrincipal(const std::string& name);
38  ~CertPrincipal();
39
40#if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN)
41  // Parses a BER-format DistinguishedName.
42  bool ParseDistinguishedName(const void* ber_name_data, size_t length);
43#endif
44
45#if defined(OS_MACOSX) && !defined(OS_IOS)
46  // Compare this CertPrincipal with |against|, returning true if they're
47  // equal enough to be a possible match. This should NOT be used for any
48  // security relevant decisions.
49  // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
50  bool Matches(const CertPrincipal& against) const;
51#endif
52
53  // Returns a name that can be used to represent the issuer.  It tries in this
54  // order: CN, O and OU and returns the first non-empty one found.
55  std::string GetDisplayName() const;
56
57  // The different attributes for a principal, stored in UTF-8.  They may be "".
58  // Note that some of them can have several values.
59
60  std::string common_name;
61  std::string locality_name;
62  std::string state_or_province_name;
63  std::string country_name;
64
65  std::vector<std::string> street_addresses;
66  std::vector<std::string> organization_names;
67  std::vector<std::string> organization_unit_names;
68  std::vector<std::string> domain_components;
69};
70
71// This class is useful for maintaining policies about which certificates are
72// permitted or forbidden for a particular purpose.
73class NET_EXPORT CertPolicy {
74 public:
75  // The judgments this policy can reach.
76  enum Judgment {
77    // We don't have policy information for this certificate.
78    UNKNOWN,
79
80    // This certificate is allowed.
81    ALLOWED,
82
83    // This certificate is denied.
84    DENIED,
85  };
86
87  CertPolicy();
88  ~CertPolicy();
89
90  // Returns the judgment this policy makes about this certificate.
91  // For a certificate to be allowed, it must not have any *additional* errors
92  // from when it was allowed. For a certificate to be denied, it need only
93  // match *any* of the errors that caused it to be denied. We check denial
94  // first, before checking whether it's been allowed.
95  Judgment Check(X509Certificate* cert, CertStatus error) const;
96
97  // Causes the policy to allow this certificate for a given |error|.
98  void Allow(X509Certificate* cert, CertStatus error);
99
100  // Causes the policy to deny this certificate for a given |error|.
101  void Deny(X509Certificate* cert, CertStatus error);
102
103  // Returns true if this policy has allowed at least one certificate.
104  bool HasAllowedCert() const;
105
106  // Returns true if this policy has denied at least one certificate.
107  bool HasDeniedCert() const;
108
109 private:
110  // The set of fingerprints of allowed certificates.
111  std::map<SHA1HashValue, CertStatus, SHA1HashValueLessThan> allowed_;
112
113  // The set of fingerprints of denied certificates.
114  std::map<SHA1HashValue, CertStatus, SHA1HashValueLessThan> denied_;
115};
116
117#if defined(OS_MACOSX) && !defined(OS_IOS)
118// Compares two OIDs by value.
119inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
120  return oid1->Length == oid2->Length &&
121  (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
122}
123#endif
124
125// A list of ASN.1 date/time formats that ParseCertificateDate() supports,
126// encoded in the canonical forms specified in RFC 2459/3280/5280.
127enum CertDateFormat {
128  // UTCTime: Format is YYMMDDHHMMSSZ
129  CERT_DATE_FORMAT_UTC_TIME,
130
131  // GeneralizedTime: Format is YYYYMMDDHHMMSSZ
132  CERT_DATE_FORMAT_GENERALIZED_TIME,
133};
134
135// Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
136// |format|, and writes the result into |*time|. If an invalid date is
137// specified, or if parsing fails, returns false, and |*time| will not be
138// updated.
139NET_EXPORT_PRIVATE bool ParseCertificateDate(const base::StringPiece& raw_date,
140                                             CertDateFormat format,
141                                             base::Time* time);
142}  // namespace net
143
144#endif  // NET_CERT_X509_CERT_TYPES_H_
145