1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef NET_CERT_X509_CERT_TYPES_H_ 6#define NET_CERT_X509_CERT_TYPES_H_ 7 8#include <string.h> 9 10#include <map> 11#include <set> 12#include <string> 13#include <vector> 14 15#include "base/logging.h" 16#include "base/strings/string_piece.h" 17#include "build/build_config.h" 18#include "net/base/hash_value.h" 19#include "net/base/net_export.h" 20#include "net/cert/cert_status_flags.h" 21 22#if defined(OS_MACOSX) && !defined(OS_IOS) 23#include <Security/x509defs.h> 24#endif 25 26namespace base { 27class Time; 28} // namespace base 29 30namespace net { 31 32class X509Certificate; 33 34// CertPrincipal represents the issuer or subject field of an X.509 certificate. 35struct NET_EXPORT CertPrincipal { 36 CertPrincipal(); 37 explicit CertPrincipal(const std::string& name); 38 ~CertPrincipal(); 39 40#if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN) 41 // Parses a BER-format DistinguishedName. 42 bool ParseDistinguishedName(const void* ber_name_data, size_t length); 43#endif 44 45#if defined(OS_MACOSX) && !defined(OS_IOS) 46 // Compare this CertPrincipal with |against|, returning true if they're 47 // equal enough to be a possible match. This should NOT be used for any 48 // security relevant decisions. 49 // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison. 50 bool Matches(const CertPrincipal& against) const; 51#endif 52 53 // Returns a name that can be used to represent the issuer. It tries in this 54 // order: CN, O and OU and returns the first non-empty one found. 55 std::string GetDisplayName() const; 56 57 // The different attributes for a principal, stored in UTF-8. They may be "". 58 // Note that some of them can have several values. 59 60 std::string common_name; 61 std::string locality_name; 62 std::string state_or_province_name; 63 std::string country_name; 64 65 std::vector<std::string> street_addresses; 66 std::vector<std::string> organization_names; 67 std::vector<std::string> organization_unit_names; 68 std::vector<std::string> domain_components; 69}; 70 71// This class is useful for maintaining policies about which certificates are 72// permitted or forbidden for a particular purpose. 73class NET_EXPORT CertPolicy { 74 public: 75 // The judgments this policy can reach. 76 enum Judgment { 77 // We don't have policy information for this certificate. 78 UNKNOWN, 79 80 // This certificate is allowed. 81 ALLOWED, 82 83 // This certificate is denied. 84 DENIED, 85 }; 86 87 CertPolicy(); 88 ~CertPolicy(); 89 90 // Returns the judgment this policy makes about this certificate. 91 // For a certificate to be allowed, it must not have any *additional* errors 92 // from when it was allowed. For a certificate to be denied, it need only 93 // match *any* of the errors that caused it to be denied. We check denial 94 // first, before checking whether it's been allowed. 95 Judgment Check(X509Certificate* cert, CertStatus error) const; 96 97 // Causes the policy to allow this certificate for a given |error|. 98 void Allow(X509Certificate* cert, CertStatus error); 99 100 // Causes the policy to deny this certificate for a given |error|. 101 void Deny(X509Certificate* cert, CertStatus error); 102 103 // Returns true if this policy has allowed at least one certificate. 104 bool HasAllowedCert() const; 105 106 // Returns true if this policy has denied at least one certificate. 107 bool HasDeniedCert() const; 108 109 private: 110 // The set of fingerprints of allowed certificates. 111 std::map<SHA1HashValue, CertStatus, SHA1HashValueLessThan> allowed_; 112 113 // The set of fingerprints of denied certificates. 114 std::map<SHA1HashValue, CertStatus, SHA1HashValueLessThan> denied_; 115}; 116 117#if defined(OS_MACOSX) && !defined(OS_IOS) 118// Compares two OIDs by value. 119inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) { 120 return oid1->Length == oid2->Length && 121 (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0); 122} 123#endif 124 125// A list of ASN.1 date/time formats that ParseCertificateDate() supports, 126// encoded in the canonical forms specified in RFC 2459/3280/5280. 127enum CertDateFormat { 128 // UTCTime: Format is YYMMDDHHMMSSZ 129 CERT_DATE_FORMAT_UTC_TIME, 130 131 // GeneralizedTime: Format is YYYYMMDDHHMMSSZ 132 CERT_DATE_FORMAT_GENERALIZED_TIME, 133}; 134 135// Attempts to parse |raw_date|, an ASN.1 date/time string encoded as 136// |format|, and writes the result into |*time|. If an invalid date is 137// specified, or if parsing fails, returns false, and |*time| will not be 138// updated. 139NET_EXPORT_PRIVATE bool ParseCertificateDate(const base::StringPiece& raw_date, 140 CertDateFormat format, 141 base::Time* time); 142} // namespace net 143 144#endif // NET_CERT_X509_CERT_TYPES_H_ 145