// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_BASE_X509_CERT_TYPES_H_ #define NET_BASE_X509_CERT_TYPES_H_ #include #include #include #include #include "base/logging.h" #include "base/string_piece.h" #include "build/build_config.h" #include "net/base/net_export.h" #if defined(OS_MACOSX) && !defined(OS_IOS) #include #endif namespace base { class Time; } // namespace base namespace net { class X509Certificate; // SHA-1 fingerprint (160 bits) of a certificate. struct NET_EXPORT SHA1HashValue { bool Equals(const SHA1HashValue& other) const { return memcmp(data, other.data, sizeof(data)) == 0; } unsigned char data[20]; }; class NET_EXPORT SHA1HashValueLessThan { public: bool operator()(const SHA1HashValue& lhs, const SHA1HashValue& rhs) const { return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0; } }; struct NET_EXPORT SHA256HashValue { bool Equals(const SHA256HashValue& other) const { return memcmp(data, other.data, sizeof(data)) == 0; } unsigned char data[32]; }; class NET_EXPORT SHA256HashValueLessThan { public: bool operator()(const SHA256HashValue& lhs, const SHA256HashValue& rhs) const { return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0; } }; enum HashValueTag { HASH_VALUE_SHA1, HASH_VALUE_SHA256, // This must always be last. HASH_VALUE_TAGS_COUNT }; class NET_EXPORT HashValue { public: explicit HashValue(HashValueTag tag) : tag(tag) {} HashValue() : tag(HASH_VALUE_SHA1) {} bool Equals(const HashValue& other) const; size_t size() const; unsigned char* data(); const unsigned char* data() const; HashValueTag tag; private: union { SHA1HashValue sha1; SHA256HashValue sha256; } fingerprint; }; class NET_EXPORT HashValueLessThan { public: bool operator()(const HashValue& lhs, const HashValue& rhs) const { size_t lhs_size = lhs.size(); size_t rhs_size = rhs.size(); if (lhs_size != rhs_size) return lhs_size < rhs_size; return memcmp(lhs.data(), rhs.data(), lhs_size) < 0; } }; typedef std::vector HashValueVector; // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted // array of SHA1 hashes. bool NET_EXPORT IsSHA1HashInSortedArray(const SHA1HashValue& hash, const uint8* array, size_t array_byte_len); // CertPrincipal represents the issuer or subject field of an X.509 certificate. struct NET_EXPORT CertPrincipal { CertPrincipal(); explicit CertPrincipal(const std::string& name); ~CertPrincipal(); #if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN) // Parses a BER-format DistinguishedName. bool ParseDistinguishedName(const void* ber_name_data, size_t length); #endif #if defined(OS_MACOSX) // Compare this CertPrincipal with |against|, returning true if they're // equal enough to be a possible match. This should NOT be used for any // security relevant decisions. // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison. bool Matches(const CertPrincipal& against) const; #endif // Returns a name that can be used to represent the issuer. It tries in this // order: CN, O and OU and returns the first non-empty one found. std::string GetDisplayName() const; // The different attributes for a principal, stored in UTF-8. They may be "". // Note that some of them can have several values. std::string common_name; std::string locality_name; std::string state_or_province_name; std::string country_name; std::vector street_addresses; std::vector organization_names; std::vector organization_unit_names; std::vector domain_components; }; // This class is useful for maintaining policies about which certificates are // permitted or forbidden for a particular purpose. class NET_EXPORT CertPolicy { public: // The judgments this policy can reach. enum Judgment { // We don't have policy information for this certificate. UNKNOWN, // This certificate is allowed. ALLOWED, // This certificate is denied. DENIED, }; CertPolicy(); ~CertPolicy(); // Returns the judgment this policy makes about this certificate. Judgment Check(X509Certificate* cert) const; // Causes the policy to allow this certificate. void Allow(X509Certificate* cert); // Causes the policy to deny this certificate. void Deny(X509Certificate* cert); // Returns true if this policy has allowed at least one certificate. bool HasAllowedCert() const; // Returns true if this policy has denied at least one certificate. bool HasDeniedCert() const; private: // The set of fingerprints of allowed certificates. std::set allowed_; // The set of fingerprints of denied certificates. std::set denied_; }; #if defined(OS_MACOSX) && !defined(OS_IOS) // Compares two OIDs by value. inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) { return oid1->Length == oid2->Length && (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0); } #endif // A list of ASN.1 date/time formats that ParseCertificateDate() supports, // encoded in the canonical forms specified in RFC 2459/3280/5280. enum CertDateFormat { // UTCTime: Format is YYMMDDHHMMSSZ CERT_DATE_FORMAT_UTC_TIME, // GeneralizedTime: Format is YYYYMMDDHHMMSSZ CERT_DATE_FORMAT_GENERALIZED_TIME, }; // Attempts to parse |raw_date|, an ASN.1 date/time string encoded as // |format|, and writes the result into |*time|. If an invalid date is // specified, or if parsing fails, returns false, and |*time| will not be // updated. bool ParseCertificateDate(const base::StringPiece& raw_date, CertDateFormat format, base::Time* time); } // namespace net #endif // NET_BASE_X509_CERT_TYPES_H_