net/cert/x509_cert_types.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_X509_CERT_TYPES_H_
   6 #define NET_CERT_X509_CERT_TYPES_H_
   7
   8 #include <string.h>
   9
  10 #include <set>
  11 #include <string>
  12 #include <vector>
  13
  14 #include "base/logging.h"
  15 #include "base/strings/string_piece.h"
  16 #include "build/build_config.h"
  17 #include "net/base/hash_value.h"
  18 #include "net/base/net_export.h"
  19
  20 #if defined(OS_MACOSX) && !defined(OS_IOS)
  21 #include <Security/x509defs.h>
  22 #endif
  23
  24 namespace base {
  25 class Time;
  26 }  // namespace base
  27
  28 namespace net {
  29
  30 class X509Certificate;
  31
  32 // CertPrincipal represents the issuer or subject field of an X.509 certificate.
  33 struct NET_EXPORT CertPrincipal {
  34   CertPrincipal();
  35   explicit CertPrincipal(const std::string& name);
  36   ~CertPrincipal();
  37
  38 #if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN)
  39   // Parses a BER-format DistinguishedName.
  40   bool ParseDistinguishedName(const void* ber_name_data, size_t length);
  41 #endif
  42
  43 #if defined(OS_MACOSX)
  44   // Compare this CertPrincipal with |against|, returning true if they're
  45   // equal enough to be a possible match. This should NOT be used for any
  46   // security relevant decisions.
  47   // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
  48   bool Matches(const CertPrincipal& against) const;
  49 #endif
  50
  51   // Returns a name that can be used to represent the issuer.  It tries in this
  52   // order: CN, O and OU and returns the first non-empty one found.
  53   std::string GetDisplayName() const;
  54
  55   // The different attributes for a principal, stored in UTF-8.  They may be "".
  56   // Note that some of them can have several values.
  57
  58   std::string common_name;
  59   std::string locality_name;
  60   std::string state_or_province_name;
  61   std::string country_name;
  62
  63   std::vector<std::string> street_addresses;
  64   std::vector<std::string> organization_names;
  65   std::vector<std::string> organization_unit_names;
  66   std::vector<std::string> domain_components;
  67 };
  68
  69 // This class is useful for maintaining policies about which certificates are
  70 // permitted or forbidden for a particular purpose.
  71 class NET_EXPORT CertPolicy {
  72  public:
  73   // The judgments this policy can reach.
  74   enum Judgment {
  75     // We don't have policy information for this certificate.
  76     UNKNOWN,
  77
  78     // This certificate is allowed.
  79     ALLOWED,
  80
  81     // This certificate is denied.
  82     DENIED,
  83   };
  84
  85   CertPolicy();
  86   ~CertPolicy();
  87
  88   // Returns the judgment this policy makes about this certificate.
  89   Judgment Check(X509Certificate* cert) const;
  90
  91   // Causes the policy to allow this certificate.
  92   void Allow(X509Certificate* cert);
  93
  94   // Causes the policy to deny this certificate.
  95   void Deny(X509Certificate* cert);
  96
  97   // Returns true if this policy has allowed at least one certificate.
  98   bool HasAllowedCert() const;
  99
 100   // Returns true if this policy has denied at least one certificate.
 101   bool HasDeniedCert() const;
 102
 103  private:
 104   // The set of fingerprints of allowed certificates.
 105   std::set<SHA1HashValue, SHA1HashValueLessThan> allowed_;
 106
 107   // The set of fingerprints of denied certificates.
 108   std::set<SHA1HashValue, SHA1HashValueLessThan> denied_;
 109 };
 110
 111 #if defined(OS_MACOSX) && !defined(OS_IOS)
 112 // Compares two OIDs by value.
 113 inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
 114   return oid1->Length == oid2->Length &&
 115   (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
 116 }
 117 #endif
 118
 119 // A list of ASN.1 date/time formats that ParseCertificateDate() supports,
 120 // encoded in the canonical forms specified in RFC 2459/3280/5280.
 121 enum CertDateFormat {
 122   // UTCTime: Format is YYMMDDHHMMSSZ
 123   CERT_DATE_FORMAT_UTC_TIME,
 124
 125   // GeneralizedTime: Format is YYYYMMDDHHMMSSZ
 126   CERT_DATE_FORMAT_GENERALIZED_TIME,
 127 };
 128
 129 // Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
 130 // |format|, and writes the result into |*time|. If an invalid date is
 131 // specified, or if parsing fails, returns false, and |*time| will not be
 132 // updated.
 133 bool ParseCertificateDate(const base::StringPiece& raw_date,
 134                           CertDateFormat format,
 135                           base::Time* time);
 136 }  // namespace net
 137
 138 #endif  // NET_CERT_X509_CERT_TYPES_H_