1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_CERT_INTERNAL_SIGNATURE_POLICY_H_
6 #define NET_CERT_INTERNAL_SIGNATURE_POLICY_H_
8 #include "base/compiler_specific.h"
9 #include "net/base/net_export.h"
10 #include "net/cert/internal/signature_algorithm.h"
14 class SignatureAlgorithm
;
16 // SignaturePolicy is an interface (and base implementation) for applying
17 // policies when verifying signed data. It lets callers override which
18 // algorithms, named curves, and key sizes to allow.
19 class NET_EXPORT SignaturePolicy
{
21 virtual ~SignaturePolicy() {}
23 // Implementations should return true if |algorithm| is acceptable. For
24 // instance, implementations could reject any signature algorithms that used
27 // The default implementation accepts all signature algorithms.
28 virtual bool IsAcceptableSignatureAlgorithm(
29 const SignatureAlgorithm
& algorithm
) const;
31 // Implementations should return true if |curve_nid| is an allowed
32 // elliptical curve. |curve_nid| is an object ID from BoringSSL (for example
35 // The default implementation accepts secp256r1, secp384r1, secp521r1 only.
36 virtual bool IsAcceptableCurveForEcdsa(int curve_nid
) const;
38 // Implementations should return true if |modulus_length_bits| is an allowed
39 // RSA key size in bits.
41 // The default implementation accepts any modulus length >= 2048 bits.
42 virtual bool IsAcceptableModulusLengthForRsa(
43 size_t modulus_length_bits
) const;
46 // SimpleSignaturePolicy modifies the base SignaturePolicy by allowing the
47 // minimum RSA key length to be specified (rather than hard coded to 2048).
49 // TODO(eroman): This is currently just used by a test. If it ends up being
50 // only useful for the unit-test then move it directly to that test file.
51 class NET_EXPORT SimpleSignaturePolicy
: public SignaturePolicy
{
53 explicit SimpleSignaturePolicy(size_t min_rsa_modulus_length_bits
);
55 bool IsAcceptableModulusLengthForRsa(
56 size_t modulus_length_bits
) const override
;
59 const size_t min_rsa_modulus_length_bits_
;
64 #endif // NET_CERT_INTERNAL_SIGNATURE_POLICY_H_