1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/internal/extended_key_usage.h"
7 #include "base/macros.h"
8 #include "net/der/input.h"
9 #include "net/der/parser.h"
10 #include "net/der/tag.h"
12 namespace net {
const der::Input AnyEKU() {
  // DER-encoded anyExtendedKeyUsage. It hangs off the id-ce arc from
  // RFC 5280 section 4.2.1:
  //   id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
  // and is defined in RFC 5280 section 4.2.1.12 as:
  //   id-ce-extKeyUsage   OBJECT IDENTIFIER ::= { id-ce 37 }
  //   anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
  // i.e. 2.5.29.37.0 in dotted form (0x55 is the packed first pair 2*40+5).
  //
  // The bytes live in function-local static storage, so the returned
  // der::Input stays valid for the lifetime of the program whether or not it
  // copies the bytes it is given.
  static const uint8_t kAnyExtendedKeyUsage[] = {0x55, 0x1d, 0x25, 0x00};
  const der::Input oid(kAnyExtendedKeyUsage);
  return oid;
}
const der::Input ServerAuth() {
  // DER-encoded id-kp-serverAuth. Every key purpose in RFC 5280 other than
  // anyExtendedKeyUsage lives under the id-kp arc (section 4.2.1.12):
  //   id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
  // where id-pkix is given in RFC 5280 section 4.2.2 as:
  //   id-pkix OBJECT IDENTIFIER ::=
  //     { iso(1) identified-organization(3) dod(6) internet(1)
  //       security(5) mechanisms(5) pkix(7) }
  // and (section 4.2.1.12):
  //   id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
  // i.e. 1.3.6.1.5.5.7.3.1 (0x2b is the packed first pair 1*40+3).
  //
  // Function-local static storage keeps the bytes alive for the whole
  // program, so the returned der::Input never dangles.
  static const uint8_t kServerAuth[] = {0x2b, 0x06, 0x01, 0x05,
                                        0x05, 0x07, 0x03, 0x01};
  const der::Input oid(kServerAuth);
  return oid;
}
const der::Input ClientAuth() {
  // DER-encoded id-kp-clientAuth, RFC 5280 section 4.2.1.12:
  //   id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
  // i.e. 1.3.6.1.5.5.7.3.2 (id-kp is spelled out in ServerAuth()).
  //
  // Function-local static storage keeps the bytes alive for the whole
  // program, so the returned der::Input never dangles.
  static const uint8_t kClientAuth[] = {0x2b, 0x06, 0x01, 0x05,
                                        0x05, 0x07, 0x03, 0x02};
  const der::Input oid(kClientAuth);
  return oid;
}
const der::Input CodeSigning() {
  // DER-encoded id-kp-codeSigning, RFC 5280 section 4.2.1.12:
  //   id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
  // i.e. 1.3.6.1.5.5.7.3.3 (id-kp is spelled out in ServerAuth()).
  //
  // Function-local static storage keeps the bytes alive for the whole
  // program, so the returned der::Input never dangles.
  static const uint8_t kCodeSigning[] = {0x2b, 0x06, 0x01, 0x05,
                                         0x05, 0x07, 0x03, 0x03};
  const der::Input oid(kCodeSigning);
  return oid;
}
const der::Input EmailProtection() {
  // DER-encoded id-kp-emailProtection, RFC 5280 section 4.2.1.12:
  //   id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
  // i.e. 1.3.6.1.5.5.7.3.4 (id-kp is spelled out in ServerAuth()).
  //
  // Function-local static storage keeps the bytes alive for the whole
  // program, so the returned der::Input never dangles.
  static const uint8_t kEmailProtection[] = {0x2b, 0x06, 0x01, 0x05,
                                             0x05, 0x07, 0x03, 0x04};
  const der::Input oid(kEmailProtection);
  return oid;
}
const der::Input TimeStamping() {
  // DER-encoded id-kp-timeStamping, RFC 5280 section 4.2.1.12:
  //   id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
  // i.e. 1.3.6.1.5.5.7.3.8 (id-kp is spelled out in ServerAuth()).
  //
  // Function-local static storage keeps the bytes alive for the whole
  // program, so the returned der::Input never dangles.
  static const uint8_t kTimeStamping[] = {0x2b, 0x06, 0x01, 0x05,
                                          0x05, 0x07, 0x03, 0x08};
  const der::Input oid(kTimeStamping);
  return oid;
}
const der::Input OCSPSigning() {
  // DER-encoded id-kp-OCSPSigning, RFC 5280 section 4.2.1.12:
  //   id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
  // i.e. 1.3.6.1.5.5.7.3.9 (id-kp is spelled out in ServerAuth()).
  //
  // Function-local static storage keeps the bytes alive for the whole
  // program, so the returned der::Input never dangles.
  static const uint8_t kOcspSigning[] = {0x2b, 0x06, 0x01, 0x05,
                                         0x05, 0x07, 0x03, 0x09};
  const der::Input oid(kOcspSigning);
  return oid;
}
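bool ParseEKUExtension(const der::Input& extension_value,
                       std::vector<der::Input>* eku_oids) {
  // Parses the DER value of an extKeyUsage extension, RFC 5280 section
  // 4.2.1.12:
  //
  //   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
  //   KeyPurposeId ::= OBJECT IDENTIFIER
  //
  // On success every KeyPurposeId is appended to |eku_oids| (existing
  // contents are kept) and true is returned. On failure false is returned
  // and |eku_oids| is NOT modified: a caller that checks the list before the
  // return value, or forgets to check it, cannot act on a half-parsed
  // extension. Parsing is strict and fails closed - an empty SEQUENCE, an
  // element that is not an OID, or any bytes after the SEQUENCE reject the
  // whole extension. Duplicate KeyPurposeIds are not detected here.
  der::Parser extension_parser(extension_value);
  der::Parser sequence_parser;
  if (!extension_parser.ReadSequence(&sequence_parser))
    return false;

  // SIZE (1..MAX): the SEQUENCE OF must hold at least one KeyPurposeId.
  if (!sequence_parser.HasMore())
    return false;

  // Accumulate into a scratch vector so that a malformed element part-way
  // through the SEQUENCE OF does not leave a truncated list in |eku_oids|.
  std::vector<der::Input> parsed_oids;
  while (sequence_parser.HasMore()) {
    der::Input eku_oid;
    // Only the OBJECT IDENTIFIER tag is checked here; whether the OID
    // contents themselves are well-formed is not validated in this function
    // (assumed to be the DER parser's or the comparing caller's job - confirm).
    if (!sequence_parser.ReadTag(der::kOid, &eku_oid))
      return false;
    parsed_oids.push_back(eku_oid);
  }

  // The extension value is exactly one ExtKeyUsageSyntax; ASN.1 gives no way
  // to extend it with anything after the SEQUENCE OF, so trailing bytes are
  // an encoding error rather than a future extension point.
  if (extension_parser.HasMore())
    return false;

  eku_oids->insert(eku_oids->end(), parsed_oids.begin(), parsed_oids.end());
  return true;
}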
117 } // namespace net