net/cert/internal/extended_key_usage.cc

   1 // Copyright 2015 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/internal/extended_key_usage.h"
   6
   7 #include "base/macros.h"
   8 #include "net/der/input.h"
   9 #include "net/der/parser.h"
  10 #include "net/der/tag.h"
  11
  12 namespace net {
  13
  14 const der::Input AnyEKU() {
  15   // The arc for the anyExtendedKeyUsage OID is found under the id-ce arc,
  16   // defined in section 4.2.1 of RFC 5280:
  17   // id-ce   OBJECT IDENTIFIER ::=  { joint-iso-ccitt(2) ds(5) 29 }
  18   //
  19   // From RFC 5280 section 4.2.1.12:
  20   // id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
  21   // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
  22   // In dotted notation: 2.5.29.37.0
  23   static const uint8_t any_eku[] = {0x55, 0x1d, 0x25, 0x00};
  24   return der::Input(any_eku);
  25 }
  26
  27 const der::Input ServerAuth() {
  28   // All other key usage purposes defined in RFC 5280 are found in the id-kp
  29   // arc, defined in section 4.2.1.12 as:
  30   // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
  31   //
  32   // With id-pkix defined in RFC 5280  section 4.2.2 as:
  33   // id-pkix  OBJECT IDENTIFIER  ::=
  34   //          { iso(1) identified-organization(3) dod(6) internet(1)
  35   //                  security(5) mechanisms(5) pkix(7) }
  36   //
  37   // From RFC 5280 section 4.2.1.12:
  38   // id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
  39   // In dotted notation: 1.3.6.1.5.5.7.3.1
  40   static const uint8_t server_auth[] = {
  41       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};
  42   return der::Input(server_auth);
  43 }
  44
  45 const der::Input ClientAuth() {
  46   // From RFC 5280 section 4.2.1.12:
  47   // id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
  48   // In dotted notation: 1.3.6.1.5.5.7.3.2
  49   static const uint8_t client_auth[] = {
  50       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02};
  51   return der::Input(client_auth);
  52 }
  53
  54 const der::Input CodeSigning() {
  55   // From RFC 5280 section 4.2.1.12:
  56   // id-kp-codeSigning             OBJECT IDENTIFIER ::= { id-kp 3 }
  57   // In dotted notation: 1.3.6.1.5.5.7.3.3
  58   static const uint8_t code_signing[] = {
  59       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03};
  60   return der::Input(code_signing);
  61 }
  62
  63 const der::Input EmailProtection() {
  64   // From RFC 5280 section 4.2.1.12:
  65   // id-kp-emailProtection         OBJECT IDENTIFIER ::= { id-kp 4 }
  66   // In dotted notation: 1.3.6.1.5.5.7.3.4
  67   static const uint8_t email_protection[] = {
  68       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04};
  69   return der::Input(email_protection);
  70 }
  71
  72 const der::Input TimeStamping() {
  73   // From RFC 5280 section 4.2.1.12:
  74   // id-kp-timeStamping            OBJECT IDENTIFIER ::= { id-kp 8 }
  75   // In dotted notation: 1.3.6.1.5.5.7.3.8
  76   static const uint8_t time_stamping[] = {
  77       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08};
  78   return der::Input(time_stamping);
  79 }
  80
  81 const der::Input OCSPSigning() {
  82   // From RFC 5280 section 4.2.1.12:
  83   // id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
  84   // In dotted notation: 1.3.6.1.5.5.7.3.9
  85   static const uint8_t ocsp_signing[] = {
  86       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09};
  87   return der::Input(ocsp_signing);
  88 }
  89
  90 bool ParseEKUExtension(const der::Input& extension_value,
  91                        std::vector<der::Input>* eku_oids) {
  92   der::Parser extension_parser(extension_value);
  93   der::Parser sequence_parser;
  94   if (!extension_parser.ReadSequence(&sequence_parser))
  95     return false;
  96
  97   // Section 4.2.1.12 of RFC 5280 defines ExtKeyUsageSyntax as:
  98   // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
  99   //
 100   // Therefore, the sequence must contain at least one KeyPurposeId.
 101   if (!sequence_parser.HasMore())
 102     return false;
 103   while (sequence_parser.HasMore()) {
 104     der::Input eku_oid;
 105     if (!sequence_parser.ReadTag(der::kOid, &eku_oid))
 106       // The SEQUENCE OF must contain only KeyPurposeIds (OIDs).
 107       return false;
 108     eku_oids->push_back(eku_oid);
 109   }
 110   if (extension_parser.HasMore())
 111     // The extension value must follow ExtKeyUsageSyntax - there is no way that
 112     // it could be extended to allow for something after the SEQUENCE OF.
 113     return false;
 114   return true;
 115 }
 116
 117 }  // namespace net