/src/boringssl/pki/name_constraints.h
1 | | // Copyright 2015 The Chromium Authors |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #ifndef BSSL_PKI_NAME_CONSTRAINTS_H_ |
16 | | #define BSSL_PKI_NAME_CONSTRAINTS_H_ |
17 | | |
18 | | #include <memory> |
19 | | |
20 | | #include <openssl/base.h> |
21 | | |
22 | | #include "general_names.h" |
23 | | |
24 | | BSSL_NAMESPACE_BEGIN |
25 | | |
26 | | class CertErrors; |
27 | | |
28 | | namespace der { |
29 | | class Input; |
30 | | } // namespace der |
31 | | |
32 | | // Parses a NameConstraints extension value and allows testing whether names are |
33 | | // allowed under those constraints as defined by RFC 5280 section 4.2.1.10. |
class OPENSSL_EXPORT NameConstraints {
 public:
  ~NameConstraints();

  // Builds a NameConstraints from the DER-encoded extnValue of a
  // NameConstraints extension (the contents of the OCTET STRING, without its
  // tag). |is_critical| records whether the extension was marked critical;
  // this decides whether unsupported name forms are reported by
  // constrained_name_types(). Returns nullptr if parsing the extension fails;
  // |errors| receives any errors encountered.
  //
  // Lifetime: the returned object may keep references into |extension_value|
  // and must not outlive that buffer.
  static std::unique_ptr<NameConstraints> Create(der::Input extension_value,
                                                 bool is_critical,
                                                 CertErrors *errors);

  // Builds a NameConstraints that has |permitted_subtrees| as its permitted
  // names and no excluded names. This should never return nullptr.
  static std::unique_ptr<NameConstraints> CreateFromPermittedSubtrees(
      GeneralNames permitted_subtrees);

  // Checks a certificate against these constraints. |subject_rdn_sequence| is
  // the DER-encoded value of the subject's RDNSequence without its SEQUENCE
  // tag, and may be an empty sequence. |subject_alt_names| is the parsed
  // subjectAltName extension, or nullptr when the certificate has none.
  //
  // The result is reported only through |errors|: a violation adds an error
  // there and nothing is returned, so callers must inspect |errors| rather
  // than assume success. Hostnames or IP addresses carried in the
  // commonName are not checked; that usage is deprecated (crbug.com/308330).
  void IsPermittedCert(der::Input subject_rdn_sequence,
                       const GeneralNames *subject_alt_names,
                       CertErrors *errors) const;

  // Returns true if the ASCII email address |name| is permitted. |name| is
  // expected to be a "mailbox" as defined by RFC 2821; this implementation
  // additionally rejects quoted local parts and whitespace.
  bool IsPermittedRfc822Name(std::string_view name,
                             bool case_insensitive_exclude_localpart) const;

  // Returns true if the ASCII hostname |name| is permitted. |name| may be a
  // wildcard hostname (leading "*."). For example, "*.bar.com" is not
  // permitted when "bar.com" is permitted but "foo.bar.com" is excluded,
  // whereas "*.baz.com" is permitted only when "baz.com" is permitted.
  bool IsPermittedDNSName(std::string_view name) const;

  // Returns true if the directoryName |name_rdn_sequence| is permitted.
  // |name_rdn_sequence| is the DER-encoded RDNSequence value without its
  // SEQUENCE tag.
  bool IsPermittedDirectoryName(der::Input name_rdn_sequence) const;

  // Returns true if the iPAddress |ip| is permitted.
  bool IsPermittedIP(der::Input ip) const;

  // Returns a bitfield of GeneralNameTypes naming every name form this
  // NameConstraints constrains. Unsupported name forms appear in the result
  // only when the constraint that mentioned them was marked critical.
  //
  // Background, from RFC 5280 section 4.2.1.10:
  //   Applications conforming to this profile MUST be able to process name
  //   constraints that are imposed on the directoryName name form and SHOULD
  //   be able to process name constraints that are imposed on the rfc822Name,
  //   uniformResourceIdentifier, dNSName, and iPAddress name forms.
  //   If a name constraints extension that is marked as critical imposes
  //   constraints on a particular name form, and an instance of that name
  //   form appears in the subject field or subjectAltName extension of a
  //   subsequent certificate, then the application MUST either process the
  //   constraint or reject the certificate.
  int constrained_name_types() const {
    return constrained_name_types_;
  }

  // Read-only access to the parsed permittedSubtrees.
  const GeneralNames &permitted_subtrees() const {
    return permitted_subtrees_;
  }

  // Read-only access to the parsed excludedSubtrees.
  const GeneralNames &excluded_subtrees() const {
    return excluded_subtrees_;
  }

 private:
  // Fills in the members below from |extension_value|; false on failure.
  [[nodiscard]] bool Parse(der::Input extension_value, bool is_critical,
                           CertErrors *errors);

  GeneralNames permitted_subtrees_;
  GeneralNames excluded_subtrees_;
  // Bitfield of GeneralNameTypes; starts out with no name forms constrained.
  int constrained_name_types_ = GENERAL_NAME_NONE;
};
113 | | |
114 | | BSSL_NAMESPACE_END |
115 | | |
116 | | #endif // BSSL_PKI_NAME_CONSTRAINTS_H_ |