1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_CERT_X509_CERT_TYPES_H_
6 #define NET_CERT_X509_CERT_TYPES_H_
15 #include "base/logging.h"
16 #include "base/strings/string_piece.h"
17 #include "build/build_config.h"
18 #include "net/base/hash_value.h"
19 #include "net/base/net_export.h"
20 #include "net/cert/cert_status_flags.h"
22 #if defined(OS_MACOSX) && !defined(OS_IOS)
23 #include <Security/x509defs.h>
32 class X509Certificate
;
34 // CertPrincipal represents the issuer or subject field of an X.509 certificate.
35 struct NET_EXPORT CertPrincipal
{
37 explicit CertPrincipal(const std::string
& name
);
40 #if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN)
41 // Parses a BER-format DistinguishedName.
42 bool ParseDistinguishedName(const void* ber_name_data
, size_t length
);
45 #if defined(OS_MACOSX) && !defined(OS_IOS)
46 // Compare this CertPrincipal with |against|, returning true if they're
47 // equal enough to be a possible match. This should NOT be used for any
48 // security relevant decisions.
49 // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
50 bool Matches(const CertPrincipal
& against
) const;
53 // Returns a name that can be used to represent the issuer. It tries in this
54 // order: CN, O and OU and returns the first non-empty one found.
55 std::string
GetDisplayName() const;
57 // The different attributes for a principal, stored in UTF-8. They may be "".
58 // Note that some of them can have several values.
60 std::string common_name
;
61 std::string locality_name
;
62 std::string state_or_province_name
;
63 std::string country_name
;
65 std::vector
<std::string
> street_addresses
;
66 std::vector
<std::string
> organization_names
;
67 std::vector
<std::string
> organization_unit_names
;
68 std::vector
<std::string
> domain_components
;
71 // This class is useful for maintaining policies about which certificates are
72 // permitted or forbidden for a particular purpose.
73 class NET_EXPORT CertPolicy
{
75 // The judgments this policy can reach.
77 // We don't have policy information for this certificate.
80 // This certificate is allowed.
83 // This certificate is denied.
90 // Returns the judgment this policy makes about this certificate.
91 // For a certificate to be allowed, it must not have any *additional* errors
92 // from when it was allowed. For a certificate to be denied, it need only
93 // match *any* of the errors that caused it to be denied. We check denial
94 // first, before checking whether it's been allowed.
95 Judgment
Check(X509Certificate
* cert
, CertStatus error
) const;
97 // Causes the policy to allow this certificate for a given |error|.
98 void Allow(X509Certificate
* cert
, CertStatus error
);
100 // Causes the policy to deny this certificate for a given |error|.
101 void Deny(X509Certificate
* cert
, CertStatus error
);
103 // Returns true if this policy has allowed at least one certificate.
104 bool HasAllowedCert() const;
106 // Returns true if this policy has denied at least one certificate.
107 bool HasDeniedCert() const;
110 // The set of fingerprints of allowed certificates.
111 std::map
<SHA1HashValue
, CertStatus
, SHA1HashValueLessThan
> allowed_
;
113 // The set of fingerprints of denied certificates.
114 std::map
<SHA1HashValue
, CertStatus
, SHA1HashValueLessThan
> denied_
;
117 #if defined(OS_MACOSX) && !defined(OS_IOS)
118 // Compares two OIDs by value.
119 inline bool CSSMOIDEqual(const CSSM_OID
* oid1
, const CSSM_OID
* oid2
) {
120 return oid1
->Length
== oid2
->Length
&&
121 (memcmp(oid1
->Data
, oid2
->Data
, oid1
->Length
) == 0);
125 // A list of ASN.1 date/time formats that ParseCertificateDate() supports,
126 // encoded in the canonical forms specified in RFC 2459/3280/5280.
127 enum CertDateFormat
{
128 // UTCTime: Format is YYMMDDHHMMSSZ
129 CERT_DATE_FORMAT_UTC_TIME
,
131 // GeneralizedTime: Format is YYYYMMDDHHMMSSZ
132 CERT_DATE_FORMAT_GENERALIZED_TIME
,
135 // Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
136 // |format|, and writes the result into |*time|. If an invalid date is
137 // specified, or if parsing fails, returns false, and |*time| will not be
139 NET_EXPORT_PRIVATE
bool ParseCertificateDate(const base::StringPiece
& raw_date
,
140 CertDateFormat format
,
144 #endif // NET_CERT_X509_CERT_TYPES_H_