| blob | 7285bf90d5eae2d95f10804a39e35cf9d2bffe2b |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
9 #include <limits>
10 #include <vector>
21 // Holds a non-owning pointer to a byte buffer and allows writing chunks of data
22 // to the buffer, placing the later chunks after the earlier ones
23 // in a stream-like fashion.
24 // Note that writing to Output always succeeds. If the internal buffer
25 // overflows, an error flag is turned on and you won't be able to retrieve
26 // the final data.
47 }
50 }
64 }
68 }
71 }
74 }
75 };
77 // For reference:
78 //
79 // Certificate ::= SEQUENCE {
80 // tbsCertificate TBSCertificate,
81 // signatureAlgorithm AlgorithmIdentifier,
82 // signatureValue BIT STRING }
83 //
84 // TBSCertificate ::= SEQUENCE {
85 // version [0] EXPLICIT Version DEFAULT v1,
86 // serialNumber CertificateSerialNumber,
87 // signature AlgorithmIdentifier,
88 // issuer Name,
89 // validity Validity,
90 // subject Name,
91 // subjectPublicKeyInfo SubjectPublicKeyInfo,
92 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
93 // -- If present, version MUST be v2 or v3
94 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
95 // -- If present, version MUST be v2 or v3
96 // extensions [3] EXPLICIT Extensions OPTIONAL
97 // -- If present, version MUST be v3
98 // }
100 // python DottedOIDToCode.py id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
101 // See Section 3.3 of RFC 6962.
104 // Maximum length of DER TLV header
106 // DER tag of the "extensions [3]" field from TBSCertificate
113 }
115 }
117 // Given a leaf certificate, extracts the DER-encoded TBSCertificate component
118 // of the corresponding Precertificate.
119 // Basically, the extractor needs to remove the embedded SCTs extension
120 // from the certificate and return its TBSCertificate. We do it in an ad hoc
121 // manner by breaking the source DER into several parts and then joining
122 // the right parts, taking care to update the relevant TLV headers.
123 // See WriteOutput for more details on the parts involved.
126 // |buffer| is the buffer to be used for writing the output. Since the
127 // required buffer size is not generally known in advance, it's best
128 // to use at least the size of the input certificate DER.
132 // Performs the extraction.
134 Reader tbsReader;
138 }
143 }
148 }
151 }
153 // Use to retrieve the result after a successful call to Init.
154 // The returned Input points to the buffer supplied in the constructor.
159 Reader certificateReader;
160 Result rv =
164 }
166 }
173 }
175 Input tagValue;
179 }
180 }
182 }
187 }
189 Reader extensionsContextReader;
194 }
196 Reader extensionsReader;
198 extensionsReader);
201 }
205 Reader extension;
206 rv =
210 }
211 Reader extensionID;
215 }
217 Input extensionTLV;
221 }
223 }
224 }
226 }
229 // What should be written here:
230 //
231 // TBSCertificate ::= SEQUENCE (TLV with header |tbsHeader|)
232 // dump of |mTLVsBeforeExtensions|
233 // extensions [3] OPTIONAL (TLV with header |extensionsContextHeader|)
234 // SEQUENCE (TLV with with header |extensionsHeader|)
235 // dump of |mExtensionTLVs|
237 Result rv;
243 Input tbsHeader;
244 Input extensionsContextHeader;
245 Input extensionsHeader;
247 // Count the total size of the extensions. Note that since
248 // the extensions data is contained within mDER (an Input),
249 // their combined length won't overflow Input::size_type.
253 }
259 }
260 // Since we're getting these extensions from a certificate that has
261 // already fit in an Input, this shouldn't overflow.
268 }
271 rv =
276 }
285 }
291 }
299 }
302 Input tbsHeader;
307 }
310 }
313 }
331 }
333 }
335 Input mDER;
336 Input mTLVsBeforeExtensions;
338 Output mOutput;
339 Input mPrecertTBS;
340 };
348 Buffer precertTBSBuffer;
356 }
368 }
375 }