src/net/cert/internal/extended_key_usage.cc - cobalt - Git at Google

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "net/cert/internal/extended_key_usage.h"

 #include "base/macros.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 #include "net/der/tag.h"

 namespace net {

 const der::Input AnyEKU() {
   // The arc for the anyExtendedKeyUsage OID is found under the id-ce arc,
   // defined in section 4.2.1 of RFC 5280:
   // id-ce   OBJECT IDENTIFIER ::=  { joint-iso-ccitt(2) ds(5) 29 }
   //
   // From RFC 5280 section 4.2.1.12:
   // id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
   // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
   // In dotted notation: 2.5.29.37.0
   static const uint8_t any_eku[] = {0x55, 0x1d, 0x25, 0x00};
   return der::Input(any_eku);
 }

 const der::Input ServerAuth() {
   // All other key usage purposes defined in RFC 5280 are found in the id-kp
   // arc, defined in section 4.2.1.12 as:
   // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
   //
   // With id-pkix defined in RFC 5280 section 4.2.2 as:
   // id-pkix  OBJECT IDENTIFIER  ::=
   //          { iso(1) identified-organization(3) dod(6) internet(1)
   //                  security(5) mechanisms(5) pkix(7) }
   //
   // From RFC 5280 section 4.2.1.12:
   // id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   // In dotted notation: 1.3.6.1.5.5.7.3.1
   static const uint8_t server_auth[] = {
       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};
   return der::Input(server_auth);
 }

 // In dotted notation: 2.16.840.1.113730.4.1
 const der::Input NetscapeServerGatedCrypto() {
   static const uint8_t data[] = {0x60, 0x86, 0x48, 0x01, 0x86,
                                  0xf8, 0x42, 0x04, 0x01};
   return der::Input(data);
 }

 const der::Input ClientAuth() {
   // From RFC 5280 section 4.2.1.12:
   // id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   // In dotted notation: 1.3.6.1.5.5.7.3.2
   static const uint8_t client_auth[] = {
       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02};
   return der::Input(client_auth);
 }

 const der::Input CodeSigning() {
   // From RFC 5280 section 4.2.1.12:
   // id-kp-codeSigning             OBJECT IDENTIFIER ::= { id-kp 3 }
   // In dotted notation: 1.3.6.1.5.5.7.3.3
   static const uint8_t code_signing[] = {
       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03};
   return der::Input(code_signing);
 }

 const der::Input EmailProtection() {
   // From RFC 5280 section 4.2.1.12:
   // id-kp-emailProtection         OBJECT IDENTIFIER ::= { id-kp 4 }
   // In dotted notation: 1.3.6.1.5.5.7.3.4
   static const uint8_t email_protection[] = {
       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04};
   return der::Input(email_protection);
 }

 const der::Input TimeStamping() {
   // From RFC 5280 section 4.2.1.12:
   // id-kp-timeStamping            OBJECT IDENTIFIER ::= { id-kp 8 }
   // In dotted notation: 1.3.6.1.5.5.7.3.8
   static const uint8_t time_stamping[] = {
       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08};
   return der::Input(time_stamping);
 }

 const der::Input OCSPSigning() {
   // From RFC 5280 section 4.2.1.12:
   // id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   // In dotted notation: 1.3.6.1.5.5.7.3.9
   static const uint8_t ocsp_signing[] = {
       0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09};
   return der::Input(ocsp_signing);
 }

 bool ParseEKUExtension(const der::Input& extension_value,
                        std::vector<der::Input>* eku_oids) {
   der::Parser extension_parser(extension_value);
   der::Parser sequence_parser;
   if (!extension_parser.ReadSequence(&sequence_parser))
     return false;

   // Section 4.2.1.12 of RFC 5280 defines ExtKeyUsageSyntax as:
   // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
   //
   // Therefore, the sequence must contain at least one KeyPurposeId.
   if (!sequence_parser.HasMore())
     return false;
   while (sequence_parser.HasMore()) {
     der::Input eku_oid;
     if (!sequence_parser.ReadTag(der::kOid, &eku_oid))
       // The SEQUENCE OF must contain only KeyPurposeIds (OIDs).
       return false;
     eku_oids->push_back(eku_oid);
   }
   if (extension_parser.HasMore())
     // The extension value must follow ExtKeyUsageSyntax - there is no way that
     // it could be extended to allow for something after the SEQUENCE OF.
     return false;
   return true;
 }

 }  // namespace net
	// Copyright 2015 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "net/cert/internal/extended_key_usage.h"

	#include "base/macros.h"
	#include "net/der/input.h"
	#include "net/der/parser.h"
	#include "net/der/tag.h"

	namespace net {

	const der::Input AnyEKU() {
	// The arc for the anyExtendedKeyUsage OID is found under the id-ce arc,
	// defined in section 4.2.1 of RFC 5280:
	// id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
	//
	// From RFC 5280 section 4.2.1.12:
	// id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
	// anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
	// In dotted notation: 2.5.29.37.0
	static const uint8_t any_eku[] = {0x55, 0x1d, 0x25, 0x00};
	return der::Input(any_eku);
	}

	const der::Input ServerAuth() {
	// All other key usage purposes defined in RFC 5280 are found in the id-kp
	// arc, defined in section 4.2.1.12 as:
	// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
	//
	// With id-pkix defined in RFC 5280 section 4.2.2 as:
	// id-pkix OBJECT IDENTIFIER ::=
	// { iso(1) identified-organization(3) dod(6) internet(1)
	// security(5) mechanisms(5) pkix(7) }
	//
	// From RFC 5280 section 4.2.1.12:
	// id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
	// In dotted notation: 1.3.6.1.5.5.7.3.1
	static const uint8_t server_auth[] = {
	0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};
	return der::Input(server_auth);
	}

	// In dotted notation: 2.16.840.1.113730.4.1
	const der::Input NetscapeServerGatedCrypto() {
	static const uint8_t data[] = {0x60, 0x86, 0x48, 0x01, 0x86,
	0xf8, 0x42, 0x04, 0x01};
	return der::Input(data);
	}

	const der::Input ClientAuth() {
	// From RFC 5280 section 4.2.1.12:
	// id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
	// In dotted notation: 1.3.6.1.5.5.7.3.2
	static const uint8_t client_auth[] = {
	0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02};
	return der::Input(client_auth);
	}

	const der::Input CodeSigning() {
	// From RFC 5280 section 4.2.1.12:
	// id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
	// In dotted notation: 1.3.6.1.5.5.7.3.3
	static const uint8_t code_signing[] = {
	0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03};
	return der::Input(code_signing);
	}

	const der::Input EmailProtection() {
	// From RFC 5280 section 4.2.1.12:
	// id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
	// In dotted notation: 1.3.6.1.5.5.7.3.4
	static const uint8_t email_protection[] = {
	0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04};
	return der::Input(email_protection);
	}

	const der::Input TimeStamping() {
	// From RFC 5280 section 4.2.1.12:
	// id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
	// In dotted notation: 1.3.6.1.5.5.7.3.8
	static const uint8_t time_stamping[] = {
	0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08};
	return der::Input(time_stamping);
	}

	const der::Input OCSPSigning() {
	// From RFC 5280 section 4.2.1.12:
	// id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
	// In dotted notation: 1.3.6.1.5.5.7.3.9
	static const uint8_t ocsp_signing[] = {
	0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09};
	return der::Input(ocsp_signing);
	}

	bool ParseEKUExtension(const der::Input& extension_value,
	std::vector<der::Input>* eku_oids) {
	der::Parser extension_parser(extension_value);
	der::Parser sequence_parser;
	if (!extension_parser.ReadSequence(&sequence_parser))
	return false;

	// Section 4.2.1.12 of RFC 5280 defines ExtKeyUsageSyntax as:
	// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
	//
	// Therefore, the sequence must contain at least one KeyPurposeId.
	if (!sequence_parser.HasMore())
	return false;
	while (sequence_parser.HasMore()) {
	der::Input eku_oid;
	if (!sequence_parser.ReadTag(der::kOid, &eku_oid))
	// The SEQUENCE OF must contain only KeyPurposeIds (OIDs).
	return false;
	eku_oids->push_back(eku_oid);
	}
	if (extension_parser.HasMore())
	// The extension value must follow ExtKeyUsageSyntax - there is no way that
	// it could be extended to allow for something after the SEQUENCE OF.
	return false;
	return true;
	}

	} // namespace net