blob: cebcbce0899065794021aa0f58b661de42f4d92e [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <string.h>
#include <set>
#include <string>
#include <vector>
#include "base/logging.h"
#include "base/string_piece.h"
#include "build/build_config.h"
#include "net/base/net_export.h"
#if defined(OS_MACOSX) && !defined(OS_IOS)
#include <Security/x509defs.h>
namespace base {
class Time;
} // namespace base
namespace net {
class X509Certificate;
// SHA-1 fingerprint (160 bits) of a certificate.
struct NET_EXPORT SHA1HashValue {
bool Equals(const SHA1HashValue& other) const {
return memcmp(data,, sizeof(data)) == 0;
unsigned char data[20];
class NET_EXPORT SHA1HashValueLessThan {
bool operator()(const SHA1HashValue& lhs,
const SHA1HashValue& rhs) const {
return memcmp(,, sizeof( < 0;
struct NET_EXPORT SHA256HashValue {
bool Equals(const SHA256HashValue& other) const {
return memcmp(data,, sizeof(data)) == 0;
unsigned char data[32];
class NET_EXPORT SHA256HashValueLessThan {
bool operator()(const SHA256HashValue& lhs,
const SHA256HashValue& rhs) const {
return memcmp(,, sizeof( < 0;
enum HashValueTag {
// This must always be last.
class NET_EXPORT HashValue {
explicit HashValue(HashValueTag tag) : tag(tag) {}
HashValue() : tag(HASH_VALUE_SHA1) {}
bool Equals(const HashValue& other) const;
size_t size() const;
unsigned char* data();
const unsigned char* data() const;
HashValueTag tag;
union {
SHA1HashValue sha1;
SHA256HashValue sha256;
} fingerprint;
class NET_EXPORT HashValueLessThan {
bool operator()(const HashValue& lhs,
const HashValue& rhs) const {
size_t lhs_size = lhs.size();
size_t rhs_size = rhs.size();
if (lhs_size != rhs_size)
return lhs_size < rhs_size;
return memcmp(,, lhs_size) < 0;
typedef std::vector<HashValue> HashValueVector;
// IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted
// array of SHA1 hashes.
bool NET_EXPORT IsSHA1HashInSortedArray(const SHA1HashValue& hash,
const uint8* array,
size_t array_byte_len);
// CertPrincipal represents the issuer or subject field of an X.509 certificate.
struct NET_EXPORT CertPrincipal {
explicit CertPrincipal(const std::string& name);
#if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN)
// Parses a BER-format DistinguishedName.
bool ParseDistinguishedName(const void* ber_name_data, size_t length);
#if defined(OS_MACOSX)
// Compare this CertPrincipal with |against|, returning true if they're
// equal enough to be a possible match. This should NOT be used for any
// security relevant decisions.
// TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
bool Matches(const CertPrincipal& against) const;
// Returns a name that can be used to represent the issuer. It tries in this
// order: CN, O and OU and returns the first non-empty one found.
std::string GetDisplayName() const;
// The different attributes for a principal, stored in UTF-8. They may be "".
// Note that some of them can have several values.
std::string common_name;
std::string locality_name;
std::string state_or_province_name;
std::string country_name;
std::vector<std::string> street_addresses;
std::vector<std::string> organization_names;
std::vector<std::string> organization_unit_names;
std::vector<std::string> domain_components;
// This class is useful for maintaining policies about which certificates are
// permitted or forbidden for a particular purpose.
class NET_EXPORT CertPolicy {
// The judgments this policy can reach.
enum Judgment {
// We don't have policy information for this certificate.
// This certificate is allowed.
// This certificate is denied.
// Returns the judgment this policy makes about this certificate.
Judgment Check(X509Certificate* cert) const;
// Causes the policy to allow this certificate.
void Allow(X509Certificate* cert);
// Causes the policy to deny this certificate.
void Deny(X509Certificate* cert);
// Returns true if this policy has allowed at least one certificate.
bool HasAllowedCert() const;
// Returns true if this policy has denied at least one certificate.
bool HasDeniedCert() const;
// The set of fingerprints of allowed certificates.
std::set<SHA1HashValue, SHA1HashValueLessThan> allowed_;
// The set of fingerprints of denied certificates.
std::set<SHA1HashValue, SHA1HashValueLessThan> denied_;
#if defined(OS_MACOSX) && !defined(OS_IOS)
// Compares two OIDs by value.
inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
return oid1->Length == oid2->Length &&
(memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
// A list of ASN.1 date/time formats that ParseCertificateDate() supports,
// encoded in the canonical forms specified in RFC 2459/3280/5280.
enum CertDateFormat {
// GeneralizedTime: Format is YYYYMMDDHHMMSSZ
// Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
// |format|, and writes the result into |*time|. If an invalid date is
// specified, or if parsing fails, returns false, and |*time| will not be
// updated.
bool ParseCertificateDate(const base::StringPiece& raw_date,
CertDateFormat format,
base::Time* time);
} // namespace net
#endif // NET_BASE_X509_CERT_TYPES_H_