naiveproxy/net/cert/internal/extended_key_usage.cc

// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/cert/internal/extended_key_usage.h"

#include "base/macros.h"
#include "net/der/input.h"
#include "net/der/parser.h"
#include "net/der/tag.h"

namespace net {

const der::Input AnyEKU() {
  // The arc for the anyExtendedKeyUsage OID is found under the id-ce arc,
  // defined in section 4.2.1 of RFC 5280:
  // id-ce   OBJECT IDENTIFIER ::=  { joint-iso-ccitt(2) ds(5) 29 }
  //
  // From RFC 5280 section 4.2.1.12:
  // id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
  // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
  // In dotted notation: 2.5.29.37.0
  static const uint8_t any_eku[] = {0x55, 0x1d, 0x25, 0x00};
  return der::Input(any_eku);
}

const der::Input ServerAuth() {
  // All other key usage purposes defined in RFC 5280 are found in the id-kp
  // arc, defined in section 4.2.1.12 as:
  // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
  //
  // With id-pkix defined in RFC 5280 section 4.2.2 as:
  // id-pkix  OBJECT IDENTIFIER  ::=
  //          { iso(1) identified-organization(3) dod(6) internet(1)
  //                  security(5) mechanisms(5) pkix(7) }
  //
  // From RFC 5280 section 4.2.1.12:
  // id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
  // In dotted notation: 1.3.6.1.5.5.7.3.1
  static const uint8_t server_auth[] = {
      0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};
  return der::Input(server_auth);
}

// In dotted notation: 2.16.840.1.113730.4.1
const der::Input NetscapeServerGatedCrypto() {
  static const uint8_t data[] = {0x60, 0x86, 0x48, 0x01, 0x86,
                                 0xf8, 0x42, 0x04, 0x01};
  return der::Input(data);
}

const der::Input ClientAuth() {
  // From RFC 5280 section 4.2.1.12:
  // id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
  // In dotted notation: 1.3.6.1.5.5.7.3.2
  static const uint8_t client_auth[] = {
      0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02};
  return der::Input(client_auth);
}

const der::Input CodeSigning() {
  // From RFC 5280 section 4.2.1.12:
  // id-kp-codeSigning             OBJECT IDENTIFIER ::= { id-kp 3 }
  // In dotted notation: 1.3.6.1.5.5.7.3.3
  static const uint8_t code_signing[] = {
      0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03};
  return der::Input(code_signing);
}

const der::Input EmailProtection() {
  // From RFC 5280 section 4.2.1.12:
  // id-kp-emailProtection         OBJECT IDENTIFIER ::= { id-kp 4 }
  // In dotted notation: 1.3.6.1.5.5.7.3.4
  static const uint8_t email_protection[] = {
      0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04};
  return der::Input(email_protection);
}

const der::Input TimeStamping() {
  // From RFC 5280 section 4.2.1.12:
  // id-kp-timeStamping            OBJECT IDENTIFIER ::= { id-kp 8 }
  // In dotted notation: 1.3.6.1.5.5.7.3.8
  static const uint8_t time_stamping[] = {
      0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08};
  return der::Input(time_stamping);
}

const der::Input OCSPSigning() {
  // From RFC 5280 section 4.2.1.12:
  // id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
  // In dotted notation: 1.3.6.1.5.5.7.3.9
  static const uint8_t ocsp_signing[] = {
      0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09};
  return der::Input(ocsp_signing);
}

bool ParseEKUExtension(const der::Input& extension_value,
                       std::vector<der::Input>* eku_oids) {
  der::Parser extension_parser(extension_value);
  der::Parser sequence_parser;
  if (!extension_parser.ReadSequence(&sequence_parser))
    return false;

  // Section 4.2.1.12 of RFC 5280 defines ExtKeyUsageSyntax as:
  // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
  //
  // Therefore, the sequence must contain at least one KeyPurposeId.
  if (!sequence_parser.HasMore())
    return false;
  while (sequence_parser.HasMore()) {
    der::Input eku_oid;
    if (!sequence_parser.ReadTag(der::kOid, &eku_oid))
      // The SEQUENCE OF must contain only KeyPurposeIds (OIDs).
      return false;
    eku_oids->push_back(eku_oid);
  }
  if (extension_parser.HasMore())
    // The extension value must follow ExtKeyUsageSyntax - there is no way that
    // it could be extended to allow for something after the SEQUENCE OF.
    return false;
  return true;
}

}  // namespace net
Import chromium-68.0.3440.106 2018-08-11 08:35:24 +03:00			`// Copyright 2015 The Chromium Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`#include "net/cert/internal/extended_key_usage.h"`

			`#include "base/macros.h"`
			`#include "net/der/input.h"`
			`#include "net/der/parser.h"`
			`#include "net/der/tag.h"`

			`namespace net {`

			`const der::Input AnyEKU() {`
			`// The arc for the anyExtendedKeyUsage OID is found under the id-ce arc,`
			`// defined in section 4.2.1 of RFC 5280:`
			`// id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }`
			`//`
			`// From RFC 5280 section 4.2.1.12:`
			`// id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }`
			`// anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }`
			`// In dotted notation: 2.5.29.37.0`
			`static const uint8_t any_eku[] = {0x55, 0x1d, 0x25, 0x00};`
			`return der::Input(any_eku);`
			`}`

			`const der::Input ServerAuth() {`
			`// All other key usage purposes defined in RFC 5280 are found in the id-kp`
			`// arc, defined in section 4.2.1.12 as:`
			`// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }`
			`//`
			`// With id-pkix defined in RFC 5280 section 4.2.2 as:`
			`// id-pkix OBJECT IDENTIFIER ::=`
			`// { iso(1) identified-organization(3) dod(6) internet(1)`
			`// security(5) mechanisms(5) pkix(7) }`
			`//`
			`// From RFC 5280 section 4.2.1.12:`
			`// id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }`
			`// In dotted notation: 1.3.6.1.5.5.7.3.1`
			`static const uint8_t server_auth[] = {`
			`0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};`
			`return der::Input(server_auth);`
			`}`

			`// In dotted notation: 2.16.840.1.113730.4.1`
			`const der::Input NetscapeServerGatedCrypto() {`
			`static const uint8_t data[] = {0x60, 0x86, 0x48, 0x01, 0x86,`
			`0xf8, 0x42, 0x04, 0x01};`
			`return der::Input(data);`
			`}`

			`const der::Input ClientAuth() {`
			`// From RFC 5280 section 4.2.1.12:`
			`// id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }`
			`// In dotted notation: 1.3.6.1.5.5.7.3.2`
			`static const uint8_t client_auth[] = {`
			`0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02};`
			`return der::Input(client_auth);`
			`}`

			`const der::Input CodeSigning() {`
			`// From RFC 5280 section 4.2.1.12:`
			`// id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }`
			`// In dotted notation: 1.3.6.1.5.5.7.3.3`
			`static const uint8_t code_signing[] = {`
			`0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03};`
			`return der::Input(code_signing);`
			`}`

			`const der::Input EmailProtection() {`
			`// From RFC 5280 section 4.2.1.12:`
			`// id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }`
			`// In dotted notation: 1.3.6.1.5.5.7.3.4`
			`static const uint8_t email_protection[] = {`
			`0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04};`
			`return der::Input(email_protection);`
			`}`

			`const der::Input TimeStamping() {`
			`// From RFC 5280 section 4.2.1.12:`
			`// id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }`
			`// In dotted notation: 1.3.6.1.5.5.7.3.8`
			`static const uint8_t time_stamping[] = {`
			`0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08};`
			`return der::Input(time_stamping);`
			`}`

			`const der::Input OCSPSigning() {`
			`// From RFC 5280 section 4.2.1.12:`
			`// id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }`
			`// In dotted notation: 1.3.6.1.5.5.7.3.9`
			`static const uint8_t ocsp_signing[] = {`
			`0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09};`
			`return der::Input(ocsp_signing);`
			`}`

			`bool ParseEKUExtension(const der::Input& extension_value,`
			`std::vector<der::Input>* eku_oids) {`
			`der::Parser extension_parser(extension_value);`
			`der::Parser sequence_parser;`
			`if (!extension_parser.ReadSequence(&sequence_parser))`
			`return false;`

			`// Section 4.2.1.12 of RFC 5280 defines ExtKeyUsageSyntax as:`
			`// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId`
			`//`
			`// Therefore, the sequence must contain at least one KeyPurposeId.`
			`if (!sequence_parser.HasMore())`
			`return false;`
			`while (sequence_parser.HasMore()) {`
			`der::Input eku_oid;`
			`if (!sequence_parser.ReadTag(der::kOid, &eku_oid))`
			`// The SEQUENCE OF must contain only KeyPurposeIds (OIDs).`
			`return false;`
			`eku_oids->push_back(eku_oid);`
			`}`
			`if (extension_parser.HasMore())`
			`// The extension value must follow ExtKeyUsageSyntax - there is no way that`
			`// it could be extended to allow for something after the SEQUENCE OF.`
			`return false;`
			`return true;`
			`}`

			`} // namespace net`