// Copyright 2015 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_CERT_INTERNAL_NAME_CONSTRAINTS_H_ #define NET_CERT_INTERNAL_NAME_CONSTRAINTS_H_ #include #include #include "base/compiler_specific.h" #include "base/strings/string_piece_forward.h" #include "net/base/ip_address.h" #include "net/base/net_export.h" #include "net/cert/internal/general_names.h" namespace net { class CertErrors; namespace der { class Input; } // namespace der // Parses a NameConstraints extension value and allows testing whether names are // allowed under those constraints as defined by RFC 5280 section 4.2.1.10. class NET_EXPORT NameConstraints { public: ~NameConstraints(); // Parses a DER-encoded NameConstraints extension and initializes this object. // |extension_value| should be the extnValue from the extension (not including // the OCTET STRING tag). |is_critical| should be true if the extension was // marked critical. Returns nullptr if parsing the the extension failed. // The object may reference data from |extension_value|, so is only valid as // long as |extension_value| is. static std::unique_ptr Create( const der::Input& extension_value, bool is_critical, CertErrors* errors); // Tests if a certificate is allowed by the name constraints. // |subject_rdn_sequence| should be the DER-encoded value of the subject's // RDNSequence (not including Sequence tag), and may be an empty ASN.1 // sequence. |subject_alt_names| should be the parsed representation of the // subjectAltName extension or nullptr if the extension was not present. // Note that this method does not check hostname or IP address in commonName, // which is deprecated (crbug.com/308330). bool IsPermittedCert(const der::Input& subject_rdn_sequence, const GeneralNames* subject_alt_names) const; // Returns true if the ASCII hostname |name| is permitted. // |name| may be a wildcard hostname (starts with "*."). Eg, "*.bar.com" // would not be permitted if "bar.com" is permitted and "foo.bar.com" is // excluded, while "*.baz.com" would only be permitted if "baz.com" is // permitted. bool IsPermittedDNSName(base::StringPiece name) const; // Returns true if the directoryName |name_rdn_sequence| is permitted. // |name_rdn_sequence| should be the DER-encoded RDNSequence value (not // including the Sequence tag.) bool IsPermittedDirectoryName(const der::Input& name_rdn_sequence) const; // Returns true if the iPAddress |ip| is permitted. bool IsPermittedIP(const IPAddress& ip) const; // Returns a bitfield of GeneralNameTypes of all the types constrained by this // NameConstraints. Name types that aren't supported will only be present if // the name constraint they appeared in was marked critical. // // RFC 5280 section 4.2.1.10 says: // Applications conforming to this profile MUST be able to process name // constraints that are imposed on the directoryName name form and SHOULD be // able to process name constraints that are imposed on the rfc822Name, // uniformResourceIdentifier, dNSName, and iPAddress name forms. // If a name constraints extension that is marked as critical // imposes constraints on a particular name form, and an instance of // that name form appears in the subject field or subjectAltName // extension of a subsequent certificate, then the application MUST // either process the constraint or reject the certificate. int constrained_name_types() const { return constrained_name_types_; } private: bool Parse(const der::Input& extension_value, bool is_critical, CertErrors* errors) WARN_UNUSED_RESULT; GeneralNames permitted_subtrees_; GeneralNames excluded_subtrees_; int constrained_name_types_ = GENERAL_NAME_NONE; }; } // namespace net #endif // NET_CERT_INTERNAL_NAME_CONSTRAINTS_H_