mirror of
https://github.com/klzgrad/naiveproxy.git
synced 2024-12-01 01:36:09 +03:00
125 lines
4.3 KiB
C++
125 lines
4.3 KiB
C++
// Copyright 2015 The Chromium Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#include "net/cert/internal/extended_key_usage.h"
|
|
|
|
#include "base/macros.h"
|
|
#include "net/der/input.h"
|
|
#include "net/der/parser.h"
|
|
#include "net/der/tag.h"
|
|
|
|
namespace net {
|
|
|
|
const der::Input AnyEKU() {
|
|
// The arc for the anyExtendedKeyUsage OID is found under the id-ce arc,
|
|
// defined in section 4.2.1 of RFC 5280:
|
|
// id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
|
|
//
|
|
// From RFC 5280 section 4.2.1.12:
|
|
// id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
|
|
// anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
|
|
// In dotted notation: 2.5.29.37.0
|
|
static const uint8_t any_eku[] = {0x55, 0x1d, 0x25, 0x00};
|
|
return der::Input(any_eku);
|
|
}
|
|
|
|
const der::Input ServerAuth() {
|
|
// All other key usage purposes defined in RFC 5280 are found in the id-kp
|
|
// arc, defined in section 4.2.1.12 as:
|
|
// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
|
|
//
|
|
// With id-pkix defined in RFC 5280 section 4.2.2 as:
|
|
// id-pkix OBJECT IDENTIFIER ::=
|
|
// { iso(1) identified-organization(3) dod(6) internet(1)
|
|
// security(5) mechanisms(5) pkix(7) }
|
|
//
|
|
// From RFC 5280 section 4.2.1.12:
|
|
// id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
|
|
// In dotted notation: 1.3.6.1.5.5.7.3.1
|
|
static const uint8_t server_auth[] = {
|
|
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};
|
|
return der::Input(server_auth);
|
|
}
|
|
|
|
// In dotted notation: 2.16.840.1.113730.4.1
|
|
const der::Input NetscapeServerGatedCrypto() {
|
|
static const uint8_t data[] = {0x60, 0x86, 0x48, 0x01, 0x86,
|
|
0xf8, 0x42, 0x04, 0x01};
|
|
return der::Input(data);
|
|
}
|
|
|
|
const der::Input ClientAuth() {
|
|
// From RFC 5280 section 4.2.1.12:
|
|
// id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
|
|
// In dotted notation: 1.3.6.1.5.5.7.3.2
|
|
static const uint8_t client_auth[] = {
|
|
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02};
|
|
return der::Input(client_auth);
|
|
}
|
|
|
|
const der::Input CodeSigning() {
|
|
// From RFC 5280 section 4.2.1.12:
|
|
// id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
|
|
// In dotted notation: 1.3.6.1.5.5.7.3.3
|
|
static const uint8_t code_signing[] = {
|
|
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03};
|
|
return der::Input(code_signing);
|
|
}
|
|
|
|
const der::Input EmailProtection() {
|
|
// From RFC 5280 section 4.2.1.12:
|
|
// id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
|
|
// In dotted notation: 1.3.6.1.5.5.7.3.4
|
|
static const uint8_t email_protection[] = {
|
|
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04};
|
|
return der::Input(email_protection);
|
|
}
|
|
|
|
const der::Input TimeStamping() {
|
|
// From RFC 5280 section 4.2.1.12:
|
|
// id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
|
|
// In dotted notation: 1.3.6.1.5.5.7.3.8
|
|
static const uint8_t time_stamping[] = {
|
|
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08};
|
|
return der::Input(time_stamping);
|
|
}
|
|
|
|
const der::Input OCSPSigning() {
|
|
// From RFC 5280 section 4.2.1.12:
|
|
// id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
|
|
// In dotted notation: 1.3.6.1.5.5.7.3.9
|
|
static const uint8_t ocsp_signing[] = {
|
|
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09};
|
|
return der::Input(ocsp_signing);
|
|
}
|
|
|
|
bool ParseEKUExtension(const der::Input& extension_value,
|
|
std::vector<der::Input>* eku_oids) {
|
|
der::Parser extension_parser(extension_value);
|
|
der::Parser sequence_parser;
|
|
if (!extension_parser.ReadSequence(&sequence_parser))
|
|
return false;
|
|
|
|
// Section 4.2.1.12 of RFC 5280 defines ExtKeyUsageSyntax as:
|
|
// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
|
|
//
|
|
// Therefore, the sequence must contain at least one KeyPurposeId.
|
|
if (!sequence_parser.HasMore())
|
|
return false;
|
|
while (sequence_parser.HasMore()) {
|
|
der::Input eku_oid;
|
|
if (!sequence_parser.ReadTag(der::kOid, &eku_oid))
|
|
// The SEQUENCE OF must contain only KeyPurposeIds (OIDs).
|
|
return false;
|
|
eku_oids->push_back(eku_oid);
|
|
}
|
|
if (extension_parser.HasMore())
|
|
// The extension value must follow ExtKeyUsageSyntax - there is no way that
|
|
// it could be extended to allow for something after the SEQUENCE OF.
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
} // namespace net
|