Chiebot-Mirror
/
boringssl
mirror of https://gitee.com/mirrors/boringssl.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity
Mirror of BoringSSL (grpc依赖) https://boringssl.googlesource.com/boringssl
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1629 Commits
59 Branches
16 Tags
480 MiB
Tag: Branch: Tree: dd68e4bb4d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'dd68e4bb4d'
${ noResults }
boringssl/pki/certificate_policies.h

136 lines
4.4 KiB
Raw Normal View History Unescape

Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com>
2 years ago
// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef BSSL_PKI_CERTIFICATE_POLICIES_H_
#define BSSL_PKI_CERTIFICATE_POLICIES_H_
#include "fillins/openssl_util.h"
#include <stdint.h>
#include <vector>
#include "input.h"
#include <optional>
namespace bssl {
class CertErrors;
// Returns the DER-encoded OID, without tag or length, of the anyPolicy
// certificate policy defined in RFC 5280 section 4.2.1.4.
inline constexpr uint8_t kAnyPolicyOid[] = {0x55, 0x1D, 0x20, 0x00};
// From RFC 5280:
//
// id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
//
// In dotted notation: 2.5.29.54
inline constexpr uint8_t kInhibitAnyPolicyOid[] = {0x55, 0x1d, 0x36};
// From RFC 5280:
//
// id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
//
// In dotted notation: 2.5.29.33
inline constexpr uint8_t kPolicyMappingsOid[] = {0x55, 0x1d, 0x21};
// -- policyQualifierIds for Internet policy qualifiers
//
// id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
// id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
//
// In dotted decimal form: 1.3.6.1.5.5.7.2.1
inline constexpr uint8_t kCpsPointerId[] = {0x2b, 0x06, 0x01, 0x05,
0x05, 0x07, 0x02, 0x01};
// id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
//
// In dotted decimal form: 1.3.6.1.5.5.7.2.2
inline constexpr uint8_t kUserNoticeId[] = {0x2b, 0x06, 0x01, 0x05,
0x05, 0x07, 0x02, 0x02};
struct PolicyQualifierInfo {
der::Input qualifier_oid;
der::Input qualifier;
};
struct OPENSSL_EXPORT PolicyInformation {
PolicyInformation();
~PolicyInformation();
PolicyInformation(const PolicyInformation&);
PolicyInformation(PolicyInformation&&);
der::Input policy_oid;
std::vector<PolicyQualifierInfo> policy_qualifiers;
};
// Parses a certificatePolicies extension and stores the policy information
// |*policies|, in the order presented in |extension_value|.
//
// Returns true on success. On failure returns false and may add errors to
// |errors|, which must be non-null.
//
// The values in |policies| are only valid as long as |extension_value| is (as
// it references data).
OPENSSL_EXPORT bool ParseCertificatePoliciesExtension(
const der::Input& extension_value,
std::vector<PolicyInformation>* policies,
CertErrors* errors);
// Parses a certificatePolicies extension and stores the policy OIDs in
// |*policy_oids|, in sorted order.
//
// If policyQualifiers for User Notice or CPS are present then they are
// ignored (RFC 5280 section 4.2.1.4 says "optional qualifiers, which MAY
// be present, are not expected to change the definition of the policy."
//
// If a policy qualifier other than User Notice/CPS is present, parsing
// will fail if |fail_parsing_unknown_qualifier_oids| was set to true,
// otherwise the unrecognized qualifiers wil be skipped and not parsed
// any further.
//
// Returns true on success. On failure returns false and may add errors to
// |errors|, which must be non-null.
//
// The values in |policy_oids| are only valid as long as |extension_value| is
// (as it references data).
OPENSSL_EXPORT bool ParseCertificatePoliciesExtensionOids(
const der::Input& extension_value,
bool fail_parsing_unknown_qualifier_oids,
std::vector<der::Input>* policy_oids,
CertErrors* errors);
struct ParsedPolicyConstraints {
std::optional<uint8_t> require_explicit_policy;
std::optional<uint8_t> inhibit_policy_mapping;
};
// Parses a PolicyConstraints SEQUENCE as defined by RFC 5280. Returns true on
// success, and sets |out|.
[[nodiscard]] OPENSSL_EXPORT bool ParsePolicyConstraints(
const der::Input& policy_constraints_tlv,
ParsedPolicyConstraints* out);
Sync pki to chromium eddbcb143c7462e0b8d60e859b96d678ca0c013c This removes one more patch, and adapts import to deal with gmock from chrome which is now included in boring. Bug: chromium:1322914 Change-Id: I2a5957f741252941fea76205a21e98fd655f8cae Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63225 Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com>
1 year ago
// Parses an InhibitAnyPolicy as defined by RFC 5280. Returns num certs on
// success, or empty if parser fails.
[[nodiscard]] OPENSSL_EXPORT std::optional<uint8_t> ParseInhibitAnyPolicy(
const der::Input& inhibit_any_policy_tlv);
Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com>
2 years ago
struct ParsedPolicyMapping {
der::Input issuer_domain_policy;
der::Input subject_domain_policy;
};
// Parses a PolicyMappings SEQUENCE as defined by RFC 5280. Returns true on
// success, and sets |mappings|.
[[nodiscard]] OPENSSL_EXPORT bool ParsePolicyMappings(
const der::Input& policy_mappings_tlv,
std::vector<ParsedPolicyMapping>* mappings);
} // namespace net
#endif // BSSL_PKI_CERTIFICATE_POLICIES_H_