1 // Copyright 2017 The Chromium Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef BSSL_PKI_GENERAL_NAMES_H_
16 #define BSSL_PKI_GENERAL_NAMES_H_
17 
18 #include <memory>
19 #include <string_view>
20 #include <vector>
21 
22 #include <openssl/base.h>
23 
24 
25 #include "cert_error_id.h"
26 
27 BSSL_NAMESPACE_BEGIN
28 
29 class CertErrors;
30 
31 OPENSSL_EXPORT extern const CertErrorId kFailedParsingGeneralName;
32 
33 namespace der {
34 class Input;
35 }  // namespace der
36 
// Bitfield values for the GeneralName types defined in RFC 5280. The ordering
// and exact values are not important, but match the order from the RFC for
// convenience.
//
// Each type occupies exactly one bit, so values can be OR'd together; this is
// how GeneralNames::present_name_types records which types were seen.
// GENERAL_NAME_ALL_TYPES is the union of the nine type bits (0x1FF).
enum GeneralNameTypes {
  GENERAL_NAME_NONE = 0x000,
  GENERAL_NAME_OTHER_NAME = 0x001,
  GENERAL_NAME_RFC822_NAME = 0x002,
  GENERAL_NAME_DNS_NAME = 0x004,
  GENERAL_NAME_X400_ADDRESS = 0x008,
  GENERAL_NAME_DIRECTORY_NAME = 0x010,
  GENERAL_NAME_EDI_PARTY_NAME = 0x020,
  GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER = 0x040,
  GENERAL_NAME_IP_ADDRESS = 0x080,
  GENERAL_NAME_REGISTERED_ID = 0x100,
  GENERAL_NAME_ALL_TYPES = 0x1FF,
};
53 
// Represents a GeneralNames structure. When processing GeneralNames, it is
// often necessary to know which types of names were present, and to check
// all the names of a certain type. Therefore, a bitfield of all the name
// types is kept, and the names are split into members for each type.
//
// Every name member below is a vector of non-owning views (der::Input or
// std::string_view) which may point into the DER buffer handed to Create() or
// CreateFromValue(); the object is only usable while that buffer is alive.
struct OPENSSL_EXPORT GeneralNames {
  // Controls parsing of iPAddress names in ParseGeneralName.
  // IP_ADDRESS_ONLY parses the iPAddress names as a 4 or 16 byte IP address.
  // IP_ADDRESS_AND_NETMASK parses the iPAddress names as 8 or 32 bytes
  // containing an IP address followed by a netmask.
  //
  // The mode chosen determines which of |ip_addresses| / |ip_address_ranges|
  // receives the parsed names (see the member comments below). Whether any
  // other octet length is rejected is not visible from this header; confirm in
  // the ParseGeneralName implementation.
  enum ParseGeneralNameIPAddressType {
    IP_ADDRESS_ONLY,
    IP_ADDRESS_AND_NETMASK,
  };

  // Out-of-line constructor and destructor.
  GeneralNames();
  ~GeneralNames();

  // Create a GeneralNames object representing the DER-encoded
  // |general_names_tlv|. The returned object may reference data from
  // |general_names_tlv|, so is only valid as long as |general_names_tlv| is.
  // Returns nullptr on failure, and may fill |errors| with
  // additional information. |errors| must be non-null.
  //
  // Callers must check for nullptr before dereferencing; a nullptr result
  // means the input was rejected, and the reason (if any) is in |errors|.
  static std::unique_ptr<GeneralNames> Create(der::Input general_names_tlv,
                                              CertErrors *errors);

  // As above, but takes the GeneralNames sequence value, without the tag and
  // length.
  static std::unique_ptr<GeneralNames> CreateFromValue(
      der::Input general_names_value, CertErrors *errors);

  // DER-encoded OtherName values.
  std::vector<der::Input> other_names;

  // ASCII rfc822names.
  //
  // NOTE(review): whether the parser rejects non-ASCII or embedded NUL bytes
  // in these string views is not visible from this header; confirm before
  // treating them as validated.
  std::vector<std::string_view> rfc822_names;

  // ASCII hostnames.
  // Same caveat as |rfc822_names|: these are the bytes as they appear in the
  // certificate, and any normalization is the caller's responsibility.
  std::vector<std::string_view> dns_names;

  // DER-encoded ORAddress values.
  std::vector<der::Input> x400_addresses;

  // DER-encoded Name values (not including the Sequence tag).
  std::vector<der::Input> directory_names;

  // DER-encoded EDIPartyName values.
  std::vector<der::Input> edi_party_names;

  // ASCII URIs.
  // Same caveat as |rfc822_names|.
  std::vector<std::string_view> uniform_resource_identifiers;

  // iPAddresses as sequences of octets in network byte order. This will be
  // populated if the GeneralNames represents a Subject Alternative Name. Each
  // address is guaranteed to be either 4 bytes (IPv4) or 16 bytes (IPv6) long.
  std::vector<der::Input> ip_addresses;

  // iPAddress ranges, as <IP, mask> pairs. This will be populated
  // if the GeneralNames represents a Name Constraints. Each address is
  // guaranteed to be either 4 bytes (IPv4) or 16 bytes (IPv6) long. The mask
  // half is guaranteed to be the same size, and consist of some number of 1
  // bits, followed by some number of 0 bits.
  //
  // WARNING: It is not guaranteed that the masked portions of the address are
  // zero.
  //
  // TODO(davidben): Should addresses with non-zero masked portions be rejected?
  std::vector<std::pair<der::Input, der::Input>> ip_address_ranges;

  // DER-encoded OBJECT IDENTIFIERs.
  std::vector<der::Input> registered_ids;

  // Which name types were present, as a bitfield of GeneralNameTypes.
  // Test with e.g. `(present_name_types & GENERAL_NAME_DNS_NAME) != 0`.
  // Starts at GENERAL_NAME_NONE, i.e. no types seen.
  int present_name_types = GENERAL_NAME_NONE;
};
128 
// Parses a GeneralName value and adds it to |subtrees|.
// |ip_address_type| specifies how to parse iPAddress names.
// Returns false on failure, and may fill |errors| with additional information.
// |errors| must be non-null.
//
// |input| holds the DER encoding of a single GeneralName. On success the name
// is appended to the member of |subtrees| matching its type (see GeneralNames)
// and, presumably, the matching GeneralNameTypes bit is set in
// |subtrees->present_name_types| — confirm in the implementation. Whether
// |subtrees| is left untouched when false is returned is not visible from this
// header, so callers should not keep using |subtrees| after a failure.
// The result is [[nodiscard]] because ignoring a failed parse would leave
// unvalidated data in |subtrees|.
// TODO(mattm): should this be a method on GeneralNames?
[[nodiscard]] OPENSSL_EXPORT bool ParseGeneralName(
    der::Input input,
    GeneralNames::ParseGeneralNameIPAddressType ip_address_type,
    GeneralNames *subtrees, CertErrors *errors);
138 
139 BSSL_NAMESPACE_END
140 
141 #endif  // BSSL_PKI_GENERAL_NAMES_H_