// Copyright 2015 The Chromium Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef BSSL_PKI_CERTIFICATE_POLICIES_H_
#define BSSL_PKI_CERTIFICATE_POLICIES_H_

#include <stdint.h>
#include <vector>


#include <optional>
#include "input.h"

BSSL_NAMESPACE_BEGIN

class CertErrors;

// The DER-encoded OID, without tag or length, of the anyPolicy certificate
// policy defined in RFC 5280 section 4.2.1.4.
//
// In dotted notation: 2.5.29.32.0
inline constexpr uint8_t kAnyPolicyOid[] = {0x55, 0x1D, 0x20, 0x00};

// From RFC 5280:
//
//   id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
//
// In dotted notation: 2.5.29.54
inline constexpr uint8_t kInhibitAnyPolicyOid[] = {0x55, 0x1d, 0x36};

// From RFC 5280:
//
//   id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
//
// In dotted notation: 2.5.29.33
inline constexpr uint8_t kPolicyMappingsOid[] = {0x55, 0x1d, 0x21};

// -- policyQualifierIds for Internet policy qualifiers
//
//   id-qt          OBJECT IDENTIFIER ::= { id-pkix 2 }
//   id-qt-cps      OBJECT IDENTIFIER ::= { id-qt 1 }
//
// In dotted decimal form: 1.3.6.1.5.5.7.2.1
inline constexpr uint8_t kCpsPointerId[] = {0x2b, 0x06, 0x01, 0x05,
                                            0x05, 0x07, 0x02, 0x01};

//   id-qt-unotice  OBJECT IDENTIFIER ::= { id-qt 2 }
//
// In dotted decimal form: 1.3.6.1.5.5.7.2.2
inline constexpr uint8_t kUserNoticeId[] = {0x2b, 0x06, 0x01, 0x05,
                                            0x05, 0x07, 0x02, 0x02};

// One PolicyQualifierInfo entry of a PolicyInformation (RFC 5280 section
// 4.2.1.4). Both members are views into the extension bytes they were
// parsed from and do not own their data.
struct PolicyQualifierInfo {
  // The policyQualifierId OID; compare against kCpsPointerId / kUserNoticeId
  // to recognise the two qualifiers defined for Internet use.
  der::Input qualifier_oid;
  // The encoded qualifier value. Nothing in this header interprets it.
  der::Input qualifier;
};

// One PolicyInformation entry of a certificatePolicies extension.
//
// NOTE(review): declaring a move constructor here means the implicitly
// declared copy-assignment operator is deleted and no move-assignment
// operator is generated, so this type is constructible but not assignable.
// Confirm that is intended before relying on assignment in callers.
struct OPENSSL_EXPORT PolicyInformation {
  PolicyInformation();
  ~PolicyInformation();
  PolicyInformation(const PolicyInformation &);
  PolicyInformation(PolicyInformation &&);

  // The policyIdentifier OID (a view into the parsed extension bytes).
  der::Input policy_oid;
  // The policyQualifiers, in the order they appeared; empty if absent.
  std::vector<PolicyQualifierInfo> policy_qualifiers;
};

// Parses a certificatePolicies extension and stores the policy information
// in |*policies|, in the order presented in |extension_value|.
//
// Returns true on success. On failure returns false and may add errors to
// |errors|, which must be non-null.
//
// The values in |policies| are only valid as long as |extension_value| is (as
// they reference its data rather than copying it).
OPENSSL_EXPORT bool ParseCertificatePoliciesExtension(
    der::Input extension_value, std::vector<PolicyInformation> *policies,
    CertErrors *errors);

// Parses a certificatePolicies extension and stores the policy OIDs in
// |*policy_oids|, in sorted order.
//
// If policyQualifiers for User Notice or CPS are present then they are
// ignored (RFC 5280 section 4.2.1.4 says "optional qualifiers, which MAY
// be present, are not expected to change the definition of the policy.").
//
// If a policy qualifier other than User Notice/CPS is present, parsing
// will fail if |fail_parsing_unknown_qualifier_oids| was set to true,
// otherwise the unrecognized qualifiers will be skipped and not parsed
// any further.
//
// Returns true on success. On failure returns false and may add errors to
// |errors|, which must be non-null.
//
// The values in |policy_oids| are only valid as long as |extension_value| is
// (as they reference its data rather than copying it).
OPENSSL_EXPORT bool ParseCertificatePoliciesExtensionOids(
    der::Input extension_value, bool fail_parsing_unknown_qualifier_oids,
    std::vector<der::Input> *policy_oids, CertErrors *errors);

// The decoded PolicyConstraints extension (RFC 5280 section 4.2.1.11).
// Each member is a SkipCerts count; presumably std::nullopt means the
// corresponding field was absent.
//
// NOTE(review): SkipCerts is INTEGER (0..MAX) in the ASN.1 but is stored here
// as uint8_t, so values above 255 cannot be represented. The parser must
// reject such values rather than truncate them; confirm in the .cc.
struct ParsedPolicyConstraints {
  // requireExplicitPolicy [0] SkipCerts OPTIONAL
  std::optional<uint8_t> require_explicit_policy;

  // inhibitPolicyMapping  [1] SkipCerts OPTIONAL
  std::optional<uint8_t> inhibit_policy_mapping;
};

// Parses a PolicyConstraints SEQUENCE as defined by RFC 5280. Returns true on
// success, and sets |out|. On failure |out| should be treated as unspecified.
[[nodiscard]] OPENSSL_EXPORT bool ParsePolicyConstraints(
    der::Input policy_constraints_tlv, ParsedPolicyConstraints *out);

// Parses an InhibitAnyPolicy as defined by RFC 5280. Returns the SkipCerts
// count on success, or std::nullopt if parsing fails.
[[nodiscard]] OPENSSL_EXPORT std::optional<uint8_t> ParseInhibitAnyPolicy(
    der::Input inhibit_any_policy_tlv);

// One mapping of the policyMappings extension (RFC 5280 section 4.2.1.5).
// Both members are views into the bytes they were parsed from.
struct ParsedPolicyMapping {
  // issuerDomainPolicy CertPolicyId
  der::Input issuer_domain_policy;
  // subjectDomainPolicy CertPolicyId
  der::Input subject_domain_policy;
};

// Parses a PolicyMappings SEQUENCE as defined by RFC 5280. Returns true on
// success, and sets |mappings|. The values in |mappings| are only valid as
// long as |policy_mappings_tlv| is, as they reference its data.
[[nodiscard]] OPENSSL_EXPORT bool ParsePolicyMappings(
    der::Input policy_mappings_tlv, std::vector<ParsedPolicyMapping> *mappings);

BSSL_NAMESPACE_END

#endif  // BSSL_PKI_CERTIFICATE_POLICIES_H_