// Copyright 2015 The Chromium Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
14 
15 #ifndef BSSL_PKI_NAME_CONSTRAINTS_H_
16 #define BSSL_PKI_NAME_CONSTRAINTS_H_
17 
#include <memory>
#include <string_view>

#include <openssl/base.h>

#include "general_names.h"
23 
24 BSSL_NAMESPACE_BEGIN
25 
// Forward declarations. This header only names these types in function
// declarations, so their full definitions are not needed here.
class CertErrors;

namespace der {
class Input;
}  // namespace der
31 
// Parses a NameConstraints extension value and allows testing whether names are
// allowed under those constraints as defined by RFC 5280 section 4.2.1.10.
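class OPENSSL_EXPORT NameConstraints {
 public:
  ~NameConstraints();

  // Parses a DER-encoded NameConstraints extension and initializes this object.
  // |extension_value| should be the extnValue from the extension (not including
  // the OCTET STRING tag). |is_critical| should be true if the extension was
  // marked critical; it also decides whether unsupported name types are
  // reported by constrained_name_types() (see below). Returns nullptr if
  // parsing the extension failed.
  // The object may reference data from |extension_value|, so is only valid as
  // long as |extension_value| is.
  [[nodiscard]] static std::unique_ptr<NameConstraints> Create(
      der::Input extension_value, bool is_critical, CertErrors *errors);

  // Creates a NameConstraints object with only permitted names from the passed
  // in |permitted_subtrees|. Should never return nullptr.
  // NOTE(review): if GeneralNames holds non-owning views of the buffer it was
  // parsed from, the returned object is only valid as long as that buffer is;
  // confirm against general_names.h.
  [[nodiscard]] static std::unique_ptr<NameConstraints>
  CreateFromPermittedSubtrees(GeneralNames permitted_subtrees);

  // Tests if a certificate is allowed by the name constraints.
  // |subject_rdn_sequence| should be the DER-encoded value of the subject's
  // RDNSequence (not including Sequence tag), and may be an empty ASN.1
  // sequence. |subject_alt_names| should be the parsed representation of the
  // subjectAltName extension or nullptr if the extension was not present.
  // If the certificate is not allowed, an error will be added to |errors|;
  // there is no return value, so callers must consult |errors| afterwards.
  // Note that this method does not check hostname or IP address in commonName,
  // which is deprecated (crbug.com/308330).
  void IsPermittedCert(der::Input subject_rdn_sequence,
                       const GeneralNames *subject_alt_names,
                       CertErrors *errors) const;

  // Returns true if the ASCII email address |name| is permitted. |name| should
  // be a "mailbox" as specified by RFC 2821, with the additional restriction
  // that quoted names and whitespace are not allowed by this implementation.
  // NOTE(review): |case_insensitive_exclude_localpart| appears, from its name,
  // to control whether the local-part is matched case-insensitively against
  // excluded subtrees; confirm against the implementation before relying on it.
  [[nodiscard]] bool IsPermittedRfc822Name(
      std::string_view name, bool case_insensitive_exclude_localpart) const;

  // Returns true if the ASCII hostname |name| is permitted.
  // |name| may be a wildcard hostname (starts with "*."). Eg, "*.bar.com"
  // would not be permitted if "bar.com" is permitted and "foo.bar.com" is
  // excluded, while "*.baz.com" would only be permitted if "baz.com" is
  // permitted.
  [[nodiscard]] bool IsPermittedDNSName(std::string_view name) const;

  // Returns true if the directoryName |name_rdn_sequence| is permitted.
  // |name_rdn_sequence| should be the DER-encoded RDNSequence value (not
  // including the Sequence tag.)
  [[nodiscard]] bool IsPermittedDirectoryName(der::Input name_rdn_sequence) const;

  // Returns true if the iPAddress |ip| is permitted.
  [[nodiscard]] bool IsPermittedIP(der::Input ip) const;

  // Returns a bitfield of GeneralNameTypes of all the types constrained by this
  // NameConstraints. Name types that aren't supported will only be present if
  // the name constraint they appeared in was marked critical.
  //
  // RFC 5280 section 4.2.1.10 says:
  // Applications conforming to this profile MUST be able to process name
  // constraints that are imposed on the directoryName name form and SHOULD be
  // able to process name constraints that are imposed on the rfc822Name,
  // uniformResourceIdentifier, dNSName, and iPAddress name forms.
  // If a name constraints extension that is marked as critical
  // imposes constraints on a particular name form, and an instance of
  // that name form appears in the subject field or subjectAltName
  // extension of a subsequent certificate, then the application MUST
  // either process the constraint or reject the certificate.
  int constrained_name_types() const { return constrained_name_types_; }

  // Accessors for the parsed permittedSubtrees and excludedSubtrees. The
  // returned references are to members of this object and are valid only for
  // its lifetime.
  const GeneralNames &permitted_subtrees() const { return permitted_subtrees_; }
  const GeneralNames &excluded_subtrees() const { return excluded_subtrees_; }

 private:
  // Parses |extension_value| into this object. Returns false if parsing fails;
  // the result must not be ignored.
  [[nodiscard]] bool Parse(der::Input extension_value, bool is_critical,
                           CertErrors *errors);

  // Parsed permittedSubtrees / excludedSubtrees of the extension.
  GeneralNames permitted_subtrees_;
  GeneralNames excluded_subtrees_;
  // Bitfield of GeneralNameTypes, see constrained_name_types().
  int constrained_name_types_ = GENERAL_NAME_NONE;
};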
113 
114 BSSL_NAMESPACE_END
115 
116 #endif  // BSSL_PKI_NAME_CONSTRAINTS_H_
117