1 // Copyright 2017 The Chromium Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
16 #define BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
17 
18 #include <stddef.h>
19 
20 #include <openssl/base.h>
21 #include <openssl/pki/signature_verify_cache.h>
22 
23 #include "path_builder.h"
24 #include "signature_algorithm.h"
25 
26 BSSL_NAMESPACE_BEGIN
27 
28 class CertErrors;
29 
30 // SimplePathBuilderDelegate is an implementation of CertPathBuilderDelegate
31 // that uses some default policies:
32 //
33 //   * RSA public keys must be >= |min_rsa_modulus_length_bits|.
34 //   * Signature algorithm can be RSA PKCS#1, RSASSA-PSS or ECDSA
35 //   * Digest algorithm can be SHA256, SHA384 or SHA512.
36 //       * If the |digest_policy| was set to kWeakAllowSha1, then SHA1 is
37 //         additionally accepted.
38 //   * EC named curve can be P-256, P-384, P-521.
   //
   // The two policy members are const, so a delegate's policy cannot change
   // after construction. No lower bound on |min_rsa_modulus_length_bits| is
   // visible in this header, so the effective RSA key-size floor is whatever
   // value the caller passes to the constructor.
39 class OPENSSL_EXPORT SimplePathBuilderDelegate
40     : public CertPathBuilderDelegate {
41  public:
42   enum class DigestPolicy {
43     // Accepts digests of SHA256, SHA384 or SHA512
44     kStrong,
45 
46     // Accepts everything that kStrong does, plus SHA1.
       // SHA1 is no longer collision resistant; this value exists for callers
       // that need compatibility with legacy chains and should be an explicit,
       // reviewed choice.
47     kWeakAllowSha1,
48 
       // Alias for the last enumerator above. Update it when a policy is added.
49     kMaxValue = kWeakAllowSha1
50   };
51 
52   // Error emitted when a public key is rejected because it is an RSA key with a
53   // modulus size that is too small.
54   static const CertErrorId kRsaModulusTooSmall;
55 
     // |min_rsa_modulus_length_bits| is the minimum RSA modulus size, in bits,
     // required by IsPublicKeyAcceptable(). |digest_policy| selects which digest
     // set (see DigestPolicy) is allowed for certificate signatures.
56   SimplePathBuilderDelegate(size_t min_rsa_modulus_length_bits,
57                             DigestPolicy digest_policy);
58 
59   // Accepts RSA PKCS#1, RSASSA-PSS or ECDSA using any of the SHA* digests
60   // (including SHA1).
     // NOTE(review): "including SHA1" conflicts with the class comment and with
     // DigestPolicy, which say SHA1 is accepted only under kWeakAllowSha1. The
     // definition is not in this header; confirm which statement is current and
     // correct the other one.
61   bool IsSignatureAlgorithmAcceptable(SignatureAlgorithm signature_algorithm,
62                                       CertErrors *errors) override;
63 
64   // Requires RSA keys be >= |min_rsa_modulus_length_bits_|.
     // kRsaModulusTooSmall is the error id declared above for that rejection.
     // NOTE(review): handling of non-RSA keys (the class comment lists the
     // allowed EC curves) is defined in the .cc, not visible here.
65   bool IsPublicKeyAcceptable(EVP_PKEY *public_key, CertErrors *errors) override;
66 
67   // No-op implementation.
68   void CheckPathAfterVerification(const CertPathBuilder &path_builder,
69                                   CertPathBuilderResultPath *path) override;
70 
71   // No-op implementation.
     // NOTE(review): "no-op" does not state the returned value. Presumably this
     // always reports "not expired", i.e. this delegate puts no time bound on
     // path building. Confirm in the .cc.
72   bool IsDeadlineExpired() override;
73 
74   // No-op implementation.
     // NOTE(review): presumably returns a null cache (no signature verification
     // caching). Confirm in the .cc.
75   SignatureVerifyCache *GetVerifyCache() override;
76 
77   // No-op implementation.
     // NOTE(review): presumably returns false. Confirm in the .cc.
78   bool IsDebugLogEnabled() override;
79 
80   // No-op implementation.
     // NOTE(review): std::string_view is used here, but this header does not
     // include <string_view> directly; it presumably arrives through one of the
     // headers included above.
81   void DebugLog(std::string_view msg) override;
82 
83   // No-op implementation.
     // NOTE(review): the returned value decides whether precertificates are
     // accepted during path building, so "no-op" is not enough documentation
     // for a policy decision. Presumably false. Confirm in the .cc and state it
     // here.
84   bool AcceptPreCertificates() override;
85 
86  private:
     // Minimum RSA modulus size in bits, as referenced by IsPublicKeyAcceptable().
87   const size_t min_rsa_modulus_length_bits_;
     // Digest policy for this delegate; const, so fixed for its lifetime.
88   const DigestPolicy digest_policy_;
89 };
90 
91 BSSL_NAMESPACE_END
92 
93 #endif  // BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
94