1 // Copyright 2015 The Chromium Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef BSSL_PKI_VERIFY_NAME_MATCH_H_
16 #define BSSL_PKI_VERIFY_NAME_MATCH_H_
17 
18 #include <string>
19 #include <vector>
20 
21 #include <openssl/base.h>
22 
23 BSSL_NAMESPACE_BEGIN
24 
25 class CertErrors;
26 
27 namespace der {
28 class Input;
29 }  // namespace der
30 
31 // Normalizes DER-encoded X.501 Name |name_rdn_sequence| (which should not
32 // include the Sequence tag).  If successful, returns true and stores the
33 // normalized DER-encoded Name into |normalized_rdn_sequence| (not including an
34 // outer Sequence tag). Returns false if there was an error parsing or
35 // normalizing the input, and adds error information to |errors|. |errors| must
36 // be non-null.
37 OPENSSL_EXPORT bool NormalizeName(der::Input name_rdn_sequence,
38                                   std::string *normalized_rdn_sequence,
39                                   CertErrors *errors);
40 
41 // Compares DER-encoded X.501 Name values according to RFC 5280 rules.
42 // |a_rdn_sequence| and |b_rdn_sequence| should be the DER-encoded RDNSequence
43 // values (not including the Sequence tag).
44 // Returns true if |a_rdn_sequence| and |b_rdn_sequence| match.
45 OPENSSL_EXPORT bool VerifyNameMatch(der::Input a_rdn_sequence,
46                                     der::Input b_rdn_sequence);
47 
48 // Compares |name_rdn_sequence| and |parent_rdn_sequence| and returns true if
49 // |name_rdn_sequence| is within the subtree defined by |parent_rdn_sequence|, as
50 // defined by RFC 5280 section 7.1. |name_rdn_sequence| and
51 // |parent_rdn_sequence| should be the DER-encoded RDNSequence values (not
52 // including the outer Sequence tag).
53 OPENSSL_EXPORT bool VerifyNameInSubtree(der::Input name_rdn_sequence,
54                                         der::Input parent_rdn_sequence);
55 
56 // Helper functions:
57 
58 // Finds all emailAddress attribute values in |name_rdn_sequence|.
59 // Returns true if parsing was successful, in which case
60 // |*contained_email_addresses| will contain zero or more values.  The values
61 // returned in |*contained_email_addresses| will be UTF-8 strings that have been
62 // checked to be valid strings for the string type of the attribute tag, but
63 // have otherwise not been validated (callers must not treat them as trusted).
64 // Returns false if there was a parsing error.
65 [[nodiscard]] bool FindEmailAddressesInName(
66     der::Input name_rdn_sequence,
67     std::vector<std::string> *contained_email_addresses);
68 
69 BSSL_NAMESPACE_END
70 
71 #endif  // BSSL_PKI_VERIFY_NAME_MATCH_H_
72