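// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef BSSL_PKI_GENERAL_NAMES_H_
#define BSSL_PKI_GENERAL_NAMES_H_

#include <memory>
#include <string_view>
#include <utility>  // std::pair, used by GeneralNames::ip_address_ranges
#include <vector>

#include <openssl/base.h>

#include "cert_error_id.h"

namespace bssl {

class CertErrors;

// Error id reported (via the |errors| out-parameter of the functions below)
// when a GeneralName cannot be parsed.
OPENSSL_EXPORT extern const CertErrorId kFailedParsingGeneralName;

namespace der {
class Input;
}  // namespace der

// Bitfield values for the GeneralName types defined in RFC 5280. The ordering
// and exact values are not important, but match the order from the RFC for
// convenience. Values are OR-ed together in GeneralNames::present_name_types,
// so each type occupies its own bit.
enum GeneralNameTypes {
  GENERAL_NAME_NONE = 0,
  GENERAL_NAME_OTHER_NAME = 1 << 0,
  GENERAL_NAME_RFC822_NAME = 1 << 1,
  GENERAL_NAME_DNS_NAME = 1 << 2,
  GENERAL_NAME_X400_ADDRESS = 1 << 3,
  GENERAL_NAME_DIRECTORY_NAME = 1 << 4,
  GENERAL_NAME_EDI_PARTY_NAME = 1 << 5,
  GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER = 1 << 6,
  GENERAL_NAME_IP_ADDRESS = 1 << 7,
  GENERAL_NAME_REGISTERED_ID = 1 << 8,
  // Mask with every type bit set (the nine bits above).
  GENERAL_NAME_ALL_TYPES = (1 << 9) - 1,
};

// Represents a GeneralNames structure. When processing GeneralNames, it is
// often necessary to know which types of names were present, and to check
// all the names of a certain type. Therefore, a bitfield of all the name
// types is kept, and the names are split into members for each type.
//
// Lifetime: the der::Input and std::string_view members are non-owning views.
// As documented on Create(), they may reference the buffer the object was
// parsed from, so a GeneralNames must not outlive that buffer.
struct OPENSSL_EXPORT GeneralNames {
  // Controls parsing of iPAddress names in ParseGeneralName.
  // IP_ADDRESS_ONLY parses the iPAddress names as a 4 or 16 byte IP address
  // (filling |ip_addresses|).
  // IP_ADDRESS_AND_NETMASK parses the iPAddress names as 8 or 32 bytes
  // containing an IP address followed by a netmask (filling
  // |ip_address_ranges|).
  enum ParseGeneralNameIPAddressType {
    IP_ADDRESS_ONLY,
    IP_ADDRESS_AND_NETMASK,
  };

  // Defined out of line (presumably in the corresponding .cc). Note that a
  // user-declared destructor suppresses the implicit move operations, so
  // this struct is copied rather than moved.
  GeneralNames();
  ~GeneralNames();

  // Create a GeneralNames object representing the DER-encoded
  // |general_names_tlv|. The returned object may reference data from
  // |general_names_tlv|, so is only valid as long as |general_names_tlv| is.
  // Returns nullptr on failure, and may fill |errors| with
  // additional information. |errors| must be non-null.
  static std::unique_ptr<GeneralNames> Create(der::Input general_names_tlv,
                                              CertErrors *errors);

  // As above, but takes the GeneralNames sequence value, without the tag and
  // length.
  static std::unique_ptr<GeneralNames> CreateFromValue(
      der::Input general_names_value, CertErrors *errors);

  // DER-encoded OtherName values.
  std::vector<der::Input> other_names;

  // ASCII rfc822names.
  std::vector<std::string_view> rfc822_names;

  // ASCII hostnames.
  std::vector<std::string_view> dns_names;

  // DER-encoded ORAddress values.
  std::vector<der::Input> x400_addresses;

  // DER-encoded Name values (not including the Sequence tag).
  std::vector<der::Input> directory_names;

  // DER-encoded EDIPartyName values.
  std::vector<der::Input> edi_party_names;

  // ASCII URIs.
  std::vector<std::string_view> uniform_resource_identifiers;

  // iPAddresses as sequences of octets in network byte order. This will be
  // populated if the GeneralNames represents a Subject Alternative Name
  // (i.e. parsed with IP_ADDRESS_ONLY). Each address is guaranteed to be
  // either 4 bytes (IPv4) or 16 bytes (IPv6) long.
  std::vector<der::Input> ip_addresses;

  // iPAddress ranges, as <IP, mask> pairs. This will be populated
  // if the GeneralNames represents a Name Constraints (i.e. parsed with
  // IP_ADDRESS_AND_NETMASK). Each address is guaranteed to be either 4 bytes
  // (IPv4) or 16 bytes (IPv6) long. The mask half is guaranteed to be the
  // same size, and consist of some number of 1 bits, followed by some number
  // of 0 bits.
  //
  // WARNING: It is not guaranteed that the masked portions of the address are
  // zero. Consumers comparing an address against a range must apply the mask
  // to both sides rather than assuming the stored address is canonical.
  //
  // TODO(davidben): Should addresses with non-zero masked portions be rejected?
  std::vector<std::pair<der::Input, der::Input>> ip_address_ranges;

  // DER-encoded OBJECT IDENTIFIERs.
  std::vector<der::Input> registered_ids;

  // Which name types were present, as a bitfield of GeneralNameTypes.
  int present_name_types = GENERAL_NAME_NONE;
};

// Parses a GeneralName value and adds it to |subtrees|.
// |ip_address_type| specifies how to parse iPAddress names (see
// GeneralNames::ParseGeneralNameIPAddressType for which member is filled).
// Returns false on failure, and may fill |errors| with additional information.
// |errors| must be non-null.
// TODO(mattm): should this be a method on GeneralNames?
[[nodiscard]] OPENSSL_EXPORT bool ParseGeneralName(
    der::Input input,
    GeneralNames::ParseGeneralNameIPAddressType ip_address_type,
    GeneralNames *subtrees, CertErrors *errors);

}  // namespace bssl

#endif  // BSSL_PKI_GENERAL_NAMES_H_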