1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_EXTENDED_KEY_USAGE_H_
6 #define BSSL_PKI_EXTENDED_KEY_USAGE_H_
7 
8 #include <vector>
9 
10 #include <openssl/base.h>
11 
12 #include "input.h"
13 
14 namespace bssl {
15 
// Extended Key Usage purpose OIDs, each given as the DER contents octets of
// the OBJECT IDENTIFIER (no tag byte, no length byte). That is the same form
// in which ParseEKUExtension reports the OIDs it finds, so checking a
// certificate for a purpose reduces to a byte-for-byte comparison against
// one of these arrays.
//
// anyExtendedKeyUsage sits under the id-ce arc (RFC 5280 section 4.2.1):
//   id-ce               ::= { joint-iso-ccitt(2) ds(5) 29 }
//   id-ce-extKeyUsage   ::= { id-ce 37 }              (section 4.2.1.12)
//   anyExtendedKeyUsage ::= { id-ce-extKeyUsage 0 }
// Dotted form: 2.5.29.37.0
inline constexpr uint8_t kAnyEKU[] = {0x55, 0x1d, 0x25, 0x00};

// Every other purpose defined in RFC 5280 sits under the id-kp arc
// (section 4.2.1.12), which itself hangs off id-pkix (section 4.2.2):
//   id-pkix ::= { iso(1) identified-organization(3) dod(6) internet(1)
//                 security(5) mechanisms(5) pkix(7) }
//   id-kp   ::= { id-pkix 3 }
// Dotted form of id-kp: 1.3.6.1.5.5.7.3, i.e. the seven leading bytes
// 2b 06 01 05 05 07 03 shared by all of the arrays below; only the final
// byte (the purpose number) differs.

// id-kp-serverAuth ::= { id-kp 1 }  ->  1.3.6.1.5.5.7.3.1
inline constexpr uint8_t kServerAuth[] = {
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};

// id-kp-clientAuth ::= { id-kp 2 }  ->  1.3.6.1.5.5.7.3.2
inline constexpr uint8_t kClientAuth[] = {
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02};

// id-kp-codeSigning ::= { id-kp 3 }  ->  1.3.6.1.5.5.7.3.3
inline constexpr uint8_t kCodeSigning[] = {
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03};

// id-kp-emailProtection ::= { id-kp 4 }  ->  1.3.6.1.5.5.7.3.4
inline constexpr uint8_t kEmailProtection[] = {
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04};

// id-kp-timeStamping ::= { id-kp 8 }  ->  1.3.6.1.5.5.7.3.8
inline constexpr uint8_t kTimeStamping[] = {
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08};

// id-kp-OCSPSigning ::= { id-kp 9 }  ->  1.3.6.1.5.5.7.3.9
inline constexpr uint8_t kOCSPSigning[] = {
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09};
70 
// Parses |extension_value|, which contains the extnValue field of an X.509v3
// Extended Key Usage extension, and populates |eku_oids| with the list of
// DER-encoded OID values (that is, without tag and length). Returns false if
// |extension_value| is improperly encoded.
//
// Each returned OID is in the same form as the k* constants above (contents
// octets only), so a caller can test for a purpose with a plain byte
// comparison, e.g. against kServerAuth or kAnyEKU.
//
// NOTE(review): whether |eku_oids| is cleared before being filled or appended
// to, and whether an empty ExtKeyUsageSyntax SEQUENCE is rejected, are not
// visible from this declaration — confirm against the implementation before
// relying on either.
//
// Note: The returned OIDs are only valid for as long as the data pointed to by
// |extension_value| is valid; they borrow from it rather than copying it.
OPENSSL_EXPORT bool ParseEKUExtension(der::Input extension_value,
                                      std::vector<der::Input> *eku_oids);
80 
81 }  // namespace bssl
82 
83 #endif  // BSSL_PKI_EXTENDED_KEY_USAGE_H_