1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_NAME_CONSTRAINTS_H_
6 #define BSSL_PKI_NAME_CONSTRAINTS_H_
7 
#include <memory>
#include <string_view>

#include <openssl/base.h>

#include "general_names.h"
13 
14 namespace bssl {
15 
// Forward declarations: the member declarations below only name these types,
// so the full definitions are not needed here.
class CertErrors;

namespace der {
class Input;
}  // namespace der
21 
22 // Parses a NameConstraints extension value and allows testing whether names are
23 // allowed under those constraints as defined by RFC 5280 section 4.2.1.10.
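class OPENSSL_EXPORT NameConstraints {
 public:
  // NOTE(review): only the destructor is user-declared; copy/move stay
  // implicitly defaulted. That is fine as long as GeneralNames is a plain
  // value type -- confirm in general_names.h before relying on copies.
  ~NameConstraints();

  // Parses a DER-encoded NameConstraints extension and initializes this object.
  // |extension_value| should be the extnValue from the extension (not including
  // the OCTET STRING tag). |is_critical| should be true if the extension was
  // marked critical; it determines whether unsupported name types are recorded
  // in constrained_name_types(). Returns nullptr if parsing the extension
  // failed; a null result must not be treated as "no constraints".
  // The object may reference data from |extension_value|, so is only valid as
  // long as |extension_value| is.
  [[nodiscard]] static std::unique_ptr<NameConstraints> Create(
      der::Input extension_value, bool is_critical, CertErrors *errors);

  // Create a NameConstraints object with only permitted names from the passed
  // in |permitted_subtrees|. Should never return nullptr. Whether the result
  // still borrows from whatever buffer |permitted_subtrees| was parsed from
  // depends on GeneralNames (see general_names.h) -- presumably it does, so
  // keep that buffer alive for the lifetime of the returned object.
  [[nodiscard]] static std::unique_ptr<NameConstraints>
  CreateFromPermittedSubtrees(GeneralNames permitted_subtrees);

  // Tests if a certificate is allowed by the name constraints.
  // |subject_rdn_sequence| should be the DER-encoded value of the subject's
  // RDNSequence (not including Sequence tag), and may be an empty ASN.1
  // sequence. |subject_alt_names| should be the parsed representation of the
  // subjectAltName extension or nullptr if the extension was not present.
  // If the certificate is not allowed, an error will be added to |errors|.
  // There is no return value: the only rejection signal is |errors|, so a
  // caller that does not inspect it afterwards silently accepts the cert.
  // Note that this method does not check hostname or IP address in commonName,
  // which is deprecated (crbug.com/308330).
  void IsPermittedCert(der::Input subject_rdn_sequence,
                       const GeneralNames *subject_alt_names,
                       CertErrors *errors) const;

  // Returns true if the ASCII email address |name| is permitted. |name| should
  // be a "mailbox" as specified by RFC 2821, with the additional restriction
  // that quoted names and whitespace are not allowed by this implementation.
  // |case_insensitive_exclude_localpart| presumably controls whether the
  // local-part is matched case-insensitively against excluded subtrees; the
  // exact semantics live in the implementation -- confirm there.
  [[nodiscard]] bool IsPermittedRfc822Name(
      std::string_view name, bool case_insensitive_exclude_localpart) const;

  // Returns true if the ASCII hostname |name| is permitted.
  // |name| may be a wildcard hostname (starts with "*."). Eg, "*.bar.com"
  // would not be permitted if "bar.com" is permitted and "foo.bar.com" is
  // excluded, while "*.baz.com" would only be permitted if "baz.com" is
  // permitted.
  [[nodiscard]] bool IsPermittedDNSName(std::string_view name) const;

  // Returns true if the directoryName |name_rdn_sequence| is permitted.
  // |name_rdn_sequence| should be the DER-encoded RDNSequence value (not
  // including the Sequence tag.)
  [[nodiscard]] bool IsPermittedDirectoryName(
      der::Input name_rdn_sequence) const;

  // Returns true if the iPAddress |ip| is permitted. |ip| is the raw address
  // bytes of a GeneralName iPAddress; the accepted lengths are not stated
  // here -- check the implementation before passing anything unusual.
  [[nodiscard]] bool IsPermittedIP(der::Input ip) const;

  // Returns a bitfield of GeneralNameTypes of all the types constrained by this
  // NameConstraints. Name types that aren't supported will only be present if
  // the name constraint they appeared in was marked critical.
  //
  // RFC 5280 section 4.2.1.10 says:
  // Applications conforming to this profile MUST be able to process name
  // constraints that are imposed on the directoryName name form and SHOULD be
  // able to process name constraints that are imposed on the rfc822Name,
  // uniformResourceIdentifier, dNSName, and iPAddress name forms.
  // If a name constraints extension that is marked as critical
  // imposes constraints on a particular name form, and an instance of
  // that name form appears in the subject field or subjectAltName
  // extension of a subsequent certificate, then the application MUST
  // either process the constraint or reject the certificate.
  //
  // Consequently, a verifier that finds an unsupported name type in this
  // bitfield must itself reject subsequent certificates presenting a name of
  // that type; this class cannot evaluate a constraint it does not support.
  int constrained_name_types() const { return constrained_name_types_; }

  // Parsed permittedSubtrees / excludedSubtrees. The returned references are
  // valid only as long as this object is.
  const GeneralNames &permitted_subtrees() const { return permitted_subtrees_; }
  const GeneralNames &excluded_subtrees() const { return excluded_subtrees_; }

 private:
  // Helper for Create(): parses |extension_value| into the subtrees and the
  // constrained-type bitfield. Its bool result presumably reports success and
  // must not be ignored (Create() is documented to return nullptr on failure).
  [[nodiscard]] bool Parse(der::Input extension_value, bool is_critical,
                           CertErrors *errors);

  GeneralNames permitted_subtrees_;
  GeneralNames excluded_subtrees_;
  // Bitfield of GeneralNameTypes; GENERAL_NAME_NONE until populated.
  int constrained_name_types_ = GENERAL_NAME_NONE;
};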
103 
104 }  // namespace bssl
105 
106 #endif  // BSSL_PKI_NAME_CONSTRAINTS_H_