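// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef BSSL_PKI_PARSED_CERTIFICATE_H_
#define BSSL_PKI_PARSED_CERTIFICATE_H_

// Include what we use: this header names std::string, std::string_view and
// uint8_t directly, so it must not rely on them arriving transitively.
#include <cstdint>
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

#include <openssl/base.h>

#include "certificate_policies.h"
#include "input.h"
#include "parse_certificate.h"
#include "signature_algorithm.h"

namespace bssl {

struct GeneralNames;
class NameConstraints;
class ParsedCertificate;
class CertErrors;

using ParsedCertificateList =
    std::vector<std::shared_ptr<const ParsedCertificate>>;

// Represents an X.509 certificate, including Certificate, TBSCertificate, and
// standard extensions.
//
// Creating a ParsedCertificate does not completely parse and validate the
// certificate data. Presence of a member in this class implies the DER was
// parsed successfully to that level, but does not imply the contents of that
// member are valid, unless otherwise specified. See the documentation for each
// member or the documentation of the type it returns.
//
// Every der::Input / std::string_view accessor below returns a non-owning view
// of storage held by this object (the backing CRYPTO_BUFFER or a member
// string). Such views must not outlive the ParsedCertificate; callers that
// need to retain data beyond the object's lifetime must copy it.
//
// Accessors documented as requiring a has_*() check enforce that precondition
// with BSSL_CHECK, i.e. a misuse is a fatal programming error, not a
// recoverable condition.
class OPENSSL_EXPORT ParsedCertificate {
 private:
  // Used to make constructors private while still being compatible with
  // |std::make_shared|.
  class PrivateConstructor {
   private:
    friend ParsedCertificate;
    PrivateConstructor() = default;
  };

 public:
  ~ParsedCertificate();
  // Map from OID to ParsedExtension.
  using ExtensionsMap = std::map<der::Input, ParsedExtension>;

  // Creates a ParsedCertificate given a DER-encoded Certificate. Returns
  // nullptr on failure. Failure will occur if the standard certificate fields
  // and supported extensions cannot be parsed.
  // On either success or failure, if |errors| is non-null it may have error
  // information added to it.
  static std::shared_ptr<const ParsedCertificate> Create(
      bssl::UniquePtr<CRYPTO_BUFFER> cert_data,
      const ParseCertificateOptions &options, CertErrors *errors);

  // Creates a ParsedCertificate by copying the provided |data|, and appends it
  // to |chain|. Returns true if the certificate was successfully parsed and
  // added. If false is returned, |chain| is unmodified.
  //
  // On either success or failure, if |errors| is non-null it may have error
  // information added to it.
  static bool CreateAndAddToVector(
      bssl::UniquePtr<CRYPTO_BUFFER> cert_data,
      const ParseCertificateOptions &options,
      std::vector<std::shared_ptr<const bssl::ParsedCertificate>> *chain,
      CertErrors *errors);

  explicit ParsedCertificate(PrivateConstructor);

  // Non-copyable: the object owns its backing buffer and hands out views into
  // it, so copies would either dangle or require deep duplication.
  ParsedCertificate(const ParsedCertificate &) = delete;
  ParsedCertificate &operator=(const ParsedCertificate &) = delete;

  // Returns the DER-encoded certificate data for this cert.
  der::Input der_cert() const { return cert_; }

  // Returns the CRYPTO_BUFFER backing this object. Ownership is retained by
  // this object; the pointer is valid only while it is alive.
  CRYPTO_BUFFER *cert_buffer() const { return cert_data_.get(); }

  // Accessors for raw fields of the Certificate.
  der::Input tbs_certificate_tlv() const { return tbs_certificate_tlv_; }
  der::Input signature_algorithm_tlv() const {
    return signature_algorithm_tlv_;
  }
  const der::BitString &signature_value() const { return signature_value_; }

  // Accessor for struct containing raw fields of the TbsCertificate.
  const ParsedTbsCertificate &tbs() const { return tbs_; }

  // Returns the signatureAlgorithm of the Certificate (not the tbsCertificate).
  // If the signature algorithm is unknown/unsupported, this returns nullopt.
  std::optional<SignatureAlgorithm> signature_algorithm() const {
    return signature_algorithm_;
  }

  // Returns the DER-encoded raw subject value (including the outer sequence
  // tag). This is guaranteed to be valid DER, though the contents of unhandled
  // string types are treated as raw bytes.
  der::Input subject_tlv() const { return tbs_.subject_tlv; }
  // Returns the DER-encoded normalized subject value (not including outer
  // Sequence tag). This is guaranteed to be valid DER, though the contents of
  // unhandled string types are treated as raw bytes.
  der::Input normalized_subject() const {
    return der::Input(normalized_subject_);
  }
  // Returns the DER-encoded raw issuer value (including the outer sequence
  // tag). This is guaranteed to be valid DER, though the contents of unhandled
  // string types are treated as raw bytes.
  der::Input issuer_tlv() const { return tbs_.issuer_tlv; }
  // Returns the DER-encoded normalized issuer value (not including outer
  // Sequence tag). This is guaranteed to be valid DER, though the contents of
  // unhandled string types are treated as raw bytes.
  der::Input normalized_issuer() const {
    return der::Input(normalized_issuer_);
  }

  // Returns true if the certificate has a BasicConstraints extension.
  bool has_basic_constraints() const { return has_basic_constraints_; }

  // Returns the ParsedBasicConstraints struct. Caller must check
  // has_basic_constraints() before accessing this.
  const ParsedBasicConstraints &basic_constraints() const {
    BSSL_CHECK(has_basic_constraints_);
    return basic_constraints_;
  }

  // Returns true if the certificate has a KeyUsage extension.
  bool has_key_usage() const { return has_key_usage_; }

  // Returns the KeyUsage BitString. Caller must check
  // has_key_usage() before accessing this.
  const der::BitString &key_usage() const {
    BSSL_CHECK(has_key_usage_);
    return key_usage_;
  }

  // Returns true if the certificate has an ExtendedKeyUsage extension.
  bool has_extended_key_usage() const { return has_extended_key_usage_; }

  // Returns the ExtendedKeyUsage key purpose OIDs. Caller must check
  // has_extended_key_usage() before accessing this.
  const std::vector<der::Input> &extended_key_usage() const {
    BSSL_CHECK(has_extended_key_usage_);
    return extended_key_usage_;
  }

  // Returns true if the certificate has a SubjectAltName extension.
  bool has_subject_alt_names() const { return subject_alt_names_ != nullptr; }

  // Returns the ParsedExtension struct for the SubjectAltName extension.
  // If the cert did not have a SubjectAltName extension, this will be a
  // default-initialized ParsedExtension struct.
  const ParsedExtension &subject_alt_names_extension() const {
    return subject_alt_names_extension_;
  }

  // Returns the GeneralNames class parsed from SubjectAltName extension, or
  // nullptr if no SubjectAltName extension was present.
  const GeneralNames *subject_alt_names() const {
    return subject_alt_names_.get();
  }

  // Returns true if the certificate has a NameConstraints extension.
  bool has_name_constraints() const { return name_constraints_ != nullptr; }

  // Returns the parsed NameConstraints extension. Must not be called if
  // has_name_constraints() is false.
  const NameConstraints &name_constraints() const {
    BSSL_CHECK(name_constraints_);
    return *name_constraints_;
  }

  // Returns true if the certificate has an AuthorityInfoAccess extension.
  bool has_authority_info_access() const { return has_authority_info_access_; }

  // Returns the ParsedExtension struct for the AuthorityInfoAccess extension.
  const ParsedExtension &authority_info_access_extension() const {
    return authority_info_access_extension_;
  }

  // Returns any caIssuers URIs from the AuthorityInfoAccess extension.
  // The views are non-owning (presumably into the certificate DER — confirm
  // against the parser) and are valid only while this object is alive.
  const std::vector<std::string_view> &ca_issuers_uris() const {
    return ca_issuers_uris_;
  }

  // Returns any OCSP URIs from the AuthorityInfoAccess extension. Same
  // lifetime rules as ca_issuers_uris().
  const std::vector<std::string_view> &ocsp_uris() const { return ocsp_uris_; }

  // Returns true if the certificate has a Policies extension.
  bool has_policy_oids() const { return has_policy_oids_; }

  // Returns the policy OIDs. Caller must check has_policy_oids() before
  // accessing this.
  const std::vector<der::Input> &policy_oids() const {
    BSSL_CHECK(has_policy_oids());
    return policy_oids_;
  }

  // Returns true if the certificate has a PolicyConstraints extension.
  bool has_policy_constraints() const { return has_policy_constraints_; }

  // Returns the ParsedPolicyConstraints struct. Caller must check
  // has_policy_constraints() before accessing this.
  const ParsedPolicyConstraints &policy_constraints() const {
    BSSL_CHECK(has_policy_constraints_);
    return policy_constraints_;
  }

  // Returns true if the certificate has a PolicyMappings extension.
  bool has_policy_mappings() const { return has_policy_mappings_; }

  // Returns the PolicyMappings extension. Caller must check
  // has_policy_mappings() before accessing this.
  const std::vector<ParsedPolicyMapping> &policy_mappings() const {
    BSSL_CHECK(has_policy_mappings_);
    return policy_mappings_;
  }

  // Returns the Inhibit Any Policy extension (presumably nullopt when the
  // extension was not present — confirm against the parser).
  const std::optional<uint8_t> &inhibit_any_policy() const {
    return inhibit_any_policy_;
  }

  // Returns the AuthorityKeyIdentifier extension, or nullopt if there wasn't
  // one.
  const std::optional<ParsedAuthorityKeyIdentifier> &authority_key_identifier()
      const {
    return authority_key_identifier_;
  }

  // Returns the SubjectKeyIdentifier extension, or nullopt if there wasn't
  // one.
  const std::optional<der::Input> &subject_key_identifier() const {
    return subject_key_identifier_;
  }

  // Returns a map of all the extensions in the certificate.
  const ExtensionsMap &extensions() const { return extensions_; }

  // Gets the value for extension matching |extension_oid|. Returns false if the
  // extension is not present.
  bool GetExtension(der::Input extension_oid,
                    ParsedExtension *parsed_extension) const;

 private:
  // The backing store for the certificate data.
  bssl::UniquePtr<CRYPTO_BUFFER> cert_data_;

  // Points to the raw certificate DER.
  der::Input cert_;

  der::Input tbs_certificate_tlv_;
  der::Input signature_algorithm_tlv_;
  der::BitString signature_value_;
  ParsedTbsCertificate tbs_;

  // The signatureAlgorithm from the Certificate.
  std::optional<SignatureAlgorithm> signature_algorithm_;

  // Normalized DER-encoded Subject (not including outer Sequence tag).
  std::string normalized_subject_;
  // Normalized DER-encoded Issuer (not including outer Sequence tag).
  std::string normalized_issuer_;

  // BasicConstraints extension.
  bool has_basic_constraints_ = false;
  ParsedBasicConstraints basic_constraints_;

  // KeyUsage extension.
  bool has_key_usage_ = false;
  der::BitString key_usage_;

  // ExtendedKeyUsage extension.
  bool has_extended_key_usage_ = false;
  std::vector<der::Input> extended_key_usage_;

  // Raw SubjectAltName extension.
  ParsedExtension subject_alt_names_extension_;
  // Parsed SubjectAltName extension.
  std::unique_ptr<GeneralNames> subject_alt_names_;

  // NameConstraints extension.
  std::unique_ptr<NameConstraints> name_constraints_;

  // AuthorityInfoAccess extension.
  bool has_authority_info_access_ = false;
  ParsedExtension authority_info_access_extension_;
  // CaIssuers and Ocsp URIs parsed from the AuthorityInfoAccess extension. Note
  // that the AuthorityInfoAccess may have contained other AccessDescriptions
  // which are not represented here. These are non-owning views; the storage
  // they reference must be owned by this object.
  std::vector<std::string_view> ca_issuers_uris_;
  std::vector<std::string_view> ocsp_uris_;

  // Policies extension. This list will already have been checked for
  // duplicates.
  bool has_policy_oids_ = false;
  std::vector<der::Input> policy_oids_;

  // Policy constraints extension.
  bool has_policy_constraints_ = false;
  ParsedPolicyConstraints policy_constraints_;

  // Policy mappings extension.
  bool has_policy_mappings_ = false;
  std::vector<ParsedPolicyMapping> policy_mappings_;

  // Inhibit Any Policy extension.
  std::optional<uint8_t> inhibit_any_policy_;

  // AuthorityKeyIdentifier extension.
  std::optional<ParsedAuthorityKeyIdentifier> authority_key_identifier_;

  // SubjectKeyIdentifier extension.
  std::optional<der::Input> subject_key_identifier_;

  // All of the extensions.
  ExtensionsMap extensions_;
};

}  // namespace bssl

#endif  // BSSL_PKI_PARSED_CERTIFICATE_H_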