xref: /aosp_15_r20/external/cronet/third_party/boringssl/src/pki/simple_path_builder_delegate.h (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
6 #define BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
7 
8 #include <stddef.h>
9 
10 #include <openssl/base.h>
11 #include <openssl/pki/signature_verify_cache.h>
12 
13 #include "path_builder.h"
14 #include "signature_algorithm.h"
15 
16 namespace bssl {
17 
18 class CertErrors;
19 
20 // SimplePathBuilderDelegate is an implementation of CertPathBuilderDelegate
21 // that uses some default policies:
22 //
23 //   * RSA public keys must be >= |min_rsa_modulus_length_bits|.
24 //   * Signature algorithm can be RSA PKCS#1, RSASSA-PSS or ECDSA
25 //   * Digest algorithm can be SHA256, SHA348 or SHA512.
26 //       * If the |digest_policy| was set to kAllowSha1, then SHA1 is
27 //         additionally accepted.
28 //   * EC named curve can be P-256, P-384, P-521.
29 class OPENSSL_EXPORT SimplePathBuilderDelegate
30     : public CertPathBuilderDelegate {
31  public:
32   enum class DigestPolicy {
33     // Accepts digests of SHA256, SHA348 or SHA512
34     kStrong,
35 
36     // Accepts everything that kStrong does, plus SHA1.
37     kWeakAllowSha1,
38 
39     kMaxValue = kWeakAllowSha1
40   };
41 
42   // Error emitted when a public key is rejected because it is an RSA key with a
43   // modulus size that is too small.
44   static const CertErrorId kRsaModulusTooSmall;
45 
46   SimplePathBuilderDelegate(size_t min_rsa_modulus_length_bits,
47                             DigestPolicy digest_policy);
48 
49   // Accepts RSA PKCS#1, RSASSA-PSS or ECDA using any of the SHA* digests
50   // (including SHA1).
51   bool IsSignatureAlgorithmAcceptable(SignatureAlgorithm signature_algorithm,
52                                       CertErrors *errors) override;
53 
54   // Requires RSA keys be >= |min_rsa_modulus_length_bits_|.
55   bool IsPublicKeyAcceptable(EVP_PKEY *public_key, CertErrors *errors) override;
56 
57   // No-op implementation.
58   void CheckPathAfterVerification(const CertPathBuilder &path_builder,
59                                   CertPathBuilderResultPath *path) override;
60 
61   // No-op implementation.
62   bool IsDeadlineExpired() override;
63 
64   // No-op implementation.
65   SignatureVerifyCache *GetVerifyCache() override;
66 
67   // No-op implementation.
68   bool IsDebugLogEnabled() override;
69 
70   // No-op implementation.
71   void DebugLog(std::string_view msg) override;
72 
73   // No-op implementation.
74   bool AcceptPreCertificates() override;
75 
76  private:
77   const size_t min_rsa_modulus_length_bits_;
78   const DigestPolicy digest_policy_;
79 };
80 
81 }  // namespace bssl
82 
83 #endif  // BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
84