1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_CERTIFICATE_POLICIES_H_
6 #define BSSL_PKI_CERTIFICATE_POLICIES_H_
7 
8 #include <stdint.h>
9 #include <vector>
10 
11 
12 #include <optional>
13 #include "input.h"
14 
15 namespace bssl {
16 
// Error sink that the parsing functions below may append to on failure;
// defined elsewhere in the library.
class CertErrors;
18 
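// The DER-encoded OID, without tag or length, of the anyPolicy certificate
// policy defined in RFC 5280 section 4.2.1.4.
//
//     anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
//
// In dotted notation: 2.5.29.32.0
//
// anyPolicy is the special "any policy" value rather than a concrete policy;
// whether a chain may rely on it is constrained by the inhibitAnyPolicy
// extension (kInhibitAnyPolicyOid), so callers comparing policy OIDs should
// treat a match against this constant differently from a match against a
// specific policy.
inline constexpr uint8_t kAnyPolicyOid[4] = {0x55, 0x1D, 0x20, 0x00};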
22 
// DER-encoded OID (content bytes only, no tag or length) of the
// inhibitAnyPolicy extension, RFC 5280 section 4.2.1.14:
//
//     id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
//
// Dotted form: 2.5.29.54
inline constexpr uint8_t kInhibitAnyPolicyOid[3] = {0x55, 0x1D, 0x36};
29 
// DER-encoded OID (content bytes only, no tag or length) of the
// policyMappings extension, RFC 5280 section 4.2.1.5:
//
//     id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
//
// Dotted form: 2.5.29.33
inline constexpr uint8_t kPolicyMappingsOid[3] = {0x55, 0x1D, 0x21};
36 
// policyQualifierId of the CPS Pointer qualifier (RFC 5280 section 4.2.1.4),
// DER-encoded without tag or length:
//
//     id-qt     OBJECT IDENTIFIER ::= { id-pkix 2 }
//     id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
//
// Dotted form: 1.3.6.1.5.5.7.2.1
inline constexpr uint8_t kCpsPointerId[8] = {
    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01,
};
45 
// policyQualifierId of the User Notice qualifier (RFC 5280 section 4.2.1.4),
// DER-encoded without tag or length:
//
//     id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
//
// Dotted form: 1.3.6.1.5.5.7.2.2
inline constexpr uint8_t kUserNoticeId[8] = {
    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02,
};
51 
// One policyQualifierInfo entry of a PolicyInformation. Both fields are
// der::Input views and therefore do not own their bytes; they are only valid
// while the extension value they were parsed from is alive (see the lifetime
// notes on the parsing functions below).
struct PolicyQualifierInfo {
  // policyQualifierId, e.g. kCpsPointerId or kUserNoticeId.
  der::Input qualifier_oid;
  // The qualifier value as raw bytes; it is not decoded by this header's API.
  der::Input qualifier;
};
56 
// One PolicyInformation entry of a certificatePolicies extension: a policy
// OID plus its (possibly empty) list of qualifiers. |policy_oid| and every
// der::Input inside |policy_qualifiers| are views into the parsed extension
// bytes and do not outlive them.
struct OPENSSL_EXPORT PolicyInformation {
  // Special members are defined out of line (in the .cc).
  PolicyInformation();
  ~PolicyInformation();
  PolicyInformation(const PolicyInformation &);
  PolicyInformation(PolicyInformation &&);
  // NOTE(review): no copy/move assignment is declared, and a user-declared
  // move constructor suppresses the implicit ones, so instances are
  // constructible but not assignable — confirm this is intended. The move
  // constructor is also not marked noexcept here, so std::vector growth may
  // fall back to copying; check the definition before relying on moves.

  // Policy OID content bytes (compare against kAnyPolicyOid to detect the
  // anyPolicy wildcard).
  der::Input policy_oid;
  // Qualifiers in the order they appear in the extension.
  std::vector<PolicyQualifierInfo> policy_qualifiers;
};
66 
// Parses a certificatePolicies extension and stores the policy information in
// |*policies|, in the order presented in |extension_value|.
//
// Returns true on success. On failure returns false and may add errors to
// |errors|, which must be non-null.
//
// The values in |policies| are only valid as long as |extension_value| is (as
// they reference its data).
//
// NOTE(review): RFC 5280 section 4.2.1.4 forbids a policy OID from appearing
// more than once in the extension; whether this parser rejects duplicates, and
// whether |*policies| is cleared or left partially filled on failure, is not
// visible from this header — check the implementation before depending on
// either.
OPENSSL_EXPORT bool ParseCertificatePoliciesExtension(
    der::Input extension_value, std::vector<PolicyInformation> *policies,
    CertErrors *errors);
78 
// Parses a certificatePolicies extension and stores the policy OIDs in
// |*policy_oids|, in sorted order.
//
// If policyQualifiers for User Notice or CPS are present then they are
// ignored (RFC 5280 section 4.2.1.4 says "optional qualifiers, which MAY
// be present, are not expected to change the definition of the policy.").
//
// If a policy qualifier other than User Notice/CPS is present, parsing
// will fail if |fail_parsing_unknown_qualifier_oids| was set to true,
// otherwise the unrecognized qualifiers will be skipped and not parsed
// any further. Passing false therefore accepts extensions whose qualifiers
// this code does not understand; callers that want strict validation should
// pass true.
//
// Returns true on success. On failure returns false and may add errors to
// |errors|, which must be non-null.
//
// The values in |policy_oids| are only valid as long as |extension_value| is
// (as they reference its data).
//
// NOTE(review): "sorted order" does not by itself say whether duplicate policy
// OIDs (forbidden by RFC 5280 section 4.2.1.4) are rejected or collapsed —
// confirm in the implementation.
OPENSSL_EXPORT bool ParseCertificatePoliciesExtensionOids(
    der::Input extension_value, bool fail_parsing_unknown_qualifier_oids,
    std::vector<der::Input> *policy_oids, CertErrors *errors);
99 
// Decoded PolicyConstraints extension (RFC 5280 section 4.2.1.11). Each field
// is a SkipCerts count; presumably std::nullopt means the OPTIONAL field was
// absent from the SEQUENCE — confirm against ParsePolicyConstraints.
//
// NOTE(review): SkipCerts is INTEGER (0..MAX) on the wire but stored here as
// uint8_t; a conforming parser must fail (not truncate) for values that do not
// fit, since a silently wrapped count would weaken policy enforcement. Verify
// the implementation does so.
struct ParsedPolicyConstraints {
  // requireExplicitPolicy [0] SkipCerts OPTIONAL
  std::optional<uint8_t> require_explicit_policy;

  // inhibitPolicyMapping [1] SkipCerts OPTIONAL
  std::optional<uint8_t> inhibit_policy_mapping;
};
105 
// Parses a PolicyConstraints SEQUENCE as defined by RFC 5280 section 4.2.1.11.
// |policy_constraints_tlv| is the extension value including its outer
// SEQUENCE tag and length (per the |_tlv| naming). Returns true on success,
// and sets |out|. On failure returns false; the state of |*out| in that case
// is not specified by this header, so callers must not read it.
//
// The return value must not be ignored: an unparsed constraint would otherwise
// be silently treated as "no constraint".
[[nodiscard]] OPENSSL_EXPORT bool ParsePolicyConstraints(
    der::Input policy_constraints_tlv, ParsedPolicyConstraints *out);
110 
// Parses an InhibitAnyPolicy extension value as defined by RFC 5280 section
// 4.2.1.14 (InhibitAnyPolicy ::= SkipCerts). |inhibit_any_policy_tlv| is the
// value including its outer tag and length. Returns the SkipCerts count on
// success, or std::nullopt if parsing fails.
//
// NOTE(review): SkipCerts is INTEGER (0..MAX) but the result is a uint8_t, so
// values above 255 presumably yield std::nullopt rather than being truncated —
// confirm in the implementation. Callers must treat std::nullopt as a parse
// failure, not as "no inhibition".
[[nodiscard]] OPENSSL_EXPORT std::optional<uint8_t> ParseInhibitAnyPolicy(
    der::Input inhibit_any_policy_tlv);
115 
// One PolicyMappings entry (RFC 5280 section 4.2.1.5): issuerDomainPolicy is
// mapped to subjectDomainPolicy. Both fields are der::Input views and
// presumably alias the TLV passed to ParsePolicyMappings, as with the other
// parsers in this header — do not let them outlive it.
struct ParsedPolicyMapping {
  // issuerDomainPolicy OID content bytes.
  der::Input issuer_domain_policy;
  // subjectDomainPolicy OID content bytes.
  der::Input subject_domain_policy;
};
120 
// Parses a PolicyMappings SEQUENCE as defined by RFC 5280 section 4.2.1.5.
// |policy_mappings_tlv| is the extension value including its outer SEQUENCE
// tag and length. Returns true on success, and sets |mappings|; on failure
// returns false and the contents of |*mappings| are unspecified by this
// header.
//
// NOTE(review): RFC 5280 section 4.2.1.5 says policies MUST NOT be mapped to
// or from anyPolicy (kAnyPolicyOid). Whether that is enforced here or left to
// the path-validation code is not visible from this header — confirm before
// relying on the mappings for policy evaluation.
[[nodiscard]] OPENSSL_EXPORT bool ParsePolicyMappings(
    der::Input policy_mappings_tlv, std::vector<ParsedPolicyMapping> *mappings);
125 
126 }  // namespace bssl
127 
128 #endif  // BSSL_PKI_CERTIFICATE_POLICIES_H_
129