Add public_key_type() accessor to quic::CertificateView.
This will be used later to disallow RSA certificates in the WebTransport hash-based verifier.
PiperOrigin-RevId: 416387139
diff --git a/quic/core/crypto/certificate_view.cc b/quic/core/crypto/certificate_view.cc
index f0b1c18..e920cdb 100644
--- a/quic/core/crypto/certificate_view.cc
+++ b/quic/core/crypto/certificate_view.cc
@@ -49,14 +49,6 @@
// 2.5.29.17
constexpr uint8_t kSubjectAltNameOid[] = {0x55, 0x1d, 0x11};
-enum class PublicKeyType {
- kRsa,
- kP256,
- kP384,
- kEd25519,
- kUnknown,
-};
-
PublicKeyType PublicKeyTypeFromKey(EVP_PKEY* public_key) {
switch (EVP_PKEY_id(public_key)) {
case EVP_PKEY_RSA:
@@ -469,11 +461,13 @@
}
}
+PublicKeyType CertificateView::public_key_type() {
+ return PublicKeyTypeFromKey(public_key_.get());
+}
+
bool CertificateView::ValidatePublicKeyParameters() {
- // The profile here affects what certificates can be used:
- // (1) when QUIC is used as a server library without any custom certificate
- // provider logic,
- // (2) when QuicTransport is handling self-signed certificates.
+ // The profile here affects what certificates can be used when QUIC is used as
+ // a server library without any custom certificate provider logic.
// The goal is to allow at minimum any certificate that would be allowed on a
// regular Web session over TLS 1.3 while ensuring we do not expose any
// algorithms we don't want to support long-term.
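Review bot: The new accessor `CertificateView::public_key_type()` is not const-qualified, although it only reads `public_key_` and passes it to `PublicKeyTypeFromKey`. A verifier holding a `const CertificateView&` will therefore be unable to call it, which is the stated future use of this accessor. Suggest `PublicKeyType CertificateView::public_key_type() const {` here and the matching `PublicKeyType public_key_type() const;` in the certificate_view.h hunk. `unique_ptr::get()` is itself const, so the body should not need to change, assuming `public_key_` is a smart pointer as the `.get()` call suggests.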
diff --git a/quic/core/crypto/certificate_view.h b/quic/core/crypto/certificate_view.h
index f2826cd..4249258 100644
--- a/quic/core/crypto/certificate_view.h
+++ b/quic/core/crypto/certificate_view.h
@@ -34,6 +34,15 @@
// Reads |input| line-by-line and returns the next available PEM message.
QUIC_EXPORT_PRIVATE PemReadResult ReadNextPemMessage(std::istream* input);
+// Cryptograhpic algorithms recognized in X.509.
+enum class PublicKeyType {
+ kRsa,
+ kP256,
+ kP384,
+ kEd25519,
+ kUnknown,
+};
+
// CertificateView represents a parsed version of a single X.509 certificate. As
// the word "view" implies, it does not take ownership of the underlying strings
// and consists primarily of pointers into the certificate that is passed into
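Review bot: The comment on the now-public `PublicKeyType` has a typo ("Cryptograhpic") and does not say what `kUnknown` means, which matters once this enum drives certificate policy. The commit message says the accessor will be used to disallow RSA certificates. A caller that writes `public_key_type() != PublicKeyType::kRsa` would also accept `kUnknown`, so the contract should steer callers toward an explicit allowlist. Suggested wording: `// Public key types distinguished in a certificate's SPKI. kUnknown covers every key type not listed here; policy checks should accept specific values rather than reject specific ones.`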
@@ -69,6 +78,9 @@
absl::string_view signature,
uint16_t signature_algorithm) const;
+ // Returns the type of the key used in the certificate's SPKI.
+ PublicKeyType public_key_type();
+
private:
CertificateView() = default;
diff --git a/quic/core/crypto/certificate_view_test.cc b/quic/core/crypto/certificate_view_test.cc
index 5d743b2..33514f2 100644
--- a/quic/core/crypto/certificate_view_test.cc
+++ b/quic/core/crypto/certificate_view_test.cc
@@ -58,6 +58,7 @@
const QuicWallTime validity_end = QuicWallTime::FromUNIXSeconds(
*quiche::QuicheUtcDateTimeToUnixSeconds(2020, 2, 2, 18, 13, 59));
EXPECT_EQ(view->validity_end(), validity_end);
+ EXPECT_EQ(view->public_key_type(), PublicKeyType::kRsa);
EXPECT_EQ("C=US,ST=California,L=Mountain View,O=QUIC Server,CN=127.0.0.1",
view->GetHumanReadableSubject());
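Review bot: The added `EXPECT_EQ(view->public_key_type(), PublicKeyType::kRsa);` exercises only the RSA branch of the mapping. The planned consumer needs to tell RSA apart from the other key types, so a wrong mapping for P-256, P-384, Ed25519 or an unrecognized key would go unnoticed. If the test data already includes a non-RSA certificate, an equivalent assertion there (for example `EXPECT_EQ(view->public_key_type(), PublicKeyType::kP256);`) would pin the behaviour the verifier will rely on. The enclosing test body starts and ends outside this hunk, so the fixtures available could not be checked from here.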