| // Copyright 2020 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef QUICHE_QUIC_CORE_CRYPTO_CERTIFICATE_VIEW_H_ |
| #define QUICHE_QUIC_CORE_CRYPTO_CERTIFICATE_VIEW_H_ |
| |
| #include <istream> |
| #include <memory> |
| #include <vector> |
| |
| #include "absl/strings/string_view.h" |
| #include "absl/types/optional.h" |
| #include "third_party/boringssl/src/include/openssl/base.h" |
| #include "third_party/boringssl/src/include/openssl/bytestring.h" |
| #include "third_party/boringssl/src/include/openssl/evp.h" |
| #include "quic/core/crypto/boring_utils.h" |
| #include "quic/core/quic_time.h" |
| #include "quic/core/quic_types.h" |
| #include "quic/platform/api/quic_export.h" |
| #include "quic/platform/api/quic_ip_address.h" |
| |
| namespace quic { |
| |
| struct QUIC_EXPORT_PRIVATE PemReadResult { |
| enum Status { kOk, kEof, kError }; |
| Status status; |
| std::string contents; |
| // The type of the PEM message (e.g., if the message starts with |
| // "-----BEGIN CERTIFICATE-----", the |type| would be "CERTIFICATE"). |
| std::string type; |
| }; |
| |
| // Reads |input| line-by-line and returns the next available PEM message. |
| QUIC_EXPORT_PRIVATE PemReadResult ReadNextPemMessage(std::istream* input); |
| |
| // Cryptograhpic algorithms recognized in X.509. |
| enum class PublicKeyType { |
| kRsa, |
| kP256, |
| kP384, |
| kEd25519, |
| kUnknown, |
| }; |
| QUIC_EXPORT_PRIVATE std::string PublicKeyTypeToString(PublicKeyType type); |
| |
| // CertificateView represents a parsed version of a single X.509 certificate. As |
| // the word "view" implies, it does not take ownership of the underlying strings |
| // and consists primarily of pointers into the certificate that is passed into |
| // the parser. |
| class QUIC_EXPORT_PRIVATE CertificateView { |
| public: |
| // Parses a single DER-encoded X.509 certificate. Returns nullptr on parse |
| // error. |
| static std::unique_ptr<CertificateView> ParseSingleCertificate( |
| absl::string_view certificate); |
| |
| // Loads all PEM-encoded X.509 certificates found in the |input| stream |
| // without parsing them. Returns an empty vector if any parsing error occurs. |
| static std::vector<std::string> LoadPemFromStream(std::istream* input); |
| |
| QuicWallTime validity_start() const { return validity_start_; } |
| QuicWallTime validity_end() const { return validity_end_; } |
| const EVP_PKEY* public_key() const { return public_key_.get(); } |
| |
| const std::vector<absl::string_view>& subject_alt_name_domains() const { |
| return subject_alt_name_domains_; |
| } |
| const std::vector<QuicIpAddress>& subject_alt_name_ips() const { |
| return subject_alt_name_ips_; |
| } |
| |
| // Returns a human-readable representation of the Subject field. The format |
| // is similar to RFC 2253, but does not match it exactly. |
| absl::optional<std::string> GetHumanReadableSubject() const; |
| |
| // |signature_algorithm| is a TLS signature algorithm ID. |
| bool VerifySignature(absl::string_view data, |
| absl::string_view signature, |
| uint16_t signature_algorithm) const; |
| |
| // Returns the type of the key used in the certificate's SPKI. |
| PublicKeyType public_key_type() const; |
| |
| private: |
| CertificateView() = default; |
| |
| QuicWallTime validity_start_ = QuicWallTime::Zero(); |
| QuicWallTime validity_end_ = QuicWallTime::Zero(); |
| absl::string_view subject_der_; |
| |
| // Public key parsed from SPKI. |
| bssl::UniquePtr<EVP_PKEY> public_key_; |
| |
| // SubjectAltName, https://tools.ietf.org/html/rfc5280#section-4.2.1.6 |
| std::vector<absl::string_view> subject_alt_name_domains_; |
| std::vector<QuicIpAddress> subject_alt_name_ips_; |
| |
| // Called from ParseSingleCertificate(). |
| bool ParseExtensions(CBS extensions); |
| bool ValidatePublicKeyParameters(); |
| }; |
| |
| // CertificatePrivateKey represents a private key that can be used with an X.509 |
| // certificate. |
| class QUIC_EXPORT_PRIVATE CertificatePrivateKey { |
| public: |
| explicit CertificatePrivateKey(bssl::UniquePtr<EVP_PKEY> private_key) |
| : private_key_(std::move(private_key)) {} |
| |
| // Loads a DER-encoded PrivateKeyInfo structure (RFC 5958) as a private key. |
| static std::unique_ptr<CertificatePrivateKey> LoadFromDer( |
| absl::string_view private_key); |
| |
| // Loads a private key from a PEM file formatted according to RFC 7468. Also |
| // supports legacy OpenSSL RSA key format ("BEGIN RSA PRIVATE KEY"). |
| static std::unique_ptr<CertificatePrivateKey> LoadPemFromStream( |
| std::istream* input); |
| |
| // |signature_algorithm| is a TLS signature algorithm ID. |
| std::string Sign(absl::string_view input, uint16_t signature_algorithm) const; |
| |
| // Verifies that the private key in question matches the public key of the |
| // certificate |view|. |
| bool MatchesPublicKey(const CertificateView& view) const; |
| |
| // Verifies that the private key can be used with the specified TLS signature |
| // algorithm. |
| bool ValidForSignatureAlgorithm(uint16_t signature_algorithm) const; |
| |
| EVP_PKEY* private_key() const { return private_key_.get(); } |
| |
| private: |
| CertificatePrivateKey() = default; |
| |
| bssl::UniquePtr<EVP_PKEY> private_key_; |
| }; |
| |
| // Parses a DER-encoded X.509 NameAttribute. Exposed primarily for testing. |
| QUIC_EXPORT_PRIVATE absl::optional<std::string> X509NameAttributeToString( |
| CBS input); |
| |
| // Parses a DER time based on the specified ASN.1 tag. Exposed primarily for |
| // testing. |
| QUIC_EXPORT_PRIVATE absl::optional<quic::QuicWallTime> ParseDerTime( |
| unsigned tag, |
| absl::string_view payload); |
| |
| } // namespace quic |
| |
| #endif // QUICHE_QUIC_CORE_CRYPTO_CERTIFICATE_VIEW_H_ |
