1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_INTERNAL_PARSE_OCSP_H_ | 5 #ifndef NET_CERT_INTERNAL_OCSP_H_ |
6 #define NET_CERT_INTERNAL_PARSE_OCSP_H_ | 6 #define NET_CERT_INTERNAL_OCSP_H_ |
7 | 7 |
8 #include <memory> | 8 #include <memory> |
9 #include <string> | 9 #include <string> |
10 #include <vector> | 10 #include <vector> |
11 | 11 |
12 #include "net/base/hash_value.h" | 12 #include "net/base/hash_value.h" |
13 #include "net/cert/internal/parse_certificate.h" | 13 #include "net/cert/internal/parse_certificate.h" |
14 #include "net/cert/internal/signature_algorithm.h" | 14 #include "net/cert/internal/signature_algorithm.h" |
15 #include "net/cert/internal/signature_policy.h" | |
15 #include "net/der/input.h" | 16 #include "net/der/input.h" |
16 #include "net/der/parse_values.h" | 17 #include "net/der/parse_values.h" |
17 #include "net/der/parser.h" | 18 #include "net/der/parser.h" |
18 #include "net/der/tag.h" | 19 #include "net/der/tag.h" |
19 | 20 |
20 namespace net { | 21 namespace net { |
21 | 22 |
22 // OCSPCertID contains a representation of a DER-encoded RFC 6960 "CertID". | 23 // OCSPCertID contains a representation of a DER-encoded RFC 6960 "CertID". |
23 // | 24 // |
24 // CertID ::= SEQUENCE { | 25 // CertID ::= SEQUENCE { |
217 bool has_certs; | 218 bool has_certs; |
218 std::vector<der::Input> certs; | 219 std::vector<der::Input> certs; |
219 }; | 220 }; |
220 | 221 |
221 // From RFC 6960: | 222 // From RFC 6960: |
222 // | 223 // |
223 // id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | 224 // id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } |
224 // id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | 225 // id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } |
225 // | 226 // |
226 // In dotted notation: 1.3.6.1.5.5.7.48.1.1 | 227 // In dotted notation: 1.3.6.1.5.5.7.48.1.1 |
227 NET_EXPORT der::Input BasicOCSPResponseOid(); | 228 NET_EXPORT der::Input BasicOCSPResponseOid() WARN_UNUSED_RESULT; |
228 | 229 |
229 // Parses a DER-encoded OCSP "CertID" as specified by RFC 6960. Returns true on | 230 // Parses a DER-encoded OCSP "CertID" as specified by RFC 6960. Returns true on |
230 // success and sets the results in |out|. | 231 // success and sets the results in |out|. |
231 // | 232 // |
232 // On failure |out| has an undefined state. Some of its fields may have been | 233 // On failure |out| has an undefined state. Some of its fields may have been |
233 // updated during parsing, whereas others may not have been changed. | 234 // updated during parsing, whereas others may not have been changed. |
234 NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv, | 235 NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv, |
235 OCSPCertID* out); | 236 OCSPCertID* out) WARN_UNUSED_RESULT; |
236 | 237 |
237 // Parses a DER-encoded OCSP "SingleResponse" as specified by RFC 6960. Returns | 238 // Parses a DER-encoded OCSP "SingleResponse" as specified by RFC 6960. Returns |
238 // true on success and sets the results in |out|. The resulting |out| | 239 // true on success and sets the results in |out|. The resulting |out| |
239 // references data from |raw_tlv| and is only valid for the lifetime of | 240 // references data from |raw_tlv| and is only valid for the lifetime of |
240 // |raw_tlv|. | 241 // |raw_tlv|. |
241 // | 242 // |
242 // On failure |out| has an undefined state. Some of its fields may have been | 243 // On failure |out| has an undefined state. Some of its fields may have been |
243 // updated during parsing, whereas others may not have been changed. | 244 // updated during parsing, whereas others may not have been changed. |
244 NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv, | 245 NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv, |
245 OCSPSingleResponse* out); | 246 OCSPSingleResponse* out) |
247 WARN_UNUSED_RESULT; | |
246 | 248 |
247 // Parses a DER-encoded OCSP "ResponseData" as specified by RFC 6960. Returns | 249 // Parses a DER-encoded OCSP "ResponseData" as specified by RFC 6960. Returns |
248 // true on success and sets the results in |out|. The resulting |out| | 250 // true on success and sets the results in |out|. The resulting |out| |
249 // references data from |raw_tlv| and is only valid for the lifetime of | 251 // references data from |raw_tlv| and is only valid for the lifetime of |
250 // |raw_tlv|. | 252 // |raw_tlv|. |
251 // | 253 // |
252 // On failure |out| has an undefined state. Some of its fields may have been | 254 // On failure |out| has an undefined state. Some of its fields may have been |
253 // updated during parsing, whereas others may not have been changed. | 255 // updated during parsing, whereas others may not have been changed. |
254 NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv, | 256 NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv, |
255 OCSPResponseData* out); | 257 OCSPResponseData* out) |
258 WARN_UNUSED_RESULT; | |
256 | 259 |
257 // Parses a DER-encoded "OCSPResponse" as specified by RFC 6960. Returns true | 260 // Parses a DER-encoded "OCSPResponse" as specified by RFC 6960. Returns true |
258 // on success and sets the results in |out|. The resulting |out| | 261 // on success and sets the results in |out|. The resulting |out| |
259 // references data from |raw_tlv| and is only valid for the lifetime of | 262 // references data from |raw_tlv| and is only valid for the lifetime of |
260 // |raw_tlv|. | 263 // |raw_tlv|. |
261 // | 264 // |
262 // On failure |out| has an undefined state. Some of its fields may have been | 265 // On failure |out| has an undefined state. Some of its fields may have been |
263 // updated during parsing, whereas others may not have been changed. | 266 // updated during parsing, whereas others may not have been changed. |
264 NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv, | 267 NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv, |
265 OCSPResponse* out); | 268 OCSPResponse* out) WARN_UNUSED_RESULT; |
266 | 269 |
267 // Checks the certificate status of |cert| based on the OCSPResponseData | 270 // Checks the certificate status of |cert| based on the OCSPResponseData |
268 // |response_data| and issuer |issuer| and sets the results in |out|. In the | 271 // |response_data| and issuer |issuer| and sets the results in |out|. In the |
269 // case that there are multiple responses for a given certificate, as a result | 272 // case that there are multiple responses for a given certificate, as a result |
270 // of caching or performance (RFC 6960, 4.2.2.3), the strictest response is | 273 // of caching or performance (RFC 6960, 4.2.2.3), the strictest response is |
271 // returned (REVOKED > UNKNOWN > GOOD). | 274 // returned (REVOKED > UNKNOWN > GOOD). |
272 // | 275 // |
273 // On failure |out| has an undefined state. Some of its fields may have been | 276 // On failure |out| has an undefined state. Some of its fields may have been |
274 // updated during parsing, whereas others may not have been changed. | 277 // updated during parsing, whereas others may not have been changed. |
275 NET_EXPORT_PRIVATE bool GetOCSPCertStatus(const OCSPResponseData& response_data, | 278 NET_EXPORT_PRIVATE bool GetOCSPCertStatus(const OCSPResponseData& response_data, |
276 const ParsedCertificate& issuer, | 279 const ParsedCertificate& issuer, |
277 const ParsedCertificate& cert, | 280 const ParsedCertificate& cert, |
278 OCSPCertStatus* out); | 281 OCSPCertStatus* out) |
282 WARN_UNUSED_RESULT; | |
283 | |
284 // Verifies that the OCSP Response |response| is signed and has a valid trust | |
285 // path to the issuer |issuer_cert|, and returns whether the verification was | |
286 // successful. |signature_policy| is the policy to be applied to the signature | |
287 // verification of the trust path and OCSP response. The verification is | |
288 // performed as per RFC 6960. | |
289 NET_EXPORT_PRIVATE bool VerifyOCSPResponse( | |
eroman
2016/05/31 19:12:46
IMPORTANT: How does this prevent replay attacks?
| |
290 const OCSPResponse& response, | |
291 const ParsedCertificate& issuer_cert, | |
292 const SignaturePolicy& signature_policy) WARN_UNUSED_RESULT; | |
279 | 293 |
280 } // namespace net | 294 } // namespace net |
281 | 295 |
282 #endif // NET_CERT_INTERNAL_PARSE_OCSP_H_ | 296 #endif // NET_CERT_INTERNAL_OCSP_H_ |
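Review bot: The comment above the new VerifyOCSPResponse declaration (new lines 284-289) does not say which signers are accepted: whether the BasicOCSPResponse signature must come from |issuer_cert| itself, or may also come from a delegated responder certificate that chains to |issuer_cert|, which RFC 6960 section 4.2.2.2 permits only when that certificate carries the id-kp-OCSPSigning extended key usage. From this header a caller cannot tell whether that responder-authorization check is part of the "valid trust path" or has to be performed separately, and the phrase "trust path" by itself suggests ordinary chain building rather than the OCSP-specific rule. I would add a sentence along the lines of `// The signature is accepted only from |issuer_cert| or from a responder certificate that chains to |issuer_cert| and is authorized per RFC 6960 section 4.2.2.2.`, adjusted to match what the implementation actually enforces, since that is not visible here. It would also help to state explicitly that a true return says nothing about the status of any individual certificate, which remains the job of GetOCSPCertStatus.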