1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_CERT_ASN1_UTIL_H_
6#define NET_CERT_ASN1_UTIL_H_
7
8#include <vector>
9
10#include "base/strings/string_piece.h"
11#include "net/base/net_export.h"
12
namespace net {

namespace asn1 {

// Lightweight extractors over DER-encoded X.509 data.
//
// Every function below takes the DER bytes as a base::StringPiece and, on
// success, hands back StringPieces that alias the *input* buffer (each
// function's comment says which input). Nothing is copied, so an output view
// is only valid for as long as the storage behind the input is; keeping an
// output past the lifetime of the input is a use-after-free.
//
// A true return from any of these functions means only that the DER
// structure parsed far enough to locate the requested field. It is not
// evidence that the certificate's signature verifies, that it is within its
// validity period, or that it chains to a trusted root. The input is
// typically network-supplied and the implementation must treat it as
// untrusted; callers must not treat success as trust.

// ExtractSubjectFromDERCert parses the DER encoded certificate in |cert| and
// extracts the bytes of the X.501 Subject. On successful return, |subject_out|
// is set to contain the Subject, pointing into |cert|.
//
// Returns false if |cert| could not be parsed far enough to locate the
// Subject; treat |*subject_out| as unspecified in that case.
NET_EXPORT_PRIVATE bool ExtractSubjectFromDERCert(
    base::StringPiece cert,
    base::StringPiece* subject_out);

// ExtractSPKIFromDERCert parses the DER encoded certificate in |cert| and
// extracts the bytes of the SubjectPublicKeyInfo. On successful return,
// |spki_out| is set to contain the SPKI, pointing into |cert|.
//
// Returns false on a parse failure; treat |*spki_out| as unspecified then.
// NOTE(review): this header does not say whether the returned view includes
// the SPKI's outer SEQUENCE tag and length or only its contents — confirm
// against the implementation before hashing these bytes (e.g. for pinning).
NET_EXPORT_PRIVATE bool ExtractSPKIFromDERCert(base::StringPiece cert,
                                               base::StringPiece* spki_out);

// ExtractSubjectPublicKeyFromSPKI parses the DER encoded SubjectPublicKeyInfo
// in |spki| and extracts the bytes of the SubjectPublicKey. On successful
// return, |spk_out| is set to contain the public key, pointing into |spki|.
//
// Returns false on a parse failure; treat |*spk_out| as unspecified then.
// NOTE(review): the subjectPublicKey field is a BIT STRING; whether the
// returned bytes still carry the BIT STRING's leading unused-bits octet is
// not stated here — confirm against the implementation.
NET_EXPORT_PRIVATE bool ExtractSubjectPublicKeyFromSPKI(
    base::StringPiece spki,
    base::StringPiece* spk_out);

// HasTLSFeatureExtension parses the DER encoded certificate in |cert|
// and extracts the TLS feature extension
// (https://tools.ietf.org/html/rfc7633, the mechanism behind OCSP
// must-staple) if present. Returns true if the TLS feature extension was
// present, and false if the extension was not present or if there was a
// parsing failure.
//
// Because "absent" and "unparseable" both map to false, a caller cannot
// distinguish a certificate without the extension from a malformed one.
// Policy that depends on the extension being honored (e.g. requiring a
// stapled OCSP response) must not rely on this function to surface parse
// errors; use ExtractExtensionFromDERCert if that distinction matters.
// Note also that this only reports presence; it does not return or interpret
// the extension's contents.
NET_EXPORT_PRIVATE bool HasTLSFeatureExtension(base::StringPiece cert);

// HasCanSignHttpExchangesDraftExtension parses the DER encoded certificate
// in |cert| and extracts the canSignHttpExchangesDraft extension
// (https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html)
// if present. Returns true if the extension was present, and false if
// the extension was not present or if there was a parsing failure.
//
// As with HasTLSFeatureExtension, false conflates "not present" with
// "could not parse"; callers that need to tell the two apart should use
// ExtractExtensionFromDERCert. Presence of this extension is only one input
// to deciding whether a certificate may sign exchanges; nothing here checks
// the rest of that policy.
//
// Declared NET_EXPORT rather than NET_EXPORT_PRIVATE, so presumably this is
// intended for callers outside this module.
NET_EXPORT bool HasCanSignHttpExchangesDraftExtension(base::StringPiece cert);

// Extracts the two (SEQUENCE) tag-length-values for the signature
// AlgorithmIdentifiers in a DER encoded certificate. Does not use strict
// parsing or validate the resulting AlgorithmIdentifiers.
//
// On success returns true, and assigns |cert_signature_algorithm_sequence| and
// |tbs_signature_algorithm_sequence| to point into |cert|:
//
// * |cert_signature_algorithm_sequence| points at the TLV for
// Certificate.signatureAlgorithm.
//
// * |tbs_signature_algorithm_sequence| points at the TLV for
// TBSCertificate.algorithm.
//
// Both outputs are whole TLVs, so they can be compared byte-for-byte. RFC 5280
// requires the two AlgorithmIdentifiers to be identical (an attacker who can
// make them differ may get the outer, unsigned field processed under a
// weaker algorithm than the signed one), but this function performs no such
// comparison and no allow-listing of the algorithm OID or parameters. Both of
// those checks are the caller's responsibility. Because parsing is not
// strict, a true return does not imply the contents are well-formed DER.
NET_EXPORT_PRIVATE bool ExtractSignatureAlgorithmsFromDERCert(
    base::StringPiece cert,
    base::StringPiece* cert_signature_algorithm_sequence,
    base::StringPiece* tbs_signature_algorithm_sequence);

// Extracts the contents of the extension (if any) with OID |extension_oid| from
// the DER-encoded, X.509 certificate in |cert|.
//
// Returns false on parse error or true if the parse was successful. Sets
// |*out_extension_present| to whether or not the extension was found. If found,
// sets |*out_extension_critical| to match the extension's "critical" flag, and
// sets |*out_contents| to the contents of the extension (after unwrapping the
// OCTET STRING).
//
// Read the outputs in this order: only consult |*out_extension_present| when
// the return value is true, and only consult |*out_extension_critical| and
// |*out_contents| when |*out_extension_present| is true; otherwise treat
// them as unspecified. |*out_contents| points into |cert|.
//
// This function reports the critical flag but does not act on it. Per
// RFC 5280 a caller that does not recognize or cannot process an extension
// marked critical must reject the certificate; that decision belongs to the
// caller.
//
// NOTE(review): the encoding expected in |extension_oid| (raw DER-encoded OID
// contents vs. a dotted-decimal string) is not stated here — confirm against
// the implementation and existing call sites before passing a new OID.
NET_EXPORT bool ExtractExtensionFromDERCert(base::StringPiece cert,
                                            base::StringPiece extension_oid,
                                            bool* out_extension_present,
                                            bool* out_extension_critical,
                                            base::StringPiece* out_contents);

}  // namespace asn1

}  // namespace net
85
86#endif // NET_CERT_ASN1_UTIL_H_
87