| // Copyright 2019 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_INTERNAL_H_ |
| #define CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_INTERNAL_H_ |
| |
| #include <openssl/x509.h> |
| |
| #include <string> |
| #include <vector> |
| |
| #include "absl/strings/string_view.h" |
| #include "platform/base/error.h" |
| namespace openscreen { |
| namespace cast { |
| |
| struct TrustStore { |
| enum class Mode { |
| // In strict mode, only certificates signed by a CA will be accepted as |
| // part of authentication. Note that if a self-signed certificate is placed |
| // in a strict mode TrustStore, it cannot be used for authentication. |
| kStrict, |
| |
| // In allow self signed mode, certificates signed by an arbitrary private |
| // key that have been placed in this trust store will be allowed. Note |
| // that certificates must still otherwise be valid. |
| kAllowSelfSigned |
| }; |
| |
| static TrustStore CreateInstanceFromPemFile(absl::string_view file_path); |
| |
| std::vector<bssl::UniquePtr<X509>> certs; |
| }; |
| |
| // Adds a trust anchor given a DER-encoded certificate from static |
| // storage. |
| template <size_t N> |
| bssl::UniquePtr<X509> MakeTrustAnchor(const uint8_t (&data)[N]) { |
| const uint8_t* dptr = data; |
| return bssl::UniquePtr<X509>{d2i_X509(nullptr, &dptr, N)}; |
| } |
| |
| inline bssl::UniquePtr<X509> MakeTrustAnchor(const std::vector<uint8_t>& data) { |
| const uint8_t* dptr = data.data(); |
| return bssl::UniquePtr<X509>{d2i_X509(nullptr, &dptr, data.size())}; |
| } |
| |
| struct ConstDataSpan; |
| struct DateTime; |
| |
| bool VerifySignedData(const EVP_MD* digest, |
| EVP_PKEY* public_key, |
| const ConstDataSpan& data, |
| const ConstDataSpan& signature); |
| |
| // Parses DateTime with additional restrictions laid out by RFC 5280 |
| // 4.1.2.5.2. |
| bool ParseAsn1GeneralizedTime(ASN1_GENERALIZEDTIME* time, DateTime* out); |
| bool GetCertValidTimeRange(X509* cert, |
| DateTime* not_before, |
| DateTime* not_after); |
| |
| struct CertificatePathResult { |
| bssl::UniquePtr<X509> target_cert; |
| std::vector<bssl::UniquePtr<X509>> intermediate_certs; |
| std::vector<X509*> path; |
| }; |
| |
| Error FindCertificatePath(const std::vector<std::string>& der_certs, |
| const DateTime& time, |
| CertificatePathResult* result_path, |
| TrustStore* trust_store); |
| |
| } // namespace cast |
| } // namespace openscreen |
| |
| #endif // CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_INTERNAL_H_ |