forked from google/boringssl
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsimple_path_builder_delegate.h
74 lines (55 loc) · 2.29 KB
/
simple_path_builder_delegate.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
#define BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
#include <stddef.h>
#include <openssl/base.h>
#include "path_builder.h"
#include "signature_algorithm.h"
#include "signature_verify_cache.h"
namespace bssl {
class CertErrors;
// SimplePathBuilderDelegate is an implementation of CertPathBuilderDelegate
// that uses some default policies:
//
// * RSA public keys must be >= |min_rsa_modulus_length_bits|.
// * Signature algorithm can be RSA PKCS#1, RSASSA-PSS or ECDSA
// * Digest algorithm can be SHA256, SHA348 or SHA512.
// * If the |digest_policy| was set to kAllowSha1, then SHA1 is
// additionally accepted.
// * EC named curve can be P-256, P-384, P-521.
class OPENSSL_EXPORT SimplePathBuilderDelegate
: public CertPathBuilderDelegate {
public:
enum class DigestPolicy {
// Accepts digests of SHA256, SHA348 or SHA512
kStrong,
// Accepts everything that kStrong does, plus SHA1.
kWeakAllowSha1,
kMaxValue = kWeakAllowSha1
};
// Error emitted when a public key is rejected because it is an RSA key with a
// modulus size that is too small.
static const CertErrorId kRsaModulusTooSmall;
SimplePathBuilderDelegate(size_t min_rsa_modulus_length_bits,
DigestPolicy digest_policy);
// Accepts RSA PKCS#1, RSASSA-PSS or ECDA using any of the SHA* digests
// (including SHA1).
bool IsSignatureAlgorithmAcceptable(SignatureAlgorithm signature_algorithm,
CertErrors *errors) override;
// Requires RSA keys be >= |min_rsa_modulus_length_bits_|.
bool IsPublicKeyAcceptable(EVP_PKEY *public_key, CertErrors *errors) override;
// No-op implementation.
void CheckPathAfterVerification(const CertPathBuilder &path_builder,
CertPathBuilderResultPath *path) override;
// No-op implementation.
bool IsDeadlineExpired() override;
// No-op implementation.
SignatureVerifyCache *GetVerifyCache() override;
private:
const size_t min_rsa_modulus_length_bits_;
const DigestPolicy digest_policy_;
};
} // namespace bssl
#endif // BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_