// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4
5#ifndef BSSL_PKI_EXTENDED_KEY_USAGE_H_
6#define BSSL_PKI_EXTENDED_KEY_USAGE_H_
7
Bob Beckbc97b7a2023-04-18 08:35:15 -06008#include <vector>
9
Bob Beck3cd30cc2023-11-22 16:59:00 -070010#include <openssl/base.h>
Bob Beckbc97b7a2023-04-18 08:35:15 -060011
12#include "input.h"
13
namespace bssl {

// Every OID constant below holds the DER *contents* octets of the OBJECT
// IDENTIFIER (no tag, no length). That is the same form ParseEKUExtension()
// below places in |eku_oids|, so a returned der::Input can be compared
// directly against e.g. der::Input(kServerAuth); sizeof() gives the encoded
// length. Being `inline constexpr`, each has exactly one definition across
// translation units.

// The arc for the anyExtendedKeyUsage OID is found under the id-ce arc,
// defined in section 4.2.1 of RFC 5280:
// id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
//
// From RFC 5280 section 4.2.1.12:
// id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
// anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
// In dotted notation: 2.5.29.37.0
//
// RFC 5280 section 4.2.1.12 leaves it to the application whether a
// certificate asserting anyExtendedKeyUsage is acceptable for a specific
// purpose. This header only supplies the encoding; that policy decision is
// made by the caller (not visible here).
inline constexpr uint8_t kAnyEKU[] = {0x55, 0x1d, 0x25, 0x00};

// All other key usage purposes defined in RFC 5280 are found in the id-kp
// arc, defined in section 4.2.1.12 as:
// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
//
// With id-pkix defined in RFC 5280 section 4.2.2 as:
// id-pkix OBJECT IDENTIFIER ::=
// { iso(1) identified-organization(3) dod(6) internet(1)
// security(5) mechanisms(5) pkix(7) }
//
// The first content octet 0x2b encodes the two leading arcs as 1*40 + 3;
// the remaining octets are the single-byte arcs 6.1.5.5.7.3 followed by the
// purpose-specific final arc.
//
// From RFC 5280 section 4.2.1.12:
// id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
// In dotted notation: 1.3.6.1.5.5.7.3.1
inline constexpr uint8_t kServerAuth[] = {0x2b, 0x06, 0x01, 0x05,
                                          0x05, 0x07, 0x03, 0x01};

// From RFC 5280 section 4.2.1.12:
// id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
// In dotted notation: 1.3.6.1.5.5.7.3.2
inline constexpr uint8_t kClientAuth[] = {0x2b, 0x06, 0x01, 0x05,
                                          0x05, 0x07, 0x03, 0x02};

// From RFC 5280 section 4.2.1.12:
// id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
// In dotted notation: 1.3.6.1.5.5.7.3.3
inline constexpr uint8_t kCodeSigning[] = {0x2b, 0x06, 0x01, 0x05,
                                           0x05, 0x07, 0x03, 0x03};

// From RFC 5280 section 4.2.1.12:
// id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
// In dotted notation: 1.3.6.1.5.5.7.3.4
inline constexpr uint8_t kEmailProtection[] = {0x2b, 0x06, 0x01, 0x05,
                                               0x05, 0x07, 0x03, 0x04};

// From RFC 5280 section 4.2.1.12:
// id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
// In dotted notation: 1.3.6.1.5.5.7.3.8
inline constexpr uint8_t kTimeStamping[] = {0x2b, 0x06, 0x01, 0x05,
                                            0x05, 0x07, 0x03, 0x08};

// From RFC 5280 section 4.2.1.12:
// id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
// In dotted notation: 1.3.6.1.5.5.7.3.9
inline constexpr uint8_t kOCSPSigning[] = {0x2b, 0x06, 0x01, 0x05,
                                           0x05, 0x07, 0x03, 0x09};

// Parses |extension_value|, which contains the extnValue field of an X.509v3
// Extended Key Usage extension, and populates |eku_oids| with the list of
// DER-encoded OID values (that is, without tag and length). Returns false if
// |extension_value| is improperly encoded.
//
// Note: The returned OIDs are only as valid as long as the data pointed to by
// |extension_value| is valid. |eku_oids| therefore borrows from the
// certificate buffer and must not outlive it.
//
// NOTE(review): |extension_value| is certificate data, i.e. untrusted input.
// This declaration does not say whether the RFC 5280 SIZE (1..MAX)
// constraint (at least one KeyPurposeId) is enforced, nor what |eku_oids|
// contains when false is returned — confirm both in the implementation
// before depending on them.
OPENSSL_EXPORT bool ParseEKUExtension(der::Input extension_value,
                                      std::vector<der::Input> *eku_oids);

} // namespace bssl
Bob Beckbc97b7a2023-04-18 08:35:15 -060082
83#endif // BSSL_PKI_EXTENDED_KEY_USAGE_H_