Bring the handling of <keygen> and support for the application/x-x509-user-ce...

net/base/x509_certificate.h

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 
 #include <string.h>
 
 #include <map>
@@ skipping 64 matching lines @@
     SOURCE_LONE_CERT_IMPORT = 1,  // From importing a certificate without
                                   // its intermediate CA certificates.
     SOURCE_FROM_NETWORK = 2,      // From the network.
   };
 
   enum VerifyFlags {
     VERIFY_REV_CHECKING_ENABLED = 1 << 0,
     VERIFY_EV_CERT = 1 << 1,
   };
 
+  // The format of the certificate, when using CreateFromBytes(). For formats
+  // which permit sequences of certificates, the first certificate encountered
+  // will be used to initialize the returned X509Certificate, while each
+  // additional certificate will be added as intermediate certificates. The
+  // certificates should be ordered from most specific (EE) to least specific
+  // (Root, if included)
+  enum CertificateFormat {
+    // The data contains a single DER-encoded certificate.
+    FORMAT_DER = 1 << 1,
+
+    // The data contains one or more PEM wrapped certificates. Each
+    // certificate will be marked using the PEM encoding block name of
+    // CERTIFICATE.
+    FORMAT_PEM = 1 << 2,
+
+    // The data contains a PKCS#7 SignedData structure, whose certificates
+    // member is to be used to initialize the certificate and intermediates.
+    // This format MAY be further wrapped via PEM encoding, using the PEM
+    // encoding block names of PKCS7 or CERTIFICATE
+    FORMAT_PKCS7 = 1 << 3,
+
+    // The data contains a PKCS#7 ContentInfo structure with the OID set to
+    // 2.16.840.1.113730.2.5, which is the OID for netscape-cert-sequence
+    // (see https://wiki.mozilla.org/CA:Certificate_Download_Specification).
+    FORMAT_LEGACY_NETSCAPE = 1 << 5,
+
+    // Automatically detect the format. Any other format flags will be
+    // ignored.
+    FORMAT_AUTO = FORMAT_DER | FORMAT_PEM | FORMAT_PKCS7 |
+                  FORMAT_LEGACY_NETSCAPE
+  };
+
   // Create an X509Certificate from a handle to the certificate object
   // in the underlying crypto library. This is a transfer of ownership;
   // X509Certificate will properly dispose of |cert_handle| for you.
   // |source| specifies where |cert_handle| comes from.  Given two
   // certificate handles for the same certificate, our certificate cache
   // prefers the handle from the network because our HTTP cache isn't
   // caching the corresponding intermediate CA certificates yet
   // (http://crbug.com/7065).
-  // The list of intermediate certificates is ignored under NSS (i.e. Linux.)
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
       Source source,
       const OSCertHandles& intermediates);
 
-  // Create an X509Certificate from the BER-encoded representation.
-  // Returns NULL on failure.
+  // Create an X509Certificate from |data| in a specified |format|, which is
+  // the bitwise OR of X509Certificate::CertificateFormat. If multiple
+  // certificates are present, additional certificates will be stored in the
+  // |intermediate_ca_certs_| member.
   //
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
-  static X509Certificate* CreateFromBytes(const char* data, int length);
+  static X509Certificate* CreateFromBytes(const char* data, size_t length,
+                                          int format);
 
   // Create an X509Certificate from the representation stored in the given
   // pickle.  The data for this object is found relative to the given
   // pickle_iter, which should be passed to the pickle's various Read* methods.
   // Returns NULL on failure.
   //
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromPickle(const Pickle& pickle,
                                            void** pickle_iter);
 
@@ skipping 27 matching lines @@
   // Gets the DNS names in the certificate.  Pursuant to RFC 2818, Section 3.1
   // Server Identity, if the certificate has a subjectAltName extension of
   // type dNSName, this method gets the DNS names in that extension.
   // Otherwise, it gets the common name in the subject field.
   void GetDNSNames(std::vector<std::string>* dns_names) const;
 
   // Convenience method that returns whether this certificate has expired as of
   // now.
   bool HasExpired() const;
 
-#if defined(OS_MACOSX) || defined(OS_WIN)
-  // Returns intermediate certificates added via AddIntermediateCertificate().
-  // Ownership follows the "get" rule: it is the caller's responsibility to
-  // retain the elements of the result.
+  // Returns intermediate certificates. Ownership follows the "get" rule: it
+  // is the caller's responsibility to retain the elements of the result.
   const OSCertHandles& GetIntermediateCertificates() const {
     return intermediate_ca_certs_;
   }
-#endif
 
   // Returns true if I already contain the given intermediate cert.
   bool HasIntermediateCertificate(OSCertHandle cert);
 
   // Returns true if I already contain all the given intermediate certs.
   bool HasIntermediateCertificates(const OSCertHandles& certs);
 
 #if defined(OS_MACOSX)
   // Does this certificate's usage allow SSL client authentication?
   bool SupportsSSLClientAuth() const;
@@ skipping 37 matching lines @@
              CertVerifyResult* verify_result) const;
 
   OSCertHandle os_cert_handle() const { return cert_handle_; }
 
   // Returns true if two OSCertHandles refer to identical certificates.
   static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
 
   // Creates an OS certificate handle from the BER-encoded representation.
   // Returns NULL on failure.
   static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
-                                                  int length);
+                                                  size_t length);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
+  // Attempts to create one or more OS certificate handles from data encoded
+  // in a particular certificate transport format. Returns an empty collection
+  // on failure.
+  static OSCertHandles CreateOSCertHandlesFromBytes(const char* data,
+      size_t length, CertificateFormat format);
+
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   FRIEND_TEST(X509CertificateTest, Cache);
   FRIEND_TEST(X509CertificateTest, IntermediateCertificates);
 
   // A cache of X509Certificate objects.
   class Cache {
@@ skipping 48 matching lines @@
 
   // This certificate is not valid after |valid_expiry_|
   base::Time valid_expiry_;
 
   // The fingerprint of this certificate.
   Fingerprint fingerprint_;
 
   // A handle to the certificate object in the underlying crypto library.
   OSCertHandle cert_handle_;
 
-#if defined(OS_MACOSX) || defined(OS_WIN)
   // Untrusted intermediate certificates associated with this certificate
-  // that may be needed for chain building. (NSS impl does not need these.)
+  // that may be needed for chain building.
   OSCertHandles intermediate_ca_certs_;
-#endif
 
 #if defined(OS_MACOSX)
   // Blocks multiple threads from verifying the cert simultaneously.
   // (Marked mutable because it's used in a const method.)
   mutable Lock verification_lock_;
 #endif
 
   // Where the certificate comes from.
   Source source_;
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_