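--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -1,10 +1,10 @@
 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 
 #include <string.h>
 
 #include <map>
@@ -75,39 +75,73 @@
 SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without
 // its intermediate CA certificates.
 SOURCE_FROM_NETWORK = 2, // From the network.
 };
 
 enum VerifyFlags {
 VERIFY_REV_CHECKING_ENABLED = 1 << 0,
 VERIFY_EV_CERT = 1 << 1,
 };
 
+// The format of the certificate, when using CreateFromBytes(). For formats
+// which permit sequences of certificates, the first certificate encountered
+// will be used to initialize the returned X509Certificate, while each
+// additional certificate will be added as intermediate certificates. The
+// certificates should be ordered from most specific (EE) to least specific
+// (Root, if included)
+enum CertificateFormat {
+// The data contains a single DER-encoded certificate.
+FORMAT_DER = 1 << 1,
+
+// The data contains one or more PEM wrapped certificates. Each
+// certificate will be marked using the PEM encoding block name of
+// CERTIFICATE.
+FORMAT_PEM = 1 << 2,
+
+// The data contains a PKCS#7 SignedData structure, whose certificates
+// member is to be used to initialize the certificate and intermediates.
+// This format MAY be further wrapped via PEM encoding, using the PEM
+// encoding block names of PKCS7 or CERTIFICATE
+FORMAT_PKCS7 = 1 << 3,
+
+// The data contains a PKCS#7 ContentInfo structure with the OID set to
+// 2.16.840.1.113730.2.5, which is the OID for netscape-cert-sequence
+// (see https://wiki.mozilla.org/CA:Certificate_Download_Specification).
+FORMAT_LEGACY_NETSCAPE = 1 << 5,
+
+// Automatically detect the format. Any other format flags will be
+// ignored.
+FORMAT_AUTO = FORMAT_DER | FORMAT_PEM | FORMAT_PKCS7 |
+FORMAT_LEGACY_NETSCAPE
+};
+
 // Create an X509Certificate from a handle to the certificate object
 // in the underlying crypto library. This is a transfer of ownership;
 // X509Certificate will properly dispose of |cert_handle| for you.
 // |source| specifies where |cert_handle| comes from. Given two
 // certificate handles for the same certificate, our certificate cache
 // prefers the handle from the network because our HTTP cache isn't
 // caching the corresponding intermediate CA certificates yet
 // (http://crbug.com/7065).
-// The list of intermediate certificates is ignored under NSS (i.e. Linux.)
 // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
 Source source,
 const OSCertHandles& intermediates);
 
-// Create an X509Certificate from the BER-encoded representation.
-// Returns NULL on failure.
+// Create an X509Certificate from |data| in a specified |format|, which is
+// the bitwise OR of X509Certificate::CertificateFormat. If multiple
+// certificates are present, additional certificates will be stored in the
+// |intermediate_ca_certs_| member.
 //
 // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
-static X509Certificate* CreateFromBytes(const char* data, int length);
+static X509Certificate* CreateFromBytes(const char* data, size_t length,
+int format);
 
 // Create an X509Certificate from the representation stored in the given
 // pickle. The data for this object is found relative to the given
 // pickle_iter, which should be passed to the pickle's various Read* methods.
 // Returns NULL on failure.
 //
 // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
 static X509Certificate* CreateFromPickle(const Pickle& pickle,
 void** pickle_iter);
 
@@ -141,28 +175,25 @@
 // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1
 // Server Identity, if the certificate has a subjectAltName extension of
 // type dNSName, this method gets the DNS names in that extension.
 // Otherwise, it gets the common name in the subject field.
 void GetDNSNames(std::vector<std::string>* dns_names) const;
 
 // Convenience method that returns whether this certificate has expired as of
 // now.
 bool HasExpired() const;
 
-#if defined(OS_MACOSX) || defined(OS_WIN)
-// Returns intermediate certificates added via AddIntermediateCertificate().
-// Ownership follows the "get" rule: it is the caller's responsibility to
-// retain the elements of the result.
+// Returns intermediate certificates. Ownership follows the "get" rule: it
+// is the caller's responsibility to retain the elements of the result.
 const OSCertHandles& GetIntermediateCertificates() const {
 return intermediate_ca_certs_;
 }
-#endif
 
 // Returns true if I already contain the given intermediate cert.
 bool HasIntermediateCertificate(OSCertHandle cert);
 
 // Returns true if I already contain all the given intermediate certs.
 bool HasIntermediateCertificates(const OSCertHandles& certs);
 
 #if defined(OS_MACOSX)
 // Does this certificate's usage allow SSL client authentication?
 bool SupportsSSLClientAuth() const;
@@ -206,25 +237,31 @@
 CertVerifyResult* verify_result) const;
 
 OSCertHandle os_cert_handle() const { return cert_handle_; }
 
 // Returns true if two OSCertHandles refer to identical certificates.
 static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
 
 // Creates an OS certificate handle from the BER-encoded representation.
 // Returns NULL on failure.
 static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
-int length);
+size_t length);
 
 // Duplicates (or adds a reference to) an OS certificate handle.
 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
+// Attempts to create one or more OS certificate handles from data encoded
+// in a particular certificate transport format. Returns an empty collection
+// on failure.
+static OSCertHandles CreateOSCertHandlesFromBytes(const char* data,
+size_t length, CertificateFormat format);
+
 // Frees (or releases a reference to) an OS certificate handle.
 static void FreeOSCertHandle(OSCertHandle cert_handle);
 
 private:
 friend class base::RefCountedThreadSafe<X509Certificate>;
 FRIEND_TEST(X509CertificateTest, Cache);
 FRIEND_TEST(X509CertificateTest, IntermediateCertificates);
 
 // A cache of X509Certificate objects.
 class Cache {
@@ -279,31 +316,29 @@
 
 // This certificate is not valid after |valid_expiry_|
 base::Time valid_expiry_;
 
 // The fingerprint of this certificate.
 Fingerprint fingerprint_;
 
 // A handle to the certificate object in the underlying crypto library.
 OSCertHandle cert_handle_;
 
-#if defined(OS_MACOSX) || defined(OS_WIN)
 // Untrusted intermediate certificates associated with this certificate
-// that may be needed for chain building. (NSS impl does not need these.)
+// that may be needed for chain building.
 OSCertHandles intermediate_ca_certs_;
-#endif
 
 #if defined(OS_MACOSX)
 // Blocks multiple threads from verifying the cert simultaneously.
 // (Marked mutable because it's used in a const method.)
 mutable Lock verification_lock_;
 #endif
 
 // Where the certificate comes from.
 Source source_;
 
 DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 } // namespace net
 
 #endif // NET_BASE_X509_CERTIFICATE_H_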
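Review bot: The rewritten comment on CreateFromBytes (new lines 130-135) drops the old `// Returns NULL on failure.` sentence, so the failure contract is now stated for CreateFromPickle and CreateOSCertHandleFromBytes but not for the function most likely to receive untrusted bytes; restore it, since callers are expected to test the result before wrapping it in a scoped_refptr. The two new format parameters also disagree in type: CreateFromBytes takes `int format` described as a bitwise OR of CertificateFormat, whereas CreateOSCertHandlesFromBytes (new line 256) takes `CertificateFormat format`, so an OR of several flags that is not a named enumerator (e.g. FORMAT_DER | FORMAT_PEM) cannot be passed to the latter without a cast — either take `int` in both or document that only single enumerators or FORMAT_AUTO are valid. The FORMAT_AUTO comment says other flags are ignored when it is set, but the header leaves unstated what a |format| with none of the defined bits (such as 0) yields; presumably NULL, which should be confirmed against the implementation and written down. Since FORMAT_AUTO tries every listed parser on the input, callers handling SOURCE_FROM_NETWORK data benefit from naming the narrowest format they expect rather than defaulting to auto-detection, and a sentence saying so next to FORMAT_AUTO would guide them. Minor style: new line 256 puts `size_t length, CertificateFormat format);` on one line, unlike the one-parameter-per-line layout of the neighbouring declarations.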