1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_X509_CERTIFICATE_H_ | 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ |
6 #define NET_BASE_X509_CERTIFICATE_H_ | 6 #define NET_BASE_X509_CERTIFICATE_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <string.h> | 9 #include <string.h> |
10 | 10 |
11 #include <string> | 11 #include <string> |
12 #include <vector> | 12 #include <vector> |
13 | 13 |
14 #include "base/gtest_prod_util.h" | 14 #include "base/gtest_prod_util.h" |
15 #include "base/ref_counted.h" | 15 #include "base/ref_counted.h" |
16 #include "base/string_piece.h" | 16 #include "base/string_piece.h" |
17 #include "base/time.h" | 17 #include "base/time.h" |
18 #include "net/base/x509_cert_types.h" | 18 #include "net/base/x509_cert_types.h" |
19 | 19 |
20 #if defined(OS_WIN) | 20 #if defined(OS_WIN) |
21 #include <windows.h> | 21 #include <windows.h> |
22 #include <wincrypt.h> | 22 #include <wincrypt.h> |
23 #elif defined(OS_MACOSX) | 23 #elif defined(OS_MACOSX) |
24 #include <CoreFoundation/CFArray.h> | 24 #include <CoreFoundation/CFArray.h> |
25 #include <Security/SecBase.h> | 25 #include <Security/SecBase.h> |
26 | 26 |
27 #include "base/lock.h" | 27 #include "base/lock.h" |
28 #elif defined(USE_OPENSSL) | 28 #elif defined(USE_OPENSSL) |
29 #include <openssl/safestack.h> | |
29 // Forward declaration; real one in <x509.h> | 30 // Forward declaration; real one in <x509.h> |
30 struct x509_st; | 31 typedef struct x509_st X509; |
32 PREDECLARE_STACK_OF(X509); | |
31 typedef struct x509_store_st X509_STORE; | 33 typedef struct x509_store_st X509_STORE; |
32 #elif defined(USE_NSS) | 34 #elif defined(USE_NSS) |
33 // Forward declaration; real one in <cert.h> | 35 // Forward declaration; real one in <cert.h> |
34 struct CERTCertificateStr; | 36 struct CERTCertificateStr; |
35 #endif | 37 #endif |
36 | 38 |
37 class Pickle; | 39 class Pickle; |
38 | 40 |
39 namespace base { | 41 namespace base { |
40 class RSAPrivateKey; | 42 class RSAPrivateKey; |
41 } // namespace base | 43 } // namespace base |
42 | 44 |
43 namespace net { | 45 namespace net { |
44 | 46 |
45 class CertVerifyResult; | 47 class CertVerifyResult; |
46 | 48 |
47 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; | 49 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
48 | 50 |
49 // X509Certificate represents an X.509 certificate used by SSL. | 51 // X509Certificate represents an X.509 certificate, which is comprised a |
agl
2011/04/11 16:50:50
s/a/of a/ (not sure about that grammar so ignore i
| |
52 // particular identity or end-entity certificate, such as an SSL server | |
53 // identity or an SSL client certificate, and zero or more intermediate | |
54 // certificates that may be used to build a path to a root certificate. | |
50 class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { | 55 class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
51 public: | 56 public: |
52 // A handle to the certificate object in the underlying crypto library. | 57 // An OSCertHandle is a handle to the certificate object in the underlying |
53 // We assume that OSCertHandle is a pointer type on all platforms and | 58 // crypo library. We assume that OSCertHandle is a pointer type on all |
agl
2011/04/11 16:50:50
typo: crypto
| |
54 // NULL is an invalid OSCertHandle. | 59 // platforms and that NULL represents an invalid OSCertHandle. |
60 // An OSCertListHandle is a handle to the underlying crypto library that | |
61 // represents a collection of certificates, with one of the certificates | |
62 // marked as an identity certificate and the remaining certificates marked | |
63 // as supplementary certificates for path building. Like OSCertHandle, it | |
64 // is assumed to be a pointer type on all platforms and that NULL | |
65 // represents an invalid OSCertListHandle. | |
66 // | |
67 // It should be noted that depending on the underlying cryptographic | |
68 // library, an OSCertHandle or OSCertListHandle may not be thread-safe. | |
55 #if defined(OS_WIN) | 69 #if defined(OS_WIN) |
56 typedef PCCERT_CONTEXT OSCertHandle; | 70 typedef PCCERT_CONTEXT OSCertHandle; |
71 // Though the same type as an OSCertHandle, a unique HCERTSTORE member is | |
72 // used for the certificate containing just the subset of related | |
73 // certificates. | |
74 typedef PCCERT_CONTEXT OSCertListHandle; | |
57 #elif defined(OS_MACOSX) | 75 #elif defined(OS_MACOSX) |
58 typedef SecCertificateRef OSCertHandle; | 76 typedef SecCertificateRef OSCertHandle; |
77 typedef CFArrayRef OSCertListHandle; | |
59 #elif defined(USE_OPENSSL) | 78 #elif defined(USE_OPENSSL) |
60 typedef struct x509_st* OSCertHandle; | 79 typedef struct x509_st* OSCertHandle; |
80 typedef STACK_OF(X509)* OSCertListHandle; | |
61 #elif defined(USE_NSS) | 81 #elif defined(USE_NSS) |
62 typedef struct CERTCertificateStr* OSCertHandle; | 82 typedef struct CERTCertificateStr* OSCertHandle; |
83 // TODO(rsleevi): With NSS, it is not currently necessary to use a | |
84 // separate type, because of how certificate path building/verification is | |
85 // implemented. | |
86 typedef OSCertHandle OSCertListHandle; | |
63 #else | 87 #else |
64 // TODO(ericroman): not implemented | 88 // TODO(ericroman): not implemented |
65 typedef void* OSCertHandle; | 89 typedef void* OSCertHandle; |
90 typedef void* OSCertListHandle; | |
66 #endif | 91 #endif |
67 | 92 |
68 typedef std::vector<OSCertHandle> OSCertHandles; | 93 typedef std::vector<OSCertHandle> OSCertHandles; |
69 | 94 |
70 // Predicate functor used in maps when X509Certificate is used as the key. | 95 // Predicate functor used in maps when X509Certificate is used as the key. |
71 class LessThan { | 96 class LessThan { |
72 public: | 97 public: |
73 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; | 98 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; |
74 }; | 99 }; |
75 | 100 |
76 // Where the certificate comes from. The enumeration constants are | |
77 // listed in increasing order of preference. | |
78 enum Source { | |
79 SOURCE_UNUSED = 0, // The source_ member is not used. | |
80 SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without | |
81 // any intermediate CA certificates. | |
82 SOURCE_FROM_CACHE = 2, // From the disk cache - which contains | |
83 // intermediate CA certificates, but may be | |
84 // stale. | |
85 SOURCE_FROM_NETWORK = 3, // From the network. | |
86 }; | |
87 | |
88 enum VerifyFlags { | 101 enum VerifyFlags { |
89 VERIFY_REV_CHECKING_ENABLED = 1 << 0, | 102 VERIFY_REV_CHECKING_ENABLED = 1 << 0, |
90 VERIFY_EV_CERT = 1 << 1, | 103 VERIFY_EV_CERT = 1 << 1, |
91 }; | 104 }; |
92 | 105 |
93 enum Format { | 106 enum Format { |
94 // The data contains a single DER-encoded certificate, or a PEM-encoded | 107 // The data contains a single DER-encoded certificate, or a PEM-encoded |
95 // DER certificate with the PEM encoding block name of "CERTIFICATE". | 108 // DER certificate with the PEM encoding block name of "CERTIFICATE". |
96 // Any subsequent blocks will be ignored. | 109 // Any subsequent blocks will be ignored. |
97 FORMAT_SINGLE_CERTIFICATE = 1 << 0, | 110 FORMAT_SINGLE_CERTIFICATE = 1 << 0, |
129 base::Time start_date, base::Time expiration_date); | 142 base::Time start_date, base::Time expiration_date); |
130 | 143 |
131 // Create an X509Certificate from a handle to the certificate object in the | 144 // Create an X509Certificate from a handle to the certificate object in the |
132 // underlying crypto library. |source| specifies where |cert_handle| comes | 145 // underlying crypto library. |source| specifies where |cert_handle| comes |
133 // from. Given two certificate handles for the same certificate, our | 146 // from. Given two certificate handles for the same certificate, our |
134 // certificate cache prefers the handle from the network because our HTTP | 147 // certificate cache prefers the handle from the network because our HTTP |
135 // cache isn't caching the corresponding intermediate CA certificates yet | 148 // cache isn't caching the corresponding intermediate CA certificates yet |
136 // (http://crbug.com/7065). | 149 // (http://crbug.com/7065). |
137 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. | 150 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. |
138 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, | 151 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, |
139 Source source, | |
140 const OSCertHandles& intermediates); | 152 const OSCertHandles& intermediates); |
141 | 153 |
142 // Create an X509Certificate from a chain of DER encoded certificates. The | 154 // Create an X509Certificate from a chain of DER encoded certificates. The |
143 // first certificate in the chain is the end-entity certificate to which a | 155 // first certificate in the chain is the end-entity certificate to which a |
144 // handle is returned. The other certificates in the chain are intermediate | 156 // handle is returned. The other certificates in the chain are intermediate |
145 // certificates. See the comment for |CreateFromHandle| about the |source| | 157 // certificates. See the comment for |CreateFromHandle| about the |source| |
146 // argument. | 158 // argument. |
147 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. | 159 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. |
148 static X509Certificate* CreateFromDERCertChain( | 160 static X509Certificate* CreateFromDERCertChain( |
149 const std::vector<base::StringPiece>& der_certs); | 161 const std::vector<base::StringPiece>& der_certs); |
236 const OSCertHandles& GetIntermediateCertificates() const { | 248 const OSCertHandles& GetIntermediateCertificates() const { |
237 return intermediate_ca_certs_; | 249 return intermediate_ca_certs_; |
238 } | 250 } |
239 | 251 |
240 // Returns true if I already contain the given intermediate cert. | 252 // Returns true if I already contain the given intermediate cert. |
241 bool HasIntermediateCertificate(OSCertHandle cert); | 253 bool HasIntermediateCertificate(OSCertHandle cert); |
242 | 254 |
243 // Returns true if I already contain all the given intermediate certs. | 255 // Returns true if I already contain all the given intermediate certs. |
244 bool HasIntermediateCertificates(const OSCertHandles& certs); | 256 bool HasIntermediateCertificates(const OSCertHandles& certs); |
245 | 257 |
258 // Returns a new OSCertListHandle representing the certificate and any | |
259 // associated intermediates, or NULL on failure. Ownership is transferred | |
260 // to the caller and may be released by calling FreeOSCertListHandle() | |
261 // with the returned value. | |
262 OSCertListHandle CreateOSCertListHandle() const; | |
263 | |
246 #if defined(OS_MACOSX) | 264 #if defined(OS_MACOSX) |
247 // Does this certificate's usage allow SSL client authentication? | 265 // Does this certificate's usage allow SSL client authentication? |
248 bool SupportsSSLClientAuth() const; | 266 bool SupportsSSLClientAuth() const; |
249 | 267 |
250 // Do any of the given issuer names appear in this cert's chain of trust? | 268 // Do any of the given issuer names appear in this cert's chain of trust? |
251 bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers); | 269 bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers); |
252 | 270 |
253 // Creates a security policy for SSL client certificates. | 271 // Creates a security policy for SSL client certificates. |
254 static OSStatus CreateSSLClientPolicy(SecPolicyRef* outPolicy); | 272 static OSStatus CreateSSLClientPolicy(SecPolicyRef* outPolicy); |
255 | 273 |
321 // specific |format|. Returns an empty collection on failure. | 339 // specific |format|. Returns an empty collection on failure. |
322 static OSCertHandles CreateOSCertHandlesFromBytes( | 340 static OSCertHandles CreateOSCertHandlesFromBytes( |
323 const char* data, int length, Format format); | 341 const char* data, int length, Format format); |
324 | 342 |
325 // Duplicates (or adds a reference to) an OS certificate handle. | 343 // Duplicates (or adds a reference to) an OS certificate handle. |
326 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); | 344 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); |
327 | 345 |
328 // Frees (or releases a reference to) an OS certificate handle. | 346 // Frees (or releases a reference to) an OS certificate handle. |
329 static void FreeOSCertHandle(OSCertHandle cert_handle); | 347 static void FreeOSCertHandle(OSCertHandle cert_handle); |
330 | 348 |
349 // Frees (or releases a reference to) an OS certificate list handle. | |
350 static void FreeOSCertListHandle(OSCertListHandle cert_list); | |
351 | |
352 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty | |
353 // (all zero) fingerprint on failure. | |
354 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); | |
355 | |
331 private: | 356 private: |
332 friend class base::RefCountedThreadSafe<X509Certificate>; | 357 friend class base::RefCountedThreadSafe<X509Certificate>; |
333 friend class TestRootCerts; // For unit tests | 358 friend class TestRootCerts; // For unit tests |
334 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache); | 359 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache); |
335 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates); | 360 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates); |
336 | 361 |
337 // Construct an X509Certificate from a handle to the certificate object | 362 // Construct an X509Certificate from a handle to the certificate object |
338 // in the underlying crypto library. | 363 // in the underlying crypto library. |
339 X509Certificate(OSCertHandle cert_handle, Source source, | 364 X509Certificate(OSCertHandle cert_handle, |
340 const OSCertHandles& intermediates); | 365 const OSCertHandles& intermediates); |
341 | 366 |
342 ~X509Certificate(); | 367 ~X509Certificate(); |
343 | 368 |
344 // Common object initialization code. Called by the constructors only. | 369 // Common object initialization code. Called by the constructors only. |
345 void Initialize(); | 370 void Initialize(); |
346 | 371 |
347 #if defined(OS_WIN) | 372 #if defined(OS_WIN) |
348 bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context, | 373 bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context, |
349 const char* policy_oid) const; | 374 const char* policy_oid) const; |
350 #endif | 375 #endif |
351 bool VerifyEV() const; | 376 bool VerifyEV() const; |
352 | 377 |
353 #if defined(USE_OPENSSL) | 378 #if defined(USE_OPENSSL) |
354 // Resets the store returned by cert_store() to default state. Used by | 379 // Resets the store returned by cert_store() to default state. Used by |
355 // TestRootCerts to undo modifications. | 380 // TestRootCerts to undo modifications. |
356 static void ResetCertStore(); | 381 static void ResetCertStore(); |
357 #endif | 382 #endif |
358 | 383 |
359 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty | |
360 // (all zero) fingerprint on failure. | |
361 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); | |
362 | |
363 // Reads a single certificate from |pickle| and returns a platform-specific | 384 // Reads a single certificate from |pickle| and returns a platform-specific |
364 // certificate handle. The format of the certificate stored in |pickle| is | 385 // certificate handle. The format of the certificate stored in |pickle| is |
365 // not guaranteed to be the same across different underlying cryptographic | 386 // not guaranteed to be the same across different underlying cryptographic |
366 // libraries, nor acceptable to CreateFromBytes(). Returns an invalid | 387 // libraries, nor acceptable to CreateFromBytes(). Returns an invalid |
367 // handle, NULL, on failure. | 388 // handle, NULL, on failure. |
368 static OSCertHandle ReadCertHandleFromPickle(const Pickle& pickle, | 389 static OSCertHandle ReadCertHandleFromPickle(const Pickle& pickle, |
369 void** pickle_iter); | 390 void** pickle_iter); |
370 | 391 |
371 // Writes a single certificate to |pickle|. Returns false on failure. | 392 // Writes a single certificate to |pickle|. Returns false on failure. |
372 static bool WriteCertHandleToPickle(OSCertHandle handle, Pickle* pickle); | 393 static bool WriteCertHandleToPickle(OSCertHandle handle, Pickle* pickle); |
392 // Untrusted intermediate certificates associated with this certificate | 413 // Untrusted intermediate certificates associated with this certificate |
393 // that may be needed for chain building. | 414 // that may be needed for chain building. |
394 OSCertHandles intermediate_ca_certs_; | 415 OSCertHandles intermediate_ca_certs_; |
395 | 416 |
396 #if defined(OS_MACOSX) | 417 #if defined(OS_MACOSX) |
397 // Blocks multiple threads from verifying the cert simultaneously. | 418 // Blocks multiple threads from verifying the cert simultaneously. |
398 // (Marked mutable because it's used in a const method.) | 419 // (Marked mutable because it's used in a const method.) |
399 mutable Lock verification_lock_; | 420 mutable Lock verification_lock_; |
400 #endif | 421 #endif |
401 | 422 |
402 // Where the certificate comes from. | |
403 Source source_; | |
404 | |
405 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 423 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
406 }; | 424 }; |
407 | 425 |
408 } // namespace net | 426 } // namespace net |
409 | 427 |
410 #endif // NET_BASE_X509_CERTIFICATE_H_ | 428 #endif // NET_BASE_X509_CERTIFICATE_H_ |
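Review bot: The comment on CreateFromHandle (new lines 145–150) still describes a `|source|` argument and the cache's preference for network-sourced handles, yet this change removes the `Source source` parameter and the `Source` enum, so the paragraph now documents a parameter that no longer exists, and CreateFromDERCertChain's comment (new lines 157–158) points readers at that same removed text. I would trim both to what remains true, e.g. for CreateFromHandle `// Create an X509Certificate from a handle to the certificate object in the` / `// underlying crypto library. |intermediates| are additional certificates` / `// that may be needed for chain building.`, and drop the "|source| argument" sentence from CreateFromDERCertChain. Separately, on OS_WIN and USE_NSS OSCertListHandle is a plain typedef of the same type as OSCertHandle (new lines 74 and 86), so the compiler cannot catch an OSCertListHandle passed to FreeOSCertHandle or the reverse; the typedef comment would benefit from stating that a value returned by CreateOSCertListHandle must be released only through FreeOSCertListHandle, since on Windows the per-handle HCERTSTORE the comment mentions presumably needs the matching release to avoid a leak.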