1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_X509_CERTIFICATE_H_ | 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ |
6 #define NET_BASE_X509_CERTIFICATE_H_ | 6 #define NET_BASE_X509_CERTIFICATE_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <string.h> | 9 #include <string.h> |
10 | 10 |
41 class StringPiece; | 41 class StringPiece; |
42 class RSAPrivateKey; | 42 class RSAPrivateKey; |
43 } // namespace crypto | 43 } // namespace crypto |
44 | 44 |
45 namespace net { | 45 namespace net { |
46 | 46 |
47 class CertVerifyResult; | 47 class CertVerifyResult; |
48 | 48 |
49 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; | 49 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
50 | 50 |
51 // X509Certificate represents an X.509 certificate used by SSL. | 51 // X509Certificate represents a X.509 certificate, which is comprised a |
| 52 // particular identity or end-entity certificate, such as an SSL server |
| 53 // identity or an SSL client certificate, and zero or more intermediate |
| 54 // certificates that may be used to build a path to a root certificate. |
52 class NET_API X509Certificate | 55 class NET_API X509Certificate |
53 : public base::RefCountedThreadSafe<X509Certificate> { | 56 : public base::RefCountedThreadSafe<X509Certificate> { |
54 public: | 57 public: |
55 // A handle to the certificate object in the underlying crypto library. | 58 // A handle to the certificate object in the underlying crypto library. |
56 // We assume that OSCertHandle is a pointer type on all platforms and | 59 // We assume that OSCertHandle is a pointer type on all platforms and |
57 // NULL is an invalid OSCertHandle. | 60 // NULL is an invalid OSCertHandle. |
58 #if defined(OS_WIN) | 61 #if defined(OS_WIN) |
59 typedef PCCERT_CONTEXT OSCertHandle; | 62 typedef PCCERT_CONTEXT OSCertHandle; |
60 #elif defined(OS_MACOSX) | 63 #elif defined(OS_MACOSX) |
61 typedef SecCertificateRef OSCertHandle; | 64 typedef SecCertificateRef OSCertHandle; |
62 #elif defined(USE_OPENSSL) | 65 #elif defined(USE_OPENSSL) |
63 typedef struct x509_st* OSCertHandle; | 66 typedef struct x509_st* OSCertHandle; |
64 #elif defined(USE_NSS) | 67 #elif defined(USE_NSS) |
65 typedef struct CERTCertificateStr* OSCertHandle; | 68 typedef struct CERTCertificateStr* OSCertHandle; |
66 #else | 69 #else |
67 // TODO(ericroman): not implemented | 70 // TODO(ericroman): not implemented |
68 typedef void* OSCertHandle; | 71 typedef void* OSCertHandle; |
69 #endif | 72 #endif |
70 | 73 |
71 typedef std::vector<OSCertHandle> OSCertHandles; | 74 typedef std::vector<OSCertHandle> OSCertHandles; |
72 | 75 |
73 // Predicate functor used in maps when X509Certificate is used as the key. | 76 // Predicate functor used in maps when X509Certificate is used as the key. |
74 class NET_API LessThan { | 77 class NET_API LessThan { |
75 public: | 78 public: |
76 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; | 79 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; |
77 }; | 80 }; |
78 | 81 |
79 // Where the certificate comes from. The enumeration constants are | |
80 // listed in increasing order of preference. | |
81 enum Source { | |
82 SOURCE_UNUSED = 0, // The source_ member is not used. | |
83 SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without | |
84 // any intermediate CA certificates. | |
85 SOURCE_FROM_CACHE = 2, // From the disk cache - which contains | |
86 // intermediate CA certificates, but may be | |
87 // stale. | |
88 SOURCE_FROM_NETWORK = 3, // From the network. | |
89 }; | |
90 | |
91 enum VerifyFlags { | 82 enum VerifyFlags { |
92 VERIFY_REV_CHECKING_ENABLED = 1 << 0, | 83 VERIFY_REV_CHECKING_ENABLED = 1 << 0, |
93 VERIFY_EV_CERT = 1 << 1, | 84 VERIFY_EV_CERT = 1 << 1, |
94 }; | 85 }; |
95 | 86 |
96 enum Format { | 87 enum Format { |
97 // The data contains a single DER-encoded certificate, or a PEM-encoded | 88 // The data contains a single DER-encoded certificate, or a PEM-encoded |
98 // DER certificate with the PEM encoding block name of "CERTIFICATE". | 89 // DER certificate with the PEM encoding block name of "CERTIFICATE". |
99 // Any subsequent blocks will be ignored. | 90 // Any subsequent blocks will be ignored. |
100 FORMAT_SINGLE_CERTIFICATE = 1 << 0, | 91 FORMAT_SINGLE_CERTIFICATE = 1 << 0, |
129 // |intermediate_ca_certificates_| at the time it was serialized. | 120 // |intermediate_ca_certificates_| at the time it was serialized. |
130 PICKLETYPE_CERTIFICATE_CHAIN, | 121 PICKLETYPE_CERTIFICATE_CHAIN, |
131 }; | 122 }; |
132 | 123 |
133 // Creates a X509Certificate from the ground up. Used by tests that simulate | 124 // Creates a X509Certificate from the ground up. Used by tests that simulate |
134 // SSL connections. | 125 // SSL connections. |
135 X509Certificate(const std::string& subject, const std::string& issuer, | 126 X509Certificate(const std::string& subject, const std::string& issuer, |
136 base::Time start_date, base::Time expiration_date); | 127 base::Time start_date, base::Time expiration_date); |
137 | 128 |
138 // Create an X509Certificate from a handle to the certificate object in the | 129 // Create an X509Certificate from a handle to the certificate object in the |
139 // underlying crypto library. |source| specifies where |cert_handle| comes | 130 // underlying crypto library. The returned pointer must be stored in a |
140 // from. Given two certificate handles for the same certificate, our | 131 // scoped_refptr<X509Certificate>. |
141 // certificate cache prefers the handle from the network because our HTTP | |
142 // cache isn't caching the corresponding intermediate CA certificates yet | |
143 // (http://crbug.com/7065). | |
144 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. | |
145 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, | 132 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, |
146 Source source, | |
147 const OSCertHandles& intermediates); | 133 const OSCertHandles& intermediates); |
148 | 134 |
149 // Create an X509Certificate from a chain of DER encoded certificates. The | 135 // Create an X509Certificate from a chain of DER encoded certificates. The |
150 // first certificate in the chain is the end-entity certificate to which a | 136 // first certificate in the chain is the end-entity certificate to which a |
151 // handle is returned. The other certificates in the chain are intermediate | 137 // handle is returned. The other certificates in the chain are intermediate |
152 // certificates. See the comment for |CreateFromHandle| about the |source| | 138 // certificates. The returned pointer must be stored in a |
153 // argument. | 139 // scoped_refptr<X509Certificate>. |
154 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. | |
155 static X509Certificate* CreateFromDERCertChain( | 140 static X509Certificate* CreateFromDERCertChain( |
156 const std::vector<base::StringPiece>& der_certs); | 141 const std::vector<base::StringPiece>& der_certs); |
157 | 142 |
158 // Create an X509Certificate from the DER-encoded representation. | 143 // Create an X509Certificate from the DER-encoded representation. |
159 // Returns NULL on failure. | 144 // Returns NULL on failure. |
160 // | 145 // |
161 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. | 146 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. |
162 static X509Certificate* CreateFromBytes(const char* data, int length); | 147 static X509Certificate* CreateFromBytes(const char* data, int length); |
163 | 148 |
164 // Create an X509Certificate from the representation stored in the given | 149 // Create an X509Certificate from the representation stored in the given |
294 // by one of the given names will be included in the list. | 279 // by one of the given names will be included in the list. |
295 static bool GetSSLClientCertificates( | 280 static bool GetSSLClientCertificates( |
296 const std::string& server_domain, | 281 const std::string& server_domain, |
297 const std::vector<CertPrincipal>& valid_issuers, | 282 const std::vector<CertPrincipal>& valid_issuers, |
298 CertificateList* certs); | 283 CertificateList* certs); |
299 | 284 |
300 // Creates the chain of certs to use for this client identity cert. | 285 // Creates the chain of certs to use for this client identity cert. |
301 CFArrayRef CreateClientCertificateChain() const; | 286 CFArrayRef CreateClientCertificateChain() const; |
302 #endif | 287 #endif |
303 | 288 |
304 #if defined(OS_WIN) | |
305 // Returns a handle to a global, in-memory certificate store. We use it for | |
306 // two purposes: | |
307 // 1. Import server certificates into this store so that we can verify and | |
308 // display the certificates using CryptoAPI. | |
309 // 2. Copy client certificates from the "MY" system certificate store into | |
310 // this store so that we can close the system store when we finish | |
311 // searching for client certificates. | |
312 static HCERTSTORE cert_store(); | |
313 #endif | |
314 | |
315 #if defined(USE_OPENSSL) | 289 #if defined(USE_OPENSSL) |
316 // Returns a handle to a global, in-memory certificate store. We | 290 // Returns a handle to a global, in-memory certificate store. We |
317 // use it for test code, e.g. importing the test server's certificate. | 291 // use it for test code, e.g. importing the test server's certificate. |
318 static X509_STORE* cert_store(); | 292 static X509_STORE* cert_store(); |
319 #endif | 293 #endif |
320 | 294 |
321 // Verifies the certificate against the given hostname. Returns OK if | 295 // Verifies the certificate against the given hostname. Returns OK if |
322 // successful or an error code upon failure. | 296 // successful or an error code upon failure. |
323 // | 297 // |
324 // The |*verify_result| structure, including the |verify_result->cert_status| | 298 // The |*verify_result| structure, including the |verify_result->cert_status| |
364 // specific |format|. Returns an empty collection on failure. | 338 // specific |format|. Returns an empty collection on failure. |
365 static OSCertHandles CreateOSCertHandlesFromBytes( | 339 static OSCertHandles CreateOSCertHandlesFromBytes( |
366 const char* data, int length, Format format); | 340 const char* data, int length, Format format); |
367 | 341 |
368 // Duplicates (or adds a reference to) an OS certificate handle. | 342 // Duplicates (or adds a reference to) an OS certificate handle. |
369 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); | 343 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); |
370 | 344 |
371 // Frees (or releases a reference to) an OS certificate handle. | 345 // Frees (or releases a reference to) an OS certificate handle. |
372 static void FreeOSCertHandle(OSCertHandle cert_handle); | 346 static void FreeOSCertHandle(OSCertHandle cert_handle); |
373 | 347 |
| 348 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty |
| 349 // (all zero) fingerprint on failure. |
| 350 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); |
| 351 |
374 private: | 352 private: |
375 friend class base::RefCountedThreadSafe<X509Certificate>; | 353 friend class base::RefCountedThreadSafe<X509Certificate>; |
376 friend class TestRootCerts; // For unit tests | 354 friend class TestRootCerts; // For unit tests |
377 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache); | 355 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache); |
378 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates); | 356 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates); |
379 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers); | 357 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers); |
380 FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname); | 358 FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname); |
381 | 359 |
382 // Construct an X509Certificate from a handle to the certificate object | 360 // Construct an X509Certificate from a handle to the certificate object |
383 // in the underlying crypto library. | 361 // in the underlying crypto library. |
384 X509Certificate(OSCertHandle cert_handle, Source source, | 362 X509Certificate(OSCertHandle cert_handle, |
385 const OSCertHandles& intermediates); | 363 const OSCertHandles& intermediates); |
386 | 364 |
387 ~X509Certificate(); | 365 ~X509Certificate(); |
388 | 366 |
389 // Common object initialization code. Called by the constructors only. | 367 // Common object initialization code. Called by the constructors only. |
390 void Initialize(); | 368 void Initialize(); |
391 | 369 |
392 #if defined(OS_WIN) | 370 #if defined(OS_WIN) |
393 bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context, | 371 bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context, |
394 const char* policy_oid) const; | 372 const char* policy_oid) const; |
395 static bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context); | 373 static bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context); |
396 #endif | 374 #endif |
397 #if defined(OS_MACOSX) | 375 #if defined(OS_MACOSX) |
398 static bool IsIssuedByKnownRoot(CFArrayRef chain); | 376 static bool IsIssuedByKnownRoot(CFArrayRef chain); |
399 #endif | 377 #endif |
400 #if defined(USE_NSS) | 378 #if defined(USE_NSS) |
401 bool VerifyEV() const; | 379 bool VerifyEV() const; |
402 #endif | 380 #endif |
403 #if defined(USE_OPENSSL) | 381 #if defined(USE_OPENSSL) |
404 // Resets the store returned by cert_store() to default state. Used by | 382 // Resets the store returned by cert_store() to default state. Used by |
405 // TestRootCerts to undo modifications. | 383 // TestRootCerts to undo modifications. |
406 static void ResetCertStore(); | 384 static void ResetCertStore(); |
407 #endif | 385 #endif |
408 | 386 |
409 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty | |
410 // (all zero) fingerprint on failure. | |
411 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); | |
412 | |
413 // Verifies that |hostname| matches one of the certificate names or IP | 387 // Verifies that |hostname| matches one of the certificate names or IP |
414 // addresses supplied, based on TLS name matching rules - specifically, | 388 // addresses supplied, based on TLS name matching rules - specifically, |
415 // following http://tools.ietf.org/html/rfc6125. | 389 // following http://tools.ietf.org/html/rfc6125. |
416 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). | 390 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). |
417 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled | 391 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled |
418 // from the dNSName and iPAddress components of the subject alternative name | 392 // from the dNSName and iPAddress components of the subject alternative name |
419 // extension, if present. Note these IP addresses are NOT ascii-encoded: | 393 // extension, if present. Note these IP addresses are NOT ascii-encoded: |
420 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 | 394 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 |
421 // addresses, respectively. | 395 // addresses, respectively. |
422 static bool VerifyHostname(const std::string& hostname, | 396 static bool VerifyHostname(const std::string& hostname, |
484 // Untrusted intermediate certificates associated with this certificate | 458 // Untrusted intermediate certificates associated with this certificate |
485 // that may be needed for chain building. | 459 // that may be needed for chain building. |
486 OSCertHandles intermediate_ca_certs_; | 460 OSCertHandles intermediate_ca_certs_; |
487 | 461 |
488 #if defined(OS_MACOSX) | 462 #if defined(OS_MACOSX) |
489 // Blocks multiple threads from verifying the cert simultaneously. | 463 // Blocks multiple threads from verifying the cert simultaneously. |
490 // (Marked mutable because it's used in a const method.) | 464 // (Marked mutable because it's used in a const method.) |
491 mutable base::Lock verification_lock_; | 465 mutable base::Lock verification_lock_; |
492 #endif | 466 #endif |
493 | 467 |
494 // Where the certificate comes from. | |
495 Source source_; | |
496 | |
497 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 468 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
498 }; | 469 }; |
499 | 470 |
500 } // namespace net | 471 } // namespace net |
501 | 472 |
502 #endif // NET_BASE_X509_CERTIFICATE_H_ | 473 #endif // NET_BASE_X509_CERTIFICATE_H_ |
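Review bot: CalculateFingerprint is promoted from private to public at new lines 348-350, but its comment still carries only the private-use contract; an all-zero SHA1Fingerprint is the documented failure value, and any external caller that compares fingerprints against a pinned or cached value must reject it rather than treat it as a match, so the comment should say so, e.g. `// Callers must treat an all-zero fingerprint as failure and must never use it as a cache key or compare it against a stored fingerprint.` Whether a NULL cert_handle is accepted is not visible here; if it is not, state that as a precondition in the same comment. The rewritten class comment at new line 51 also reads "which is comprised a particular identity"; it should be `// X509Certificate represents an X.509 certificate, which is comprised of a`. With the Source enum and source_ member removed, the old comment's note that the certificate cache preferred network-sourced handles for their intermediates is gone as well; the cache implementation is outside this file, so it is worth confirming in the description how handles for the same certificate with differing intermediates are now reconciled.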