Chromium Code Reviews Chromium Code Reviews
Issue 2944008:
Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate (Closed)
| Index: net/base/x509_certificate.h |
| diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h |
| index 6abfff01b44967d6988b8aff5ffb6e5b98198865..ad72d46b7ab2f80c82886339d0e53e31b1c06612 100644 |
| --- a/net/base/x509_certificate.h |
| +++ b/net/base/x509_certificate.h |
| @@ -26,8 +26,10 @@ |
| #include "base/lock.h" |
| #elif defined(USE_OPENSSL) |
| +#include <openssl/safestack.h> |
| // Forward declaration; real one in <x509.h> |
| -struct x509_st; |
| +typedef struct x509_st X509; |
| +PREDECLARE_STACK_OF(X509); |
| typedef struct x509_store_st X509_STORE; |
| #elif defined(USE_NSS) |
| // Forward declaration; real one in <cert.h> |
| @@ -46,23 +48,46 @@ class CertVerifyResult; |
| typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
| -// X509Certificate represents an X.509 certificate used by SSL. |
| +// X509Certificate represents an X.509 certificate, which is comprised a |
|
agl
2011/04/11 16:50:50
s/a/of a/ (not sure about that grammar so ignore i
|
| +// particular identity or end-entity certificate, such as an SSL server |
| +// identity or an SSL client certificate, and zero or more intermediate |
| +// certificates that may be used to build a path to a root certificate. |
| class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
| public: |
| - // A handle to the certificate object in the underlying crypto library. |
| - // We assume that OSCertHandle is a pointer type on all platforms and |
| - // NULL is an invalid OSCertHandle. |
| + // An OSCertHandle is a handle to the certificate object in the underlying |
| + // crypo library. We assume that OSCertHandle is a pointer type on all |
|
agl
2011/04/11 16:50:50
typo: crypto
|
| + // platforms and that NULL represents an invalid OSCertHandle. |
| + // An OSCertListHandle is a handle to the underlying crypto library that |
| + // represents a collection of certificates, with one of the certificates |
| + // marked as an identity certificate and the remaining certificates marked |
| + // as supplementary certificates for path building. Like OSCertHandle, it |
| + // is assumed to be a pointer type on all platforms and that NULL |
| + // represents an invalid OSCertListHandle. |
| + // |
| + // It should be noted that depending on the underlying cryptographic |
| + // library, an OSCertHandle or OSCertListHandle may not be thread-safe. |
| #if defined(OS_WIN) |
| typedef PCCERT_CONTEXT OSCertHandle; |
| + // Though the same type as an OSCertHandle, a unique HCERTSTORE member is |
| + // used for the certificate containing just the subset of related |
| + // certificates. |
| + typedef PCCERT_CONTEXT OSCertListHandle; |
| #elif defined(OS_MACOSX) |
| typedef SecCertificateRef OSCertHandle; |
| + typedef CFArrayRef OSCertListHandle; |
| #elif defined(USE_OPENSSL) |
| typedef struct x509_st* OSCertHandle; |
| + typedef STACK_OF(X509)* OSCertListHandle; |
| #elif defined(USE_NSS) |
| typedef struct CERTCertificateStr* OSCertHandle; |
| + // TODO(rsleevi): With NSS, it is not currently necessary to use a |
| + // separate type, because of how certificate path building/verification is |
| + // implemented. |
| + typedef OSCertHandle OSCertListHandle; |
| #else |
| // TODO(ericroman): not implemented |
| typedef void* OSCertHandle; |
| + typedef void* OSCertListHandle; |
| #endif |
| typedef std::vector<OSCertHandle> OSCertHandles; |
| @@ -73,18 +98,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
| bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; |
| }; |
| - // Where the certificate comes from. The enumeration constants are |
| - // listed in increasing order of preference. |
| - enum Source { |
| - SOURCE_UNUSED = 0, // The source_ member is not used. |
| - SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without |
| - // any intermediate CA certificates. |
| - SOURCE_FROM_CACHE = 2, // From the disk cache - which contains |
| - // intermediate CA certificates, but may be |
| - // stale. |
| - SOURCE_FROM_NETWORK = 3, // From the network. |
| - }; |
| - |
| enum VerifyFlags { |
| VERIFY_REV_CHECKING_ENABLED = 1 << 0, |
| VERIFY_EV_CERT = 1 << 1, |
| @@ -136,7 +149,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
| // (http://crbug.com/7065). |
| // The returned pointer must be stored in a scoped_refptr<X509Certificate>. |
| static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, |
| - Source source, |
| const OSCertHandles& intermediates); |
| // Create an X509Certificate from a chain of DER encoded certificates. The |
| @@ -243,6 +255,12 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
| // Returns true if I already contain all the given intermediate certs. |
| bool HasIntermediateCertificates(const OSCertHandles& certs); |
| + // Returns a new OSCertListHandle representing the certificate and any |
| + // associated intermediates, or NULL on failure. Ownership is transferred |
| + // to the caller and may be released by calling FreeOSCertListHandle() |
| + // with the returned value. |
| + OSCertListHandle CreateOSCertListHandle() const; |
| + |
| #if defined(OS_MACOSX) |
| // Does this certificate's usage allow SSL client authentication? |
| bool SupportsSSLClientAuth() const; |
| @@ -328,6 +346,13 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
| // Frees (or releases a reference to) an OS certificate handle. |
| static void FreeOSCertHandle(OSCertHandle cert_handle); |
| + // Frees (or releases a reference to) an OS certificate list handle. |
| + static void FreeOSCertListHandle(OSCertListHandle cert_list); |
| + |
| + // Calculates the SHA-1 fingerprint of the certificate. Returns an empty |
| + // (all zero) fingerprint on failure. |
| + static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); |
| + |
| private: |
| friend class base::RefCountedThreadSafe<X509Certificate>; |
| friend class TestRootCerts; // For unit tests |
| @@ -336,7 +361,7 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
| // Construct an X509Certificate from a handle to the certificate object |
| // in the underlying crypto library. |
| - X509Certificate(OSCertHandle cert_handle, Source source, |
| + X509Certificate(OSCertHandle cert_handle, |
| const OSCertHandles& intermediates); |
| ~X509Certificate(); |
| @@ -356,10 +381,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
| static void ResetCertStore(); |
| #endif |
| - // Calculates the SHA-1 fingerprint of the certificate. Returns an empty |
| - // (all zero) fingerprint on failure. |
| - static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); |
| - |
| // Reads a single certificate from |pickle| and returns a platform-specific |
| // certificate handle. The format of the certificate stored in |pickle| is |
| // not guaranteed to be the same across different underlying cryptographic |
| @@ -399,9 +420,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
| mutable Lock verification_lock_; |
| #endif |
| - // Where the certificate comes from. |
| - Source source_; |
| - |
| DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
| }; |
