Index: net/base/x509_certificate.h |
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h |
index 6abfff01b44967d6988b8aff5ffb6e5b98198865..ad72d46b7ab2f80c82886339d0e53e31b1c06612 100644 |
--- a/net/base/x509_certificate.h |
+++ b/net/base/x509_certificate.h |
@@ -26,8 +26,10 @@ |
#include "base/lock.h" |
#elif defined(USE_OPENSSL) |
+#include <openssl/safestack.h> |
// Forward declaration; real one in <x509.h> |
-struct x509_st; |
+typedef struct x509_st X509; |
+PREDECLARE_STACK_OF(X509); |
typedef struct x509_store_st X509_STORE; |
#elif defined(USE_NSS) |
// Forward declaration; real one in <cert.h> |
@@ -46,23 +48,46 @@ class CertVerifyResult; |
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
-// X509Certificate represents an X.509 certificate used by SSL. |
+// X509Certificate represents an X.509 certificate, which is comprised a |
agl
2011/04/11 16:50:50
s/a/of a/ (not sure about that grammar so ignore i
|
+// particular identity or end-entity certificate, such as an SSL server |
+// identity or an SSL client certificate, and zero or more intermediate |
+// certificates that may be used to build a path to a root certificate. |
class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
public: |
- // A handle to the certificate object in the underlying crypto library. |
- // We assume that OSCertHandle is a pointer type on all platforms and |
- // NULL is an invalid OSCertHandle. |
+ // An OSCertHandle is a handle to the certificate object in the underlying |
+ // crypo library. We assume that OSCertHandle is a pointer type on all |
agl
2011/04/11 16:50:50
typo: crypto
|
+ // platforms and that NULL represents an invalid OSCertHandle. |
+ // An OSCertListHandle is a handle to the underlying crypto library that |
+ // represents a collection of certificates, with one of the certificates |
+ // marked as an identity certificate and the remaining certificates marked |
+ // as supplementary certificates for path building. Like OSCertHandle, it |
+ // is assumed to be a pointer type on all platforms and that NULL |
+ // represents an invalid OSCertListHandle. |
+ // |
+ // It should be noted that depending on the underlying cryptographic |
+ // library, an OSCertHandle or OSCertListHandle may not be thread-safe. |
#if defined(OS_WIN) |
typedef PCCERT_CONTEXT OSCertHandle; |
+ // Though the same type as an OSCertHandle, a unique HCERTSTORE member is |
+ // used for the certificate containing just the subset of related |
+ // certificates. |
+ typedef PCCERT_CONTEXT OSCertListHandle; |
#elif defined(OS_MACOSX) |
typedef SecCertificateRef OSCertHandle; |
+ typedef CFArrayRef OSCertListHandle; |
#elif defined(USE_OPENSSL) |
typedef struct x509_st* OSCertHandle; |
+ typedef STACK_OF(X509)* OSCertListHandle; |
#elif defined(USE_NSS) |
typedef struct CERTCertificateStr* OSCertHandle; |
+ // TODO(rsleevi): With NSS, it is not currently necessary to use a |
+ // separate type, because of how certificate path building/verification is |
+ // implemented. |
+ typedef OSCertHandle OSCertListHandle; |
#else |
// TODO(ericroman): not implemented |
typedef void* OSCertHandle; |
+ typedef void* OSCertListHandle; |
#endif |
typedef std::vector<OSCertHandle> OSCertHandles; |
@@ -73,18 +98,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; |
}; |
- // Where the certificate comes from. The enumeration constants are |
- // listed in increasing order of preference. |
- enum Source { |
- SOURCE_UNUSED = 0, // The source_ member is not used. |
- SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without |
- // any intermediate CA certificates. |
- SOURCE_FROM_CACHE = 2, // From the disk cache - which contains |
- // intermediate CA certificates, but may be |
- // stale. |
- SOURCE_FROM_NETWORK = 3, // From the network. |
- }; |
- |
enum VerifyFlags { |
VERIFY_REV_CHECKING_ENABLED = 1 << 0, |
VERIFY_EV_CERT = 1 << 1, |
@@ -136,7 +149,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
// (http://crbug.com/7065). |
// The returned pointer must be stored in a scoped_refptr<X509Certificate>. |
static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, |
- Source source, |
const OSCertHandles& intermediates); |
// Create an X509Certificate from a chain of DER encoded certificates. The |
@@ -243,6 +255,12 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
// Returns true if I already contain all the given intermediate certs. |
bool HasIntermediateCertificates(const OSCertHandles& certs); |
+ // Returns a new OSCertListHandle representing the certificate and any |
+ // associated intermediates, or NULL on failure. Ownership is transferred |
+ // to the caller and may be released by calling FreeOSCertListHandle() |
+ // with the returned value. |
+ OSCertListHandle CreateOSCertListHandle() const; |
+ |
#if defined(OS_MACOSX) |
// Does this certificate's usage allow SSL client authentication? |
bool SupportsSSLClientAuth() const; |
@@ -328,6 +346,13 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
// Frees (or releases a reference to) an OS certificate handle. |
static void FreeOSCertHandle(OSCertHandle cert_handle); |
+ // Frees (or releases a reference to) an OS certificate list handle. |
+ static void FreeOSCertListHandle(OSCertListHandle cert_list); |
+ |
+ // Calculates the SHA-1 fingerprint of the certificate. Returns an empty |
+ // (all zero) fingerprint on failure. |
+ static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); |
+ |
private: |
friend class base::RefCountedThreadSafe<X509Certificate>; |
friend class TestRootCerts; // For unit tests |
@@ -336,7 +361,7 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
// Construct an X509Certificate from a handle to the certificate object |
// in the underlying crypto library. |
- X509Certificate(OSCertHandle cert_handle, Source source, |
+ X509Certificate(OSCertHandle cert_handle, |
const OSCertHandles& intermediates); |
~X509Certificate(); |
@@ -356,10 +381,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
static void ResetCertStore(); |
#endif |
- // Calculates the SHA-1 fingerprint of the certificate. Returns an empty |
- // (all zero) fingerprint on failure. |
- static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); |
- |
// Reads a single certificate from |pickle| and returns a platform-specific |
// certificate handle. The format of the certificate stored in |pickle| is |
// not guaranteed to be the same across different underlying cryptographic |
@@ -399,9 +420,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
mutable Lock verification_lock_; |
#endif |
- // Where the certificate comes from. |
- Source source_; |
- |
DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
}; |