Chromium Code Reviews Chromium Code Reviews
Issue 2963:
Bring X.509 cert handling (at least preliminarily) to the Mac. (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ | 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ |
| 6 #define NET_BASE_X509_CERTIFICATE_H_ | 6 #define NET_BASE_X509_CERTIFICATE_H_ |
| 7 | 7 |
| 8 #include <set> | 8 #include <set> |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| 11 | 11 |
| 12 #include "base/ref_counted.h" | 12 #include "base/ref_counted.h" |
| 13 #include "base/time.h" | 13 #include "base/time.h" |
| 14 | 14 |
| 15 #if defined(OS_WIN) | 15 #if defined(OS_WIN) |
| 16 #include <windows.h> | 16 #include <windows.h> |
| 17 #include <wincrypt.h> | 17 #include <wincrypt.h> |
| 18 #elif defined(OS_MACOSX) | |
| 19 #include <Security/Security.h> | |
| 18 #endif | 20 #endif |
| 19 | 21 |
| 20 class Pickle; | 22 class Pickle; |
| 21 | 23 |
| 22 namespace net { | 24 namespace net { |
| 23 | 25 |
| 24 // X509Certificate represents an X.509 certificate used by SSL. | 26 // X509Certificate represents an X.509 certificate used by SSL. |
| 25 class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { | 27 class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { |
| 26 public: | 28 public: |
| 27 // SHA-1 fingerprint (160 bits) of a certificate. | 29 // SHA-1 fingerprint (160 bits) of a certificate. |
| 28 struct Fingerprint { | 30 struct Fingerprint { |
| 29 unsigned char data[20]; | 31 unsigned char data[20]; |
| 30 }; | 32 }; |
| 31 | 33 |
| 32 class FingerprintLessThan | 34 class FingerprintLessThan |
| 33 : public std::binary_function<Fingerprint, Fingerprint, bool> { | 35 : public std::binary_function<Fingerprint, Fingerprint, bool> { |
| 34 public: | 36 public: |
| 35 bool operator() (const Fingerprint& lhs, const Fingerprint& rhs) const; | 37 bool operator() (const Fingerprint& lhs, const Fingerprint& rhs) const; |
| 36 }; | 38 }; |
| 37 | 39 |
| 38 // Predicate functor used in maps when X509Certificate is used as the key. | 40 // Predicate functor used in maps when X509Certificate is used as the key. |
| 39 class LessThan | 41 class LessThan |
| 40 : public std::binary_function<X509Certificate*, X509Certificate*, bool> { | 42 : public std::binary_function<X509Certificate*, X509Certificate*, bool> { |
| 41 public: | 43 public: |
| 42 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; | 44 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; |
| 43 }; | 45 }; |
| 44 | 46 |
| 45 #if defined(OS_WIN) | 47 #if defined(OS_WIN) |
| 46 typedef PCCERT_CONTEXT OSCertHandle; | 48 typedef PCCERT_CONTEXT OSCertHandle; |
| 49 #elif defined(OS_MACOSX) | |
| 50 typedef SecCertificateRef OSCertHandle; | |
| 47 #else | 51 #else |
| 48 // TODO(ericroman): not implemented | 52 // TODO(ericroman): not implemented |
| 49 typedef void* OSCertHandle; | 53 typedef void* OSCertHandle; |
| 50 #endif | 54 #endif |
| 51 | 55 |
| 52 // Principal represent an X.509 principal. | 56 // Principal represent an X.509 principal. |
| 53 struct Principal { | 57 struct Principal { |
| 54 Principal() { } | 58 Principal() { } |
| 55 explicit Principal(std::string name) : common_name(name) { } | 59 explicit Principal(std::string name) : common_name(name) { } |
| 56 | 60 |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 95 | 99 |
| 96 private: | 100 private: |
| 97 // The set of fingerprints of allowed certificates. | 101 // The set of fingerprints of allowed certificates. |
| 98 std::set<Fingerprint, FingerprintLessThan> allowed_; | 102 std::set<Fingerprint, FingerprintLessThan> allowed_; |
| 99 | 103 |
| 100 // The set of fingerprints of denied certificates. | 104 // The set of fingerprints of denied certificates. |
| 101 std::set<Fingerprint, FingerprintLessThan> denied_; | 105 std::set<Fingerprint, FingerprintLessThan> denied_; |
| 102 }; | 106 }; |
| 103 | 107 |
| 104 // Create an X509Certificate from a handle to the certificate object | 108 // Create an X509Certificate from a handle to the certificate object |
| 105 // in the underlying crypto library. | 109 // in the underlying crypto library. This is a transfer of ownership; |
| 110 // X509Certificate will properly dispose of |cert_handle| for you. | |
| 106 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle); | 111 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle); |
| 107 | 112 |
| 108 // Create an X509Certificate from the representation stored in the given | 113 // Create an X509Certificate from the representation stored in the given |
| 109 // pickle. The data for this object is found relative to the given | 114 // pickle. The data for this object is found relative to the given |
| 110 // pickle_iter, which should be passed to the pickle's various Read* methods. | 115 // pickle_iter, which should be passed to the pickle's various Read* methods. |
| 116 // Returns NULL on failure. | |
| 111 static X509Certificate* CreateFromPickle(const Pickle& pickle, | 117 static X509Certificate* CreateFromPickle(const Pickle& pickle, |
| 112 void** pickle_iter); | 118 void** pickle_iter); |
| 113 | 119 |
| 114 // Creates a X509Certificate from the ground up. Used by tests that simulate | 120 // Creates a X509Certificate from the ground up. Used by tests that simulate |
| 115 // SSL connections. | 121 // SSL connections. |
| 116 X509Certificate(std::string subject, std::string issuer, | 122 X509Certificate(std::string subject, std::string issuer, |
| 117 Time start_date, Time expiration_date); | 123 Time start_date, Time expiration_date); |
| 118 | 124 |
| 119 // Appends a representation of this object to the given pickle. | 125 // Appends a representation of this object to the given pickle. |
| 120 void Persist(Pickle* pickle); | 126 void Persist(Pickle* pickle); |
| 121 | 127 |
| 122 // The subject of the certificate. For HTTPS server certificates, this | 128 // The subject of the certificate. For HTTPS server certificates, this |
| 123 // represents the web server. The common name of the subject should match | 129 // represents the web server. The common name of the subject should match |
| 124 // the host name of the web server. | 130 // the host name of the web server. |
| 125 const Principal& subject() const { return subject_; } | 131 const Principal& subject() const { return subject_; } |
| 126 | 132 |
| 127 // The issuer of the certificate. | 133 // The issuer of the certificate. |
| 128 const Principal& issuer() const { return issuer_; } | 134 const Principal& issuer() const { return issuer_; } |
| 129 | 135 |
| 136 #if defined(OS_WIN) | |
|
Amanda Walker
2008/09/18 16:14:43
Since you wrote code to extract individual fields
wtc
2008/09/18 20:37:55
I believe the valid_start() and valid_expiry() met
Avi (use Gerrit)
2008/09/18 20:48:17
No, they are not. valid_start() isn't used anywher
| |
| 130 // Time period during which the certificate is valid. More precisely, this | 137 // Time period during which the certificate is valid. More precisely, this |
| 131 // certificate is invalid before the |valid_start| date and invalid after | 138 // certificate is invalid before the |valid_start| date and invalid after |
| 132 // the |valid_expiry| date. | 139 // the |valid_expiry| date. |
| 133 // If we were unable to parse either date from the certificate (or if the cert | 140 // If we were unable to parse either date from the certificate (or if the cert |
| 134 // lacks either date), the date will be null (i.e., is_null() will be true). | 141 // lacks either date), the date will be null (i.e., is_null() will be true). |
| 135 const Time& valid_start() const { return valid_start_; } | 142 const Time& valid_start() const { return valid_start_; } |
| 136 const Time& valid_expiry() const { return valid_expiry_; } | 143 const Time& valid_expiry() const { return valid_expiry_; } |
| 144 #endif | |
| 137 | 145 |
| 138 // The fingerprint of this certificate. | 146 // The fingerprint of this certificate. |
| 139 const Fingerprint& fingerprint() const { return fingerprint_; } | 147 const Fingerprint& fingerprint() const { return fingerprint_; } |
| 140 | 148 |
| 141 // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1 | 149 // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1 |
| 142 // Server Identity, if the certificate has a subjectAltName extension of | 150 // Server Identity, if the certificate has a subjectAltName extension of |
| 143 // type dNSName, this method gets the DNS names in that extension. | 151 // type dNSName, this method gets the DNS names in that extension. |
| 144 // Otherwise, it gets the common name in the subject field. | 152 // Otherwise, it gets the common name in the subject field. |
| 145 void GetDNSNames(std::vector<std::string>* dns_names) const; | 153 void GetDNSNames(std::vector<std::string>* dns_names) const; |
| 146 | 154 |
| 155 #if defined(OS_WIN) | |
|
Amanda Walker
2008/09/18 16:14:43
Same comment as above: we should either implement
| |
| 147 // Convenience method that returns whether this certificate has expired as of | 156 // Convenience method that returns whether this certificate has expired as of |
| 148 // now. | 157 // now. |
| 149 bool HasExpired() const; | 158 bool HasExpired() const; |
| 159 #endif | |
| 150 | 160 |
| 151 // Returns true if the certificate is an extended-validation (EV) | 161 // Returns true if the certificate is an extended-validation (EV) |
| 152 // certificate. | 162 // certificate. |
| 153 bool IsEV(int cert_status) const; | 163 bool IsEV(int cert_status) const; |
| 154 | 164 |
| 155 OSCertHandle os_cert_handle() const { return cert_handle_; } | 165 OSCertHandle os_cert_handle() const { return cert_handle_; } |
| 156 | 166 |
| 157 private: | 167 private: |
| 158 // A cache of X509Certificate objects. | 168 // A cache of X509Certificate objects. |
| 159 class Cache; | 169 class Cache; |
| 160 | 170 |
| 161 // Construct an X509Certificate from a handle to the certificate object | 171 // Construct an X509Certificate from a handle to the certificate object |
| 162 // in the underlying crypto library. | 172 // in the underlying crypto library. |
| 163 explicit X509Certificate(OSCertHandle cert_handle); | 173 explicit X509Certificate(OSCertHandle cert_handle); |
| 164 | 174 |
| 165 friend class base::RefCountedThreadSafe<X509Certificate>; | 175 friend class base::RefCountedThreadSafe<X509Certificate>; |
| 166 ~X509Certificate(); | 176 ~X509Certificate(); |
| 167 | 177 |
| 168 // Common object initialization code. Called by the constructors only. | 178 // Common object initialization code. Called by the constructors only. |
| 169 void Initialize(); | 179 void Initialize(); |
| 170 | 180 |
| 181 #if defined(OS_WIN) | |
| 171 // Helper function to parse a principal from a WinInet description of that | 182 // Helper function to parse a principal from a WinInet description of that |
| 172 // principal. | 183 // principal. |
| 173 static void ParsePrincipal(const std::string& description, | 184 static void ParsePrincipal(const std::string& description, |
| 174 Principal* principal); | 185 Principal* principal); |
| 186 #endif | |
|
Amanda Walker
2008/09/18 16:14:43
Add a declaration for the Mac version, mostly to k
| |
| 175 | 187 |
| 176 // The subject of the certificate. | 188 // The subject of the certificate. |
| 177 Principal subject_; | 189 Principal subject_; |
| 178 | 190 |
| 179 // The issuer of the certificate. | 191 // The issuer of the certificate. |
| 180 Principal issuer_; | 192 Principal issuer_; |
| 181 | 193 |
| 194 #if defined(OS_WIN) | |
| 182 // This certificate is not valid before |valid_start_| | 195 // This certificate is not valid before |valid_start_| |
| 183 Time valid_start_; | 196 Time valid_start_; |
| 184 | 197 |
| 185 // This certificate is not valid after |valid_expiry_| | 198 // This certificate is not valid after |valid_expiry_| |
| 186 Time valid_expiry_; | 199 Time valid_expiry_; |
| 200 #endif | |
| 187 | 201 |
| 188 // The fingerprint of this certificate. | 202 // The fingerprint of this certificate. |
| 189 Fingerprint fingerprint_; | 203 Fingerprint fingerprint_; |
| 190 | 204 |
| 191 // A handle to the certificate object in the underlying crypto library. | 205 // A handle to the certificate object in the underlying crypto library. |
| 192 OSCertHandle cert_handle_; | 206 OSCertHandle cert_handle_; |
| 193 | 207 |
| 194 DISALLOW_EVIL_CONSTRUCTORS(X509Certificate); | 208 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
| 195 }; | 209 }; |
| 196 | 210 |
| 197 } // namespace net | 211 } // namespace net |
| 198 | 212 |
| 199 #endif // NET_BASE_X509_CERTIFICATE_H_ | 213 #endif // NET_BASE_X509_CERTIFICATE_H_ |
| 200 | 214 |
| OLD | NEW |
