Move chain building/verification out of X509Certificate

net/base/x509_certificate.h

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 74 matching lines @@
 #endif
 
   typedef std::vector<OSCertHandle> OSCertHandles;
 
   // Predicate functor used in maps when X509Certificate is used as the key.
   class LessThan {
    public:
     bool operator() (X509Certificate* lhs,  X509Certificate* rhs) const;
   };
 
-  enum VerifyFlags {
-    VERIFY_REV_CHECKING_ENABLED = 1 << 0,
-    VERIFY_EV_CERT = 1 << 1,
-  };
-
   enum Format {
     // The data contains a single DER-encoded certificate, or a PEM-encoded
     // DER certificate with the PEM encoding block name of "CERTIFICATE".
     // Any subsequent blocks will be ignored.
     FORMAT_SINGLE_CERTIFICATE = 1 << 0,
 
     // The data contains a sequence of one or more PEM-encoded, DER
     // certificates, with the PEM encoding block name of "CERTIFICATE".
     // All PEM blocks will be parsed, until the first error is encountered.
     FORMAT_PEM_CERT_SEQUENCE = 1 << 1,
@@ skipping 126 matching lines @@
   // one of the given names will be included in the list.
   static bool GetSSLClientCertificates(
       const std::string& server_domain,
       const std::vector<CertPrincipal>& valid_issuers,
       std::vector<scoped_refptr<X509Certificate> >* certs);
 
   // Creates the chain of certs to use for this client identity cert.
   CFArrayRef CreateClientCertificateChain() const;
 #endif
 
-  // Verifies the certificate against the given hostname.  Returns OK if
-  // successful or an error code upon failure.
-  //
-  // The |*verify_result| structure, including the |verify_result->cert_status|
-  // bitmask, is always filled out regardless of the return value.  If the
-  // certificate has multiple errors, the corresponding status flags are set in
-  // |verify_result->cert_status|, and the error code for the most serious
-  // error is returned.
-  //
-  // |flags| is bitwise OR'd of VerifyFlags.
-  // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, certificate revocation
-  // checking is performed.  If VERIFY_EV_CERT is set in |flags| too,
-  // EV certificate verification is performed.
-  int Verify(const std::string& hostname,
-             int flags,
-             CertVerifyResult* verify_result) const;
-
   OSCertHandle os_cert_handle() const { return cert_handle_; }
 
   // Returns true if two OSCertHandles refer to identical certificates.
   static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
 
   // Creates an OS certificate handle from the BER-encoded representation.
   // Returns NULL on failure.
   static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
                                                   int length);
 
   // Creates all possible OS certificate handles from |data| encoded in a
   // specific |format|. Returns an empty collection on failure.
   static OSCertHandles CreateOSCertHandlesFromBytes(
       const char* data, int length, Format format);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate list handle
   static void FreeOSCertListHandle(OSCertListHandle cert_list);
 
+  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
+  // (all zero) fingerprint on failure.
+  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
+
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates);
 
   class Cache;
 
   // Construct an X509Certificate from a handle to the certificate object
   // in the underlying crypto library.
   X509Certificate(OSCertHandle cert_handle,
                   const OSCertHandles& intermediates);
 
   ~X509Certificate();
 
   // Common object initialization code.  Called by the constructors only.
   void Initialize();
 
-  bool VerifyEV() const;
-
   // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
   // (all zero) fingerprint on failure.
   static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
 
   // Reads a single certificate from |pickle| and returns a platform
   // specific certificate handle. The format of the certificate stored in
   // the Pickle is not guaranteed to be a cross-platform format or acceptable
   // to CreateFromBytes. Returns an invalid handle (NULL) on failure.
   static OSCertHandle ReadCertHandleFromPickle(const Pickle& pickle,
                                                void** pickle_iter);
@@ skipping 18 matching lines @@
   // The fingerprint of this certificate.
   SHA1Fingerprint fingerprint_;
 
   // A handle to the certificate object in the underlying crypto library.
   OSCertHandle cert_handle_;
 
   // Untrusted intermediate certificates associated with this certificate
   // that may be needed for chain building. (NSS impl does not need these.)
   OSCertHandles intermediate_ca_certs_;
 
-#if defined(OS_MACOSX)
-  // Blocks multiple threads from verifying the cert simultaneously.
-  // (Marked mutable because it's used in a const method.)
-  mutable Lock verification_lock_;
-#endif
-
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_