1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_X509_CERTIFICATE_H_ | 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ |
6 #define NET_BASE_X509_CERTIFICATE_H_ | 6 #define NET_BASE_X509_CERTIFICATE_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <string.h> | 9 #include <string.h> |
10 | 10 |
11 #include <string> | 11 #include <string> |
12 #include <vector> | 12 #include <vector> |
13 | 13 |
14 #include "base/gtest_prod_util.h" | 14 #include "base/gtest_prod_util.h" |
15 #include "base/memory/ref_counted.h" | 15 #include "base/memory/ref_counted.h" |
16 #include "base/string_piece.h" | 16 #include "base/string_piece.h" |
17 #include "base/time.h" | 17 #include "base/time.h" |
18 #include "net/base/net_api.h" | 18 #include "net/base/net_api.h" |
19 #include "net/base/x509_cert_types.h" | 19 #include "net/base/x509_cert_types.h" |
20 | 20 |
21 #if defined(OS_WIN) | 21 #if defined(OS_WIN) |
22 #include <windows.h> | 22 #include <windows.h> |
23 #include <wincrypt.h> | 23 #include <wincrypt.h> |
24 #elif defined(OS_MACOSX) | 24 #elif defined(OS_MACOSX) |
25 #include <CoreFoundation/CFArray.h> | 25 #include <CoreFoundation/CFArray.h> |
26 #include <Security/SecBase.h> | 26 #include <Security/SecBase.h> |
27 | 27 |
28 #include "base/synchronization/lock.h" | 28 #include "base/synchronization/lock.h" |
29 #elif defined(USE_OPENSSL) | 29 #elif defined(USE_OPENSSL) |
30 #include <openssl/safestack.h> | |
30 // Forward declaration; real one in <x509.h> | 31 // Forward declaration; real one in <x509.h> |
31 struct x509_st; | 32 typedef struct x509_st X509; |
33 PREDECLARE_STACK_OF(X509); | |
32 typedef struct x509_store_st X509_STORE; | 34 typedef struct x509_store_st X509_STORE; |
33 #elif defined(USE_NSS) | 35 #elif defined(USE_NSS) |
34 // Forward declaration; real one in <cert.h> | 36 // Forward declaration; real one in <cert.h> |
35 struct CERTCertificateStr; | 37 struct CERTCertificateStr; |
36 #endif | 38 #endif |
37 | 39 |
38 class Pickle; | 40 class Pickle; |
39 | 41 |
40 namespace crypto { | 42 namespace crypto { |
41 class StringPiece; | 43 class StringPiece; |
42 class RSAPrivateKey; | 44 class RSAPrivateKey; |
43 } // namespace crypto | 45 } // namespace crypto |
44 | 46 |
45 namespace net { | 47 namespace net { |
46 | 48 |
47 class CertVerifyResult; | 49 class CertVerifyResult; |
48 | 50 |
49 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; | 51 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
50 | 52 |
51 // X509Certificate represents a X.509 certificate, which is comprised a | 53 // X509Certificate represents a X.509 certificate, which is comprised a |
52 // particular identity or end-entity certificate, such as an SSL server | 54 // particular identity or end-entity certificate, such as an SSL server |
53 // identity or an SSL client certificate, and zero or more intermediate | 55 // identity or an SSL client certificate, and zero or more intermediate |
54 // certificates that may be used to build a path to a root certificate. | 56 // certificates that may be used to build a path to a root certificate. |
55 class NET_API X509Certificate | 57 class NET_API X509Certificate |
56 : public base::RefCountedThreadSafe<X509Certificate> { | 58 : public base::RefCountedThreadSafe<X509Certificate> { |
57 public: | 59 public: |
58 // A handle to the certificate object in the underlying crypto library. | 60 // An OSCertHandle is a handle to the certificate object in the underlying |
59 // We assume that OSCertHandle is a pointer type on all platforms and | 61 // crypto library. We assume that OSCertHandle is a pointer type on all |
60 // NULL is an invalid OSCertHandle. | 62 // platforms and that NULL represents an invalid OSCertHandle. |
63 // | |
64 // An OSCertListHandle is a handle to the underlying crypto library that | |
wtc
2011/10/04 00:26:34
Add "the object in" before "the underlying crypto
| |
65 // represents a collection of certificates, with one of the certificates | |
66 // marked as an identity certificate and the remaining certificates marked | |
wtc
2011/10/04 00:26:34
I suggest changing "an identity certificate" to
"a
Ryan Sleevi
2011/10/04 03:38:07
Does the explanation on line 53-54 provide the nec
wtc
2011/10/04 18:00:51
This is fine. My complaint about this comment is
| |
67 // as supplementary certificates for path building. Like OSCertHandle, it | |
68 // is assumed to be a pointer type on all platforms and that NULL | |
69 // represents an invalid OSCertListHandle. | |
70 // | |
71 // It should be noted that depending on the underlying cryptographic | |
wtc
2011/10/04 00:26:34
Nit: for brevity, change "It should be noted that"
| |
72 // library, an OSCertHandle or OSCertListHandle may not be thread-safe. | |
wtc
2011/10/04 00:26:34
Please add a comment to motivate OSCertListHandle.
| |
61 #if defined(OS_WIN) | 73 #if defined(OS_WIN) |
62 typedef PCCERT_CONTEXT OSCertHandle; | 74 typedef PCCERT_CONTEXT OSCertHandle; |
75 // Though the same type as an OSCertHandle, a unique HCERTSTORE member is | |
76 // used for the certificate containing just the subset of related | |
wtc
2011/10/04 00:26:34
Add "store" after "certificate".
Change "related"
| |
77 // certificates. | |
78 typedef PCCERT_CONTEXT OSCertListHandle; | |
63 #elif defined(OS_MACOSX) | 79 #elif defined(OS_MACOSX) |
64 typedef SecCertificateRef OSCertHandle; | 80 typedef SecCertificateRef OSCertHandle; |
81 typedef CFArrayRef OSCertListHandle; | |
65 #elif defined(USE_OPENSSL) | 82 #elif defined(USE_OPENSSL) |
66 typedef struct x509_st* OSCertHandle; | 83 typedef struct x509_st* OSCertHandle; |
wtc
2011/10/04 00:26:34
Change "struct x509_st" to X509.
| |
84 typedef STACK_OF(X509)* OSCertListHandle; | |
67 #elif defined(USE_NSS) | 85 #elif defined(USE_NSS) |
68 typedef struct CERTCertificateStr* OSCertHandle; | 86 typedef struct CERTCertificateStr* OSCertHandle; |
87 // TODO(rsleevi): With NSS, it is not currently necessary to use a | |
88 // separate type, because of how certificate path building/verification is | |
89 // implemented. | |
90 typedef OSCertHandle OSCertListHandle; | |
69 #else | 91 #else |
70 // TODO(ericroman): not implemented | 92 // TODO(ericroman): not implemented |
71 typedef void* OSCertHandle; | 93 typedef void* OSCertHandle; |
94 typedef void* OSCertListHandle; | |
wtc
2011/10/04 00:26:34
Nit: it would be nice to use the same style of typ
| |
72 #endif | 95 #endif |
73 | 96 |
74 typedef std::vector<OSCertHandle> OSCertHandles; | 97 typedef std::vector<OSCertHandle> OSCertHandles; |
75 | 98 |
76 // Predicate functor used in maps when X509Certificate is used as the key. | 99 // Predicate functor used in maps when X509Certificate is used as the key. |
77 class NET_API LessThan { | 100 class NET_API LessThan { |
78 public: | 101 public: |
79 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; | 102 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; |
80 }; | 103 }; |
81 | 104 |
228 const OSCertHandles& GetIntermediateCertificates() const { | 251 const OSCertHandles& GetIntermediateCertificates() const { |
229 return intermediate_ca_certs_; | 252 return intermediate_ca_certs_; |
230 } | 253 } |
231 | 254 |
232 // Returns true if I already contain the given intermediate cert. | 255 // Returns true if I already contain the given intermediate cert. |
233 bool HasIntermediateCertificate(OSCertHandle cert); | 256 bool HasIntermediateCertificate(OSCertHandle cert); |
234 | 257 |
235 // Returns true if I already contain all the given intermediate certs. | 258 // Returns true if I already contain all the given intermediate certs. |
236 bool HasIntermediateCertificates(const OSCertHandles& certs); | 259 bool HasIntermediateCertificates(const OSCertHandles& certs); |
237 | 260 |
261 // Returns a new OSCertListHandle representing the certificate and any | |
262 // associated intermediates, or NULL on failure. Ownership is transferred | |
wtc
2011/10/04 00:26:34
Nit: intermediates => intermediate certificates
| |
263 // to the caller and may be released by calling FreeOSCertListHandle() | |
264 // with the returned value. | |
265 OSCertListHandle CreateOSCertListHandle() const; | |
266 | |
238 #if defined(OS_MACOSX) | 267 #if defined(OS_MACOSX) |
239 // Does this certificate's usage allow SSL client authentication? | 268 // Does this certificate's usage allow SSL client authentication? |
240 bool SupportsSSLClientAuth() const; | 269 bool SupportsSSLClientAuth() const; |
241 | 270 |
242 // Do any of the given issuer names appear in this cert's chain of trust? | 271 // Do any of the given issuer names appear in this cert's chain of trust? |
243 bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers); | 272 bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers); |
244 | 273 |
245 // Creates a security policy for certificates used as client certificates | 274 // Creates a security policy for certificates used as client certificates |
246 // in SSL. | 275 // in SSL. |
247 // If a policy is successfully created, it will be stored in | 276 // If a policy is successfully created, it will be stored in |
338 // specific |format|. Returns an empty collection on failure. | 367 // specific |format|. Returns an empty collection on failure. |
339 static OSCertHandles CreateOSCertHandlesFromBytes( | 368 static OSCertHandles CreateOSCertHandlesFromBytes( |
340 const char* data, int length, Format format); | 369 const char* data, int length, Format format); |
341 | 370 |
342 // Duplicates (or adds a reference to) an OS certificate handle. | 371 // Duplicates (or adds a reference to) an OS certificate handle. |
343 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); | 372 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); |
344 | 373 |
345 // Frees (or releases a reference to) an OS certificate handle. | 374 // Frees (or releases a reference to) an OS certificate handle. |
346 static void FreeOSCertHandle(OSCertHandle cert_handle); | 375 static void FreeOSCertHandle(OSCertHandle cert_handle); |
347 | 376 |
377 // Frees (or releases a reference to) an OS certificate list handle. | |
378 static void FreeOSCertListHandle(OSCertListHandle cert_list); | |
wtc
2011/10/04 00:26:34
cert_list => cert_list_handle
| |
379 | |
348 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty | 380 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty |
349 // (all zero) fingerprint on failure. | 381 // (all zero) fingerprint on failure. |
350 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); | 382 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); |
351 | 383 |
352 private: | 384 private: |
353 friend class base::RefCountedThreadSafe<X509Certificate>; | 385 friend class base::RefCountedThreadSafe<X509Certificate>; |
354 friend class TestRootCerts; // For unit tests | 386 friend class TestRootCerts; // For unit tests |
355 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache); | 387 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache); |
356 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates); | 388 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates); |
357 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers); | 389 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers); |
460 // (Marked mutable because it's used in a const method.) | 492 // (Marked mutable because it's used in a const method.) |
461 mutable base::Lock verification_lock_; | 493 mutable base::Lock verification_lock_; |
462 #endif | 494 #endif |
463 | 495 |
464 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 496 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
465 }; | 497 }; |
466 | 498 |
467 } // namespace net | 499 } // namespace net |
468 | 500 |
469 #endif // NET_BASE_X509_CERTIFICATE_H_ | 501 #endif // NET_BASE_X509_CERTIFICATE_H_ |
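Review bot: The new OSCertListHandle is the same type as OSCertHandle on Windows (`typedef PCCERT_CONTEXT OSCertListHandle;`) and on NSS (`typedef OSCertHandle OSCertListHandle;`), so passing a list handle to FreeOSCertHandle, or a plain certificate handle to FreeOSCertListHandle, compiles without any diagnostic; since the Windows comment says the list handle carries its own HCERTSTORE, releasing it through the wrong function would presumably leak or mis-release that store. The CreateOSCertListHandle comment should pin the pairing explicitly, e.g. `// The returned handle must be released only with FreeOSCertListHandle(); it is not interchangeable with an OSCertHandle even on platforms where the two typedefs coincide.` The OSCertListHandle description would also benefit from a trust caveat, since the "supplementary certificates for path building" are the intermediates this object carries (typically received from the peer): `// The supplementary certificates are unverified path-building input only; consumers must not treat any of them as a trust anchor.` Finally, "may not be thread-safe" is hard to act on as written — naming which platforms' handles need external locking (presumably the Mac build, which already declares verification_lock_) would make the contract usable by callers.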