1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_X509_CERTIFICATE_H_ | 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ |
6 #define NET_BASE_X509_CERTIFICATE_H_ | 6 #define NET_BASE_X509_CERTIFICATE_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <string.h> | 9 #include <string.h> |
10 | 10 |
11 #include <string> | 11 #include <string> |
12 #include <vector> | 12 #include <vector> |
13 | 13 |
14 #include "base/gtest_prod_util.h" | 14 #include "base/gtest_prod_util.h" |
15 #include "base/memory/ref_counted.h" | 15 #include "base/memory/ref_counted.h" |
16 #include "base/string_piece.h" | 16 #include "base/string_piece.h" |
17 #include "base/time.h" | 17 #include "base/time.h" |
18 #include "net/base/net_export.h" | 18 #include "net/base/net_export.h" |
19 #include "net/base/x509_cert_types.h" | 19 #include "net/base/x509_cert_types.h" |
20 | 20 |
21 #if defined(OS_WIN) | 21 #if defined(OS_WIN) |
22 #include <windows.h> | 22 #include <windows.h> |
23 #include <wincrypt.h> | 23 #include <wincrypt.h> |
24 #elif defined(OS_MACOSX) | 24 #elif defined(OS_MACOSX) |
25 #include <CoreFoundation/CFArray.h> | 25 #include <CoreFoundation/CFArray.h> |
26 #include <Security/SecBase.h> | 26 #include <Security/SecBase.h> |
27 | 27 |
28 #include "base/synchronization/lock.h" | 28 #include "base/synchronization/lock.h" |
29 #elif defined(USE_OPENSSL) | 29 #elif defined(USE_OPENSSL) |
30 #include <openssl/safestack.h> | |
30 // Forward declaration; real one in <x509.h> | 31 // Forward declaration; real one in <x509.h> |
31 struct x509_st; | 32 typedef struct x509_st X509; |
33 PREDECLARE_STACK_OF(X509); | |
32 typedef struct x509_store_st X509_STORE; | 34 typedef struct x509_store_st X509_STORE; |
33 #elif defined(USE_NSS) | 35 #elif defined(USE_NSS) |
34 // Forward declaration; real one in <cert.h> | 36 // Forward declaration; real one in <cert.h> |
35 struct CERTCertificateStr; | 37 struct CERTCertificateStr; |
36 #endif | 38 #endif |
37 | 39 |
38 class Pickle; | 40 class Pickle; |
39 | 41 |
40 namespace crypto { | 42 namespace crypto { |
41 class StringPiece; | 43 class StringPiece; |
42 class RSAPrivateKey; | 44 class RSAPrivateKey; |
43 } // namespace crypto | 45 } // namespace crypto |
44 | 46 |
45 namespace net { | 47 namespace net { |
46 | 48 |
47 class CertVerifyResult; | 49 class CertVerifyResult; |
48 | 50 |
49 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; | 51 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
50 | 52 |
51 // X509Certificate represents a X.509 certificate, which is comprised a | 53 // X509Certificate represents a X.509 certificate, which is comprised a |
52 // particular identity or end-entity certificate, such as an SSL server | 54 // particular identity or end-entity certificate, such as an SSL server |
53 // identity or an SSL client certificate, and zero or more intermediate | 55 // identity or an SSL client certificate, and zero or more intermediate |
54 // certificates that may be used to build a path to a root certificate. | 56 // certificates that may be used to build a path to a root certificate. |
55 class NET_EXPORT X509Certificate | 57 class NET_EXPORT X509Certificate |
56 : public base::RefCountedThreadSafe<X509Certificate> { | 58 : public base::RefCountedThreadSafe<X509Certificate> { |
57 public: | 59 public: |
58 // A handle to the certificate object in the underlying crypto library. | 60 // An OSCertHandle is a handle to the certificate object in the underlying |
59 // We assume that OSCertHandle is a pointer type on all platforms and | 61 // crypto library. We assume that OSCertHandle is a pointer type on all |
60 // NULL is an invalid OSCertHandle. | 62 // platforms and that NULL represents an invalid OSCertHandle. |
63 // | |
64 // An OSCertListHandle is a handle to the object in the underlying crypto | |
65 // library that represents a collection of certificates, with one of the | |
66 // certificates marked as an identity certificate and the remaining | |
67 // certificates marked as supplementary certificates for path building. Like | |
68 // OSCertHandle, it is assumed to be a pointer type on all platforms and | |
69 // that NULL represents an invalid OSCertListHandle. | |
70 // | |
71 // Depending on the underlying cryptographic library, an OSCertHandle or | |
72 // or OSCertListHandle may not be thread-safe. To avoid threading issues, | |
73 // each thread that is sharing an X509Certificate and needs access to an | |
74 // OSCertListHandle should use CreateOSCertListHandle() or only allow it to | |
wtc
2011/10/04 18:00:52
In "only allow it to be used on a single thread",
| |
75 // be used on a single thread. | |
61 #if defined(OS_WIN) | 76 #if defined(OS_WIN) |
62 typedef PCCERT_CONTEXT OSCertHandle; | 77 typedef PCCERT_CONTEXT OSCertHandle; |
78 // Though the same type as an OSCertHandle, a different PCCERT_CONTEXT is | |
79 // returned, beloning to a unique, temporary HCERTSTORE containing just the | |
80 // intermediate certificates. | |
81 typedef PCCERT_CONTEXT OSCertListHandle; | |
63 #elif defined(OS_MACOSX) | 82 #elif defined(OS_MACOSX) |
64 typedef SecCertificateRef OSCertHandle; | 83 typedef SecCertificateRef OSCertHandle; |
84 // Apple's certificate chain and identity functions use a CFArrayRef, with | |
85 // the first item in the array being the certificate that is to be | |
86 // verified/viewed/modified, and the remaining items containing optional | |
87 // additional certificates to use in path building or verification. | |
88 typedef CFArrayRef OSCertListHandle; | |
65 #elif defined(USE_OPENSSL) | 89 #elif defined(USE_OPENSSL) |
66 typedef struct x509_st* OSCertHandle; | 90 typedef X509* OSCertHandle; |
91 typedef STACK_OF(X509)* OSCertListHandle; | |
67 #elif defined(USE_NSS) | 92 #elif defined(USE_NSS) |
68 typedef struct CERTCertificateStr* OSCertHandle; | 93 typedef struct CERTCertificateStr* OSCertHandle; |
94 // Currently, because of how chain building/verification is used with NSS, | |
95 // it is not necessary to provide a separate type for the NSS native | |
96 // certificate chains (CERT_CertificateList or CERTCertList, depending on | |
97 // API). | |
98 typedef OSCertHandle OSCertListHandle; | |
69 #else | 99 #else |
70 // TODO(ericroman): not implemented | 100 // TODO(ericroman): not implemented |
71 typedef void* OSCertHandle; | 101 typedef void* OSCertHandle; |
102 typedef OSCertHandle OSCertListHandle; | |
72 #endif | 103 #endif |
73 | 104 |
74 typedef std::vector<OSCertHandle> OSCertHandles; | 105 typedef std::vector<OSCertHandle> OSCertHandles; |
75 | 106 |
76 // Predicate functor used in maps when X509Certificate is used as the key. | 107 // Predicate functor used in maps when X509Certificate is used as the key. |
77 class NET_EXPORT LessThan { | 108 class NET_EXPORT LessThan { |
78 public: | 109 public: |
79 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; | 110 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; |
80 }; | 111 }; |
81 | 112 |
247 const OSCertHandles& GetIntermediateCertificates() const { | 278 const OSCertHandles& GetIntermediateCertificates() const { |
248 return intermediate_ca_certs_; | 279 return intermediate_ca_certs_; |
249 } | 280 } |
250 | 281 |
251 // Returns true if I already contain the given intermediate cert. | 282 // Returns true if I already contain the given intermediate cert. |
252 bool HasIntermediateCertificate(OSCertHandle cert); | 283 bool HasIntermediateCertificate(OSCertHandle cert); |
253 | 284 |
254 // Returns true if I already contain all the given intermediate certs. | 285 // Returns true if I already contain all the given intermediate certs. |
255 bool HasIntermediateCertificates(const OSCertHandles& certs); | 286 bool HasIntermediateCertificates(const OSCertHandles& certs); |
256 | 287 |
288 // Returns a new OSCertListHandle representing the certificate and any | |
289 // associated intermediates certificates, or NULL on failure. Ownership is | |
290 // transferred to the caller and may be released by calling | |
291 // FreeOSCertListHandle() with the returned value. | |
292 OSCertListHandle CreateOSCertListHandle() const; | |
293 | |
257 #if defined(OS_MACOSX) | 294 #if defined(OS_MACOSX) |
258 // Does this certificate's usage allow SSL client authentication? | 295 // Does this certificate's usage allow SSL client authentication? |
259 bool SupportsSSLClientAuth() const; | 296 bool SupportsSSLClientAuth() const; |
260 | 297 |
261 // Do any of the given issuer names appear in this cert's chain of trust? | 298 // Do any of the given issuer names appear in this cert's chain of trust? |
262 bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers); | 299 bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers); |
263 | 300 |
264 // Creates a security policy for certificates used as client certificates | 301 // Creates a security policy for certificates used as client certificates |
265 // in SSL. | 302 // in SSL. |
266 // If a policy is successfully created, it will be stored in | 303 // If a policy is successfully created, it will be stored in |
361 // specific |format|. Returns an empty collection on failure. | 398 // specific |format|. Returns an empty collection on failure. |
362 static OSCertHandles CreateOSCertHandlesFromBytes( | 399 static OSCertHandles CreateOSCertHandlesFromBytes( |
363 const char* data, int length, Format format); | 400 const char* data, int length, Format format); |
364 | 401 |
365 // Duplicates (or adds a reference to) an OS certificate handle. | 402 // Duplicates (or adds a reference to) an OS certificate handle. |
366 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); | 403 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); |
367 | 404 |
368 // Frees (or releases a reference to) an OS certificate handle. | 405 // Frees (or releases a reference to) an OS certificate handle. |
369 static void FreeOSCertHandle(OSCertHandle cert_handle); | 406 static void FreeOSCertHandle(OSCertHandle cert_handle); |
370 | 407 |
408 // Frees (or releases a reference to) an OS certificate list handle. | |
409 static void FreeOSCertListHandle(OSCertListHandle cert_list_handle); | |
410 | |
371 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty | 411 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty |
372 // (all zero) fingerprint on failure. | 412 // (all zero) fingerprint on failure. |
373 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); | 413 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); |
374 | 414 |
375 private: | 415 private: |
376 friend class base::RefCountedThreadSafe<X509Certificate>; | 416 friend class base::RefCountedThreadSafe<X509Certificate>; |
377 friend class TestRootCerts; // For unit tests | 417 friend class TestRootCerts; // For unit tests |
378 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache); | 418 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache); |
379 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates); | 419 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates); |
380 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers); | 420 FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers); |
493 // (Marked mutable because it's used in a const method.) | 533 // (Marked mutable because it's used in a const method.) |
494 mutable base::Lock verification_lock_; | 534 mutable base::Lock verification_lock_; |
495 #endif | 535 #endif |
496 | 536 |
497 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 537 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
498 }; | 538 }; |
499 | 539 |
500 } // namespace net | 540 } // namespace net |
501 | 541 |
502 #endif // NET_BASE_X509_CERTIFICATE_H_ | 542 #endif // NET_BASE_X509_CERTIFICATE_H_ |
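Review bot: On the Windows, NSS and fallback branches the new OSCertListHandle is the same C type as OSCertHandle (new lines 78-81, 94-98 and 102), so a list handle returned by CreateOSCertListHandle() can be passed to FreeOSCertHandle() or DupOSCertHandle() without any compiler complaint; on Windows that would presumably release the PCCERT_CONTEXT but leak the temporary HCERTSTORE the comment at lines 78-80 says it belongs to, and the reverse mistake would call FreeOSCertListHandle() on a plain certificate handle. Since the type system cannot enforce the pairing, the ownership note at new lines 288-291 should say so explicitly, e.g. `// Even on platforms where OSCertListHandle and OSCertHandle are the same C type, the returned value must only be released with FreeOSCertListHandle(); never pass it to FreeOSCertHandle() or DupOSCertHandle().` and FreeOSCertListHandle() at line 408 deserves the matching warning that it must only receive handles from CreateOSCertListHandle(). Two wording fixes in the new comments: `beloning` at line 79 should be `belonging`, and `intermediates certificates` at line 289 should be `intermediate certificates`. The threading guidance at lines 71-75 is already being discussed in the existing review comment.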