1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef NET_BASE_X509_UTIL_WIN_H_ | |
6 #define NET_BASE_X509_UTIL_WIN_H_ | |
7 #pragma once | |
8 | |
9 #include <windows.h> | |
10 #include <wincrypt.h> | |
11 | |
12 namespace net { | |
13 | |
14 class X509Certificate; | |
15 | |
16 namespace x509_util { | |
17 | |
18 // Returns a new PCCERT_CONTEXT containing |cert| and its intermediates, or | |
19 // NULL on failure. | |
wtc
2011/10/16 14:55:49
Nit: intermediates => intermediate certificates
I
20 // | |
21 // Depending on the CryptoAPI function, Windows may need to access the | |
22 // HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to locate | |
23 // additional intermediates or access certificate properties. However, in the | |
24 // current implementation on Windows, all X509Certificate::OSCertHandles | |
wtc
2011/10/16 14:55:49
Nit: current implementation => current X509Certifi
25 // belong to the same HCERTSTORE - X509Certificate::cert_store(). If CryptoAPI | |
26 // accesses this shared store on multiple threads, it may return inconsistent | |
27 // results if the store is modified while enumerating. | |
28 // | |
29 // To avoid this, a new in-memory HCERTSTORE is created containing just |cert| | |
30 // and its optional intermediates. The handle to the primary certificate of | |
31 // |cert| in this new HCERTSTORE is then returned, and the new HCERTSTORE will | |
32 // be automatically freed when the returned certificate is released. | |
33 // | |
34 // This function is only needed when the HCERTSTORE of the os_cert_handle() | |
35 // will be accessed, which is generally only during certificate validation or | |
36 // display. While the returned PCCERT_CONTEXT and its HCERTSTORE can safely | |
37 // be used on multiple threads if no further modifications happen, it is | |
38 // generally preferable for each thread that needs such a context to obtain | |
39 // its own, rather than risk thread-safety issues by sharing. | |
40 // | |
41 // Additionally, because of how X509Certificate caching is implemented, the | |
42 // returned PCCERT_CONTEXT *SHOULD NOT* be stored in an X509Certificate, as | |
wtc
2011/10/16 14:55:49
Nit: SHOULD => MUST?
43 // the returned os_cert_handle() may differ from the one originally created by | |
44 // this function. | |
45 PCCERT_CONTEXT CreateOSCertChainForCert(const X509Certificate* cert); | |
46 | |
47 } // namespace x509_util | |
48 | |
49 } // namespace net | |
50 | |
51 #endif // NET_BASE_X509_UTIL_WIN_H_ | |
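Review bot: The comment block above the CreateOSCertChainForCert declaration explains that the new in-memory HCERTSTORE is freed when the returned certificate is released, but it never states that the caller owns the returned PCCERT_CONTEXT or which API releases it, so a reader has to infer the ownership contract. I would add directly above the declaration: `// The caller takes ownership of the returned PCCERT_CONTEXT and must release` / `// it with CertFreeCertificateContext(); releasing it also frees the backing` / `// in-memory HCERTSTORE.` The declaration also accepts a pointer without saying whether |cert| may be NULL; the comment only says NULL is returned on failure, so presumably a NULL input is treated as a failure rather than a precondition, which is worth stating once confirmed against the implementation.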