OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_X509_CERTIFICATE_H_ | 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ |
6 #define NET_BASE_X509_CERTIFICATE_H_ | 6 #define NET_BASE_X509_CERTIFICATE_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <string.h> | 9 #include <string.h> |
10 | 10 |
(...skipping 10 matching lines...) Expand all Loading... |
21 #if defined(OS_WIN) | 21 #if defined(OS_WIN) |
22 #include <windows.h> | 22 #include <windows.h> |
23 #include <wincrypt.h> | 23 #include <wincrypt.h> |
24 #elif defined(OS_MACOSX) | 24 #elif defined(OS_MACOSX) |
25 #include <CoreFoundation/CFArray.h> | 25 #include <CoreFoundation/CFArray.h> |
26 #include <Security/SecBase.h> | 26 #include <Security/SecBase.h> |
27 | 27 |
28 #include "base/synchronization/lock.h" | 28 #include "base/synchronization/lock.h" |
29 #elif defined(USE_OPENSSL) | 29 #elif defined(USE_OPENSSL) |
30 // Forward declaration; real one in <x509.h> | 30 // Forward declaration; real one in <x509.h> |
31 struct x509_st; | 31 typedef struct x509_st X509; |
32 typedef struct x509_store_st X509_STORE; | 32 typedef struct x509_store_st X509_STORE; |
33 #elif defined(USE_NSS) | 33 #elif defined(USE_NSS) |
34 // Forward declaration; real one in <cert.h> | 34 // Forward declaration; real one in <cert.h> |
35 struct CERTCertificateStr; | 35 struct CERTCertificateStr; |
36 #endif | 36 #endif |
37 | 37 |
38 class Pickle; | 38 class Pickle; |
39 | 39 |
40 namespace crypto { | 40 namespace crypto { |
41 class StringPiece; | 41 class StringPiece; |
42 class RSAPrivateKey; | 42 class RSAPrivateKey; |
43 } // namespace crypto | 43 } // namespace crypto |
44 | 44 |
45 namespace net { | 45 namespace net { |
46 | 46 |
47 class CRLSet; | 47 class CRLSet; |
48 class CertVerifyResult; | 48 class CertVerifyResult; |
49 | 49 |
50 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; | 50 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
51 | 51 |
52 // X509Certificate represents a X.509 certificate, which is comprised a | 52 // X509Certificate represents a X.509 certificate, which is comprised a |
53 // particular identity or end-entity certificate, such as an SSL server | 53 // particular identity or end-entity certificate, such as an SSL server |
54 // identity or an SSL client certificate, and zero or more intermediate | 54 // identity or an SSL client certificate, and zero or more intermediate |
55 // certificates that may be used to build a path to a root certificate. | 55 // certificates that may be used to build a path to a root certificate. |
56 class NET_EXPORT X509Certificate | 56 class NET_EXPORT X509Certificate |
57 : public base::RefCountedThreadSafe<X509Certificate> { | 57 : public base::RefCountedThreadSafe<X509Certificate> { |
58 public: | 58 public: |
59 // A handle to the certificate object in the underlying crypto library. | 59 // An OSCertHandle is a handle to a certificate object in the underlying |
60 // We assume that OSCertHandle is a pointer type on all platforms and | 60 // crypto library. We assume that OSCertHandle is a pointer type on all |
61 // NULL is an invalid OSCertHandle. | 61 // platforms and that NULL represents an invalid OSCertHandle. |
62 #if defined(OS_WIN) | 62 #if defined(OS_WIN) |
63 typedef PCCERT_CONTEXT OSCertHandle; | 63 typedef PCCERT_CONTEXT OSCertHandle; |
64 #elif defined(OS_MACOSX) | 64 #elif defined(OS_MACOSX) |
65 typedef SecCertificateRef OSCertHandle; | 65 typedef SecCertificateRef OSCertHandle; |
66 #elif defined(USE_OPENSSL) | 66 #elif defined(USE_OPENSSL) |
67 typedef struct x509_st* OSCertHandle; | 67 typedef X509* OSCertHandle; |
68 #elif defined(USE_NSS) | 68 #elif defined(USE_NSS) |
69 typedef struct CERTCertificateStr* OSCertHandle; | 69 typedef struct CERTCertificateStr* OSCertHandle; |
70 #else | 70 #else |
71 // TODO(ericroman): not implemented | 71 // TODO(ericroman): not implemented |
72 typedef void* OSCertHandle; | 72 typedef void* OSCertHandle; |
73 #endif | 73 #endif |
74 | 74 |
75 typedef std::vector<OSCertHandle> OSCertHandles; | 75 typedef std::vector<OSCertHandle> OSCertHandles; |
76 | 76 |
77 // Predicate functor used in maps when X509Certificate is used as the key. | 77 // Predicate functor used in maps when X509Certificate is used as the key. |
(...skipping 203 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
281 // precedence and returned first in the output vector.) | 281 // precedence and returned first in the output vector.) |
282 // If valid_issuers is non-empty, only certs that were transitively issued | 282 // If valid_issuers is non-empty, only certs that were transitively issued |
283 // by one of the given names will be included in the list. | 283 // by one of the given names will be included in the list. |
284 static bool GetSSLClientCertificates( | 284 static bool GetSSLClientCertificates( |
285 const std::string& server_domain, | 285 const std::string& server_domain, |
286 const std::vector<CertPrincipal>& valid_issuers, | 286 const std::vector<CertPrincipal>& valid_issuers, |
287 CertificateList* certs); | 287 CertificateList* certs); |
288 | 288 |
289 // Creates the chain of certs to use for this client identity cert. | 289 // Creates the chain of certs to use for this client identity cert. |
290 CFArrayRef CreateClientCertificateChain() const; | 290 CFArrayRef CreateClientCertificateChain() const; |
| 291 |
| 292 // Returns a new CFArrayRef containing this certificate and its intermediate |
| 293 // certificates in the form expected by Security.framework and Keychain |
| 294 // Services, or NULL on failure. |
| 295 // The first item in the array will be this certificate, followed by its |
| 296 // intermediates, if any. |
| 297 CFArrayRef CreateOSCertChainForCert() const; |
291 #endif | 298 #endif |
292 | 299 |
293 #if defined(OS_WIN) | 300 #if defined(OS_WIN) |
294 // Returns a handle to a global, in-memory certificate store. We use it for | 301 // Returns a handle to a global, in-memory certificate store. We use it for |
295 // two purposes: | 302 // two purposes: |
296 // 1. Import server certificates into this store so that we can verify and | 303 // 1. Import server certificates into this store so that we can verify and |
297 // display the certificates using CryptoAPI. | 304 // display the certificates using CryptoAPI. |
298 // 2. Copy client certificates from the "MY" system certificate store into | 305 // 2. Copy client certificates from the "MY" system certificate store into |
299 // this store so that we can close the system store when we finish | 306 // this store so that we can close the system store when we finish |
300 // searching for client certificates. | 307 // searching for client certificates. |
301 static HCERTSTORE cert_store(); | 308 static HCERTSTORE cert_store(); |
| 309 |
| 310 // Returns a new PCCERT_CONTEXT containing this certificate and its |
| 311 // intermediate certificates, or NULL on failure. The returned |
| 312 // PCCERT_CONTEXT *MUST NOT* be stored in an X509Certificate, as then |
| 313 // os_cert_handle() will not return the correct result. This function is |
| 314 // only necessary if the CERT_CONTEXT.hCertStore member will be accessed or |
| 315 // enumerated, which is generally true for any CryptoAPI functions involving |
| 316 // certificate chains, including validation or certificate display. |
| 317 // |
| 318 // Remarks: |
| 319 // Depending on the CryptoAPI function, Windows may need to access the |
| 320 // HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to |
| 321 // locate additional intermediates. However, in the current X509Certificate |
| 322 // implementation on Windows, all X509Certificate::OSCertHandles belong to |
| 323 // the same HCERTSTORE - X509Certificate::cert_store(). Since certificates |
| 324 // may be created and accessed on any number of threads, if CryptoAPI is |
| 325 // trying to read this global store while additional certificates are being |
| 326 // added, it may return inconsistent results while enumerating the store. |
| 327 // While the memory accesses themselves are thread-safe, the resultant view |
| 328 // of what is in the store may be altered. |
| 329 // |
| 330 // If OSCertHandles were instead added to a NULL HCERTSTORE, which is valid |
| 331 // in CryptoAPI, then Windows would be unable to locate any of the |
| 332 // intermediates supplied in |intermediate_ca_certs_|, because the |
| 333 // hCertStore will refer to a magic value that indicates "only this |
| 334 // certificate." |
| 335 // |
| 336 // To avoid these problems, a new in-memory HCERTSTORE is created containing |
| 337 // just this certificate and its intermediates. The handle to the version of |
| 338 // this certificate in the new HCERTSTORE is then returned, with the |
| 339 // HCERTSTORE set to be automatically freed when the returned certificate |
| 340 // is freed. |
| 341 // |
| 342 // This function is only needed when the HCERTSTORE of the os_cert_handle() |
| 343 // will be accessed, which is generally only during certificate validation |
| 344 // or display. While the returned PCCERT_CONTEXT and its HCERTSTORE can |
| 345 // safely be used on multiple threads if no further modifications happen, it |
| 346 // is generally preferable for each thread that needs such a context to |
| 347 // obtain its own, rather than risk thread-safety issues by sharing. |
| 348 // |
| 349 // Because of how X509Certificate caching is implemented, attempting to |
| 350 // create an X509Certificate from the returned PCCERT_CONTEXT may result in |
| 351 // the original handle (and thus the originall HCERTSTORE) being returned by |
| 352 // os_cert_handle(). For this reason, the returned PCCERT_CONTEXT *MUST NOT* |
| 353 // be stored in an X509Certificate. |
| 354 PCCERT_CONTEXT CreateOSCertChainForCert() const; |
302 #endif | 355 #endif |
303 | 356 |
304 #if defined(OS_ANDROID) | 357 #if defined(OS_ANDROID) |
305 // |chain_bytes| will contain the chain (including this certificate) encoded | 358 // |chain_bytes| will contain the chain (including this certificate) encoded |
306 // using GetChainDEREncodedBytes below. | 359 // using GetChainDEREncodedBytes below. |
307 void GetChainDEREncodedBytes(std::vector<std::string>* chain_bytes) const; | 360 void GetChainDEREncodedBytes(std::vector<std::string>* chain_bytes) const; |
308 #endif | 361 #endif |
309 | 362 |
310 #if defined(USE_OPENSSL) | 363 #if defined(USE_OPENSSL) |
311 // Returns a handle to a global, in-memory certificate store. We | 364 // Returns a handle to a global, in-memory certificate store. We |
(...skipping 26 matching lines...) Expand all Loading... |
338 // Does not verify that the certificate is valid, only that the certificate | 391 // Does not verify that the certificate is valid, only that the certificate |
339 // matches this host. | 392 // matches this host. |
340 // Returns true if it matches. | 393 // Returns true if it matches. |
341 bool VerifyNameMatch(const std::string& hostname) const; | 394 bool VerifyNameMatch(const std::string& hostname) const; |
342 | 395 |
343 // This method returns the DER encoded certificate. | 396 // This method returns the DER encoded certificate. |
344 // If the return value is true then the DER encoded certificate is available. | 397 // If the return value is true then the DER encoded certificate is available. |
345 // The content of the DER encoded certificate is written to |encoded|. | 398 // The content of the DER encoded certificate is written to |encoded|. |
346 bool GetDEREncoded(std::string* encoded); | 399 bool GetDEREncoded(std::string* encoded); |
347 | 400 |
| 401 // Returns the OSCertHandle of this object. Because of caching, this may |
| 402 // differ from the OSCertHandle originally supplied during initialization. |
| 403 // Note: On Windows, CryptoAPI may return unexpected results if this handle |
| 404 // is used across multiple threads. For more details, see |
| 405 // CreateOSCertChainForCert(). |
348 OSCertHandle os_cert_handle() const { return cert_handle_; } | 406 OSCertHandle os_cert_handle() const { return cert_handle_; } |
349 | 407 |
350 // Returns true if two OSCertHandles refer to identical certificates. | 408 // Returns true if two OSCertHandles refer to identical certificates. |
351 static bool IsSameOSCert(OSCertHandle a, OSCertHandle b); | 409 static bool IsSameOSCert(OSCertHandle a, OSCertHandle b); |
352 | 410 |
353 // Creates an OS certificate handle from the BER-encoded representation. | 411 // Creates an OS certificate handle from the BER-encoded representation. |
354 // Returns NULL on failure. | 412 // Returns NULL on failure. |
355 static OSCertHandle CreateOSCertHandleFromBytes(const char* data, | 413 static OSCertHandle CreateOSCertHandleFromBytes(const char* data, |
356 int length); | 414 int length); |
357 | 415 |
(...skipping 136 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
494 // (Marked mutable because it's used in a const method.) | 552 // (Marked mutable because it's used in a const method.) |
495 mutable base::Lock verification_lock_; | 553 mutable base::Lock verification_lock_; |
496 #endif | 554 #endif |
497 | 555 |
498 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 556 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
499 }; | 557 }; |
500 | 558 |
501 } // namespace net | 559 } // namespace net |
502 | 560 |
503 #endif // NET_BASE_X509_CERTIFICATE_H_ | 561 #endif // NET_BASE_X509_CERTIFICATE_H_ |
OLD | NEW |