Index: net/base/x509_util_win.h |
diff --git a/net/base/x509_util_win.h b/net/base/x509_util_win.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..3ac501c8b2f9eb26ead991cbd21841ace1fdfdfd |
--- /dev/null |
+++ b/net/base/x509_util_win.h |
@@ -0,0 +1,51 @@ |
+// Copyright (c) 2011 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef NET_BASE_X509_UTIL_WIN_H_ |
+#define NET_BASE_X509_UTIL_WIN_H_ |
+#pragma once |
+ |
+#include <windows.h> |
+#include <wincrypt.h> |
+ |
+namespace net { |
+ |
+class X509Certificate; |
+ |
+namespace x509_util { |
+ |
+// Returns a new PCCERT_CONTEXT containing |cert| and its intermediates, or |
+// NULL on failure. |
wtc
2011/10/16 14:55:49
Nit: intermediates => intermediate certificates
I
|
+// |
+// Depending on the CryptoAPI function, Windows may need to access the |
+// HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to locate |
+// additional intermediates or access certificate properties. However, in the |
+// current implementation on Windows, all X509Certificate::OSCertHandles |
wtc
2011/10/16 14:55:49
Nit: current implementation => current X509Certifi
|
+// belong to the same HCERTSTORE - X509Certificate::cert_store(). If CryptoAPI |
+// accesses this shared store on multiple threads, it may return inconsistent |
+// results if the store is modified while enumerating. |
+// |
+// To avoid this, a new in-memory HCERTSTORE is created containing just |cert| |
+// and its optional intermediates. The handle to the primary certificate of |
+// |cert| in this new HCERTSTORE is then returned, and the new HCERTSTORE will |
+// be automatically freed when the returned certificate is released. |
+// |
+// This function is only needed when the HCERTSTORE of the os_cert_handle() |
+// will be accessed, which is generally only during certificate validation or |
+// display. While the returned PCCERT_CONTEXT and its HCERTSTORE can safely |
+// be used on multiple threads if no further modifications happen, it is |
+// generally preferable for each thread that needs such a context to obtain |
+// its own, rather than risk thread-safety issues by sharing. |
+// |
+// Additionally, because of how X509Certificate caching is implemented, the |
+// returned PCCERT_CONTEXT *SHOULD NOT* be stored in an X509Certificate, as |
wtc
2011/10/16 14:55:49
Nit: SHOULD => MUST?
|
+// the returned os_cert_handle() may differ from the one originally created by |
+// this function. |
+PCCERT_CONTEXT CreateOSCertChainForCert(const X509Certificate* cert); |
+ |
+} // namespace x509_util |
+ |
+} // namespace net |
+ |
+#endif // NET_BASE_X509_UTIL_WIN_H_ |