Implement a whitelist for code-signing certificates.

chrome/browser/safe_browsing/download_protection_service.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // Helper class which handles communication with the SafeBrowsing servers for
 // improved binary download protection.
 
 #ifndef CHROME_BROWSER_SAFE_BROWSING_DOWNLOAD_PROTECTION_SERVICE_H_
 #define CHROME_BROWSER_SAFE_BROWSING_DOWNLOAD_PROTECTION_SERVICE_H_
 #pragma once
 
 #include <set>
 #include <string>
 #include <vector>
 
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/file_path.h"
 #include "base/gtest_prod_util.h"
 #include "base/memory/ref_counted.h"
 #include "googleurl/src/gurl.h"
 
 class DownloadItem;
 class SafeBrowsingService;
 
 namespace net {
 class URLRequestContextGetter;
+class X509Certificate;
 }  // namespace net
 
 namespace safe_browsing {
 class SignatureUtil;
 
 // This class provides an asynchronous API to check whether a particular
 // client download is malicious or not.
 class DownloadProtectionService {
  public:
   // TODO(noelutz): we're missing some fields here: server IPs,
@@ skipping 94 matching lines @@
   class CheckClientDownloadRequest;  // Per-request state
   friend class DownloadProtectionServiceTest;
   FRIEND_TEST_ALL_PREFIXES(DownloadProtectionServiceTest,
                            CheckClientDownloadValidateRequest);
   FRIEND_TEST_ALL_PREFIXES(DownloadProtectionServiceTest,
                            CheckClientDownloadSuccess);
   FRIEND_TEST_ALL_PREFIXES(DownloadProtectionServiceTest,
                            CheckClientDownloadFetchFailed);
   FRIEND_TEST_ALL_PREFIXES(DownloadProtectionServiceTest,
                            TestDownloadRequestTimeout);
-
   static const char kDownloadRequestUrl[];
 
   // Cancels all requests in |download_requests_|, and empties it, releasing
   // the references to the requests.
   void CancelPendingRequests();
 
   // Called by a CheckClientDownloadRequest instance when it finishes, to
   // remove it from |download_requests_|.
   void RequestFinished(CheckClientDownloadRequest* request);
 
   static void FillDownloadInfo(const DownloadItem& item,
                                DownloadInfo* download_info);
 
+  // Given a certificate and its immediate issuer certificate, generates the
+  // list of strings that need to be checked against the download whitelist to
+  // determine whether the certificate is whitelisted.
+  static void GetCertificateWhitelistStrings(
+      const net::X509Certificate& certificate,
+      const net::X509Certificate& issuer,
+      std::vector<std::string>* whitelist_strings);
+
   // This pointer may be NULL if SafeBrowsing is disabled. The
   // SafeBrowsingService owns us, so we don't need to hold a reference to it.
   SafeBrowsingService* sb_service_;
 
   // The context we use to issue network requests.
   scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
 
   // Map of client download request to the corresponding callback that
   // has to be invoked when the request is done.  This map contains all
   // pending server requests.
   std::set<scoped_refptr<CheckClientDownloadRequest> > download_requests_;
 
   // Keeps track of the state of the service.
   bool enabled_;
 
   // SignatureUtil object, may be overridden for testing.
   scoped_refptr<SignatureUtil> signature_util_;
 
   int64 download_request_timeout_ms_;
 
   DISALLOW_COPY_AND_ASSIGN(DownloadProtectionService);
 };
 }  // namespace safe_browsing
 
 #endif  // CHROME_BROWSER_SAFE_BROWSING_DOWNLOAD_PROTECTION_SERVICE_H_