Chromium Code Reviews

Side by Side Diff: net/base/x509_certificate.h

Issue 9415040: Refactor TransportSecurityState. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 9 months ago
OLD | NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_BASE_X509_CERTIFICATE_H_ 5 #ifndef NET_BASE_X509_CERTIFICATE_H_
6 #define NET_BASE_X509_CERTIFICATE_H_ 6 #define NET_BASE_X509_CERTIFICATE_H_
7 #pragma once 7 #pragma once
8 8
9 #include <string.h> 9 #include <string.h>
10 10
(...skipping 225 matching lines...)
236 const base::Time& valid_expiry() const { return valid_expiry_; } 236 const base::Time& valid_expiry() const { return valid_expiry_; }
237 237
238 // The fingerprint of this certificate. 238 // The fingerprint of this certificate.
239 const SHA1Fingerprint& fingerprint() const { return fingerprint_; } 239 const SHA1Fingerprint& fingerprint() const { return fingerprint_; }
240 240
241 // The fingerprint of the intermediate CA certificates. 241 // The fingerprint of the intermediate CA certificates.
242 const SHA1Fingerprint& ca_fingerprint() const { 242 const SHA1Fingerprint& ca_fingerprint() const {
243 return ca_fingerprint_; 243 return ca_fingerprint_;
244 } 244 }
245 245
246 // Parses |cert|'s Subject Public Key Info structure, hashes it, and
247 // returns the hash.
248 const SHA1Fingerprint GetPublicKeyHash() const;
Ryan Sleevi 2012/03/15 03:51:15 No need to "const SHA1Fingerprint" since you're re
palmer 2012/03/19 23:37:52 Done.
249
246 // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1 250 // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1
247 // Server Identity, if the certificate has a subjectAltName extension of 251 // Server Identity, if the certificate has a subjectAltName extension of
248 // type dNSName, this method gets the DNS names in that extension. 252 // type dNSName, this method gets the DNS names in that extension.
249 // Otherwise, it gets the common name in the subject field. 253 // Otherwise, it gets the common name in the subject field.
250 void GetDNSNames(std::vector<std::string>* dns_names) const; 254 void GetDNSNames(std::vector<std::string>* dns_names) const;
251 255
252 // Gets the subjectAltName extension field from the certificate, if any. 256 // Gets the subjectAltName extension field from the certificate, if any.
253 // For future extension; currently this only returns those name types that 257 // For future extension; currently this only returns those name types that
254 // are required for HTTP certificate name verification - see VerifyHostname. 258 // are required for HTTP certificate name verification - see VerifyHostname.
255 // Unrequired parameters may be passed as NULL. 259 // Unrequired parameters may be passed as NULL.
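Review bot: The doc comment on GetPublicKeyHash() (new lines 246-248) refers to |cert|, but the method takes no parameters and is a const member, so it should say that it hashes this certificate's Subject Public Key Info. It also does not say what is returned when the SPKI cannot be parsed. The return type is a SHA1Fingerprint by value with no success flag, so document the failure value, or return bool with an out parameter, so that a caller comparing pins cannot mistake a parse failure for a real hash.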
(...skipping 298 matching lines...)
554 // certificate handle. The format of the certificate stored in |pickle| is 558 // certificate handle. The format of the certificate stored in |pickle| is
555 // not guaranteed to be the same across different underlying cryptographic 559 // not guaranteed to be the same across different underlying cryptographic
556 // libraries, nor acceptable to CreateFromBytes(). Returns an invalid 560 // libraries, nor acceptable to CreateFromBytes(). Returns an invalid
557 // handle, NULL, on failure. 561 // handle, NULL, on failure.
558 static OSCertHandle ReadOSCertHandleFromPickle(const Pickle& pickle, 562 static OSCertHandle ReadOSCertHandleFromPickle(const Pickle& pickle,
559 PickleIterator* pickle_iter); 563 PickleIterator* pickle_iter);
560 564
561 // Writes a single certificate to |pickle|. Returns false on failure. 565 // Writes a single certificate to |pickle|. Returns false on failure.
562 static bool WriteOSCertHandleToPickle(OSCertHandle handle, Pickle* pickle); 566 static bool WriteOSCertHandleToPickle(OSCertHandle handle, Pickle* pickle);
563 567
568 // Parses |side_info| as a side pin. If successful, returns true and
569 // appends the hash of the public key that signed |leaf_spki| to
570 // |*out_pub_key_hash|.
571 //
572 // A side pin is a way for a site to sign their public key with a key that
573 // is offline but still controlled by them.
574 //
575 // TODO(agl): Document the format of a side pin.
576 static bool ParseSidePin(const base::StringPiece& leaf_spki,
577 const base::StringPiece& side_info,
578 FingerprintVector* out_pub_key_hash);
Ryan Sleevi 2012/03/15 03:51:15 So I think this would be better in TSS (or somethi
palmer 2012/03/19 23:37:52 Done.
agl 2012/03/20 22:12:59 Note: this side pinning stuff was just a roadmap f
palmer 2012/03/22 16:39:00 Done.
579
564 // The subject of the certificate. 580 // The subject of the certificate.
565 CertPrincipal subject_; 581 CertPrincipal subject_;
566 582
567 // The issuer of the certificate. 583 // The issuer of the certificate.
568 CertPrincipal issuer_; 584 CertPrincipal issuer_;
569 585
570 // This certificate is not valid before |valid_start_| 586 // This certificate is not valid before |valid_start_|
571 base::Time valid_start_; 587 base::Time valid_start_;
572 588
573 // This certificate is not valid after |valid_expiry_| 589 // This certificate is not valid after |valid_expiry_|
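Review bot: The comment on ParseSidePin() (new lines 568-578) says it appends "the hash of the public key that signed |leaf_spki|" but never states that the signature over |leaf_spki| is verified before true is returned, nor whether |*out_pub_key_hash| is left untouched on failure. Both belong in the contract, since the appended hash is what a caller would go on to match as a pin. With the format still under TODO(agl), the parser cannot be checked against anything in review. The parameter is also named out_pub_key_hash (singular) while its type is FingerprintVector and the function appends, so out_pub_key_hashes would read more accurately.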
(...skipping 28 matching lines...)
602 // (Marked mutable because it's used in a const method.) 618 // (Marked mutable because it's used in a const method.)
603 mutable base::Lock verification_lock_; 619 mutable base::Lock verification_lock_;
604 #endif 620 #endif
605 621
606 DISALLOW_COPY_AND_ASSIGN(X509Certificate); 622 DISALLOW_COPY_AND_ASSIGN(X509Certificate);
607 }; 623 };
608 624
609 } // namespace net 625 } // namespace net
610 626
611 #endif // NET_BASE_X509_CERTIFICATE_H_ 627 #endif // NET_BASE_X509_CERTIFICATE_H_