Chromium Code Reviews Chromium Code Reviews
Issue 9617039:
Change Origin bound certs -> Domain bound certs. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_ | 5 #ifndef NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_ |
| 6 #define NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_ | 6 #define NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_ |
| 7 #pragma once | 7 #pragma once |
| 8 | 8 |
| 9 #include <map> | 9 #include <map> |
| 10 #include <string> | 10 #include <string> |
| 11 #include <vector> | 11 #include <vector> |
| 12 | 12 |
| 13 #include "base/basictypes.h" | 13 #include "base/basictypes.h" |
| 14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
| 15 #include "base/time.h" | 15 #include "base/time.h" |
| 16 #include "base/threading/non_thread_safe.h" | 16 #include "base/threading/non_thread_safe.h" |
| 17 #include "net/base/completion_callback.h" | 17 #include "net/base/completion_callback.h" |
| 18 #include "net/base/net_export.h" | 18 #include "net/base/net_export.h" |
| 19 #include "net/base/ssl_client_cert_type.h" | 19 #include "net/base/ssl_client_cert_type.h" |
| 20 | 20 |
| 21 namespace net { | 21 namespace net { |
| 22 | 22 |
| 23 class OriginBoundCertServiceJob; | 23 class OriginBoundCertServiceJob; |
| 24 class OriginBoundCertServiceWorker; | 24 class OriginBoundCertServiceWorker; |
| 25 class OriginBoundCertStore; | 25 class OriginBoundCertStore; |
| 26 | 26 |
| 27 // A class for creating and fetching origin bound certs. | 27 // A class for creating and fetching domain bound certs. |
| 28 // Inherits from NonThreadSafe in order to use the function | 28 // Inherits from NonThreadSafe in order to use the function |
| 29 // |CalledOnValidThread|. | 29 // |CalledOnValidThread|. |
| 30 // Note: For historical reasons, this class is called OriginBoundCertService, | |
| 31 // but it's really a DomainBoundCertService. | |
| 30 class NET_EXPORT OriginBoundCertService | 32 class NET_EXPORT OriginBoundCertService |
| 31 : NON_EXPORTED_BASE(public base::NonThreadSafe) { | 33 : NON_EXPORTED_BASE(public base::NonThreadSafe) { |
| 32 public: | 34 public: |
| 33 // Opaque type used to cancel a request. | 35 // Opaque type used to cancel a request. |
| 34 typedef void* RequestHandle; | 36 typedef void* RequestHandle; |
| 35 | 37 |
| 36 // Password used on EncryptedPrivateKeyInfo data stored in EC private_key | 38 // Password used on EncryptedPrivateKeyInfo data stored in EC private_key |
| 37 // values. (This is not used to provide any security, but to workaround NSS | 39 // values. (This is not used to provide any security, but to workaround NSS |
| 38 // being unable to import unencrypted PrivateKeyInfo for EC keys.) | 40 // being unable to import unencrypted PrivateKeyInfo for EC keys.) |
| 39 static const char kEPKIPassword[]; | 41 static const char kEPKIPassword[]; |
| 40 | 42 |
| 41 // This object owns origin_bound_cert_store. | 43 // This object owns origin_bound_cert_store. |
| 42 explicit OriginBoundCertService( | 44 explicit OriginBoundCertService( |
| 43 OriginBoundCertStore* origin_bound_cert_store); | 45 OriginBoundCertStore* origin_bound_cert_store); |
| 44 | 46 |
| 45 ~OriginBoundCertService(); | 47 ~OriginBoundCertService(); |
| 46 | 48 |
| 47 // Returns the domain to be used for |host|. The domain is the | 49 // Returns the domain to be used for |host|. The domain is the |
| 48 // "registry controlled domain", or the "ETLD + 1" where one exists, or | 50 // "registry controlled domain", or the "ETLD + 1" where one exists, or |
| 49 // the origin otherwise. | 51 // the origin otherwise. |
| 50 static std::string GetDomainForHost(const std::string& host); | 52 static std::string GetDomainForHost(const std::string& host); |
| 51 | 53 |
| 52 // Fetches the origin bound cert for the specified origin of the specified | 54 // Fetches the domain bound cert for the specified origin of the specified |
| 53 // type if one exists and creates one otherwise. Returns OK if successful or | 55 // type if one exists and creates one otherwise. Returns OK if successful or |
| 54 // an error code upon failure. | 56 // an error code upon failure. |
| 55 // | 57 // |
| 56 // |requested_types| is a list of the TLS ClientCertificateTypes the site will | 58 // |requested_types| is a list of the TLS ClientCertificateTypes the site will |
| 57 // accept, ordered from most preferred to least preferred. Types we don't | 59 // accept, ordered from most preferred to least preferred. Types we don't |
| 58 // support will be ignored. See ssl_client_cert_type.h. | 60 // support will be ignored. See ssl_client_cert_type.h. |
| 59 // | 61 // |
| 60 // On successful completion, |private_key| stores a DER-encoded | 62 // On successful completion, |private_key| stores a DER-encoded |
| 61 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate, and | 63 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate, and |
| 62 // |type| specifies the type of certificate that was returned. | 64 // |type| specifies the type of certificate that was returned. |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 94 friend class OriginBoundCertServiceWorker; // Calls HandleResult. | 96 friend class OriginBoundCertServiceWorker; // Calls HandleResult. |
| 95 | 97 |
| 96 // On success, |private_key| stores a DER-encoded PrivateKeyInfo | 98 // On success, |private_key| stores a DER-encoded PrivateKeyInfo |
| 97 // struct, |cert| stores a DER-encoded certificate, |creation_time| stores the | 99 // struct, |cert| stores a DER-encoded certificate, |creation_time| stores the |
| 98 // start of the validity period of the certificate and |expiration_time| | 100 // start of the validity period of the certificate and |expiration_time| |
| 99 // stores the expiration time of the certificate. Returns OK if successful and | 101 // stores the expiration time of the certificate. Returns OK if successful and |
| 100 // an error code otherwise. | 102 // an error code otherwise. |
| 101 // |serial_number| is passed in because it is created with the function | 103 // |serial_number| is passed in because it is created with the function |
| 102 // base::RandInt, which opens the file /dev/urandom. /dev/urandom is opened | 104 // base::RandInt, which opens the file /dev/urandom. /dev/urandom is opened |
| 103 // with a LazyInstance, which is not allowed on a worker thread. | 105 // with a LazyInstance, which is not allowed on a worker thread. |
| 104 static int GenerateCert(const std::string& origin, | 106 static int GenerateCert(const std::string& domain, |
|
Ryan Hamilton
2012/03/07 04:46:06
Does this include the host and port for the domain
mattm
2012/03/15 01:48:44
just the host.
| |
| 105 SSLClientCertType type, | 107 SSLClientCertType type, |
| 106 uint32 serial_number, | 108 uint32 serial_number, |
| 107 base::Time* creation_time, | 109 base::Time* creation_time, |
| 108 base::Time* expiration_time, | 110 base::Time* expiration_time, |
| 109 std::string* private_key, | 111 std::string* private_key, |
| 110 std::string* cert); | 112 std::string* cert); |
| 111 | 113 |
| 112 void HandleResult(const std::string& origin, | 114 void HandleResult(const std::string& domain, |
| 113 int error, | 115 int error, |
| 114 SSLClientCertType type, | 116 SSLClientCertType type, |
| 115 base::Time creation_time, | 117 base::Time creation_time, |
| 116 base::Time expiration_time, | 118 base::Time expiration_time, |
| 117 const std::string& private_key, | 119 const std::string& private_key, |
| 118 const std::string& cert); | 120 const std::string& cert); |
| 119 | 121 |
| 120 scoped_ptr<OriginBoundCertStore> origin_bound_cert_store_; | 122 scoped_ptr<OriginBoundCertStore> origin_bound_cert_store_; |
| 121 | 123 |
| 122 // inflight_ maps from an origin to an active generation which is taking | 124 // inflight_ maps from a domain to an active generation which is taking |
| 123 // place. | 125 // place. |
| 124 std::map<std::string, OriginBoundCertServiceJob*> inflight_; | 126 std::map<std::string, OriginBoundCertServiceJob*> inflight_; |
| 125 | 127 |
| 126 uint64 requests_; | 128 uint64 requests_; |
| 127 uint64 cert_store_hits_; | 129 uint64 cert_store_hits_; |
| 128 uint64 inflight_joins_; | 130 uint64 inflight_joins_; |
| 129 | 131 |
| 130 DISALLOW_COPY_AND_ASSIGN(OriginBoundCertService); | 132 DISALLOW_COPY_AND_ASSIGN(OriginBoundCertService); |
| 131 }; | 133 }; |
| 132 | 134 |
| 133 } // namespace net | 135 } // namespace net |
| 134 | 136 |
| 135 #endif // NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_ | 137 #endif // NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_ |
| OLD | NEW |
