net: extract net/cert out of net/base

net/base/x509_certificate.h

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_BASE_X509_CERTIFICATE_H_
-#define NET_BASE_X509_CERTIFICATE_H_
-
-#include <string.h>
-
-#include <string>
-#include <vector>
-
-#include "base/gtest_prod_util.h"
-#include "base/memory/ref_counted.h"
-#include "base/string_piece.h"
-#include "base/time.h"
-#include "net/base/cert_type.h"
-#include "net/base/net_export.h"
-#include "net/base/x509_cert_types.h"
-
-#if defined(OS_WIN)
-#include <windows.h>
-#include <wincrypt.h>
-#elif defined(OS_MACOSX)
-#include <CoreFoundation/CFArray.h>
-#include <Security/SecBase.h>
-
-#elif defined(USE_OPENSSL)
-// Forward declaration; real one in <x509.h>
-typedef struct x509_st X509;
-typedef struct x509_store_st X509_STORE;
-#elif defined(USE_NSS)
-// Forward declaration; real one in <cert.h>
-struct CERTCertificateStr;
-#endif
-
-class Pickle;
-class PickleIterator;
-
-namespace crypto {
-class RSAPrivateKey;
-}  // namespace crypto
-
-namespace net {
-
-class CRLSet;
-class CertVerifyResult;
-
-typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
-
-// X509Certificate represents a X.509 certificate, which is comprised a
-// particular identity or end-entity certificate, such as an SSL server
-// identity or an SSL client certificate, and zero or more intermediate
-// certificates that may be used to build a path to a root certificate.
-class NET_EXPORT X509Certificate
-    : public base::RefCountedThreadSafe<X509Certificate> {
- public:
-  // An OSCertHandle is a handle to a certificate object in the underlying
-  // crypto library. We assume that OSCertHandle is a pointer type on all
-  // platforms and that NULL represents an invalid OSCertHandle.
-#if defined(OS_WIN)
-  typedef PCCERT_CONTEXT OSCertHandle;
-#elif defined(OS_MACOSX)
-  typedef SecCertificateRef OSCertHandle;
-#elif defined(USE_OPENSSL)
-  typedef X509* OSCertHandle;
-#elif defined(USE_NSS)
-  typedef struct CERTCertificateStr* OSCertHandle;
-#else
-  // TODO(ericroman): not implemented
-  typedef void* OSCertHandle;
-#endif
-
-  typedef std::vector<OSCertHandle> OSCertHandles;
-
-  enum PublicKeyType {
-    kPublicKeyTypeUnknown,
-    kPublicKeyTypeRSA,
-    kPublicKeyTypeDSA,
-    kPublicKeyTypeECDSA,
-    kPublicKeyTypeDH,
-    kPublicKeyTypeECDH
-  };
-
-  // Predicate functor used in maps when X509Certificate is used as the key.
-  class NET_EXPORT LessThan {
-   public:
-    bool operator() (X509Certificate* lhs,  X509Certificate* rhs) const;
-  };
-
-  enum Format {
-    // The data contains a single DER-encoded certificate, or a PEM-encoded
-    // DER certificate with the PEM encoding block name of "CERTIFICATE".
-    // Any subsequent blocks will be ignored.
-    FORMAT_SINGLE_CERTIFICATE = 1 << 0,
-
-    // The data contains a sequence of one or more PEM-encoded, DER
-    // certificates, with the PEM encoding block name of "CERTIFICATE".
-    // All PEM blocks will be parsed, until the first error is encountered.
-    FORMAT_PEM_CERT_SEQUENCE = 1 << 1,
-
-    // The data contains a PKCS#7 SignedData structure, whose certificates
-    // member is to be used to initialize the certificate and intermediates.
-    // The data may further be encoded using PEM, specifying block names of
-    // either "PKCS7" or "CERTIFICATE".
-    FORMAT_PKCS7 = 1 << 2,
-
-    // Automatically detect the format.
-    FORMAT_AUTO = FORMAT_SINGLE_CERTIFICATE | FORMAT_PEM_CERT_SEQUENCE |
-                  FORMAT_PKCS7,
-  };
-
-  // PickleType is intended for deserializing certificates that were pickled
-  // by previous releases as part of a net::HttpResponseInfo.
-  // When serializing certificates to a new Pickle,
-  // PICKLETYPE_CERTIFICATE_CHAIN_V3 is always used.
-  enum PickleType {
-    // When reading a certificate from a Pickle, the Pickle only contains a
-    // single certificate.
-    PICKLETYPE_SINGLE_CERTIFICATE,
-
-    // When reading a certificate from a Pickle, the Pickle contains the
-    // the certificate plus any certificates that were stored in
-    // |intermediate_ca_certificates_| at the time it was serialized.
-    // The count of certificates is stored as a size_t, which is either 32
-    // or 64 bits.
-    PICKLETYPE_CERTIFICATE_CHAIN_V2,
-
-    // The Pickle contains the certificate and any certificates that were
-    // stored in |intermediate_ca_certs_| at the time it was serialized.
-    // The format is [int count], [data - this certificate],
-    // [data - intermediate1], ... [data - intermediateN].
-    // All certificates are stored in DER form.
-    PICKLETYPE_CERTIFICATE_CHAIN_V3,
-  };
-
-  // Creates a X509Certificate from the ground up.  Used by tests that simulate
-  // SSL connections.
-  X509Certificate(const std::string& subject, const std::string& issuer,
-                  base::Time start_date, base::Time expiration_date);
-
-  // Create an X509Certificate from a handle to the certificate object in the
-  // underlying crypto library. The returned pointer must be stored in a
-  // scoped_refptr<X509Certificate>.
-  static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
-                                           const OSCertHandles& intermediates);
-
-  // Create an X509Certificate from a chain of DER encoded certificates. The
-  // first certificate in the chain is the end-entity certificate to which a
-  // handle is returned. The other certificates in the chain are intermediate
-  // certificates. The returned pointer must be stored in a
-  // scoped_refptr<X509Certificate>.
-  static X509Certificate* CreateFromDERCertChain(
-      const std::vector<base::StringPiece>& der_certs);
-
-  // Create an X509Certificate from the DER-encoded representation.
-  // Returns NULL on failure.
-  //
-  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
-  static X509Certificate* CreateFromBytes(const char* data, int length);
-
-#if defined(USE_NSS)
-  // Create an X509Certificate from the DER-encoded representation.
-  // |nickname| can be NULL if an auto-generated nickname is desired.
-  // Returns NULL on failure.  The returned pointer must be stored in a
-  // scoped_refptr<X509Certificate>.
-  //
-  // This function differs from CreateFromBytes in that it takes a
-  // nickname that will be used when the certificate is imported into PKCS#11.
-  static X509Certificate* CreateFromBytesWithNickname(const char* data,
-                                                      int length,
-                                                      const char* nickname);
-
-  // The default nickname of the certificate, based on the certificate type
-  // passed in.  If this object was created using CreateFromBytesWithNickname,
-  // then this will return the nickname specified upon creation.
-  std::string GetDefaultNickname(CertType type) const;
-#endif
-
-  // Create an X509Certificate from the representation stored in the given
-  // pickle.  The data for this object is found relative to the given
-  // pickle_iter, which should be passed to the pickle's various Read* methods.
-  // Returns NULL on failure.
-  //
-  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
-  static X509Certificate* CreateFromPickle(const Pickle& pickle,
-                                           PickleIterator* pickle_iter,
-                                           PickleType type);
-
-  // Parses all of the certificates possible from |data|. |format| is a
-  // bit-wise OR of Format, indicating the possible formats the
-  // certificates may have been serialized as. If an error occurs, an empty
-  // collection will be returned.
-  static CertificateList CreateCertificateListFromBytes(const char* data,
-                                                        int length,
-                                                        int format);
-
-  // Create a self-signed certificate containing the public key in |key|.
-  // Subject, serial number and validity period are given as parameters.
-  // The certificate is signed by the private key in |key|. The hashing
-  // algorithm for the signature is SHA-1.
-  //
-  // |subject| is a distinguished name defined in RFC4514.
-  //
-  // An example:
-  // CN=Michael Wong,O=FooBar Corporation,DC=foobar,DC=com
-  //
-  // SECURITY WARNING
-  //
-  // Using self-signed certificates has the following security risks:
-  // 1. Encryption without authentication and thus vulnerable to
-  //    man-in-the-middle attacks.
-  // 2. Self-signed certificates cannot be revoked.
-  //
-  // Use this certificate only after the above risks are acknowledged.
-  static X509Certificate* CreateSelfSigned(crypto::RSAPrivateKey* key,
-                                           const std::string& subject,
-                                           uint32 serial_number,
-                                           base::TimeDelta valid_duration);
-
-  // Appends a representation of this object to the given pickle.
-  void Persist(Pickle* pickle);
-
-  // The serial number, DER encoded, possibly including a leading 00 byte.
-  const std::string& serial_number() const { return serial_number_; }
-
-  // The subject of the certificate.  For HTTPS server certificates, this
-  // represents the web server.  The common name of the subject should match
-  // the host name of the web server.
-  const CertPrincipal& subject() const { return subject_; }
-
-  // The issuer of the certificate.
-  const CertPrincipal& issuer() const { return issuer_; }
-
-  // Time period during which the certificate is valid.  More precisely, this
-  // certificate is invalid before the |valid_start| date and invalid after
-  // the |valid_expiry| date.
-  // If we were unable to parse either date from the certificate (or if the cert
-  // lacks either date), the date will be null (i.e., is_null() will be true).
-  const base::Time& valid_start() const { return valid_start_; }
-  const base::Time& valid_expiry() const { return valid_expiry_; }
-
-  // The fingerprint of this certificate.
-  const SHA1HashValue& fingerprint() const { return fingerprint_; }
-
-  // The fingerprint of the intermediate CA certificates.
-  const SHA1HashValue& ca_fingerprint() const {
-    return ca_fingerprint_;
-  }
-
-  // Gets the DNS names in the certificate.  Pursuant to RFC 2818, Section 3.1
-  // Server Identity, if the certificate has a subjectAltName extension of
-  // type dNSName, this method gets the DNS names in that extension.
-  // Otherwise, it gets the common name in the subject field.
-  void GetDNSNames(std::vector<std::string>* dns_names) const;
-
-  // Gets the subjectAltName extension field from the certificate, if any.
-  // For future extension; currently this only returns those name types that
-  // are required for HTTP certificate name verification - see VerifyHostname.
-  // Unrequired parameters may be passed as NULL.
-  void GetSubjectAltName(std::vector<std::string>* dns_names,
-                         std::vector<std::string>* ip_addrs) const;
-
-  // Convenience method that returns whether this certificate has expired as of
-  // now.
-  bool HasExpired() const;
-
-  // Returns true if this object and |other| represent the same certificate.
-  bool Equals(const X509Certificate* other) const;
-
-  // Returns intermediate certificates added via AddIntermediateCertificate().
-  // Ownership follows the "get" rule: it is the caller's responsibility to
-  // retain the elements of the result.
-  const OSCertHandles& GetIntermediateCertificates() const {
-    return intermediate_ca_certs_;
-  }
-
-#if defined(OS_MACOSX)
-  // Does this certificate's usage allow SSL client authentication?
-  bool SupportsSSLClientAuth() const;
-
-  // Creates the chain of certs to use for this client identity cert.
-  CFArrayRef CreateClientCertificateChain() const;
-
-  // Returns a new CFArrayRef containing this certificate and its intermediate
-  // certificates in the form expected by Security.framework and Keychain
-  // Services, or NULL on failure.
-  // The first item in the array will be this certificate, followed by its
-  // intermediates, if any.
-  CFArrayRef CreateOSCertChainForCert() const;
-#endif
-
-  // Do any of the given issuer names appear in this cert's chain of trust?
-  // |valid_issuers| is a list of DER-encoded X.509 DistinguishedNames.
-  bool IsIssuedByEncoded(const std::vector<std::string>& valid_issuers);
-
-#if defined(OS_WIN)
-  // Returns a new PCCERT_CONTEXT containing this certificate and its
-  // intermediate certificates, or NULL on failure. The returned
-  // PCCERT_CONTEXT *MUST NOT* be stored in an X509Certificate, as this will
-  // cause os_cert_handle() to return incorrect results. This function is only
-  // necessary if the CERT_CONTEXT.hCertStore member will be accessed or
-  // enumerated, which is generally true for any CryptoAPI functions involving
-  // certificate chains, including validation or certificate display.
-  //
-  // Remarks:
-  // Depending on the CryptoAPI function, Windows may need to access the
-  // HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to
-  // locate additional intermediates. However, all certificate handles are added
-  // to a NULL HCERTSTORE, allowing the system to manage the resources. As a
-  // result, intermediates for |cert_handle_| cannot be located simply via
-  // |cert_handle_->hCertStore|, as it refers to a magic value indicating
-  // "only this certificate".
-  //
-  // To avoid this problems, a new in-memory HCERTSTORE is created containing
-  // just this certificate and its intermediates. The handle to the version of
-  // the current certificate in the new HCERTSTORE is then returned, with the
-  // PCCERT_CONTEXT's HCERTSTORE set to be automatically freed when the returned
-  // certificate handle is freed.
-  //
-  // This function is only needed when the HCERTSTORE of the os_cert_handle()
-  // will be accessed, which is generally only during certificate validation
-  // or display. While the returned PCCERT_CONTEXT and its HCERTSTORE can
-  // safely be used on multiple threads if no further modifications happen, it
-  // is generally preferable for each thread that needs such a context to
-  // obtain its own, rather than risk thread-safety issues by sharing.
-  //
-  // Because of how X509Certificate caching is implemented, attempting to
-  // create an X509Certificate from the returned PCCERT_CONTEXT may result in
-  // the original handle (and thus the originall HCERTSTORE) being returned by
-  // os_cert_handle(). For this reason, the returned PCCERT_CONTEXT *MUST NOT*
-  // be stored in an X509Certificate.
-  PCCERT_CONTEXT CreateOSCertChainForCert() const;
-#endif
-
-#if defined(USE_OPENSSL)
-  // Returns a handle to a global, in-memory certificate store. We
-  // use it for test code, e.g. importing the test server's certificate.
-  static X509_STORE* cert_store();
-#endif
-
-  // Verifies that |hostname| matches this certificate.
-  // Does not verify that the certificate is valid, only that the certificate
-  // matches this host.
-  // Returns true if it matches.
-  bool VerifyNameMatch(const std::string& hostname) const;
-
-  // Obtains the DER encoded certificate data for |cert_handle|. On success,
-  // returns true and writes the DER encoded certificate to |*der_encoded|.
-  static bool GetDEREncoded(OSCertHandle cert_handle,
-                            std::string* der_encoded);
-
-  // Returns the PEM encoded data from an OSCertHandle. If the return value is
-  // true, then the PEM encoded certificate is written to |pem_encoded|.
-  static bool GetPEMEncoded(OSCertHandle cert_handle,
-                            std::string* pem_encoded);
-
-  // Encodes the entire certificate chain (this certificate and any
-  // intermediate certificates stored in |intermediate_ca_certs_|) as a series
-  // of PEM encoded strings. Returns true if all certificates were encoded,
-  // storig the result in |*pem_encoded|, with this certificate stored as
-  // the first element.
-  bool GetPEMEncodedChain(std::vector<std::string>* pem_encoded) const;
-
-  // Sets |*size_bits| to be the length of the public key in bits, and sets
-  // |*type| to one of the |PublicKeyType| values. In case of
-  // |kPublicKeyTypeUnknown|, |*size_bits| will be set to 0.
-  static void GetPublicKeyInfo(OSCertHandle cert_handle,
-                               size_t* size_bits,
-                               PublicKeyType* type);
-
-  // Returns the OSCertHandle of this object. Because of caching, this may
-  // differ from the OSCertHandle originally supplied during initialization.
-  // Note: On Windows, CryptoAPI may return unexpected results if this handle
-  // is used across multiple threads. For more details, see
-  // CreateOSCertChainForCert().
-  OSCertHandle os_cert_handle() const { return cert_handle_; }
-
-  // Returns true if two OSCertHandles refer to identical certificates.
-  static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
-
-  // Creates an OS certificate handle from the DER-encoded representation.
-  // Returns NULL on failure.
-  static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
-                                                  int length);
-
-#if defined(USE_NSS)
-  // Creates an OS certificate handle from the DER-encoded representation.
-  // Returns NULL on failure.  Sets the default nickname if |nickname| is
-  // non-NULL.
-  static OSCertHandle CreateOSCertHandleFromBytesWithNickname(
-      const char* data,
-      int length,
-      const char* nickname);
-#endif
-
-  // Creates all possible OS certificate handles from |data| encoded in a
-  // specific |format|. Returns an empty collection on failure.
-  static OSCertHandles CreateOSCertHandlesFromBytes(
-      const char* data,
-      int length,
-      Format format);
-
-  // Duplicates (or adds a reference to) an OS certificate handle.
-  static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
-
-  // Frees (or releases a reference to) an OS certificate handle.
-  static void FreeOSCertHandle(OSCertHandle cert_handle);
-
-  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
-  // (all zero) fingerprint on failure.
-  static SHA1HashValue CalculateFingerprint(OSCertHandle cert_handle);
-
-  // Calculates the SHA-1 fingerprint of the intermediate CA certificates.
-  // Returns an empty (all zero) fingerprint on failure.
-  static SHA1HashValue CalculateCAFingerprint(
-      const OSCertHandles& intermediates);
-
- private:
-  friend class base::RefCountedThreadSafe<X509Certificate>;
-  friend class TestRootCerts;  // For unit tests
-
-  FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname);
-  FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers);
-
-  // Construct an X509Certificate from a handle to the certificate object
-  // in the underlying crypto library.
-  X509Certificate(OSCertHandle cert_handle,
-                  const OSCertHandles& intermediates);
-
-  ~X509Certificate();
-
-  // Common object initialization code.  Called by the constructors only.
-  void Initialize();
-
-#if defined(USE_OPENSSL)
-  // Resets the store returned by cert_store() to default state. Used by
-  // TestRootCerts to undo modifications.
-  static void ResetCertStore();
-#endif
-
-  // Verifies that |hostname| matches one of the certificate names or IP
-  // addresses supplied, based on TLS name matching rules - specifically,
-  // following http://tools.ietf.org/html/rfc6125.
-  // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject().
-  // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled
-  // from the dNSName and iPAddress components of the subject alternative name
-  // extension, if present. Note these IP addresses are NOT ascii-encoded:
-  // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6
-  // addresses, respectively.
-  static bool VerifyHostname(const std::string& hostname,
-                             const std::string& cert_common_name,
-                             const std::vector<std::string>& cert_san_dns_names,
-                             const std::vector<std::string>& cert_san_ip_addrs);
-
-  // Reads a single certificate from |pickle_iter| and returns a
-  // platform-specific certificate handle. The format of the certificate
-  // stored in |pickle_iter| is not guaranteed to be the same across different
-  // underlying cryptographic libraries, nor acceptable to CreateFromBytes().
-  // Returns an invalid handle, NULL, on failure.
-  // NOTE: This should not be used for any new code. It is provided for
-  // migration purposes and should eventually be removed.
-  static OSCertHandle ReadOSCertHandleFromPickle(PickleIterator* pickle_iter);
-
-  // Writes a single certificate to |pickle| in DER form. Returns false on
-  // failure.
-  static bool WriteOSCertHandleToPickle(OSCertHandle handle, Pickle* pickle);
-
-  // The subject of the certificate.
-  CertPrincipal subject_;
-
-  // The issuer of the certificate.
-  CertPrincipal issuer_;
-
-  // This certificate is not valid before |valid_start_|
-  base::Time valid_start_;
-
-  // This certificate is not valid after |valid_expiry_|
-  base::Time valid_expiry_;
-
-  // The fingerprint of this certificate.
-  SHA1HashValue fingerprint_;
-
-  // The fingerprint of the intermediate CA certificates.
-  SHA1HashValue ca_fingerprint_;
-
-  // The serial number of this certificate, DER encoded.
-  std::string serial_number_;
-
-  // A handle to the certificate object in the underlying crypto library.
-  OSCertHandle cert_handle_;
-
-  // Untrusted intermediate certificates associated with this certificate
-  // that may be needed for chain building.
-  OSCertHandles intermediate_ca_certs_;
-
-#if defined(USE_NSS)
-  // This stores any default nickname that has been set on the certificate
-  // at creation time with CreateFromBytesWithNickname.
-  // If this is empty, then GetDefaultNickname will return a generated name
-  // based on the type of the certificate.
-  std::string default_nickname_;
-#endif
-
-  DISALLOW_COPY_AND_ASSIGN(X509Certificate);
-};
-
-}  // namespace net
-
-#endif  // NET_BASE_X509_CERTIFICATE_H_