net: extract net/cert out of net/base

net/base/x509_util_mac.h

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_BASE_X509_UTIL_MAC_H_
-#define NET_BASE_X509_UTIL_MAC_H_
-
-#include <CoreFoundation/CFArray.h>
-#include <Security/Security.h>
-
-#include <string>
-
-#include "base/basictypes.h"
-#include "net/base/net_export.h"
-
-namespace net {
-
-namespace x509_util {
-
-// Creates a security policy for certificates used as client certificates
-// in SSL.
-// If a policy is successfully created, it will be stored in
-// |*policy| and ownership transferred to the caller.
-OSStatus NET_EXPORT CreateSSLClientPolicy(SecPolicyRef* policy);
-
-// Create an SSL server policy. While certificate name validation will be
-// performed by SecTrustEvaluate(), it has the following limitations:
-// - Doesn't support IP addresses in dotted-quad literals (127.0.0.1)
-// - Doesn't support IPv6 addresses
-// - Doesn't support the iPAddress subjectAltName
-// Providing the hostname is necessary in order to locate certain user or
-// system trust preferences, such as those created by Safari. Preferences
-// created by Keychain Access do not share this requirement.
-// On success, stores the resultant policy in |*policy| and returns noErr.
-OSStatus NET_EXPORT CreateSSLServerPolicy(const std::string& hostname,
-                                          SecPolicyRef* policy);
-
-// Creates a security policy for basic X.509 validation. If the policy is
-// successfully created, it will be stored in |*policy| and ownership
-// transferred to the caller.
-OSStatus NET_EXPORT CreateBasicX509Policy(SecPolicyRef* policy);
-
-// Creates security policies to control revocation checking (OCSP and CRL).
-// If |enable_revocation_checking| is true, revocation checking will be
-// explicitly enabled.
-// If |enable_revocation_checking| is false, but |enable_ev_checking| is
-// true, then the system policies for EV checking (which include checking
-// for an online OCSP response) will be permitted. However, if the OS
-// does not believe the certificate is EV, no revocation checking will be
-// performed.
-// If both are false, then the policies returned will be explicitly
-// prohibited from accessing the network or the local cache, regardless of
-// system settings.
-// If the policies are successfully created, they will be appended to
-// |policies|.
-OSStatus NET_EXPORT CreateRevocationPolicies(bool enable_revocation_checking,
-                                             bool enable_ev_checking,
-                                             CFMutableArrayRef policies);
-
-// Wrapper for a CSSM_DATA_PTR that was obtained via one of the CSSM field
-// accessors (such as CSSM_CL_CertGet[First/Next]Value or
-// CSSM_CL_CertGet[First/Next]CachedValue).
-class CSSMFieldValue {
- public:
-  CSSMFieldValue();
-  CSSMFieldValue(CSSM_CL_HANDLE cl_handle,
-                 const CSSM_OID* oid,
-                 CSSM_DATA_PTR field);
-  ~CSSMFieldValue();
-
-  CSSM_OID_PTR oid() const { return oid_; }
-  CSSM_DATA_PTR field() const { return field_; }
-
-  // Returns the field as if it was an arbitrary type - most commonly, by
-  // interpreting the field as a specific CSSM/CDSA parsed type, such as
-  // CSSM_X509_SUBJECT_PUBLIC_KEY_INFO or CSSM_X509_ALGORITHM_IDENTIFIER.
-  // An added check is applied to ensure that the current field is large
-  // enough to actually contain the requested type.
-  template <typename T> const T* GetAs() const {
-    if (!field_ || field_->Length < sizeof(T))
-      return NULL;
-    return reinterpret_cast<const T*>(field_->Data);
-  }
-
-  void Reset(CSSM_CL_HANDLE cl_handle,
-             CSSM_OID_PTR oid,
-             CSSM_DATA_PTR field);
-
- private:
-  CSSM_CL_HANDLE cl_handle_;
-  CSSM_OID_PTR oid_;
-  CSSM_DATA_PTR field_;
-
-  DISALLOW_COPY_AND_ASSIGN(CSSMFieldValue);
-};
-
-// CSSMCachedCertificate is a container class that is used to wrap the
-// CSSM_CL_CertCache APIs and provide safe and efficient access to
-// certificate fields in their CSSM form.
-//
-// To provide efficient access to certificate/CRL fields, CSSM provides an
-// API/SPI to "cache" a certificate/CRL. The exact meaning of a cached
-// certificate is not defined by CSSM, but is documented to generally be some
-// intermediate or parsed form of the certificate. In the case of Apple's
-// CSSM CL implementation, the intermediate form is the parsed certificate
-// stored in an internal format (which happens to be NSS). By caching the
-// certificate, callers that wish to access multiple fields (such as subject,
-// issuer, and validity dates) do not need to repeatedly parse the entire
-// certificate, nor are they forced to convert all fields from their NSS types
-// to their CSSM equivalents. This latter point is especially helpful when
-// running on OS X 10.5, as it will fail to convert some fields that reference
-// unsupported algorithms, such as ECC.
-class CSSMCachedCertificate {
- public:
-  CSSMCachedCertificate();
-  ~CSSMCachedCertificate();
-
-  // Initializes the CSSMCachedCertificate by caching the specified
-  // |os_cert_handle|. On success, returns noErr.
-  // Note: Once initialized, the cached certificate should only be accessed
-  // from a single thread.
-  OSStatus Init(SecCertificateRef os_cert_handle);
-
-  // Fetches the first value for the field associated with |field_oid|.
-  // If |field_oid| is a valid OID and is present in the current certificate,
-  // returns CSSM_OK and stores the first value in |field|. If additional
-  // values are associated with |field_oid|, they are ignored.
-  OSStatus GetField(const CSSM_OID* field_oid, CSSMFieldValue* field) const;
-
- private:
-  CSSM_CL_HANDLE cl_handle_;
-  CSSM_HANDLE cached_cert_handle_;
-};
-
-}  // namespace x509_util
-
-}  // namespace net
-
-#endif  // NET_BASE_X509_UTIL_MAC_H_