Move certificate verification off the IO thread....

net/base/x509_certificate.h

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 
 #include <map>
 #include <set>
 #include <string>
@@ skipping 11 matching lines @@
 #include <Security/Security.h>
 #elif defined(OS_LINUX)
 // Forward declaration; real one in <cert.h>
 struct CERTCertificateStr;
 #endif
 
 class Pickle;
 
 namespace net {
 
+class CertVerifyResult;
+
 // X509Certificate represents an X.509 certificate used by SSL.
 class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
  public:
   // SHA-1 fingerprint (160 bits) of a certificate.
   struct Fingerprint {
     unsigned char data[20];
   };
 
   class FingerprintLessThan
       : public std::binary_function<Fingerprint, Fingerprint, bool> {
    public:
     bool operator() (const Fingerprint& lhs, const Fingerprint& rhs) const;
   };
 
   // Predicate functor used in maps when X509Certificate is used as the key.
   class LessThan
       : public std::binary_function<X509Certificate*, X509Certificate*, bool> {
    public:
     bool operator() (X509Certificate* lhs,  X509Certificate* rhs) const;
   };
 
+  // A handle to the certificate object in the underlying crypto library.
+  // We assume that OSCertHandle is a pointer type on all platforms and
+  // NULL is an invalid OSCertHandle.
 #if defined(OS_WIN)
   typedef PCCERT_CONTEXT OSCertHandle;
 #elif defined(OS_MACOSX)
   typedef SecCertificateRef OSCertHandle;
 #elif defined(OS_LINUX)
   typedef struct CERTCertificateStr* OSCertHandle;
 #else
   // TODO(ericroman): not implemented
   typedef void* OSCertHandle;
 #endif
-        
+
   // Principal represent an X.509 principal.
   struct Principal {
     Principal() { }
     explicit Principal(std::string name) : common_name(name) { }
 
     // The different attributes for a principal.  They may be "".
     // Note that some of them can have several values.
 
     std::string common_name;
     std::string locality_name;
@@ skipping 100 matching lines @@
   // Gets the DNS names in the certificate.  Pursuant to RFC 2818, Section 3.1
   // Server Identity, if the certificate has a subjectAltName extension of
   // type dNSName, this method gets the DNS names in that extension.
   // Otherwise, it gets the common name in the subject field.
   void GetDNSNames(std::vector<std::string>* dns_names) const;
 
   // Convenience method that returns whether this certificate has expired as of
   // now.
   bool HasExpired() const;
 
+  // Verifies the certificate against the given hostname.  Returns OK if
+  // successful or an error code upon failure.
+  //
+  // The |*verify_result| structure, including the |verify_result->cert_status|
+  // bitmask, is always filled out regardless of the return value.  If the
+  // certificate has multiple errors, the corresponding status flags are set in
+  // |verify_result->cert_status|, and the error code for the most serious
+  // error is returned.
+  //
+  // If |rev_checking_enabled| is true, certificate revocation checking is
+  // performed.
+  int Verify(const std::string& hostname,
+             bool rev_checking_enabled,
+             CertVerifyResult* verify_result) const;
+
   // Returns true if the certificate is an extended-validation (EV)
   // certificate.
   bool IsEV(int cert_status) const;
 
   OSCertHandle os_cert_handle() const { return cert_handle_; }
 
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   FRIEND_TEST(X509CertificateTest, Cache);
 
   // A cache of X509Certificate objects.
   class Cache {
    public:
     static Cache* GetInstance();
     void Insert(X509Certificate* cert);
     void Remove(X509Certificate* cert);
     X509Certificate* Find(const Fingerprint& fingerprint);
-    
+
    private:
     typedef std::map<Fingerprint, X509Certificate*, FingerprintLessThan>
         CertMap;
-    
+
     // Obtain an instance of X509Certificate::Cache via GetInstance().
     Cache() { }
     friend struct DefaultSingletonTraits<Cache>;
-    
+
     // You must acquire this lock before using any private data of this object.
     // You must not block while holding this lock.
     Lock lock_;
-    
+
     // The certificate cache.  You must acquire |lock_| before using |cache_|.
     CertMap cache_;
-    
+
     DISALLOW_COPY_AND_ASSIGN(Cache);
   };
 
   // Construct an X509Certificate from a handle to the certificate object
   // in the underlying crypto library.
   X509Certificate(OSCertHandle cert_handle, Source source);
 
   ~X509Certificate();
 
   // Common object initialization code.  Called by the constructors only.
@@ skipping 32 matching lines @@
   // Where the certificate comes from.
   Source source_;
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_