| OLD | NEW |
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ | 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ |
| 6 #define NET_BASE_X509_CERTIFICATE_H_ | 6 #define NET_BASE_X509_CERTIFICATE_H_ |
| 7 | 7 |
| 8 #include <map> | 8 #include <map> |
| 9 #include <set> | 9 #include <set> |
| 10 #include <string> | 10 #include <string> |
| 11 #include <vector> | 11 #include <vector> |
| 12 | 12 |
| 13 #include "base/ref_counted.h" | 13 #include "base/ref_counted.h" |
| 14 #include "base/singleton.h" | 14 #include "base/singleton.h" |
| 15 #include "base/time.h" | 15 #include "base/time.h" |
| 16 #include "testing/gtest/include/gtest/gtest_prod.h" |
| 16 | 17 |
| 17 #if defined(OS_WIN) | 18 #if defined(OS_WIN) |
| 18 #include <windows.h> | 19 #include <windows.h> |
| 19 #include <wincrypt.h> | 20 #include <wincrypt.h> |
| 20 #elif defined(OS_MACOSX) | 21 #elif defined(OS_MACOSX) |
| 21 #include <Security/Security.h> | 22 #include <Security/Security.h> |
| 22 #elif defined(OS_LINUX) | 23 #elif defined(OS_LINUX) |
| 23 // Forward declaration; real one in <cert.h> | 24 // Forward declaration; real one in <cert.h> |
| 24 struct CERTCertificateStr; | 25 struct CERTCertificateStr; |
| 25 #endif | 26 #endif |
| (...skipping 79 matching lines...) |
| 105 void Deny(X509Certificate* cert); | 106 void Deny(X509Certificate* cert); |
| 106 | 107 |
| 107 private: | 108 private: |
| 108 // The set of fingerprints of allowed certificates. | 109 // The set of fingerprints of allowed certificates. |
| 109 std::set<Fingerprint, FingerprintLessThan> allowed_; | 110 std::set<Fingerprint, FingerprintLessThan> allowed_; |
| 110 | 111 |
| 111 // The set of fingerprints of denied certificates. | 112 // The set of fingerprints of denied certificates. |
| 112 std::set<Fingerprint, FingerprintLessThan> denied_; | 113 std::set<Fingerprint, FingerprintLessThan> denied_; |
| 113 }; | 114 }; |
| 114 | 115 |
| 116 // Where the certificate comes from. The enumeration constants are |
| 117 // listed in increasing order of preference. |
| 118 enum Source { |
| 119 SOURCE_UNUSED = 0, // The source_ member is not used. |
| 120 SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without |
| 121 // its intermediate CA certificates. |
| 122 SOURCE_FROM_NETWORK = 2, // From the network. |
| 123 }; |
| 124 |
| 115 // Create an X509Certificate from a handle to the certificate object | 125 // Create an X509Certificate from a handle to the certificate object |
| 116 // in the underlying crypto library. This is a transfer of ownership; | 126 // in the underlying crypto library. This is a transfer of ownership; |
| 117 // X509Certificate will properly dispose of |cert_handle| for you. | 127 // X509Certificate will properly dispose of |cert_handle| for you. |
| 118 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle); | 128 // |source| specifies where |cert_handle| comes from. Given two |
| 129 // certificate handles for the same certificate, our certificate cache |
| 130 // prefers the handle from the network because our HTTP cache isn't |
| 131 // caching the corresponding intermediate CA certificates yet |
| 132 // (http://crbug.com/7065). |
| 133 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, |
| 134 Source source); |
| 119 | 135 |
| 120 // Create an X509Certificate from the BER-encoded representation. | 136 // Create an X509Certificate from the BER-encoded representation. |
| 121 // Returns NULL on failure. | 137 // Returns NULL on failure. |
| 122 static X509Certificate* CreateFromBytes(const char* data, int length); | 138 static X509Certificate* CreateFromBytes(const char* data, int length); |
| 123 | 139 |
| 124 // Create an X509Certificate from the representation stored in the given | 140 // Create an X509Certificate from the representation stored in the given |
| 125 // pickle. The data for this object is found relative to the given | 141 // pickle. The data for this object is found relative to the given |
| 126 // pickle_iter, which should be passed to the pickle's various Read* methods. | 142 // pickle_iter, which should be passed to the pickle's various Read* methods. |
| 127 // Returns NULL on failure. | 143 // Returns NULL on failure. |
| 128 static X509Certificate* CreateFromPickle(const Pickle& pickle, | 144 static X509Certificate* CreateFromPickle(const Pickle& pickle, |
| 129 void** pickle_iter); | 145 void** pickle_iter); |
| 130 | 146 |
| 131 // Creates a X509Certificate from the ground up. Used by tests that simulate | 147 // Creates a X509Certificate from the ground up. Used by tests that simulate |
| 132 // SSL connections. | 148 // SSL connections. |
| 133 X509Certificate(std::string subject, std::string issuer, | 149 X509Certificate(const std::string& subject, const std::string& issuer, |
| 134 base::Time start_date, base::Time expiration_date); | 150 base::Time start_date, base::Time expiration_date); |
| 135 | 151 |
| 136 // Appends a representation of this object to the given pickle. | 152 // Appends a representation of this object to the given pickle. |
| 137 void Persist(Pickle* pickle); | 153 void Persist(Pickle* pickle); |
| 138 | 154 |
| 139 // The subject of the certificate. For HTTPS server certificates, this | 155 // The subject of the certificate. For HTTPS server certificates, this |
| 140 // represents the web server. The common name of the subject should match | 156 // represents the web server. The common name of the subject should match |
| 141 // the host name of the web server. | 157 // the host name of the web server. |
| 142 const Principal& subject() const { return subject_; } | 158 const Principal& subject() const { return subject_; } |
| 143 | 159 |
| (...skipping 21 matching lines...) |
| 165 // now. | 181 // now. |
| 166 bool HasExpired() const; | 182 bool HasExpired() const; |
| 167 | 183 |
| 168 // Returns true if the certificate is an extended-validation (EV) | 184 // Returns true if the certificate is an extended-validation (EV) |
| 169 // certificate. | 185 // certificate. |
| 170 bool IsEV(int cert_status) const; | 186 bool IsEV(int cert_status) const; |
| 171 | 187 |
| 172 OSCertHandle os_cert_handle() const { return cert_handle_; } | 188 OSCertHandle os_cert_handle() const { return cert_handle_; } |
| 173 | 189 |
| 174 private: | 190 private: |
| 191 friend class base::RefCountedThreadSafe<X509Certificate>; |
| 192 FRIEND_TEST(X509CertificateTest, Cache); |
| 193 |
| 175 // A cache of X509Certificate objects. | 194 // A cache of X509Certificate objects. |
| 176 class Cache { | 195 class Cache { |
| 177 public: | 196 public: |
| 178 static Cache* GetInstance(); | 197 static Cache* GetInstance(); |
| 179 void Insert(X509Certificate* cert); | 198 void Insert(X509Certificate* cert); |
| 180 void Remove(X509Certificate* cert); | 199 void Remove(X509Certificate* cert); |
| 181 X509Certificate* Find(const Fingerprint& fingerprint); | 200 X509Certificate* Find(const Fingerprint& fingerprint); |
| 182 | 201 |
| 183 private: | 202 private: |
| 184 typedef std::map<Fingerprint, X509Certificate*, FingerprintLessThan> | 203 typedef std::map<Fingerprint, X509Certificate*, FingerprintLessThan> |
| 185 CertMap; | 204 CertMap; |
| 186 | 205 |
| 187 // Obtain an instance of X509Certificate::Cache via GetInstance(). | 206 // Obtain an instance of X509Certificate::Cache via GetInstance(). |
| 188 Cache() { } | 207 Cache() { } |
| 189 friend struct DefaultSingletonTraits<Cache>; | 208 friend struct DefaultSingletonTraits<Cache>; |
| 190 | 209 |
| 191 // You must acquire this lock before using any private data of this object. | 210 // You must acquire this lock before using any private data of this object. |
| 192 // You must not block while holding this lock. | 211 // You must not block while holding this lock. |
| 193 Lock lock_; | 212 Lock lock_; |
| 194 | 213 |
| 195 // The certificate cache. You must acquire |lock_| before using |cache_|. | 214 // The certificate cache. You must acquire |lock_| before using |cache_|. |
| 196 CertMap cache_; | 215 CertMap cache_; |
| 197 | 216 |
| 198 DISALLOW_COPY_AND_ASSIGN(Cache); | 217 DISALLOW_COPY_AND_ASSIGN(Cache); |
| 199 }; | 218 }; |
| 200 | 219 |
| 201 // Construct an X509Certificate from a handle to the certificate object | 220 // Construct an X509Certificate from a handle to the certificate object |
| 202 // in the underlying crypto library. | 221 // in the underlying crypto library. |
| 203 explicit X509Certificate(OSCertHandle cert_handle); | 222 X509Certificate(OSCertHandle cert_handle, Source source); |
| 204 | 223 |
| 205 friend class base::RefCountedThreadSafe<X509Certificate>; | |
| 206 ~X509Certificate(); | 224 ~X509Certificate(); |
| 207 | 225 |
| 208 // Common object initialization code. Called by the constructors only. | 226 // Common object initialization code. Called by the constructors only. |
| 209 void Initialize(); | 227 void Initialize(); |
| 210 | 228 |
| 229 // Creates an OS certificate handle from the BER-encoded representation. |
| 230 // Returns NULL on failure. |
| 231 static OSCertHandle CreateOSCertHandleFromBytes(const char* data, |
| 232 int length); |
| 233 |
| 234 // Frees an OS certificate handle. |
| 235 static void FreeOSCertHandle(OSCertHandle cert_handle); |
| 236 |
| 237 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty |
| 238 // (all zero) fingerprint on failure. |
| 239 static Fingerprint CalculateFingerprint(OSCertHandle cert_handle); |
| 240 |
| 211 // The subject of the certificate. | 241 // The subject of the certificate. |
| 212 Principal subject_; | 242 Principal subject_; |
| 213 | 243 |
| 214 // The issuer of the certificate. | 244 // The issuer of the certificate. |
| 215 Principal issuer_; | 245 Principal issuer_; |
| 216 | 246 |
| 217 // This certificate is not valid before |valid_start_| | 247 // This certificate is not valid before |valid_start_| |
| 218 base::Time valid_start_; | 248 base::Time valid_start_; |
| 219 | 249 |
| 220 // This certificate is not valid after |valid_expiry_| | 250 // This certificate is not valid after |valid_expiry_| |
| 221 base::Time valid_expiry_; | 251 base::Time valid_expiry_; |
| 222 | 252 |
| 223 // The fingerprint of this certificate. | 253 // The fingerprint of this certificate. |
| 224 Fingerprint fingerprint_; | 254 Fingerprint fingerprint_; |
| 225 | 255 |
| 226 // A handle to the certificate object in the underlying crypto library. | 256 // A handle to the certificate object in the underlying crypto library. |
| 227 OSCertHandle cert_handle_; | 257 OSCertHandle cert_handle_; |
| 228 | 258 |
| 259 // Where the certificate comes from. |
| 260 Source source_; |
| 261 |
| 229 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 262 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
| 230 }; | 263 }; |
| 231 | 264 |
| 232 } // namespace net | 265 } // namespace net |
| 233 | 266 |
| 234 #endif // NET_BASE_X509_CERTIFICATE_H_ | 267 #endif // NET_BASE_X509_CERTIFICATE_H_ |
| 235 | 268 |
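Review bot: `CalculateFingerprint` (new lines 237-239) reports failure as an all-zero fingerprint, but `Fingerprint` is also the key of `Cache::CertMap` and of the `allowed_`/`denied_` sets at new lines 109-113, so every certificate whose hash fails would share one key and could be aliased to another certificate's cache entry or policy decision. The header does not say whether callers check for the zero value before `Cache::Insert` or `Cache::Find`; the implementation is outside this page, so this may already be handled there. I would put the contract in the declaration's comment, for example `// Callers must treat an all-zero fingerprint as "no fingerprint" and must never use it as a cache or policy key.`, or return a `bool` with the fingerprint as an out-parameter so a failure cannot be mistaken for a value. The new `CreateOSCertHandleFromBytes(const char* data, int length)` also keeps a signed `length`, so its comment should state that a negative length is rejected.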
| OLD | NEW |