OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_X509_CERTIFICATE_H_ | 5 #ifndef NET_CERT_X509_CERTIFICATE_H_ |
6 #define NET_CERT_X509_CERTIFICATE_H_ | 6 #define NET_CERT_X509_CERTIFICATE_H_ |
7 | 7 |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 #include <string.h> | 9 #include <string.h> |
10 | 10 |
(...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
74 | 74 |
75 enum PublicKeyType { | 75 enum PublicKeyType { |
76 kPublicKeyTypeUnknown, | 76 kPublicKeyTypeUnknown, |
77 kPublicKeyTypeRSA, | 77 kPublicKeyTypeRSA, |
78 kPublicKeyTypeDSA, | 78 kPublicKeyTypeDSA, |
79 kPublicKeyTypeECDSA, | 79 kPublicKeyTypeECDSA, |
80 kPublicKeyTypeDH, | 80 kPublicKeyTypeDH, |
81 kPublicKeyTypeECDH | 81 kPublicKeyTypeECDH |
82 }; | 82 }; |
83 | 83 |
84 // Predicate functor used in maps when X509Certificate is used as the key. | 84 // Predicate functor used to sort X509Certificates. |
85 class NET_EXPORT LessThan { | 85 class NET_EXPORT LessThan { |
86 public: | 86 public: |
87 bool operator()(const scoped_refptr<X509Certificate>& lhs, | 87 bool operator()(const scoped_refptr<X509Certificate>& lhs, |
88 const scoped_refptr<X509Certificate>& rhs) const; | 88 const scoped_refptr<X509Certificate>& rhs) const; |
89 }; | 89 }; |
90 | 90 |
91 enum Format { | 91 enum Format { |
92 // The data contains a single DER-encoded certificate, or a PEM-encoded | 92 // The data contains a single DER-encoded certificate, or a PEM-encoded |
93 // DER certificate with the PEM encoding block name of "CERTIFICATE". | 93 // DER certificate with the PEM encoding block name of "CERTIFICATE". |
94 // Any subsequent blocks will be ignored. | 94 // Any subsequent blocks will be ignored. |
(...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
206 const CertPrincipal& issuer() const { return issuer_; } | 206 const CertPrincipal& issuer() const { return issuer_; } |
207 | 207 |
208 // Time period during which the certificate is valid. More precisely, this | 208 // Time period during which the certificate is valid. More precisely, this |
209 // certificate is invalid before the |valid_start| date and invalid after | 209 // certificate is invalid before the |valid_start| date and invalid after |
210 // the |valid_expiry| date. | 210 // the |valid_expiry| date. |
211 // If we were unable to parse either date from the certificate (or if the cert | 211 // If we were unable to parse either date from the certificate (or if the cert |
212 // lacks either date), the date will be null (i.e., is_null() will be true). | 212 // lacks either date), the date will be null (i.e., is_null() will be true). |
213 const base::Time& valid_start() const { return valid_start_; } | 213 const base::Time& valid_start() const { return valid_start_; } |
214 const base::Time& valid_expiry() const { return valid_expiry_; } | 214 const base::Time& valid_expiry() const { return valid_expiry_; } |
215 | 215 |
216 // The fingerprint of this certificate. | |
217 const SHA1HashValue& fingerprint() const { return fingerprint_; } | |
218 | |
219 // The fingerprint of the intermediate CA certificates. | |
220 const SHA1HashValue& ca_fingerprint() const { | |
221 return ca_fingerprint_; | |
222 } | |
223 | |
224 // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1 | 216 // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1 |
225 // Server Identity, if the certificate has a subjectAltName extension of | 217 // Server Identity, if the certificate has a subjectAltName extension of |
226 // type dNSName, this method gets the DNS names in that extension. | 218 // type dNSName, this method gets the DNS names in that extension. |
227 // Otherwise, it gets the common name in the subject field. | 219 // Otherwise, it gets the common name in the subject field. |
228 void GetDNSNames(std::vector<std::string>* dns_names) const; | 220 void GetDNSNames(std::vector<std::string>* dns_names) const; |
229 | 221 |
230 // Gets the subjectAltName extension field from the certificate, if any. | 222 // Gets the subjectAltName extension field from the certificate, if any. |
231 // For future extension; currently this only returns those name types that | 223 // For future extension; currently this only returns those name types that |
232 // are required for HTTP certificate name verification - see VerifyHostname. | 224 // are required for HTTP certificate name verification - see VerifyHostname. |
233 // Unrequired parameters may be passed as NULL. | 225 // Unrequired parameters may be passed as NULL. |
(...skipping 144 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
378 static OSCertHandles CreateOSCertHandlesFromBytes(const char* data, | 370 static OSCertHandles CreateOSCertHandlesFromBytes(const char* data, |
379 size_t length, | 371 size_t length, |
380 Format format); | 372 Format format); |
381 | 373 |
382 // Duplicates (or adds a reference to) an OS certificate handle. | 374 // Duplicates (or adds a reference to) an OS certificate handle. |
383 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); | 375 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); |
384 | 376 |
385 // Frees (or releases a reference to) an OS certificate handle. | 377 // Frees (or releases a reference to) an OS certificate handle. |
386 static void FreeOSCertHandle(OSCertHandle cert_handle); | 378 static void FreeOSCertHandle(OSCertHandle cert_handle); |
387 | 379 |
388 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty | |
389 // (all zero) fingerprint on failure. | |
390 // | |
391 // For calculating fingerprints, prefer SHA-1 for performance when indexing, | |
392 // but callers should use IsSameOSCert() before assuming two certificates are | |
eroman
2016/05/30 20:20:30
Do you want to provide similar guidance for Calcul
Ryan Sleevi
2016/05/31 15:40:13
The SHA-256 is an external detail - we need it exp
| |
393 // the same. | |
394 static SHA1HashValue CalculateFingerprint(OSCertHandle cert_handle); | |
395 | |
396 // Calculates the SHA-256 fingerprint of the certificate. Returns an empty | 380 // Calculates the SHA-256 fingerprint of the certificate. Returns an empty |
397 // (all zero) fingerprint on failure. | 381 // (all zero) fingerprint on failure. |
398 static SHA256HashValue CalculateFingerprint256(OSCertHandle cert_handle); | 382 static SHA256HashValue CalculateFingerprint256(OSCertHandle cert_handle); |
399 | 383 |
400 // Calculates the SHA-1 fingerprint of the intermediate CA certificates. | |
401 // Returns an empty (all zero) fingerprint on failure. | |
402 // | |
403 // See SHA-1 caveat on CalculateFingerprint(). | |
404 static SHA1HashValue CalculateCAFingerprint( | |
405 const OSCertHandles& intermediates); | |
406 | |
407 // Calculates the SHA-256 fingerprint of the intermediate CA certificates. | 384 // Calculates the SHA-256 fingerprint of the intermediate CA certificates. |
408 // Returns an empty (all zero) fingerprint on failure. | 385 // Returns an empty (all zero) fingerprint on failure. |
409 // | 386 // |
410 // As part of the cross-platform implementation of this function, it currently | 387 // As part of the cross-platform implementation of this function, it currently |
411 // copies the certificate bytes into local variables which makes it | 388 // copies the certificate bytes into local variables which makes it |
412 // potentially slower than implementing it directly for each platform. For | 389 // potentially slower than implementing it directly for each platform. For |
413 // now, the expected consumers are not performance critical, but if | 390 // now, the expected consumers are not performance critical, but if |
414 // performance is a concern going forward, it may warrant implementing this on | 391 // performance is a concern going forward, it may warrant implementing this on |
415 // a per-platform basis. | 392 // a per-platform basis. |
416 static SHA256HashValue CalculateCAFingerprint256( | 393 static SHA256HashValue CalculateCAFingerprint256( |
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
487 | 464 |
488 // The issuer of the certificate. | 465 // The issuer of the certificate. |
489 CertPrincipal issuer_; | 466 CertPrincipal issuer_; |
490 | 467 |
491 // This certificate is not valid before |valid_start_| | 468 // This certificate is not valid before |valid_start_| |
492 base::Time valid_start_; | 469 base::Time valid_start_; |
493 | 470 |
494 // This certificate is not valid after |valid_expiry_| | 471 // This certificate is not valid after |valid_expiry_| |
495 base::Time valid_expiry_; | 472 base::Time valid_expiry_; |
496 | 473 |
497 // The fingerprint of this certificate. | |
498 SHA1HashValue fingerprint_; | |
499 | |
500 // The fingerprint of the intermediate CA certificates. | |
501 SHA1HashValue ca_fingerprint_; | |
502 | |
503 // The serial number of this certificate, DER encoded. | 474 // The serial number of this certificate, DER encoded. |
504 std::string serial_number_; | 475 std::string serial_number_; |
505 | 476 |
506 // A handle to the certificate object in the underlying crypto library. | 477 // A handle to the certificate object in the underlying crypto library. |
507 OSCertHandle cert_handle_; | 478 OSCertHandle cert_handle_; |
508 | 479 |
509 // Untrusted intermediate certificates associated with this certificate | 480 // Untrusted intermediate certificates associated with this certificate |
510 // that may be needed for chain building. | 481 // that may be needed for chain building. |
511 OSCertHandles intermediate_ca_certs_; | 482 OSCertHandles intermediate_ca_certs_; |
512 | 483 |
513 #if defined(USE_NSS_CERTS) | 484 #if defined(USE_NSS_CERTS) |
514 // This stores any default nickname that has been set on the certificate | 485 // This stores any default nickname that has been set on the certificate |
515 // at creation time with CreateFromBytesWithNickname. | 486 // at creation time with CreateFromBytesWithNickname. |
516 // If this is empty, then GetDefaultNickname will return a generated name | 487 // If this is empty, then GetDefaultNickname will return a generated name |
517 // based on the type of the certificate. | 488 // based on the type of the certificate. |
518 std::string default_nickname_; | 489 std::string default_nickname_; |
519 #endif | 490 #endif |
520 | 491 |
521 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 492 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
522 }; | 493 }; |
523 | 494 |
524 } // namespace net | 495 } // namespace net |
525 | 496 |
526 #endif // NET_CERT_X509_CERTIFICATE_H_ | 497 #endif // NET_CERT_X509_CERTIFICATE_H_ |
OLD | NEW |