1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_X509_CERTIFICATE_H_ | 5 #ifndef NET_CERT_X509_CERTIFICATE_H_ |
6 #define NET_CERT_X509_CERTIFICATE_H_ | 6 #define NET_CERT_X509_CERTIFICATE_H_ |
7 | 7 |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 #include <string.h> | 9 #include <string.h> |
10 | 10 |
280 | 280 |
281 #if defined(USE_OPENSSL_CERTS) | 281 #if defined(USE_OPENSSL_CERTS) |
282 // Returns a handle to a global, in-memory certificate store. We | 282 // Returns a handle to a global, in-memory certificate store. We |
283 // use it for test code, e.g. importing the test server's certificate. | 283 // use it for test code, e.g. importing the test server's certificate. |
284 static X509_STORE* cert_store(); | 284 static X509_STORE* cert_store(); |
285 #endif | 285 #endif |
286 | 286 |
287 // Verifies that |hostname| matches this certificate. | 287 // Verifies that |hostname| matches this certificate. |
288 // Does not verify that the certificate is valid, only that the certificate | 288 // Does not verify that the certificate is valid, only that the certificate |
289 // matches this host. | 289 // matches this host. |
290 // Returns true if it matches, and updates |*common_name_fallback_used|, | 290 // If |allow_common_name_fallback| is set to true, and iff no SANs are |
291 // setting it to true if a fallback to the CN was used, rather than | 291 // present of type dNSName or iPAddress, then fallback to using the |
292 // subjectAltName. | 292 // certificate's commonName field in the Subject. |
293 bool VerifyNameMatch(const std::string& hostname, | 293 bool VerifyNameMatch(const std::string& hostname, |
294 bool* common_name_fallback_used) const; | 294 bool allow_common_name_fallback) const; |
295 | 295 |
296 // Obtains the DER encoded certificate data for |cert_handle|. On success, | 296 // Obtains the DER encoded certificate data for |cert_handle|. On success, |
297 // returns true and writes the DER encoded certificate to |*der_encoded|. | 297 // returns true and writes the DER encoded certificate to |*der_encoded|. |
298 static bool GetDEREncoded(OSCertHandle cert_handle, | 298 static bool GetDEREncoded(OSCertHandle cert_handle, |
299 std::string* der_encoded); | 299 std::string* der_encoded); |
300 | 300 |
301 // Returns the PEM encoded data from a DER encoded certificate. If the return | 301 // Returns the PEM encoded data from a DER encoded certificate. If the return |
302 // value is true, then the PEM encoded certificate is written to | 302 // value is true, then the PEM encoded certificate is written to |
303 // |pem_encoded|. | 303 // |pem_encoded|. |
304 static bool GetPEMEncodedFromDER(const std::string& der_encoded, | 304 static bool GetPEMEncodedFromDER(const std::string& der_encoded, |
413 | 413 |
414 // Verifies that |hostname| matches one of the certificate names or IP | 414 // Verifies that |hostname| matches one of the certificate names or IP |
415 // addresses supplied, based on TLS name matching rules - specifically, | 415 // addresses supplied, based on TLS name matching rules - specifically, |
416 // following http://tools.ietf.org/html/rfc6125. | 416 // following http://tools.ietf.org/html/rfc6125. |
417 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). | 417 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). |
418 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled | 418 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled |
419 // from the dNSName and iPAddress components of the subject alternative name | 419 // from the dNSName and iPAddress components of the subject alternative name |
420 // extension, if present. Note these IP addresses are NOT ascii-encoded: | 420 // extension, if present. Note these IP addresses are NOT ascii-encoded: |
421 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 | 421 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 |
422 // addresses, respectively. | 422 // addresses, respectively. |
423 // |common_name_fallback_used| will be updated to true if cert_common_name | 423 // If |allow_common_name_fallback| is true, then the |cert_common_name| will |
424 // was used to match the hostname, or false if either of the |cert_san_*| | 424 // be used if the |cert_san_dns_names| and |cert_san_ip_addrs| parameters are |
425 // parameters was used to match the hostname. | 425 // empty. |
426 static bool VerifyHostname(const std::string& hostname, | 426 static bool VerifyHostname(const std::string& hostname, |
427 const std::string& cert_common_name, | 427 const std::string& cert_common_name, |
428 const std::vector<std::string>& cert_san_dns_names, | 428 const std::vector<std::string>& cert_san_dns_names, |
429 const std::vector<std::string>& cert_san_ip_addrs, | 429 const std::vector<std::string>& cert_san_ip_addrs, |
430 bool* common_name_fallback_used); | 430 bool allow_common_name_fallback); |
431 | 431 |
432 // Reads a single certificate from |pickle_iter| and returns a | 432 // Reads a single certificate from |pickle_iter| and returns a |
433 // platform-specific certificate handle. The format of the certificate | 433 // platform-specific certificate handle. The format of the certificate |
434 // stored in |pickle_iter| is not guaranteed to be the same across different | 434 // stored in |pickle_iter| is not guaranteed to be the same across different |
435 // underlying cryptographic libraries, nor acceptable to CreateFromBytes(). | 435 // underlying cryptographic libraries, nor acceptable to CreateFromBytes(). |
436 // Returns an invalid handle, NULL, on failure. | 436 // Returns an invalid handle, NULL, on failure. |
437 // NOTE: This should not be used for any new code. It is provided for | 437 // NOTE: This should not be used for any new code. It is provided for |
438 // migration purposes and should eventually be removed. | 438 // migration purposes and should eventually be removed. |
439 static OSCertHandle ReadOSCertHandleFromPickle( | 439 static OSCertHandle ReadOSCertHandleFromPickle( |
440 base::PickleIterator* pickle_iter); | 440 base::PickleIterator* pickle_iter); |
465 // Untrusted intermediate certificates associated with this certificate | 465 // Untrusted intermediate certificates associated with this certificate |
466 // that may be needed for chain building. | 466 // that may be needed for chain building. |
467 OSCertHandles intermediate_ca_certs_; | 467 OSCertHandles intermediate_ca_certs_; |
468 | 468 |
469 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 469 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
470 }; | 470 }; |
471 | 471 |
472 } // namespace net | 472 } // namespace net |
473 | 473 |
474 #endif // NET_CERT_X509_CERTIFICATE_H_ | 474 #endif // NET_CERT_X509_CERTIFICATE_H_ |
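Review bot: The new comment on VerifyHostname (new lines 423-425) says when |cert_common_name| is consulted but not what the function returns when |allow_common_name_fallback| is false and both SAN lists are empty, which is the case the new parameter was introduced to make explicit; the same gap applies to the VerifyNameMatch comment at new lines 290-292. I would add `// If |allow_common_name_fallback| is false and neither |cert_san_dns_names| nor |cert_san_ip_addrs| contains an entry, the match fails without consulting the CN.` (presumably the implementation behaves this way; confirm against the .cc), and note that callers should pass false unless they have a specific compatibility reason, since RFC 6125 deprecates CN matching. Separately, the comment at new line 418 still calls the parameter `cert_san_ipaddrs` while the signature at line 429 spells it `cert_san_ip_addrs`; worth fixing while the block is being edited. Since the new parameter is a bare positional `bool`, call sites such as `VerifyNameMatch(host, false)` read poorly; an `enum class` or a `/*allow_common_name_fallback=*/false` call-site comment would keep the intent visible. The enclosing class X509Certificate begins outside the shown hunks.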