| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_CERT_X509_CERTIFICATE_H_ | 5 #ifndef NET_CERT_X509_CERTIFICATE_H_ |
| 6 #define NET_CERT_X509_CERTIFICATE_H_ | 6 #define NET_CERT_X509_CERTIFICATE_H_ |
| 7 | 7 |
| 8 #include <stddef.h> | 8 #include <stddef.h> |
| 9 #include <string.h> | 9 #include <string.h> |
| 10 | 10 |
| 280 | 280 |
| 281 #if defined(USE_OPENSSL_CERTS) | 281 #if defined(USE_OPENSSL_CERTS) |
| 282 // Returns a handle to a global, in-memory certificate store. We | 282 // Returns a handle to a global, in-memory certificate store. We |
| 283 // use it for test code, e.g. importing the test server's certificate. | 283 // use it for test code, e.g. importing the test server's certificate. |
| 284 static X509_STORE* cert_store(); | 284 static X509_STORE* cert_store(); |
| 285 #endif | 285 #endif |
| 286 | 286 |
| 287 // Verifies that |hostname| matches this certificate. | 287 // Verifies that |hostname| matches this certificate. |
| 288 // Does not verify that the certificate is valid, only that the certificate | 288 // Does not verify that the certificate is valid, only that the certificate |
| 289 // matches this host. | 289 // matches this host. |
| 290 // Returns true if it matches, and updates |*common_name_fallback_used|, | 290 // If |allow_common_name_fallback| is set to true, and iff no SANs are |
| 291 // setting it to true if a fallback to the CN was used, rather than | 291 // present of type dNSName or iPAddress, then fallback to using the |
| 292 // subjectAltName. | 292 // certificate's commonName field in the Subject. |
| 293 bool VerifyNameMatch(const std::string& hostname, | 293 bool VerifyNameMatch(const std::string& hostname, |
| 294 bool* common_name_fallback_used) const; | 294 bool allow_common_name_fallback) const; |
| 295 | 295 |
| 296 // Obtains the DER encoded certificate data for |cert_handle|. On success, | 296 // Obtains the DER encoded certificate data for |cert_handle|. On success, |
| 297 // returns true and writes the DER encoded certificate to |*der_encoded|. | 297 // returns true and writes the DER encoded certificate to |*der_encoded|. |
| 298 static bool GetDEREncoded(OSCertHandle cert_handle, | 298 static bool GetDEREncoded(OSCertHandle cert_handle, |
| 299 std::string* der_encoded); | 299 std::string* der_encoded); |
| 300 | 300 |
| 301 // Returns the PEM encoded data from a DER encoded certificate. If the return | 301 // Returns the PEM encoded data from a DER encoded certificate. If the return |
| 302 // value is true, then the PEM encoded certificate is written to | 302 // value is true, then the PEM encoded certificate is written to |
| 303 // |pem_encoded|. | 303 // |pem_encoded|. |
| 304 static bool GetPEMEncodedFromDER(const std::string& der_encoded, | 304 static bool GetPEMEncodedFromDER(const std::string& der_encoded, |
| 413 | 413 |
| 414 // Verifies that |hostname| matches one of the certificate names or IP | 414 // Verifies that |hostname| matches one of the certificate names or IP |
| 415 // addresses supplied, based on TLS name matching rules - specifically, | 415 // addresses supplied, based on TLS name matching rules - specifically, |
| 416 // following http://tools.ietf.org/html/rfc6125. | 416 // following http://tools.ietf.org/html/rfc6125. |
| 417 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). | 417 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). |
| 418 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled | 418 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled |
| 419 // from the dNSName and iPAddress components of the subject alternative name | 419 // from the dNSName and iPAddress components of the subject alternative name |
| 420 // extension, if present. Note these IP addresses are NOT ascii-encoded: | 420 // extension, if present. Note these IP addresses are NOT ascii-encoded: |
| 421 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 | 421 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 |
| 422 // addresses, respectively. | 422 // addresses, respectively. |
| 423 // |common_name_fallback_used| will be updated to true if cert_common_name | 423 // If |allow_common_name_fallback| is true, then the |cert_common_name| will |
| 424 // was used to match the hostname, or false if either of the |cert_san_*| | 424 // be used if the |cert_san_dns_names| and |cert_san_ip_addrs| parameters are |
| 425 // parameters was used to match the hostname. | 425 // empty. |
| 426 static bool VerifyHostname(const std::string& hostname, | 426 static bool VerifyHostname(const std::string& hostname, |
| 427 const std::string& cert_common_name, | 427 const std::string& cert_common_name, |
| 428 const std::vector<std::string>& cert_san_dns_names, | 428 const std::vector<std::string>& cert_san_dns_names, |
| 429 const std::vector<std::string>& cert_san_ip_addrs, | 429 const std::vector<std::string>& cert_san_ip_addrs, |
| 430 bool* common_name_fallback_used); | 430 bool allow_common_name_fallback); |
| 431 | 431 |
| 432 // Reads a single certificate from |pickle_iter| and returns a | 432 // Reads a single certificate from |pickle_iter| and returns a |
| 433 // platform-specific certificate handle. The format of the certificate | 433 // platform-specific certificate handle. The format of the certificate |
| 434 // stored in |pickle_iter| is not guaranteed to be the same across different | 434 // stored in |pickle_iter| is not guaranteed to be the same across different |
| 435 // underlying cryptographic libraries, nor acceptable to CreateFromBytes(). | 435 // underlying cryptographic libraries, nor acceptable to CreateFromBytes(). |
| 436 // Returns an invalid handle, NULL, on failure. | 436 // Returns an invalid handle, NULL, on failure. |
| 437 // NOTE: This should not be used for any new code. It is provided for | 437 // NOTE: This should not be used for any new code. It is provided for |
| 438 // migration purposes and should eventually be removed. | 438 // migration purposes and should eventually be removed. |
| 439 static OSCertHandle ReadOSCertHandleFromPickle( | 439 static OSCertHandle ReadOSCertHandleFromPickle( |
| 440 base::PickleIterator* pickle_iter); | 440 base::PickleIterator* pickle_iter); |
| 465 // Untrusted intermediate certificates associated with this certificate | 465 // Untrusted intermediate certificates associated with this certificate |
| 466 // that may be needed for chain building. | 466 // that may be needed for chain building. |
| 467 OSCertHandles intermediate_ca_certs_; | 467 OSCertHandles intermediate_ca_certs_; |
| 468 | 468 |
| 469 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 469 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
| 470 }; | 470 }; |
| 471 | 471 |
| 472 } // namespace net | 472 } // namespace net |
| 473 | 473 |
| 474 #endif // NET_CERT_X509_CERTIFICATE_H_ | 474 #endif // NET_CERT_X509_CERTIFICATE_H_ |
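Review bot: The new comment on VerifyNameMatch (new lines 290-292) describes when the CN fallback is taken but never states the outcome when |allow_common_name_fallback| is false and the certificate carries no dNSName/iPAddress SANs; since that is the case a caller disabling the fallback cares most about, it should be spelled out, presumably as `// If |allow_common_name_fallback| is false and no dNSName or iPAddress SANs are present, the Subject CN is never consulted and the match fails.` (confirm against the implementation). The same gap applies to VerifyHostname at new lines 423-425, whose wording ("will be used if ... are empty") should also agree with the "of type dNSName or iPAddress" phrasing used at 290-292, and "and iff no SANs are present" reads better as "and only if no SANs are present". As a point of style, a positional `bool` means call sites will read `VerifyNameMatch(hostname, true)`, which hides the security-relevant choice; an `enum class` or a named constant at each caller would keep the intent visible in review. Both declarations sit inside class X509Certificate, whose body is only partly shown here.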