1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_X509_UTIL_MAC_H_ | 5 #ifndef NET_CERT_X509_UTIL_MAC_H_ |
6 #define NET_CERT_X509_UTIL_MAC_H_ | 6 #define NET_CERT_X509_UTIL_MAC_H_ |
7 | 7 |
8 #include <CoreFoundation/CFArray.h> | 8 #include <CoreFoundation/CFArray.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 | 10 |
11 #include <string> | 11 #include <string> |
12 | 12 |
| 13 #include "base/mac/scoped_cftyperef.h" |
13 #include "base/macros.h" | 14 #include "base/macros.h" |
| 15 #include "base/memory/ref_counted.h" |
| 16 #include "net/base/hash_value.h" |
14 #include "net/base/net_export.h" | 17 #include "net/base/net_export.h" |
15 | 18 |
16 namespace net { | 19 namespace net { |
17 | 20 |
| 21 class X509Certificate; |
| 22 |
18 namespace x509_util { | 23 namespace x509_util { |
19 | 24 |
| 25 // Test that a given |cert_handle| is actually a valid X.509 certificate, and |
| 26 // return true if it is. |
| 27 // |
| 28 // On OS X, SecCertificateCreateFromData() does not return any errors if |
| 29 // called with invalid data, as long as data is present. The actual decoding |
| 30 // of the certificate does not happen until an API that requires a CSSM |
| 31 // handle is called. While SecCertificateGetCLHandle is the most likely |
| 32 // candidate, as it performs the parsing, it does not check whether the |
| 33 // parsing was actually successful. Instead, SecCertificateGetSubject is |
| 34 // used (supported since 10.3), as a means to check that the certificate |
| 35 // parsed as a valid X.509 certificate. |
| 36 bool NET_EXPORT IsValidSecCertificate(SecCertificateRef cert_handle); |
| 37 |
| 38 // Creates a SecCertificate handle from the DER-encoded representation. |
| 39 // Returns NULL on failure. |
| 40 base::ScopedCFTypeRef<SecCertificateRef> NET_EXPORT |
| 41 CreateSecCertificateFromBytes(const uint8_t* data, size_t length); |
| 42 |
| 43 // Returns a SecCertificate representing |cert|, or NULL on failure. |
| 44 base::ScopedCFTypeRef<SecCertificateRef> NET_EXPORT |
| 45 CreateSecCertificateFromX509Certificate(const X509Certificate* cert); |
| 46 |
| 47 // Returns a new CFMutableArrayRef containing this certificate and its |
| 48 // intermediate certificates in the form expected by Security.framework |
| 49 // and Keychain Services, or NULL on failure. |
| 50 // The first item in the array will be this certificate, followed by its |
| 51 // intermediates, if any. |
| 52 base::ScopedCFTypeRef<CFMutableArrayRef> NET_EXPORT |
| 53 CreateSecCertificateArrayForX509Certificate(X509Certificate* cert); |
| 54 |
| 55 // Creates an X509Certificate representing |sec_cert| with intermediates |
| 56 // |sec_chain|. |
| 57 scoped_refptr<X509Certificate> NET_EXPORT |
| 58 CreateX509CertificateFromSecCertificate( |
| 59 SecCertificateRef sec_cert, |
| 60 const std::vector<SecCertificateRef>& sec_chain); |
| 61 |
| 62 // Returns true if the certificate is self-signed. |
| 63 bool NET_EXPORT IsSelfSigned(SecCertificateRef cert_handle); |
| 64 |
| 65 // Calculates the SHA-256 fingerprint of the certificate. Returns an empty |
| 66 // (all zero) fingerprint on failure. |
| 67 SHA256HashValue NET_EXPORT CalculateFingerprint256(SecCertificateRef cert); |
| 68 |
20 // Creates a security policy for certificates used as client certificates | 69 // Creates a security policy for certificates used as client certificates |
21 // in SSL. | 70 // in SSL. |
22 // If a policy is successfully created, it will be stored in | 71 // If a policy is successfully created, it will be stored in |
23 // |*policy| and ownership transferred to the caller. | 72 // |*policy| and ownership transferred to the caller. |
24 OSStatus NET_EXPORT CreateSSLClientPolicy(SecPolicyRef* policy); | 73 OSStatus NET_EXPORT CreateSSLClientPolicy(SecPolicyRef* policy); |
25 | 74 |
26 // Create an SSL server policy. While certificate name validation will be | 75 // Create an SSL server policy. While certificate name validation will be |
27 // performed by SecTrustEvaluate(), it has the following limitations: | 76 // performed by SecTrustEvaluate(), it has the following limitations: |
28 // - Doesn't support IP addresses in dotted-quad literals (127.0.0.1) | 77 // - Doesn't support IP addresses in dotted-quad literals (127.0.0.1) |
29 // - Doesn't support IPv6 addresses | 78 // - Doesn't support IPv6 addresses |
130 CSSM_HANDLE cached_cert_handle_; | 179 CSSM_HANDLE cached_cert_handle_; |
131 }; | 180 }; |
132 | 181 |
133 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 182 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
134 | 183 |
135 } // namespace x509_util | 184 } // namespace x509_util |
136 | 185 |
137 } // namespace net | 186 } // namespace net |
138 | 187 |
139 #endif // NET_CERT_X509_UTIL_MAC_H_ | 188 #endif // NET_CERT_X509_UTIL_MAC_H_ |
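Review bot: The new declaration of CreateX509CertificateFromSecCertificate (new line 60) uses `std::vector<SecCertificateRef>` but the header never includes `<vector>`, and CreateSecCertificateFromBytes (new line 41) uses `uint8_t`/`size_t` with no `<stdint.h>`/`<stddef.h>`, so the header only compiles if some transitive include happens to provide them; add `#include <stddef.h>`, `#include <stdint.h>` and `#include <vector>` to the system-include group. The IsValidSecCertificate comment explains that SecCertificateCreateFromData accepts arbitrary bytes without error, but the comments on CreateSecCertificateFromBytes and CreateSecCertificateFromX509Certificate do not say whether the returned handle has been through that check; if it has not, state it, e.g. `// The returned handle is not guaranteed to parse as X.509; call IsValidSecCertificate() before relying on it.`, since callers passing untrusted DER to Security.framework need to know. IsSelfSigned should likewise say whether it only compares issuer to subject or actually verifies the signature with the certificate's own key, as the two answer different security questions. CalculateFingerprint256's all-zero failure value is a legal SHA256HashValue, so the comment should tell callers to test for the failure case rather than compare the result against a pin blindly.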