1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_X509_UTIL_MAC_H_ | 5 #ifndef NET_CERT_X509_UTIL_MAC_H_ |
6 #define NET_CERT_X509_UTIL_MAC_H_ | 6 #define NET_CERT_X509_UTIL_MAC_H_ |
7 | 7 |
8 #include <CoreFoundation/CFArray.h> | 8 #include <CoreFoundation/CFArray.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 | 10 |
11 #include <string> | 11 #include <string> |
12 | 12 |
13 #include "base/mac/scoped_cftyperef.h" | |
13 #include "base/macros.h" | 14 #include "base/macros.h" |
15 #include "base/memory/ref_counted.h" | |
16 #include "net/base/hash_value.h" | |
14 #include "net/base/net_export.h" | 17 #include "net/base/net_export.h" |
15 | 18 |
16 namespace net { | 19 namespace net { |
17 | 20 |
21 class X509Certificate; | |
22 | |
18 namespace x509_util { | 23 namespace x509_util { |
19 | 24 |
25 // Test that a given |cert_handle| is actually a valid X.509 certificate, and | |
eroman
2017/04/03 19:52:03
nit: Test -> Tests
mattm
2017/04/03 23:36:16
Done.
| |
26 // return true if it is. | |
eroman
2017/04/03 19:52:03
nit: return -> returns
mattm
2017/04/03 23:36:16
Done.
| |
27 // | |
28 // On OS X, SecCertificateCreateFromData() does not return any errors if | |
29 // called with invalid data, as long as data is present. The actual decoding | |
30 // of the certificate does not happen until an API that requires a CSSM | |
31 // handle is called. While SecCertificateGetCLHandle is the most likely | |
32 // candidate, as it performs the parsing, it does not check whether the | |
33 // parsing was actually successful. Instead, SecCertificateGetSubject is | |
34 // used (supported since 10.3), as a means to check that the certificate | |
35 // parsed as a valid X.509 certificate. | |
36 NET_EXPORT bool IsValidSecCertificate(SecCertificateRef cert_handle); | |
37 | |
38 // Creates a SecCertificate handle from the DER-encoded representation. | |
39 // Returns NULL on failure. | |
40 NET_EXPORT base::ScopedCFTypeRef<SecCertificateRef> | |
41 CreateSecCertificateFromBytes(const uint8_t* data, size_t length); | |
42 | |
43 // Returns a SecCertificate representing |cert|, or NULL on failure. | |
44 NET_EXPORT base::ScopedCFTypeRef<SecCertificateRef> | |
45 CreateSecCertificateFromX509Certificate(const X509Certificate* cert); | |
46 | |
47 // Returns a new CFMutableArrayRef containing this certificate and its | |
48 // intermediate certificates in the form expected by Security.framework | |
49 // and Keychain Services, or NULL on failure. | |
50 // The first item in the array will be this certificate, followed by its | |
51 // intermediates, if any. | |
52 NET_EXPORT base::ScopedCFTypeRef<CFMutableArrayRef> | |
53 CreateSecCertificateArrayForX509Certificate(X509Certificate* cert); | |
54 | |
55 // Creates an X509Certificate representing |sec_cert| with intermediates | |
56 // |sec_chain|. | |
57 NET_EXPORT scoped_refptr<X509Certificate> | |
58 CreateX509CertificateFromSecCertificate( | |
59 SecCertificateRef sec_cert, | |
60 const std::vector<SecCertificateRef>& sec_chain); | |
61 | |
62 // Returns true if the certificate is self-signed. | |
63 NET_EXPORT bool IsSelfSigned(SecCertificateRef cert_handle); | |
64 | |
65 // Calculates the SHA-256 fingerprint of the certificate. Returns an empty | |
66 // (all zero) fingerprint on failure. | |
67 NET_EXPORT SHA256HashValue CalculateFingerprint256(SecCertificateRef cert); | |
68 | |
20 // Creates a security policy for certificates used as client certificates | 69 // Creates a security policy for certificates used as client certificates |
21 // in SSL. | 70 // in SSL. |
22 // If a policy is successfully created, it will be stored in | 71 // If a policy is successfully created, it will be stored in |
23 // |*policy| and ownership transferred to the caller. | 72 // |*policy| and ownership transferred to the caller. |
24 OSStatus NET_EXPORT CreateSSLClientPolicy(SecPolicyRef* policy); | 73 NET_EXPORT OSStatus CreateSSLClientPolicy(SecPolicyRef* policy); |
25 | 74 |
26 // Create an SSL server policy. While certificate name validation will be | 75 // Create an SSL server policy. While certificate name validation will be |
27 // performed by SecTrustEvaluate(), it has the following limitations: | 76 // performed by SecTrustEvaluate(), it has the following limitations: |
28 // - Doesn't support IP addresses in dotted-quad literals (127.0.0.1) | 77 // - Doesn't support IP addresses in dotted-quad literals (127.0.0.1) |
29 // - Doesn't support IPv6 addresses | 78 // - Doesn't support IPv6 addresses |
30 // - Doesn't support the iPAddress subjectAltName | 79 // - Doesn't support the iPAddress subjectAltName |
31 // Providing the hostname is necessary in order to locate certain user or | 80 // Providing the hostname is necessary in order to locate certain user or |
32 // system trust preferences, such as those created by Safari. Preferences | 81 // system trust preferences, such as those created by Safari. Preferences |
33 // created by Keychain Access do not share this requirement. | 82 // created by Keychain Access do not share this requirement. |
34 // On success, stores the resultant policy in |*policy| and returns noErr. | 83 // On success, stores the resultant policy in |*policy| and returns noErr. |
35 OSStatus NET_EXPORT CreateSSLServerPolicy(const std::string& hostname, | 84 NET_EXPORT OSStatus CreateSSLServerPolicy(const std::string& hostname, |
36 SecPolicyRef* policy); | 85 SecPolicyRef* policy); |
37 | 86 |
38 // Creates a security policy for basic X.509 validation. If the policy is | 87 // Creates a security policy for basic X.509 validation. If the policy is |
39 // successfully created, it will be stored in |*policy| and ownership | 88 // successfully created, it will be stored in |*policy| and ownership |
40 // transferred to the caller. | 89 // transferred to the caller. |
41 OSStatus NET_EXPORT CreateBasicX509Policy(SecPolicyRef* policy); | 90 NET_EXPORT OSStatus CreateBasicX509Policy(SecPolicyRef* policy); |
42 | 91 |
43 // Creates security policies to control revocation checking (OCSP and CRL). | 92 // Creates security policies to control revocation checking (OCSP and CRL). |
44 // If |enable_revocation_checking| is true, revocation checking will be | 93 // If |enable_revocation_checking| is true, revocation checking will be |
45 // explicitly enabled. | 94 // explicitly enabled. |
46 // Otherwise, the policies returned will be explicitly prohibited from accessing | 95 // Otherwise, the policies returned will be explicitly prohibited from accessing |
47 // the network or the local cache, if possible. | 96 // the network or the local cache, if possible. |
48 // If the policies are successfully created, they will be appended to | 97 // If the policies are successfully created, they will be appended to |
49 // |policies|. | 98 // |policies|. |
50 OSStatus NET_EXPORT CreateRevocationPolicies(bool enable_revocation_checking, | 99 NET_EXPORT OSStatus CreateRevocationPolicies(bool enable_revocation_checking, |
51 CFMutableArrayRef policies); | 100 CFMutableArrayRef policies); |
52 | 101 |
53 // CSSM functions are deprecated as of OSX 10.7, but have no replacement. | 102 // CSSM functions are deprecated as of OSX 10.7, but have no replacement. |
54 // https://bugs.chromium.org/p/chromium/issues/detail?id=590914#c1 | 103 // https://bugs.chromium.org/p/chromium/issues/detail?id=590914#c1 |
55 #pragma clang diagnostic push | 104 #pragma clang diagnostic push |
56 #pragma clang diagnostic ignored "-Wdeprecated-declarations" | 105 #pragma clang diagnostic ignored "-Wdeprecated-declarations" |
57 | 106 |
58 // Wrapper for a CSSM_DATA_PTR that was obtained via one of the CSSM field | 107 // Wrapper for a CSSM_DATA_PTR that was obtained via one of the CSSM field |
59 // accessors (such as CSSM_CL_CertGet[First/Next]Value or | 108 // accessors (such as CSSM_CL_CertGet[First/Next]Value or |
60 // CSSM_CL_CertGet[First/Next]CachedValue). | 109 // CSSM_CL_CertGet[First/Next]CachedValue). |
130 CSSM_HANDLE cached_cert_handle_; | 179 CSSM_HANDLE cached_cert_handle_; |
131 }; | 180 }; |
132 | 181 |
133 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 182 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
134 | 183 |
135 } // namespace x509_util | 184 } // namespace x509_util |
136 | 185 |
137 } // namespace net | 186 } // namespace net |
138 | 187 |
139 #endif // NET_CERT_X509_UTIL_MAC_H_ | 188 #endif // NET_CERT_X509_UTIL_MAC_H_ |
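Review bot: The comment on CreateSSLServerPolicy (new-side lines 75–84) never says who owns the SecPolicyRef it stores in |*policy|, whereas the neighbouring CreateSSLClientPolicy and CreateBasicX509Policy declarations both state "ownership transferred to the caller"; a reader of this declaration alone cannot tell whether to CFRelease the result, which is how a leak or double release gets introduced. I would make the three declarations agree: `// On success, stores the resultant policy in |*policy|, with ownership` / `// transferred to the caller, and returns noErr.` The listed limitations (no dotted-quad or IPv6 literals, no iPAddress subjectAltName) also deserve an explicit consequence so callers do not read the policy as a complete name check, e.g. `// Callers connecting to an IP literal must perform their own name matching` / `// rather than rely on the hostname check performed by this policy.` Whether existing callers already do that is not visible from this header, so the sentence is worded as a requirement on callers rather than a description of them.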