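--- a/net/cert/x509_certificate.h
+++ b/net/cert/x509_certificate.h
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_X509_CERTIFICATE_H_
 #define NET_CERT_X509_CERTIFICATE_H_
 
 #include <string.h>
 
 #include <string>
@@ -306,22 +306,25 @@
 
 #if defined(USE_OPENSSL)
 // Returns a handle to a global, in-memory certificate store. We
 // use it for test code, e.g. importing the test server's certificate.
 static X509_STORE* cert_store();
 #endif
 
 // Verifies that |hostname| matches this certificate.
 // Does not verify that the certificate is valid, only that the certificate
 // matches this host.
-// Returns true if it matches.
-bool VerifyNameMatch(const std::string& hostname) const;
+// Returns true if it matches, and updates |*common_name_fallback_used|,
+// setting it to true if a fallback to the CN was used, rather than
+// subjectAltName.
+bool VerifyNameMatch(const std::string& hostname,
+bool* common_name_fallback_used) const;
 
 // Obtains the DER encoded certificate data for |cert_handle|. On success,
 // returns true and writes the DER encoded certificate to |*der_encoded|.
 static bool GetDEREncoded(OSCertHandle cert_handle,
 std::string* der_encoded);
 
 // Returns the PEM encoded data from a DER encoded certificate. If the return
 // value is true, then the PEM encoded certificate is written to
 // |pem_encoded|.
 static bool GetPEMEncodedFromDER(const std::string& der_encoded,
@@ -418,24 +421,28 @@
 
 // Verifies that |hostname| matches one of the certificate names or IP
 // addresses supplied, based on TLS name matching rules - specifically,
 // following http://tools.ietf.org/html/rfc6125.
 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject().
 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled
 // from the dNSName and iPAddress components of the subject alternative name
 // extension, if present. Note these IP addresses are NOT ascii-encoded:
 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6
 // addresses, respectively.
+// |common_name_fallback_used| will be updated to true if cert_common_name
+// was used to match the hostname, or false if either of the |cert_san_*|
+// parameters was used to match the hostname.
 static bool VerifyHostname(const std::string& hostname,
 const std::string& cert_common_name,
 const std::vector<std::string>& cert_san_dns_names,
-const std::vector<std::string>& cert_san_ip_addrs);
+const std::vector<std::string>& cert_san_ip_addrs,
+bool* common_name_fallback_used);
 
 // Reads a single certificate from |pickle_iter| and returns a
 // platform-specific certificate handle. The format of the certificate
 // stored in |pickle_iter| is not guaranteed to be the same across different
 // underlying cryptographic libraries, nor acceptable to CreateFromBytes().
 // Returns an invalid handle, NULL, on failure.
 // NOTE: This should not be used for any new code. It is provided for
 // migration purposes and should eventually be removed.
 static OSCertHandle ReadOSCertHandleFromPickle(PickleIterator* pickle_iter);
 
@@ -478,10 +485,10 @@
 // based on the type of the certificate.
 std::string default_nickname_;
 #endif
 
 DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 } // namespace net
 
 #endif // NET_CERT_X509_CERTIFICATE_H_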
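Review bot: Neither the new comment on VerifyNameMatch (new lines 316-320) nor the one on VerifyHostname (new lines 431-433) says whether `common_name_fallback_used` may be NULL or what value it holds when the function returns false, so a caller that inspects the flag after a failed match could be reading a bool that was never written. Because CN matching is the deprecated path under RFC 6125 and callers are likely to log, warn or reject based on this flag, the contract should be explicit in the header rather than left to the implementation. I would add to the VerifyHostname comment `// |common_name_fallback_used| must not be NULL and is always written, including` / `// when this function returns false.` (or state the opposite if that is what the implementation does) and mirror the same sentence on VerifyNameMatch. The enclosing class X509Certificate begins and its first hunk ends outside the lines shown here.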