Chromium Code Reviews

Side by Side Diff: net/cert/x509_certificate.h

Issue 27624002: Add a histogram for measuring the number of times we fall back to common name matching, when a cert… (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: whitespace Created 7 years, 2 months ago
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_CERT_X509_CERTIFICATE_H_ 5 #ifndef NET_CERT_X509_CERTIFICATE_H_
6 #define NET_CERT_X509_CERTIFICATE_H_ 6 #define NET_CERT_X509_CERTIFICATE_H_
7 7
8 #include <string.h> 8 #include <string.h>
9 9
10 #include <string> 10 #include <string>
(...skipping 295 matching lines...)
306 306
307 #if defined(USE_OPENSSL) 307 #if defined(USE_OPENSSL)
308 // Returns a handle to a global, in-memory certificate store. We 308 // Returns a handle to a global, in-memory certificate store. We
309 // use it for test code, e.g. importing the test server's certificate. 309 // use it for test code, e.g. importing the test server's certificate.
310 static X509_STORE* cert_store(); 310 static X509_STORE* cert_store();
311 #endif 311 #endif
312 312
313 // Verifies that |hostname| matches this certificate. 313 // Verifies that |hostname| matches this certificate.
314 // Does not verify that the certificate is valid, only that the certificate 314 // Does not verify that the certificate is valid, only that the certificate
315 // matches this host. 315 // matches this host.
316 // Returns true if it matches. 316 // Returns true if it matches, and sets |common_name_fallback_used| to true
317 bool VerifyNameMatch(const std::string& hostname) const; 317 // if a fallback to the CN was used, rather than subjectAlternativeName.
wtc 2013/10/23 22:39:26 Nit: it should be clarified that |common_name_fall
318 bool VerifyNameMatch(const std::string& hostname,
319 bool* common_name_fallback_used) const;
318 320
319 // Obtains the DER encoded certificate data for |cert_handle|. On success, 321 // Obtains the DER encoded certificate data for |cert_handle|. On success,
320 // returns true and writes the DER encoded certificate to |*der_encoded|. 322 // returns true and writes the DER encoded certificate to |*der_encoded|.
321 static bool GetDEREncoded(OSCertHandle cert_handle, 323 static bool GetDEREncoded(OSCertHandle cert_handle,
322 std::string* der_encoded); 324 std::string* der_encoded);
323 325
324 // Returns the PEM encoded data from a DER encoded certificate. If the return 326 // Returns the PEM encoded data from a DER encoded certificate. If the return
325 // value is true, then the PEM encoded certificate is written to 327 // value is true, then the PEM encoded certificate is written to
326 // |pem_encoded|. 328 // |pem_encoded|.
327 static bool GetPEMEncodedFromDER(const std::string& der_encoded, 329 static bool GetPEMEncodedFromDER(const std::string& der_encoded,
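Review bot: The new comment on lines 316-317 (new side) leaves the out-parameter under-specified: it says |common_name_fallback_used| is set to true when the CN was used, but not what it holds when the match came from a subjectAltName entry or when the function returns false, nor whether callers may pass NULL. Since this value feeds a histogram, a caller that does not initialise it would record an indeterminate value on the false path. Suggest stating the contract explicitly, e.g. `// |common_name_fallback_used| must be non-NULL and is always set: true if the` / `// match was made against the Subject CN, false otherwise (including when` / `// false is returned).` It is also worth saying in the comment that CN matching is the legacy path and subjectAltName the RFC 6125 rule, since that is the distinction the histogram is meant to measure.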
(...skipping 89 matching lines...)
417 #endif 419 #endif
418 420
419 // Verifies that |hostname| matches one of the certificate names or IP 421 // Verifies that |hostname| matches one of the certificate names or IP
420 // addresses supplied, based on TLS name matching rules - specifically, 422 // addresses supplied, based on TLS name matching rules - specifically,
421 // following http://tools.ietf.org/html/rfc6125. 423 // following http://tools.ietf.org/html/rfc6125.
422 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). 424 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject().
423 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled 425 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled
424 // from the dNSName and iPAddress components of the subject alternative name 426 // from the dNSName and iPAddress components of the subject alternative name
425 // extension, if present. Note these IP addresses are NOT ascii-encoded: 427 // extension, if present. Note these IP addresses are NOT ascii-encoded:
426 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 428 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6
427 // addresses, respectively. 429 // addresses, respectively.
wtc 2013/10/23 22:39:26 Document the common_name_fallback_used output para
428 static bool VerifyHostname(const std::string& hostname, 430 static bool VerifyHostname(const std::string& hostname,
429 const std::string& cert_common_name, 431 const std::string& cert_common_name,
430 const std::vector<std::string>& cert_san_dns_names, 432 const std::vector<std::string>& cert_san_dns_names,
431 const std::vector<std::string>& cert_san_ip_addrs); 433 const std::vector<std::string>& cert_san_ip_addrs,
434 bool* common_name_fallback_used);
wtc 2013/10/23 22:39:26 Having VerifyHostname return common_name_fallback_
Ryan Sleevi 2013/10/24 00:25:37 We already expose GetSubjectAltName, which is a cl
432 435
433 // Reads a single certificate from |pickle_iter| and returns a 436 // Reads a single certificate from |pickle_iter| and returns a
434 // platform-specific certificate handle. The format of the certificate 437 // platform-specific certificate handle. The format of the certificate
435 // stored in |pickle_iter| is not guaranteed to be the same across different 438 // stored in |pickle_iter| is not guaranteed to be the same across different
436 // underlying cryptographic libraries, nor acceptable to CreateFromBytes(). 439 // underlying cryptographic libraries, nor acceptable to CreateFromBytes().
437 // Returns an invalid handle, NULL, on failure. 440 // Returns an invalid handle, NULL, on failure.
438 // NOTE: This should not be used for any new code. It is provided for 441 // NOTE: This should not be used for any new code. It is provided for
439 // migration purposes and should eventually be removed. 442 // migration purposes and should eventually be removed.
440 static OSCertHandle ReadOSCertHandleFromPickle(PickleIterator* pickle_iter); 443 static OSCertHandle ReadOSCertHandleFromPickle(PickleIterator* pickle_iter);
441 444
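Review bot: The doc comment for VerifyHostname (new lines 421-429) documents |hostname|, |cert_common_name|, |cert_san_dns_names| and |cert_san_ip_addrs| but says nothing about the |common_name_fallback_used| parameter added on line 434; the header is the public contract, so add a sentence saying when it is set, whether it is written on every call (or may be NULL), and whether the CN is consulted only when no subjectAltName entries were supplied, which is what the RFC 6125 reference on line 423 implies. While here, the existing comment on line 425 refers to |cert_san_ipaddrs| but the parameter on line 433 is named cert_san_ip_addrs; the two should agree.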
(...skipping 36 matching lines...)
478 // based on the type of the certificate. 481 // based on the type of the certificate.
479 std::string default_nickname_; 482 std::string default_nickname_;
480 #endif 483 #endif
481 484
482 DISALLOW_COPY_AND_ASSIGN(X509Certificate); 485 DISALLOW_COPY_AND_ASSIGN(X509Certificate);
483 }; 486 };
484 487
485 } // namespace net 488 } // namespace net
486 489
487 #endif // NET_CERT_X509_CERTIFICATE_H_ 490 #endif // NET_CERT_X509_CERTIFICATE_H_