OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_X509_CERTIFICATE_H_ | 5 #ifndef NET_CERT_X509_CERTIFICATE_H_ |
6 #define NET_CERT_X509_CERTIFICATE_H_ | 6 #define NET_CERT_X509_CERTIFICATE_H_ |
7 | 7 |
8 #include <string.h> | 8 #include <string.h> |
9 | 9 |
10 #include <string> | 10 #include <string> |
(...skipping 295 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
306 | 306 |
307 #if defined(USE_OPENSSL) | 307 #if defined(USE_OPENSSL) |
308 // Returns a handle to a global, in-memory certificate store. We | 308 // Returns a handle to a global, in-memory certificate store. We |
309 // use it for test code, e.g. importing the test server's certificate. | 309 // use it for test code, e.g. importing the test server's certificate. |
310 static X509_STORE* cert_store(); | 310 static X509_STORE* cert_store(); |
311 #endif | 311 #endif |
312 | 312 |
313 // Verifies that |hostname| matches this certificate. | 313 // Verifies that |hostname| matches this certificate. |
314 // Does not verify that the certificate is valid, only that the certificate | 314 // Does not verify that the certificate is valid, only that the certificate |
315 // matches this host. | 315 // matches this host. |
316 // Returns true if it matches. | 316 // Returns true if it matches, and sets |common_name_fallback_used| to true |
317 bool VerifyNameMatch(const std::string& hostname) const; | 317 // if a fallback to the CN was used, rather than subjectAlternativeName. |
wtc
2013/10/23 22:39:26
Nit: it should be clarified that |common_name_fall
| |
318 bool VerifyNameMatch(const std::string& hostname, | |
319 bool* common_name_fallback_used) const; | |
318 | 320 |
319 // Obtains the DER encoded certificate data for |cert_handle|. On success, | 321 // Obtains the DER encoded certificate data for |cert_handle|. On success, |
320 // returns true and writes the DER encoded certificate to |*der_encoded|. | 322 // returns true and writes the DER encoded certificate to |*der_encoded|. |
321 static bool GetDEREncoded(OSCertHandle cert_handle, | 323 static bool GetDEREncoded(OSCertHandle cert_handle, |
322 std::string* der_encoded); | 324 std::string* der_encoded); |
323 | 325 |
324 // Returns the PEM encoded data from a DER encoded certificate. If the return | 326 // Returns the PEM encoded data from a DER encoded certificate. If the return |
325 // value is true, then the PEM encoded certificate is written to | 327 // value is true, then the PEM encoded certificate is written to |
326 // |pem_encoded|. | 328 // |pem_encoded|. |
327 static bool GetPEMEncodedFromDER(const std::string& der_encoded, | 329 static bool GetPEMEncodedFromDER(const std::string& der_encoded, |
(...skipping 89 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
417 #endif | 419 #endif |
418 | 420 |
419 // Verifies that |hostname| matches one of the certificate names or IP | 421 // Verifies that |hostname| matches one of the certificate names or IP |
420 // addresses supplied, based on TLS name matching rules - specifically, | 422 // addresses supplied, based on TLS name matching rules - specifically, |
421 // following http://tools.ietf.org/html/rfc6125. | 423 // following http://tools.ietf.org/html/rfc6125. |
422 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). | 424 // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). |
423 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled | 425 // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled |
424 // from the dNSName and iPAddress components of the subject alternative name | 426 // from the dNSName and iPAddress components of the subject alternative name |
425 // extension, if present. Note these IP addresses are NOT ascii-encoded: | 427 // extension, if present. Note these IP addresses are NOT ascii-encoded: |
426 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 | 428 // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 |
427 // addresses, respectively. | 429 // addresses, respectively. |
wtc
2013/10/23 22:39:26
Document the common_name_fallback_used output para
| |
428 static bool VerifyHostname(const std::string& hostname, | 430 static bool VerifyHostname(const std::string& hostname, |
429 const std::string& cert_common_name, | 431 const std::string& cert_common_name, |
430 const std::vector<std::string>& cert_san_dns_names, | 432 const std::vector<std::string>& cert_san_dns_names, |
431 const std::vector<std::string>& cert_san_ip_addrs); | 433 const std::vector<std::string>& cert_san_ip_addrs, |
434 bool* common_name_fallback_used); | |
wtc
2013/10/23 22:39:26
Having VerifyHostname return common_name_fallback_
Ryan Sleevi
2013/10/24 00:25:37
We already expose GetSubjectAltName, which is a cl
| |
432 | 435 |
433 // Reads a single certificate from |pickle_iter| and returns a | 436 // Reads a single certificate from |pickle_iter| and returns a |
434 // platform-specific certificate handle. The format of the certificate | 437 // platform-specific certificate handle. The format of the certificate |
435 // stored in |pickle_iter| is not guaranteed to be the same across different | 438 // stored in |pickle_iter| is not guaranteed to be the same across different |
436 // underlying cryptographic libraries, nor acceptable to CreateFromBytes(). | 439 // underlying cryptographic libraries, nor acceptable to CreateFromBytes(). |
437 // Returns an invalid handle, NULL, on failure. | 440 // Returns an invalid handle, NULL, on failure. |
438 // NOTE: This should not be used for any new code. It is provided for | 441 // NOTE: This should not be used for any new code. It is provided for |
439 // migration purposes and should eventually be removed. | 442 // migration purposes and should eventually be removed. |
440 static OSCertHandle ReadOSCertHandleFromPickle(PickleIterator* pickle_iter); | 443 static OSCertHandle ReadOSCertHandleFromPickle(PickleIterator* pickle_iter); |
441 | 444 |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
478 // based on the type of the certificate. | 481 // based on the type of the certificate. |
479 std::string default_nickname_; | 482 std::string default_nickname_; |
480 #endif | 483 #endif |
481 | 484 |
482 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 485 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
483 }; | 486 }; |
484 | 487 |
485 } // namespace net | 488 } // namespace net |
486 | 489 |
487 #endif // NET_CERT_X509_CERTIFICATE_H_ | 490 #endif // NET_CERT_X509_CERTIFICATE_H_ |
OLD | NEW |