| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef NET_SSL_SSL_CLIENT_CERT_IDENTITY_H_ |
| 6 #define NET_SSL_SSL_CLIENT_CERT_IDENTITY_H_ |
| 7 |
| 8 #include "base/callback.h" |
| 9 #include "net/base/net_export.h" |
| 10 #include "net/cert/x509_certificate.h" |
| 11 |
| 12 #if defined(OS_MACOSX) |
| 13 #include <Security/SecBase.h> |
| 14 #endif |
| 15 |
| 16 namespace base { |
| 17 class Time; |
| 18 } |
| 19 |
| 20 namespace net { |
| 21 |
| 22 class SSLPrivateKey; |
| 23 |
| 24 // XXX does this make sense as a standalone file, or should it be part of |
| 25 // ClientCertStore header? |
| 26 |
| 27 // XXX comment |
| 28 class NET_EXPORT ClientCertIdentity { |
| 29 public: |
| 30 explicit ClientCertIdentity(scoped_refptr<net::X509Certificate> cert); |
| 31 virtual ~ClientCertIdentity(); |
| 32 |
| 33 // XXX comments. |
| 34 // // XXX should this be const? |
| 35 X509Certificate* certificate() const { return cert_.get(); } |
| 36 |
| 37 // XXX idea: instead of doing a callback to aquire the private key and then |
| 38 // doing ContinueWithCertificate(cert,key), just do |
| 39 // ContinueWithCertificate(clientcertidentity), put off doing the lookup all |
| 40 // the way to SSLClientSocketImpl::PrivateKeySignDigestCallback. Might mess |
| 41 // up error handling though (eg, would auth cache record it even when there |
| 42 // was no matching key?) |
| 43 |
| 44 // XXX |
| 45 // caller responsible for keeping the ClientCertIdentity alive until the |
| 46 // callback is run. callback may be called with null private key callback may |
| 47 // be called synchronously (?) (XXX : verify all usages as sync safe) |
| 48 virtual void AcquirePrivateKey( |
| 49 const base::Callback<void(scoped_refptr<SSLPrivateKey>)>& |
| 50 private_key_callback) = 0; |
| 51 |
| 52 #if defined(OS_MACOSX) |
| 53 // XXX gross, but it allows ssl_client_certificate_selector_cocoa.mm to avoid |
| 54 // doing SecIdentityCreateWithCertificate on UI thread. |
| 55 virtual SecIdentityRef sec_identity_ref() const = 0; |
| 56 #endif |
| 57 |
| 58 // XXX comment |
| 59 static void SelfOwningAcquirePrivateKey( |
| 60 std::unique_ptr<ClientCertIdentity> self, |
| 61 const base::Callback<void(scoped_refptr<SSLPrivateKey>)>& |
| 62 private_key_callback); |
| 63 |
| 64 // Sets the intermediates of |certificate()| to |intermediates|. Note that |
| 65 // this will change the value of |certificate()|, and any references that |
| 66 // were retained to the previous value will not reflect the updated |
| 67 // intermediates list. |
| 68 void SetIntermediates(X509Certificate::OSCertHandles intermediates); |
| 69 |
| 70 private: |
| 71 scoped_refptr<net::X509Certificate> cert_; |
| 72 }; |
| 73 |
| 74 // Comparator for use in STL algorithms that will sort client certificates by |
| 75 // order of preference. |
| 76 // Returns true if |a| is more preferable than |b|, allowing it to be used |
| 77 // with any algorithm that compares according to strict weak ordering. |
| 78 // |
| 79 // Criteria include: |
| 80 // - Prefer certificates that have a longer validity period (later |
| 81 // expiration dates) |
| 82 // - If equal, prefer certificates that were issued more recently |
| 83 // - If equal, prefer shorter chains (if available) |
| 84 class NET_EXPORT_PRIVATE ClientCertIdentitySorter { |
| 85 public: |
| 86 ClientCertIdentitySorter(); |
| 87 |
| 88 bool operator()(const std::unique_ptr<ClientCertIdentity>& a, |
| 89 const std::unique_ptr<ClientCertIdentity>& b) const; |
| 90 |
| 91 private: |
| 92 base::Time now_; |
| 93 }; |
| 94 |
| 95 using ClientCertIdentityList = std::vector<std::unique_ptr<ClientCertIdentity>>; |
| 96 |
| 97 } // namespace net |
| 98 |
| 99 #endif // NET_SSL_SSL_CLIENT_CERT_IDENTITY_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2898573002:
Refactor client cert private key handling. (Closed)
