OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_X509_CERTIFICATE_H_ | 5 #ifndef NET_CERT_X509_CERTIFICATE_H_ |
6 #define NET_CERT_X509_CERTIFICATE_H_ | 6 #define NET_CERT_X509_CERTIFICATE_H_ |
7 | 7 |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 #include <string.h> | 9 #include <string.h> |
10 | 10 |
(...skipping 217 matching lines...)
228 // Ownership follows the "get" rule: it is the caller's responsibility to | 228 // Ownership follows the "get" rule: it is the caller's responsibility to |
229 // retain the elements of the result. | 229 // retain the elements of the result. |
230 const OSCertHandles& GetIntermediateCertificates() const { | 230 const OSCertHandles& GetIntermediateCertificates() const { |
231 return intermediate_ca_certs_; | 231 return intermediate_ca_certs_; |
232 } | 232 } |
233 | 233 |
234 // Do any of the given issuer names appear in this cert's chain of trust? | 234 // Do any of the given issuer names appear in this cert's chain of trust? |
235 // |valid_issuers| is a list of DER-encoded X.509 DistinguishedNames. | 235 // |valid_issuers| is a list of DER-encoded X.509 DistinguishedNames. |
236 bool IsIssuedByEncoded(const std::vector<std::string>& valid_issuers); | 236 bool IsIssuedByEncoded(const std::vector<std::string>& valid_issuers); |
237 | 237 |
238 #if defined(OS_WIN) | |
239 // Returns a new PCCERT_CONTEXT containing this certificate and its | |
240 // intermediate certificates, or NULL on failure. The returned | |
241 // PCCERT_CONTEXT *MUST NOT* be stored in an X509Certificate, as this will | |
242 // cause os_cert_handle() to return incorrect results. This function is only | |
243 // necessary if the CERT_CONTEXT.hCertStore member will be accessed or | |
244 // enumerated, which is generally true for any CryptoAPI functions involving | |
245 // certificate chains, including validation or certificate display. | |
246 // | |
247 // Remarks: | |
248 // Depending on the CryptoAPI function, Windows may need to access the | |
249 // HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to | |
250 // locate additional intermediates. However, all certificate handles are added | |
251 // to a NULL HCERTSTORE, allowing the system to manage the resources. As a | |
252 // result, intermediates for |cert_handle_| cannot be located simply via | |
253 // |cert_handle_->hCertStore|, as it refers to a magic value indicating | |
254 // "only this certificate". | |
255 // | |
256 // To avoid this problems, a new in-memory HCERTSTORE is created containing | |
257 // just this certificate and its intermediates. The handle to the version of | |
258 // the current certificate in the new HCERTSTORE is then returned, with the | |
259 // PCCERT_CONTEXT's HCERTSTORE set to be automatically freed when the returned | |
260 // certificate handle is freed. | |
261 // | |
262 // This function is only needed when the HCERTSTORE of the os_cert_handle() | |
263 // will be accessed, which is generally only during certificate validation | |
264 // or display. While the returned PCCERT_CONTEXT and its HCERTSTORE can | |
265 // safely be used on multiple threads if no further modifications happen, it | |
266 // is generally preferable for each thread that needs such a context to | |
267 // obtain its own, rather than risk thread-safety issues by sharing. | |
268 // | |
269 // Because of how X509Certificate caching is implemented, attempting to | |
270 // create an X509Certificate from the returned PCCERT_CONTEXT may result in | |
271 // the original handle (and thus the originall HCERTSTORE) being returned by | |
272 // os_cert_handle(). For this reason, the returned PCCERT_CONTEXT *MUST NOT* | |
273 // be stored in an X509Certificate. | |
274 PCCERT_CONTEXT CreateOSCertChainForCert() const; | |
275 #endif | |
276 | |
277 #if defined(USE_OPENSSL_CERTS) | 238 #if defined(USE_OPENSSL_CERTS) |
278 // Returns a handle to a global, in-memory certificate store. We | 239 // Returns a handle to a global, in-memory certificate store. We |
279 // use it for test code, e.g. importing the test server's certificate. | 240 // use it for test code, e.g. importing the test server's certificate. |
280 static X509_STORE* cert_store(); | 241 static X509_STORE* cert_store(); |
281 #endif | 242 #endif |
282 | 243 |
283 // Verifies that |hostname| matches this certificate. | 244 // Verifies that |hostname| matches this certificate. |
284 // Does not verify that the certificate is valid, only that the certificate | 245 // Does not verify that the certificate is valid, only that the certificate |
285 // matches this host. | 246 // matches this host. |
286 // If |allow_common_name_fallback| is set to true, and iff no SANs are | 247 // If |allow_common_name_fallback| is set to true, and iff no SANs are |
(...skipping 165 matching lines...)
452 // Untrusted intermediate certificates associated with this certificate | 413 // Untrusted intermediate certificates associated with this certificate |
453 // that may be needed for chain building. | 414 // that may be needed for chain building. |
454 OSCertHandles intermediate_ca_certs_; | 415 OSCertHandles intermediate_ca_certs_; |
455 | 416 |
456 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 417 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
457 }; | 418 }; |
458 | 419 |
459 } // namespace net | 420 } // namespace net |
460 | 421 |
461 #endif // NET_CERT_X509_CERTIFICATE_H_ | 422 #endif // NET_CERT_X509_CERTIFICATE_H_ |