OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef NET_CERT_X509_UTIL_WIN_H_ | |
6 #define NET_CERT_X509_UTIL_WIN_H_ | |
7 | |
8 #include <memory> | |
9 #include <vector> | |
10 | |
11 #include <windows.h> | |
12 | |
13 #include "base/memory/ref_counted.h" | |
14 #include "crypto/wincrypt_shim.h" | |
15 #include "net/base/hash_value.h" | |
16 #include "net/base/net_export.h" | |
17 | |
18 namespace net { | |
19 | |
20 class X509Certificate; | |
21 | |
22 struct FreeCertContextFunctor { | |
23 void operator()(PCCERT_CONTEXT context) const { | |
24 if (context) | |
25 CertFreeCertificateContext(context); | |
26 } | |
27 }; | |
28 | |
29 typedef std::unique_ptr<const CERT_CONTEXT, FreeCertContextFunctor> | |
30 ScopedPCCERT_CONTEXT; | |
davidben
2017/06/15 23:55:18
Nit: using.
mattm
2017/06/16 21:39:31
Done.
| |
31 | |
32 namespace x509_util { | |
33 | |
34 // Creates an X509Certificate representing |os_cert| with intermediates | |
35 // |os_chain|. | |
36 NET_EXPORT scoped_refptr<X509Certificate> CreateX509CertificateFromCertContexts( | |
37 PCCERT_CONTEXT os_cert, | |
38 const std::vector<PCCERT_CONTEXT>& os_chain); | |
39 | |
40 // Returns a new PCCERT_CONTEXT containing the certificate and its | |
41 // intermediate certificates, or NULL on failure. This function is only | |
42 // necessary if the CERT_CONTEXT.hCertStore member will be accessed or | |
43 // enumerated, which is generally true for any CryptoAPI functions involving | |
44 // certificate chains, including validation or certificate display. | |
45 // | |
46 // While the returned PCCERT_CONTEXT and its HCERTSTORE can safely be used on | |
47 // multiple threads if no further modifications happen, it is generally | |
48 // preferable for each thread that needs such a context to obtain its own, | |
49 // rather than risk thread-safety issues by sharing. | |
50 // | |
51 // ------------------------------------------------------------------------ | |
52 // The following remarks only apply when USE_BYTE_CERTS=false (e.g., when | |
53 // using x509_certificate_win). | |
54 // TODO(mattm): remove references to USE_BYTE_CERTS and clean up the rest of | |
55 // the comment when x509_certificate_win is deleted. | |
56 // | |
57 // The returned PCCERT_CONTEXT *MUST NOT* be stored in an X509Certificate, as | |
58 // this will cause os_cert_handle() to return incorrect results. | |
59 // | |
60 // Depending on the CryptoAPI function, Windows may need to access the | |
61 // HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to | |
62 // locate additional intermediates. However, all X509Certificate handles are | |
63 // added to a NULL HCERTSTORE, allowing the system to manage the resources. As | |
64 // a result, intermediates for |cert->os_cert_handle()| cannot be located | |
65 // simply via |cert->os_cert_handle()->hCertStore|, as it refers to a magic | |
66 // value indicating "only this certificate". | |
67 // | |
68 // To avoid this problems, a new in-memory HCERTSTORE is created containing | |
69 // just this certificate and its intermediates. The handle to the version of | |
70 // the current certificate in the new HCERTSTORE is then returned, with the | |
71 // PCCERT_CONTEXT's HCERTSTORE set to be automatically freed when the returned | |
72 // certificate handle is freed. | |
73 // | |
74 // Because of how X509Certificate caching is implemented, attempting to | |
75 // create an X509Certificate from the returned PCCERT_CONTEXT may result in | |
76 // the original handle (and thus the originall HCERTSTORE) being returned by | |
77 // os_cert_handle(). For this reason, the returned PCCERT_CONTEXT *MUST NOT* | |
78 // be stored in an X509Certificate. | |
79 NET_EXPORT ScopedPCCERT_CONTEXT | |
80 CreateCertContextWithChain(const X509Certificate* cert); | |
81 | |
82 // Calculates the SHA-256 fingerprint of the certificate. Returns an empty | |
83 // (all zero) fingerprint on failure. | |
84 NET_EXPORT SHA256HashValue CalculateFingerprint256(PCCERT_CONTEXT cert); | |
85 | |
86 // Returns true if the certificate is self-signed. | |
87 NET_EXPORT bool IsSelfSigned(PCCERT_CONTEXT cert_handle); | |
88 | |
89 } // namespace x509_util | |
90 | |
91 } // namespace net | |
92 | |
93 #endif // NET_CERT_X509_UTIL_WIN_H_ | |
OLD | NEW |