OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef NET_CERT_X509_UTIL_WIN_H_ |
| 6 #define NET_CERT_X509_UTIL_WIN_H_ |
| 7 |
| 8 #include <memory> |
| 9 #include <vector> |
| 10 |
| 11 #include <windows.h> |
| 12 |
| 13 #include "base/memory/ref_counted.h" |
| 14 #include "crypto/wincrypt_shim.h" |
| 15 #include "net/base/hash_value.h" |
| 16 #include "net/base/net_export.h" |
| 17 |
| 18 namespace net { |
| 19 |
| 20 class X509Certificate; |
| 21 |
| 22 struct FreeCertContextFunctor { |
| 23 void operator()(PCCERT_CONTEXT context) const { |
| 24 if (context) |
| 25 CertFreeCertificateContext(context); |
| 26 } |
| 27 }; |
| 28 |
| 29 using ScopedPCCERT_CONTEXT = |
| 30 std::unique_ptr<const CERT_CONTEXT, FreeCertContextFunctor>; |
| 31 |
| 32 namespace x509_util { |
| 33 |
| 34 // Creates an X509Certificate representing |os_cert| with intermediates |
| 35 // |os_chain|. |
| 36 NET_EXPORT scoped_refptr<X509Certificate> CreateX509CertificateFromCertContexts( |
| 37 PCCERT_CONTEXT os_cert, |
| 38 const std::vector<PCCERT_CONTEXT>& os_chain); |
| 39 |
| 40 // Returns a new PCCERT_CONTEXT containing the certificate and its |
| 41 // intermediate certificates, or NULL on failure. This function is only |
| 42 // necessary if the CERT_CONTEXT.hCertStore member will be accessed or |
| 43 // enumerated, which is generally true for any CryptoAPI functions involving |
| 44 // certificate chains, including validation or certificate display. |
| 45 // |
| 46 // While the returned PCCERT_CONTEXT and its HCERTSTORE can safely be used on |
| 47 // multiple threads if no further modifications happen, it is generally |
| 48 // preferable for each thread that needs such a context to obtain its own, |
| 49 // rather than risk thread-safety issues by sharing. |
| 50 // |
| 51 // ------------------------------------------------------------------------ |
| 52 // The following remarks only apply when USE_BYTE_CERTS=false (e.g., when |
| 53 // using x509_certificate_win). |
| 54 // TODO(mattm): remove references to USE_BYTE_CERTS and clean up the rest of |
| 55 // the comment when x509_certificate_win is deleted. |
| 56 // |
| 57 // The returned PCCERT_CONTEXT *MUST NOT* be stored in an X509Certificate, as |
| 58 // this will cause os_cert_handle() to return incorrect results. |
| 59 // |
| 60 // Depending on the CryptoAPI function, Windows may need to access the |
| 61 // HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to |
| 62 // locate additional intermediates. However, all X509Certificate handles are |
| 63 // added to a NULL HCERTSTORE, allowing the system to manage the resources. As |
| 64 // a result, intermediates for |cert->os_cert_handle()| cannot be located |
| 65 // simply via |cert->os_cert_handle()->hCertStore|, as it refers to a magic |
| 66 // value indicating "only this certificate". |
| 67 // |
| 68 // To avoid this problems, a new in-memory HCERTSTORE is created containing |
| 69 // just this certificate and its intermediates. The handle to the version of |
| 70 // the current certificate in the new HCERTSTORE is then returned, with the |
| 71 // PCCERT_CONTEXT's HCERTSTORE set to be automatically freed when the returned |
| 72 // certificate handle is freed. |
| 73 // |
| 74 // Because of how X509Certificate caching is implemented, attempting to |
| 75 // create an X509Certificate from the returned PCCERT_CONTEXT may result in |
| 76 // the original handle (and thus the originall HCERTSTORE) being returned by |
| 77 // os_cert_handle(). For this reason, the returned PCCERT_CONTEXT *MUST NOT* |
| 78 // be stored in an X509Certificate. |
| 79 NET_EXPORT ScopedPCCERT_CONTEXT |
| 80 CreateCertContextWithChain(const X509Certificate* cert); |
| 81 |
| 82 // Calculates the SHA-256 fingerprint of the certificate. Returns an empty |
| 83 // (all zero) fingerprint on failure. |
| 84 NET_EXPORT SHA256HashValue CalculateFingerprint256(PCCERT_CONTEXT cert); |
| 85 |
| 86 // Returns true if the certificate is self-signed. |
| 87 NET_EXPORT bool IsSelfSigned(PCCERT_CONTEXT cert_handle); |
| 88 |
| 89 } // namespace x509_util |
| 90 |
| 91 } // namespace net |
| 92 |
| 93 #endif // NET_CERT_X509_UTIL_WIN_H_ |
OLD | NEW |