Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2173)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/x509_util_win.h

Issue 2913253003: Convert Windows to use X509CertificateBytes. (Closed)
Patch Set: rebase Created 3 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« chrome/browser/ui/cryptuiapi_shim.h ('K') | « net/cert/x509_certificate_win.cc ('k') | net/cert/x509_util_win.cc » ('j') | net/cert/x509_util_win.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/x509_util_win.h
diff --git a/net/cert/x509_util_win.h b/net/cert/x509_util_win.h
new file mode 100644
index 0000000000000000000000000000000000000000..88d7893289a44a5e349c8509b8609d162515b60b
--- /dev/null
+++ b/net/cert/x509_util_win.h
@@ -0,0 +1,93 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_X509_UTIL_WIN_H_
+#define NET_CERT_X509_UTIL_WIN_H_
+
+#include <memory>
+#include <vector>
+
+#include <windows.h>
+
+#include "base/memory/ref_counted.h"
+#include "crypto/wincrypt_shim.h"
+#include "net/base/hash_value.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+class X509Certificate;
+
+struct FreeCertContextFunctor {
+ void operator()(PCCERT_CONTEXT context) const {
+ if (context)
+ CertFreeCertificateContext(context);
+ }
+};
+
+typedef std::unique_ptr<const CERT_CONTEXT, FreeCertContextFunctor>
+ ScopedPCCERT_CONTEXT;
davidben 2017/06/15 23:55:18 Nit: using.
mattm 2017/06/16 21:39:31 Done.
+
+namespace x509_util {
+
+// Creates an X509Certificate representing |os_cert| with intermediates
+// |os_chain|.
+NET_EXPORT scoped_refptr<X509Certificate> CreateX509CertificateFromCertContexts(
+ PCCERT_CONTEXT os_cert,
+ const std::vector<PCCERT_CONTEXT>& os_chain);
+
+// Returns a new PCCERT_CONTEXT containing the certificate and its
+// intermediate certificates, or NULL on failure. This function is only
+// necessary if the CERT_CONTEXT.hCertStore member will be accessed or
+// enumerated, which is generally true for any CryptoAPI functions involving
+// certificate chains, including validation or certificate display.
+//
+// While the returned PCCERT_CONTEXT and its HCERTSTORE can safely be used on
+// multiple threads if no further modifications happen, it is generally
+// preferable for each thread that needs such a context to obtain its own,
+// rather than risk thread-safety issues by sharing.
+//
+// ------------------------------------------------------------------------
+// The following remarks only apply when USE_BYTE_CERTS=false (e.g., when
+// using x509_certificate_win).
+// TODO(mattm): remove references to USE_BYTE_CERTS and clean up the rest of
+// the comment when x509_certificate_win is deleted.
+//
+// The returned PCCERT_CONTEXT *MUST NOT* be stored in an X509Certificate, as
+// this will cause os_cert_handle() to return incorrect results.
+//
+// Depending on the CryptoAPI function, Windows may need to access the
+// HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to
+// locate additional intermediates. However, all X509Certificate handles are
+// added to a NULL HCERTSTORE, allowing the system to manage the resources. As
+// a result, intermediates for |cert->os_cert_handle()| cannot be located
+// simply via |cert->os_cert_handle()->hCertStore|, as it refers to a magic
+// value indicating "only this certificate".
+//
+// To avoid this problems, a new in-memory HCERTSTORE is created containing
+// just this certificate and its intermediates. The handle to the version of
+// the current certificate in the new HCERTSTORE is then returned, with the
+// PCCERT_CONTEXT's HCERTSTORE set to be automatically freed when the returned
+// certificate handle is freed.
+//
+// Because of how X509Certificate caching is implemented, attempting to
+// create an X509Certificate from the returned PCCERT_CONTEXT may result in
+// the original handle (and thus the originall HCERTSTORE) being returned by
+// os_cert_handle(). For this reason, the returned PCCERT_CONTEXT *MUST NOT*
+// be stored in an X509Certificate.
+NET_EXPORT ScopedPCCERT_CONTEXT
+CreateCertContextWithChain(const X509Certificate* cert);
+
+// Calculates the SHA-256 fingerprint of the certificate. Returns an empty
+// (all zero) fingerprint on failure.
+NET_EXPORT SHA256HashValue CalculateFingerprint256(PCCERT_CONTEXT cert);
+
+// Returns true if the certificate is self-signed.
+NET_EXPORT bool IsSelfSigned(PCCERT_CONTEXT cert_handle);
+
+} // namespace x509_util
+
+} // namespace net
+
+#endif // NET_CERT_X509_UTIL_WIN_H_
« chrome/browser/ui/cryptuiapi_shim.h ('K') | « net/cert/x509_certificate_win.cc ('k') | net/cert/x509_util_win.cc » ('j') | net/cert/x509_util_win.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698