1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_X509_CERTIFICATE_H_ | 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ |
6 #define NET_BASE_X509_CERTIFICATE_H_ | 6 #define NET_BASE_X509_CERTIFICATE_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <string.h> | 9 #include <string.h> |
10 | 10 |
72 class LessThan { | 72 class LessThan { |
73 public: | 73 public: |
74 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; | 74 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; |
75 }; | 75 }; |
76 | 76 |
77 // Where the certificate comes from. The enumeration constants are | 77 // Where the certificate comes from. The enumeration constants are |
78 // listed in increasing order of preference. | 78 // listed in increasing order of preference. |
79 enum Source { | 79 enum Source { |
80 SOURCE_UNUSED = 0, // The source_ member is not used. | 80 SOURCE_UNUSED = 0, // The source_ member is not used. |
81 SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without | 81 SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without |
82 // its intermediate CA certificates. | 82 // any intermediate CA certificates. |
83 SOURCE_FROM_NETWORK = 2, // From the network. | 83 SOURCE_FROM_CACHE = 2, // From the disk cache - which contains |
84 // intermediate CA certificates, but may be | |
85 // stale. | |
86 SOURCE_FROM_NETWORK = 3, // From the network. | |
84 }; | 87 }; |
wtc
2011/04/20 23:07:58
IMPORTANT: I added the enum Source to work around
Ryan Sleevi
2011/04/20 23:59:10
The motivation for extending it in M12 was to mini
| |
85 | 88 |
86 enum VerifyFlags { | 89 enum VerifyFlags { |
87 VERIFY_REV_CHECKING_ENABLED = 1 << 0, | 90 VERIFY_REV_CHECKING_ENABLED = 1 << 0, |
88 VERIFY_EV_CERT = 1 << 1, | 91 VERIFY_EV_CERT = 1 << 1, |
89 }; | 92 }; |
90 | 93 |
91 enum Format { | 94 enum Format { |
92 // The data contains a single DER-encoded certificate, or a PEM-encoded | 95 // The data contains a single DER-encoded certificate, or a PEM-encoded |
93 // DER certificate with the PEM encoding block name of "CERTIFICATE". | 96 // DER certificate with the PEM encoding block name of "CERTIFICATE". |
94 // Any subsequent blocks will be ignored. | 97 // Any subsequent blocks will be ignored. |
95 FORMAT_SINGLE_CERTIFICATE = 1 << 0, | 98 FORMAT_SINGLE_CERTIFICATE = 1 << 0, |
96 | 99 |
97 // The data contains a sequence of one or more PEM-encoded, DER | 100 // The data contains a sequence of one or more PEM-encoded, DER |
98 // certificates, with the PEM encoding block name of "CERTIFICATE". | 101 // certificates, with the PEM encoding block name of "CERTIFICATE". |
99 // All PEM blocks will be parsed, until the first error is encountered. | 102 // All PEM blocks will be parsed, until the first error is encountered. |
100 FORMAT_PEM_CERT_SEQUENCE = 1 << 1, | 103 FORMAT_PEM_CERT_SEQUENCE = 1 << 1, |
101 | 104 |
102 // The data contains a PKCS#7 SignedData structure, whose certificates | 105 // The data contains a PKCS#7 SignedData structure, whose certificates |
103 // member is to be used to initialize the certificate and intermediates. | 106 // member is to be used to initialize the certificate and intermediates. |
104 // The data may further be encoded using PEM, specifying block names of | 107 // The data may further be encoded using PEM, specifying block names of |
105 // either "PKCS7" or "CERTIFICATE". | 108 // either "PKCS7" or "CERTIFICATE". |
106 FORMAT_PKCS7 = 1 << 2, | 109 FORMAT_PKCS7 = 1 << 2, |
107 | 110 |
108 // Automatically detect the format. | 111 // Automatically detect the format. |
109 FORMAT_AUTO = FORMAT_SINGLE_CERTIFICATE | FORMAT_PEM_CERT_SEQUENCE | | 112 FORMAT_AUTO = FORMAT_SINGLE_CERTIFICATE | FORMAT_PEM_CERT_SEQUENCE | |
110 FORMAT_PKCS7, | 113 FORMAT_PKCS7, |
111 }; | 114 }; |
112 | 115 |
116 enum PickleType { | |
wtc
2011/04/20 23:07:58
The motivation for enum PickleType should be docum
| |
117 // When reading a certificate from a Pickle, the Pickle only contains a | |
118 // single certificate. | |
119 PICKLETYPE_SINGLE_CERTIFICATE, | |
120 | |
121 // When reading a certificate from a Pickle, the Pickle contains the | |
122 // the certificate plus any certificates that were stored in | |
123 // |intermediate_ca_certificates_| at the time it was serialized. | |
124 PICKLETYPE_CERTIFICATE_CHAIN, | |
125 }; | |
126 | |
113 // Creates a X509Certificate from the ground up. Used by tests that simulate | 127 // Creates a X509Certificate from the ground up. Used by tests that simulate |
114 // SSL connections. | 128 // SSL connections. |
115 X509Certificate(const std::string& subject, const std::string& issuer, | 129 X509Certificate(const std::string& subject, const std::string& issuer, |
116 base::Time start_date, base::Time expiration_date); | 130 base::Time start_date, base::Time expiration_date); |
117 | 131 |
118 // Create an X509Certificate from a handle to the certificate object in the | 132 // Create an X509Certificate from a handle to the certificate object in the |
119 // underlying crypto library. |source| specifies where |cert_handle| comes | 133 // underlying crypto library. |source| specifies where |cert_handle| comes |
120 // from. Given two certificate handles for the same certificate, our | 134 // from. Given two certificate handles for the same certificate, our |
121 // certificate cache prefers the handle from the network because our HTTP | 135 // certificate cache prefers the handle from the network because our HTTP |
122 // cache isn't caching the corresponding intermediate CA certificates yet | 136 // cache isn't caching the corresponding intermediate CA certificates yet |
123 // (http://crbug.com/7065). | 137 // (http://crbug.com/7065). |
124 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. | 138 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. |
125 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, | 139 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, |
126 Source source, | 140 Source source, |
127 const OSCertHandles& intermediates); | 141 const OSCertHandles& intermediates); |
128 | 142 |
129 // Create an X509Certificate from a chain of DER encoded certificates. The | 143 // Create an X509Certificate from a chain of DER encoded certificates. The |
130 // first certificate in the chain is the end-entity certificate to which a | 144 // first certificate in the chain is the end-entity certificate to which a |
131 // handle is returned. The other certificates in the chain are intermediate | 145 // handle is returned. The other certificates in the chain are intermediate |
132 // certificates. See the comment for |CreateFromHandle| about the |source| | 146 // certificates. See the comment for |CreateFromHandle| about the |source| |
133 // argument. | 147 // argument. |
134 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. | 148 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. |
135 static X509Certificate* CreateFromDERCertChain( | 149 static X509Certificate* CreateFromDERCertChain( |
136 const std::vector<base::StringPiece>& der_certs); | 150 const std::vector<base::StringPiece>& der_certs); |
137 | 151 |
138 // Create an X509Certificate from the DER-encoded representation. | 152 // Create an X509Certificate from the DER-encoded representation. |
139 // Returns NULL on failure. | 153 // Returns NULL on failure. |
140 // | 154 // |
141 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. | 155 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. |
142 static X509Certificate* CreateFromBytes(const char* data, int length); | 156 static X509Certificate* CreateFromBytes(const char* data, int length); |
143 | 157 |
144 // Create an X509Certificate from the representation stored in the given | 158 // Create an X509Certificate from the representation stored in the given |
145 // pickle. The data for this object is found relative to the given | 159 // pickle. The data for this object is found relative to the given |
146 // pickle_iter, which should be passed to the pickle's various Read* methods. | 160 // pickle_iter, which should be passed to the pickle's various Read* methods. |
147 // Returns NULL on failure. | 161 // Returns NULL on failure. |
148 // | 162 // |
149 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. | 163 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. |
150 static X509Certificate* CreateFromPickle(const Pickle& pickle, | 164 static X509Certificate* CreateFromPickle(const Pickle& pickle, |
151 void** pickle_iter); | 165 void** pickle_iter, |
166 PickleType type); | |
152 | 167 |
153 // Parses all of the certificates possible from |data|. |format| is a | 168 // Parses all of the certificates possible from |data|. |format| is a |
154 // bit-wise OR of Format, indicating the possible formats the | 169 // bit-wise OR of Format, indicating the possible formats the |
155 // certificates may have been serialized as. If an error occurs, an empty | 170 // certificates may have been serialized as. If an error occurs, an empty |
156 // collection will be returned. | 171 // collection will be returned. |
157 static CertificateList CreateCertificateListFromBytes(const char* data, | 172 static CertificateList CreateCertificateListFromBytes(const char* data, |
158 int length, | 173 int length, |
159 int format); | 174 int format); |
160 | 175 |
161 // Create a self-signed certificate containing the public key in |key|. | 176 // Create a self-signed certificate containing the public key in |key|. |
382 | 397 |
383 // IsBlacklisted returns true if this certificate is explicitly blacklisted. | 398 // IsBlacklisted returns true if this certificate is explicitly blacklisted. |
384 bool IsBlacklisted() const; | 399 bool IsBlacklisted() const; |
385 | 400 |
386 // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted | 401 // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted |
387 // array of SHA1 hashes. | 402 // array of SHA1 hashes. |
388 static bool IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 403 static bool IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
389 const uint8* array, | 404 const uint8* array, |
390 size_t array_byte_len); | 405 size_t array_byte_len); |
391 | 406 |
407 // Reads a single certificate from |pickle| and returns a platform-specific | |
408 // certificate handle. The format of the certificate stored in |pickle| is | |
409 // not guaranteed to be the same across different underlying cryptographic | |
410 // libraries, nor acceptable to CreateFromBytes(). Returns an invalid | |
411 // handle, NULL, on failure. | |
412 static OSCertHandle ReadCertHandleFromPickle(const Pickle& pickle, | |
413 void** pickle_iter); | |
414 | |
415 // Writes a single certificate to |pickle|. Returns false on failure. | |
416 static bool WriteCertHandleToPickle(OSCertHandle handle, Pickle* pickle); | |
wtc
2011/04/20 23:07:58
Nit: these two function names should say "OSCertHa
| |
417 | |
392 // The subject of the certificate. | 418 // The subject of the certificate. |
393 CertPrincipal subject_; | 419 CertPrincipal subject_; |
394 | 420 |
395 // The issuer of the certificate. | 421 // The issuer of the certificate. |
396 CertPrincipal issuer_; | 422 CertPrincipal issuer_; |
397 | 423 |
398 // This certificate is not valid before |valid_start_| | 424 // This certificate is not valid before |valid_start_| |
399 base::Time valid_start_; | 425 base::Time valid_start_; |
400 | 426 |
401 // This certificate is not valid after |valid_expiry_| | 427 // This certificate is not valid after |valid_expiry_| |
422 | 448 |
423 // Where the certificate comes from. | 449 // Where the certificate comes from. |
424 Source source_; | 450 Source source_; |
425 | 451 |
426 DISALLOW_COPY_AND_ASSIGN(X509Certificate); | 452 DISALLOW_COPY_AND_ASSIGN(X509Certificate); |
427 }; | 453 }; |
428 | 454 |
429 } // namespace net | 455 } // namespace net |
430 | 456 |
431 #endif // NET_BASE_X509_CERTIFICATE_H_ | 457 #endif // NET_BASE_X509_CERTIFICATE_H_ |
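Review bot: The CreateFromHandle comment on the new side (lines 134-137) is now contradicted by the new SOURCE_FROM_CACHE entry: it still says the handle from the network is preferred "because our HTTP cache isn't caching the corresponding intermediate CA certificates yet (http://crbug.com/7065)", while SOURCE_FROM_CACHE is documented as coming from a disk cache that does contain intermediates but may be stale. I would reword it to match the enum, e.g. `// Given two handles for the same certificate, the certificate cache prefers the one with the higher |source| (see Source): a chain from the network is preferred over one from the disk cache, whose intermediates may be stale.` The ReadCertHandleFromPickle / CreateFromPickle comments (new lines 158-166 and 407-413) should also say that a pickle read from the disk cache is untrusted, possibly stale or truncated input, that any length read from it must be bounds-checked before it is handed to the underlying crypto library, and that a chain reconstructed from a pickle carries no verification state and must still go through Verify() before it is trusted; as far as I can tell from this header nothing documents that, and the implementation is outside this diff. Minor: the PICKLETYPE_CERTIFICATE_CHAIN comment reads "contains the the certificate".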