net/cert/x509_util_openssl.h - Issue 576233002: Only use the platform cert in verification in SSLClientSocketOpenSSL.

Side by Side Diff: net/cert/x509_util_openssl.h

Issue 576233002: Only use the platform cert in verification in SSLClientSocketOpenSSL. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Actually fix Android build Created 6 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_CERT_X509_UTIL_OPENSSL_H_	5 #ifndef NET_CERT_X509_UTIL_OPENSSL_H_

6 #define NET_CERT_X509_UTIL_OPENSSL_H_	6 #define NET_CERT_X509_UTIL_OPENSSL_H_

7	7

8 #include <openssl/asn1.h>	8 #include <openssl/asn1.h>

9 #include <openssl/x509v3.h>	9 #include <openssl/x509v3.h>

10	10

11 #include <string>	11 #include <string>

12 #include <vector>	12 #include <vector>

13	13

	14 #include "base/strings/string_piece.h"

14 #include "net/base/net_export.h"	15 #include "net/base/net_export.h"

15	16

16 namespace base {	17 namespace base {

17 class Time;	18 class Time;

18 } // namespace base	19 } // namespace base

19	20

20 namespace net {	21 namespace net {

21	22

22 // A collection of helper functions to fetch data from OpenSSL X509 certificates	23 // A collection of helper functions to fetch data from OpenSSL X509 certificates

23 // into more convenient std / base datatypes.	24 // into more convenient std / base datatypes.

(...skipping 11 matching lines...) Expand all Loading...
35 bool NET_EXPORT ParsePrincipalValueByIndex(X509_NAME* name,	36 bool NET_EXPORT ParsePrincipalValueByIndex(X509_NAME* name,

36 int index,	37 int index,

37 std::string* value);	38 std::string* value);

38	39

39 bool NET_EXPORT ParsePrincipalValueByNID(X509_NAME* name,	40 bool NET_EXPORT ParsePrincipalValueByNID(X509_NAME* name,

40 int nid,	41 int nid,

41 std::string* value);	42 std::string* value);

42	43

43 bool NET_EXPORT ParseDate(ASN1_TIME* x509_time, base::Time* time);	44 bool NET_EXPORT ParseDate(ASN1_TIME* x509_time, base::Time* time);

44	45

	46 // DER-encodes \|x509\|. On success, returns true and writes the

	47 // encoding to \|*out_der\|.

	48 bool NET_EXPORT GetDER(X509* x509, std::string* out_der);

	49
	Ryan Sleevi 2014/09/19 15:56:54 Why does this need to be exported? It is just a wr Why does this need to be exported? It is just a wrapper for i2d, which no one should need, right? Or they can use the X509Certificate method, which this seems to be redundant with? That is, why wouldn't you keep this method purely in the .cc, and make GetDerAndCacheIfNeeded called GetDER. The fact that there is a cache is an opaque detail, right? davidben 2014/09/19 16:53:40 Well, that there is a cache isn't entirely opaque Show quoted text On 2014/09/19 15:56:54, Ryan Sleevi wrote: > Why does this need to be exported? It is just a wrapper for i2d, which no one > should need, right? Or they can use the X509Certificate method, which this seems > to be redundant with? > > That is, why wouldn't you keep this method purely in the .cc, and make > GetDerAndCacheIfNeeded called GetDER. The fact that there is a cache is an > opaque detail, right? Well, that there is a cache isn't entirely opaque for a raw X509 since they're not necessarily immutable, so I figured it'd be worth exposing both cached and uncached versions. (GetDER is uncached.) I can unexpose GetDER if you prefer; I think nothing outside x509_util_openssl.cc is actually using it. This isn't redundant with the X509Certificate version because that's for the platform one (which was the whole point of moving it to x509_util). Ryan Sleevi 2014/09/19 17:39:33 Yeah, I would rather wait until we have a demonstr Show quoted text On 2014/09/19 16:53:40, David Benjamin wrote: > On 2014/09/19 15:56:54, Ryan Sleevi wrote: > > Why does this need to be exported? It is just a wrapper for i2d, which no one > > should need, right? Or they can use the X509Certificate method, which this > seems > > to be redundant with? > > > > That is, why wouldn't you keep this method purely in the .cc, and make > > GetDerAndCacheIfNeeded called GetDER. The fact that there is a cache is an > > opaque detail, right? > > Well, that there is a cache isn't entirely opaque for a raw X509 since they're > not necessarily immutable, so I figured it'd be worth exposing both cached and > uncached versions. (GetDER is uncached.) I can unexpose GetDER if you prefer; I > think nothing outside x509_util_openssl.cc is actually using it. > Yeah, I would rather wait until we have a demonstrable need for it. Show quoted text > This isn't redundant with the X509Certificate version because that's for the > platform one (which was the whole point of moving it to x509_util). I was more assuming that the only time you'd want to get the DER for an X509 AND explicitly not cache it would be on USE_OPENSSL_CERTS, which is why it seemed redundant/unnecessary, and that everyone else should always be using the AndCacheIfNeeded version. davidben 2014/09/19 18:10:09 Done. Show quoted text On 2014/09/19 17:39:33, Ryan Sleevi wrote: > On 2014/09/19 16:53:40, David Benjamin wrote: > > On 2014/09/19 15:56:54, Ryan Sleevi wrote: > > > Why does this need to be exported? It is just a wrapper for i2d, which no > one > > > should need, right? Or they can use the X509Certificate method, which this > > seems > > > to be redundant with? > > > > > > That is, why wouldn't you keep this method purely in the .cc, and make > > > GetDerAndCacheIfNeeded called GetDER. The fact that there is a cache is an > > > opaque detail, right? > > > > Well, that there is a cache isn't entirely opaque for a raw X509 since they're > > not necessarily immutable, so I figured it'd be worth exposing both cached and > > uncached versions. (GetDER is uncached.) I can unexpose GetDER if you prefer; > I > > think nothing outside x509_util_openssl.cc is actually using it. > > > > Yeah, I would rather wait until we have a demonstrable need for it. > > > This isn't redundant with the X509Certificate version because that's for the > > platform one (which was the whole point of moving it to x509_util). > > I was more assuming that the only time you'd want to get the DER for an X509 AND > explicitly not cache it would be on USE_OPENSSL_CERTS, which is why it seemed > redundant/unnecessary, and that everyone else should always be using the > AndCacheIfNeeded version. Done.
	50 // DER-encodes \|x509\|, caching the encoding in a structure owned by

	51 // the X509. On success, returns true, and sets \|*out_der\| to point to

	52 // the encoding. The StringPiece is valid as long as \|x509\| is not

	53 // freed.

	54 //

	55 // Note: this caches the encoding, so \|x509\| must not be modified

	56 // after the first call to this function.

	57 bool NET_EXPORT GetDERAndCacheIfNeeded(X509* x509, base::StringPiece* out_der);

	58

45 } // namespace x509_util	59 } // namespace x509_util

46	60

47 } // namespace net	61 } // namespace net

48	62

49 #endif // NET_CERT_X509_UTIL_OPENSSL_H_	63 #endif // NET_CERT_X509_UTIL_OPENSSL_H_

OLD	NEW

« no previous file with comments | « net/cert/x509_certificate_openssl.cc ('k') | net/cert/x509_util_openssl.cc » ('j') | no next file with comments »