authoravi@google.com <avi@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-09-23 21:58:45 +0000
committeravi@google.com <avi@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-09-23 21:58:45 +0000
commitd4f7e76644f684d0e9395fa8225e0d1c607de241 (patch)
tree037f5dd8b63ae6dcb79a7850c5a41dee128dafd4 /net/base/x509_certificate.cc
parent9f8a2077e3c53da309c3e9b3698eff577877ad8c (diff)
Refactoring out common code in the X.509 cert handling
Review URL: http://codereview.chromium.org/4040 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2525 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/x509_certificate.cc')
-rw-r--r--net/base/x509_certificate.cc126
1 files changed, 126 insertions, 0 deletions
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
new file mode 100644
index 0000000..d62f963
--- /dev/null
+++ b/net/base/x509_certificate.cc
@@ -0,0 +1,126 @@
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/x509_certificate.h"
+
+#include "base/logging.h"
+
+namespace net {
+
+namespace {
+
+// Returns true if this cert fingerprint is the null (all zero) fingerprint.
+// We use this as a bogus fingerprint value.
+bool IsNullFingerprint(const X509Certificate::Fingerprint& fingerprint) {
+ for (size_t i = 0; i < arraysize(fingerprint.data); ++i) {
+ if (fingerprint.data[i] != 0)
+ return false;
+ }
+ return true;
+}
+
+} // namespace
+
+bool X509Certificate::FingerprintLessThan::operator()(
+ const Fingerprint& lhs,
+ const Fingerprint& rhs) const {
+ for (size_t i = 0; i < sizeof(lhs.data); ++i) {
+ if (lhs.data[i] < rhs.data[i])
+ return true;
+ if (lhs.data[i] > rhs.data[i])
+ return false;
+ }
+ return false;
+}
+
+bool X509Certificate::LessThan::operator()(X509Certificate* lhs,
+ X509Certificate* rhs) const {
+ if (lhs == rhs)
+ return false;
+
+ X509Certificate::FingerprintLessThan fingerprint_functor;
+ return fingerprint_functor(lhs->fingerprint_, rhs->fingerprint_);
+}
+
+// A thread-safe cache for X509Certificate objects.
+//
+// The cache does not hold a reference to the certificate objects. The objects
+// must |Remove| themselves from the cache upon destruction (or else the cache
+// will be holding dead pointers to the objects).
+
+// Get the singleton object for the cache.
+// static
+X509Certificate::Cache* X509Certificate::Cache::GetInstance() {
+ return Singleton<X509Certificate::Cache>::get();
+}
+
+// Insert |cert| into the cache. The cache does NOT AddRef |cert|. The cache
+// must not already contain a certificate with the same fingerprint.
+void X509Certificate::Cache::Insert(X509Certificate* cert) {
+ AutoLock lock(lock_);
+
+ DCHECK(!IsNullFingerprint(cert->fingerprint())) <<
+ "Only insert certs with real fingerprints.";
+ DCHECK(cache_.find(cert->fingerprint()) == cache_.end());
+ cache_[cert->fingerprint()] = cert;
+};
+
+// Remove |cert| from the cache. The cache does not assume that |cert| is
+// already in the cache.
+void X509Certificate::Cache::Remove(X509Certificate* cert) {
+ AutoLock lock(lock_);
+
+ CertMap::iterator pos(cache_.find(cert->fingerprint()));
+ if (pos == cache_.end())
+ return; // It is not an error to remove a cert that is not in the cache.
+ cache_.erase(pos);
+};
+
+// Find a certificate in the cache with the given fingerprint. If one does
+// not exist, this method returns NULL.
+X509Certificate* X509Certificate::Cache::Find(const Fingerprint& fingerprint) {
+ AutoLock lock(lock_);
+
+ CertMap::iterator pos(cache_.find(fingerprint));
+ if (pos == cache_.end())
+ return NULL;
+
+ return pos->second;
+};
+
+X509Certificate::Policy::Judgment X509Certificate::Policy::Check(
+ X509Certificate* cert) const {
+ // It shouldn't matter which set we check first, but we check denied first
+ // in case something strange has happened.
+
+ if (denied_.find(cert->fingerprint()) != denied_.end()) {
+ // DCHECK that the order didn't matter.
+ DCHECK(allowed_.find(cert->fingerprint()) == allowed_.end());
+ return DENIED;
+ }
+
+ if (allowed_.find(cert->fingerprint()) != allowed_.end()) {
+ // DCHECK that the order didn't matter.
+ DCHECK(denied_.find(cert->fingerprint()) == denied_.end());
+ return ALLOWED;
+ }
+
+ // We don't have a policy for this cert.
+ return UNKNOWN;
+}
+
+void X509Certificate::Policy::Allow(X509Certificate* cert) {
+ // Put the cert in the allowed set and (maybe) remove it from the denied set.
+ denied_.erase(cert->fingerprint());
+ allowed_.insert(cert->fingerprint());
+}
+
+void X509Certificate::Policy::Deny(X509Certificate* cert) {
+ // Put the cert in the denied set and (maybe) remove it from the allowed set.
+ allowed_.erase(cert->fingerprint());
+ denied_.insert(cert->fingerprint());
+}
+
+} // namespace net
+
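Review bot: `Cache::Find` returns `pos->second` as a raw pointer after `lock_` is released, and the comment above `GetInstance` says the cache holds no reference to the objects. A certificate whose last reference is dropped on another thread could therefore be destroyed between the lookup and the caller taking its own reference. If X509Certificate is reference-counted, as the `AddRef` wording on `Insert` suggests, take the reference while the lock is still held, or at least state the contract on `Find`, e.g. `// The returned pointer is not AddRef'd; the caller must guarantee the cert cannot be destroyed concurrently.` Separately, `Insert` enforces uniqueness only with `DCHECK`, so where DCHECK compiles out `cache_[cert->fingerprint()] = cert;` silently replaces an existing entry. `Remove` then erases by fingerprint alone, so adding `if (pos->second != cert) return;` before the erase would keep one object's destruction from evicting another object's entry.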