author | mbelshe@chromium.org <mbelshe@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-03-03 23:07:28 +0000 |
---|---|---|
committer | mbelshe@chromium.org <mbelshe@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-03-03 23:07:28 +0000 |
commit | 7c8f18ab4383e497f0ba3663156abf81ea5af3e6 (patch) | |
tree | 55dad50fe5f4444083043ded0c259b81ae78fa67 /net/base/x509_certificate.h | |
parent | a81ec206b45851a7ece856149fc6be76918b6f1d (diff) | |
Add X509Certificate::VerifyCertName(string) API. This will be used
to check if a name matches a cert without doing a full certificate verify.
Use the API provided as part of NSS. For other platforms, provide a default
implementation based on GetDNSNames.
BUG=none
TEST=X509CertificateTest.WebkitCertParsing
Review URL: http://codereview.chromium.org/6612013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@76824 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/x509_certificate.h')
-rw-r--r-- | net/base/x509_certificate.h | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 961c68a..5c8a285 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -287,6 +287,16 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
 int flags,
 CertVerifyResult* verify_result) const;
 
+ // Verifies that |hostname| matches this certificate.
+ // Does not verify that the certificate is valid, only that the certificate
+ // matches this host.
+ // Returns true if it matches.
+ //
+ // WARNING: This function may return false negatives (for example, if
+ // |hostname| is an IP address literal) on some platforms. Only
+ // use in cases where some false-positives are acceptible.
+ bool VerifyNameMatch(const std::string& hostname) const;
+
 // This method returns the DER encoded certificate.
 // If the return value is true then the DER encoded certificate is available.
 // The content of the DER encoded certificate is written to |encoded|.
@@ -345,6 +355,17 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
 // (all zero) fingerprint on failure.
 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
 
+ // Verifies that |hostname| matches one of the names in |cert_names|, based on
+ // TLS name matching rules, specifically following http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4.4.3
+ // The members of |cert_names| must have been extracted from the Subject CN or
+ // SAN fields of a certificate.
+ // WARNING: This function may return false negatives (for example, if
+ // |hostname| is an IP address literal) on some platforms. Only
+ // use in cases where some false-positives are acceptible.
+ static bool VerifyHostname(const std::string& hostname,
+ const std::vector<std::string>& cert_names);
+
+
 // The subject of the certificate.
 CertPrincipal subject_;
 
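Review bot: The WARNING block on VerifyNameMatch in the first hunk contradicts itself: it says the function may return false negatives, then tells callers to use it only where false positives are acceptable. For a host-name check the dangerous outcome is a false positive (treating a certificate as covering a host its names do not cover), whereas a false negative only makes a caller fall back to the full verification path, so the guidance should name the failure mode the function actually has. I would change the last warning line to `// use in cases where some false negatives are acceptable.` (also fixing "acceptible"). The same sentence is copied verbatim onto VerifyHostname in the second hunk and needs the same correction. The enclosing X509Certificate class begins and ends outside the hunk.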
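Review bot: VerifyHostname in the second hunk takes one flat |cert_names| list that, per its own comment, mixes Subject CN and SAN entries, so the function itself cannot apply the fallback rule I read in the referenced draft (the CN is consulted only when the certificate carries no SAN dNSName entries); a certificate whose SAN names do not match but whose CN does would presumably still match through the CN. The header does not say which side owns that rule, so I would state it on the declaration: `// |cert_names| is matched as a flat list; callers must add the Subject CN only when the certificate has no SAN dNSName entries, as the referenced draft requires.` The implementation and the callers are not in this hunk, so whether they already do this cannot be confirmed here. The enclosing X509Certificate class begins and ends outside the hunk.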