net: move importing a DER certificate chain into X509Certificate.

This is a prelude to having SSLHostInfo be able to kick off certificate validations. The vector of intermediate certificates is added on Linux because, otherwise, nothing is holding a reference to them. Previously, the nss_fd_ was holding a reference. However, without the vector holding references, CreateFromDERChain deletes them all at the end and NSS has to AIA chase up the chain. BUG=none TEST=net_unittests http://codereview.chromium.org/3920001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@63881 0039d316-1c4b-4281-b951-d872f2087c98
author: agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-10-26 13:27:09 +0000
committer: agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-10-26 13:27:09 +0000
commit: 670dca99f9c8615c544d6fefaace29208c9223d2 (patch)
tree: 50a34ebd350701d916d0d35ec795e1e82d084a66 /net/base/x509_certificate.h
parent: cf408d77cc83210061573b507574974bf86289fa (diff)
download: chromium_src-670dca99f9c8615c544d6fefaace29208c9223d2.zip
chromium_src-670dca99f9c8615c544d6fefaace29208c9223d2.tar.gz
chromium_src-670dca99f9c8615c544d6fefaace29208c9223d2.tar.bz2
1 files changed, 22 insertions, 6 deletions
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 577de92..a7eef9d 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -13,6 +13,7 @@
 
 #include "base/gtest_prod_util.h"
 #include "base/ref_counted.h"
+#include "base/string_piece.h"
 #include "base/time.h"
 #include "net/base/x509_cert_types.h"
 
@@ -107,12 +108,20 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
   // certificate cache prefers the handle from the network because our HTTP
   // cache isn't caching the corresponding intermediate CA certificates yet
   // (http://crbug.com/7065).
-  // The list of intermediate certificates is ignored under NSS (i.e. Linux.)
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
       Source source,
       const OSCertHandles& intermediates);
 
+  // Create an X509Certificate from a chain of DER encoded certificates. The
+  // first certificate in the chain is the end-entity certificate to which a
+  // handle is returned. The other certificates in the chain are intermediate
+  // certificates. See the comment for |CreateFromHandle| about the |source|
+  // argument.
+  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
+  static X509Certificate* CreateFromDERCertChain(
+      const std::vector<base::StringPiece>& der_certs);
+
   // Create an X509Certificate from the DER-encoded representation.
   // Returns NULL on failure.
   //
@@ -173,14 +182,12 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
   // now.
   bool HasExpired() const;
 
-#if defined(OS_MACOSX) || defined(OS_WIN) || defined(USE_OPENSSL)
   // Returns intermediate certificates added via AddIntermediateCertificate().
   // Ownership follows the "get" rule: it is the caller's responsibility to
   // retain the elements of the result.
   const OSCertHandles& GetIntermediateCertificates() const {
     return intermediate_ca_certs_;
   }
-#endif
 
   // Returns true if I already contain the given intermediate cert.
   bool HasIntermediateCertificate(OSCertHandle cert);
@@ -213,6 +220,17 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
   CFArrayRef CreateClientCertificateChain() const;
 #endif
 
+#if defined(OS_WIN)
+  // Returns a handle to a global, in-memory certificate store. We use it for
+  // two purposes:
+  // 1. Import server certificates into this store so that we can verify and
+  //    display the certificates using CryptoAPI.
+  // 2. Copy client certificates from the "MY" system certificate store into
+  //    this store so that we can close the system store when we finish
+  //    searching for client certificates.
+  static HCERTSTORE cert_store();
+#endif
+
   // Verifies the certificate against the given hostname.  Returns OK if
   // successful or an error code upon failure.
   //
@@ -292,11 +310,9 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
   // A handle to the certificate object in the underlying crypto library.
   OSCertHandle cert_handle_;
 
-#if defined(OS_MACOSX) || defined(OS_WIN) || defined(USE_OPENSSL)
   // Untrusted intermediate certificates associated with this certificate
-  // that may be needed for chain building. (NSS impl does not need these.)
+  // that may be needed for chain building.
   OSCertHandles intermediate_ca_certs_;
-#endif
 
 #if defined(OS_MACOSX)
   // Blocks multiple threads from verifying the cert simultaneously.
author	agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-10-26 13:27:09 +0000
committer	agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-10-26 13:27:09 +0000
commit	670dca99f9c8615c544d6fefaace29208c9223d2 (patch)
tree	50a34ebd350701d916d0d35ec795e1e82d084a66 /net/base/x509_certificate.h
parent	cf408d77cc83210061573b507574974bf86289fa (diff)
download	chromium_src-670dca99f9c8615c544d6fefaace29208c9223d2.zip chromium_src-670dca99f9c8615c544d6fefaace29208c9223d2.tar.gz chromium_src-670dca99f9c8615c544d6fefaace29208c9223d2.tar.bz2