author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-26 13:56:57 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-26 13:56:57 +0000 |
commit | 98f397e9a7720f1476e37b0966c9ad70ea4deebc (patch) | |
tree | 9e7374a3d50f0abc764343981c8b071850ff3c8d /net/socket/ssl_host_info.h | |
parent | abf23550d6399dc647c984f9135447f658bbaf35 (diff) | |
download | chromium_src-98f397e9a7720f1476e37b0966c9ad70ea4deebc.zip chromium_src-98f397e9a7720f1476e37b0966c9ad70ea4deebc.tar.gz chromium_src-98f397e9a7720f1476e37b0966c9ad70ea4deebc.tar.bz2 |
net: always save certs and trigger verify in SSLHostInfo.
(This is still behind --enable-snap-start because the SSLHostInfo's
don't get created without it.)
Have ssl_client_socket_nss always save certificates to the SSLHostInfo
and have the SSLHostInfo kick off a validation as soon as possible if
it has the certificates.
For now the validation just primes the OCSP cache and isn't tied into
anything else. In future patches, the SSL socket will compare the
actual certificates against the predicted certificates and avoid a
second validation if they match.
BUG=none
TEST=none
http://codereview.chromium.org/3968003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@63887 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_host_info.h')
-rw-r--r-- | net/socket/ssl_host_info.h | 34 |
1 files changed, 32 insertions, 2 deletions
diff --git a/net/socket/ssl_host_info.h b/net/socket/ssl_host_info.h
index ea82f34..6d545a9 100644
--- a/net/socket/ssl_host_info.h
+++ b/net/socket/ssl_host_info.h
@@ -9,18 +9,24 @@
 #include <vector>
 
 #include "base/ref_counted.h"
+#include "base/scoped_ptr.h"
+#include "net/base/cert_verify_result.h"
 #include "net/base/completion_callback.h"
 #include "net/socket/ssl_client_socket.h"
 
 namespace net {
 
+class CertVerifier;
+class X509Certificate;
+struct SSLConfig;
+
 // SSLHostInfo is an interface for fetching information about an SSL server.
 // This information may be stored on disk so does not include keys or session
 // information etc. Primarily it's intended for caching the server's
 // certificates.
 class SSLHostInfo {
  public:
-  SSLHostInfo();
+  SSLHostInfo(const std::string& hostname, const SSLConfig& ssl_config);
   virtual ~SSLHostInfo();
 
   // Start will commence the lookup. This must be called before any other
@@ -72,6 +78,14 @@ class SSLHostInfo {
   const State& state() const;
   State* mutable_state();
 
+  // This is true if state().certs.size() > 0 and state().certs[0] has been
+  // verified for |hostname_|.
+  bool cert_valid() const;
+
+  // If |cert_valid()| returns true, then this contains the result of verifying
+  // the certificate.
+  const CertVerifyResult& cert_verify_result() const;
+
  protected:
   // Parse parses an opaque blob of data and fills out the public member fields
   // of this object. It returns true iff the parse was successful. The public
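Review bot: The comment on cert_valid() in the second hunk leaves "has been verified" ambiguous: it should say whether a verification that finished with an error still yields true (with the error visible in cert_verify_result()) or whether true means the chain was accepted for |hostname_|, because consumers will read it as "trusted". cert_verify_result() should likewise state what it holds when cert_valid() is false (presumably a default-constructed CertVerifyResult; a DCHECK on cert_valid() in the accessor would make the precondition explicit). Since the verification runs with the revocation-checking and EV flags captured from the SSLConfig passed to the constructor, the comment should also say the result is only meaningful for a connection that uses the same flags and whose leaf certificate is byte-identical to state().certs[0]. Suggested first line, to be adjusted if VerifyCallback() also sets the flag on failure (its body is not in this header diff): `// True iff state().certs is non-empty and state().certs[0] verified successfully for |hostname_|; see cert_verify_result() for details.`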
@@ -79,6 +93,21 @@ class SSLHostInfo {
   bool Parse(const std::string& data);
   std::string Serialize() const;
   State state_;
+
+ private:
+  // This is the callback function which the CertVerifier calls via |callback_|.
+  void VerifyCallback(int rv);
+
+  // This is the hostname that we'll validate the certificates against.
+  const std::string hostname_;
+  bool cert_valid_;  // see the comments for |cert_valid|.
+  // These two members are taken from the SSLConfig.
+  bool rev_checking_enabled_;
+  bool verify_ev_cert_;
+  CertVerifyResult cert_verify_result_;
+  scoped_ptr<CertVerifier> verifier_;
+  scoped_refptr<X509Certificate> cert_;
+  scoped_refptr<CancelableCompletionCallback<SSLHostInfo> > callback_;
 };
 
 class SSLHostInfoFactory {
@@ -87,7 +116,8 @@ class SSLHostInfoFactory {
 
   // GetForHost returns a fresh, allocated SSLHostInfo for the given hostname
   // or NULL on failure.
-  virtual SSLHostInfo* GetForHost(const std::string& hostname) = 0;
+  virtual SSLHostInfo* GetForHost(const std::string& hostname,
+                                  const SSLConfig& ssl_config) = 0;
 };
 
 }  // namespace net
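Review bot: cert_valid_ is declared without an initializer and cert_valid() gates whether cert_verify_result_ is meaningful, so the constructor (not part of this header diff) must set it to false before any verification is started; a comment here would pin that down, e.g. `bool cert_valid_;  // Set only by VerifyCallback(); false until then.` The declaration order means callback_ is destroyed before verifier_, so unless CertVerifier guarantees that outstanding requests are cancelled in its own destructor, ~SSLHostInfo() should cancel callback_ before verifier_ goes away to keep a late VerifyCallback() from running on a partially destroyed object — whichever holds, the comment on |verifier_| should say so. cert_ is held separately from state_.certs while mutable_state() lets callers replace the certs after verification has begun, so the comment on |cert_| should note that cert_verify_result_ applies to |cert_|, not necessarily to the current state().certs[0]. In the last hunk the GetForHost comment still describes only the hostname; add a line such as `// |ssl_config| supplies the revocation-checking and EV settings used to verify the cached certificates.`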