diff options
Diffstat (limited to 'net/base/x509_certificate.h')
| -rw-r--r-- | net/base/x509_certificate.h | 510 |
1 files changed, 0 insertions, 510 deletions
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h deleted file mode 100644 index ade9655..0000000 --- a/net/base/x509_certificate.h +++ /dev/null @@ -1,510 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef NET_BASE_X509_CERTIFICATE_H_ -#define NET_BASE_X509_CERTIFICATE_H_ - -#include <string.h> - -#include <string> -#include <vector> - -#include "base/gtest_prod_util.h" -#include "base/memory/ref_counted.h" -#include "base/string_piece.h" -#include "base/time.h" -#include "net/base/cert_type.h" -#include "net/base/net_export.h" -#include "net/base/x509_cert_types.h" - -#if defined(OS_WIN) -#include <windows.h> -#include <wincrypt.h> -#elif defined(OS_MACOSX) -#include <CoreFoundation/CFArray.h> -#include <Security/SecBase.h> - -#elif defined(USE_OPENSSL) -// Forward declaration; real one in <x509.h> -typedef struct x509_st X509; -typedef struct x509_store_st X509_STORE; -#elif defined(USE_NSS) -// Forward declaration; real one in <cert.h> -struct CERTCertificateStr; -#endif - -class Pickle; -class PickleIterator; - -namespace crypto { -class RSAPrivateKey; -} // namespace crypto - -namespace net { - -class CRLSet; -class CertVerifyResult; - -typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; - -// X509Certificate represents a X.509 certificate, which is comprised a -// particular identity or end-entity certificate, such as an SSL server -// identity or an SSL client certificate, and zero or more intermediate -// certificates that may be used to build a path to a root certificate. -class NET_EXPORT X509Certificate - : public base::RefCountedThreadSafe<X509Certificate> { - public: - // An OSCertHandle is a handle to a certificate object in the underlying - // crypto library. We assume that OSCertHandle is a pointer type on all - // platforms and that NULL represents an invalid OSCertHandle. -#if defined(OS_WIN) - typedef PCCERT_CONTEXT OSCertHandle; -#elif defined(OS_MACOSX) - typedef SecCertificateRef OSCertHandle; -#elif defined(USE_OPENSSL) - typedef X509* OSCertHandle; -#elif defined(USE_NSS) - typedef struct CERTCertificateStr* OSCertHandle; -#else - // TODO(ericroman): not implemented - typedef void* OSCertHandle; -#endif - - typedef std::vector<OSCertHandle> OSCertHandles; - - enum PublicKeyType { - kPublicKeyTypeUnknown, - kPublicKeyTypeRSA, - kPublicKeyTypeDSA, - kPublicKeyTypeECDSA, - kPublicKeyTypeDH, - kPublicKeyTypeECDH - }; - - // Predicate functor used in maps when X509Certificate is used as the key. - class NET_EXPORT LessThan { - public: - bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; - }; - - enum Format { - // The data contains a single DER-encoded certificate, or a PEM-encoded - // DER certificate with the PEM encoding block name of "CERTIFICATE". - // Any subsequent blocks will be ignored. - FORMAT_SINGLE_CERTIFICATE = 1 << 0, - - // The data contains a sequence of one or more PEM-encoded, DER - // certificates, with the PEM encoding block name of "CERTIFICATE". - // All PEM blocks will be parsed, until the first error is encountered. - FORMAT_PEM_CERT_SEQUENCE = 1 << 1, - - // The data contains a PKCS#7 SignedData structure, whose certificates - // member is to be used to initialize the certificate and intermediates. - // The data may further be encoded using PEM, specifying block names of - // either "PKCS7" or "CERTIFICATE". - FORMAT_PKCS7 = 1 << 2, - - // Automatically detect the format. - FORMAT_AUTO = FORMAT_SINGLE_CERTIFICATE | FORMAT_PEM_CERT_SEQUENCE | - FORMAT_PKCS7, - }; - - // PickleType is intended for deserializing certificates that were pickled - // by previous releases as part of a net::HttpResponseInfo. - // When serializing certificates to a new Pickle, - // PICKLETYPE_CERTIFICATE_CHAIN_V3 is always used. - enum PickleType { - // When reading a certificate from a Pickle, the Pickle only contains a - // single certificate. - PICKLETYPE_SINGLE_CERTIFICATE, - - // When reading a certificate from a Pickle, the Pickle contains the - // the certificate plus any certificates that were stored in - // |intermediate_ca_certificates_| at the time it was serialized. - // The count of certificates is stored as a size_t, which is either 32 - // or 64 bits. - PICKLETYPE_CERTIFICATE_CHAIN_V2, - - // The Pickle contains the certificate and any certificates that were - // stored in |intermediate_ca_certs_| at the time it was serialized. - // The format is [int count], [data - this certificate], - // [data - intermediate1], ... [data - intermediateN]. - // All certificates are stored in DER form. - PICKLETYPE_CERTIFICATE_CHAIN_V3, - }; - - // Creates a X509Certificate from the ground up. Used by tests that simulate - // SSL connections. - X509Certificate(const std::string& subject, const std::string& issuer, - base::Time start_date, base::Time expiration_date); - - // Create an X509Certificate from a handle to the certificate object in the - // underlying crypto library. The returned pointer must be stored in a - // scoped_refptr<X509Certificate>. - static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, - const OSCertHandles& intermediates); - - // Create an X509Certificate from a chain of DER encoded certificates. The - // first certificate in the chain is the end-entity certificate to which a - // handle is returned. The other certificates in the chain are intermediate - // certificates. The returned pointer must be stored in a - // scoped_refptr<X509Certificate>. - static X509Certificate* CreateFromDERCertChain( - const std::vector<base::StringPiece>& der_certs); - - // Create an X509Certificate from the DER-encoded representation. - // Returns NULL on failure. - // - // The returned pointer must be stored in a scoped_refptr<X509Certificate>. - static X509Certificate* CreateFromBytes(const char* data, int length); - -#if defined(USE_NSS) - // Create an X509Certificate from the DER-encoded representation. - // |nickname| can be NULL if an auto-generated nickname is desired. - // Returns NULL on failure. The returned pointer must be stored in a - // scoped_refptr<X509Certificate>. - // - // This function differs from CreateFromBytes in that it takes a - // nickname that will be used when the certificate is imported into PKCS#11. - static X509Certificate* CreateFromBytesWithNickname(const char* data, - int length, - const char* nickname); - - // The default nickname of the certificate, based on the certificate type - // passed in. If this object was created using CreateFromBytesWithNickname, - // then this will return the nickname specified upon creation. - std::string GetDefaultNickname(CertType type) const; -#endif - - // Create an X509Certificate from the representation stored in the given - // pickle. The data for this object is found relative to the given - // pickle_iter, which should be passed to the pickle's various Read* methods. - // Returns NULL on failure. - // - // The returned pointer must be stored in a scoped_refptr<X509Certificate>. - static X509Certificate* CreateFromPickle(const Pickle& pickle, - PickleIterator* pickle_iter, - PickleType type); - - // Parses all of the certificates possible from |data|. |format| is a - // bit-wise OR of Format, indicating the possible formats the - // certificates may have been serialized as. If an error occurs, an empty - // collection will be returned. - static CertificateList CreateCertificateListFromBytes(const char* data, - int length, - int format); - - // Create a self-signed certificate containing the public key in |key|. - // Subject, serial number and validity period are given as parameters. - // The certificate is signed by the private key in |key|. The hashing - // algorithm for the signature is SHA-1. - // - // |subject| is a distinguished name defined in RFC4514. - // - // An example: - // CN=Michael Wong,O=FooBar Corporation,DC=foobar,DC=com - // - // SECURITY WARNING - // - // Using self-signed certificates has the following security risks: - // 1. Encryption without authentication and thus vulnerable to - // man-in-the-middle attacks. - // 2. Self-signed certificates cannot be revoked. - // - // Use this certificate only after the above risks are acknowledged. - static X509Certificate* CreateSelfSigned(crypto::RSAPrivateKey* key, - const std::string& subject, - uint32 serial_number, - base::TimeDelta valid_duration); - - // Appends a representation of this object to the given pickle. - void Persist(Pickle* pickle); - - // The serial number, DER encoded, possibly including a leading 00 byte. - const std::string& serial_number() const { return serial_number_; } - - // The subject of the certificate. For HTTPS server certificates, this - // represents the web server. The common name of the subject should match - // the host name of the web server. - const CertPrincipal& subject() const { return subject_; } - - // The issuer of the certificate. - const CertPrincipal& issuer() const { return issuer_; } - - // Time period during which the certificate is valid. More precisely, this - // certificate is invalid before the |valid_start| date and invalid after - // the |valid_expiry| date. - // If we were unable to parse either date from the certificate (or if the cert - // lacks either date), the date will be null (i.e., is_null() will be true). - const base::Time& valid_start() const { return valid_start_; } - const base::Time& valid_expiry() const { return valid_expiry_; } - - // The fingerprint of this certificate. - const SHA1HashValue& fingerprint() const { return fingerprint_; } - - // The fingerprint of the intermediate CA certificates. - const SHA1HashValue& ca_fingerprint() const { - return ca_fingerprint_; - } - - // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1 - // Server Identity, if the certificate has a subjectAltName extension of - // type dNSName, this method gets the DNS names in that extension. - // Otherwise, it gets the common name in the subject field. - void GetDNSNames(std::vector<std::string>* dns_names) const; - - // Gets the subjectAltName extension field from the certificate, if any. - // For future extension; currently this only returns those name types that - // are required for HTTP certificate name verification - see VerifyHostname. - // Unrequired parameters may be passed as NULL. - void GetSubjectAltName(std::vector<std::string>* dns_names, - std::vector<std::string>* ip_addrs) const; - - // Convenience method that returns whether this certificate has expired as of - // now. - bool HasExpired() const; - - // Returns true if this object and |other| represent the same certificate. - bool Equals(const X509Certificate* other) const; - - // Returns intermediate certificates added via AddIntermediateCertificate(). - // Ownership follows the "get" rule: it is the caller's responsibility to - // retain the elements of the result. - const OSCertHandles& GetIntermediateCertificates() const { - return intermediate_ca_certs_; - } - -#if defined(OS_MACOSX) - // Does this certificate's usage allow SSL client authentication? - bool SupportsSSLClientAuth() const; - - // Creates the chain of certs to use for this client identity cert. - CFArrayRef CreateClientCertificateChain() const; - - // Returns a new CFArrayRef containing this certificate and its intermediate - // certificates in the form expected by Security.framework and Keychain - // Services, or NULL on failure. - // The first item in the array will be this certificate, followed by its - // intermediates, if any. - CFArrayRef CreateOSCertChainForCert() const; -#endif - - // Do any of the given issuer names appear in this cert's chain of trust? - // |valid_issuers| is a list of DER-encoded X.509 DistinguishedNames. - bool IsIssuedByEncoded(const std::vector<std::string>& valid_issuers); - -#if defined(OS_WIN) - // Returns a new PCCERT_CONTEXT containing this certificate and its - // intermediate certificates, or NULL on failure. The returned - // PCCERT_CONTEXT *MUST NOT* be stored in an X509Certificate, as this will - // cause os_cert_handle() to return incorrect results. This function is only - // necessary if the CERT_CONTEXT.hCertStore member will be accessed or - // enumerated, which is generally true for any CryptoAPI functions involving - // certificate chains, including validation or certificate display. - // - // Remarks: - // Depending on the CryptoAPI function, Windows may need to access the - // HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to - // locate additional intermediates. However, all certificate handles are added - // to a NULL HCERTSTORE, allowing the system to manage the resources. As a - // result, intermediates for |cert_handle_| cannot be located simply via - // |cert_handle_->hCertStore|, as it refers to a magic value indicating - // "only this certificate". - // - // To avoid this problems, a new in-memory HCERTSTORE is created containing - // just this certificate and its intermediates. The handle to the version of - // the current certificate in the new HCERTSTORE is then returned, with the - // PCCERT_CONTEXT's HCERTSTORE set to be automatically freed when the returned - // certificate handle is freed. - // - // This function is only needed when the HCERTSTORE of the os_cert_handle() - // will be accessed, which is generally only during certificate validation - // or display. While the returned PCCERT_CONTEXT and its HCERTSTORE can - // safely be used on multiple threads if no further modifications happen, it - // is generally preferable for each thread that needs such a context to - // obtain its own, rather than risk thread-safety issues by sharing. - // - // Because of how X509Certificate caching is implemented, attempting to - // create an X509Certificate from the returned PCCERT_CONTEXT may result in - // the original handle (and thus the originall HCERTSTORE) being returned by - // os_cert_handle(). For this reason, the returned PCCERT_CONTEXT *MUST NOT* - // be stored in an X509Certificate. - PCCERT_CONTEXT CreateOSCertChainForCert() const; -#endif - -#if defined(USE_OPENSSL) - // Returns a handle to a global, in-memory certificate store. We - // use it for test code, e.g. importing the test server's certificate. - static X509_STORE* cert_store(); -#endif - - // Verifies that |hostname| matches this certificate. - // Does not verify that the certificate is valid, only that the certificate - // matches this host. - // Returns true if it matches. - bool VerifyNameMatch(const std::string& hostname) const; - - // Obtains the DER encoded certificate data for |cert_handle|. On success, - // returns true and writes the DER encoded certificate to |*der_encoded|. - static bool GetDEREncoded(OSCertHandle cert_handle, - std::string* der_encoded); - - // Returns the PEM encoded data from an OSCertHandle. If the return value is - // true, then the PEM encoded certificate is written to |pem_encoded|. - static bool GetPEMEncoded(OSCertHandle cert_handle, - std::string* pem_encoded); - - // Encodes the entire certificate chain (this certificate and any - // intermediate certificates stored in |intermediate_ca_certs_|) as a series - // of PEM encoded strings. Returns true if all certificates were encoded, - // storig the result in |*pem_encoded|, with this certificate stored as - // the first element. - bool GetPEMEncodedChain(std::vector<std::string>* pem_encoded) const; - - // Sets |*size_bits| to be the length of the public key in bits, and sets - // |*type| to one of the |PublicKeyType| values. In case of - // |kPublicKeyTypeUnknown|, |*size_bits| will be set to 0. - static void GetPublicKeyInfo(OSCertHandle cert_handle, - size_t* size_bits, - PublicKeyType* type); - - // Returns the OSCertHandle of this object. Because of caching, this may - // differ from the OSCertHandle originally supplied during initialization. - // Note: On Windows, CryptoAPI may return unexpected results if this handle - // is used across multiple threads. For more details, see - // CreateOSCertChainForCert(). - OSCertHandle os_cert_handle() const { return cert_handle_; } - - // Returns true if two OSCertHandles refer to identical certificates. - static bool IsSameOSCert(OSCertHandle a, OSCertHandle b); - - // Creates an OS certificate handle from the DER-encoded representation. - // Returns NULL on failure. - static OSCertHandle CreateOSCertHandleFromBytes(const char* data, - int length); - -#if defined(USE_NSS) - // Creates an OS certificate handle from the DER-encoded representation. - // Returns NULL on failure. Sets the default nickname if |nickname| is - // non-NULL. - static OSCertHandle CreateOSCertHandleFromBytesWithNickname( - const char* data, - int length, - const char* nickname); -#endif - - // Creates all possible OS certificate handles from |data| encoded in a - // specific |format|. Returns an empty collection on failure. - static OSCertHandles CreateOSCertHandlesFromBytes( - const char* data, - int length, - Format format); - - // Duplicates (or adds a reference to) an OS certificate handle. - static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); - - // Frees (or releases a reference to) an OS certificate handle. - static void FreeOSCertHandle(OSCertHandle cert_handle); - - // Calculates the SHA-1 fingerprint of the certificate. Returns an empty - // (all zero) fingerprint on failure. - static SHA1HashValue CalculateFingerprint(OSCertHandle cert_handle); - - // Calculates the SHA-1 fingerprint of the intermediate CA certificates. - // Returns an empty (all zero) fingerprint on failure. - static SHA1HashValue CalculateCAFingerprint( - const OSCertHandles& intermediates); - - private: - friend class base::RefCountedThreadSafe<X509Certificate>; - friend class TestRootCerts; // For unit tests - - FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname); - FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers); - - // Construct an X509Certificate from a handle to the certificate object - // in the underlying crypto library. - X509Certificate(OSCertHandle cert_handle, - const OSCertHandles& intermediates); - - ~X509Certificate(); - - // Common object initialization code. Called by the constructors only. - void Initialize(); - -#if defined(USE_OPENSSL) - // Resets the store returned by cert_store() to default state. Used by - // TestRootCerts to undo modifications. - static void ResetCertStore(); -#endif - - // Verifies that |hostname| matches one of the certificate names or IP - // addresses supplied, based on TLS name matching rules - specifically, - // following http://tools.ietf.org/html/rfc6125. - // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject(). - // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled - // from the dNSName and iPAddress components of the subject alternative name - // extension, if present. Note these IP addresses are NOT ascii-encoded: - // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6 - // addresses, respectively. - static bool VerifyHostname(const std::string& hostname, - const std::string& cert_common_name, - const std::vector<std::string>& cert_san_dns_names, - const std::vector<std::string>& cert_san_ip_addrs); - - // Reads a single certificate from |pickle_iter| and returns a - // platform-specific certificate handle. The format of the certificate - // stored in |pickle_iter| is not guaranteed to be the same across different - // underlying cryptographic libraries, nor acceptable to CreateFromBytes(). - // Returns an invalid handle, NULL, on failure. - // NOTE: This should not be used for any new code. It is provided for - // migration purposes and should eventually be removed. - static OSCertHandle ReadOSCertHandleFromPickle(PickleIterator* pickle_iter); - - // Writes a single certificate to |pickle| in DER form. Returns false on - // failure. - static bool WriteOSCertHandleToPickle(OSCertHandle handle, Pickle* pickle); - - // The subject of the certificate. - CertPrincipal subject_; - - // The issuer of the certificate. - CertPrincipal issuer_; - - // This certificate is not valid before |valid_start_| - base::Time valid_start_; - - // This certificate is not valid after |valid_expiry_| - base::Time valid_expiry_; - - // The fingerprint of this certificate. - SHA1HashValue fingerprint_; - - // The fingerprint of the intermediate CA certificates. - SHA1HashValue ca_fingerprint_; - - // The serial number of this certificate, DER encoded. - std::string serial_number_; - - // A handle to the certificate object in the underlying crypto library. - OSCertHandle cert_handle_; - - // Untrusted intermediate certificates associated with this certificate - // that may be needed for chain building. - OSCertHandles intermediate_ca_certs_; - -#if defined(USE_NSS) - // This stores any default nickname that has been set on the certificate - // at creation time with CreateFromBytesWithNickname. - // If this is empty, then GetDefaultNickname will return a generated name - // based on the type of the certificate. - std::string default_nickname_; -#endif - - DISALLOW_COPY_AND_ASSIGN(X509Certificate); -}; - -} // namespace net - -#endif // NET_BASE_X509_CERTIFICATE_H_ |