diff options
Diffstat (limited to 'net/base/x509_util_mac.h')
| -rw-r--r-- | net/base/x509_util_mac.h | 139 |
1 files changed, 0 insertions, 139 deletions
diff --git a/net/base/x509_util_mac.h b/net/base/x509_util_mac.h deleted file mode 100644 index 9272bc7..0000000 --- a/net/base/x509_util_mac.h +++ /dev/null @@ -1,139 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef NET_BASE_X509_UTIL_MAC_H_ -#define NET_BASE_X509_UTIL_MAC_H_ - -#include <CoreFoundation/CFArray.h> -#include <Security/Security.h> - -#include <string> - -#include "base/basictypes.h" -#include "net/base/net_export.h" - -namespace net { - -namespace x509_util { - -// Creates a security policy for certificates used as client certificates -// in SSL. -// If a policy is successfully created, it will be stored in -// |*policy| and ownership transferred to the caller. -OSStatus NET_EXPORT CreateSSLClientPolicy(SecPolicyRef* policy); - -// Create an SSL server policy. While certificate name validation will be -// performed by SecTrustEvaluate(), it has the following limitations: -// - Doesn't support IP addresses in dotted-quad literals (127.0.0.1) -// - Doesn't support IPv6 addresses -// - Doesn't support the iPAddress subjectAltName -// Providing the hostname is necessary in order to locate certain user or -// system trust preferences, such as those created by Safari. Preferences -// created by Keychain Access do not share this requirement. -// On success, stores the resultant policy in |*policy| and returns noErr. -OSStatus NET_EXPORT CreateSSLServerPolicy(const std::string& hostname, - SecPolicyRef* policy); - -// Creates a security policy for basic X.509 validation. If the policy is -// successfully created, it will be stored in |*policy| and ownership -// transferred to the caller. -OSStatus NET_EXPORT CreateBasicX509Policy(SecPolicyRef* policy); - -// Creates security policies to control revocation checking (OCSP and CRL). -// If |enable_revocation_checking| is true, revocation checking will be -// explicitly enabled. -// If |enable_revocation_checking| is false, but |enable_ev_checking| is -// true, then the system policies for EV checking (which include checking -// for an online OCSP response) will be permitted. However, if the OS -// does not believe the certificate is EV, no revocation checking will be -// performed. -// If both are false, then the policies returned will be explicitly -// prohibited from accessing the network or the local cache, regardless of -// system settings. -// If the policies are successfully created, they will be appended to -// |policies|. -OSStatus NET_EXPORT CreateRevocationPolicies(bool enable_revocation_checking, - bool enable_ev_checking, - CFMutableArrayRef policies); - -// Wrapper for a CSSM_DATA_PTR that was obtained via one of the CSSM field -// accessors (such as CSSM_CL_CertGet[First/Next]Value or -// CSSM_CL_CertGet[First/Next]CachedValue). -class CSSMFieldValue { - public: - CSSMFieldValue(); - CSSMFieldValue(CSSM_CL_HANDLE cl_handle, - const CSSM_OID* oid, - CSSM_DATA_PTR field); - ~CSSMFieldValue(); - - CSSM_OID_PTR oid() const { return oid_; } - CSSM_DATA_PTR field() const { return field_; } - - // Returns the field as if it was an arbitrary type - most commonly, by - // interpreting the field as a specific CSSM/CDSA parsed type, such as - // CSSM_X509_SUBJECT_PUBLIC_KEY_INFO or CSSM_X509_ALGORITHM_IDENTIFIER. - // An added check is applied to ensure that the current field is large - // enough to actually contain the requested type. - template <typename T> const T* GetAs() const { - if (!field_ || field_->Length < sizeof(T)) - return NULL; - return reinterpret_cast<const T*>(field_->Data); - } - - void Reset(CSSM_CL_HANDLE cl_handle, - CSSM_OID_PTR oid, - CSSM_DATA_PTR field); - - private: - CSSM_CL_HANDLE cl_handle_; - CSSM_OID_PTR oid_; - CSSM_DATA_PTR field_; - - DISALLOW_COPY_AND_ASSIGN(CSSMFieldValue); -}; - -// CSSMCachedCertificate is a container class that is used to wrap the -// CSSM_CL_CertCache APIs and provide safe and efficient access to -// certificate fields in their CSSM form. -// -// To provide efficient access to certificate/CRL fields, CSSM provides an -// API/SPI to "cache" a certificate/CRL. The exact meaning of a cached -// certificate is not defined by CSSM, but is documented to generally be some -// intermediate or parsed form of the certificate. In the case of Apple's -// CSSM CL implementation, the intermediate form is the parsed certificate -// stored in an internal format (which happens to be NSS). By caching the -// certificate, callers that wish to access multiple fields (such as subject, -// issuer, and validity dates) do not need to repeatedly parse the entire -// certificate, nor are they forced to convert all fields from their NSS types -// to their CSSM equivalents. This latter point is especially helpful when -// running on OS X 10.5, as it will fail to convert some fields that reference -// unsupported algorithms, such as ECC. -class CSSMCachedCertificate { - public: - CSSMCachedCertificate(); - ~CSSMCachedCertificate(); - - // Initializes the CSSMCachedCertificate by caching the specified - // |os_cert_handle|. On success, returns noErr. - // Note: Once initialized, the cached certificate should only be accessed - // from a single thread. - OSStatus Init(SecCertificateRef os_cert_handle); - - // Fetches the first value for the field associated with |field_oid|. - // If |field_oid| is a valid OID and is present in the current certificate, - // returns CSSM_OK and stores the first value in |field|. If additional - // values are associated with |field_oid|, they are ignored. - OSStatus GetField(const CSSM_OID* field_oid, CSSMFieldValue* field) const; - - private: - CSSM_CL_HANDLE cl_handle_; - CSSM_HANDLE cached_cert_handle_; -}; - -} // namespace x509_util - -} // namespace net - -#endif // NET_BASE_X509_UTIL_MAC_H_ |