1ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen// Copyright (c) 2011 The Chromium Authors. All rights reserved. 2c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott// Use of this source code is governed by a BSD-style license that can be 3c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott// found in the LICENSE file. 4c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 5c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#ifndef NET_BASE_X509_CERTIFICATE_H_ 6c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#define NET_BASE_X509_CERTIFICATE_H_ 73345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick#pragma once 8c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 9c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#include <string.h> 10c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 11c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#include <string> 12c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#include <vector> 13c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 143345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick#include "base/gtest_prod_util.h" 15ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen#include "base/memory/ref_counted.h" 16513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch#include "base/string_piece.h" 17c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#include "base/time.h" 182557749644f9d25af9721533322db19197c49b49Kristian Monsen#include "net/base/net_export.h" 19c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#include "net/base/x509_cert_types.h" 20c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 21c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#if defined(OS_WIN) 22c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#include <windows.h> 23c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#include <wincrypt.h> 24c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#elif defined(OS_MACOSX) 25c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#include <CoreFoundation/CFArray.h> 26c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#include <Security/SecBase.h> 27201ade2fbba22bfb27ae029f4d23fca6ded109a0Ben Murdoch 2872a454cd3513ac24fbdd0e0cb9ad70b86a99b801Kristian Monsen#include "base/synchronization/lock.h" 29731df977c0511bca2206b5f333555b1205ff1f43Iain Merrick#elif defined(USE_OPENSSL) 30731df977c0511bca2206b5f333555b1205ff1f43Iain Merrick// Forward declaration; real one in <x509.h> 31731df977c0511bca2206b5f333555b1205ff1f43Iain Merrickstruct x509_st; 324a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdochtypedef struct x509_store_st X509_STORE; 33c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#elif defined(USE_NSS) 34c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott// Forward declaration; real one in <cert.h> 35c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scottstruct CERTCertificateStr; 36c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#endif 37c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 38c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scottclass Pickle; 39c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 40ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsennamespace crypto { 41ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsenclass StringPiece; 4221d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsenclass RSAPrivateKey; 43ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen} // namespace crypto 4421d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen 45c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scottnamespace net { 46c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 47c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scottclass CertVerifyResult; 48c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 493345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merricktypedef std::vector<scoped_refptr<X509Certificate> > CertificateList; 503345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick 51c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott// X509Certificate represents an X.509 certificate used by SSL. 522557749644f9d25af9721533322db19197c49b49Kristian Monsenclass NET_EXPORT X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { 53c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott public: 54c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // A handle to the certificate object in the underlying crypto library. 55c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // We assume that OSCertHandle is a pointer type on all platforms and 56c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // NULL is an invalid OSCertHandle. 57c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#if defined(OS_WIN) 58c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott typedef PCCERT_CONTEXT OSCertHandle; 59c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#elif defined(OS_MACOSX) 60c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott typedef SecCertificateRef OSCertHandle; 61731df977c0511bca2206b5f333555b1205ff1f43Iain Merrick#elif defined(USE_OPENSSL) 62731df977c0511bca2206b5f333555b1205ff1f43Iain Merrick typedef struct x509_st* OSCertHandle; 63c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#elif defined(USE_NSS) 64c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott typedef struct CERTCertificateStr* OSCertHandle; 65c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#else 66c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // TODO(ericroman): not implemented 67c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott typedef void* OSCertHandle; 68c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#endif 69c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 70c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch typedef std::vector<OSCertHandle> OSCertHandles; 71c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 72c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Predicate functor used in maps when X509Certificate is used as the key. 73731df977c0511bca2206b5f333555b1205ff1f43Iain Merrick class LessThan { 74c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott public: 75c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; 76c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott }; 77c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 78c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Where the certificate comes from. The enumeration constants are 79c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // listed in increasing order of preference. 80c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott enum Source { 81c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott SOURCE_UNUSED = 0, // The source_ member is not used. 82c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without 83ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // any intermediate CA certificates. 84ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen SOURCE_FROM_CACHE = 2, // From the disk cache - which contains 85ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // intermediate CA certificates, but may be 86ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // stale. 87ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen SOURCE_FROM_NETWORK = 3, // From the network. 88c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott }; 89c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 90c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott enum VerifyFlags { 91c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott VERIFY_REV_CHECKING_ENABLED = 1 << 0, 92c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott VERIFY_EV_CERT = 1 << 1, 93c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott }; 94c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 953345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick enum Format { 963345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // The data contains a single DER-encoded certificate, or a PEM-encoded 973345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // DER certificate with the PEM encoding block name of "CERTIFICATE". 983345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // Any subsequent blocks will be ignored. 993345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick FORMAT_SINGLE_CERTIFICATE = 1 << 0, 1003345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick 1013345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // The data contains a sequence of one or more PEM-encoded, DER 1023345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // certificates, with the PEM encoding block name of "CERTIFICATE". 1033345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // All PEM blocks will be parsed, until the first error is encountered. 1043345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick FORMAT_PEM_CERT_SEQUENCE = 1 << 1, 1053345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick 1063345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // The data contains a PKCS#7 SignedData structure, whose certificates 1073345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // member is to be used to initialize the certificate and intermediates. 1083345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // The data may further be encoded using PEM, specifying block names of 1093345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // either "PKCS7" or "CERTIFICATE". 1103345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick FORMAT_PKCS7 = 1 << 2, 1113345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick 1123345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // Automatically detect the format. 1133345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick FORMAT_AUTO = FORMAT_SINGLE_CERTIFICATE | FORMAT_PEM_CERT_SEQUENCE | 1143345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick FORMAT_PKCS7, 1153345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick }; 1163345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick 117ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen enum PickleType { 118ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // When reading a certificate from a Pickle, the Pickle only contains a 119ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // single certificate. 120ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen PICKLETYPE_SINGLE_CERTIFICATE, 121ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen 122ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // When reading a certificate from a Pickle, the Pickle contains the 123ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // the certificate plus any certificates that were stored in 124ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // |intermediate_ca_certificates_| at the time it was serialized. 125ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen PICKLETYPE_CERTIFICATE_CHAIN, 126ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen }; 127ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen 1283f50c38dc070f4bb515c1b64450dae14f316474eKristian Monsen // Creates a X509Certificate from the ground up. Used by tests that simulate 1293f50c38dc070f4bb515c1b64450dae14f316474eKristian Monsen // SSL connections. 1303f50c38dc070f4bb515c1b64450dae14f316474eKristian Monsen X509Certificate(const std::string& subject, const std::string& issuer, 1313f50c38dc070f4bb515c1b64450dae14f316474eKristian Monsen base::Time start_date, base::Time expiration_date); 1323f50c38dc070f4bb515c1b64450dae14f316474eKristian Monsen 133c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Create an X509Certificate from a handle to the certificate object in the 134c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // underlying crypto library. |source| specifies where |cert_handle| comes 135c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // from. Given two certificate handles for the same certificate, our 136c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // certificate cache prefers the handle from the network because our HTTP 137c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // cache isn't caching the corresponding intermediate CA certificates yet 138c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // (http://crbug.com/7065). 139c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 14095b2bad159f2dbca0555e82f156db8424b75c2b8Jonathan Dixon static scoped_refptr<X509Certificate> CreateFromHandle(OSCertHandle cert_handle, 141ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen Source source, 142ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen const OSCertHandles& intermediates); 143c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 144513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // Create an X509Certificate from a chain of DER encoded certificates. The 145513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // first certificate in the chain is the end-entity certificate to which a 146513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // handle is returned. The other certificates in the chain are intermediate 147513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // certificates. See the comment for |CreateFromHandle| about the |source| 148513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // argument. 149513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 15095b2bad159f2dbca0555e82f156db8424b75c2b8Jonathan Dixon static scoped_refptr<X509Certificate> CreateFromDERCertChain( 151513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch const std::vector<base::StringPiece>& der_certs); 152513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch 1533345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // Create an X509Certificate from the DER-encoded representation. 154c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Returns NULL on failure. 155c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // 156c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 15795b2bad159f2dbca0555e82f156db8424b75c2b8Jonathan Dixon static scoped_refptr<X509Certificate> CreateFromBytes(const char* data, int length); 158c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 159c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Create an X509Certificate from the representation stored in the given 160c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // pickle. The data for this object is found relative to the given 161c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // pickle_iter, which should be passed to the pickle's various Read* methods. 162c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Returns NULL on failure. 163c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // 164c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 16595b2bad159f2dbca0555e82f156db8424b75c2b8Jonathan Dixon static scoped_refptr<X509Certificate> CreateFromPickle(const Pickle& pickle, 166ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen void** pickle_iter, 167ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen PickleType type); 168c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 1693345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // Parses all of the certificates possible from |data|. |format| is a 1703345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // bit-wise OR of Format, indicating the possible formats the 1713345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // certificates may have been serialized as. If an error occurs, an empty 1723345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // collection will be returned. 1733345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick static CertificateList CreateCertificateListFromBytes(const char* data, 1743345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick int length, 1753345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick int format); 1763345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick 17721d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // Create a self-signed certificate containing the public key in |key|. 17821d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // Subject, serial number and validity period are given as parameters. 17921d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // The certificate is signed by the private key in |key|. The hashing 18021d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // algorithm for the signature is SHA-1. 18121d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // 18221d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // |subject| is a distinguished name defined in RFC4514. 18321d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // 18421d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // An example: 18521d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // CN=Michael Wong,O=FooBar Corporation,DC=foobar,DC=com 18621d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // 187ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // SECURITY WARNING 18821d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // 18921d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // Using self-signed certificates has the following security risks: 19021d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // 1. Encryption without authentication and thus vulnerable to 19121d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // man-in-the-middle attacks. 19221d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // 2. Self-signed certificates cannot be revoked. 19321d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // 19421d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // Use this certificate only after the above risks are acknowledged. 19595b2bad159f2dbca0555e82f156db8424b75c2b8Jonathan Dixon static scoped_refptr<X509Certificate> CreateSelfSigned(crypto::RSAPrivateKey* key, 19621d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen const std::string& subject, 19721d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen uint32 serial_number, 19821d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen base::TimeDelta valid_duration); 19921d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen 200c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Appends a representation of this object to the given pickle. 201c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott void Persist(Pickle* pickle); 202c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 203c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The subject of the certificate. For HTTPS server certificates, this 204c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // represents the web server. The common name of the subject should match 205c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // the host name of the web server. 206c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const CertPrincipal& subject() const { return subject_; } 207c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 208c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The issuer of the certificate. 209c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const CertPrincipal& issuer() const { return issuer_; } 210c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 211c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Time period during which the certificate is valid. More precisely, this 212c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // certificate is invalid before the |valid_start| date and invalid after 213c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // the |valid_expiry| date. 214c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // If we were unable to parse either date from the certificate (or if the cert 215c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // lacks either date), the date will be null (i.e., is_null() will be true). 216c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott const base::Time& valid_start() const { return valid_start_; } 217c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott const base::Time& valid_expiry() const { return valid_expiry_; } 218c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 219c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The fingerprint of this certificate. 220c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const SHA1Fingerprint& fingerprint() const { return fingerprint_; } 221c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 222c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1 223c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Server Identity, if the certificate has a subjectAltName extension of 224c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // type dNSName, this method gets the DNS names in that extension. 225c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Otherwise, it gets the common name in the subject field. 226c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott void GetDNSNames(std::vector<std::string>* dns_names) const; 227c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 228c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Convenience method that returns whether this certificate has expired as of 229c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // now. 230c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott bool HasExpired() const; 231c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 2324a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdoch // Returns true if this object and |other| represent the same certificate. 2334a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdoch bool Equals(const X509Certificate* other) const; 2344a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdoch 235c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Returns intermediate certificates added via AddIntermediateCertificate(). 236c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Ownership follows the "get" rule: it is the caller's responsibility to 237c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // retain the elements of the result. 238c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const OSCertHandles& GetIntermediateCertificates() const { 239c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott return intermediate_ca_certs_; 240c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott } 241c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 242c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Returns true if I already contain the given intermediate cert. 243c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch bool HasIntermediateCertificate(OSCertHandle cert); 244c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 245c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Returns true if I already contain all the given intermediate certs. 246c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch bool HasIntermediateCertificates(const OSCertHandles& certs); 247c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 248c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#if defined(OS_MACOSX) 249c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Does this certificate's usage allow SSL client authentication? 250c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch bool SupportsSSLClientAuth() const; 251c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 252c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Do any of the given issuer names appear in this cert's chain of trust? 253c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers); 254c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 255c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Creates a security policy for SSL client certificates. 256c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch static OSStatus CreateSSLClientPolicy(SecPolicyRef* outPolicy); 257c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 258c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Adds all available SSL client identity certs to the given vector. 259c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // |server_domain| is a hint for which domain the cert is to be sent to 260c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // (a cert previously specified as the default for that domain will be given 261c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // precedence and returned first in the output vector.) 262c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // If valid_issuers is non-empty, only certs that were transitively issued by 263c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // one of the given names will be included in the list. 264c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch static bool GetSSLClientCertificates( 265c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const std::string& server_domain, 266c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const std::vector<CertPrincipal>& valid_issuers, 26721d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen CertificateList* certs); 268c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 269c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Creates the chain of certs to use for this client identity cert. 270c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch CFArrayRef CreateClientCertificateChain() const; 271c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#endif 272c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 273513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch#if defined(OS_WIN) 274513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // Returns a handle to a global, in-memory certificate store. We use it for 275513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // two purposes: 276513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // 1. Import server certificates into this store so that we can verify and 277513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // display the certificates using CryptoAPI. 278513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // 2. Copy client certificates from the "MY" system certificate store into 279513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // this store so that we can close the system store when we finish 280513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // searching for client certificates. 281513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch static HCERTSTORE cert_store(); 282513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch#endif 283513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch 2844a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdoch#if defined(USE_OPENSSL) 2854a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdoch // Returns a handle to a global, in-memory certificate store. We 2864a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdoch // use it for test code, e.g. importing the test server's certificate. 2874a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdoch static X509_STORE* cert_store(); 2884a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdoch#endif 2894a5e2dc747d50c653511c68ccb2cfbfb740bd5a7Ben Murdoch 2903d0d34ea4a088d416226d2fa36b1727867b597d8Huahui Wu#if defined(ANDROID) 2913d0d34ea4a088d416226d2fa36b1727867b597d8Huahui Wu // Returns the certificate chain in DER-encoded form, using the application DER 2923d0d34ea4a088d416226d2fa36b1727867b597d8Huahui Wu // cache as appropriate. 2933d0d34ea4a088d416226d2fa36b1727867b597d8Huahui Wu void GetChainDEREncodedBytes(std::vector<std::string>* chain_bytes) const; 2943d0d34ea4a088d416226d2fa36b1727867b597d8Huahui Wu#endif 2953d0d34ea4a088d416226d2fa36b1727867b597d8Huahui Wu 296c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Verifies the certificate against the given hostname. Returns OK if 297c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // successful or an error code upon failure. 298c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // 299c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The |*verify_result| structure, including the |verify_result->cert_status| 300c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // bitmask, is always filled out regardless of the return value. If the 301c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // certificate has multiple errors, the corresponding status flags are set in 302c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // |verify_result->cert_status|, and the error code for the most serious 303c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // error is returned. 304c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // 305c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // |flags| is bitwise OR'd of VerifyFlags. 306c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, certificate revocation 307c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // checking is performed. If VERIFY_EV_CERT is set in |flags| too, 308c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // EV certificate verification is performed. 309c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott int Verify(const std::string& hostname, 310c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott int flags, 311c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott CertVerifyResult* verify_result) const; 312c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 313dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // Verifies that |hostname| matches this certificate. 314dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // Does not verify that the certificate is valid, only that the certificate 315dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // matches this host. 316dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // Returns true if it matches. 317dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // 318dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // WARNING: This function may return false negatives (for example, if 319dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // |hostname| is an IP address literal) on some platforms. Only 320dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // use in cases where some false-positives are acceptible. 321dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen bool VerifyNameMatch(const std::string& hostname) const; 322dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen 32321d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // This method returns the DER encoded certificate. 32421d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // If the return value is true then the DER encoded certificate is available. 32521d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // The content of the DER encoded certificate is written to |encoded|. 32621d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen bool GetDEREncoded(std::string* encoded); 32721d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen 328c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott OSCertHandle os_cert_handle() const { return cert_handle_; } 329c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 330c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Returns true if two OSCertHandles refer to identical certificates. 331c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch static bool IsSameOSCert(OSCertHandle a, OSCertHandle b); 332c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 333c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Creates an OS certificate handle from the BER-encoded representation. 334c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Returns NULL on failure. 335c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch static OSCertHandle CreateOSCertHandleFromBytes(const char* data, 336c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch int length); 337c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 3383345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // Creates all possible OS certificate handles from |data| encoded in a 3393345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick // specific |format|. Returns an empty collection on failure. 3403345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick static OSCertHandles CreateOSCertHandlesFromBytes( 3413345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick const char* data, int length, Format format); 3423345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick 343c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Duplicates (or adds a reference to) an OS certificate handle. 344c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); 345c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 346c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Frees (or releases a reference to) an OS certificate handle. 347c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch static void FreeOSCertHandle(OSCertHandle cert_handle); 348c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 349c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch private: 350c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch friend class base::RefCountedThreadSafe<X509Certificate>; 35121d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen friend class TestRootCerts; // For unit tests 3523345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache); 3533345a6884c488ff3a535c2c9acdd33d74b37e311Iain Merrick FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates); 354ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers); 355ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname); 356c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 357c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Construct an X509Certificate from a handle to the certificate object 358c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // in the underlying crypto library. 359c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch X509Certificate(OSCertHandle cert_handle, Source source, 360c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const OSCertHandles& intermediates); 361c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 362c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott ~X509Certificate(); 363c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 364c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Common object initialization code. Called by the constructors only. 365c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott void Initialize(); 366c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 367513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch#if defined(OS_WIN) 368513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context, 369513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch const char* policy_oid) const; 370ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen static bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context); 371ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen#endif 372ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen#if defined(OS_MACOSX) 373ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen static bool IsIssuedByKnownRoot(CFArrayRef chain); 374513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch#endif 375c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott bool VerifyEV() const; 376c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 37721d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen#if defined(USE_OPENSSL) 37821d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // Resets the store returned by cert_store() to default state. Used by 37921d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen // TestRootCerts to undo modifications. 38021d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen static void ResetCertStore(); 38121d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen#endif 38221d179b334e59e9a3bfcaed4c4430bef1bc5759dKristian Monsen 383c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Calculates the SHA-1 fingerprint of the certificate. Returns an empty 384c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // (all zero) fingerprint on failure. 385c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); 386c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 387dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // Verifies that |hostname| matches one of the names in |cert_names|, based on 388dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // TLS name matching rules, specifically following http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4.4.3 389dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // The members of |cert_names| must have been extracted from the Subject CN or 390dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // SAN fields of a certificate. 391dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // WARNING: This function may return false negatives (for example, if 392dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // |hostname| is an IP address literal) on some platforms. Only 393dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen // use in cases where some false-positives are acceptible. 394dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen static bool VerifyHostname(const std::string& hostname, 395dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen const std::vector<std::string>& cert_names); 396dc0f95d653279beabeb9817299e2902918ba123eKristian Monsen 397ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // The serial number, DER encoded. 398ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // NOTE: keep this method private, used by IsBlacklisted only. To simplify 399ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // IsBlacklisted, we strip the leading 0 byte of a serial number, used to 400ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // encode a positive DER INTEGER (a signed type) with a most significant bit 401ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // of 1. Other code must not use this method for general purpose until this 402ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // is fixed. 403ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen const std::string& serial_number() const { return serial_number_; } 404ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen 405ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // IsBlacklisted returns true if this certificate is explicitly blacklisted. 406ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen bool IsBlacklisted() const; 407ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen 40894ea77830f08742eaf1760a8ccc858530cb1c36eKristian Monsen // IsPublicKeyBlacklisted returns true iff one of |public_key_hashes| (which 40994ea77830f08742eaf1760a8ccc858530cb1c36eKristian Monsen // are SHA1 hashes of SubjectPublicKeyInfo structures) is explicitly blocked. 41094ea77830f08742eaf1760a8ccc858530cb1c36eKristian Monsen static bool IsPublicKeyBlacklisted( 41194ea77830f08742eaf1760a8ccc858530cb1c36eKristian Monsen const std::vector<SHA1Fingerprint>& public_key_hashes); 41294ea77830f08742eaf1760a8ccc858530cb1c36eKristian Monsen 413ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted 414ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // array of SHA1 hashes. 415ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen static bool IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, 416ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen const uint8* array, 417ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen size_t array_byte_len); 418ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen 419ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // Reads a single certificate from |pickle| and returns a platform-specific 420ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // certificate handle. The format of the certificate stored in |pickle| is 421ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // not guaranteed to be the same across different underlying cryptographic 422ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // libraries, nor acceptable to CreateFromBytes(). Returns an invalid 423ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // handle, NULL, on failure. 424ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen static OSCertHandle ReadCertHandleFromPickle(const Pickle& pickle, 425ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen void** pickle_iter); 426ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen 427ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // Writes a single certificate to |pickle|. Returns false on failure. 428ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen static bool WriteCertHandleToPickle(OSCertHandle handle, Pickle* pickle); 42980b02f653a8dd9e96eaa219647537e15a87d9330Kristian Monsen 43080b02f653a8dd9e96eaa219647537e15a87d9330Kristian Monsen#ifdef ANDROID 43180b02f653a8dd9e96eaa219647537e15a87d9330Kristian Monsen#if defined(USE_OPENSSL) 43280b02f653a8dd9e96eaa219647537e15a87d9330Kristian Monsen // Returns the certificate in DER-encoded form, using the application DER 43380b02f653a8dd9e96eaa219647537e15a87d9330Kristian Monsen // cache as appropriate. The returned string piece will be valid as long 43480b02f653a8dd9e96eaa219647537e15a87d9330Kristian Monsen // as the handle is. 43580b02f653a8dd9e96eaa219647537e15a87d9330Kristian Monsen static std::string GetDEREncodedBytes(OSCertHandle handle); 43680b02f653a8dd9e96eaa219647537e15a87d9330Kristian Monsen#endif 43780b02f653a8dd9e96eaa219647537e15a87d9330Kristian Monsen#endif 43876a88e2c298122bfdfc498a5df61aab702184639Ben Murdoch 439c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The subject of the certificate. 440c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch CertPrincipal subject_; 441c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 442c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The issuer of the certificate. 443c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch CertPrincipal issuer_; 444c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 445c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // This certificate is not valid before |valid_start_| 446c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott base::Time valid_start_; 447c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 448c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // This certificate is not valid after |valid_expiry_| 449c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott base::Time valid_expiry_; 450c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 451c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // The fingerprint of this certificate. 452c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch SHA1Fingerprint fingerprint_; 453c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 454ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen // The serial number of this certificate, DER encoded. 455ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen std::string serial_number_; 456ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen 457c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // A handle to the certificate object in the underlying crypto library. 458c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott OSCertHandle cert_handle_; 459c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 460c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Untrusted intermediate certificates associated with this certificate 461513209b27ff55e2841eac0e4120199c23acce758Ben Murdoch // that may be needed for chain building. 462c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch OSCertHandles intermediate_ca_certs_; 463c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 464c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#if defined(OS_MACOSX) 465c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Blocks multiple threads from verifying the cert simultaneously. 466c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // (Marked mutable because it's used in a const method.) 46772a454cd3513ac24fbdd0e0cb9ad70b86a99b801Kristian Monsen mutable base::Lock verification_lock_; 468c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#endif 469c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 470c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott // Where the certificate comes from. 471c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott Source source_; 472c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 473c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott DISALLOW_COPY_AND_ASSIGN(X509Certificate); 474c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott}; 475c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 476c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott} // namespace net 477c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott 478c7f5f8508d98d5952d42ed7648c2a8f30a4da156Patrick Scott#endif // NET_BASE_X509_CERTIFICATE_H_ 479