x509_certificate.h revision c407dc5cd9bdc5668497f21b26b09d988ab439de
1// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef NET_BASE_X509_CERTIFICATE_H_ 6#define NET_BASE_X509_CERTIFICATE_H_ 7 8#include <string.h> 9 10#include <string> 11#include <vector> 12 13#include "base/ref_counted.h" 14#include "base/time.h" 15#include "net/base/x509_cert_types.h" 16#include "testing/gtest/include/gtest/gtest_prod.h" 17 18#if defined(OS_WIN) 19#include <windows.h> 20#include <wincrypt.h> 21#elif defined(OS_MACOSX) 22#include <CoreFoundation/CFArray.h> 23#include <Security/SecBase.h> 24#elif defined(USE_NSS) 25// Forward declaration; real one in <cert.h> 26struct CERTCertificateStr; 27#endif 28 29class Pickle; 30 31namespace net { 32 33class CertVerifyResult; 34 35// X509Certificate represents an X.509 certificate used by SSL. 36class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { 37 public: 38 // A handle to the certificate object in the underlying crypto library. 39 // We assume that OSCertHandle is a pointer type on all platforms and 40 // NULL is an invalid OSCertHandle. 41#if defined(OS_WIN) 42 typedef PCCERT_CONTEXT OSCertHandle; 43#elif defined(OS_MACOSX) 44 typedef SecCertificateRef OSCertHandle; 45#elif defined(USE_NSS) 46 typedef struct CERTCertificateStr* OSCertHandle; 47#else 48 // TODO(ericroman): not implemented 49 typedef void* OSCertHandle; 50#endif 51 52 typedef std::vector<OSCertHandle> OSCertHandles; 53 54 // Predicate functor used in maps when X509Certificate is used as the key. 55 class LessThan 56 : public std::binary_function<X509Certificate*, X509Certificate*, bool> { 57 public: 58 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; 59 }; 60 61 // Where the certificate comes from. The enumeration constants are 62 // listed in increasing order of preference. 63 enum Source { 64 SOURCE_UNUSED = 0, // The source_ member is not used. 65 SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without 66 // its intermediate CA certificates. 67 SOURCE_FROM_NETWORK = 2, // From the network. 68 }; 69 70 enum VerifyFlags { 71 VERIFY_REV_CHECKING_ENABLED = 1 << 0, 72 VERIFY_EV_CERT = 1 << 1, 73 }; 74 75 // Create an X509Certificate from a handle to the certificate object in the 76 // underlying crypto library. |source| specifies where |cert_handle| comes 77 // from. Given two certificate handles for the same certificate, our 78 // certificate cache prefers the handle from the network because our HTTP 79 // cache isn't caching the corresponding intermediate CA certificates yet 80 // (http://crbug.com/7065). 81 // The list of intermediate certificates is ignored under NSS (i.e. Linux.) 82 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 83 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, 84 Source source, 85 const OSCertHandles& intermediates); 86 87 // Create an X509Certificate from the BER-encoded representation. 88 // Returns NULL on failure. 89 // 90 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 91 static X509Certificate* CreateFromBytes(const char* data, int length); 92 93 // Create an X509Certificate from the representation stored in the given 94 // pickle. The data for this object is found relative to the given 95 // pickle_iter, which should be passed to the pickle's various Read* methods. 96 // Returns NULL on failure. 97 // 98 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 99 static X509Certificate* CreateFromPickle(const Pickle& pickle, 100 void** pickle_iter); 101 102 // Creates a X509Certificate from the ground up. Used by tests that simulate 103 // SSL connections. 104 X509Certificate(const std::string& subject, const std::string& issuer, 105 base::Time start_date, base::Time expiration_date); 106 107 // Appends a representation of this object to the given pickle. 108 void Persist(Pickle* pickle); 109 110 // The subject of the certificate. For HTTPS server certificates, this 111 // represents the web server. The common name of the subject should match 112 // the host name of the web server. 113 const CertPrincipal& subject() const { return subject_; } 114 115 // The issuer of the certificate. 116 const CertPrincipal& issuer() const { return issuer_; } 117 118 // Time period during which the certificate is valid. More precisely, this 119 // certificate is invalid before the |valid_start| date and invalid after 120 // the |valid_expiry| date. 121 // If we were unable to parse either date from the certificate (or if the cert 122 // lacks either date), the date will be null (i.e., is_null() will be true). 123 const base::Time& valid_start() const { return valid_start_; } 124 const base::Time& valid_expiry() const { return valid_expiry_; } 125 126 // The fingerprint of this certificate. 127 const SHA1Fingerprint& fingerprint() const { return fingerprint_; } 128 129 // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1 130 // Server Identity, if the certificate has a subjectAltName extension of 131 // type dNSName, this method gets the DNS names in that extension. 132 // Otherwise, it gets the common name in the subject field. 133 void GetDNSNames(std::vector<std::string>* dns_names) const; 134 135 // Convenience method that returns whether this certificate has expired as of 136 // now. 137 bool HasExpired() const; 138 139#if defined(OS_MACOSX) || defined(OS_WIN) 140 // Returns intermediate certificates added via AddIntermediateCertificate(). 141 // Ownership follows the "get" rule: it is the caller's responsibility to 142 // retain the elements of the result. 143 const OSCertHandles& GetIntermediateCertificates() const { 144 return intermediate_ca_certs_; 145 } 146#endif 147 148 // Returns true if I already contain the given intermediate cert. 149 bool HasIntermediateCertificate(OSCertHandle cert); 150 151 // Returns true if I already contain all the given intermediate certs. 152 bool HasIntermediateCertificates(const OSCertHandles& certs); 153 154#if defined(OS_MACOSX) 155 // Does this certificate's usage allow SSL client authentication? 156 bool SupportsSSLClientAuth() const; 157 158 // Do any of the given issuer names appear in this cert's chain of trust? 159 bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers); 160 161 // Creates a security policy for SSL client certificates. 162 static OSStatus CreateSSLClientPolicy(SecPolicyRef* outPolicy); 163 164 // Adds all available SSL client identity certs to the given vector. 165 // |server_domain| is a hint for which domain the cert is to be sent to 166 // (a cert previously specified as the default for that domain will be given 167 // precedence and returned first in the output vector.) 168 // If valid_issuers is non-empty, only certs that were transitively issued by 169 // one of the given names will be included in the list. 170 static bool GetSSLClientCertificates( 171 const std::string& server_domain, 172 const std::vector<CertPrincipal>& valid_issuers, 173 std::vector<scoped_refptr<X509Certificate> >* certs); 174 175 // Creates the chain of certs to use for this client identity cert. 176 CFArrayRef CreateClientCertificateChain() const; 177#endif 178 179 // Verifies the certificate against the given hostname. Returns OK if 180 // successful or an error code upon failure. 181 // 182 // The |*verify_result| structure, including the |verify_result->cert_status| 183 // bitmask, is always filled out regardless of the return value. If the 184 // certificate has multiple errors, the corresponding status flags are set in 185 // |verify_result->cert_status|, and the error code for the most serious 186 // error is returned. 187 // 188 // |flags| is bitwise OR'd of VerifyFlags. 189 // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, certificate revocation 190 // checking is performed. If VERIFY_EV_CERT is set in |flags| too, 191 // EV certificate verification is performed. 192 int Verify(const std::string& hostname, 193 int flags, 194 CertVerifyResult* verify_result) const; 195 196 OSCertHandle os_cert_handle() const { return cert_handle_; } 197 198 // Returns true if two OSCertHandles refer to identical certificates. 199 static bool IsSameOSCert(OSCertHandle a, OSCertHandle b); 200 201 // Creates an OS certificate handle from the BER-encoded representation. 202 // Returns NULL on failure. 203 static OSCertHandle CreateOSCertHandleFromBytes(const char* data, 204 int length); 205 206 // Duplicates (or adds a reference to) an OS certificate handle. 207 static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); 208 209 // Frees (or releases a reference to) an OS certificate handle. 210 static void FreeOSCertHandle(OSCertHandle cert_handle); 211 212 private: 213 friend class base::RefCountedThreadSafe<X509Certificate>; 214 FRIEND_TEST(X509CertificateTest, Cache); 215 FRIEND_TEST(X509CertificateTest, IntermediateCertificates); 216 217 class Cache; 218 219 // Construct an X509Certificate from a handle to the certificate object 220 // in the underlying crypto library. 221 X509Certificate(OSCertHandle cert_handle, Source source, 222 const OSCertHandles& intermediates); 223 224 ~X509Certificate(); 225 226 // Common object initialization code. Called by the constructors only. 227 void Initialize(); 228 229 bool VerifyEV() const; 230 231 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty 232 // (all zero) fingerprint on failure. 233 static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle); 234 235 // The subject of the certificate. 236 CertPrincipal subject_; 237 238 // The issuer of the certificate. 239 CertPrincipal issuer_; 240 241 // This certificate is not valid before |valid_start_| 242 base::Time valid_start_; 243 244 // This certificate is not valid after |valid_expiry_| 245 base::Time valid_expiry_; 246 247 // The fingerprint of this certificate. 248 SHA1Fingerprint fingerprint_; 249 250 // A handle to the certificate object in the underlying crypto library. 251 OSCertHandle cert_handle_; 252 253#if defined(OS_MACOSX) || defined(OS_WIN) 254 // Untrusted intermediate certificates associated with this certificate 255 // that may be needed for chain building. (NSS impl does not need these.) 256 OSCertHandles intermediate_ca_certs_; 257#endif 258 259#if defined(OS_MACOSX) 260 // Blocks multiple threads from verifying the cert simultaneously. 261 // (Marked mutable because it's used in a const method.) 262 mutable Lock verification_lock_; 263#endif 264 265 // Where the certificate comes from. 266 Source source_; 267 268 DISALLOW_COPY_AND_ASSIGN(X509Certificate); 269}; 270 271} // namespace net 272 273#endif // NET_BASE_X509_CERTIFICATE_H_ 274