x509_certificate.h revision c407dc5cd9bdc5668497f21b26b09d988ab439de 
1// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_BASE_X509_CERTIFICATE_H_
6#define NET_BASE_X509_CERTIFICATE_H_
7
8#include <string.h>
9
10#include <string>
11#include <vector>
12
13#include "base/ref_counted.h"
14#include "base/time.h"
15#include "net/base/x509_cert_types.h"
16#include "testing/gtest/include/gtest/gtest_prod.h"
17
18#if defined(OS_WIN)
19#include <windows.h>
20#include <wincrypt.h>
21#elif defined(OS_MACOSX)
22#include <CoreFoundation/CFArray.h>
23#include <Security/SecBase.h>
24#elif defined(USE_NSS)
25// Forward declaration; real one in <cert.h>
26struct CERTCertificateStr;
27#endif
28
29class Pickle;
30
31namespace net {
32
33class CertVerifyResult;
34
35// X509Certificate represents an X.509 certificate used by SSL.
36class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
37 public:
38  // A handle to the certificate object in the underlying crypto library.
39  // We assume that OSCertHandle is a pointer type on all platforms and
40  // NULL is an invalid OSCertHandle.
41#if defined(OS_WIN)
42  typedef PCCERT_CONTEXT OSCertHandle;
43#elif defined(OS_MACOSX)
44  typedef SecCertificateRef OSCertHandle;
45#elif defined(USE_NSS)
46  typedef struct CERTCertificateStr* OSCertHandle;
47#else
48  // TODO(ericroman): not implemented
49  typedef void* OSCertHandle;
50#endif
51
52  typedef std::vector<OSCertHandle> OSCertHandles;
53
54  // Predicate functor used in maps when X509Certificate is used as the key.
55  class LessThan
56      : public std::binary_function<X509Certificate*, X509Certificate*, bool> {
57   public:
58    bool operator() (X509Certificate* lhs,  X509Certificate* rhs) const;
59  };
60
61  // Where the certificate comes from.  The enumeration constants are
62  // listed in increasing order of preference.
63  enum Source {
64    SOURCE_UNUSED = 0,            // The source_ member is not used.
65    SOURCE_LONE_CERT_IMPORT = 1,  // From importing a certificate without
66                                  // its intermediate CA certificates.
67    SOURCE_FROM_NETWORK = 2,      // From the network.
68  };
69
70  enum VerifyFlags {
71    VERIFY_REV_CHECKING_ENABLED = 1 << 0,
72    VERIFY_EV_CERT = 1 << 1,
73  };
74
75  // Create an X509Certificate from a handle to the certificate object in the
76  // underlying crypto library. |source| specifies where |cert_handle| comes
77  // from.  Given two certificate handles for the same certificate, our
78  // certificate cache prefers the handle from the network because our HTTP
79  // cache isn't caching the corresponding intermediate CA certificates yet
80  // (http://crbug.com/7065).
81  // The list of intermediate certificates is ignored under NSS (i.e. Linux.)
82  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
83  static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
84      Source source,
85      const OSCertHandles& intermediates);
86
87  // Create an X509Certificate from the BER-encoded representation.
88  // Returns NULL on failure.
89  //
90  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
91  static X509Certificate* CreateFromBytes(const char* data, int length);
92
93  // Create an X509Certificate from the representation stored in the given
94  // pickle.  The data for this object is found relative to the given
95  // pickle_iter, which should be passed to the pickle's various Read* methods.
96  // Returns NULL on failure.
97  //
98  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
99  static X509Certificate* CreateFromPickle(const Pickle& pickle,
100                                           void** pickle_iter);
101
102  // Creates a X509Certificate from the ground up.  Used by tests that simulate
103  // SSL connections.
104  X509Certificate(const std::string& subject, const std::string& issuer,
105                  base::Time start_date, base::Time expiration_date);
106
107  // Appends a representation of this object to the given pickle.
108  void Persist(Pickle* pickle);
109
110  // The subject of the certificate.  For HTTPS server certificates, this
111  // represents the web server.  The common name of the subject should match
112  // the host name of the web server.
113  const CertPrincipal& subject() const { return subject_; }
114
115  // The issuer of the certificate.
116  const CertPrincipal& issuer() const { return issuer_; }
117
118  // Time period during which the certificate is valid.  More precisely, this
119  // certificate is invalid before the |valid_start| date and invalid after
120  // the |valid_expiry| date.
121  // If we were unable to parse either date from the certificate (or if the cert
122  // lacks either date), the date will be null (i.e., is_null() will be true).
123  const base::Time& valid_start() const { return valid_start_; }
124  const base::Time& valid_expiry() const { return valid_expiry_; }
125
126  // The fingerprint of this certificate.
127  const SHA1Fingerprint& fingerprint() const { return fingerprint_; }
128
129  // Gets the DNS names in the certificate.  Pursuant to RFC 2818, Section 3.1
130  // Server Identity, if the certificate has a subjectAltName extension of
131  // type dNSName, this method gets the DNS names in that extension.
132  // Otherwise, it gets the common name in the subject field.
133  void GetDNSNames(std::vector<std::string>* dns_names) const;
134
135  // Convenience method that returns whether this certificate has expired as of
136  // now.
137  bool HasExpired() const;
138
139#if defined(OS_MACOSX) || defined(OS_WIN)
140  // Returns intermediate certificates added via AddIntermediateCertificate().
141  // Ownership follows the "get" rule: it is the caller's responsibility to
142  // retain the elements of the result.
143  const OSCertHandles& GetIntermediateCertificates() const {
144    return intermediate_ca_certs_;
145  }
146#endif
147
148  // Returns true if I already contain the given intermediate cert.
149  bool HasIntermediateCertificate(OSCertHandle cert);
150
151  // Returns true if I already contain all the given intermediate certs.
152  bool HasIntermediateCertificates(const OSCertHandles& certs);
153
154#if defined(OS_MACOSX)
155  // Does this certificate's usage allow SSL client authentication?
156  bool SupportsSSLClientAuth() const;
157
158  // Do any of the given issuer names appear in this cert's chain of trust?
159  bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers);
160
161  // Creates a security policy for SSL client certificates.
162  static OSStatus CreateSSLClientPolicy(SecPolicyRef* outPolicy);
163
164  // Adds all available SSL client identity certs to the given vector.
165  // |server_domain| is a hint for which domain the cert is to be sent to
166  // (a cert previously specified as the default for that domain will be given
167  // precedence and returned first in the output vector.)
168  // If valid_issuers is non-empty, only certs that were transitively issued by
169  // one of the given names will be included in the list.
170  static bool GetSSLClientCertificates(
171      const std::string& server_domain,
172      const std::vector<CertPrincipal>& valid_issuers,
173      std::vector<scoped_refptr<X509Certificate> >* certs);
174
175  // Creates the chain of certs to use for this client identity cert.
176  CFArrayRef CreateClientCertificateChain() const;
177#endif
178
179  // Verifies the certificate against the given hostname.  Returns OK if
180  // successful or an error code upon failure.
181  //
182  // The |*verify_result| structure, including the |verify_result->cert_status|
183  // bitmask, is always filled out regardless of the return value.  If the
184  // certificate has multiple errors, the corresponding status flags are set in
185  // |verify_result->cert_status|, and the error code for the most serious
186  // error is returned.
187  //
188  // |flags| is bitwise OR'd of VerifyFlags.
189  // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, certificate revocation
190  // checking is performed.  If VERIFY_EV_CERT is set in |flags| too,
191  // EV certificate verification is performed.
192  int Verify(const std::string& hostname,
193             int flags,
194             CertVerifyResult* verify_result) const;
195
196  OSCertHandle os_cert_handle() const { return cert_handle_; }
197
198  // Returns true if two OSCertHandles refer to identical certificates.
199  static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
200
201  // Creates an OS certificate handle from the BER-encoded representation.
202  // Returns NULL on failure.
203  static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
204                                                  int length);
205
206  // Duplicates (or adds a reference to) an OS certificate handle.
207  static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
208
209  // Frees (or releases a reference to) an OS certificate handle.
210  static void FreeOSCertHandle(OSCertHandle cert_handle);
211
212 private:
213  friend class base::RefCountedThreadSafe<X509Certificate>;
214  FRIEND_TEST(X509CertificateTest, Cache);
215  FRIEND_TEST(X509CertificateTest, IntermediateCertificates);
216
217  class Cache;
218
219  // Construct an X509Certificate from a handle to the certificate object
220  // in the underlying crypto library.
221  X509Certificate(OSCertHandle cert_handle, Source source,
222                  const OSCertHandles& intermediates);
223
224  ~X509Certificate();
225
226  // Common object initialization code.  Called by the constructors only.
227  void Initialize();
228
229  bool VerifyEV() const;
230
231  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
232  // (all zero) fingerprint on failure.
233  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
234
235  // The subject of the certificate.
236  CertPrincipal subject_;
237
238  // The issuer of the certificate.
239  CertPrincipal issuer_;
240
241  // This certificate is not valid before |valid_start_|
242  base::Time valid_start_;
243
244  // This certificate is not valid after |valid_expiry_|
245  base::Time valid_expiry_;
246
247  // The fingerprint of this certificate.
248  SHA1Fingerprint fingerprint_;
249
250  // A handle to the certificate object in the underlying crypto library.
251  OSCertHandle cert_handle_;
252
253#if defined(OS_MACOSX) || defined(OS_WIN)
254  // Untrusted intermediate certificates associated with this certificate
255  // that may be needed for chain building. (NSS impl does not need these.)
256  OSCertHandles intermediate_ca_certs_;
257#endif
258
259#if defined(OS_MACOSX)
260  // Blocks multiple threads from verifying the cert simultaneously.
261  // (Marked mutable because it's used in a const method.)
262  mutable Lock verification_lock_;
263#endif
264
265  // Where the certificate comes from.
266  Source source_;
267
268  DISALLOW_COPY_AND_ASSIGN(X509Certificate);
269};
270
271}  // namespace net
272
273#endif  // NET_BASE_X509_CERTIFICATE_H_
274