15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Copyright (c) 2012 The Chromium Authors. All rights reserved.
25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be
35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// found in the LICENSE file.
45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
5c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#ifndef NET_CERT_X509_CERTIFICATE_H_
6c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#define NET_CERT_X509_CERTIFICATE_H_
75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <string.h>
95821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <string>
115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <vector>
125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "base/gtest_prod_util.h"
145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "base/memory/ref_counted.h"
15c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "base/strings/string_piece.h"
16eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch#include "base/time/time.h"
175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "net/base/net_export.h"
18c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/cert_type.h"
19c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/x509_cert_types.h"
205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(OS_WIN)
225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <windows.h>
235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <wincrypt.h>
245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#elif defined(OS_MACOSX)
255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <CoreFoundation/CFArray.h>
265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <Security/SecBase.h>
275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
28effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#elif defined(USE_OPENSSL_CERTS)
295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Forward declaration; real one in <x509.h>
305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)typedef struct x509_st X509;
315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)typedef struct x509_store_st X509_STORE;
325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#elif defined(USE_NSS)
335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Forward declaration; real one in <cert.h>
345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)struct CERTCertificateStr;
355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif
365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
// Forward declarations for the serialization types used by Persist() and
// CreateFromPickle() below; their full definitions live outside this header.
class Pickle;
class PickleIterator;
395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)namespace net {
415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
// Forward declarations. Neither CRLSet nor CertVerifyResult is referenced in
// the part of this header visible here; presumably they appear in
// declarations further down (e.g. a verification entry point) -- confirm.
class CRLSet;
class CertVerifyResult;

// A chain (or arbitrary list) of reference-counted certificates.
// NOTE(review): this names X509Certificate before the class definition below,
// so it relies on a forward declaration that is not visible in this file
// (presumably provided via net/cert/x509_cert_types.h) -- confirm.
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
// X509Certificate represents an X.509 certificate, which is comprised of a
// particular identity or end-entity certificate, such as an SSL server
// identity or an SSL client certificate, and zero or more intermediate
// certificates that may be used to build a path to a root certificate.
515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)class NET_EXPORT X509Certificate
525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)    : public base::RefCountedThreadSafe<X509Certificate> {
535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) public:
  // An OSCertHandle is a handle to a certificate object in the underlying
  // crypto library. We assume that OSCertHandle is a pointer type on all
  // platforms and that NULL represents an invalid OSCertHandle.
  //
  // Ownership and reference counting of a handle are library-specific and are
  // not expressed by this typedef; how handles are duplicated and released is
  // implemented out of line and is not visible here.
#if defined(OS_WIN)
  typedef PCCERT_CONTEXT OSCertHandle;
#elif defined(OS_MACOSX)
  typedef SecCertificateRef OSCertHandle;
#elif defined(USE_OPENSSL_CERTS)
  typedef X509* OSCertHandle;
#elif defined(USE_NSS)
  typedef struct CERTCertificateStr* OSCertHandle;
#else
  // TODO(ericroman): not implemented
  // Fallback so the header still compiles on an unsupported configuration;
  // there is no backing certificate library in this case.
  typedef void* OSCertHandle;
#endif

  // A plain vector of raw handles (e.g. the intermediates of a chain). The
  // vector type carries no ownership semantics of its own; see the ownership
  // note on GetIntermediateCertificates().
  typedef std::vector<OSCertHandle> OSCertHandles;
715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Public key algorithm families a certificate's key may belong to.
  // kPublicKeyTypeUnknown is the zero value, so it is what a value-initialized
  // PublicKeyType holds and the natural result for an unrecognised algorithm.
  enum PublicKeyType {
    kPublicKeyTypeUnknown,
    kPublicKeyTypeRSA,
    kPublicKeyTypeDSA,
    kPublicKeyTypeECDSA,
    kPublicKeyTypeDH,
    kPublicKeyTypeECDH
  };
805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Predicate functor used in maps when X509Certificate is used as the key.
  // It must impose a strict weak ordering for std::map to behave correctly;
  // the actual comparison criterion is defined out of line and is not
  // visible here.
  class NET_EXPORT LessThan {
   public:
    bool operator()(const scoped_refptr<X509Certificate>& lhs,
                    const scoped_refptr<X509Certificate>& rhs) const;
  };
875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Bit flags describing the encodings that serialized certificate data may
  // use. Values may be combined with bitwise OR and are passed as the int
  // |format| argument of CreateCertificateListFromBytes().
  enum Format {
    // The data contains a single DER-encoded certificate, or a PEM-encoded
    // DER certificate with the PEM encoding block name of "CERTIFICATE".
    // Any subsequent blocks will be ignored.
    FORMAT_SINGLE_CERTIFICATE = 1 << 0,

    // The data contains a sequence of one or more PEM-encoded, DER
    // certificates, with the PEM encoding block name of "CERTIFICATE".
    // All PEM blocks will be parsed, until the first error is encountered.
    // NOTE(review): whether the blocks parsed before that error are returned,
    // or the whole result is discarded as the "empty collection on error"
    // contract of CreateCertificateListFromBytes() suggests, is not stated
    // here -- confirm against the implementation before relying on either.
    FORMAT_PEM_CERT_SEQUENCE = 1 << 1,

    // The data contains a PKCS#7 SignedData structure, whose certificates
    // member is to be used to initialize the certificate and intermediates.
    // The data may further be encoded using PEM, specifying block names of
    // either "PKCS7" or "CERTIFICATE".
    FORMAT_PKCS7 = 1 << 2,

    // Automatically detect the format (every format above is permitted).
    FORMAT_AUTO = FORMAT_SINGLE_CERTIFICATE | FORMAT_PEM_CERT_SEQUENCE |
                  FORMAT_PKCS7,
  };
1095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // PickleType is intended for deserializing certificates that were pickled
  // by previous releases as part of a net::HttpResponseInfo.
  // When serializing certificates to a new Pickle,
  // PICKLETYPE_CERTIFICATE_CHAIN_V3 is always used.
  //
  // Because a pickle read with one of these types was produced by an earlier
  // process (possibly an earlier release), it must not be assumed to be
  // well-formed: CreateFromPickle() reports a malformed pickle by returning
  // NULL, and callers must handle that.
  enum PickleType {
    // When reading a certificate from a Pickle, the Pickle only contains a
    // single certificate.
    PICKLETYPE_SINGLE_CERTIFICATE,

    // When reading a certificate from a Pickle, the Pickle contains the
    // certificate plus any certificates that were stored in
    // |intermediate_ca_certificates_| at the time it was serialized.
    // The count of certificates is stored as a size_t, which is either 32
    // or 64 bits, so a V2 pickle is presumably only readable by a build with
    // the same size_t width as the one that wrote it -- confirm.
    PICKLETYPE_CERTIFICATE_CHAIN_V2,

    // The Pickle contains the certificate and any certificates that were
    // stored in |intermediate_ca_certs_| at the time it was serialized.
    // The format is [int count], [data - this certificate],
    // [data - intermediate1], ... [data - intermediateN].
    // All certificates are stored in DER form. The count is an int here
    // (rather than V2's size_t), which is what avoids V2's width dependence.
    PICKLETYPE_CERTIFICATE_CHAIN_V3,
  };
1335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Creates a X509Certificate from the ground up.  Used by tests that simulate
  // SSL connections. |subject| and |issuer| name the two principals;
  // |start_date| and |expiration_date| become valid_start()/valid_expiry().
  // NOTE(review): presumably no OSCertHandle backs an object built this way,
  // so it should not reach code that needs os_cert_handle() -- confirm in the
  // constructor body, which is not visible here.
  X509Certificate(const std::string& subject, const std::string& issuer,
                  base::Time start_date, base::Time expiration_date);

  // Create an X509Certificate from a handle to the certificate object in the
  // underlying crypto library. The returned pointer must be stored in a
  // scoped_refptr<X509Certificate>.
  // Whether |cert_handle| and |intermediates| are duplicated or adopted is not
  // stated at this interface; confirm before releasing them on the caller
  // side.
  static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
                                           const OSCertHandles& intermediates);

  // Create an X509Certificate from a chain of DER encoded certificates. The
  // first certificate in the chain is the end-entity certificate to which a
  // handle is returned. The other certificates in the chain are intermediate
  // certificates. The returned pointer must be stored in a
  // scoped_refptr<X509Certificate>.
  // NOTE(review): the failure behaviour (an empty |der_certs|, or an element
  // that does not parse) is not documented here; CreateFromBytes() below
  // returns NULL on failure and this presumably does too -- confirm.
  static X509Certificate* CreateFromDERCertChain(
      const std::vector<base::StringPiece>& der_certs);

  // Create an X509Certificate from the DER-encoded representation.
  // Returns NULL on failure.
  //
  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
  // |length| is a signed int: this interface cannot check that it is
  // non-negative or that it lies within |data|, so the caller must guarantee
  // both.
  static X509Certificate* CreateFromBytes(const char* data, int length);
1585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
#if defined(USE_NSS)
  // Create an X509Certificate from the DER-encoded representation.
  // |nickname| can be NULL if an auto-generated nickname is desired.
  // Returns NULL on failure.  The returned pointer must be stored in a
  // scoped_refptr<X509Certificate>.
  //
  // This function differs from CreateFromBytes in that it takes a
  // nickname that will be used when the certificate is imported into PKCS#11.
  // The same caveat as CreateFromBytes applies to |length|: it must be
  // non-negative and lie within |data|, which this interface cannot check.
  static X509Certificate* CreateFromBytesWithNickname(const char* data,
                                                      int length,
                                                      const char* nickname);

  // The default nickname of the certificate, based on the certificate type
  // passed in.  If this object was created using CreateFromBytesWithNickname,
  // then this will return the nickname specified upon creation.
  // The nickname is a caller-supplied, human-readable label for the token
  // store; it is not an authenticated property of the certificate.
  std::string GetDefaultNickname(CertType type) const;
#endif
1765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Create an X509Certificate from the representation stored in the given
  // pickle.  The data for this object is found relative to the given
  // pickle_iter, which should be passed to the pickle's various Read* methods.
  // Returns NULL on failure.
  //
  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
  // |type| must describe the layout the pickle was written with (see
  // PickleType). The pickle was produced by an earlier process or release, so
  // it should be treated as untrusted input and a NULL result must be handled.
  static X509Certificate* CreateFromPickle(const Pickle& pickle,
                                           PickleIterator* pickle_iter,
                                           PickleType type);

  // Parses all of the certificates possible from |data|. |format| is a
  // bit-wise OR of Format, indicating the possible formats the
  // certificates may have been serialized as. If an error occurs, an empty
  // collection will be returned.
  // Note that an empty result therefore does not distinguish "no certificates
  // present" from "malformed input"; callers that need to tell these apart
  // must check |data| separately. As with CreateFromBytes(), |length| must be
  // non-negative and lie within |data|.
  static CertificateList CreateCertificateListFromBytes(const char* data,
                                                        int length,
                                                        int format);

  // Appends a representation of this object to the given pickle.
  // Always writes the PICKLETYPE_CERTIFICATE_CHAIN_V3 layout (see PickleType).
  // Declared non-const; whether it mutates any state is not visible here.
  void Persist(Pickle* pickle);
1975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // The serial number, DER encoded, possibly including a leading 00 byte.
  // The bytes are returned as carried in the certificate (the 00 byte is how
  // DER keeps an INTEGER with its high bit set positive); callers presumably
  // compare them as raw bytes rather than as a number -- confirm.
  const std::string& serial_number() const { return serial_number_; }
2005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // The subject of the certificate.  For HTTPS server certificates, this
  // represents the web server.  The common name of the subject should match
  // the host name of the web server.
  // This accessor performs no matching itself; use VerifyHostname() or
  // GetDNSNames() for name checks, where a subjectAltName extension takes
  // precedence over the common name.
  const CertPrincipal& subject() const { return subject_; }
2055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // The issuer of the certificate, i.e. the name of the CA that signed it.
  // This is the issuer name only; it says nothing about whether the signature
  // verifies, which is the job of certificate verification, not this accessor.
  const CertPrincipal& issuer() const { return issuer_; }
2085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Time period during which the certificate is valid.  More precisely, this
  // certificate is invalid before the |valid_start| date and invalid after
  // the |valid_expiry| date.
  // If we were unable to parse either date from the certificate (or if the cert
  // lacks either date), the date will be null (i.e., is_null() will be true).
  // NOTE(review): a null base::Time still takes part in comparisons, so
  // callers should test is_null() before comparing against the current time;
  // how HasExpired() treats a null date is not visible here -- confirm.
  const base::Time& valid_start() const { return valid_start_; }
  const base::Time& valid_expiry() const { return valid_expiry_; }
2165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // The fingerprint of this certificate (a SHA-1 digest, per the return type;
  // which bytes are hashed is defined out of line).
  // NOTE(review): SHA-1 is no longer considered collision resistant, so treat
  // fingerprint equality as a lookup/cache key rather than as proof that two
  // certificates are the same; confirm how security-sensitive callers use it.
  const SHA1HashValue& fingerprint() const { return fingerprint_; }
2195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // The fingerprint of the intermediate CA certificates, folded into a single
  // SHA1HashValue; how the intermediates are combined before hashing (and what
  // is returned when there are none) is not visible here -- confirm.
  // NOTE(review): as with fingerprint(), this is SHA-1, which is no longer
  // collision resistant; suitable as a cache key, not as a security-critical
  // identity.
  const SHA1HashValue& ca_fingerprint() const {
    return ca_fingerprint_;
  }
2245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Gets the DNS names in the certificate.  Pursuant to RFC 2818, Section 3.1
  // Server Identity, if the certificate has a subjectAltName extension of
  // type dNSName, this method gets the DNS names in that extension.
  // Otherwise, it gets the common name in the subject field.
  // NOTE(review): the common-name fallback is the legacy path (compare the
  // |common_name_fallback_used| flag reported by VerifyHostname() below);
  // callers should not treat a CN-derived name as equivalent to a SAN entry.
  void GetDNSNames(std::vector<std::string>* dns_names) const;

  // Gets the subjectAltName extension field from the certificate, if any.
  // For future extension; currently this only returns those name types that
  // are required for HTTP certificate name verification - see VerifyHostname.
  // Unrequired parameters may be passed as NULL.
  // Whether the output vectors are cleared or appended to is not stated here
  // -- confirm before reusing a vector across calls.
  void GetSubjectAltName(std::vector<std::string>* dns_names,
                         std::vector<std::string>* ip_addrs) const;

  // Convenience method that returns whether this certificate has expired as of
  // now. "Now" presumably comes from the system clock, so the answer is only
  // as trustworthy as that clock; how a null valid_expiry() is treated is not
  // visible here -- confirm.
  bool HasExpired() const;

  // Returns true if this object and |other| represent the same certificate.
  // What "same" means (handle identity, DER equality, or fingerprint) is
  // defined out of line, and whether a NULL |other| is accepted is not
  // documented here -- confirm.
  bool Equals(const X509Certificate* other) const;
2445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Returns intermediate certificates added via AddIntermediateCertificate().
  // Ownership follows the "get" rule: it is the caller's responsibility to
  // retain the elements of the result.
  // The returned reference aliases |intermediate_ca_certs_| and is valid only
  // while this object is alive; the elements are raw handles, and nothing in
  // the vector type keeps them alive on the caller's behalf.
  const OSCertHandles& GetIntermediateCertificates() const {
    return intermediate_ca_certs_;
  }
2515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
#if defined(OS_MACOSX)
  // Does this certificate's usage allow SSL client authentication?
  // The criterion is evaluated out of line (presumably from the certificate's
  // usage extensions) and is not visible here.
  bool SupportsSSLClientAuth() const;

  // Returns a new CFArrayRef containing this certificate and its intermediate
  // certificates in the form expected by Security.framework and Keychain
  // Services, or NULL on failure.
  // The first item in the array will be this certificate, followed by its
  // intermediates, if any.
  // "New" implies the Core Foundation Create rule: the caller presumably owns
  // the returned array and must CFRelease it -- confirm.
  CFArrayRef CreateOSCertChainForCert() const;
#endif
2635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Do any of the given issuer names appear in this cert's chain of trust?
  // |valid_issuers| is a list of DER-encoded X.509 DistinguishedNames.
  // Presumably "chain of trust" means this certificate's issuer together with
  // the issuers of the stored intermediates, not a path built by a verifier
  // -- confirm. Declared non-const; whether it mutates any state is not
  // visible here.
  bool IsIssuedByEncoded(const std::vector<std::string>& valid_issuers);
2672a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)
#if defined(OS_WIN)
  // Returns a new PCCERT_CONTEXT containing this certificate and its
  // intermediate certificates, or NULL on failure. The returned
  // PCCERT_CONTEXT *MUST NOT* be stored in an X509Certificate, as this will
  // cause os_cert_handle() to return incorrect results. This function is only
  // necessary if the CERT_CONTEXT.hCertStore member will be accessed or
  // enumerated, which is generally true for any CryptoAPI functions involving
  // certificate chains, including validation or certificate display.
  //
  // Remarks:
  // Depending on the CryptoAPI function, Windows may need to access the
  // HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to
  // locate additional intermediates. However, all certificate handles are added
  // to a NULL HCERTSTORE, allowing the system to manage the resources. As a
  // result, intermediates for |cert_handle_| cannot be located simply via
  // |cert_handle_->hCertStore|, as it refers to a magic value indicating
  // "only this certificate".
  //
  // To avoid this problem, a new in-memory HCERTSTORE is created containing
  // just this certificate and its intermediates. The handle to the version of
  // the current certificate in the new HCERTSTORE is then returned, with the
  // PCCERT_CONTEXT's HCERTSTORE set to be automatically freed when the returned
  // certificate handle is freed. The caller therefore owns the returned
  // context and is responsible for freeing it (presumably via
  // CertFreeCertificateContext() -- confirm).
  //
  // This function is only needed when the HCERTSTORE of the os_cert_handle()
  // will be accessed, which is generally only during certificate validation
  // or display. While the returned PCCERT_CONTEXT and its HCERTSTORE can
  // safely be used on multiple threads if no further modifications happen, it
  // is generally preferable for each thread that needs such a context to
  // obtain its own, rather than risk thread-safety issues by sharing.
  //
  // Because of how X509Certificate caching is implemented, attempting to
  // create an X509Certificate from the returned PCCERT_CONTEXT may result in
  // the original handle (and thus the original HCERTSTORE) being returned by
  // os_cert_handle(). For this reason, the returned PCCERT_CONTEXT *MUST NOT*
  // be stored in an X509Certificate.
  PCCERT_CONTEXT CreateOSCertChainForCert() const;
#endif
3065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
307effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(USE_OPENSSL_CERTS)
3085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Returns a handle to a global, in-memory certificate store. We
3095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // use it for test code, e.g. importing the test server's certificate.
3105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static X509_STORE* cert_store();
3115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif
3125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Verifies that |hostname| matches this certificate.
  // Does not verify that the certificate is valid (e.g. its signature chain or
  // validity period), only that the certificate's names match this host;
  // callers must still perform full certificate verification before trusting
  // the certificate for |hostname|.
  // Returns true if it matches, and updates |*common_name_fallback_used|,
  // setting it to true if a fallback to the subject CN was used, rather than
  // a subjectAltName entry. Callers that want to reject CN-only matches can
  // check this flag.
3191e9bf3e0803691d0a228da41fc608347b6db4340Torne (Richard Coles)  bool VerifyNameMatch(const std::string& hostname,
3201e9bf3e0803691d0a228da41fc608347b6db4340Torne (Richard Coles)                       bool* common_name_fallback_used) const;
3215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
3225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Obtains the DER encoded certificate data for |cert_handle|. On success,
3235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // returns true and writes the DER encoded certificate to |*der_encoded|.
3245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static bool GetDEREncoded(OSCertHandle cert_handle,
3255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)                            std::string* der_encoded);
3265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
327ca12bfac764ba476d6cd062bf1dde12cc64c3f40Ben Murdoch  // Returns the PEM encoded data from a DER encoded certificate. If the return
328ca12bfac764ba476d6cd062bf1dde12cc64c3f40Ben Murdoch  // value is true, then the PEM encoded certificate is written to
329ca12bfac764ba476d6cd062bf1dde12cc64c3f40Ben Murdoch  // |pem_encoded|.
330ca12bfac764ba476d6cd062bf1dde12cc64c3f40Ben Murdoch  static bool GetPEMEncodedFromDER(const std::string& der_encoded,
331ca12bfac764ba476d6cd062bf1dde12cc64c3f40Ben Murdoch                                   std::string* pem_encoded);
332ca12bfac764ba476d6cd062bf1dde12cc64c3f40Ben Murdoch
3335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Returns the PEM encoded data from an OSCertHandle. If the return value is
3345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // true, then the PEM encoded certificate is written to |pem_encoded|.
3355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static bool GetPEMEncoded(OSCertHandle cert_handle,
3365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)                            std::string* pem_encoded);
3375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Encodes the entire certificate chain (this certificate and any
  // intermediate certificates stored in |intermediate_ca_certs_|) as a series
  // of PEM encoded strings. Returns true if all certificates were encoded,
  // storing the result in |*pem_encoded|, with this certificate stored as
  // the first element.
3435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  bool GetPEMEncodedChain(std::vector<std::string>* pem_encoded) const;
3445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
3455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Sets |*size_bits| to be the length of the public key in bits, and sets
3465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // |*type| to one of the |PublicKeyType| values. In case of
3475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // |kPublicKeyTypeUnknown|, |*size_bits| will be set to 0.
3485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static void GetPublicKeyInfo(OSCertHandle cert_handle,
3495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)                               size_t* size_bits,
3505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)                               PublicKeyType* type);
3515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Accessor for the underlying crypto-library certificate handle.
  //
  // Because instances are cached, the handle returned here may not be the
  // one originally supplied during initialization.
  // Note: On Windows, CryptoAPI may return unexpected results if this handle
  // is used across multiple threads. For more details, see
  // CreateOSCertChainForCert().
  OSCertHandle os_cert_handle() const {
    const OSCertHandle handle = cert_handle_;
    return handle;
  }
3585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
3595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Returns true if two OSCertHandles refer to identical certificates.
3605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
3615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
3625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Creates an OS certificate handle from the DER-encoded representation.
3635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Returns NULL on failure.
3645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
3655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)                                                  int length);
3665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
3675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(USE_NSS)
3685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Creates an OS certificate handle from the DER-encoded representation.
3695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Returns NULL on failure.  Sets the default nickname if |nickname| is
3705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // non-NULL.
3715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static OSCertHandle CreateOSCertHandleFromBytesWithNickname(
3725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)      const char* data,
3735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)      int length,
3745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)      const char* nickname);
3755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif
3765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
3775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Creates all possible OS certificate handles from |data| encoded in a
3785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // specific |format|. Returns an empty collection on failure.
3795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static OSCertHandles CreateOSCertHandlesFromBytes(
3805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)      const char* data,
3815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)      int length,
3825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)      Format format);
3835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
3845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Duplicates (or adds a reference to) an OS certificate handle.
3855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
3865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
3875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Frees (or releases a reference to) an OS certificate handle.
3885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static void FreeOSCertHandle(OSCertHandle cert_handle);
3895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
  // (all zero) fingerprint on failure.
  //
  // SHA-1 is used here for performance when indexing or caching certificates,
  // but SHA-1 is no longer considered collision resistant, so a matching SHA-1
  // fingerprint must not be treated as proof that two certificates are the
  // same: callers should confirm with IsSameOSCert() (or compare SHA-256
  // fingerprints from CalculateCAFingerprint256() /
  // CalculateChainFingerprint256()) before assuming two certificates are
  // the same.
3965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static SHA1HashValue CalculateFingerprint(OSCertHandle cert_handle);
3975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
3985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Calculates the SHA-1 fingerprint of the intermediate CA certificates.
3995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Returns an empty (all zero) fingerprint on failure.
4005f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  //
4015f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // See SHA-1 caveat on CalculateFingerprint().
4025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static SHA1HashValue CalculateCAFingerprint(
4035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)      const OSCertHandles& intermediates);
4045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4055f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // Calculates the SHA-256 fingerprint of the intermediate CA certificates.
4065f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // Returns an empty (all zero) fingerprint on failure.
4075f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  //
4085f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // As part of the cross-platform implementation of this function, it currently
4095f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // copies the certificate bytes into local variables which makes it
4105f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // potentially slower than implementing it directly for each platform. For
4115f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // now, the expected consumers are not performance critical, but if
4125f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // performance is a concern going forward, it may warrant implementing this on
4135f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // a per-platform basis.
4145f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  static SHA256HashValue CalculateCAFingerprint256(
4155f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)      const OSCertHandles& intermediates);
4165f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)
4175f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // Calculates the SHA-256 fingerprint for the complete chain, including the
4185f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // leaf certificate and all intermediate CA certificates. Returns an empty
4195f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  // (all zero) fingerprint on failure.
4205f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)  static SHA256HashValue CalculateChainFingerprint256(
4215f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)      OSCertHandle leaf,
4225f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)      const OSCertHandles& intermediates);
4235f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles)
4245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) private:
4255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  friend class base::RefCountedThreadSafe<X509Certificate>;
4265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  friend class TestRootCerts;  // For unit tests
4275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname);
4295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers);
4305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Construct an X509Certificate from a handle to the certificate object
4325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // in the underlying crypto library.
4335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  X509Certificate(OSCertHandle cert_handle,
4345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)                  const OSCertHandles& intermediates);
4355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  ~X509Certificate();
4375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Common object initialization code.  Called by the constructors only.
4395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  void Initialize();
4405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
441effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(USE_OPENSSL_CERTS)
4425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Resets the store returned by cert_store() to default state. Used by
4435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // TestRootCerts to undo modifications.
4445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static void ResetCertStore();
4455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif
4465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
  // Verifies that |hostname| matches one of the certificate names or IP
  // addresses supplied, based on TLS name matching rules - specifically,
  // following http://tools.ietf.org/html/rfc6125.
  // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject().
  // The members of |cert_san_dns_names| and |cert_san_ip_addrs| must be filled
  // from the dNSName and iPAddress components of the subject alternative name
  // extension, if present. Note these IP addresses are NOT ASCII-encoded:
  // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6
  // addresses, respectively.
  // |*common_name_fallback_used| will be set to true if |cert_common_name|
  // was used to match the hostname, or false if either of the |cert_san_*|
  // parameters was used to match the hostname.
4595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static bool VerifyHostname(const std::string& hostname,
4605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)                             const std::string& cert_common_name,
4615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)                             const std::vector<std::string>& cert_san_dns_names,
4621e9bf3e0803691d0a228da41fc608347b6db4340Torne (Richard Coles)                             const std::vector<std::string>& cert_san_ip_addrs,
4631e9bf3e0803691d0a228da41fc608347b6db4340Torne (Richard Coles)                             bool* common_name_fallback_used);
4645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Reads a single certificate from |pickle_iter| and returns a
4665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // platform-specific certificate handle. The format of the certificate
4675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // stored in |pickle_iter| is not guaranteed to be the same across different
4685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // underlying cryptographic libraries, nor acceptable to CreateFromBytes().
4695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Returns an invalid handle, NULL, on failure.
4705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // NOTE: This should not be used for any new code. It is provided for
4715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // migration purposes and should eventually be removed.
4725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static OSCertHandle ReadOSCertHandleFromPickle(PickleIterator* pickle_iter);
4735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Writes a single certificate to |pickle| in DER form. Returns false on
4755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // failure.
4765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  static bool WriteOSCertHandleToPickle(OSCertHandle handle, Pickle* pickle);
4775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // The subject of the certificate.
4795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  CertPrincipal subject_;
4805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // The issuer of the certificate.
4825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  CertPrincipal issuer_;
4835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // This certificate is not valid before |valid_start_|
4855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  base::Time valid_start_;
4865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // This certificate is not valid after |valid_expiry_|
4885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  base::Time valid_expiry_;
4895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // The fingerprint of this certificate.
4915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  SHA1HashValue fingerprint_;
4925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // The fingerprint of the intermediate CA certificates.
4945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  SHA1HashValue ca_fingerprint_;
4955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // The serial number of this certificate, DER encoded.
4975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  std::string serial_number_;
4985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
4995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // A handle to the certificate object in the underlying crypto library.
5005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  OSCertHandle cert_handle_;
5015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
5025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // Untrusted intermediate certificates associated with this certificate
5035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // that may be needed for chain building.
5045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  OSCertHandles intermediate_ca_certs_;
5055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
5065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(USE_NSS)
5075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // This stores any default nickname that has been set on the certificate
5085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // at creation time with CreateFromBytesWithNickname.
5095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // If this is empty, then GetDefaultNickname will return a generated name
5105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  // based on the type of the certificate.
5115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  std::string default_nickname_;
5125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif
5135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
5145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)  DISALLOW_COPY_AND_ASSIGN(X509Certificate);
5155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)};
5165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
5175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}  // namespace net
5185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)
519c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#endif  // NET_CERT_X509_CERTIFICATE_H_
520