1// Copyright (c) 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_SSL_OPENSSL_CLIENT_KEY_STORE_H_
6#define NET_SSL_OPENSSL_CLIENT_KEY_STORE_H_
7
8#include <openssl/evp.h>
9
10#include <vector>
11
12#include "base/basictypes.h"
13#include "base/memory/scoped_ptr.h"
14#include "base/memory/singleton.h"
15#include "crypto/openssl_util.h"
16#include "crypto/scoped_openssl_types.h"
17#include "net/base/net_export.h"
18
19namespace net {
20
21class X509Certificate;
22
23// OpenSSLClientKeyStore implements an in-memory store for client
24// certificate private keys, because the platforms where OpenSSL is
25// used do not provide a way to retrieve the private key of a known
26// certificate.
27//
28// This class is not thread-safe and should only be used from the network
29// thread.
30class NET_EXPORT OpenSSLClientKeyStore {
31 public:
32  // Platforms must define this factory function as appropriate.
33  static OpenSSLClientKeyStore* GetInstance();
34
35  // Record the association between a certificate and its
36  // private key. This method should be called _before_
37  // FetchClientCertPrivateKey to ensure that the private key is returned
38  // when it is called later. The association is recorded in memory
39  // exclusively.
40  // |cert| is a handle to a certificate object.
41  // |private_key| is an OpenSSL EVP_PKEY that corresponds to the
42  // certificate's private key.
43  // Returns false if an error occured.
44  // This function does not take ownership of the private_key, but may
45  // increment its internal reference count.
46  NET_EXPORT bool RecordClientCertPrivateKey(const X509Certificate* cert,
47                                             EVP_PKEY* private_key);
48
49  // Given a certificate's |public_key|, return the corresponding private
50  // key that has been recorded previously by RecordClientCertPrivateKey().
51  // |cert| is a client certificate.
52  // Returns its matching private key on success, NULL otherwise.
53  crypto::ScopedEVP_PKEY FetchClientCertPrivateKey(const X509Certificate* cert);
54
55  // Flush all recorded keys.
56  void Flush();
57
58 protected:
59  OpenSSLClientKeyStore();
60
61  ~OpenSSLClientKeyStore();
62
63  // Adds a given public/private key pair.
64  // |pub_key| and |private_key| can point to the same object.
65  // This increments the reference count on both objects, caller
66  // must still call EVP_PKEY_free on them.
67  void AddKeyPair(EVP_PKEY* pub_key, EVP_PKEY* private_key);
68
69 private:
70  // KeyPair is an internal class used to hold a pair of private / public
71  // EVP_PKEY objects, with appropriate ownership.
72  class KeyPair {
73   public:
74    explicit KeyPair(EVP_PKEY* pub_key, EVP_PKEY* priv_key);
75    KeyPair(const KeyPair& other);
76    void operator=(const KeyPair& other);
77    ~KeyPair();
78
79    crypto::ScopedEVP_PKEY public_key;
80    crypto::ScopedEVP_PKEY private_key;
81
82   private:
83    KeyPair();  // intentionally not implemented.
84  };
85
86  // Returns the index of the keypair for |public_key|. or -1 if not found.
87  int FindKeyPairIndex(EVP_PKEY* public_key);
88
89  std::vector<KeyPair> pairs_;
90
91  friend struct DefaultSingletonTraits<OpenSSLClientKeyStore>;
92
93  DISALLOW_COPY_AND_ASSIGN(OpenSSLClientKeyStore);
94};
95
96}  // namespace net
97
98#endif  // NET_SSL_OPENSSL_CLIENT_KEY_STORE_H_
99