1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef NET_SSL_OPENSSL_CLIENT_KEY_STORE_H_ 6#define NET_SSL_OPENSSL_CLIENT_KEY_STORE_H_ 7 8#include <openssl/evp.h> 9 10#include <vector> 11 12#include "base/basictypes.h" 13#include "base/memory/scoped_ptr.h" 14#include "base/memory/singleton.h" 15#include "crypto/openssl_util.h" 16#include "crypto/scoped_openssl_types.h" 17#include "net/base/net_export.h" 18 19namespace net { 20 21class X509Certificate; 22 23// OpenSSLClientKeyStore implements an in-memory store for client 24// certificate private keys, because the platforms where OpenSSL is 25// used do not provide a way to retrieve the private key of a known 26// certificate. 27// 28// This class is not thread-safe and should only be used from the network 29// thread. 30class NET_EXPORT OpenSSLClientKeyStore { 31 public: 32 // Platforms must define this factory function as appropriate. 33 static OpenSSLClientKeyStore* GetInstance(); 34 35 // Record the association between a certificate and its 36 // private key. This method should be called _before_ 37 // FetchClientCertPrivateKey to ensure that the private key is returned 38 // when it is called later. The association is recorded in memory 39 // exclusively. 40 // |cert| is a handle to a certificate object. 41 // |private_key| is an OpenSSL EVP_PKEY that corresponds to the 42 // certificate's private key. 43 // Returns false if an error occured. 44 // This function does not take ownership of the private_key, but may 45 // increment its internal reference count. 46 NET_EXPORT bool RecordClientCertPrivateKey(const X509Certificate* cert, 47 EVP_PKEY* private_key); 48 49 // Given a certificate's |public_key|, return the corresponding private 50 // key that has been recorded previously by RecordClientCertPrivateKey(). 51 // |cert| is a client certificate. 52 // Returns its matching private key on success, NULL otherwise. 53 crypto::ScopedEVP_PKEY FetchClientCertPrivateKey(const X509Certificate* cert); 54 55 // Flush all recorded keys. 56 void Flush(); 57 58 protected: 59 OpenSSLClientKeyStore(); 60 61 ~OpenSSLClientKeyStore(); 62 63 // Adds a given public/private key pair. 64 // |pub_key| and |private_key| can point to the same object. 65 // This increments the reference count on both objects, caller 66 // must still call EVP_PKEY_free on them. 67 void AddKeyPair(EVP_PKEY* pub_key, EVP_PKEY* private_key); 68 69 private: 70 // KeyPair is an internal class used to hold a pair of private / public 71 // EVP_PKEY objects, with appropriate ownership. 72 class KeyPair { 73 public: 74 explicit KeyPair(EVP_PKEY* pub_key, EVP_PKEY* priv_key); 75 KeyPair(const KeyPair& other); 76 void operator=(const KeyPair& other); 77 ~KeyPair(); 78 79 crypto::ScopedEVP_PKEY public_key; 80 crypto::ScopedEVP_PKEY private_key; 81 82 private: 83 KeyPair(); // intentionally not implemented. 84 }; 85 86 // Returns the index of the keypair for |public_key|. or -1 if not found. 87 int FindKeyPairIndex(EVP_PKEY* public_key); 88 89 std::vector<KeyPair> pairs_; 90 91 friend struct DefaultSingletonTraits<OpenSSLClientKeyStore>; 92 93 DISALLOW_COPY_AND_ASSIGN(OpenSSLClientKeyStore); 94}; 95 96} // namespace net 97 98#endif // NET_SSL_OPENSSL_CLIENT_KEY_STORE_H_ 99