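// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SSL_CLIENT_CERT_IDENTITY_H_
#define NET_SSL_CLIENT_CERT_IDENTITY_H_

// Include-what-you-use: std::unique_ptr and std::vector are spelled out in
// this header, so pull them in directly rather than relying on transitive
// includes.
#include <memory>
#include <vector>

#include "base/functional/callback.h"
#include "base/time/time.h"
#include "net/base/net_export.h"
#include "net/cert/x509_certificate.h"

namespace net {

class SSLPrivateKey;

// A client certificate paired with a deferred way to obtain its private key.
//
// The private key is not held by this object. Subclasses supply it on demand
// through AcquirePrivateKey(), which may complete asynchronously, so callers
// must respect the lifetime contract documented on that method (or use
// SelfOwningAcquirePrivateKey(), which manages the lifetime for them).
class NET_EXPORT ClientCertIdentity {
 public:
  explicit ClientCertIdentity(scoped_refptr<net::X509Certificate> cert);
  virtual ~ClientCertIdentity();

  // Returns the certificate. The pointer is owned by this identity and is
  // replaced by SetIntermediates(), so do not cache it across that call or
  // beyond the lifetime of this object.
  X509Certificate* certificate() const { return cert_.get(); }

  // Runs |private_key_callback| with the private key on the same sequence
  // AcquirePrivateKey() was called on, or with nullptr on error. The callback
  // may be run synchronously or asynchronously. The caller is responsible for
  // keeping this ClientCertIdentity alive until the callback has run.
  virtual void AcquirePrivateKey(
      base::OnceCallback<void(scoped_refptr<SSLPrivateKey>)>
          private_key_callback) = 0;

  // Same contract as AcquirePrivateKey(), but takes ownership of |identity|
  // so the caller need not keep it alive for the duration of the request.
  static void SelfOwningAcquirePrivateKey(
      std::unique_ptr<ClientCertIdentity> identity,
      base::OnceCallback<void(scoped_refptr<SSLPrivateKey>)>
          private_key_callback);

  // Replaces the intermediates of certificate() with |intermediates|. This
  // changes the value returned by certificate(); any X509Certificate* obtained
  // before this call still points at the old object and will not reflect the
  // updated intermediates list.
  void SetIntermediates(
      std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates);

 private:
  scoped_refptr<net::X509Certificate> cert_;
};

// Comparator for use in STL algorithms that sorts client certificates by
// order of preference.
// Returns true if |a| is more preferable than |b|, allowing it to be used
// with any algorithm that compares according to strict weak ordering.
//
// Criteria include:
//   - Prefer certificates that have a longer validity period (later
//     expiration dates)
//   - If equal, prefer certificates that were issued more recently
//   - If equal, prefer shorter chains (if available)
//
// The reference time is held in |now_| rather than re-read on every call, so
// all comparisons within one sort presumably see the same clock value (needed
// for the ordering to stay consistent) — confirm against the constructor in
// the .cc file.
class NET_EXPORT_PRIVATE ClientCertIdentitySorter {
 public:
  ClientCertIdentitySorter();

  bool operator()(const std::unique_ptr<ClientCertIdentity>& a,
                  const std::unique_ptr<ClientCertIdentity>& b) const;

 private:
  base::Time now_;
};

// Owning list of candidate client identities, e.g. as produced by a
// certificate store lookup and ordered with ClientCertIdentitySorter.
using ClientCertIdentityList = std::vector<std::unique_ptr<ClientCertIdentity>>;

}  // namespace net

#endif  // NET_SSL_CLIENT_CERT_IDENTITY_H_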