1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_BASE_X509_CERTIFICATE_H_ 6 #define NET_BASE_X509_CERTIFICATE_H_ 7 8 #include <string.h> 9 10 #include <map> 11 #include <set> 12 #include <string> 13 #include <vector> 14 15 #include "base/ref_counted.h" 16 #include "base/singleton.h" 17 #include "base/time.h" 18 #include "testing/gtest/include/gtest/gtest_prod.h" 19 20 #if defined(OS_WIN) 21 #include <windows.h> 22 #include <wincrypt.h> 23 #elif defined(OS_MACOSX) 24 #include <Security/Security.h> 25 #elif defined(USE_NSS) 26 // Forward declaration; real one in <cert.h> 27 struct CERTCertificateStr; 28 #endif 29 30 class Pickle; 31 32 namespace net { 33 34 class CertVerifyResult; 35 36 // X509Certificate represents an X.509 certificate used by SSL. 37 class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { 38 public: 39 // SHA-1 fingerprint (160 bits) of a certificate. 40 struct Fingerprint { EqualsFingerprint41 bool Equals(const Fingerprint& other) const { 42 return memcmp(data, other.data, sizeof(data)) == 0; 43 } 44 45 unsigned char data[20]; 46 }; 47 48 class FingerprintLessThan 49 : public std::binary_function<Fingerprint, Fingerprint, bool> { 50 public: 51 bool operator() (const Fingerprint& lhs, const Fingerprint& rhs) const; 52 }; 53 54 // Predicate functor used in maps when X509Certificate is used as the key. 55 class LessThan 56 : public std::binary_function<X509Certificate*, X509Certificate*, bool> { 57 public: 58 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const; 59 }; 60 61 // A handle to the certificate object in the underlying crypto library. 62 // We assume that OSCertHandle is a pointer type on all platforms and 63 // NULL is an invalid OSCertHandle. 64 #if defined(OS_WIN) 65 typedef PCCERT_CONTEXT OSCertHandle; 66 #elif defined(OS_MACOSX) 67 typedef SecCertificateRef OSCertHandle; 68 #elif defined(USE_NSS) 69 typedef struct CERTCertificateStr* OSCertHandle; 70 #else 71 // TODO(ericroman): not implemented 72 typedef void* OSCertHandle; 73 #endif 74 75 // Principal represent an X.509 principal. 76 struct Principal { PrincipalPrincipal77 Principal() { } PrincipalPrincipal78 explicit Principal(const std::string& name) : common_name(name) { } 79 80 // The different attributes for a principal. They may be "". 81 // Note that some of them can have several values. 82 83 std::string common_name; 84 std::string locality_name; 85 std::string state_or_province_name; 86 std::string country_name; 87 88 std::vector<std::string> street_addresses; 89 std::vector<std::string> organization_names; 90 std::vector<std::string> organization_unit_names; 91 std::vector<std::string> domain_components; 92 }; 93 94 // This class is useful for maintaining policies about which certificates are 95 // permitted or forbidden for a particular purpose. 96 class Policy { 97 public: 98 // The judgments this policy can reach. 99 enum Judgment { 100 // We don't have policy information for this certificate. 101 UNKNOWN, 102 103 // This certificate is allowed. 104 ALLOWED, 105 106 // This certificate is denied. 107 DENIED, 108 }; 109 110 // Returns the judgment this policy makes about this certificate. 111 Judgment Check(X509Certificate* cert) const; 112 113 // Causes the policy to allow this certificate. 114 void Allow(X509Certificate* cert); 115 116 // Causes the policy to deny this certificate. 117 void Deny(X509Certificate* cert); 118 119 // Returns true if this policy has allowed at least one certificate. 120 bool HasAllowedCert() const; 121 122 // Returns true if this policy has denied at least one certificate. 123 bool HasDeniedCert() const; 124 125 private: 126 // The set of fingerprints of allowed certificates. 127 std::set<Fingerprint, FingerprintLessThan> allowed_; 128 129 // The set of fingerprints of denied certificates. 130 std::set<Fingerprint, FingerprintLessThan> denied_; 131 }; 132 133 // Where the certificate comes from. The enumeration constants are 134 // listed in increasing order of preference. 135 enum Source { 136 SOURCE_UNUSED = 0, // The source_ member is not used. 137 SOURCE_LONE_CERT_IMPORT = 1, // From importing a certificate without 138 // its intermediate CA certificates. 139 SOURCE_FROM_NETWORK = 2, // From the network. 140 }; 141 142 enum VerifyFlags { 143 VERIFY_REV_CHECKING_ENABLED = 1 << 0, 144 VERIFY_EV_CERT = 1 << 1, 145 }; 146 147 // Create an X509Certificate from a handle to the certificate object 148 // in the underlying crypto library. This is a transfer of ownership; 149 // X509Certificate will properly dispose of |cert_handle| for you. 150 // |source| specifies where |cert_handle| comes from. Given two 151 // certificate handles for the same certificate, our certificate cache 152 // prefers the handle from the network because our HTTP cache isn't 153 // caching the corresponding intermediate CA certificates yet 154 // (http://crbug.com/7065). 155 // 156 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 157 static X509Certificate* CreateFromHandle(OSCertHandle cert_handle, 158 Source source); 159 160 // Create an X509Certificate from the BER-encoded representation. 161 // Returns NULL on failure. 162 // 163 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 164 static X509Certificate* CreateFromBytes(const char* data, int length); 165 166 // Create an X509Certificate from the representation stored in the given 167 // pickle. The data for this object is found relative to the given 168 // pickle_iter, which should be passed to the pickle's various Read* methods. 169 // Returns NULL on failure. 170 // 171 // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 172 static X509Certificate* CreateFromPickle(const Pickle& pickle, 173 void** pickle_iter); 174 175 // Creates a X509Certificate from the ground up. Used by tests that simulate 176 // SSL connections. 177 X509Certificate(const std::string& subject, const std::string& issuer, 178 base::Time start_date, base::Time expiration_date); 179 180 // Appends a representation of this object to the given pickle. 181 void Persist(Pickle* pickle); 182 183 // The subject of the certificate. For HTTPS server certificates, this 184 // represents the web server. The common name of the subject should match 185 // the host name of the web server. subject()186 const Principal& subject() const { return subject_; } 187 188 // The issuer of the certificate. issuer()189 const Principal& issuer() const { return issuer_; } 190 191 // Time period during which the certificate is valid. More precisely, this 192 // certificate is invalid before the |valid_start| date and invalid after 193 // the |valid_expiry| date. 194 // If we were unable to parse either date from the certificate (or if the cert 195 // lacks either date), the date will be null (i.e., is_null() will be true). valid_start()196 const base::Time& valid_start() const { return valid_start_; } valid_expiry()197 const base::Time& valid_expiry() const { return valid_expiry_; } 198 199 // The fingerprint of this certificate. fingerprint()200 const Fingerprint& fingerprint() const { return fingerprint_; } 201 202 // Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1 203 // Server Identity, if the certificate has a subjectAltName extension of 204 // type dNSName, this method gets the DNS names in that extension. 205 // Otherwise, it gets the common name in the subject field. 206 void GetDNSNames(std::vector<std::string>* dns_names) const; 207 208 // Convenience method that returns whether this certificate has expired as of 209 // now. 210 bool HasExpired() const; 211 212 #if defined(OS_MACOSX) || defined(OS_WIN) 213 // Adds an untrusted intermediate certificate that may be needed for 214 // chain building. AddIntermediateCertificate(OSCertHandle cert)215 void AddIntermediateCertificate(OSCertHandle cert) { 216 intermediate_ca_certs_.push_back(cert); 217 } 218 219 // Returns intermediate certificates added via AddIntermediateCertificate(). 220 // Ownership follows the "get" rule: it is the caller's responsibility to 221 // retain the elements of the result. GetIntermediateCertificates()222 const std::vector<OSCertHandle>& GetIntermediateCertificates() const { 223 return intermediate_ca_certs_; 224 } 225 #endif 226 227 // Verifies the certificate against the given hostname. Returns OK if 228 // successful or an error code upon failure. 229 // 230 // The |*verify_result| structure, including the |verify_result->cert_status| 231 // bitmask, is always filled out regardless of the return value. If the 232 // certificate has multiple errors, the corresponding status flags are set in 233 // |verify_result->cert_status|, and the error code for the most serious 234 // error is returned. 235 // 236 // |flags| is bitwise OR'd of VerifyFlags. 237 // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, certificate revocation 238 // checking is performed. If VERIFY_EV_CERT is set in |flags| too, 239 // EV certificate verification is performed. 240 int Verify(const std::string& hostname, 241 int flags, 242 CertVerifyResult* verify_result) const; 243 os_cert_handle()244 OSCertHandle os_cert_handle() const { return cert_handle_; } 245 246 private: 247 friend class base::RefCountedThreadSafe<X509Certificate>; 248 FRIEND_TEST(X509CertificateTest, Cache); 249 250 // A cache of X509Certificate objects. 251 class Cache { 252 public: 253 static Cache* GetInstance(); 254 void Insert(X509Certificate* cert); 255 void Remove(X509Certificate* cert); 256 X509Certificate* Find(const Fingerprint& fingerprint); 257 258 private: 259 typedef std::map<Fingerprint, X509Certificate*, FingerprintLessThan> 260 CertMap; 261 262 // Obtain an instance of X509Certificate::Cache via GetInstance(). Cache()263 Cache() { } 264 friend struct DefaultSingletonTraits<Cache>; 265 266 // You must acquire this lock before using any private data of this object. 267 // You must not block while holding this lock. 268 Lock lock_; 269 270 // The certificate cache. You must acquire |lock_| before using |cache_|. 271 CertMap cache_; 272 273 DISALLOW_COPY_AND_ASSIGN(Cache); 274 }; 275 276 // Construct an X509Certificate from a handle to the certificate object 277 // in the underlying crypto library. 278 X509Certificate(OSCertHandle cert_handle, Source source); 279 280 ~X509Certificate(); 281 282 // Common object initialization code. Called by the constructors only. 283 void Initialize(); 284 285 bool VerifyEV() const; 286 287 // Creates an OS certificate handle from the BER-encoded representation. 288 // Returns NULL on failure. 289 static OSCertHandle CreateOSCertHandleFromBytes(const char* data, 290 int length); 291 292 // Frees an OS certificate handle. 293 static void FreeOSCertHandle(OSCertHandle cert_handle); 294 295 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty 296 // (all zero) fingerprint on failure. 297 static Fingerprint CalculateFingerprint(OSCertHandle cert_handle); 298 299 // The subject of the certificate. 300 Principal subject_; 301 302 // The issuer of the certificate. 303 Principal issuer_; 304 305 // This certificate is not valid before |valid_start_| 306 base::Time valid_start_; 307 308 // This certificate is not valid after |valid_expiry_| 309 base::Time valid_expiry_; 310 311 // The fingerprint of this certificate. 312 Fingerprint fingerprint_; 313 314 // A handle to the certificate object in the underlying crypto library. 315 OSCertHandle cert_handle_; 316 317 #if defined(OS_MACOSX) || defined(OS_WIN) 318 // Untrusted intermediate certificates associated with this certificate 319 // that may be needed for chain building. 320 std::vector<OSCertHandle> intermediate_ca_certs_; 321 #endif 322 323 // Where the certificate comes from. 324 Source source_; 325 326 DISALLOW_COPY_AND_ASSIGN(X509Certificate); 327 }; 328 329 } // namespace net 330 331 #endif // NET_BASE_X509_CERTIFICATE_H_ 332