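// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_X509_CERTIFICATE_H_
#define NET_CERT_X509_CERTIFICATE_H_

#include <stddef.h>
#include <stdint.h>
#include <string.h>

#include <string>
#include <string_view>
#include <vector>

#include "base/containers/span.h"
#include "base/gtest_prod_util.h"
#include "base/memory/ref_counted.h"
#include "base/time/time.h"
#include "net/base/hash_value.h"
#include "net/base/net_export.h"
#include "net/cert/x509_cert_types.h"
#include "third_party/boringssl/src/include/openssl/base.h"

namespace base {
class Pickle;
class PickleIterator;
}

namespace net {

class X509Certificate;

// A list of reference-counted certificates, as returned by
// X509Certificate::CreateCertificateListFromBytes().
using CertificateList = std::vector<scoped_refptr<X509Certificate>>;

// An X.509 certificate represents a particular identity or end-entity
// certificate, such as an SSL server identity or an SSL client certificate. An
// X509Certificate contains this leaf certificate accessible via cert_buffer().
// An X509Certificate may also contain 0 or more intermediary X.509 certificates
// that are used to build a path to a root certificate. These are accessed via
// intermediate_buffers().
//
// Holding an X509Certificate says nothing about trust: the factory functions
// below only require that the fields exposed by this class could be extracted,
// and the stored intermediates are untrusted inputs to chain building.
class NET_EXPORT X509Certificate
    : public base::RefCountedThreadSafe<X509Certificate> {
 public:
  // Public key categories reported through GetPublicKeyInfo().
  enum PublicKeyType {
    kPublicKeyTypeUnknown,
    kPublicKeyTypeRSA,
    kPublicKeyTypeDSA,
    kPublicKeyTypeECDSA,
    kPublicKeyTypeDH,
    kPublicKeyTypeECDH
  };

  // Serialization formats accepted by the byte-parsing functions. The values
  // are distinct bits so that several of them can be OR-ed together (see
  // CreateCertificateListFromBytes()).
  enum Format {
    // The data contains a single DER-encoded certificate, or a PEM-encoded
    // DER certificate with the PEM encoding block name of "CERTIFICATE".
    // Any subsequent blocks will be ignored.
    FORMAT_SINGLE_CERTIFICATE = 1 << 0,

    // The data contains a sequence of one or more PEM-encoded, DER
    // certificates, with the PEM encoding block name of "CERTIFICATE".
    // All PEM blocks will be parsed, until the first error is encountered.
    FORMAT_PEM_CERT_SEQUENCE = 1 << 1,

    // The data contains a PKCS#7 SignedData structure, whose certificates
    // member is to be used to initialize the certificate and intermediates.
    // The data may further be encoded using PEM, specifying block names of
    // either "PKCS7" or "CERTIFICATE".
    FORMAT_PKCS7 = 1 << 2,

    // Automatically detect the format.
    FORMAT_AUTO = FORMAT_SINGLE_CERTIFICATE | FORMAT_PEM_CERT_SEQUENCE |
                  FORMAT_PKCS7,
  };

  // Create an X509Certificate from a CRYPTO_BUFFER containing the DER-encoded
  // representation. Returns nullptr on failure to parse or extract data from
  // the certificate. Note that this does not guarantee the certificate is
  // fully parsed and validated, only that the members of this class, such as
  // subject, issuer, expiry times, and serial number, could be successfully
  // initialized from the certificate. Callers must therefore not treat a
  // non-null result as evidence that the certificate is trustworthy.
  static scoped_refptr<X509Certificate> CreateFromBuffer(
      bssl::UniquePtr<CRYPTO_BUFFER> cert_buffer,
      std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates);

  // Options for configuring certificate parsing.
  // Do not use without consulting //net owners.
  struct UnsafeCreateOptions {
    // Defaults to false, i.e. standard parsing.
    // NOTE(review): presumably makes the parser accept PrintableString values
    // as UTF-8 rather than enforcing the PrintableString character set --
    // confirm against the implementation before enabling.
    bool printable_string_is_utf8 = false;
  };

  // Create an X509Certificate with non-standard parsing options.
  // Do not use without consulting //net owners.
  static scoped_refptr<X509Certificate> CreateFromBufferUnsafeOptions(
      bssl::UniquePtr<CRYPTO_BUFFER> cert_buffer,
      std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates,
      UnsafeCreateOptions options);

  // Create an X509Certificate from a chain of DER encoded certificates. The
  // first certificate in the chain is the end-entity certificate to which a
  // handle is returned. The other certificates in the chain are intermediate
  // certificates.
  // NOTE(review): the failure result (presumably nullptr, as for the other
  // factories) and the behaviour for an empty |der_certs| are not stated
  // here -- confirm against the implementation.
  static scoped_refptr<X509Certificate> CreateFromDERCertChain(
      const std::vector<std::string_view>& der_certs);

  // Create an X509Certificate from a chain of DER encoded certificates with
  // non-standard parsing options.
  // Do not use without consulting //net owners.
  static scoped_refptr<X509Certificate> CreateFromDERCertChainUnsafeOptions(
      const std::vector<std::string_view>& der_certs,
      UnsafeCreateOptions options);

  // Create an X509Certificate from the DER-encoded representation.
  // Returns nullptr on failure.
  static scoped_refptr<X509Certificate> CreateFromBytes(
      base::span<const uint8_t> data);

  // Create an X509Certificate with non-standard parsing options.
  // Do not use without consulting //net owners.
  static scoped_refptr<X509Certificate> CreateFromBytesUnsafeOptions(
      base::span<const uint8_t> data,
      UnsafeCreateOptions options);

  // Create an X509Certificate from the representation stored in the given
  // pickle. The data for this object is found relative to the given
  // pickle_iter, which should be passed to the pickle's various Read* methods.
  // Returns nullptr on failure.
  // NOTE(review): presumably subject to the same parse-only guarantee as
  // CreateFromBuffer(); a certificate restored from a pickle should not be
  // assumed to have been validated -- confirm.
  static scoped_refptr<X509Certificate> CreateFromPickle(
      base::PickleIterator* pickle_iter);

  // Create an X509Certificate from the representation stored in the given
  // pickle with non-standard parsing options.
  // Do not use without consulting //net owners.
  static scoped_refptr<X509Certificate> CreateFromPickleUnsafeOptions(
      base::PickleIterator* pickle_iter,
      UnsafeCreateOptions options);

  // Parses all of the certificates possible from |data|. |format| is a
  // bit-wise OR of Format, indicating the possible formats the
  // certificates may have been serialized as. If an error occurs, an empty
  // collection will be returned.
  static CertificateList CreateCertificateListFromBytes(
      base::span<const uint8_t> data,
      int format);

  // Return a X509Certificate object representing the same certificate but
  // with a different set of intermediates. If |intermediates| are the same as
  // |intermediate_ca_certs_|, it will return a reference to the same
  // X509Certificate object rather than cloning.
  scoped_refptr<X509Certificate> CloneWithDifferentIntermediates(
      std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates);

  // Not copyable: instances are shared through scoped_refptr.
  X509Certificate(const X509Certificate&) = delete;
  X509Certificate& operator=(const X509Certificate&) = delete;

  // Appends a representation of this object to the given pickle.
  // The Pickle contains the certificate and any certificates that were
  // stored in |intermediate_ca_certs_| at the time it was serialized.
  // The format is [int count], [data - this certificate],
  // [data - intermediate1], ... [data - intermediateN].
  // All certificates are stored in DER form.
  void Persist(base::Pickle* pickle) const;

  // The serial number, DER encoded, possibly including a leading 00 byte.
  // Byte-wise comparisons against serials from other sources need to account
  // for that optional leading byte.
  const std::string& serial_number() const { return parsed_.serial_number_; }

  // The subject of the certificate. For HTTPS server certificates, this
  // represents the web server. The common name of the subject should match
  // the host name of the web server.
  // NOTE(review): VerifyHostname() in this class only takes subjectAltName
  // dNSName/iPAddress lists as input, so name matching as declared here does
  // not consume the common name; do not use this field for hostname checks.
  const CertPrincipal& subject() const { return parsed_.subject_; }

  // The issuer of the certificate.
  const CertPrincipal& issuer() const { return parsed_.issuer_; }

  // Time period during which the certificate is valid. More precisely, this
  // certificate is invalid before the |valid_start| date and invalid after
  // the |valid_expiry| date.
  // If we were unable to parse either date from the certificate (or if the cert
  // lacks either date), the date will be null (i.e., is_null() will be true).
  // Code that makes its own validity decision from these values has to handle
  // the null case explicitly rather than comparing a null time.
  const base::Time& valid_start() const { return parsed_.valid_start_; }
  const base::Time& valid_expiry() const { return parsed_.valid_expiry_; }

  // Gets the subjectAltName extension field from the certificate, if any.
  // For future extension; currently this only returns those name types that
  // are required for HTTP certificate name verification - see VerifyHostname.
  // Returns true if any dNSName or iPAddress SAN was present. If |dns_names|
  // is non-null, it will be set to all dNSNames present. If |ip_addrs| is
  // non-null, it will be set to all iPAddresses present.
  bool GetSubjectAltName(std::vector<std::string>* dns_names,
                         std::vector<std::string>* ip_addrs) const;

  // Convenience method that returns whether this certificate has expired as of
  // now.
  // NOTE(review): the result for a certificate whose expiry date could not be
  // parsed (null valid_expiry()) is not stated here -- confirm.
  bool HasExpired() const;

  // Returns true if this object and |other| represent the same certificate.
  // Does not consider any associated intermediates.
  bool EqualsExcludingChain(const X509Certificate* other) const;

  // Returns true if this object and |other| represent the same certificate
  // and intermediates.
  bool EqualsIncludingChain(const X509Certificate* other) const;

  // Do any of the given issuer names appear in this cert's chain of trust?
  // |valid_issuers| is a list of DER-encoded X.509 DistinguishedNames.
  bool IsIssuedByEncoded(const std::vector<std::string>& valid_issuers) const;

  // Verifies that |hostname| matches this certificate.
  // Does not verify that the certificate is valid, only that the certificate
  // matches this host. A true result is therefore only meaningful in
  // combination with a separate, successful verification of the certificate.
  bool VerifyNameMatch(std::string_view hostname) const;

  // Returns the PEM encoded data from a DER encoded certificate. If the
  // return value is true, then the PEM encoded certificate is written to
  // |pem_encoded|.
  static bool GetPEMEncodedFromDER(std::string_view der_encoded,
                                   std::string* pem_encoded);

  // Returns the PEM encoded data from a CRYPTO_BUFFER. If the return value is
  // true, then the PEM encoded certificate is written to |pem_encoded|.
  static bool GetPEMEncoded(const CRYPTO_BUFFER* cert_buffer,
                            std::string* pem_encoded);

  // Encodes the entire certificate chain (this certificate and any
  // intermediate certificates stored in |intermediate_ca_certs_|) as a series
  // of PEM encoded strings. Returns true if all certificates were encoded,
  // storing the result in |*pem_encoded|, with this certificate stored as
  // the first element.
  bool GetPEMEncodedChain(std::vector<std::string>* pem_encoded) const;

  // Sets |*size_bits| to be the length of the public key in bits, and sets
  // |*type| to one of the |PublicKeyType| values. In case of
  // |kPublicKeyTypeUnknown|, |*size_bits| will be set to 0.
  static void GetPublicKeyInfo(const CRYPTO_BUFFER* cert_buffer,
                               size_t* size_bits,
                               PublicKeyType* type);

  // Returns the CRYPTO_BUFFER holding this certificate's DER encoded data. The
  // data is not guaranteed to be valid DER or to encode a valid Certificate
  // object. The returned pointer is non-owning; it is obtained from the
  // |cert_buffer_| member of this object.
  CRYPTO_BUFFER* cert_buffer() const { return cert_buffer_.get(); }

  // Returns the associated intermediate certificates that were specified
  // during creation of this object, if any. The intermediates are not
  // guaranteed to be valid DER or to encode valid Certificate objects.
  // Ownership follows the "get" rule: it is the caller's responsibility to
  // retain the elements of the result.
  const std::vector<bssl::UniquePtr<CRYPTO_BUFFER>>& intermediate_buffers()
      const {
    return intermediate_ca_certs_;
  }

  // Creates all possible CRYPTO_BUFFERs from |data| encoded in a specific
  // |format|. Returns an empty collection on failure.
  static std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> CreateCertBuffersFromBytes(
      base::span<const uint8_t> data,
      Format format);

  // Calculates the SHA-256 fingerprint of the certificate. Returns an empty
  // (all zero) fingerprint on failure. Because failure is reported in-band,
  // callers that compare fingerprints (e.g. against a pin or allowlist)
  // should reject the all-zero value instead of comparing it.
  static SHA256HashValue CalculateFingerprint256(
      const CRYPTO_BUFFER* cert_buffer);

  // Calculates the SHA-256 fingerprint for the complete chain, including the
  // leaf certificate and all intermediate CA certificates. Returns an empty
  // (all zero) fingerprint on failure; as with CalculateFingerprint256(), the
  // all-zero value must be treated as an error, not as a comparable value.
  SHA256HashValue CalculateChainFingerprint256() const;

  // Returns true if the certificate is self-signed.
  // NOTE(review): this header does not say whether the check only compares
  // issuer and subject or also verifies the signature -- confirm before
  // relying on the result in a trust decision.
  static bool IsSelfSigned(CRYPTO_BUFFER* cert_buffer);

 private:
  friend class base::RefCountedThreadSafe<X509Certificate>;
  friend class TestRootCerts;  // For unit tests

  FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname);
  FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers);

  // The subset of certificate fields that this class exposes through its
  // accessors, filled in by Initialize().
  class ParsedFields {
   public:
    ParsedFields();
    ParsedFields(const ParsedFields&);
    ParsedFields(ParsedFields&&);
    ~ParsedFields();

    // Populates the fields below from |cert_buffer| using |options|.
    // NOTE(review): presumably returns false when a field cannot be
    // extracted -- confirm against the implementation.
    bool Initialize(const CRYPTO_BUFFER* cert_buffer,
                    UnsafeCreateOptions options);

    // The subject of the certificate.
    CertPrincipal subject_;

    // The issuer of the certificate.
    CertPrincipal issuer_;

    // This certificate is not valid before |valid_start_|
    base::Time valid_start_;

    // This certificate is not valid after |valid_expiry_|
    base::Time valid_expiry_;

    // The serial number of this certificate, DER encoded.
    std::string serial_number_;
  };

  // Construct an X509Certificate from a CRYPTO_BUFFER containing the
  // DER-encoded representation, together with the fields already parsed from
  // it and the intermediates to associate with it.
  X509Certificate(ParsedFields parsed,
                  bssl::UniquePtr<CRYPTO_BUFFER> cert_buffer,
                  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates);

  // Copy |other|, except with a different set of intermediates.
  X509Certificate(const X509Certificate& other,
                  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates);

  // Private: destruction goes through the RefCountedThreadSafe friend above.
  ~X509Certificate();

  // Verifies that |hostname| matches one of the certificate names or IP
  // addresses supplied, based on TLS name matching rules - specifically,
  // following http://tools.ietf.org/html/rfc6125.
  // The members of |cert_san_dns_names| and |cert_san_ip_addrs| must be filled
  // from the dNSName and iPAddress components of the subject alternative name
  // extension, if present. Note these IP addresses are NOT ascii-encoded:
  // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6
  // addresses, respectively.
  static bool VerifyHostname(std::string_view hostname,
                             const std::vector<std::string>& cert_san_dns_names,
                             const std::vector<std::string>& cert_san_ip_addrs);

  // Fields that were parsed from |cert_buffer_|.
  const ParsedFields parsed_;

  // A handle to the DER encoded certificate data.
  const bssl::UniquePtr<CRYPTO_BUFFER> cert_buffer_;

  // Untrusted intermediate certificates associated with this certificate
  // that may be needed for chain building.
  const std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediate_ca_certs_;
};

}  // namespace net

#endif  // NET_CERT_X509_CERTIFICATE_H_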