Chromium Code Reviews Chromium Code Reviews
Issue 10825211:
Implement SHA-256 fingerprint support (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_X509_CERT_TYPES_H_ | 5 #ifndef NET_BASE_X509_CERT_TYPES_H_ |
| 6 #define NET_BASE_X509_CERT_TYPES_H_ | 6 #define NET_BASE_X509_CERT_TYPES_H_ |
| 7 | 7 |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <algorithm> | |
| 10 #include <set> | 11 #include <set> |
| 11 #include <string> | 12 #include <string> |
| 12 #include <vector> | 13 #include <vector> |
| 13 | 14 |
| 15 #include "base/logging.h" | |
| 14 #include "base/string_piece.h" | 16 #include "base/string_piece.h" |
| 15 #include "build/build_config.h" | 17 #include "build/build_config.h" |
| 16 #include "net/base/net_export.h" | 18 #include "net/base/net_export.h" |
| 17 | 19 |
| 18 #if defined(OS_MACOSX) && !defined(OS_IOS) | 20 #if defined(OS_MACOSX) && !defined(OS_IOS) |
| 19 #include <Security/x509defs.h> | 21 #include <Security/x509defs.h> |
| 20 #endif | 22 #endif |
| 21 | 23 |
| 22 namespace base { | 24 namespace base { |
| 23 class Time; | 25 class Time; |
| 24 } // namespace base | 26 } // namespace base |
| 25 | 27 |
| 26 namespace net { | 28 namespace net { |
| 27 | 29 |
| 28 class X509Certificate; | 30 class X509Certificate; |
| 29 | 31 |
| 30 // SHA-1 fingerprint (160 bits) of a certificate. | 32 // SHA-1 fingerprint (160 bits) of a certificate. |
| 31 struct NET_EXPORT SHA1Fingerprint { | 33 struct NET_EXPORT SHA1HashValue { |
| 32 bool Equals(const SHA1Fingerprint& other) const { | 34 bool Equals(const SHA1HashValue& other) const { |
| 33 return memcmp(data, other.data, sizeof(data)) == 0; | 35 return memcmp(data, other.data, sizeof(data)) == 0; |
| 34 } | 36 } |
| 35 | 37 |
| 36 unsigned char data[20]; | 38 unsigned char data[20]; |
| 37 }; | 39 }; |
| 38 | 40 |
| 39 // In the future there will be a generic Fingerprint type, with at least two | 41 class NET_EXPORT SHA1HashValueLessThan { |
| 40 // implementations: SHA1 and SHA256. See http://crbug.com/117914. Until that | |
| 41 // work is done (in a separate patch) this typedef bridges the gap. | |
| 42 typedef SHA1Fingerprint Fingerprint; | |
| 43 | |
| 44 typedef std::vector<Fingerprint> FingerprintVector; | |
| 45 | |
| 46 class NET_EXPORT SHA1FingerprintLessThan { | |
| 47 public: | 42 public: |
| 48 bool operator() (const SHA1Fingerprint& lhs, | 43 bool operator() (const SHA1HashValue& lhs, |
| 49 const SHA1Fingerprint& rhs) const { | 44 const SHA1HashValue& rhs) const { |
| 50 return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0; | 45 return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0; |
| 51 } | 46 } |
| 52 }; | 47 }; |
| 53 | 48 |
| 49 struct NET_EXPORT SHA256HashValue { | |
| 50 bool Equals(const SHA256HashValue& other) const { | |
| 51 return memcmp(data, other.data, sizeof(data)) == 0; | |
| 52 } | |
| 53 | |
| 54 unsigned char data[32]; | |
| 55 }; | |
| 56 | |
| 57 class NET_EXPORT SHA256HashValueLessThan { | |
| 58 public: | |
| 59 bool operator() (const SHA256HashValue& lhs, | |
| 60 const SHA256HashValue& rhs) const { | |
| 61 return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0; | |
| 62 } | |
| 63 }; | |
| 64 | |
| 65 enum HashValueTag { | |
| 66 HASH_VALUE_SHA1, | |
| 67 HASH_VALUE_SHA256, | |
| 68 | |
| 69 // This must always be last. | |
| 70 HASH_VALUE_TAGS_COUNT | |
| 71 }; | |
| 72 | |
| 73 struct NET_EXPORT HashValue { | |
| 74 bool Equals(const HashValue& other) const { | |
| 75 if (tag != other.tag) | |
| 76 return false; | |
| 77 switch (tag) { | |
| 78 case HASH_VALUE_SHA1: | |
| 79 return fingerprint.sha1.Equals(other.fingerprint.sha1); | |
| 80 break; | |
| 81 case HASH_VALUE_SHA256: | |
| 82 return fingerprint.sha256.Equals(other.fingerprint.sha256); | |
| 83 break; | |
| 84 default: | |
| 85 NOTREACHED() << "Unknown HashValueTag " << tag; | |
| 86 return false; | |
| 87 } | |
| 88 } | |
| 89 | |
| 90 size_t size() const { | |
| 91 switch (tag) { | |
| 92 case HASH_VALUE_SHA1: | |
| 93 return sizeof(fingerprint.sha1.data); | |
| 94 break; | |
| 95 case HASH_VALUE_SHA256: | |
| 96 return sizeof(fingerprint.sha256.data); | |
| 97 break; | |
| 98 default: | |
| 99 NOTREACHED() << "Unknown HashValueTag " << tag; | |
| 100 return sizeof(fingerprint.sha1.data); | |
|
wtc
2012/08/07 00:46:02
What was the problem that caused the revert?
If t
| |
| 101 } | |
| 102 } | |
| 103 | |
| 104 unsigned char* data() { | |
| 105 switch (tag) { | |
| 106 case HASH_VALUE_SHA1: | |
| 107 return fingerprint.sha1.data; | |
| 108 break; | |
| 109 case HASH_VALUE_SHA256: | |
| 110 return fingerprint.sha256.data; | |
| 111 break; | |
| 112 default: | |
| 113 NOTREACHED() << "Unknown HashValueTag " << tag; | |
| 114 return NULL; | |
| 115 } | |
| 116 } | |
| 117 | |
| 118 const unsigned char* data() const { | |
| 119 switch (tag) { | |
| 120 case HASH_VALUE_SHA1: | |
| 121 return fingerprint.sha1.data; | |
| 122 break; | |
| 123 case HASH_VALUE_SHA256: | |
| 124 return fingerprint.sha256.data; | |
| 125 break; | |
| 126 default: | |
| 127 NOTREACHED() << "Unknown HashValueTag " << tag; | |
| 128 return NULL; | |
| 129 } | |
| 130 } | |
| 131 | |
| 132 HashValueTag tag; | |
| 133 | |
| 134 union { | |
| 135 SHA1HashValue sha1; | |
| 136 SHA256HashValue sha256; | |
| 137 } fingerprint; | |
| 138 }; | |
| 139 | |
| 140 class NET_EXPORT HashValueLessThan { | |
| 141 public: | |
| 142 bool operator() (const HashValue& lhs, | |
| 143 const HashValue& rhs) const { | |
| 144 size_t lhs_size = lhs.size(); | |
| 145 size_t rhs_size = rhs.size(); | |
| 146 int r = memcmp(lhs.data(), rhs.data(), std::min(lhs_size, rhs_size)); | |
| 147 | |
| 148 if (r == 0 && lhs_size != rhs_size) | |
| 149 return lhs_size < rhs_size; | |
| 150 return r < 0; | |
| 151 } | |
| 152 }; | |
| 153 | |
| 154 typedef std::vector<HashValue> HashValueVector; | |
| 155 | |
| 54 // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted | 156 // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted |
| 55 // array of SHA1 hashes. | 157 // array of SHA1 hashes. |
| 56 bool NET_EXPORT IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 158 bool NET_EXPORT IsSHA1HashInSortedArray(const SHA1HashValue& hash, |
| 57 const uint8* array, | 159 const uint8* array, |
| 58 size_t array_byte_len); | 160 size_t array_byte_len); |
| 59 | 161 |
| 60 // CertPrincipal represents the issuer or subject field of an X.509 certificate. | 162 // CertPrincipal represents the issuer or subject field of an X.509 certificate. |
| 61 struct NET_EXPORT CertPrincipal { | 163 struct NET_EXPORT CertPrincipal { |
| 62 CertPrincipal(); | 164 CertPrincipal(); |
| 63 explicit CertPrincipal(const std::string& name); | 165 explicit CertPrincipal(const std::string& name); |
| 64 ~CertPrincipal(); | 166 ~CertPrincipal(); |
| 65 | 167 |
| 66 #if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN) | 168 #if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN) |
| (...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 123 void Deny(X509Certificate* cert); | 225 void Deny(X509Certificate* cert); |
| 124 | 226 |
| 125 // Returns true if this policy has allowed at least one certificate. | 227 // Returns true if this policy has allowed at least one certificate. |
| 126 bool HasAllowedCert() const; | 228 bool HasAllowedCert() const; |
| 127 | 229 |
| 128 // Returns true if this policy has denied at least one certificate. | 230 // Returns true if this policy has denied at least one certificate. |
| 129 bool HasDeniedCert() const; | 231 bool HasDeniedCert() const; |
| 130 | 232 |
| 131 private: | 233 private: |
| 132 // The set of fingerprints of allowed certificates. | 234 // The set of fingerprints of allowed certificates. |
| 133 std::set<SHA1Fingerprint, SHA1FingerprintLessThan> allowed_; | 235 std::set<SHA1HashValue, SHA1HashValueLessThan> allowed_; |
| 134 | 236 |
| 135 // The set of fingerprints of denied certificates. | 237 // The set of fingerprints of denied certificates. |
| 136 std::set<SHA1Fingerprint, SHA1FingerprintLessThan> denied_; | 238 std::set<SHA1HashValue, SHA1HashValueLessThan> denied_; |
| 137 }; | 239 }; |
| 138 | 240 |
| 139 #if defined(OS_MACOSX) && !defined(OS_IOS) | 241 #if defined(OS_MACOSX) && !defined(OS_IOS) |
| 140 // Compares two OIDs by value. | 242 // Compares two OIDs by value. |
| 141 inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) { | 243 inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) { |
| 142 return oid1->Length == oid2->Length && | 244 return oid1->Length == oid2->Length && |
| 143 (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0); | 245 (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0); |
| 144 } | 246 } |
| 145 #endif | 247 #endif |
| 146 | 248 |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 157 // Attempts to parse |raw_date|, an ASN.1 date/time string encoded as | 259 // Attempts to parse |raw_date|, an ASN.1 date/time string encoded as |
| 158 // |format|, and writes the result into |*time|. If an invalid date is | 260 // |format|, and writes the result into |*time|. If an invalid date is |
| 159 // specified, or if parsing fails, returns false, and |*time| will not be | 261 // specified, or if parsing fails, returns false, and |*time| will not be |
| 160 // updated. | 262 // updated. |
| 161 bool ParseCertificateDate(const base::StringPiece& raw_date, | 263 bool ParseCertificateDate(const base::StringPiece& raw_date, |
| 162 CertDateFormat format, | 264 CertDateFormat format, |
| 163 base::Time* time); | 265 base::Time* time); |
| 164 } // namespace net | 266 } // namespace net |
| 165 | 267 |
| 166 #endif // NET_BASE_X509_CERT_TYPES_H_ | 268 #endif // NET_BASE_X509_CERT_TYPES_H_ |
| OLD | NEW |
