Introduce CertVerifierProc to handle system cert validation.

net/base/x509_certificate.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 357 matching lines @@
   // using GetChainDEREncodedBytes below.
   void GetChainDEREncodedBytes(std::vector<std::string>* chain_bytes) const;
 #endif
 
 #if defined(USE_OPENSSL)
   // Returns a handle to a global, in-memory certificate store. We
   // use it for test code, e.g. importing the test server's certificate.
   static X509_STORE* cert_store();
 #endif
 
-  // Verifies the certificate against the given hostname.  Returns OK if
-  // successful or an error code upon failure.
-  //
-  // The |*verify_result| structure, including the |verify_result->cert_status|
-  // bitmask, is always filled out regardless of the return value.  If the
-  // certificate has multiple errors, the corresponding status flags are set in
-  // |verify_result->cert_status|, and the error code for the most serious
-  // error is returned.
-  //
-  // |flags| is bitwise OR'd of VerifyFlags:
-  //
-  // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, online certificate
-  // revocation checking is performed (i.e. OCSP and downloading CRLs). CRLSet
-  // based revocation checking is always enabled, regardless of this flag, if
-  // |crl_set| is given.
-  //
-  // If VERIFY_EV_CERT is set in |flags| too, EV certificate verification is
-  // performed.
-  //
-  // |crl_set| points to an optional CRLSet structure which can be used to
-  // avoid revocation checks over the network.
-  int Verify(const std::string& hostname,
-             int flags,
-             CRLSet* crl_set,
-             CertVerifyResult* verify_result) const;
-
   // Verifies that |hostname| matches this certificate.
   // Does not verify that the certificate is valid, only that the certificate
   // matches this host.
   // Returns true if it matches.
   bool VerifyNameMatch(const std::string& hostname) const;
 
   // Obtains the DER encoded certificate data for |cert_handle|. On success,
   // returns true and writes the DER encoded certificate to |*der_encoded|.
   static bool GetDEREncoded(OSCertHandle cert_handle,
                             std::string* der_encoded);
@@ skipping 60 matching lines @@
   static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
 
   // Calculates the SHA-1 fingerprint of the intermediate CA certificates.
   // Returns an empty (all zero) fingerprint on failure.
   static SHA1Fingerprint CalculateCAFingerprint(
       const OSCertHandles& intermediates);
 
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   friend class TestRootCerts;  // For unit tests
-  FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache);
-  FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates);
+  // TODO(rsleevi): Temporary refactoring - http://crbug.com/114343
+  friend class CertVerifyProcStub;
+
+  FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname);
+  FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, DigiNotarCerts);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers);
-  FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, DigiNotarCerts);
-  FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname);
 
   // Construct an X509Certificate from a handle to the certificate object
   // in the underlying crypto library.
   X509Certificate(OSCertHandle cert_handle,
                   const OSCertHandles& intermediates);
 
   ~X509Certificate();
 
   // Common object initialization code.  Called by the constructors only.
   void Initialize();
 
+  // Verifies the certificate against the given hostname.  Returns OK if
+  // successful or an error code upon failure.
+  //
+  // The |*verify_result| structure, including the |verify_result->cert_status|
+  // bitmask, is always filled out regardless of the return value.  If the
+  // certificate has multiple errors, the corresponding status flags are set in
+  // |verify_result->cert_status|, and the error code for the most serious
+  // error is returned.
+  //
+  // |flags| is bitwise OR'd of VerifyFlags:
+  //
+  // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, online certificate
+  // revocation checking is performed (i.e. OCSP and downloading CRLs). CRLSet
+  // based revocation checking is always enabled, regardless of this flag, if
+  // |crl_set| is given.
+  //
+  // If VERIFY_EV_CERT is set in |flags| too, EV certificate verification is
+  // performed.
+  //
+  // |crl_set| points to an optional CRLSet structure which can be used to
+  // avoid revocation checks over the network.
+  int Verify(const std::string& hostname,
+             int flags,
+             CRLSet* crl_set,
+             CertVerifyResult* verify_result) const;
+
 #if defined(OS_WIN)
   bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
                bool rev_checking_enabled,
                const char* policy_oid) const;
   static bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context);
 #endif
 #if defined(OS_MACOSX)
   static bool IsIssuedByKnownRoot(CFArrayRef chain);
 #endif
 #if defined(USE_NSS)
@@ skipping 97 matching lines @@
   // (Marked mutable because it's used in a const method.)
   mutable base::Lock verification_lock_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_