net/base/x509_util_mac.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_BASE_X509_UTIL_MAC_H_
   6 #define NET_BASE_X509_UTIL_MAC_H_
   7
   8 #include <CoreFoundation/CFArray.h>
   9 #include <Security/Security.h>
  10
  11 #include <string>
  12
  13 #include "base/basictypes.h"
  14 #include "net/base/net_export.h"
  15
  16 namespace net {
  17
  18 namespace x509_util {
  19
  20 // Creates a security policy for certificates used as client certificates
  21 // in SSL.
  22 // If a policy is successfully created, it will be stored in
  23 // |*policy| and ownership transferred to the caller.
  24 OSStatus NET_EXPORT CreateSSLClientPolicy(SecPolicyRef* policy);
  25
  26 // Create an SSL server policy. While certificate name validation will be
  27 // performed by SecTrustEvaluate(), it has the following limitations:
  28 // - Doesn't support IP addresses in dotted-quad literals (127.0.0.1)
  29 // - Doesn't support IPv6 addresses
  30 // - Doesn't support the iPAddress subjectAltName
  31 // Providing the hostname is necessary in order to locate certain user or
  32 // system trust preferences, such as those created by Safari. Preferences
  33 // created by Keychain Access do not share this requirement.
  34 // On success, stores the resultant policy in |*policy| and returns noErr.
  35 OSStatus NET_EXPORT CreateSSLServerPolicy(const std::string& hostname,
  36                                           SecPolicyRef* policy);
  37
  38 // Creates a security policy for basic X.509 validation. If the policy is
  39 // successfully created, it will be stored in |*policy| and ownership
  40 // transferred to the caller.
  41 OSStatus NET_EXPORT CreateBasicX509Policy(SecPolicyRef* policy);
  42
  43 // Creates security policies to control revocation checking (OCSP and CRL).
  44 // If |enable_revocation_checking| is false, the policies returned will be
  45 // explicitly disabled from accessing the network or the cache. This may be
  46 // used to override system settings regarding revocation checking.
  47 // If the policies are successfully created, they will be appended to
  48 // |policies|.
  49 OSStatus NET_EXPORT CreateRevocationPolicies(bool enable_revocation_checking,
  50                                              CFMutableArrayRef policies);
  51
  52 // Wrapper for a CSSM_DATA_PTR that was obtained via one of the CSSM field
  53 // accessors (such as CSSM_CL_CertGet[First/Next]Value or
  54 // CSSM_CL_CertGet[First/Next]CachedValue).
  55 class CSSMFieldValue {
  56  public:
  57   CSSMFieldValue();
  58   CSSMFieldValue(CSSM_CL_HANDLE cl_handle,
  59                  const CSSM_OID* oid,
  60                  CSSM_DATA_PTR field);
  61   ~CSSMFieldValue();
  62
  63   CSSM_OID_PTR oid() const { return oid_; }
  64   CSSM_DATA_PTR field() const { return field_; }
  65
  66   // Returns the field as if it was an arbitrary type - most commonly, by
  67   // interpreting the field as a specific CSSM/CDSA parsed type, such as
  68   // CSSM_X509_SUBJECT_PUBLIC_KEY_INFO or CSSM_X509_ALGORITHM_IDENTIFIER.
  69   // An added check is applied to ensure that the current field is large
  70   // enough to actually contain the requested type.
  71   template <typename T> const T* GetAs() const {
  72     if (!field_ || field_->Length < sizeof(T))
  73       return NULL;
  74     return reinterpret_cast<const T*>(field_->Data);
  75   }
  76
  77   void Reset(CSSM_CL_HANDLE cl_handle,
  78              CSSM_OID_PTR oid,
  79              CSSM_DATA_PTR field);
  80
  81  private:
  82   CSSM_CL_HANDLE cl_handle_;
  83   CSSM_OID_PTR oid_;
  84   CSSM_DATA_PTR field_;
  85
  86   DISALLOW_COPY_AND_ASSIGN(CSSMFieldValue);
  87 };
  88
  89 // CSSMCachedCertificate is a container class that is used to wrap the
  90 // CSSM_CL_CertCache APIs and provide safe and efficient access to
  91 // certificate fields in their CSSM form.
  92 //
  93 // To provide efficient access to certificate/CRL fields, CSSM provides an
  94 // API/SPI to "cache" a certificate/CRL. The exact meaning of a cached
  95 // certificate is not defined by CSSM, but is documented to generally be some
  96 // intermediate or parsed form of the certificate. In the case of Apple's
  97 // CSSM CL implementation, the intermediate form is the parsed certificate
  98 // stored in an internal format (which happens to be NSS). By caching the
  99 // certificate, callers that wish to access multiple fields (such as subject,
 100 // issuer, and validity dates) do not need to repeatedly parse the entire
 101 // certificate, nor are they forced to convert all fields from their NSS types
 102 // to their CSSM equivalents. This latter point is especially helpful when
 103 // running on OS X 10.5, as it will fail to convert some fields that reference
 104 // unsupported algorithms, such as ECC.
 105 class CSSMCachedCertificate {
 106  public:
 107   CSSMCachedCertificate();
 108   ~CSSMCachedCertificate();
 109
 110   // Initializes the CSSMCachedCertificate by caching the specified
 111   // |os_cert_handle|. On success, returns noErr.
 112   // Note: Once initialized, the cached certificate should only be accessed
 113   // from a single thread.
 114   OSStatus Init(SecCertificateRef os_cert_handle);
 115
 116   // Fetches the first value for the field associated with |field_oid|.
 117   // If |field_oid| is a valid OID and is present in the current certificate,
 118   // returns CSSM_OK and stores the first value in |field|. If additional
 119   // values are associated with |field_oid|, they are ignored.
 120   OSStatus GetField(const CSSM_OID* field_oid, CSSMFieldValue* field) const;
 121
 122  private:
 123   CSSM_CL_HANDLE cl_handle_;
 124   CSSM_HANDLE cached_cert_handle_;
 125 };
 126
 127 }  // namespace x509_util
 128
 129 }  // namespace net
 130
 131 #endif  // NET_BASE_X509_UTIL_MAC_H_