net/ssl/openssl_client_key_store.h

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_SSL_OPENSSL_CLIENT_KEY_STORE_H_
   6 #define NET_SSL_OPENSSL_CLIENT_KEY_STORE_H_
   7
   8 #include <openssl/evp.h>
   9
  10 #include <vector>
  11
  12 #include "base/basictypes.h"
  13 #include "base/memory/scoped_ptr.h"
  14 #include "base/memory/singleton.h"
  15 #include "crypto/openssl_util.h"
  16 #include "crypto/scoped_openssl_types.h"
  17 #include "net/base/net_export.h"
  18
  19 namespace net {
  20
  21 class X509Certificate;
  22
  23 // OpenSSLClientKeyStore implements an in-memory store for client
  24 // certificate private keys, because the platforms where OpenSSL is
  25 // used do not provide a way to retrieve the private key of a known
  26 // certificate.
  27 //
  28 // This class is not thread-safe and should only be used from the network
  29 // thread.
  30 class NET_EXPORT OpenSSLClientKeyStore {
  31  public:
  32   // Platforms must define this factory function as appropriate.
  33   static OpenSSLClientKeyStore* GetInstance();
  34
  35   // Record the association between a certificate and its
  36   // private key. This method should be called _before_
  37   // FetchClientCertPrivateKey to ensure that the private key is returned
  38   // when it is called later. The association is recorded in memory
  39   // exclusively.
  40   // |cert| is a handle to a certificate object.
  41   // |private_key| is an OpenSSL EVP_PKEY that corresponds to the
  42   // certificate's private key.
  43   // Returns false if an error occured.
  44   // This function does not take ownership of the private_key, but may
  45   // increment its internal reference count.
  46   NET_EXPORT bool RecordClientCertPrivateKey(const X509Certificate* cert,
  47                                              EVP_PKEY* private_key);
  48
  49   // Given a certificate's |public_key|, return the corresponding private
  50   // key that has been recorded previously by RecordClientCertPrivateKey().
  51   // |cert| is a client certificate.
  52   // Returns its matching private key on success, NULL otherwise.
  53   crypto::ScopedEVP_PKEY FetchClientCertPrivateKey(const X509Certificate* cert);
  54
  55   // Flush all recorded keys.
  56   void Flush();
  57
  58  protected:
  59   OpenSSLClientKeyStore();
  60
  61   ~OpenSSLClientKeyStore();
  62
  63   // Adds a given public/private key pair.
  64   // |pub_key| and |private_key| can point to the same object.
  65   // This increments the reference count on both objects, caller
  66   // must still call EVP_PKEY_free on them.
  67   void AddKeyPair(EVP_PKEY* pub_key, EVP_PKEY* private_key);
  68
  69  private:
  70   // KeyPair is an internal class used to hold a pair of private / public
  71   // EVP_PKEY objects, with appropriate ownership.
  72   class KeyPair {
  73    public:
  74     explicit KeyPair(EVP_PKEY* pub_key, EVP_PKEY* priv_key);
  75     KeyPair(const KeyPair& other);
  76     void operator=(const KeyPair& other);
  77     ~KeyPair();
  78
  79     crypto::ScopedEVP_PKEY public_key;
  80     crypto::ScopedEVP_PKEY private_key;
  81
  82    private:
  83     KeyPair();  // intentionally not implemented.
  84   };
  85
  86   // Returns the index of the keypair for |public_key|. or -1 if not found.
  87   int FindKeyPairIndex(EVP_PKEY* public_key);
  88
  89   std::vector<KeyPair> pairs_;
  90
  91   friend struct DefaultSingletonTraits<OpenSSLClientKeyStore>;
  92
  93   DISALLOW_COPY_AND_ASSIGN(OpenSSLClientKeyStore);
  94 };
  95
  96 }  // namespace net
  97
  98 #endif  // NET_SSL_OPENSSL_CLIENT_KEY_STORE_H_