1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
6 #define NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
#include <map>
#include <string>
#include <vector>

#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"
#include "base/threading/non_thread_safe.h"
#include "base/time.h"
#include "net/base/completion_callback.h"
#include "net/base/net_export.h"
#include "net/base/ssl_client_cert_type.h"
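// Forward declarations. This header only refers to these types through a
// pointer, a friend declaration or a scoped_ptr member, so their full
// definitions are not needed here.
class OriginBoundCertServiceJob;
class OriginBoundCertServiceWorker;
class OriginBoundCertStore;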
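// A class for creating and fetching origin bound certs.
//
// Inherits from NonThreadSafe in order to use the function
// |CalledOnValidThread|. This header declares no locking of its own, so the
// request bookkeeping below (|inflight_| and the counters) is presumably only
// touched on the thread that owns the service.
//
// NOTE(review): the listing this declaration was recovered from had lost
// several lines: the access specifiers, the |cert| out-parameters, the
// |serial_number| and |error| parameters, cert_count(), |requests_| and the
// closing brace. They are restored below from the comments and accessor
// bodies that did survive; confirm the exact types against the matching .cc
// file before relying on them.
class NET_EXPORT OriginBoundCertService
    : NON_EXPORTED_BASE(public base::NonThreadSafe) {
 public:
  // Opaque type used to cancel a request. It is a bare pointer and nothing in
  // this header validates it, so callers should drop the handle as soon as the
  // request has completed or been canceled.
  typedef void* RequestHandle;

  // Password used on EncryptedPrivateKeyInfo data stored in EC private_key
  // values. (This is not used to provide any security, but to work around NSS
  // being unable to import unencrypted PrivateKeyInfo for EC keys.)
  //
  // Because the password is a fixed constant, the EncryptedPrivateKeyInfo
  // wrapper gives the key no confidentiality. Anything that stores or
  // transmits a |private_key| value has to protect it exactly as it would an
  // unencrypted private key.
  static const char kEPKIPassword[];

  // This object owns |origin_bound_cert_store|: the pointer ends up in the
  // scoped_ptr member below, so the caller must not delete it or give it to
  // another owner.
  explicit OriginBoundCertService(
      OriginBoundCertStore* origin_bound_cert_store);

  ~OriginBoundCertService();

  // Fetches the origin bound cert for the specified origin of the specified
  // type if one exists and creates one otherwise. Returns OK if successful or
  // an error code upon failure.
  //
  // |requested_types| is a list of the TLS ClientCertificateTypes the site will
  // accept, ordered from most preferred to least preferred. Types we don't
  // support will be ignored. See ssl_client_cert_type.h.
  //
  // On successful completion, |private_key| stores a DER-encoded
  // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate, and
  // |type| specifies the type of certificate that was returned.
  //
  // |callback| must not be null. ERR_IO_PENDING is returned if the operation
  // could not be completed immediately, in which case the result code will
  // be passed to the callback when available.
  //
  // If |out_req| is non-NULL, then |*out_req| will be filled with a handle to
  // the async request. This handle is not valid after the request has
  // completed.
  //
  // NOTE(review): when ERR_IO_PENDING is returned the out-parameters are
  // presumably written later, so they would have to stay valid until the
  // callback runs or the request is canceled. Confirm against the
  // implementation.
  int GetOriginBoundCert(
      const std::string& origin,
      const std::vector<uint8>& requested_types,
      SSLClientCertType* type,
      std::string* private_key,
      std::string* cert,
      const CompletionCallback& callback,
      RequestHandle* out_req);

  // Cancels the specified request. |req| is the handle returned by
  // GetOriginBoundCert(). After a request is canceled, its completion
  // callback will not be called.
  //
  // NOTE(review): the header does not say what happens when |req| belongs to
  // a request that has already completed; the contract above says such a
  // handle is no longer valid, so callers should not pass one.
  void CancelRequest(RequestHandle req);

  // Public only for unit testing.
  int cert_count();
  uint64 requests() const { return requests_; }
  uint64 cert_store_hits() const { return cert_store_hits_; }
  uint64 inflight_joins() const { return inflight_joins_; }

 private:
  friend class OriginBoundCertServiceWorker;  // Calls HandleResult.

  // On success, |private_key| stores a DER-encoded PrivateKeyInfo
  // struct, |cert| stores a DER-encoded certificate, and |expiration_time|
  // stores the expiration time of the certificate. Returns
  // OK if successful and an error code otherwise.
  // |serial_number| is passed in because it is created with the function
  // base::RandInt, which opens the file /dev/urandom. /dev/urandom is opened
  // with a LazyInstance, which is not allowed on a worker thread.
  static int GenerateCert(const std::string& origin,
                          SSLClientCertType type,
                          uint32 serial_number,
                          base::Time* expiration_time,
                          std::string* private_key,
                          std::string* cert);

  // Receives the outcome of a certificate generation for |origin|; called by
  // OriginBoundCertServiceWorker, which is a friend for this purpose.
  void HandleResult(const std::string& origin,
                    int error,
                    SSLClientCertType type,
                    base::Time expiration_time,
                    const std::string& private_key,
                    const std::string& cert);

  scoped_ptr<OriginBoundCertStore> origin_bound_cert_store_;

  // inflight_ maps from an origin to an active generation which is taking
  // place. The mapped values are raw pointers; who deletes the jobs is not
  // visible in this header.
  std::map<std::string, OriginBoundCertServiceJob*> inflight_;

  // Counters exposed through the test-only accessors above.
  uint64 requests_;
  uint64 cert_store_hits_;
  uint64 inflight_joins_;

  DISALLOW_COPY_AND_ASSIGN(OriginBoundCertService);
};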
125 #endif // NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_