blob: caf7a281ce9bc9c5663cc0de87b7ad48122e33c0 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_CERT_X509_UTIL_MAC_H_
#define NET_CERT_X509_UTIL_MAC_H_
#include <CoreFoundation/CFArray.h>
#include <Security/Security.h>
#include <string>
#include "base/basictypes.h"
#include "net/base/net_export.h"
namespace net {
namespace x509_util {
// Creates a security policy for certificates used as client certificates
// in SSL.
// If a policy is successfully created, it will be stored in
// |*policy| and ownership transferred to the caller.
OSStatus NET_EXPORT CreateSSLClientPolicy(SecPolicyRef* policy);
// Create an SSL server policy. While certificate name validation will be
// performed by SecTrustEvaluate(), it has the following limitations:
// - Doesn't support IP addresses in dotted-quad literals (
// - Doesn't support IPv6 addresses
// - Doesn't support the iPAddress subjectAltName
// Providing the hostname is necessary in order to locate certain user or
// system trust preferences, such as those created by Safari. Preferences
// created by Keychain Access do not share this requirement.
// On success, stores the resultant policy in |*policy| and returns noErr.
OSStatus NET_EXPORT CreateSSLServerPolicy(const std::string& hostname,
SecPolicyRef* policy);
// Creates a security policy for basic X.509 validation. If the policy is
// successfully created, it will be stored in |*policy| and ownership
// transferred to the caller.
OSStatus NET_EXPORT CreateBasicX509Policy(SecPolicyRef* policy);
// Creates security policies to control revocation checking (OCSP and CRL).
// If |enable_revocation_checking| is true, revocation checking will be
// explicitly enabled.
// If |enable_revocation_checking| is false, but |enable_ev_checking| is
// true, then the system policies for EV checking (which include checking
// for an online OCSP response) will be permitted. However, if the OS
// does not believe the certificate is EV, no revocation checking will be
// performed.
// If both are false, then the policies returned will be explicitly
// prohibited from accessing the network or the local cache, regardless of
// system settings.
// If the policies are successfully created, they will be appended to
// |policies|.
OSStatus NET_EXPORT CreateRevocationPolicies(bool enable_revocation_checking,
bool enable_ev_checking,
CFMutableArrayRef policies);
// Wrapper for a CSSM_DATA_PTR that was obtained via one of the CSSM field
// accessors (such as CSSM_CL_CertGet[First/Next]Value or
// CSSM_CL_CertGet[First/Next]CachedValue).
class CSSMFieldValue {
CSSMFieldValue(CSSM_CL_HANDLE cl_handle,
const CSSM_OID* oid,
CSSM_OID_PTR oid() const { return oid_; }
CSSM_DATA_PTR field() const { return field_; }
// Returns the field as if it was an arbitrary type - most commonly, by
// interpreting the field as a specific CSSM/CDSA parsed type, such as
// An added check is applied to ensure that the current field is large
// enough to actually contain the requested type.
template <typename T> const T* GetAs() const {
if (!field_ || field_->Length < sizeof(T))
return NULL;
return reinterpret_cast<const T*>(field_->Data);
void Reset(CSSM_CL_HANDLE cl_handle,
CSSM_CL_HANDLE cl_handle_;
// CSSMCachedCertificate is a container class that is used to wrap the
// CSSM_CL_CertCache APIs and provide safe and efficient access to
// certificate fields in their CSSM form.
// To provide efficient access to certificate/CRL fields, CSSM provides an
// API/SPI to "cache" a certificate/CRL. The exact meaning of a cached
// certificate is not defined by CSSM, but is documented to generally be some
// intermediate or parsed form of the certificate. In the case of Apple's
// CSSM CL implementation, the intermediate form is the parsed certificate
// stored in an internal format (which happens to be NSS). By caching the
// certificate, callers that wish to access multiple fields (such as subject,
// issuer, and validity dates) do not need to repeatedly parse the entire
// certificate, nor are they forced to convert all fields from their NSS types
// to their CSSM equivalents. This latter point is especially helpful when
// running on OS X 10.5, as it will fail to convert some fields that reference
// unsupported algorithms, such as ECC.
class CSSMCachedCertificate {
// Initializes the CSSMCachedCertificate by caching the specified
// |os_cert_handle|. On success, returns noErr.
// Note: Once initialized, the cached certificate should only be accessed
// from a single thread.
OSStatus Init(SecCertificateRef os_cert_handle);
// Fetches the first value for the field associated with |field_oid|.
// If |field_oid| is a valid OID and is present in the current certificate,
// returns CSSM_OK and stores the first value in |field|. If additional
// values are associated with |field_oid|, they are ignored.
OSStatus GetField(const CSSM_OID* field_oid, CSSMFieldValue* field) const;
CSSM_CL_HANDLE cl_handle_;
CSSM_HANDLE cached_cert_handle_;
} // namespace x509_util
} // namespace net
#endif // NET_CERT_X509_UTIL_MAC_H_