net/base/ssl_config_service.h - chromium/src - Git at Google

 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_
 #define NET_BASE_SSL_CONFIG_SERVICE_H_

 #include <vector>

 #include "base/ref_counted.h"
 #include "net/base/x509_certificate.h"

 namespace net {

 // A collection of SSL-related configuration settings.
 struct SSLConfig {
   // Default to revocation checking.
   // Default to SSL 2.0 off, SSL 3.0 on, and TLS 1.0 on.
   SSLConfig()
       : rev_checking_enabled(true),  ssl2_enabled(false), ssl3_enabled(true),
         tls1_enabled(true), send_client_cert(false), verify_ev_cert(false) {
   }

   bool rev_checking_enabled;  // True if server certificate revocation
                               // checking is enabled.
   bool ssl2_enabled;  // True if SSL 2.0 is enabled.
   bool ssl3_enabled;  // True if SSL 3.0 is enabled.
   bool tls1_enabled;  // True if TLS 1.0 is enabled.

   // TODO(wtc): move the following members to a new SSLParams structure.  They
   // are not SSL configuration settings.

   struct CertAndStatus {
     scoped_refptr<X509Certificate> cert;
     int cert_status;
   };

   // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
   // TODO(wtc): Move this to a .cc file.  ssl_config_service.cc is Windows
   // only right now, so I can't move it there.
   bool IsAllowedBadCert(X509Certificate* cert) const {
     for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
       if (cert == allowed_bad_certs[i].cert)
         return true;
     }
     return false;
   }

   // Add any known-bad SSL certificate (with its cert status) to
   // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
   // calling SSLClientSocket::Connect.  This would normally be done in
   // response to the user explicitly accepting the bad certificate.
   std::vector<CertAndStatus> allowed_bad_certs;

   // True if we should send client_cert to the server.
   bool send_client_cert;

   bool verify_ev_cert;  // True if we should verify the certificate for EV.

   // The list of application level protocols supported. If set, this will
   // enable Next Protocol Negotiation (if supported). This is a list of 8-bit
   // length prefixed strings. The order of the protocols doesn't matter expect
   // for one case: if the server supports Next Protocol Negotiation, but there
   // is no overlap between the server's and client's protocol sets, then the
   // first protocol in this list will be requested by the client.
   std::string next_protos;

   scoped_refptr<X509Certificate> client_cert;
 };

 // The interface for retrieving the SSL configuration.  This interface
 // does not cover setting the SSL configuration, as on some systems, the
 // SSLConfigService objects may not have direct access to the configuration, or
 // live longer than the configuration preferences.
 class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
  public:
   // Create an instance of SSLConfigService which retrieves the configuration
   // from the system SSL configuration, or an instance of
   // SSLConfigServiceDefaults if the current system does not have a system SSL
   // configuration.  Note: this does not handle SSLConfigService implementations
   // that are not native to their platform, such as preference-backed ones.
   static SSLConfigService* CreateSystemSSLConfigService();

   // May not be thread-safe, should only be called on the IO thread.
   virtual void GetSSLConfig(SSLConfig* config) = 0;

  protected:
   friend class base::RefCountedThreadSafe<SSLConfigService>;

   virtual ~SSLConfigService() {}
 };

 }  // namespace net

 #endif  // NET_BASE_SSL_CONFIG_SERVICE_H_
	// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef NET_BASE_SSL_CONFIG_SERVICE_H_
	#define NET_BASE_SSL_CONFIG_SERVICE_H_

	#include <vector>

	#include "base/ref_counted.h"
	#include "net/base/x509_certificate.h"

	namespace net {

	// A collection of SSL-related configuration settings.
	struct SSLConfig {
	// Default to revocation checking.
	// Default to SSL 2.0 off, SSL 3.0 on, and TLS 1.0 on.
	SSLConfig()
	: rev_checking_enabled(true), ssl2_enabled(false), ssl3_enabled(true),
	tls1_enabled(true), send_client_cert(false), verify_ev_cert(false) {
	}

	bool rev_checking_enabled; // True if server certificate revocation
	// checking is enabled.
	bool ssl2_enabled; // True if SSL 2.0 is enabled.
	bool ssl3_enabled; // True if SSL 3.0 is enabled.
	bool tls1_enabled; // True if TLS 1.0 is enabled.

	// TODO(wtc): move the following members to a new SSLParams structure. They
	// are not SSL configuration settings.

	struct CertAndStatus {
	scoped_refptr<X509Certificate> cert;
	int cert_status;
	};

	// Returns true if \|cert\| is one of the certs in \|allowed_bad_certs\|.
	// TODO(wtc): Move this to a .cc file. ssl_config_service.cc is Windows
	// only right now, so I can't move it there.
	bool IsAllowedBadCert(X509Certificate* cert) const {
	for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
	if (cert == allowed_bad_certs[i].cert)
	return true;
	}
	return false;
	}

	// Add any known-bad SSL certificate (with its cert status) to
	// \|allowed_bad_certs\| that should not trigger an ERR_CERT_* error when
	// calling SSLClientSocket::Connect. This would normally be done in
	// response to the user explicitly accepting the bad certificate.
	std::vector<CertAndStatus> allowed_bad_certs;

	// True if we should send client_cert to the server.
	bool send_client_cert;

	bool verify_ev_cert; // True if we should verify the certificate for EV.

	// The list of application level protocols supported. If set, this will
	// enable Next Protocol Negotiation (if supported). This is a list of 8-bit
	// length prefixed strings. The order of the protocols doesn't matter expect
	// for one case: if the server supports Next Protocol Negotiation, but there
	// is no overlap between the server's and client's protocol sets, then the
	// first protocol in this list will be requested by the client.
	std::string next_protos;

	scoped_refptr<X509Certificate> client_cert;
	};

	// The interface for retrieving the SSL configuration. This interface
	// does not cover setting the SSL configuration, as on some systems, the
	// SSLConfigService objects may not have direct access to the configuration, or
	// live longer than the configuration preferences.
	class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
	public:
	// Create an instance of SSLConfigService which retrieves the configuration
	// from the system SSL configuration, or an instance of
	// SSLConfigServiceDefaults if the current system does not have a system SSL
	// configuration. Note: this does not handle SSLConfigService implementations
	// that are not native to their platform, such as preference-backed ones.
	static SSLConfigService* CreateSystemSSLConfigService();

	// May not be thread-safe, should only be called on the IO thread.
	virtual void GetSSLConfig(SSLConfig* config) = 0;

	protected:
	friend class base::RefCountedThreadSafe<SSLConfigService>;

	virtual ~SSLConfigService() {}
	};

	} // namespace net

	#endif // NET_BASE_SSL_CONFIG_SERVICE_H_