Added CreateOriginBound method to x509_certificate.h.

net/base/x509_certificate_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <cert.h>
 #include <cryptohi.h>
 #include <keyhi.h>
 #include <nss.h>
 #include <pk11pub.h>
 #include <prerror.h>
 #include <prtime.h>
 #include <secder.h>
 #include <secerr.h>
 #include <sechash.h>
 #include <sslerr.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/memory/singleton.h"
 #include "base/pickle.h"
 #include "base/time.h"
 #include "crypto/nss_util.h"
 #include "crypto/rsa_private_key.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/ev_root_ca_metadata.h"
 #include "net/base/net_errors.h"
 
 namespace net {
 
 namespace {
 
+class ObCertOIDWrapper {
+  public:
+    static ObCertOIDWrapper* GetInstance() {
+      return Singleton<ObCertOIDWrapper,
+        LeakySingletonTraits<ObCertOIDWrapper> >::get();
+    }

[wtc, 2011/08/23 01:32:21]

I would format this method as follows:

  static ObCertOIDWrapper* GetInstance() {
    return Singleton<ObCertOIDWrapper,
                     LeakySingletonTraits<ObCertOIDWrapper> >::get();
  }

Making this a leaky singleton is fine.  Please add a comment
to explain why (to allow the singleton to be constructed on
a worker thread, which is not joined on process shutdown).

[mdietz, 2011/08/23 20:52:56]

Done.

+
+    SECOidTag ob_cert_oid_tag() const {
+      return ob_cert_oid_tag_;
+    }
+
+  private:
+    SECOidTag ob_cert_oid_tag_;
+
+    ObCertOIDWrapper();
+
+    friend struct DefaultSingletonTraits<ObCertOIDWrapper>;
+
+    DISALLOW_COPY_AND_ASSIGN(ObCertOIDWrapper);
+};

[wtc, 2011/08/23 01:32:21]

Please fix the indentation in this class.

"public:" and "private:" should be indented by only one space.

The other lines should be indented by two spaces as usual.

The private section should be declared in the order
recommended by the Style Guide:

 private:
  friend struct DefaultSingletonTraits<ObCertOIDWrapper>;

  ObCertOIDWrapper();

  SECOidTag ob_cert_oid_tag_;

  DISALLOW_COPY_AND_ASSIGN(ObCertOIDWrapper);

See
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml#Declaration_Order

[mdietz, 2011/08/23 20:52:56]

Done.

+
+ObCertOIDWrapper::ObCertOIDWrapper()
+  : ob_cert_oid_tag_(SEC_OID_UNKNOWN) {

[wtc, 2011/08/23 01:32:21]

The Style Guide recommends indenting the colon of the
initializer list by four spaces.  Alternatively, you can
put this on the previous line if it fits.

http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml#Constructor_In...

[mdietz, 2011/08/23 20:52:56]

Done.

+  // 1.3.6.1.4.1.11129.2.1.6
+  // (iso.org.dod.internet.private.enterprises.google.googleSecurity.
+  //  certificateExtensions.originBoundCertificate)
+  static const uint8 kObCertOID[] = {
+    0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x06
+  };
+  SECOidData oid_data;
+  memset(&oid_data, 0, sizeof(oid_data));
+  oid_data.oid.data = const_cast<uint8*>(kObCertOID);
+  oid_data.oid.len = sizeof(kObCertOID);
+  oid_data.offset = SEC_OID_UNKNOWN;
+  oid_data.desc = "Origin Bound Certificate";
+  oid_data.mechanism = CKM_INVALID_MECHANISM;
+  oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION;
+  ob_cert_oid_tag_ = SECOID_AddEntry(&oid_data);
+  if (ob_cert_oid_tag_ == SEC_OID_UNKNOWN)
+    LOG(ERROR) << "OB_CERT OID tag creation failed";
+}
+
 class ScopedCERTCertificatePolicies {
  public:
   explicit ScopedCERTCertificatePolicies(CERTCertificatePolicies* policies)
       : policies_(policies) {}
 
   ~ScopedCERTCertificatePolicies() {
     if (policies_)
       CERT_DestroyCertificatePoliciesExtension(policies_);
   }
 
@@ skipping 572 matching lines @@
   fingerprint_ = CalculateFingerprint(cert_handle_);
 
   serial_number_ = std::string(
       reinterpret_cast<char*>(cert_handle_->serialNumber.data),
       cert_handle_->serialNumber.len);
   // Remove leading zeros.
   while (serial_number_.size() > 1 && serial_number_[0] == 0)
     serial_number_ = serial_number_.substr(1, serial_number_.size() - 1);
 }
 
-// static
-X509Certificate* X509Certificate::CreateSelfSigned(
+// Creates a Certificate object that may be passed to the SignCertificate
+// method to generate an X509 certificate.
+// Returns NULL if an error is encountered in the certificate creation
+// process.
+// Caller responsible for freeing returned certificate object.
+static CERTCertificate* CreateCertificate(
     crypto::RSAPrivateKey* key,
     const std::string& subject,
     uint32 serial_number,
     base::TimeDelta valid_duration) {
-  DCHECK(key);
-
   // Create info about public key.
   CERTSubjectPublicKeyInfo* spki =
       SECKEY_CreateSubjectPublicKeyInfo(key->public_key());
   if (!spki)
     return NULL;
 
   // Create the certificate request.
   CERTName* subject_name =
       CERT_AsciiToName(const_cast<char*>(subject.c_str()));
   CERTCertificateRequest* cert_request =
@@ skipping 17 matching lines @@
   if (!cert) {
     PRErrorCode prerr = PR_GetError();
     LOG(ERROR) << "Failed to create certificate: " << prerr;
   }
 
   // Cleanup for resources used to generate the cert.
   CERT_DestroyName(subject_name);
   CERT_DestroyValidity(validity);
   CERT_DestroyCertificateRequest(cert_request);
 
-  if (!cert)
-    return NULL;
+  return cert;
+}
 
-  // Sign the cert here. The logic of this method references SignCert() in NSS
-  // utility certutil: http://mxr.mozilla.org/security/ident?i=SignCert.
-
+// Signs a certificate object, with |key| generating a new X509Certificate
+// and destroying the passed certificate object (even when NULL is returned).
+// The logic of this method references SignCert() in NSS utility certutil:
+// http://mxr.mozilla.org/security/ident?i=SignCert.
+// Returns NULL if an error is encountered in the certificate signing
+// process.
+// Caller responsible for freeing returned X509Certificate object.
+//
+// TODO: change this function to return
+// a success/failure status, and not create an X509Certificate
+// object, and not destroy |cert| on failure.  Let the caller
+// create the X509Certificate object and destroy |cert|.
+static X509Certificate* SignCertificate(
+    CERTCertificate* cert,
+    crypto::RSAPrivateKey* key) {
   // |arena| is used to encode the cert.
   PRArenaPool* arena = cert->arena;
   SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->key()->keyType,
                                                       SEC_OID_SHA1);
   if (algo_id == SEC_OID_UNKNOWN) {
     CERT_DestroyCertificate(cert);
     return NULL;
   }
 
   SECStatus rv = SECOID_SetAlgorithmID(arena, &cert->signature, algo_id, 0);
@@ skipping 28 matching lines @@
   // Sign the ASN1 encoded cert and save it to |result|.
   rv = SEC_DerSignData(arena, result, der.data, der.len, key->key(), algo_id);
   if (rv != SECSuccess) {
     CERT_DestroyCertificate(cert);
     return NULL;
   }
 
   // Save the signed result to the cert.
   cert->derCert = *result;
 
-  X509Certificate* x509_cert = CreateFromHandle(cert, OSCertHandles());
+  X509Certificate* x509_cert =
+    X509Certificate::CreateFromHandle(cert, X509Certificate::OSCertHandles());

[wtc, 2011/08/23 01:32:21]

Nit: indent this line by four spaces.

[mdietz, 2011/08/23 20:52:56]

Done.

   CERT_DestroyCertificate(cert);
   return x509_cert;
 }
 
+X509Certificate* X509Certificate::CreateSelfSigned(

[wtc, 2011/08/23 01:32:21]

Resurrect the "// static" comment for this method because
this is a static method.

Add a "// static" comment to the CreateOriginBound method
on line 808 below.

[mdietz, 2011/08/23 20:52:56]

Done.

+    crypto::RSAPrivateKey* key,
+    const std::string& subject,
+    uint32 serial_number,
+    base::TimeDelta valid_duration) {
+  DCHECK(key);
+
+  CERTCertificate* cert = CreateCertificate(key,
+                                            subject,
+                                            serial_number,
+                                            valid_duration);
+
+  if(!cert)

[wtc, 2011/08/23 01:32:21]

Add a space after "if" here and on line 820 below.

[mdietz, 2011/08/23 20:52:56]

Done.

+    return NULL;
+
+  X509Certificate* x509_cert = SignCertificate(cert, key);
+
+  return x509_cert;
+}
+
+X509Certificate* X509Certificate::CreateOriginBound(
+    crypto::RSAPrivateKey* key,
+    const std::string& origin,
+    uint32 serial_number,
+    base::TimeDelta valid_duration) {
+  DCHECK(key);
+
+  CERTCertificate* cert = CreateCertificate(key,
+                                            "CN=anonymous.invalid",
+                                            serial_number,
+                                            valid_duration);
+
+  if(!cert)
+    return NULL;
+
+  // Create opaque handle used to add extensions later.
+  void* cert_handle;
+  if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
+    LOG(ERROR) << "Unable to get opaque handle for adding extensions";
+    return NULL;
+  }
+
+  // Create SECItem for IA5String encoding.
+  SECItem origin_string_item = {
+    siAsciiString,
+    (unsigned char*)origin.data(),
+    origin.size()
+  };
+
+  // IA5Encode and arena allocate SECItem
+  SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
+      cert->arena, NULL, &origin_string_item,
+      SEC_ASN1_GET(SEC_IA5StringTemplate));
+  if (asn1_origin_string == NULL) {
+    LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
+    return NULL;
+  }
+
+  // Add the extension to the opaque handle
+  if (CERT_AddExtension(cert_handle,
+                        ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
+                        asn1_origin_string,
+                        PR_TRUE, PR_TRUE)
+      != SECSuccess){

[wtc, 2011/08/23 01:32:21]

Nit: move this to the previous line.

[mdietz, 2011/08/23 20:52:56]

Done.

+    LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
+    return NULL;
+  }
+
+  // Copy extension into x509 cert
+  if (CERT_FinishExtensions(cert_handle) != SECSuccess){
+    LOG(ERROR) << "Unable to copy extension to X509 cert";
+    return NULL;
+  }
+
+  X509Certificate* x509_cert = SignCertificate(cert, key);
+
+  return x509_cert;
+}
+
 void X509Certificate::GetSubjectAltName(
     std::vector<std::string>* dns_names,
     std::vector<std::string>* ip_addrs) const {
   if (dns_names)
     dns_names->clear();
   if (ip_addrs)
     ip_addrs->clear();
 
   SECItem alt_name;
   SECStatus rv = CERT_FindCertExtension(cert_handle_,
@@ skipping 269 matching lines @@
 
 // static
 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle,
                                                 Pickle* pickle) {
   return pickle->WriteData(
       reinterpret_cast<const char*>(cert_handle->derCert.data),
       cert_handle->derCert.len);
 }
 
 }  // namespace net