Use NSS to generate Origin-Bound Certs on Win and Mac.

net/base/origin_bound_cert_service.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/origin_bound_cert_service.h"
 
 #include <limits>
 
 #include "base/compiler_specific.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/message_loop.h"
 #include "base/rand_util.h"
 #include "base/stl_util.h"
 #include "base/threading/worker_pool.h"
 #include "crypto/rsa_private_key.h"
 #include "net/base/net_errors.h"
 #include "net/base/origin_bound_cert_store.h"
 #include "net/base/x509_certificate.h"
+#include "net/base/x509_util.h"
 
 #if defined(USE_NSS)
 #include <private/pprthred.h>  // PR_DetachThread
 #endif
 
 namespace net {
 
 namespace {
 
 const int kKeySizeInBits = 1024;
@@ skipping 285 matching lines @@
 int OriginBoundCertService::GenerateCert(const std::string& origin,
                                          uint32 serial_number,
                                          std::string* private_key,
                                          std::string* cert) {
   scoped_ptr<crypto::RSAPrivateKey> key(
       crypto::RSAPrivateKey::Create(kKeySizeInBits));
   if (!key.get()) {
     LOG(WARNING) << "Unable to create key pair for client";
     return ERR_KEY_GENERATION_FAILED;
   }
-#if defined(USE_NSS)
-  scoped_refptr<X509Certificate> x509_cert = X509Certificate::CreateOriginBound(
+  std::string der_cert;
+  if (!x509_util::CreateOriginBoundCert(
       key.get(),
       origin,
       serial_number,
-      base::TimeDelta::FromDays(kValidityPeriodInDays));
-#else
-  scoped_refptr<X509Certificate> x509_cert = X509Certificate::CreateSelfSigned(
-      key.get(),
-      "CN=anonymous.invalid",
-      serial_number,
-      base::TimeDelta::FromDays(kValidityPeriodInDays));
-#endif
-  if (!x509_cert) {
+      base::TimeDelta::FromDays(kValidityPeriodInDays),
+      &der_cert)) {
     LOG(WARNING) << "Unable to create x509 cert for client";
     return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
   }
 
   std::vector<uint8> private_key_info;
   if (!key->ExportPrivateKey(&private_key_info)) {
     LOG(WARNING) << "Unable to export private key";
     return ERR_PRIVATE_KEY_EXPORT_FAILED;
   }
   // TODO(rkn): Perhaps ExportPrivateKey should be changed to output a
   // std::string* to prevent this copying.
   std::string key_out(private_key_info.begin(), private_key_info.end());
 
-  std::string der_cert;
-  if (!x509_cert->GetDEREncoded(&der_cert)) {
-    LOG(WARNING) << "Unable to get DER-encoded cert";
-    return ERR_GET_CERT_BYTES_FAILED;

[wtc, 2011/10/17 19:09:27]

I believe this is the only place where ERR_GET_CERT_BYTES_FAILED
is used.  We should either remove this error code, or
improve the comment for it in net_error_list.h, e.g., mention
X509Certificate::GetDEREncoded explicitly.

Please make the net_error_list.h change last, or in a
separate CL because it will cause many files to be
recompiled.

[mattm, 2011/10/17 22:54:19]

Done.

-  }
-
   private_key->swap(key_out);
   cert->swap(der_cert);
   return OK;
 }
 
 void OriginBoundCertService::CancelRequest(RequestHandle req) {
   DCHECK(CalledOnValidThread());
   OriginBoundCertServiceRequest* request =
       reinterpret_cast<OriginBoundCertServiceRequest*>(req);
   request->Cancel();
@@ skipping 22 matching lines @@
   delete job;
 }
 
 int OriginBoundCertService::cert_count() {
   return origin_bound_cert_store_->GetCertCount();
 }
 
 }  // namespace net
 
 DISABLE_RUNNABLE_METHOD_REFCOUNT(net::OriginBoundCertServiceWorker);