Use NSS to generate Origin-Bound Certs on Win and Mac.

net/base/x509_util.h

Index: net/base/x509_util.h
diff --git a/net/base/x509_util.h b/net/base/x509_util.h
new file mode 100644
index 0000000000000000000000000000000000000000..372f62c3aac34ecaf7df17103b99994b668366ae
--- /dev/null
+++ b/net/base/x509_util.h
@@ -0,0 +1,39 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_X509_UTIL_H_
+#define NET_BASE_X509_UTIL_H_
+#pragma once
+
+#include <string>
+
+#include "base/time.h"
+#include "net/base/net_export.h"
+
+namespace crypto {
+class RSAPrivateKey;
+}
+
+namespace net {
+
+namespace x509_util {
+
+// Create an origin bound certificate containing the public key in |key|.

[wtc, 2011/10/17 19:09:27]

Nit: Create => Creates

[mattm, 2011/10/17 22:54:19]

Done.

+// Web origin, serial number and validity period are given as
+// parameters. The certificate is signed by the private key in |key|.
+// The hashing algorithm for the signature is SHA-1.
+//
+// See Internet Draft draft-balfanz-tls-obc-00 for more details:
+// http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.html

[wtc, 2011/10/17 19:09:27]

This URL is now broken.  Although there is a newer version
of the draft on http://balfanz.github.com (I don't have the
URL off hand), I suggest that we use the URL for the official
IETF draft (it has some typos though):
http://tools.ietf.org/html/draft-balfanz-tls-obc-00

[mattm, 2011/10/17 22:54:19]

Done.

+bool NET_EXPORT_PRIVATE CreateOriginBoundCert(crypto::RSAPrivateKey* key,
+                                              const std::string& origin,
+                                              uint32 serial_number,
+                                              base::TimeDelta valid_duration,
+                                              std::string* der_cert);
+
+} // namespace x509_util
+
+} // namespace net
+
+#endif  // NET_BASE_X509_UTIL_H_