| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_util.h" | 5 #include "net/base/x509_util.h" |
| 6 #include "net/base/x509_util_nss.h" | 6 #include "net/base/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <secoid.h> | 9 #include <secoid.h> |
| 10 | 10 |
| 11 #include "base/memory/scoped_ptr.h" | 11 #include "base/memory/scoped_ptr.h" |
| 12 #include "base/memory/ref_counted.h" | 12 #include "base/memory/ref_counted.h" |
| 13 #include "crypto/ec_private_key.h" |
| 13 #include "crypto/rsa_private_key.h" | 14 #include "crypto/rsa_private_key.h" |
| 15 #include "crypto/scoped_nss_types.h" |
| 16 #include "crypto/signature_verifier.h" |
| 14 #include "net/base/x509_certificate.h" | 17 #include "net/base/x509_certificate.h" |
| 15 #include "testing/gtest/include/gtest/gtest.h" | 18 #include "testing/gtest/include/gtest/gtest.h" |
| 16 | 19 |
| 20 namespace net { |
| 21 |
| 17 namespace { | 22 namespace { |
| 18 | 23 |
| 19 CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) { | 24 CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) { |
| 20 SECItem der_cert; | 25 SECItem der_cert; |
| 21 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data)); | 26 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data)); |
| 22 der_cert.len = length; | 27 der_cert.len = length; |
| 23 der_cert.type = siDERCertBuffer; | 28 der_cert.type = siDERCertBuffer; |
| 24 | 29 |
| 25 // Parse into a certificate structure. | 30 // Parse into a certificate structure. |
| 26 return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL, | 31 return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL, |
| 27 PR_FALSE, PR_TRUE); | 32 PR_FALSE, PR_TRUE); |
| 28 } | 33 } |
| 29 | 34 |
| 30 } // namespace | 35 void VerifyCertificateSignature(const std::string& der_cert, |
| 36 const std::vector<uint8>& der_spki) { |
| 37 crypto::ScopedPLArenaPool arena; |
| 31 | 38 |
| 32 namespace net { | 39 CERTSignedData sd; |
| 40 memset(&sd, 0, sizeof(sd)); |
| 33 | 41 |
| 34 // This test creates an origin-bound cert from a private key and | 42 SECItem der_cert_item = { |
| 35 // then verifies the content of the certificate. | 43 siDERCertBuffer, |
| 36 TEST(X509UtilNSSTest, CreateOriginBoundCert) { | 44 reinterpret_cast<unsigned char*>(const_cast<char*>(der_cert.data())), |
| 45 der_cert.size() |
| 46 }; |
| 47 SECStatus rv = SEC_ASN1DecodeItem(arena.get(), &sd, |
| 48 SEC_ASN1_GET(CERT_SignedDataTemplate), |
| 49 &der_cert_item); |
| 50 ASSERT_EQ(SECSuccess, rv); |
| 51 |
| 52 // The CERTSignedData.signatureAlgorithm is decoded, but SignatureVerifier |
| 53 // wants the DER encoded form, so re-encode it again. |
| 54 SECItem* signature_algorithm = SEC_ASN1EncodeItem( |
| 55 arena.get(), |
| 56 NULL, |
| 57 &sd.signatureAlgorithm, |
| 58 SEC_ASN1_GET(SECOID_AlgorithmIDTemplate)); |
| 59 ASSERT_TRUE(signature_algorithm); |
| 60 |
| 61 crypto::SignatureVerifier verifier; |
| 62 bool ok = verifier.VerifyInit( |
| 63 signature_algorithm->data, |
| 64 signature_algorithm->len, |
| 65 sd.signature.data, |
| 66 sd.signature.len / 8, // Signature is a BIT STRING, convert to bytes. |
| 67 &der_spki[0], |
| 68 der_spki.size()); |
| 69 |
| 70 ASSERT_TRUE(ok); |
| 71 verifier.VerifyUpdate(sd.data.data, |
| 72 sd.data.len); |
| 73 |
| 74 ok = verifier.VerifyFinal(); |
| 75 EXPECT_TRUE(ok); |
| 76 } |
| 77 |
| 78 void VerifyOriginBoundCert(const std::string& origin, |
| 79 const std::string& der_cert) { |
| 37 // Origin Bound Cert OID. | 80 // Origin Bound Cert OID. |
| 38 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; | 81 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; |
| 39 | 82 |
| 40 // Create a sample ASCII weborigin. | |
| 41 std::string origin = "http://weborigin.com:443"; | |
| 42 | |
| 43 // Create object neccessary for extension lookup call. | 83 // Create object neccessary for extension lookup call. |
| 44 SECItem extension_object = { | 84 SECItem extension_object = { |
| 45 siAsciiString, | 85 siAsciiString, |
| 46 (unsigned char*)origin.data(), | 86 (unsigned char*)origin.data(), |
| 47 origin.size() | 87 origin.size() |
| 48 }; | 88 }; |
| 49 | 89 |
| 50 scoped_ptr<crypto::RSAPrivateKey> private_key( | |
| 51 crypto::RSAPrivateKey::Create(1024)); | |
| 52 std::string der_cert; | |
| 53 ASSERT_TRUE(x509_util::CreateOriginBoundCert(private_key.get(), | |
| 54 origin, 1, | |
| 55 base::TimeDelta::FromDays(1), | |
| 56 &der_cert)); | |
| 57 | |
| 58 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBytes( | 90 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBytes( |
| 59 der_cert.data(), der_cert.size()); | 91 der_cert.data(), der_cert.size()); |
| 60 | 92 |
| 93 ASSERT_TRUE(cert); |
| 94 |
| 61 EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName()); | 95 EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName()); |
| 62 EXPECT_FALSE(cert->HasExpired()); | 96 EXPECT_FALSE(cert->HasExpired()); |
| 63 | 97 |
| 64 // IA5Encode and arena allocate SECItem. | 98 // IA5Encode and arena allocate SECItem. |
| 65 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 99 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 66 SECItem* expected = SEC_ASN1EncodeItem(arena, | 100 SECItem* expected = SEC_ASN1EncodeItem(arena, |
| 67 NULL, | 101 NULL, |
| 68 &extension_object, | 102 &extension_object, |
| 69 SEC_ASN1_GET(SEC_IA5StringTemplate)); | 103 SEC_ASN1_GET(SEC_IA5StringTemplate)); |
| 70 | 104 |
| (...skipping 25 matching lines...) Expand all Loading... |
| 96 | 130 |
| 97 // Compare expected and actual extension values. | 131 // Compare expected and actual extension values. |
| 98 PRBool result = SECITEM_ItemsAreEqual(expected, &actual); | 132 PRBool result = SECITEM_ItemsAreEqual(expected, &actual); |
| 99 ASSERT_TRUE(result); | 133 ASSERT_TRUE(result); |
| 100 | 134 |
| 101 // Do Cleanup. | 135 // Do Cleanup. |
| 102 SECITEM_FreeItem(&actual, PR_FALSE); | 136 SECITEM_FreeItem(&actual, PR_FALSE); |
| 103 PORT_FreeArena(arena, PR_FALSE); | 137 PORT_FreeArena(arena, PR_FALSE); |
| 104 } | 138 } |
| 105 | 139 |
| 140 } // namespace |
| 141 |
| 142 // This test creates an origin-bound cert from a RSA private key and |
| 143 // then verifies the content of the certificate. |
| 144 TEST(X509UtilNSSTest, CreateOriginBoundCertRSA) { |
| 145 // Create a sample ASCII weborigin. |
| 146 std::string origin = "http://weborigin.com:443"; |
| 147 |
| 148 scoped_ptr<crypto::RSAPrivateKey> private_key( |
| 149 crypto::RSAPrivateKey::Create(1024)); |
| 150 std::string der_cert; |
| 151 ASSERT_TRUE(x509_util::CreateOriginBoundCertRSA(private_key.get(), |
| 152 origin, 1, |
| 153 base::TimeDelta::FromDays(1), |
| 154 &der_cert)); |
| 155 |
| 156 VerifyOriginBoundCert(origin, der_cert); |
| 157 |
| 158 std::vector<uint8> spki; |
| 159 ASSERT_TRUE(private_key->ExportPublicKey(&spki)); |
| 160 VerifyCertificateSignature(der_cert, spki); |
| 161 } |
| 162 |
| 163 // This test creates an origin-bound cert from an EC private key and |
| 164 // then verifies the content of the certificate. |
| 165 TEST(X509UtilNSSTest, CreateOriginBoundCertEC) { |
| 166 // Create a sample ASCII weborigin. |
| 167 std::string origin = "http://weborigin.com:443"; |
| 168 |
| 169 scoped_ptr<crypto::ECPrivateKey> private_key( |
| 170 crypto::ECPrivateKey::Create()); |
| 171 std::string der_cert; |
| 172 ASSERT_TRUE(x509_util::CreateOriginBoundCertEC(private_key.get(), |
| 173 origin, 1, |
| 174 base::TimeDelta::FromDays(1), |
| 175 &der_cert)); |
| 176 |
| 177 VerifyOriginBoundCert(origin, der_cert); |
| 178 |
| 179 #if !defined(OS_WIN) && !defined(OS_MACOSX) |
| 180 // signature_verifier_win and signature_verifier_mac can't handle EC certs. |
| 181 std::vector<uint8> spki; |
| 182 ASSERT_TRUE(private_key->ExportPublicKey(&spki)); |
| 183 VerifyCertificateSignature(der_cert, spki); |
| 184 #endif |
| 185 } |
| 186 |
| 106 } // namespace net | 187 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8537025:
Allow signing EC certs and creating EC origin-bound certs. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src