Chromium Code Reviews Chromium Code Reviews
Issue 8537025:
Allow signing EC certs and creating EC origin-bound certs. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_util.h" | 5 #include "net/base/x509_util.h" |
| 6 #include "net/base/x509_util_nss.h" | 6 #include "net/base/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <secoid.h> | 9 #include <secoid.h> |
| 10 | 10 |
| 11 #include "base/memory/scoped_ptr.h" | 11 #include "base/memory/scoped_ptr.h" |
| 12 #include "base/memory/ref_counted.h" | 12 #include "base/memory/ref_counted.h" |
| 13 #include "crypto/ec_private_key.h" | |
| 13 #include "crypto/rsa_private_key.h" | 14 #include "crypto/rsa_private_key.h" |
| 15 #include "crypto/scoped_nss_types.h" | |
| 16 #include "crypto/signature_verifier.h" | |
| 14 #include "net/base/x509_certificate.h" | 17 #include "net/base/x509_certificate.h" |
| 15 #include "testing/gtest/include/gtest/gtest.h" | 18 #include "testing/gtest/include/gtest/gtest.h" |
| 16 | 19 |
| 20 #if defined(OS_MACOSX) | |
| 21 #include "base/mac/mac_util.h" | |
| 22 #endif | |
| 23 | |
| 24 namespace net { | |
| 25 | |
| 17 namespace { | 26 namespace { |
| 18 | 27 |
| 19 CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) { | 28 CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) { |
| 20 SECItem der_cert; | 29 SECItem der_cert; |
| 21 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data)); | 30 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data)); |
| 22 der_cert.len = length; | 31 der_cert.len = length; |
| 23 der_cert.type = siDERCertBuffer; | 32 der_cert.type = siDERCertBuffer; |
| 24 | 33 |
| 25 // Parse into a certificate structure. | 34 // Parse into a certificate structure. |
| 26 return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL, | 35 return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL, |
| 27 PR_FALSE, PR_TRUE); | 36 PR_FALSE, PR_TRUE); |
| 28 } | 37 } |
| 29 | 38 |
| 30 } // namespace | 39 void VerifyCertificateSignature(const std::string& der_cert, |
| 40 const std::vector<uint8>& der_spki) { | |
| 41 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); | |
| 31 | 42 |
| 32 namespace net { | 43 CERTSignedData sd; |
| 44 memset(&sd, 0, sizeof(sd)); | |
| 33 | 45 |
| 34 // This test creates an origin-bound cert from a private key and | 46 SECItem der_cert_item = { |
| 35 // then verifies the content of the certificate. | 47 siDERCertBuffer, |
| 36 TEST(X509UtilNSSTest, CreateOriginBoundCert) { | 48 reinterpret_cast<unsigned char*>(const_cast<char*>(der_cert.data())), |
| 49 der_cert.size() | |
| 50 }; | |
| 51 SECStatus rv = SEC_ASN1DecodeItem(arena.get(), &sd, | |
| 52 SEC_ASN1_GET(CERT_SignedDataTemplate), | |
| 53 &der_cert_item); | |
| 54 ASSERT_EQ(SECSuccess, rv); | |
| 55 | |
| 56 // The CERTSignedData.signatureAlgorithm is decoded, but SignatureVerifier | |
| 57 // wants the DER encoded form, so re-encode it again. | |
| 58 SECItem* signature_algorithm = SEC_ASN1EncodeItem( | |
| 59 arena.get(), | |
| 60 NULL, | |
| 61 &sd.signatureAlgorithm, | |
| 62 SEC_ASN1_GET(SECOID_AlgorithmIDTemplate)); | |
| 63 ASSERT_TRUE(signature_algorithm); | |
| 64 | |
| 65 crypto::SignatureVerifier verifier; | |
| 66 bool ok = verifier.VerifyInit( | |
| 67 signature_algorithm->data, | |
| 68 signature_algorithm->len, | |
| 69 sd.signature.data, | |
| 70 sd.signature.len / 8, // Signature is a BIT STRING, convert to bytes. | |
| 71 &der_spki[0], | |
| 72 der_spki.size()); | |
| 73 | |
| 74 ASSERT_TRUE(ok); | |
| 75 verifier.VerifyUpdate(sd.data.data, | |
| 76 sd.data.len); | |
| 77 | |
| 78 ok = verifier.VerifyFinal(); | |
| 79 EXPECT_TRUE(ok); | |
| 80 } | |
| 81 | |
| 82 void VerifyX509CertificateParsing(const std::string& der_cert) { | |
| 83 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBytes( | |
| 84 der_cert.data(), der_cert.size()); | |
| 85 | |
| 86 ASSERT_TRUE(cert); | |
| 87 | |
| 88 EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName()); | |
|
wtc
2011/11/30 20:30:02
This expected certificate subject name is specific
| |
| 89 EXPECT_FALSE(cert->HasExpired()); | |
| 90 } | |
| 91 | |
| 92 void VerifyOriginBoundCert(const std::string& origin, | |
| 93 const std::string& der_cert) { | |
| 37 // Origin Bound Cert OID. | 94 // Origin Bound Cert OID. |
| 38 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; | 95 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; |
| 39 | 96 |
| 40 // Create a sample ASCII weborigin. | |
| 41 std::string origin = "http://weborigin.com:443"; | |
| 42 | |
| 43 // Create object neccessary for extension lookup call. | 97 // Create object neccessary for extension lookup call. |
| 44 SECItem extension_object = { | 98 SECItem extension_object = { |
| 45 siAsciiString, | 99 siAsciiString, |
| 46 (unsigned char*)origin.data(), | 100 (unsigned char*)origin.data(), |
| 47 origin.size() | 101 origin.size() |
| 48 }; | 102 }; |
| 49 | 103 |
| 50 scoped_ptr<crypto::RSAPrivateKey> private_key( | |
| 51 crypto::RSAPrivateKey::Create(1024)); | |
| 52 std::string der_cert; | |
| 53 ASSERT_TRUE(x509_util::CreateOriginBoundCert(private_key.get(), | |
| 54 origin, 1, | |
| 55 base::TimeDelta::FromDays(1), | |
| 56 &der_cert)); | |
| 57 | |
| 58 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBytes( | |
| 59 der_cert.data(), der_cert.size()); | |
| 60 | |
| 61 EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName()); | |
| 62 EXPECT_FALSE(cert->HasExpired()); | |
| 63 | |
| 64 // IA5Encode and arena allocate SECItem. | 104 // IA5Encode and arena allocate SECItem. |
| 65 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 105 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 66 SECItem* expected = SEC_ASN1EncodeItem(arena, | 106 SECItem* expected = SEC_ASN1EncodeItem(arena, |
| 67 NULL, | 107 NULL, |
| 68 &extension_object, | 108 &extension_object, |
| 69 SEC_ASN1_GET(SEC_IA5StringTemplate)); | 109 SEC_ASN1_GET(SEC_IA5StringTemplate)); |
| 70 | 110 |
| 71 ASSERT_NE(static_cast<SECItem*>(NULL), expected); | 111 ASSERT_NE(static_cast<SECItem*>(NULL), expected); |
| 72 | 112 |
| 73 // Create OID SECItem. | 113 // Create OID SECItem. |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 96 | 136 |
| 97 // Compare expected and actual extension values. | 137 // Compare expected and actual extension values. |
| 98 PRBool result = SECITEM_ItemsAreEqual(expected, &actual); | 138 PRBool result = SECITEM_ItemsAreEqual(expected, &actual); |
| 99 ASSERT_TRUE(result); | 139 ASSERT_TRUE(result); |
| 100 | 140 |
| 101 // Do Cleanup. | 141 // Do Cleanup. |
| 102 SECITEM_FreeItem(&actual, PR_FALSE); | 142 SECITEM_FreeItem(&actual, PR_FALSE); |
| 103 PORT_FreeArena(arena, PR_FALSE); | 143 PORT_FreeArena(arena, PR_FALSE); |
| 104 } | 144 } |
| 105 | 145 |
| 146 } // namespace | |
| 147 | |
| 148 // This test creates an origin-bound cert from a RSA private key and | |
| 149 // then verifies the content of the certificate. | |
| 150 TEST(X509UtilNSSTest, CreateOriginBoundCertRSA) { | |
| 151 // Create a sample ASCII weborigin. | |
| 152 std::string origin = "http://weborigin.com:443"; | |
| 153 | |
| 154 scoped_ptr<crypto::RSAPrivateKey> private_key( | |
| 155 crypto::RSAPrivateKey::Create(1024)); | |
| 156 std::string der_cert; | |
| 157 ASSERT_TRUE(x509_util::CreateOriginBoundCertRSA(private_key.get(), | |
| 158 origin, 1, | |
| 159 base::TimeDelta::FromDays(1), | |
| 160 &der_cert)); | |
| 161 | |
| 162 VerifyOriginBoundCert(origin, der_cert); | |
| 163 | |
| 164 VerifyX509CertificateParsing(der_cert); | |
| 165 | |
| 166 std::vector<uint8> spki; | |
| 167 ASSERT_TRUE(private_key->ExportPublicKey(&spki)); | |
| 168 VerifyCertificateSignature(der_cert, spki); | |
| 169 } | |
| 170 | |
| 171 // This test creates an origin-bound cert from an EC private key and | |
| 172 // then verifies the content of the certificate. | |
| 173 TEST(X509UtilNSSTest, CreateOriginBoundCertEC) { | |
| 174 // Create a sample ASCII weborigin. | |
| 175 std::string origin = "http://weborigin.com:443"; | |
| 176 | |
| 177 scoped_ptr<crypto::ECPrivateKey> private_key( | |
| 178 crypto::ECPrivateKey::Create()); | |
| 179 std::string der_cert; | |
| 180 ASSERT_TRUE(x509_util::CreateOriginBoundCertEC(private_key.get(), | |
| 181 origin, 1, | |
| 182 base::TimeDelta::FromDays(1), | |
| 183 &der_cert)); | |
| 184 | |
| 185 VerifyOriginBoundCert(origin, der_cert); | |
| 186 | |
| 187 #if defined(OS_MACOSX) | |
| 188 // X509Certificate on OSX 10.5 will fail with EC certs. We don't actually | |
| 189 // need to parse them into an X509Certificate except for here in the unittest, | |
| 190 // so skipping this part of the test should be fine. | |
| 191 // TODO(mattm): Try removing this check when http://crbug.com/101231 is fixed. | |
|
wtc
2011/11/30 20:30:02
and also merging VerifyX509CertificateParsing back
| |
| 192 if (base::mac::IsOSSnowLeopardOrLater()) | |
| 193 VerifyX509CertificateParsing(der_cert); | |
| 194 #else | |
| 195 VerifyX509CertificateParsing(der_cert); | |
| 196 #endif | |
| 197 | |
| 198 #if !defined(OS_WIN) && !defined(OS_MACOSX) | |
| 199 // signature_verifier_win and signature_verifier_mac can't handle EC certs. | |
| 200 std::vector<uint8> spki; | |
| 201 ASSERT_TRUE(private_key->ExportPublicKey(&spki)); | |
| 202 VerifyCertificateSignature(der_cert, spki); | |
| 203 #endif | |
| 204 } | |
| 205 | |
| 106 } // namespace net | 206 } // namespace net |
| OLD | NEW |
