Allow signing EC certs and creating EC origin-bound certs.

net/base/x509_util_nss.cc

Index: net/base/x509_util_nss.cc
diff --git a/net/base/x509_util_nss.cc b/net/base/x509_util_nss.cc
index fe3fb1731cb87297f228563892a69f6cbb8dc135..75d7aa4138e540c87532d75424d85a4b6cf2073d 100644
--- a/net/base/x509_util_nss.cc
+++ b/net/base/x509_util_nss.cc
@@ -16,10 +16,12 @@
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
+#include "crypto/ec_private_key.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_nss_types.h"
+#include "crypto/third_party/nss/chromium-nss.h"
 
 namespace {
 
@@ -157,9 +159,11 @@ bool SignCertificate(
     return false;
 
   // Sign the ASN1 encoded cert and save it to |result|.
-  rv = SEC_DerSignData(arena, result, der.data, der.len, key, algo_id);
-  if (rv != SECSuccess)
+  rv = DerSignData(arena, result, &der, key, algo_id);
+  if (rv != SECSuccess) {
+    DLOG(ERROR) << "DerSignData: " << PORT_GetError();
     return false;
+  }
 
   // Save the signed result to the cert.
   cert->derCert = *result;
@@ -167,6 +171,78 @@ bool SignCertificate(
   return true;
 }
 
+bool CreateOriginBoundCert(

[wtc, 2011/11/15 03:10:57]

It may be better to name this function CreateOriginBoundCertCommon
or CreateOriginBoundCertInternal to suggest its relation with
CreateOriginBoundCertRSA and CreateOriginBoundCertEC.

[mattm, 2011/11/15 05:42:31]

Done.

+    SECKEYPublicKey* public_key,
+    SECKEYPrivateKey* private_key,
+    const std::string& origin,
+    uint32 serial_number,
+    base::TimeDelta valid_duration,
+    std::string* der_cert) {
+
+  CERTCertificate* cert = CreateCertificate(public_key,
+                                            "CN=anonymous.invalid",
+                                            serial_number,
+                                            valid_duration);
+
+  if (!cert)
+    return false;
+
+  // Create opaque handle used to add extensions later.
+  void* cert_handle;
+  if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
+    LOG(ERROR) << "Unable to get opaque handle for adding extensions";
+    CERT_DestroyCertificate(cert);
+    return false;
+  }
+
+  // Create SECItem for IA5String encoding.
+  SECItem origin_string_item = {
+    siAsciiString,
+    (unsigned char*)origin.data(),
+    origin.size()
+  };
+
+  // IA5Encode and arena allocate SECItem
+  SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
+      cert->arena, NULL, &origin_string_item,
+      SEC_ASN1_GET(SEC_IA5StringTemplate));
+  if (asn1_origin_string == NULL) {
+    LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
+    CERT_DestroyCertificate(cert);
+    return false;
+  }
+
+  // Add the extension to the opaque handle
+  if (CERT_AddExtension(cert_handle,
+                        ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
+                        asn1_origin_string,
+                        PR_TRUE, PR_TRUE) != SECSuccess){
+    LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
+    CERT_DestroyCertificate(cert);
+    return false;
+  }
+
+  // Copy extension into x509 cert
+  if (CERT_FinishExtensions(cert_handle) != SECSuccess){
+    LOG(ERROR) << "Unable to copy extension to X509 cert";
+    CERT_DestroyCertificate(cert);
+    return false;
+  }
+
+  if (!SignCertificate(cert, private_key)) {
+    CERT_DestroyCertificate(cert);
+    return false;
+  }
+
+  DCHECK(cert->derCert.len);
+  // XXX copied from X509Certificate::GetDEREncoded
+  der_cert->clear();
+  der_cert->append(reinterpret_cast<char*>(cert->derCert.data),
+                   cert->derCert.len);
+  CERT_DestroyCertificate(cert);
+  return true;
+}
+
 }  // namespace
 
 namespace net {
@@ -194,7 +270,7 @@ CERTCertificate* CreateSelfSignedCert(
   return cert;
 }
 
-bool CreateOriginBoundCert(
+bool CreateOriginBoundCertRSA(
     crypto::RSAPrivateKey* key,
     const std::string& origin,
     uint32 serial_number,
@@ -249,68 +325,27 @@ bool CreateOriginBoundCert(
   }
 #endif
 
-  CERTCertificate* cert = CreateCertificate(public_key,
-                                            "CN=anonymous.invalid",
-                                            serial_number,
-                                            valid_duration);
-
-  if (!cert)
-    return false;
-
-  // Create opaque handle used to add extensions later.
-  void* cert_handle;
-  if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
-    LOG(ERROR) << "Unable to get opaque handle for adding extensions";
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
-
-  // Create SECItem for IA5String encoding.
-  SECItem origin_string_item = {
-    siAsciiString,
-    (unsigned char*)origin.data(),
-    origin.size()
-  };
-
-  // IA5Encode and arena allocate SECItem
-  SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
-      cert->arena, NULL, &origin_string_item,
-      SEC_ASN1_GET(SEC_IA5StringTemplate));
-  if (asn1_origin_string == NULL) {
-    LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
-
-  // Add the extension to the opaque handle
-  if (CERT_AddExtension(cert_handle,
-                        ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
-                        asn1_origin_string,
-                        PR_TRUE, PR_TRUE) != SECSuccess){
-    LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
-
-  // Copy extension into x509 cert
-  if (CERT_FinishExtensions(cert_handle) != SECSuccess){
-    LOG(ERROR) << "Unable to copy extension to X509 cert";
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
-
-  if (!SignCertificate(cert, private_key)) {
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
+  return CreateOriginBoundCert(public_key,
+                               private_key,
+                               origin,
+                               serial_number,
+                               valid_duration,
+                               der_cert);
+}
 
-  DCHECK(cert->derCert.len);
-  // XXX copied from X509Certificate::GetDEREncoded
-  der_cert->clear();
-  der_cert->append(reinterpret_cast<char*>(cert->derCert.data),
-                   cert->derCert.len);
-  CERT_DestroyCertificate(cert);
-  return true;
+bool CreateOriginBoundCertEC(
+    crypto::ECPrivateKey* key,
+    const std::string& origin,
+    uint32 serial_number,
+    base::TimeDelta valid_duration,
+    std::string* der_cert) {
+  DCHECK(key);
+  return CreateOriginBoundCert(key->public_key(),
+                               key->key(),
+                               origin,
+                               serial_number,
+                               valid_duration,
+                               der_cert);
 }
 
 } // namespace x509_util