| Index: net/base/x509_util_nss.cc
|
| diff --git a/net/base/x509_util_nss.cc b/net/base/x509_util_nss.cc
|
| index fe3fb1731cb87297f228563892a69f6cbb8dc135..61126af6a1fbc68f65e5f664fc17103a33505b94 100644
|
| --- a/net/base/x509_util_nss.cc
|
| +++ b/net/base/x509_util_nss.cc
|
| @@ -16,10 +16,12 @@
|
| #include "base/logging.h"
|
| #include "base/memory/scoped_ptr.h"
|
| #include "base/memory/singleton.h"
|
| +#include "crypto/ec_private_key.h"
|
| #include "crypto/nss_util.h"
|
| #include "crypto/nss_util_internal.h"
|
| #include "crypto/rsa_private_key.h"
|
| #include "crypto/scoped_nss_types.h"
|
| +#include "crypto/third_party/nss/chromium-nss.h"
|
|
|
| namespace {
|
|
|
| @@ -157,9 +159,11 @@ bool SignCertificate(
|
| return false;
|
|
|
| // Sign the ASN1 encoded cert and save it to |result|.
|
| - rv = SEC_DerSignData(arena, result, der.data, der.len, key, algo_id);
|
| - if (rv != SECSuccess)
|
| + rv = DerSignData(arena, result, &der, key, algo_id);
|
| + if (rv != SECSuccess) {
|
| + DLOG(ERROR) << "DerSignData: " << PORT_GetError();
|
| return false;
|
| + }
|
|
|
| // Save the signed result to the cert.
|
| cert->derCert = *result;
|
| @@ -167,6 +171,78 @@ bool SignCertificate(
|
| return true;
|
| }
|
|
|
| +bool CreateOriginBoundCertInternal(
|
| + SECKEYPublicKey* public_key,
|
| + SECKEYPrivateKey* private_key,
|
| + const std::string& origin,
|
| + uint32 serial_number,
|
| + base::TimeDelta valid_duration,
|
| + std::string* der_cert) {
|
| +
|
| + CERTCertificate* cert = CreateCertificate(public_key,
|
| + "CN=anonymous.invalid",
|
| + serial_number,
|
| + valid_duration);
|
| +
|
| + if (!cert)
|
| + return false;
|
| +
|
| + // Create opaque handle used to add extensions later.
|
| + void* cert_handle;
|
| + if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
|
| + LOG(ERROR) << "Unable to get opaque handle for adding extensions";
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + // Create SECItem for IA5String encoding.
|
| + SECItem origin_string_item = {
|
| + siAsciiString,
|
| + (unsigned char*)origin.data(),
|
| + origin.size()
|
| + };
|
| +
|
| + // IA5Encode and arena allocate SECItem
|
| + SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
|
| + cert->arena, NULL, &origin_string_item,
|
| + SEC_ASN1_GET(SEC_IA5StringTemplate));
|
| + if (asn1_origin_string == NULL) {
|
| + LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + // Add the extension to the opaque handle
|
| + if (CERT_AddExtension(cert_handle,
|
| + ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
|
| + asn1_origin_string,
|
| + PR_TRUE, PR_TRUE) != SECSuccess){
|
| + LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + // Copy extension into x509 cert
|
| + if (CERT_FinishExtensions(cert_handle) != SECSuccess){
|
| + LOG(ERROR) << "Unable to copy extension to X509 cert";
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + if (!SignCertificate(cert, private_key)) {
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + DCHECK(cert->derCert.len);
|
| + // XXX copied from X509Certificate::GetDEREncoded
|
| + der_cert->clear();
|
| + der_cert->append(reinterpret_cast<char*>(cert->derCert.data),
|
| + cert->derCert.len);
|
| + CERT_DestroyCertificate(cert);
|
| + return true;
|
| +}
|
| +
|
| } // namespace
|
|
|
| namespace net {
|
| @@ -194,7 +270,7 @@ CERTCertificate* CreateSelfSignedCert(
|
| return cert;
|
| }
|
|
|
| -bool CreateOriginBoundCert(
|
| +bool CreateOriginBoundCertRSA(
|
| crypto::RSAPrivateKey* key,
|
| const std::string& origin,
|
| uint32 serial_number,
|
| @@ -249,68 +325,27 @@ bool CreateOriginBoundCert(
|
| }
|
| #endif
|
|
|
| - CERTCertificate* cert = CreateCertificate(public_key,
|
| - "CN=anonymous.invalid",
|
| - serial_number,
|
| - valid_duration);
|
| -
|
| - if (!cert)
|
| - return false;
|
| -
|
| - // Create opaque handle used to add extensions later.
|
| - void* cert_handle;
|
| - if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
|
| - LOG(ERROR) << "Unable to get opaque handle for adding extensions";
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| -
|
| - // Create SECItem for IA5String encoding.
|
| - SECItem origin_string_item = {
|
| - siAsciiString,
|
| - (unsigned char*)origin.data(),
|
| - origin.size()
|
| - };
|
| -
|
| - // IA5Encode and arena allocate SECItem
|
| - SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
|
| - cert->arena, NULL, &origin_string_item,
|
| - SEC_ASN1_GET(SEC_IA5StringTemplate));
|
| - if (asn1_origin_string == NULL) {
|
| - LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| -
|
| - // Add the extension to the opaque handle
|
| - if (CERT_AddExtension(cert_handle,
|
| - ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
|
| - asn1_origin_string,
|
| - PR_TRUE, PR_TRUE) != SECSuccess){
|
| - LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| -
|
| - // Copy extension into x509 cert
|
| - if (CERT_FinishExtensions(cert_handle) != SECSuccess){
|
| - LOG(ERROR) << "Unable to copy extension to X509 cert";
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| -
|
| - if (!SignCertificate(cert, private_key)) {
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| + return CreateOriginBoundCertInternal(public_key,
|
| + private_key,
|
| + origin,
|
| + serial_number,
|
| + valid_duration,
|
| + der_cert);
|
| +}
|
|
|
| - DCHECK(cert->derCert.len);
|
| - // XXX copied from X509Certificate::GetDEREncoded
|
| - der_cert->clear();
|
| - der_cert->append(reinterpret_cast<char*>(cert->derCert.data),
|
| - cert->derCert.len);
|
| - CERT_DestroyCertificate(cert);
|
| - return true;
|
| +bool CreateOriginBoundCertEC(
|
| + crypto::ECPrivateKey* key,
|
| + const std::string& origin,
|
| + uint32 serial_number,
|
| + base::TimeDelta valid_duration,
|
| + std::string* der_cert) {
|
| + DCHECK(key);
|
| + return CreateOriginBoundCertInternal(key->public_key(),
|
| + key->key(),
|
| + origin,
|
| + serial_number,
|
| + valid_duration,
|
| + der_cert);
|
| }
|
|
|
| } // namespace x509_util
|
|
|
Chromium Code Reviews
Issue 8537025:
Allow signing EC certs and creating EC origin-bound certs. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src