| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_util.h" | 5 #include "net/base/x509_util.h" |
| 6 #include "net/base/x509_util_nss.h" | 6 #include "net/base/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <secoid.h> | 9 #include <secoid.h> |
| 10 | 10 |
| 11 #include "base/memory/scoped_ptr.h" | 11 #include "base/memory/scoped_ptr.h" |
| 12 #include "base/memory/ref_counted.h" | 12 #include "base/memory/ref_counted.h" |
| 13 #include "crypto/ec_private_key.h" | |
| 14 #include "crypto/rsa_private_key.h" | 13 #include "crypto/rsa_private_key.h" |
| 15 #include "crypto/scoped_nss_types.h" | |
| 16 #include "crypto/signature_verifier.h" | |
| 17 #include "net/base/x509_certificate.h" | 14 #include "net/base/x509_certificate.h" |
| 18 #include "testing/gtest/include/gtest/gtest.h" | 15 #include "testing/gtest/include/gtest/gtest.h" |
| 19 | 16 |
| 20 namespace net { | |
| 21 | |
| 22 namespace { | 17 namespace { |
| 23 | 18 |
| 24 CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) { | 19 CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) { |
| 25 SECItem der_cert; | 20 SECItem der_cert; |
| 26 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data)); | 21 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data)); |
| 27 der_cert.len = length; | 22 der_cert.len = length; |
| 28 der_cert.type = siDERCertBuffer; | 23 der_cert.type = siDERCertBuffer; |
| 29 | 24 |
| 30 // Parse into a certificate structure. | 25 // Parse into a certificate structure. |
| 31 return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL, | 26 return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL, |
| 32 PR_FALSE, PR_TRUE); | 27 PR_FALSE, PR_TRUE); |
| 33 } | 28 } |
| 34 | 29 |
| 35 void VerifyCertificateSignature(const std::string& der_cert, | 30 } // namespace |
| 36 const std::vector<uint8>& der_spki) { | |
| 37 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); | |
| 38 | 31 |
| 39 CERTSignedData sd; | 32 namespace net { |
| 40 memset(&sd, 0, sizeof(sd)); | |
| 41 | 33 |
| 42 SECItem der_cert_item = { | 34 // This test creates an origin-bound cert from a private key and |
| 43 siDERCertBuffer, | 35 // then verifies the content of the certificate. |
| 44 reinterpret_cast<unsigned char*>(const_cast<char*>(der_cert.data())), | 36 TEST(X509UtilNSSTest, CreateOriginBoundCert) { |
| 45 der_cert.size() | |
| 46 }; | |
| 47 SECStatus rv = SEC_ASN1DecodeItem(arena.get(), &sd, | |
| 48 SEC_ASN1_GET(CERT_SignedDataTemplate), | |
| 49 &der_cert_item); | |
| 50 ASSERT_EQ(SECSuccess, rv); | |
| 51 | |
| 52 // The CERTSignedData.signatureAlgorithm is decoded, but SignatureVerifier | |
| 53 // wants the DER encoded form, so re-encode it again. | |
| 54 SECItem* signature_algorithm = SEC_ASN1EncodeItem( | |
| 55 arena.get(), | |
| 56 NULL, | |
| 57 &sd.signatureAlgorithm, | |
| 58 SEC_ASN1_GET(SECOID_AlgorithmIDTemplate)); | |
| 59 ASSERT_TRUE(signature_algorithm); | |
| 60 | |
| 61 crypto::SignatureVerifier verifier; | |
| 62 bool ok = verifier.VerifyInit( | |
| 63 signature_algorithm->data, | |
| 64 signature_algorithm->len, | |
| 65 sd.signature.data, | |
| 66 sd.signature.len / 8, // Signature is a BIT STRING, convert to bytes. | |
| 67 &der_spki[0], | |
| 68 der_spki.size()); | |
| 69 | |
| 70 ASSERT_TRUE(ok); | |
| 71 verifier.VerifyUpdate(sd.data.data, | |
| 72 sd.data.len); | |
| 73 | |
| 74 ok = verifier.VerifyFinal(); | |
| 75 EXPECT_TRUE(ok); | |
| 76 } | |
| 77 | |
| 78 void VerifyOriginBoundCert(const std::string& origin, | |
| 79 const std::string& der_cert) { | |
| 80 // Origin Bound Cert OID. | 37 // Origin Bound Cert OID. |
| 81 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; | 38 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; |
| 82 | 39 |
| 40 // Create a sample ASCII weborigin. |
| 41 std::string origin = "http://weborigin.com:443"; |
| 42 |
| 83 // Create object neccessary for extension lookup call. | 43 // Create object neccessary for extension lookup call. |
| 84 SECItem extension_object = { | 44 SECItem extension_object = { |
| 85 siAsciiString, | 45 siAsciiString, |
| 86 (unsigned char*)origin.data(), | 46 (unsigned char*)origin.data(), |
| 87 origin.size() | 47 origin.size() |
| 88 }; | 48 }; |
| 89 | 49 |
| 50 scoped_ptr<crypto::RSAPrivateKey> private_key( |
| 51 crypto::RSAPrivateKey::Create(1024)); |
| 52 std::string der_cert; |
| 53 ASSERT_TRUE(x509_util::CreateOriginBoundCert(private_key.get(), |
| 54 origin, 1, |
| 55 base::TimeDelta::FromDays(1), |
| 56 &der_cert)); |
| 57 |
| 90 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBytes( | 58 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBytes( |
| 91 der_cert.data(), der_cert.size()); | 59 der_cert.data(), der_cert.size()); |
| 92 | 60 |
| 93 ASSERT_TRUE(cert); | |
| 94 | |
| 95 EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName()); | 61 EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName()); |
| 96 EXPECT_FALSE(cert->HasExpired()); | 62 EXPECT_FALSE(cert->HasExpired()); |
| 97 | 63 |
| 98 // IA5Encode and arena allocate SECItem. | 64 // IA5Encode and arena allocate SECItem. |
| 99 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 65 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 100 SECItem* expected = SEC_ASN1EncodeItem(arena, | 66 SECItem* expected = SEC_ASN1EncodeItem(arena, |
| 101 NULL, | 67 NULL, |
| 102 &extension_object, | 68 &extension_object, |
| 103 SEC_ASN1_GET(SEC_IA5StringTemplate)); | 69 SEC_ASN1_GET(SEC_IA5StringTemplate)); |
| 104 | 70 |
| (...skipping 25 matching lines...) Expand all Loading... |
| 130 | 96 |
| 131 // Compare expected and actual extension values. | 97 // Compare expected and actual extension values. |
| 132 PRBool result = SECITEM_ItemsAreEqual(expected, &actual); | 98 PRBool result = SECITEM_ItemsAreEqual(expected, &actual); |
| 133 ASSERT_TRUE(result); | 99 ASSERT_TRUE(result); |
| 134 | 100 |
| 135 // Do Cleanup. | 101 // Do Cleanup. |
| 136 SECITEM_FreeItem(&actual, PR_FALSE); | 102 SECITEM_FreeItem(&actual, PR_FALSE); |
| 137 PORT_FreeArena(arena, PR_FALSE); | 103 PORT_FreeArena(arena, PR_FALSE); |
| 138 } | 104 } |
| 139 | 105 |
| 140 } // namespace | |
| 141 | |
| 142 // This test creates an origin-bound cert from a RSA private key and | |
| 143 // then verifies the content of the certificate. | |
| 144 TEST(X509UtilNSSTest, CreateOriginBoundCertRSA) { | |
| 145 // Create a sample ASCII weborigin. | |
| 146 std::string origin = "http://weborigin.com:443"; | |
| 147 | |
| 148 scoped_ptr<crypto::RSAPrivateKey> private_key( | |
| 149 crypto::RSAPrivateKey::Create(1024)); | |
| 150 std::string der_cert; | |
| 151 ASSERT_TRUE(x509_util::CreateOriginBoundCertRSA(private_key.get(), | |
| 152 origin, 1, | |
| 153 base::TimeDelta::FromDays(1), | |
| 154 &der_cert)); | |
| 155 | |
| 156 VerifyOriginBoundCert(origin, der_cert); | |
| 157 | |
| 158 std::vector<uint8> spki; | |
| 159 ASSERT_TRUE(private_key->ExportPublicKey(&spki)); | |
| 160 VerifyCertificateSignature(der_cert, spki); | |
| 161 } | |
| 162 | |
| 163 // This test creates an origin-bound cert from an EC private key and | |
| 164 // then verifies the content of the certificate. | |
| 165 TEST(X509UtilNSSTest, CreateOriginBoundCertEC) { | |
| 166 // Create a sample ASCII weborigin. | |
| 167 std::string origin = "http://weborigin.com:443"; | |
| 168 | |
| 169 scoped_ptr<crypto::ECPrivateKey> private_key( | |
| 170 crypto::ECPrivateKey::Create()); | |
| 171 std::string der_cert; | |
| 172 ASSERT_TRUE(x509_util::CreateOriginBoundCertEC(private_key.get(), | |
| 173 origin, 1, | |
| 174 base::TimeDelta::FromDays(1), | |
| 175 &der_cert)); | |
| 176 | |
| 177 VerifyOriginBoundCert(origin, der_cert); | |
| 178 | |
| 179 #if !defined(OS_WIN) && !defined(OS_MACOSX) | |
| 180 // signature_verifier_win and signature_verifier_mac can't handle EC certs. | |
| 181 std::vector<uint8> spki; | |
| 182 ASSERT_TRUE(private_key->ExportPublicKey(&spki)); | |
| 183 VerifyCertificateSignature(der_cert, spki); | |
| 184 #endif | |
| 185 } | |
| 186 | |
| 187 } // namespace net | 106 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8587018:
Revert "Allow signing EC certs and creating EC origin-bound certs." (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src