| Index: net/base/x509_util_nss.cc
|
| ===================================================================
|
| --- net/base/x509_util_nss.cc (revision 112390)
|
| +++ net/base/x509_util_nss.cc (working copy)
|
| @@ -16,12 +16,10 @@
|
| #include "base/logging.h"
|
| #include "base/memory/scoped_ptr.h"
|
| #include "base/memory/singleton.h"
|
| -#include "crypto/ec_private_key.h"
|
| #include "crypto/nss_util.h"
|
| #include "crypto/nss_util_internal.h"
|
| #include "crypto/rsa_private_key.h"
|
| #include "crypto/scoped_nss_types.h"
|
| -#include "crypto/third_party/nss/chromium-nss.h"
|
|
|
| namespace {
|
|
|
| @@ -159,11 +157,9 @@
|
| return false;
|
|
|
| // Sign the ASN1 encoded cert and save it to |result|.
|
| - rv = DerSignData(arena, result, &der, key, algo_id);
|
| - if (rv != SECSuccess) {
|
| - DLOG(ERROR) << "DerSignData: " << PORT_GetError();
|
| + rv = SEC_DerSignData(arena, result, der.data, der.len, key, algo_id);
|
| + if (rv != SECSuccess)
|
| return false;
|
| - }
|
|
|
| // Save the signed result to the cert.
|
| cert->derCert = *result;
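Review bot: The failure path of the new SEC_DerSignData call at the `if (rv != SECSuccess)` line now returns silently, whereas the line it replaces logged the NSS error code, so a signing failure (for example an algo_id the key cannot sign with, or arena exhaustion) surfaces only as a bare false from the caller. Keep the diagnostic by restoring the braces and adding `DLOG(ERROR) << "SEC_DerSignData: " << PORT_GetError();` before the `return false;`. The call also passes `der.len` (a SECItem `unsigned int`) where, if I read cryptohi.h correctly, SEC_DerSignData takes the length as `int`; an explicit `static_cast<int>(der.len)` would make that narrowing deliberate rather than implicit. The enclosing function starts and ends outside the hunk.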
|
| @@ -171,78 +167,6 @@
|
| return true;
|
| }
|
|
|
| -bool CreateOriginBoundCertInternal(
|
| - SECKEYPublicKey* public_key,
|
| - SECKEYPrivateKey* private_key,
|
| - const std::string& origin,
|
| - uint32 serial_number,
|
| - base::TimeDelta valid_duration,
|
| - std::string* der_cert) {
|
| -
|
| - CERTCertificate* cert = CreateCertificate(public_key,
|
| - "CN=anonymous.invalid",
|
| - serial_number,
|
| - valid_duration);
|
| -
|
| - if (!cert)
|
| - return false;
|
| -
|
| - // Create opaque handle used to add extensions later.
|
| - void* cert_handle;
|
| - if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
|
| - LOG(ERROR) << "Unable to get opaque handle for adding extensions";
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| -
|
| - // Create SECItem for IA5String encoding.
|
| - SECItem origin_string_item = {
|
| - siAsciiString,
|
| - (unsigned char*)origin.data(),
|
| - origin.size()
|
| - };
|
| -
|
| - // IA5Encode and arena allocate SECItem
|
| - SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
|
| - cert->arena, NULL, &origin_string_item,
|
| - SEC_ASN1_GET(SEC_IA5StringTemplate));
|
| - if (asn1_origin_string == NULL) {
|
| - LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| -
|
| - // Add the extension to the opaque handle
|
| - if (CERT_AddExtension(cert_handle,
|
| - ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
|
| - asn1_origin_string,
|
| - PR_TRUE, PR_TRUE) != SECSuccess){
|
| - LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| -
|
| - // Copy extension into x509 cert
|
| - if (CERT_FinishExtensions(cert_handle) != SECSuccess){
|
| - LOG(ERROR) << "Unable to copy extension to X509 cert";
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| -
|
| - if (!SignCertificate(cert, private_key)) {
|
| - CERT_DestroyCertificate(cert);
|
| - return false;
|
| - }
|
| -
|
| - DCHECK(cert->derCert.len);
|
| - // XXX copied from X509Certificate::GetDEREncoded
|
| - der_cert->clear();
|
| - der_cert->append(reinterpret_cast<char*>(cert->derCert.data),
|
| - cert->derCert.len);
|
| - CERT_DestroyCertificate(cert);
|
| - return true;
|
| -}
|
| -
|
| } // namespace
|
|
|
| namespace net {
|
| @@ -270,7 +194,7 @@
|
| return cert;
|
| }
|
|
|
| -bool CreateOriginBoundCertRSA(
|
| +bool CreateOriginBoundCert(
|
| crypto::RSAPrivateKey* key,
|
| const std::string& origin,
|
| uint32 serial_number,
|
| @@ -325,27 +249,68 @@
|
| }
|
| #endif
|
|
|
| - return CreateOriginBoundCertInternal(public_key,
|
| - private_key,
|
| - origin,
|
| - serial_number,
|
| - valid_duration,
|
| - der_cert);
|
| -}
|
| + CERTCertificate* cert = CreateCertificate(public_key,
|
| + "CN=anonymous.invalid",
|
| + serial_number,
|
| + valid_duration);
|
|
|
| -bool CreateOriginBoundCertEC(
|
| - crypto::ECPrivateKey* key,
|
| - const std::string& origin,
|
| - uint32 serial_number,
|
| - base::TimeDelta valid_duration,
|
| - std::string* der_cert) {
|
| - DCHECK(key);
|
| - return CreateOriginBoundCertInternal(key->public_key(),
|
| - key->key(),
|
| - origin,
|
| - serial_number,
|
| - valid_duration,
|
| - der_cert);
|
| + if (!cert)
|
| + return false;
|
| +
|
| + // Create opaque handle used to add extensions later.
|
| + void* cert_handle;
|
| + if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
|
| + LOG(ERROR) << "Unable to get opaque handle for adding extensions";
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + // Create SECItem for IA5String encoding.
|
| + SECItem origin_string_item = {
|
| + siAsciiString,
|
| + (unsigned char*)origin.data(),
|
| + origin.size()
|
| + };
|
| +
|
| + // IA5Encode and arena allocate SECItem
|
| + SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
|
| + cert->arena, NULL, &origin_string_item,
|
| + SEC_ASN1_GET(SEC_IA5StringTemplate));
|
| + if (asn1_origin_string == NULL) {
|
| + LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + // Add the extension to the opaque handle
|
| + if (CERT_AddExtension(cert_handle,
|
| + ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
|
| + asn1_origin_string,
|
| + PR_TRUE, PR_TRUE) != SECSuccess){
|
| + LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + // Copy extension into x509 cert
|
| + if (CERT_FinishExtensions(cert_handle) != SECSuccess){
|
| + LOG(ERROR) << "Unable to copy extension to X509 cert";
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + if (!SignCertificate(cert, private_key)) {
|
| + CERT_DestroyCertificate(cert);
|
| + return false;
|
| + }
|
| +
|
| + DCHECK(cert->derCert.len);
|
| + // XXX copied from X509Certificate::GetDEREncoded
|
| + der_cert->clear();
|
| + der_cert->append(reinterpret_cast<char*>(cert->derCert.data),
|
| + cert->derCert.len);
|
| + CERT_DestroyCertificate(cert);
|
| + return true;
|
| }
|
|
|
| } // namespace x509_util
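Review bot: The body inlined into CreateOriginBoundCert repeats `CERT_DestroyCertificate(cert)` on six exit paths, and any future early return added between `CreateCertificate` and the final destroy will leak the certificate; an RAII holder whose deleter calls CERT_DestroyCertificate (the file already includes crypto/scoped_nss_types.h for its Scoped* NSS owners) would collapse those to a single owner. The `void* cert_handle;` declaration is left uninitialized and assigned inside the condition; `void* cert_handle = CERT_StartCertExtensions(cert);` followed by `if (!cert_handle) {` reads more plainly and matches the `if (!cert)` check just above it. `(unsigned char*)origin.data()` is a C-style cast that silently drops const; the named casts would make the const removal visible. As far as I can tell nothing here verifies that origin is 7-bit ASCII before it is encoded with SEC_IA5StringTemplate, so if any caller can pass a non-ASCII origin the resulting extension would be malformed; a check or DCHECK before SEC_ASN1EncodeItem would pin that assumption. CreateOriginBoundCert's signature and the setup of public_key/private_key are outside this hunk.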
|
|
|