| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_util.h" | 5 #include "net/base/x509_util.h" |
| 6 #include "net/base/x509_util_nss.h" | 6 #include "net/base/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <cryptohi.h> | 9 #include <cryptohi.h> |
| 10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 71 | 71 |
| 72 // Creates a Certificate object that may be passed to the SignCertificate | 72 // Creates a Certificate object that may be passed to the SignCertificate |
| 73 // method to generate an X509 certificate. | 73 // method to generate an X509 certificate. |
| 74 // Returns NULL if an error is encountered in the certificate creation | 74 // Returns NULL if an error is encountered in the certificate creation |
| 75 // process. | 75 // process. |
| 76 // Caller responsible for freeing returned certificate object. | 76 // Caller responsible for freeing returned certificate object. |
| 77 CERTCertificate* CreateCertificate( | 77 CERTCertificate* CreateCertificate( |
| 78 SECKEYPublicKey* public_key, | 78 SECKEYPublicKey* public_key, |
| 79 const std::string& subject, | 79 const std::string& subject, |
| 80 uint32 serial_number, | 80 uint32 serial_number, |
| 81 base::TimeDelta valid_duration) { | 81 base::Time not_valid_after) { |
| 82 // Create info about public key. | 82 // Create info about public key. |
| 83 CERTSubjectPublicKeyInfo* spki = | 83 CERTSubjectPublicKeyInfo* spki = |
| 84 SECKEY_CreateSubjectPublicKeyInfo(public_key); | 84 SECKEY_CreateSubjectPublicKeyInfo(public_key); |
| 85 if (!spki) | 85 if (!spki) |
| 86 return NULL; | 86 return NULL; |
| 87 | 87 |
| 88 // Create the certificate request. | 88 // Create the certificate request. |
| 89 CERTName* subject_name = | 89 CERTName* subject_name = |
| 90 CERT_AsciiToName(const_cast<char*>(subject.c_str())); | 90 CERT_AsciiToName(const_cast<char*>(subject.c_str())); |
| 91 CERTCertificateRequest* cert_request = | 91 CERTCertificateRequest* cert_request = |
| 92 CERT_CreateCertificateRequest(subject_name, spki, NULL); | 92 CERT_CreateCertificateRequest(subject_name, spki, NULL); |
| 93 SECKEY_DestroySubjectPublicKeyInfo(spki); | 93 SECKEY_DestroySubjectPublicKeyInfo(spki); |
| 94 | 94 |
| 95 if (!cert_request) { | 95 if (!cert_request) { |
| 96 PRErrorCode prerr = PR_GetError(); | 96 PRErrorCode prerr = PR_GetError(); |
| 97 LOG(ERROR) << "Failed to create certificate request: " << prerr; | 97 LOG(ERROR) << "Failed to create certificate request: " << prerr; |
| 98 CERT_DestroyName(subject_name); | 98 CERT_DestroyName(subject_name); |
| 99 return NULL; | 99 return NULL; |
| 100 } | 100 } |
| 101 | 101 |
| 102 PRTime now = PR_Now(); | 102 PRTime now = PR_Now(); |
| 103 PRTime not_after = now + valid_duration.InMicroseconds(); | |
| 104 | 103 |
| 105 // Note that the time is now in micro-second unit. | 104 CERTValidity* validity = CERT_CreateValidity( |
| 106 CERTValidity* validity = CERT_CreateValidity(now, not_after); | 105 now, crypto::BaseTimeToPRTime(not_valid_after)); |
| 107 CERTCertificate* cert = CERT_CreateCertificate(serial_number, subject_name, | 106 CERTCertificate* cert = CERT_CreateCertificate(serial_number, subject_name, |
| 108 validity, cert_request); | 107 validity, cert_request); |
| 109 if (!cert) { | 108 if (!cert) { |
| 110 PRErrorCode prerr = PR_GetError(); | 109 PRErrorCode prerr = PR_GetError(); |
| 111 LOG(ERROR) << "Failed to create certificate: " << prerr; | 110 LOG(ERROR) << "Failed to create certificate: " << prerr; |
| 112 } | 111 } |
| 113 | 112 |
| 114 // Cleanup for resources used to generate the cert. | 113 // Cleanup for resources used to generate the cert. |
| 115 CERT_DestroyName(subject_name); | 114 CERT_DestroyName(subject_name); |
| 116 CERT_DestroyValidity(validity); | 115 CERT_DestroyValidity(validity); |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 169 cert->derCert = *result; | 168 cert->derCert = *result; |
| 170 | 169 |
| 171 return true; | 170 return true; |
| 172 } | 171 } |
| 173 | 172 |
| 174 bool CreateOriginBoundCertInternal( | 173 bool CreateOriginBoundCertInternal( |
| 175 SECKEYPublicKey* public_key, | 174 SECKEYPublicKey* public_key, |
| 176 SECKEYPrivateKey* private_key, | 175 SECKEYPrivateKey* private_key, |
| 177 const std::string& origin, | 176 const std::string& origin, |
| 178 uint32 serial_number, | 177 uint32 serial_number, |
| 179 base::TimeDelta valid_duration, | 178 base::Time not_valid_after, |
| 180 std::string* der_cert) { | 179 std::string* der_cert) { |
| 181 | 180 |
| 182 CERTCertificate* cert = CreateCertificate(public_key, | 181 CERTCertificate* cert = CreateCertificate(public_key, |
| 183 "CN=anonymous.invalid", | 182 "CN=anonymous.invalid", |
| 184 serial_number, | 183 serial_number, |
| 185 valid_duration); | 184 not_valid_after); |
| 186 | 185 |
| 187 if (!cert) | 186 if (!cert) |
| 188 return false; | 187 return false; |
| 189 | 188 |
| 190 // Create opaque handle used to add extensions later. | 189 // Create opaque handle used to add extensions later. |
| 191 void* cert_handle; | 190 void* cert_handle; |
| 192 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { | 191 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { |
| 193 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; | 192 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; |
| 194 CERT_DestroyCertificate(cert); | 193 CERT_DestroyCertificate(cert); |
| 195 return false; | 194 return false; |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 247 | 246 |
| 248 namespace net { | 247 namespace net { |
| 249 | 248 |
| 250 namespace x509_util { | 249 namespace x509_util { |
| 251 | 250 |
| 252 CERTCertificate* CreateSelfSignedCert( | 251 CERTCertificate* CreateSelfSignedCert( |
| 253 SECKEYPublicKey* public_key, | 252 SECKEYPublicKey* public_key, |
| 254 SECKEYPrivateKey* private_key, | 253 SECKEYPrivateKey* private_key, |
| 255 const std::string& subject, | 254 const std::string& subject, |
| 256 uint32 serial_number, | 255 uint32 serial_number, |
| 257 base::TimeDelta valid_duration) { | 256 base::Time not_valid_after) { |
| 258 CERTCertificate* cert = CreateCertificate(public_key, | 257 CERTCertificate* cert = CreateCertificate(public_key, |
| 259 subject, | 258 subject, |
| 260 serial_number, | 259 serial_number, |
| 261 valid_duration); | 260 not_valid_after); |
| 262 if (!cert) | 261 if (!cert) |
| 263 return NULL; | 262 return NULL; |
| 264 | 263 |
| 265 if (!SignCertificate(cert, private_key)) { | 264 if (!SignCertificate(cert, private_key)) { |
| 266 CERT_DestroyCertificate(cert); | 265 CERT_DestroyCertificate(cert); |
| 267 return NULL; | 266 return NULL; |
| 268 } | 267 } |
| 269 | 268 |
| 270 return cert; | 269 return cert; |
| 271 } | 270 } |
| 272 | 271 |
| 273 bool CreateOriginBoundCertRSA( | 272 bool CreateOriginBoundCertRSA( |
| 274 crypto::RSAPrivateKey* key, | 273 crypto::RSAPrivateKey* key, |
| 275 const std::string& origin, | 274 const std::string& origin, |
| 276 uint32 serial_number, | 275 uint32 serial_number, |
| 277 base::TimeDelta valid_duration, | 276 base::Time not_valid_after, |
| 278 std::string* der_cert) { | 277 std::string* der_cert) { |
| 279 DCHECK(key); | 278 DCHECK(key); |
| 280 | 279 |
| 281 SECKEYPublicKey* public_key; | 280 SECKEYPublicKey* public_key; |
| 282 SECKEYPrivateKey* private_key; | 281 SECKEYPrivateKey* private_key; |
| 283 #if defined(USE_NSS) | 282 #if defined(USE_NSS) |
| 284 public_key = key->public_key(); | 283 public_key = key->public_key(); |
| 285 private_key = key->key(); | 284 private_key = key->key(); |
| 286 #else | 285 #else |
| 287 crypto::ScopedSECKEYPublicKey scoped_public_key; | 286 crypto::ScopedSECKEYPublicKey scoped_public_key; |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 322 return NULL; | 321 return NULL; |
| 323 } | 322 } |
| 324 scoped_public_key.reset(public_key); | 323 scoped_public_key.reset(public_key); |
| 325 } | 324 } |
| 326 #endif | 325 #endif |
| 327 | 326 |
| 328 return CreateOriginBoundCertInternal(public_key, | 327 return CreateOriginBoundCertInternal(public_key, |
| 329 private_key, | 328 private_key, |
| 330 origin, | 329 origin, |
| 331 serial_number, | 330 serial_number, |
| 332 valid_duration, | 331 not_valid_after, |
| 333 der_cert); | 332 der_cert); |
| 334 } | 333 } |
| 335 | 334 |
| 336 bool CreateOriginBoundCertEC( | 335 bool CreateOriginBoundCertEC( |
| 337 crypto::ECPrivateKey* key, | 336 crypto::ECPrivateKey* key, |
| 338 const std::string& origin, | 337 const std::string& origin, |
| 339 uint32 serial_number, | 338 uint32 serial_number, |
| 340 base::TimeDelta valid_duration, | 339 base::Time not_valid_after, |
| 341 std::string* der_cert) { | 340 std::string* der_cert) { |
| 342 DCHECK(key); | 341 DCHECK(key); |
| 343 return CreateOriginBoundCertInternal(key->public_key(), | 342 return CreateOriginBoundCertInternal(key->public_key(), |
| 344 key->key(), | 343 key->key(), |
| 345 origin, | 344 origin, |
| 346 serial_number, | 345 serial_number, |
| 347 valid_duration, | 346 not_valid_after, |
| 348 der_cert); | 347 der_cert); |
| 349 } | 348 } |
| 350 | 349 |
| 351 } // namespace x509_util | 350 } // namespace x509_util |
| 352 | 351 |
| 353 } // namespace net | 352 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8890073:
Handle Origin Bound Certificate expiration. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src