| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_util.h" | 5 #include "net/base/x509_util.h" |
| 6 #include "net/base/x509_util_nss.h" | 6 #include "net/base/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <cryptohi.h> | 9 #include <cryptohi.h> |
| 10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 71 | 71 |
| 72 // Creates a Certificate object that may be passed to the SignCertificate | 72 // Creates a Certificate object that may be passed to the SignCertificate |
| 73 // method to generate an X509 certificate. | 73 // method to generate an X509 certificate. |
| 74 // Returns NULL if an error is encountered in the certificate creation | 74 // Returns NULL if an error is encountered in the certificate creation |
| 75 // process. | 75 // process. |
| 76 // Caller responsible for freeing returned certificate object. | 76 // Caller responsible for freeing returned certificate object. |
| 77 CERTCertificate* CreateCertificate( | 77 CERTCertificate* CreateCertificate( |
| 78 SECKEYPublicKey* public_key, | 78 SECKEYPublicKey* public_key, |
| 79 const std::string& subject, | 79 const std::string& subject, |
| 80 uint32 serial_number, | 80 uint32 serial_number, |
| 81 base::TimeDelta valid_duration) { | 81 base::Time not_valid_before, |
| 82 base::Time not_valid_after) { |
| 82 // Create info about public key. | 83 // Create info about public key. |
| 83 CERTSubjectPublicKeyInfo* spki = | 84 CERTSubjectPublicKeyInfo* spki = |
| 84 SECKEY_CreateSubjectPublicKeyInfo(public_key); | 85 SECKEY_CreateSubjectPublicKeyInfo(public_key); |
| 85 if (!spki) | 86 if (!spki) |
| 86 return NULL; | 87 return NULL; |
| 87 | 88 |
| 88 // Create the certificate request. | 89 // Create the certificate request. |
| 89 CERTName* subject_name = | 90 CERTName* subject_name = |
| 90 CERT_AsciiToName(const_cast<char*>(subject.c_str())); | 91 CERT_AsciiToName(const_cast<char*>(subject.c_str())); |
| 91 CERTCertificateRequest* cert_request = | 92 CERTCertificateRequest* cert_request = |
| 92 CERT_CreateCertificateRequest(subject_name, spki, NULL); | 93 CERT_CreateCertificateRequest(subject_name, spki, NULL); |
| 93 SECKEY_DestroySubjectPublicKeyInfo(spki); | 94 SECKEY_DestroySubjectPublicKeyInfo(spki); |
| 94 | 95 |
| 95 if (!cert_request) { | 96 if (!cert_request) { |
| 96 PRErrorCode prerr = PR_GetError(); | 97 PRErrorCode prerr = PR_GetError(); |
| 97 LOG(ERROR) << "Failed to create certificate request: " << prerr; | 98 LOG(ERROR) << "Failed to create certificate request: " << prerr; |
| 98 CERT_DestroyName(subject_name); | 99 CERT_DestroyName(subject_name); |
| 99 return NULL; | 100 return NULL; |
| 100 } | 101 } |
| 101 | 102 |
| 102 PRTime now = PR_Now(); | 103 CERTValidity* validity = CERT_CreateValidity( |
| 103 PRTime not_after = now + valid_duration.InMicroseconds(); | 104 crypto::BaseTimeToPRTime(not_valid_before), |
| 104 | 105 crypto::BaseTimeToPRTime(not_valid_after)); |
| 105 // Note that the time is now in micro-second unit. | |
| 106 CERTValidity* validity = CERT_CreateValidity(now, not_after); | |
| 107 CERTCertificate* cert = CERT_CreateCertificate(serial_number, subject_name, | 106 CERTCertificate* cert = CERT_CreateCertificate(serial_number, subject_name, |
| 108 validity, cert_request); | 107 validity, cert_request); |
| 109 if (!cert) { | 108 if (!cert) { |
| 110 PRErrorCode prerr = PR_GetError(); | 109 PRErrorCode prerr = PR_GetError(); |
| 111 LOG(ERROR) << "Failed to create certificate: " << prerr; | 110 LOG(ERROR) << "Failed to create certificate: " << prerr; |
| 112 } | 111 } |
| 113 | 112 |
| 114 // Cleanup for resources used to generate the cert. | 113 // Cleanup for resources used to generate the cert. |
| 115 CERT_DestroyName(subject_name); | 114 CERT_DestroyName(subject_name); |
| 116 CERT_DestroyValidity(validity); | 115 CERT_DestroyValidity(validity); |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 169 cert->derCert = *result; | 168 cert->derCert = *result; |
| 170 | 169 |
| 171 return true; | 170 return true; |
| 172 } | 171 } |
| 173 | 172 |
| 174 bool CreateOriginBoundCertInternal( | 173 bool CreateOriginBoundCertInternal( |
| 175 SECKEYPublicKey* public_key, | 174 SECKEYPublicKey* public_key, |
| 176 SECKEYPrivateKey* private_key, | 175 SECKEYPrivateKey* private_key, |
| 177 const std::string& origin, | 176 const std::string& origin, |
| 178 uint32 serial_number, | 177 uint32 serial_number, |
| 179 base::TimeDelta valid_duration, | 178 base::Time not_valid_before, |
| 179 base::Time not_valid_after, |
| 180 std::string* der_cert) { | 180 std::string* der_cert) { |
| 181 | 181 |
| 182 CERTCertificate* cert = CreateCertificate(public_key, | 182 CERTCertificate* cert = CreateCertificate(public_key, |
| 183 "CN=anonymous.invalid", | 183 "CN=anonymous.invalid", |
| 184 serial_number, | 184 serial_number, |
| 185 valid_duration); | 185 not_valid_before, |
| 186 not_valid_after); |
| 186 | 187 |
| 187 if (!cert) | 188 if (!cert) |
| 188 return false; | 189 return false; |
| 189 | 190 |
| 190 // Create opaque handle used to add extensions later. | 191 // Create opaque handle used to add extensions later. |
| 191 void* cert_handle; | 192 void* cert_handle; |
| 192 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { | 193 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { |
| 193 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; | 194 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; |
| 194 CERT_DestroyCertificate(cert); | 195 CERT_DestroyCertificate(cert); |
| 195 return false; | 196 return false; |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 247 | 248 |
| 248 namespace net { | 249 namespace net { |
| 249 | 250 |
| 250 namespace x509_util { | 251 namespace x509_util { |
| 251 | 252 |
| 252 CERTCertificate* CreateSelfSignedCert( | 253 CERTCertificate* CreateSelfSignedCert( |
| 253 SECKEYPublicKey* public_key, | 254 SECKEYPublicKey* public_key, |
| 254 SECKEYPrivateKey* private_key, | 255 SECKEYPrivateKey* private_key, |
| 255 const std::string& subject, | 256 const std::string& subject, |
| 256 uint32 serial_number, | 257 uint32 serial_number, |
| 257 base::TimeDelta valid_duration) { | 258 base::Time not_valid_before, |
| 259 base::Time not_valid_after) { |
| 258 CERTCertificate* cert = CreateCertificate(public_key, | 260 CERTCertificate* cert = CreateCertificate(public_key, |
| 259 subject, | 261 subject, |
| 260 serial_number, | 262 serial_number, |
| 261 valid_duration); | 263 not_valid_before, |
| 264 not_valid_after); |
| 262 if (!cert) | 265 if (!cert) |
| 263 return NULL; | 266 return NULL; |
| 264 | 267 |
| 265 if (!SignCertificate(cert, private_key)) { | 268 if (!SignCertificate(cert, private_key)) { |
| 266 CERT_DestroyCertificate(cert); | 269 CERT_DestroyCertificate(cert); |
| 267 return NULL; | 270 return NULL; |
| 268 } | 271 } |
| 269 | 272 |
| 270 return cert; | 273 return cert; |
| 271 } | 274 } |
| 272 | 275 |
| 273 bool CreateOriginBoundCertRSA( | 276 bool CreateOriginBoundCertRSA( |
| 274 crypto::RSAPrivateKey* key, | 277 crypto::RSAPrivateKey* key, |
| 275 const std::string& origin, | 278 const std::string& origin, |
| 276 uint32 serial_number, | 279 uint32 serial_number, |
| 277 base::TimeDelta valid_duration, | 280 base::Time not_valid_before, |
| 281 base::Time not_valid_after, |
| 278 std::string* der_cert) { | 282 std::string* der_cert) { |
| 279 DCHECK(key); | 283 DCHECK(key); |
| 280 | 284 |
| 281 SECKEYPublicKey* public_key; | 285 SECKEYPublicKey* public_key; |
| 282 SECKEYPrivateKey* private_key; | 286 SECKEYPrivateKey* private_key; |
| 283 #if defined(USE_NSS) | 287 #if defined(USE_NSS) |
| 284 public_key = key->public_key(); | 288 public_key = key->public_key(); |
| 285 private_key = key->key(); | 289 private_key = key->key(); |
| 286 #else | 290 #else |
| 287 crypto::ScopedSECKEYPublicKey scoped_public_key; | 291 crypto::ScopedSECKEYPublicKey scoped_public_key; |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 322 return NULL; | 326 return NULL; |
| 323 } | 327 } |
| 324 scoped_public_key.reset(public_key); | 328 scoped_public_key.reset(public_key); |
| 325 } | 329 } |
| 326 #endif | 330 #endif |
| 327 | 331 |
| 328 return CreateOriginBoundCertInternal(public_key, | 332 return CreateOriginBoundCertInternal(public_key, |
| 329 private_key, | 333 private_key, |
| 330 origin, | 334 origin, |
| 331 serial_number, | 335 serial_number, |
| 332 valid_duration, | 336 not_valid_before, |
| 337 not_valid_after, |
| 333 der_cert); | 338 der_cert); |
| 334 } | 339 } |
| 335 | 340 |
| 336 bool CreateOriginBoundCertEC( | 341 bool CreateOriginBoundCertEC( |
| 337 crypto::ECPrivateKey* key, | 342 crypto::ECPrivateKey* key, |
| 338 const std::string& origin, | 343 const std::string& origin, |
| 339 uint32 serial_number, | 344 uint32 serial_number, |
| 340 base::TimeDelta valid_duration, | 345 base::Time not_valid_before, |
| 346 base::Time not_valid_after, |
| 341 std::string* der_cert) { | 347 std::string* der_cert) { |
| 342 DCHECK(key); | 348 DCHECK(key); |
| 343 return CreateOriginBoundCertInternal(key->public_key(), | 349 return CreateOriginBoundCertInternal(key->public_key(), |
| 344 key->key(), | 350 key->key(), |
| 345 origin, | 351 origin, |
| 346 serial_number, | 352 serial_number, |
| 347 valid_duration, | 353 not_valid_before, |
| 354 not_valid_after, |
| 348 der_cert); | 355 der_cert); |
| 349 } | 356 } |
| 350 | 357 |
| 351 } // namespace x509_util | 358 } // namespace x509_util |
| 352 | 359 |
| 353 } // namespace net | 360 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8890073:
Handle Origin Bound Certificate expiration. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src