Side by Side Diff: net/cert/x509_util_nss.cc

Issue 1076063002: Remove certificates from Channel ID (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix some small style/formatting issues Created 5 years, 8 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/x509_util.h" 5 #include "net/cert/x509_util.h"
6 #include "net/cert/x509_util_nss.h" 6 #include "net/cert/x509_util_nss.h"
7 7
8 #include <cert.h> // Must be included before certdb.h 8 #include <cert.h> // Must be included before certdb.h
9 #include <certdb.h> 9 #include <certdb.h>
10 #include <cryptohi.h> 10 #include <cryptohi.h>
(...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after
69 memset(&oid_data, 0, sizeof(oid_data)); 69 memset(&oid_data, 0, sizeof(oid_data));
70 oid_data.oid.data = const_cast<uint8*>(kObCertOID); 70 oid_data.oid.data = const_cast<uint8*>(kObCertOID);
71 oid_data.oid.len = sizeof(kObCertOID); 71 oid_data.oid.len = sizeof(kObCertOID);
72 oid_data.offset = SEC_OID_UNKNOWN; 72 oid_data.offset = SEC_OID_UNKNOWN;
73 oid_data.desc = "Origin Bound Certificate"; 73 oid_data.desc = "Origin Bound Certificate";
74 oid_data.mechanism = CKM_INVALID_MECHANISM; 74 oid_data.mechanism = CKM_INVALID_MECHANISM;
75 oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION; 75 oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION;
76 domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data); 76 domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data);
77 if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN) 77 if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN)
78 LOG(ERROR) << "OB_CERT OID tag creation failed"; 78 LOG(ERROR) << "OB_CERT OID tag creation failed";
79 } 79 }
Ryan Sleevi 2015/04/15 22:50:02 This is all now dead code
nharper 2015/04/25 02:59:19 Done.
80 80
81 // Creates a Certificate object that may be passed to the SignCertificate 81 // Creates a Certificate object that may be passed to the SignCertificate
82 // method to generate an X509 certificate. 82 // method to generate an X509 certificate.
83 // Returns NULL if an error is encountered in the certificate creation 83 // Returns NULL if an error is encountered in the certificate creation
84 // process. 84 // process.
85 // Caller responsible for freeing returned certificate object. 85 // Caller responsible for freeing returned certificate object.
86 CERTCertificate* CreateCertificate( 86 CERTCertificate* CreateCertificate(
87 SECKEYPublicKey* public_key, 87 SECKEYPublicKey* public_key,
88 const std::string& subject, 88 const std::string& subject,
89 uint32 serial_number, 89 uint32 serial_number,
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after
252 252
253 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, 253 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
254 DigestAlgorithm alg, 254 DigestAlgorithm alg,
255 const std::string& subject, 255 const std::string& subject,
256 uint32 serial_number, 256 uint32 serial_number,
257 base::Time not_valid_before, 257 base::Time not_valid_before,
258 base::Time not_valid_after, 258 base::Time not_valid_after,
259 std::string* der_cert) { 259 std::string* der_cert) {
260 DCHECK(key); 260 DCHECK(key);
261 DCHECK(!strncmp(subject.c_str(), "CN=", 3U)); 261 DCHECK(!strncmp(subject.c_str(), "CN=", 3U));
262 CERTCertificate* cert = CreateCertificate(key->public_key(), 262 CERTCertificate* cert = CreateCertificate(key->public_key(),
Ryan Sleevi 2015/04/15 22:50:02 Should |CreateCertificate| be folded into this? Do
nharper 2015/04/25 02:59:19 I like keeping it the way it is. CreateCertificate
263 subject, 263 subject,
264 serial_number, 264 serial_number,
265 not_valid_before, 265 not_valid_before,
266 not_valid_after); 266 not_valid_after);
267 if (!cert) 267 if (!cert)
268 return false; 268 return false;
269 269
270 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { 270 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) {
271 CERT_DestroyCertificate(cert); 271 CERT_DestroyCertificate(cert);
272 return false; 272 return false;
(...skipping 11 matching lines...) Expand all
284 crypto::BaseTimeToPRTime(not_valid_before), 284 crypto::BaseTimeToPRTime(not_valid_before),
285 crypto::BaseTimeToPRTime(not_valid_after)); 285 crypto::BaseTimeToPRTime(not_valid_after));
286 286
287 if (!validity) 287 if (!validity)
288 return false; 288 return false;
289 289
290 CERT_DestroyValidity(validity); 290 CERT_DestroyValidity(validity);
291 return true; 291 return true;
292 } 292 }
293 293
294 bool CreateChannelIDEC(crypto::ECPrivateKey* key,
295 DigestAlgorithm alg,
296 const std::string& domain,
297 uint32 serial_number,
298 base::Time not_valid_before,
299 base::Time not_valid_after,
300 std::string* der_cert) {
301 DCHECK(key);
302
303 CERTCertificate* cert = CreateCertificate(key->public_key(),
304 "CN=anonymous.invalid",
305 serial_number,
306 not_valid_before,
307 not_valid_after);
308
309 if (!cert)
310 return false;
311
312 // Create opaque handle used to add extensions later.
313 void* cert_handle;
314 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
315 LOG(ERROR) << "Unable to get opaque handle for adding extensions";
316 CERT_DestroyCertificate(cert);
317 return false;
318 }
319
320 // Create SECItem for IA5String encoding.
321 SECItem domain_string_item = {
322 siAsciiString,
323 (unsigned char*)domain.data(),
324 static_cast<unsigned>(domain.size())
325 };
326
327 // IA5Encode and arena allocate SECItem
328 SECItem* asn1_domain_string = SEC_ASN1EncodeItem(
329 cert->arena, NULL, &domain_string_item,
330 SEC_ASN1_GET(SEC_IA5StringTemplate));
331 if (asn1_domain_string == NULL) {
332 LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert"
333 " extension";
334 CERT_DestroyCertificate(cert);
335 return false;
336 }
337
338 // Add the extension to the opaque handle
339 if (CERT_AddExtension(
340 cert_handle,
341 ChannelIDOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(),
342 asn1_domain_string,
343 PR_TRUE,
344 PR_TRUE) != SECSuccess){
345 LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle";
346 CERT_DestroyCertificate(cert);
347 return false;
348 }
349
350 // Copy extension into x509 cert
351 if (CERT_FinishExtensions(cert_handle) != SECSuccess){
352 LOG(ERROR) << "Unable to copy extension to X509 cert";
353 CERT_DestroyCertificate(cert);
354 return false;
355 }
356
357 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) {
358 CERT_DestroyCertificate(cert);
359 return false;
360 }
361
362 DCHECK(cert->derCert.len);
363 // XXX copied from X509Certificate::GetDEREncoded
364 der_cert->clear();
365 der_cert->append(reinterpret_cast<char*>(cert->derCert.data),
366 cert->derCert.len);
367 CERT_DestroyCertificate(cert);
368 return true;
369 }
370
371 #if defined(USE_NSS) || defined(OS_IOS) 294 #if defined(USE_NSS) || defined(OS_IOS)
372 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { 295 void ParsePrincipal(CERTName* name, CertPrincipal* principal) {
373 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. 296 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument.
374 #if NSS_VMINOR >= 15 297 #if NSS_VMINOR >= 15
375 typedef char* (*CERTGetNameFunc)(const CERTName* name); 298 typedef char* (*CERTGetNameFunc)(const CERTName* name);
376 #else 299 #else
377 typedef char* (*CERTGetNameFunc)(CERTName* name); 300 typedef char* (*CERTGetNameFunc)(CERTName* name);
378 #endif 301 #endif
379 302
380 // TODO(jcampan): add business_category and serial_number. 303 // TODO(jcampan): add business_category and serial_number.
(...skipping 248 matching lines...) Expand 10 before | Expand all | Expand 10 after
629 } 552 }
630 553
631 return new_name; 554 return new_name;
632 } 555 }
633 556
634 #endif // defined(USE_NSS) || defined(OS_IOS) 557 #endif // defined(USE_NSS) || defined(OS_IOS)
635 558
636 } // namespace x509_util 559 } // namespace x509_util
637 560
638 } // namespace net 561 } // namespace net