1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
6 #include "net/cert/x509_util_nss.h" | 6 #include "net/cert/x509_util_nss.h" |
7 | 7 |
8 #include <cert.h> // Must be included before certdb.h | 8 #include <cert.h> // Must be included before certdb.h |
9 #include <certdb.h> | 9 #include <certdb.h> |
10 #include <cryptohi.h> | 10 #include <cryptohi.h> |
69 memset(&oid_data, 0, sizeof(oid_data)); | 69 memset(&oid_data, 0, sizeof(oid_data)); |
70 oid_data.oid.data = const_cast<uint8*>(kObCertOID); | 70 oid_data.oid.data = const_cast<uint8*>(kObCertOID); |
71 oid_data.oid.len = sizeof(kObCertOID); | 71 oid_data.oid.len = sizeof(kObCertOID); |
72 oid_data.offset = SEC_OID_UNKNOWN; | 72 oid_data.offset = SEC_OID_UNKNOWN; |
73 oid_data.desc = "Origin Bound Certificate"; | 73 oid_data.desc = "Origin Bound Certificate"; |
74 oid_data.mechanism = CKM_INVALID_MECHANISM; | 74 oid_data.mechanism = CKM_INVALID_MECHANISM; |
75 oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION; | 75 oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION; |
76 domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data); | 76 domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data); |
77 if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN) | 77 if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN) |
78 LOG(ERROR) << "OB_CERT OID tag creation failed"; | 78 LOG(ERROR) << "OB_CERT OID tag creation failed"; |
79 } | 79 } |
Ryan Sleevi
2015/04/15 22:50:02
This is all now dead code
nharper
2015/04/25 02:59:19
Done.
80 | 80 |
81 // Creates a Certificate object that may be passed to the SignCertificate | 81 // Creates a Certificate object that may be passed to the SignCertificate |
82 // method to generate an X509 certificate. | 82 // method to generate an X509 certificate. |
83 // Returns NULL if an error is encountered in the certificate creation | 83 // Returns NULL if an error is encountered in the certificate creation |
84 // process. | 84 // process. |
85 // Caller responsible for freeing returned certificate object. | 85 // Caller responsible for freeing returned certificate object. |
86 CERTCertificate* CreateCertificate( | 86 CERTCertificate* CreateCertificate( |
87 SECKEYPublicKey* public_key, | 87 SECKEYPublicKey* public_key, |
88 const std::string& subject, | 88 const std::string& subject, |
89 uint32 serial_number, | 89 uint32 serial_number, |
252 | 252 |
253 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, | 253 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, |
254 DigestAlgorithm alg, | 254 DigestAlgorithm alg, |
255 const std::string& subject, | 255 const std::string& subject, |
256 uint32 serial_number, | 256 uint32 serial_number, |
257 base::Time not_valid_before, | 257 base::Time not_valid_before, |
258 base::Time not_valid_after, | 258 base::Time not_valid_after, |
259 std::string* der_cert) { | 259 std::string* der_cert) { |
260 DCHECK(key); | 260 DCHECK(key); |
261 DCHECK(!strncmp(subject.c_str(), "CN=", 3U)); | 261 DCHECK(!strncmp(subject.c_str(), "CN=", 3U)); |
262 CERTCertificate* cert = CreateCertificate(key->public_key(), | 262 CERTCertificate* cert = CreateCertificate(key->public_key(), |
Ryan Sleevi
2015/04/15 22:50:02
Should |CreateCertificate| be folded into this? Do
nharper
2015/04/25 02:59:19
I like keeping it the way it is. CreateCertificate
263 subject, | 263 subject, |
264 serial_number, | 264 serial_number, |
265 not_valid_before, | 265 not_valid_before, |
266 not_valid_after); | 266 not_valid_after); |
267 if (!cert) | 267 if (!cert) |
268 return false; | 268 return false; |
269 | 269 |
270 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { | 270 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { |
271 CERT_DestroyCertificate(cert); | 271 CERT_DestroyCertificate(cert); |
272 return false; | 272 return false; |
284 crypto::BaseTimeToPRTime(not_valid_before), | 284 crypto::BaseTimeToPRTime(not_valid_before), |
285 crypto::BaseTimeToPRTime(not_valid_after)); | 285 crypto::BaseTimeToPRTime(not_valid_after)); |
286 | 286 |
287 if (!validity) | 287 if (!validity) |
288 return false; | 288 return false; |
289 | 289 |
290 CERT_DestroyValidity(validity); | 290 CERT_DestroyValidity(validity); |
291 return true; | 291 return true; |
292 } | 292 } |
293 | 293 |
294 bool CreateChannelIDEC(crypto::ECPrivateKey* key, | |
295 DigestAlgorithm alg, | |
296 const std::string& domain, | |
297 uint32 serial_number, | |
298 base::Time not_valid_before, | |
299 base::Time not_valid_after, | |
300 std::string* der_cert) { | |
301 DCHECK(key); | |
302 | |
303 CERTCertificate* cert = CreateCertificate(key->public_key(), | |
304 "CN=anonymous.invalid", | |
305 serial_number, | |
306 not_valid_before, | |
307 not_valid_after); | |
308 | |
309 if (!cert) | |
310 return false; | |
311 | |
312 // Create opaque handle used to add extensions later. | |
313 void* cert_handle; | |
314 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { | |
315 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; | |
316 CERT_DestroyCertificate(cert); | |
317 return false; | |
318 } | |
319 | |
320 // Create SECItem for IA5String encoding. | |
321 SECItem domain_string_item = { | |
322 siAsciiString, | |
323 (unsigned char*)domain.data(), | |
324 static_cast<unsigned>(domain.size()) | |
325 }; | |
326 | |
327 // IA5Encode and arena allocate SECItem | |
328 SECItem* asn1_domain_string = SEC_ASN1EncodeItem( | |
329 cert->arena, NULL, &domain_string_item, | |
330 SEC_ASN1_GET(SEC_IA5StringTemplate)); | |
331 if (asn1_domain_string == NULL) { | |
332 LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert" | |
333 " extension"; | |
334 CERT_DestroyCertificate(cert); | |
335 return false; | |
336 } | |
337 | |
338 // Add the extension to the opaque handle | |
339 if (CERT_AddExtension( | |
340 cert_handle, | |
341 ChannelIDOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(), | |
342 asn1_domain_string, | |
343 PR_TRUE, | |
344 PR_TRUE) != SECSuccess){ | |
345 LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle"; | |
346 CERT_DestroyCertificate(cert); | |
347 return false; | |
348 } | |
349 | |
350 // Copy extension into x509 cert | |
351 if (CERT_FinishExtensions(cert_handle) != SECSuccess){ | |
352 LOG(ERROR) << "Unable to copy extension to X509 cert"; | |
353 CERT_DestroyCertificate(cert); | |
354 return false; | |
355 } | |
356 | |
357 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { | |
358 CERT_DestroyCertificate(cert); | |
359 return false; | |
360 } | |
361 | |
362 DCHECK(cert->derCert.len); | |
363 // XXX copied from X509Certificate::GetDEREncoded | |
364 der_cert->clear(); | |
365 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), | |
366 cert->derCert.len); | |
367 CERT_DestroyCertificate(cert); | |
368 return true; | |
369 } | |
370 | |
371 #if defined(USE_NSS) || defined(OS_IOS) | 294 #if defined(USE_NSS) || defined(OS_IOS) |
372 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { | 295 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { |
373 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. | 296 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. |
374 #if NSS_VMINOR >= 15 | 297 #if NSS_VMINOR >= 15 |
375 typedef char* (*CERTGetNameFunc)(const CERTName* name); | 298 typedef char* (*CERTGetNameFunc)(const CERTName* name); |
376 #else | 299 #else |
377 typedef char* (*CERTGetNameFunc)(CERTName* name); | 300 typedef char* (*CERTGetNameFunc)(CERTName* name); |
378 #endif | 301 #endif |
379 | 302 |
380 // TODO(jcampan): add business_category and serial_number. | 303 // TODO(jcampan): add business_category and serial_number. |
629 } | 552 } |
630 | 553 |
631 return new_name; | 554 return new_name; |
632 } | 555 } |
633 | 556 |
634 #endif // defined(USE_NSS) || defined(OS_IOS) | 557 #endif // defined(USE_NSS) || defined(OS_IOS) |
635 | 558 |
636 } // namespace x509_util | 559 } // namespace x509_util |
637 | 560 |
638 } // namespace net | 561 } // namespace net |