Chromium Code Reviews Chromium Code Reviews
Issue 1076063002:
Remove certificates from Channel ID (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_util_openssl.h" | 5 #include "net/cert/x509_util_openssl.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <openssl/asn1.h> | 8 #include <openssl/asn1.h> |
| 9 | 9 |
| 10 #include "base/lazy_instance.h" | 10 #include "base/lazy_instance.h" |
| (...skipping 146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 157 // Sign it with the private key. | 157 // Sign it with the private key. |
| 158 if (!X509_sign(cert, key, md)) { | 158 if (!X509_sign(cert, key, md)) { |
| 159 LOG(ERROR) << "Could not sign certificate with key."; | 159 LOG(ERROR) << "Could not sign certificate with key."; |
| 160 return false; | 160 return false; |
| 161 } | 161 } |
| 162 | 162 |
| 163 // Convert it into a DER-encoded string copied to |der_encoded|. | 163 // Convert it into a DER-encoded string copied to |der_encoded|. |
| 164 return DerEncodeCert(cert, der_encoded); | 164 return DerEncodeCert(cert, der_encoded); |
| 165 } | 165 } |
| 166 | 166 |
| 167 // There is no OpenSSL NID for the 'originBoundCertificate' extension OID yet, | |
| 168 // so create a global ASN1_OBJECT lazily with the right parameters. | |
| 169 class DomainBoundOid { | |
| 170 public: | |
| 171 DomainBoundOid() : obj_(OBJ_txt2obj(kDomainBoundOidText, 1)) { CHECK(obj_); } | |
| 172 | |
| 173 ~DomainBoundOid() { | |
| 174 if (obj_) | |
| 175 ASN1_OBJECT_free(obj_); | |
| 176 } | |
| 177 | |
| 178 ASN1_OBJECT* obj() const { return obj_; } | |
| 179 | |
| 180 private: | |
| 181 static const char kDomainBoundOidText[]; | |
| 182 | |
| 183 ASN1_OBJECT* obj_; | |
| 184 }; | |
| 185 | |
| 186 // 1.3.6.1.4.1.11129.2.1.6 | |
| 187 // (iso.org.dod.internet.private.enterprises.google.googleSecurity. | |
| 188 // certificateExtensions.originBoundCertificate) | |
| 189 const char DomainBoundOid::kDomainBoundOidText[] = "1.3.6.1.4.1.11129.2.1.6"; | |
| 190 | |
| 191 ASN1_OBJECT* GetDomainBoundOid() { | |
| 192 static base::LazyInstance<DomainBoundOid>::Leaky s_lazy = | |
| 193 LAZY_INSTANCE_INITIALIZER; | |
| 194 return s_lazy.Get().obj(); | |
| 195 } | |
| 196 | |
| 197 | |
| 198 struct DERCache { | 167 struct DERCache { |
| 199 std::string data; | 168 std::string data; |
| 200 }; | 169 }; |
| 201 | 170 |
| 202 void DERCache_free(void* parent, void* ptr, CRYPTO_EX_DATA* ad, int idx, | 171 void DERCache_free(void* parent, void* ptr, CRYPTO_EX_DATA* ad, int idx, |
| 203 long argl, void* argp) { | 172 long argl, void* argp) { |
| 204 DERCache* der_cache = static_cast<DERCache*>(ptr); | 173 DERCache* der_cache = static_cast<DERCache*>(ptr); |
| 205 delete der_cache; | 174 delete der_cache; |
| 206 } | 175 } |
| 207 | 176 |
| (...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 252 const base::Time kYear10000 = kEpoch + | 221 const base::Time kYear10000 = kEpoch + |
| 253 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000); | 222 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000); |
| 254 | 223 |
| 255 if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 || | 224 if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 || |
| 256 not_valid_after < kYear0001 || not_valid_after >= kYear10000) | 225 not_valid_after < kYear0001 || not_valid_after >= kYear10000) |
| 257 return false; | 226 return false; |
| 258 | 227 |
| 259 return true; | 228 return true; |
| 260 } | 229 } |
| 261 | 230 |
| 262 bool CreateChannelIDEC( | |
| 263 crypto::ECPrivateKey* key, | |
| 264 DigestAlgorithm alg, | |
| 265 const std::string& domain, | |
| 266 uint32 serial_number, | |
| 267 base::Time not_valid_before, | |
| 268 base::Time not_valid_after, | |
| 269 std::string* der_cert) { | |
| 270 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
| 271 // Create certificate. | |
| 272 ScopedX509 cert(CreateCertificate(key->key(), | |
| 273 alg, | |
| 274 "CN=anonymous.invalid", | |
| 275 serial_number, | |
| 276 not_valid_before, | |
| 277 not_valid_after)); | |
| 278 if (!cert.get()) | |
| 279 return false; | |
| 280 | |
| 281 // Add TLS-Channel-ID extension to the certificate before signing it. | |
| 282 // The value must be stored DER-encoded, as a ASN.1 IA5String. | |
| 283 ScopedASN1_STRING domain_ia5(ASN1_IA5STRING_new()); | |
| 284 if (!domain_ia5.get() || | |
| 285 !ASN1_STRING_set(domain_ia5.get(), domain.data(), domain.size())) | |
| 286 return false; | |
| 287 | |
| 288 std::string domain_der; | |
| 289 int domain_der_len = i2d_ASN1_IA5STRING(domain_ia5.get(), NULL); | |
| 290 if (domain_der_len < 0) | |
| 291 return false; | |
| 292 | |
| 293 domain_der.resize(domain_der_len); | |
| 294 unsigned char* domain_der_data = | |
| 295 reinterpret_cast<unsigned char*>(&domain_der[0]); | |
| 296 if (i2d_ASN1_IA5STRING(domain_ia5.get(), &domain_der_data) < 0) | |
| 297 return false; | |
| 298 | |
| 299 ScopedASN1_OCTET_STRING domain_str(ASN1_OCTET_STRING_new()); | |
| 300 if (!domain_str.get() || | |
| 301 !ASN1_STRING_set(domain_str.get(), domain_der.data(), domain_der.size())) | |
| 302 return false; | |
| 303 | |
| 304 ScopedX509_EXTENSION ext(X509_EXTENSION_create_by_OBJ( | |
| 305 NULL, GetDomainBoundOid(), 1 /* critical */, domain_str.get())); | |
| 306 if (!ext.get() || !X509_add_ext(cert.get(), ext.get(), -1)) { | |
| 307 return false; | |
| 308 } | |
| 309 | |
| 310 // Sign and encode it. | |
| 311 return SignAndDerEncodeCert(cert.get(), key->key(), alg, der_cert); | |
| 312 } | |
| 313 | |
| 314 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, | 231 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, |
| 315 DigestAlgorithm alg, | 232 DigestAlgorithm alg, |
| 316 const std::string& common_name, | 233 const std::string& common_name, |
| 317 uint32 serial_number, | 234 uint32 serial_number, |
| 318 base::Time not_valid_before, | 235 base::Time not_valid_before, |
| 319 base::Time not_valid_after, | 236 base::Time not_valid_after, |
| 320 std::string* der_encoded) { | 237 std::string* der_encoded) { |
| 321 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 238 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 322 ScopedX509 cert(CreateCertificate(key->key(), | 239 ScopedX509 cert(CreateCertificate(key->key(), |
|
Ryan Sleevi
2015/04/15 22:50:02
Ditto here - do we still need a distinct function?
nharper
2015/04/25 02:59:19
See my argument on the other thread for why it's c
| |
| 323 alg, | 240 alg, |
| 324 common_name, | 241 common_name, |
| 325 serial_number, | 242 serial_number, |
| 326 not_valid_before, | 243 not_valid_before, |
| 327 not_valid_after)); | 244 not_valid_after)); |
| 328 if (!cert.get()) | 245 if (!cert.get()) |
| 329 return false; | 246 return false; |
| 330 | 247 |
| 331 return SignAndDerEncodeCert(cert.get(), key->key(), alg, der_encoded); | 248 return SignAndDerEncodeCert(cert.get(), key->key(), alg, der_encoded); |
| 332 } | 249 } |
| (...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 412 internal_cache = new_cache.get(); | 329 internal_cache = new_cache.get(); |
| 413 X509_set_ex_data(x509, x509_der_cache_index, new_cache.release()); | 330 X509_set_ex_data(x509, x509_der_cache_index, new_cache.release()); |
| 414 } | 331 } |
| 415 *der_cache = base::StringPiece(internal_cache->data); | 332 *der_cache = base::StringPiece(internal_cache->data); |
| 416 return true; | 333 return true; |
| 417 } | 334 } |
| 418 | 335 |
| 419 } // namespace x509_util | 336 } // namespace x509_util |
| 420 | 337 |
| 421 } // namespace net | 338 } // namespace net |
| OLD | NEW |
