
Side by Side Diff: net/cert/x509_util_openssl.cc

Issue 1076063002: Remove certificates from Channel ID (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix some small style/formatting issues Created 5 years, 8 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/x509_util_openssl.h" 5 #include "net/cert/x509_util_openssl.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <openssl/asn1.h> 8 #include <openssl/asn1.h>
9 9
10 #include "base/lazy_instance.h" 10 #include "base/lazy_instance.h"
157 // Sign it with the private key. 157 // Sign it with the private key.
158 if (!X509_sign(cert, key, md)) { 158 if (!X509_sign(cert, key, md)) {
159 LOG(ERROR) << "Could not sign certificate with key."; 159 LOG(ERROR) << "Could not sign certificate with key.";
160 return false; 160 return false;
161 } 161 }
162 162
163 // Convert it into a DER-encoded string copied to |der_encoded|. 163 // Convert it into a DER-encoded string copied to |der_encoded|.
164 return DerEncodeCert(cert, der_encoded); 164 return DerEncodeCert(cert, der_encoded);
165 } 165 }
166 166
167 // There is no OpenSSL NID for the 'originBoundCertificate' extension OID yet,
168 // so create a global ASN1_OBJECT lazily with the right parameters.
169 class DomainBoundOid {
170 public:
171 DomainBoundOid() : obj_(OBJ_txt2obj(kDomainBoundOidText, 1)) { CHECK(obj_); }
172
173 ~DomainBoundOid() {
174 if (obj_)
175 ASN1_OBJECT_free(obj_);
176 }
177
178 ASN1_OBJECT* obj() const { return obj_; }
179
180 private:
181 static const char kDomainBoundOidText[];
182
183 ASN1_OBJECT* obj_;
184 };
185
186 // 1.3.6.1.4.1.11129.2.1.6
187 // (iso.org.dod.internet.private.enterprises.google.googleSecurity.
188 // certificateExtensions.originBoundCertificate)
189 const char DomainBoundOid::kDomainBoundOidText[] = "1.3.6.1.4.1.11129.2.1.6";
190
191 ASN1_OBJECT* GetDomainBoundOid() {
192 static base::LazyInstance<DomainBoundOid>::Leaky s_lazy =
193 LAZY_INSTANCE_INITIALIZER;
194 return s_lazy.Get().obj();
195 }
196
197
198 struct DERCache { 167 struct DERCache {
199 std::string data; 168 std::string data;
200 }; 169 };
201 170
202 void DERCache_free(void* parent, void* ptr, CRYPTO_EX_DATA* ad, int idx, 171 void DERCache_free(void* parent, void* ptr, CRYPTO_EX_DATA* ad, int idx,
203 long argl, void* argp) { 172 long argl, void* argp) {
204 DERCache* der_cache = static_cast<DERCache*>(ptr); 173 DERCache* der_cache = static_cast<DERCache*>(ptr);
205 delete der_cache; 174 delete der_cache;
206 } 175 }
207 176
252 const base::Time kYear10000 = kEpoch + 221 const base::Time kYear10000 = kEpoch +
253 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000); 222 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000);
254 223
255 if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 || 224 if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 ||
256 not_valid_after < kYear0001 || not_valid_after >= kYear10000) 225 not_valid_after < kYear0001 || not_valid_after >= kYear10000)
257 return false; 226 return false;
258 227
259 return true; 228 return true;
260 } 229 }
261 230
262 bool CreateChannelIDEC(
263 crypto::ECPrivateKey* key,
264 DigestAlgorithm alg,
265 const std::string& domain,
266 uint32 serial_number,
267 base::Time not_valid_before,
268 base::Time not_valid_after,
269 std::string* der_cert) {
270 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
271 // Create certificate.
272 ScopedX509 cert(CreateCertificate(key->key(),
273 alg,
274 "CN=anonymous.invalid",
275 serial_number,
276 not_valid_before,
277 not_valid_after));
278 if (!cert.get())
279 return false;
280
281 // Add TLS-Channel-ID extension to the certificate before signing it.
282 // The value must be stored DER-encoded, as a ASN.1 IA5String.
283 ScopedASN1_STRING domain_ia5(ASN1_IA5STRING_new());
284 if (!domain_ia5.get() ||
285 !ASN1_STRING_set(domain_ia5.get(), domain.data(), domain.size()))
286 return false;
287
288 std::string domain_der;
289 int domain_der_len = i2d_ASN1_IA5STRING(domain_ia5.get(), NULL);
290 if (domain_der_len < 0)
291 return false;
292
293 domain_der.resize(domain_der_len);
294 unsigned char* domain_der_data =
295 reinterpret_cast<unsigned char*>(&domain_der[0]);
296 if (i2d_ASN1_IA5STRING(domain_ia5.get(), &domain_der_data) < 0)
297 return false;
298
299 ScopedASN1_OCTET_STRING domain_str(ASN1_OCTET_STRING_new());
300 if (!domain_str.get() ||
301 !ASN1_STRING_set(domain_str.get(), domain_der.data(), domain_der.size()))
302 return false;
303
304 ScopedX509_EXTENSION ext(X509_EXTENSION_create_by_OBJ(
305 NULL, GetDomainBoundOid(), 1 /* critical */, domain_str.get()));
306 if (!ext.get() || !X509_add_ext(cert.get(), ext.get(), -1)) {
307 return false;
308 }
309
310 // Sign and encode it.
311 return SignAndDerEncodeCert(cert.get(), key->key(), alg, der_cert);
312 }
313
314 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, 231 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
315 DigestAlgorithm alg, 232 DigestAlgorithm alg,
316 const std::string& common_name, 233 const std::string& common_name,
317 uint32 serial_number, 234 uint32 serial_number,
318 base::Time not_valid_before, 235 base::Time not_valid_before,
319 base::Time not_valid_after, 236 base::Time not_valid_after,
320 std::string* der_encoded) { 237 std::string* der_encoded) {
321 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); 238 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
322 ScopedX509 cert(CreateCertificate(key->key(), 239 ScopedX509 cert(CreateCertificate(key->key(),
Ryan Sleevi 2015/04/15 22:50:02 Ditto here - do we still need a distinct function?
nharper 2015/04/25 02:59:19 See my argument on the other thread for why it's c
323 alg, 240 alg,
324 common_name, 241 common_name,
325 serial_number, 242 serial_number,
326 not_valid_before, 243 not_valid_before,
327 not_valid_after)); 244 not_valid_after));
328 if (!cert.get()) 245 if (!cert.get())
329 return false; 246 return false;
330 247
331 return SignAndDerEncodeCert(cert.get(), key->key(), alg, der_encoded); 248 return SignAndDerEncodeCert(cert.get(), key->key(), alg, der_encoded);
332 } 249 }
412 internal_cache = new_cache.get(); 329 internal_cache = new_cache.get();
413 X509_set_ex_data(x509, x509_der_cache_index, new_cache.release()); 330 X509_set_ex_data(x509, x509_der_cache_index, new_cache.release());
414 } 331 }
415 *der_cache = base::StringPiece(internal_cache->data); 332 *der_cache = base::StringPiece(internal_cache->data);
416 return true; 333 return true;
417 } 334 }
418 335
419 } // namespace x509_util 336 } // namespace x509_util
420 337
421 } // namespace net 338 } // namespace net