| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
| 6 #include "net/cert/x509_util_nss.h" | 6 #include "net/cert/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> // Must be included before certdb.h | 8 #include <cert.h> // Must be included before certdb.h |
| 9 #include <certdb.h> | 9 #include <certdb.h> |
| 10 #include <cryptohi.h> | 10 #include <cryptohi.h> |
| (...skipping 15 matching lines...) Expand all Loading... |
| 26 #include "crypto/nss_util_internal.h" | 26 #include "crypto/nss_util_internal.h" |
| 27 #include "crypto/rsa_private_key.h" | 27 #include "crypto/rsa_private_key.h" |
| 28 #include "crypto/scoped_nss_types.h" | 28 #include "crypto/scoped_nss_types.h" |
| 29 #include "crypto/third_party/nss/chromium-nss.h" | 29 #include "crypto/third_party/nss/chromium-nss.h" |
| 30 #include "net/cert/x509_certificate.h" | 30 #include "net/cert/x509_certificate.h" |
| 31 | 31 |
| 32 namespace net { | 32 namespace net { |
| 33 | 33 |
| 34 namespace { | 34 namespace { |
| 35 | 35 |
| 36 class ChannelIDOIDWrapper { | |
| 37 public: | |
| 38 static ChannelIDOIDWrapper* GetInstance() { | |
| 39 // Instantiated as a leaky singleton to allow the singleton to be | |
| 40 // constructed on a worker thead that is not joined when a process | |
| 41 // shuts down. | |
| 42 return Singleton<ChannelIDOIDWrapper, | |
| 43 LeakySingletonTraits<ChannelIDOIDWrapper> >::get(); | |
| 44 } | |
| 45 | |
| 46 SECOidTag domain_bound_cert_oid_tag() const { | |
| 47 return domain_bound_cert_oid_tag_; | |
| 48 } | |
| 49 | |
| 50 private: | |
| 51 friend struct DefaultSingletonTraits<ChannelIDOIDWrapper>; | |
| 52 | |
| 53 ChannelIDOIDWrapper(); | |
| 54 | |
| 55 SECOidTag domain_bound_cert_oid_tag_; | |
| 56 | |
| 57 DISALLOW_COPY_AND_ASSIGN(ChannelIDOIDWrapper); | |
| 58 }; | |
| 59 | |
| 60 ChannelIDOIDWrapper::ChannelIDOIDWrapper() | |
| 61 : domain_bound_cert_oid_tag_(SEC_OID_UNKNOWN) { | |
| 62 // 1.3.6.1.4.1.11129.2.1.6 | |
| 63 // (iso.org.dod.internet.private.enterprises.google.googleSecurity. | |
| 64 // certificateExtensions.originBoundCertificate) | |
| 65 static const uint8 kObCertOID[] = { | |
| 66 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x06 | |
| 67 }; | |
| 68 SECOidData oid_data; | |
| 69 memset(&oid_data, 0, sizeof(oid_data)); | |
| 70 oid_data.oid.data = const_cast<uint8*>(kObCertOID); | |
| 71 oid_data.oid.len = sizeof(kObCertOID); | |
| 72 oid_data.offset = SEC_OID_UNKNOWN; | |
| 73 oid_data.desc = "Origin Bound Certificate"; | |
| 74 oid_data.mechanism = CKM_INVALID_MECHANISM; | |
| 75 oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION; | |
| 76 domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data); | |
| 77 if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN) | |
| 78 LOG(ERROR) << "OB_CERT OID tag creation failed"; | |
| 79 } | |
| 80 | |
| 81 // Creates a Certificate object that may be passed to the SignCertificate | 36 // Creates a Certificate object that may be passed to the SignCertificate |
| 82 // method to generate an X509 certificate. | 37 // method to generate an X509 certificate. |
| 83 // Returns NULL if an error is encountered in the certificate creation | 38 // Returns NULL if an error is encountered in the certificate creation |
| 84 // process. | 39 // process. |
| 85 // Caller responsible for freeing returned certificate object. | 40 // Caller responsible for freeing returned certificate object. |
| 86 CERTCertificate* CreateCertificate( | 41 CERTCertificate* CreateCertificate( |
| 87 SECKEYPublicKey* public_key, | 42 SECKEYPublicKey* public_key, |
| 88 const std::string& subject, | 43 const std::string& subject, |
| 89 uint32 serial_number, | 44 uint32 serial_number, |
| 90 base::Time not_valid_before, | 45 base::Time not_valid_before, |
| (...skipping 141 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 232 crypto::BaseTimeToPRTime(not_valid_before), | 187 crypto::BaseTimeToPRTime(not_valid_before), |
| 233 crypto::BaseTimeToPRTime(not_valid_after)); | 188 crypto::BaseTimeToPRTime(not_valid_after)); |
| 234 | 189 |
| 235 if (!validity) | 190 if (!validity) |
| 236 return false; | 191 return false; |
| 237 | 192 |
| 238 CERT_DestroyValidity(validity); | 193 CERT_DestroyValidity(validity); |
| 239 return true; | 194 return true; |
| 240 } | 195 } |
| 241 | 196 |
| 242 bool CreateChannelIDEC(crypto::ECPrivateKey* key, | |
| 243 DigestAlgorithm alg, | |
| 244 const std::string& domain, | |
| 245 uint32 serial_number, | |
| 246 base::Time not_valid_before, | |
| 247 base::Time not_valid_after, | |
| 248 std::string* der_cert) { | |
| 249 DCHECK(key); | |
| 250 | |
| 251 CERTCertificate* cert = CreateCertificate(key->public_key(), | |
| 252 "CN=anonymous.invalid", | |
| 253 serial_number, | |
| 254 not_valid_before, | |
| 255 not_valid_after); | |
| 256 | |
| 257 if (!cert) | |
| 258 return false; | |
| 259 | |
| 260 // Create opaque handle used to add extensions later. | |
| 261 void* cert_handle; | |
| 262 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { | |
| 263 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; | |
| 264 CERT_DestroyCertificate(cert); | |
| 265 return false; | |
| 266 } | |
| 267 | |
| 268 // Create SECItem for IA5String encoding. | |
| 269 SECItem domain_string_item = { | |
| 270 siAsciiString, | |
| 271 (unsigned char*)domain.data(), | |
| 272 static_cast<unsigned>(domain.size()) | |
| 273 }; | |
| 274 | |
| 275 // IA5Encode and arena allocate SECItem | |
| 276 SECItem* asn1_domain_string = SEC_ASN1EncodeItem( | |
| 277 cert->arena, NULL, &domain_string_item, | |
| 278 SEC_ASN1_GET(SEC_IA5StringTemplate)); | |
| 279 if (asn1_domain_string == NULL) { | |
| 280 LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert" | |
| 281 " extension"; | |
| 282 CERT_DestroyCertificate(cert); | |
| 283 return false; | |
| 284 } | |
| 285 | |
| 286 // Add the extension to the opaque handle | |
| 287 if (CERT_AddExtension( | |
| 288 cert_handle, | |
| 289 ChannelIDOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(), | |
| 290 asn1_domain_string, | |
| 291 PR_TRUE, | |
| 292 PR_TRUE) != SECSuccess){ | |
| 293 LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle"; | |
| 294 CERT_DestroyCertificate(cert); | |
| 295 return false; | |
| 296 } | |
| 297 | |
| 298 // Copy extension into x509 cert | |
| 299 if (CERT_FinishExtensions(cert_handle) != SECSuccess){ | |
| 300 LOG(ERROR) << "Unable to copy extension to X509 cert"; | |
| 301 CERT_DestroyCertificate(cert); | |
| 302 return false; | |
| 303 } | |
| 304 | |
| 305 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { | |
| 306 CERT_DestroyCertificate(cert); | |
| 307 return false; | |
| 308 } | |
| 309 | |
| 310 DCHECK(cert->derCert.len); | |
| 311 // XXX copied from X509Certificate::GetDEREncoded | |
| 312 der_cert->clear(); | |
| 313 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), | |
| 314 cert->derCert.len); | |
| 315 CERT_DestroyCertificate(cert); | |
| 316 return true; | |
| 317 } | |
| 318 | |
| 319 } // namespace x509_util | 197 } // namespace x509_util |
| 320 | 198 |
| 321 } // namespace net | 199 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1076063002:
Remove certificates from Channel ID (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master