Chromium Code Reviews Chromium Code Reviews
Issue 1882433002:
Removing NSS files and USE_OPENSSL flag (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
|
davidben
2016/04/18 19:36:45
Should we rename x509_util_nss_certs.cc to x509_ut
svaldez
2016/04/18 20:21:39
Done.
| |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/x509_util.h" | |
| 6 #include "net/cert/x509_util_nss.h" | |
| 7 | |
| 8 #include <cert.h> // Must be included before certdb.h | |
| 9 #include <certdb.h> | |
| 10 #include <cryptohi.h> | |
| 11 #include <nss.h> | |
| 12 #include <pk11pub.h> | |
| 13 #include <prerror.h> | |
| 14 #include <secder.h> | |
| 15 #include <secmod.h> | |
| 16 #include <secport.h> | |
| 17 | |
| 18 #include "base/debug/leak_annotations.h" | |
| 19 #include "base/logging.h" | |
| 20 #include "base/memory/scoped_ptr.h" | |
| 21 #include "base/memory/singleton.h" | |
| 22 #include "base/pickle.h" | |
| 23 #include "base/strings/stringprintf.h" | |
| 24 #include "crypto/ec_private_key.h" | |
| 25 #include "crypto/nss_util.h" | |
| 26 #include "crypto/nss_util_internal.h" | |
| 27 #include "crypto/rsa_private_key.h" | |
| 28 #include "crypto/scoped_nss_types.h" | |
| 29 #include "crypto/third_party/nss/chromium-nss.h" | |
| 30 #include "net/cert/x509_certificate.h" | |
| 31 | |
| 32 namespace net { | |
| 33 | |
| 34 namespace { | |
| 35 | |
| 36 // Creates a Certificate object that may be passed to the SignCertificate | |
| 37 // method to generate an X509 certificate. | |
| 38 // Returns NULL if an error is encountered in the certificate creation | |
| 39 // process. | |
| 40 // Caller responsible for freeing returned certificate object. | |
| 41 CERTCertificate* CreateCertificate(SECKEYPublicKey* public_key, | |
| 42 const std::string& subject, | |
| 43 uint32_t serial_number, | |
| 44 base::Time not_valid_before, | |
| 45 base::Time not_valid_after) { | |
| 46 // Create info about public key. | |
| 47 CERTSubjectPublicKeyInfo* spki = | |
| 48 SECKEY_CreateSubjectPublicKeyInfo(public_key); | |
| 49 if (!spki) | |
| 50 return NULL; | |
| 51 | |
| 52 // Create the certificate request. | |
| 53 CERTName* subject_name = | |
| 54 CERT_AsciiToName(const_cast<char*>(subject.c_str())); | |
| 55 CERTCertificateRequest* cert_request = | |
| 56 CERT_CreateCertificateRequest(subject_name, spki, NULL); | |
| 57 SECKEY_DestroySubjectPublicKeyInfo(spki); | |
| 58 | |
| 59 if (!cert_request) { | |
| 60 PRErrorCode prerr = PR_GetError(); | |
| 61 LOG(ERROR) << "Failed to create certificate request: " << prerr; | |
| 62 CERT_DestroyName(subject_name); | |
| 63 return NULL; | |
| 64 } | |
| 65 | |
| 66 CERTValidity* validity = CERT_CreateValidity( | |
| 67 crypto::BaseTimeToPRTime(not_valid_before), | |
| 68 crypto::BaseTimeToPRTime(not_valid_after)); | |
| 69 if (!validity) { | |
| 70 PRErrorCode prerr = PR_GetError(); | |
| 71 LOG(ERROR) << "Failed to create certificate validity object: " << prerr; | |
| 72 CERT_DestroyName(subject_name); | |
| 73 CERT_DestroyCertificateRequest(cert_request); | |
| 74 return NULL; | |
| 75 } | |
| 76 CERTCertificate* cert = CERT_CreateCertificate(serial_number, subject_name, | |
| 77 validity, cert_request); | |
| 78 if (!cert) { | |
| 79 PRErrorCode prerr = PR_GetError(); | |
| 80 LOG(ERROR) << "Failed to create certificate: " << prerr; | |
| 81 } | |
| 82 | |
| 83 // Cleanup for resources used to generate the cert. | |
| 84 CERT_DestroyName(subject_name); | |
| 85 CERT_DestroyValidity(validity); | |
| 86 CERT_DestroyCertificateRequest(cert_request); | |
| 87 | |
| 88 return cert; | |
| 89 } | |
| 90 | |
| 91 SECOidTag ToSECOid(x509_util::DigestAlgorithm alg) { | |
| 92 switch (alg) { | |
| 93 case x509_util::DIGEST_SHA1: | |
| 94 return SEC_OID_SHA1; | |
| 95 case x509_util::DIGEST_SHA256: | |
| 96 return SEC_OID_SHA256; | |
| 97 } | |
| 98 return SEC_OID_UNKNOWN; | |
| 99 } | |
| 100 | |
| 101 // Signs a certificate object, with |key| generating a new X509Certificate | |
| 102 // and destroying the passed certificate object (even when NULL is returned). | |
| 103 // The logic of this method references SignCert() in NSS utility certutil: | |
| 104 // http://mxr.mozilla.org/security/ident?i=SignCert. | |
| 105 // Returns true on success or false if an error is encountered in the | |
| 106 // certificate signing process. | |
| 107 bool SignCertificate( | |
| 108 CERTCertificate* cert, | |
| 109 SECKEYPrivateKey* key, | |
| 110 SECOidTag hash_algorithm) { | |
| 111 // |arena| is used to encode the cert. | |
| 112 PLArenaPool* arena = cert->arena; | |
| 113 SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->keyType, | |
| 114 hash_algorithm); | |
| 115 if (algo_id == SEC_OID_UNKNOWN) | |
| 116 return false; | |
| 117 | |
| 118 SECStatus rv = SECOID_SetAlgorithmID(arena, &cert->signature, algo_id, 0); | |
| 119 if (rv != SECSuccess) | |
| 120 return false; | |
| 121 | |
| 122 // Generate a cert of version 3. | |
| 123 *(cert->version.data) = 2; | |
| 124 cert->version.len = 1; | |
| 125 | |
| 126 SECItem der = { siBuffer, NULL, 0 }; | |
| 127 | |
| 128 // Use ASN1 DER to encode the cert. | |
| 129 void* encode_result = SEC_ASN1EncodeItem( | |
| 130 NULL, &der, cert, SEC_ASN1_GET(CERT_CertificateTemplate)); | |
| 131 if (!encode_result) | |
| 132 return false; | |
| 133 | |
| 134 // Allocate space to contain the signed cert. | |
| 135 SECItem result = { siBuffer, NULL, 0 }; | |
| 136 | |
| 137 // Sign the ASN1 encoded cert and save it to |result|. | |
| 138 rv = DerSignData(arena, &result, &der, key, algo_id); | |
| 139 PORT_Free(der.data); | |
| 140 if (rv != SECSuccess) { | |
| 141 DLOG(ERROR) << "DerSignData: " << PORT_GetError(); | |
| 142 return false; | |
| 143 } | |
| 144 | |
| 145 // Save the signed result to the cert. | |
| 146 cert->derCert = result; | |
| 147 | |
| 148 return true; | |
| 149 } | |
| 150 | |
| 151 } // namespace | |
| 152 | |
| 153 namespace x509_util { | |
| 154 | |
| 155 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, | |
| 156 DigestAlgorithm alg, | |
| 157 const std::string& subject, | |
| 158 uint32_t serial_number, | |
| 159 base::Time not_valid_before, | |
| 160 base::Time not_valid_after, | |
| 161 std::string* der_cert) { | |
| 162 DCHECK(key); | |
| 163 DCHECK(!strncmp(subject.c_str(), "CN=", 3U)); | |
| 164 CERTCertificate* cert = CreateCertificate(key->public_key(), | |
| 165 subject, | |
| 166 serial_number, | |
| 167 not_valid_before, | |
| 168 not_valid_after); | |
| 169 if (!cert) | |
| 170 return false; | |
| 171 | |
| 172 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { | |
| 173 CERT_DestroyCertificate(cert); | |
| 174 return false; | |
| 175 } | |
| 176 | |
| 177 der_cert->assign(reinterpret_cast<char*>(cert->derCert.data), | |
| 178 cert->derCert.len); | |
| 179 CERT_DestroyCertificate(cert); | |
| 180 return true; | |
| 181 } | |
| 182 | |
| 183 bool GetTLSServerEndPointChannelBinding(const X509Certificate& certificate, | |
| 184 std::string* token) { | |
| 185 NOTIMPLEMENTED(); | |
| 186 return false; | |
| 187 } | |
| 188 | |
| 189 } // namespace x509_util | |
| 190 | |
| 191 } // namespace net | |
| OLD | NEW |
