OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
davidben
2016/04/18 19:36:45
Should we rename x509_util_nss_certs.cc to x509_ut
svaldez
2016/04/18 20:21:39
Done.
| |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/x509_util.h" | |
6 #include "net/cert/x509_util_nss.h" | |
7 | |
8 #include <cert.h> // Must be included before certdb.h | |
9 #include <certdb.h> | |
10 #include <cryptohi.h> | |
11 #include <nss.h> | |
12 #include <pk11pub.h> | |
13 #include <prerror.h> | |
14 #include <secder.h> | |
15 #include <secmod.h> | |
16 #include <secport.h> | |
17 | |
18 #include "base/debug/leak_annotations.h" | |
19 #include "base/logging.h" | |
20 #include "base/memory/scoped_ptr.h" | |
21 #include "base/memory/singleton.h" | |
22 #include "base/pickle.h" | |
23 #include "base/strings/stringprintf.h" | |
24 #include "crypto/ec_private_key.h" | |
25 #include "crypto/nss_util.h" | |
26 #include "crypto/nss_util_internal.h" | |
27 #include "crypto/rsa_private_key.h" | |
28 #include "crypto/scoped_nss_types.h" | |
29 #include "crypto/third_party/nss/chromium-nss.h" | |
30 #include "net/cert/x509_certificate.h" | |
31 | |
32 namespace net { | |
33 | |
34 namespace { | |
35 | |
36 // Creates a Certificate object that may be passed to the SignCertificate | |
37 // method to generate an X509 certificate. | |
38 // Returns NULL if an error is encountered in the certificate creation | |
39 // process. | |
40 // Caller responsible for freeing returned certificate object. | |
41 CERTCertificate* CreateCertificate(SECKEYPublicKey* public_key, | |
42 const std::string& subject, | |
43 uint32_t serial_number, | |
44 base::Time not_valid_before, | |
45 base::Time not_valid_after) { | |
46 // Create info about public key. | |
47 CERTSubjectPublicKeyInfo* spki = | |
48 SECKEY_CreateSubjectPublicKeyInfo(public_key); | |
49 if (!spki) | |
50 return NULL; | |
51 | |
52 // Create the certificate request. | |
53 CERTName* subject_name = | |
54 CERT_AsciiToName(const_cast<char*>(subject.c_str())); | |
55 CERTCertificateRequest* cert_request = | |
56 CERT_CreateCertificateRequest(subject_name, spki, NULL); | |
57 SECKEY_DestroySubjectPublicKeyInfo(spki); | |
58 | |
59 if (!cert_request) { | |
60 PRErrorCode prerr = PR_GetError(); | |
61 LOG(ERROR) << "Failed to create certificate request: " << prerr; | |
62 CERT_DestroyName(subject_name); | |
63 return NULL; | |
64 } | |
65 | |
66 CERTValidity* validity = CERT_CreateValidity( | |
67 crypto::BaseTimeToPRTime(not_valid_before), | |
68 crypto::BaseTimeToPRTime(not_valid_after)); | |
69 if (!validity) { | |
70 PRErrorCode prerr = PR_GetError(); | |
71 LOG(ERROR) << "Failed to create certificate validity object: " << prerr; | |
72 CERT_DestroyName(subject_name); | |
73 CERT_DestroyCertificateRequest(cert_request); | |
74 return NULL; | |
75 } | |
76 CERTCertificate* cert = CERT_CreateCertificate(serial_number, subject_name, | |
77 validity, cert_request); | |
78 if (!cert) { | |
79 PRErrorCode prerr = PR_GetError(); | |
80 LOG(ERROR) << "Failed to create certificate: " << prerr; | |
81 } | |
82 | |
83 // Cleanup for resources used to generate the cert. | |
84 CERT_DestroyName(subject_name); | |
85 CERT_DestroyValidity(validity); | |
86 CERT_DestroyCertificateRequest(cert_request); | |
87 | |
88 return cert; | |
89 } | |
90 | |
91 SECOidTag ToSECOid(x509_util::DigestAlgorithm alg) { | |
92 switch (alg) { | |
93 case x509_util::DIGEST_SHA1: | |
94 return SEC_OID_SHA1; | |
95 case x509_util::DIGEST_SHA256: | |
96 return SEC_OID_SHA256; | |
97 } | |
98 return SEC_OID_UNKNOWN; | |
99 } | |
100 | |
101 // Signs a certificate object, with |key| generating a new X509Certificate | |
102 // and destroying the passed certificate object (even when NULL is returned). | |
103 // The logic of this method references SignCert() in NSS utility certutil: | |
104 // http://mxr.mozilla.org/security/ident?i=SignCert. | |
105 // Returns true on success or false if an error is encountered in the | |
106 // certificate signing process. | |
107 bool SignCertificate( | |
108 CERTCertificate* cert, | |
109 SECKEYPrivateKey* key, | |
110 SECOidTag hash_algorithm) { | |
111 // |arena| is used to encode the cert. | |
112 PLArenaPool* arena = cert->arena; | |
113 SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->keyType, | |
114 hash_algorithm); | |
115 if (algo_id == SEC_OID_UNKNOWN) | |
116 return false; | |
117 | |
118 SECStatus rv = SECOID_SetAlgorithmID(arena, &cert->signature, algo_id, 0); | |
119 if (rv != SECSuccess) | |
120 return false; | |
121 | |
122 // Generate a cert of version 3. | |
123 *(cert->version.data) = 2; | |
124 cert->version.len = 1; | |
125 | |
126 SECItem der = { siBuffer, NULL, 0 }; | |
127 | |
128 // Use ASN1 DER to encode the cert. | |
129 void* encode_result = SEC_ASN1EncodeItem( | |
130 NULL, &der, cert, SEC_ASN1_GET(CERT_CertificateTemplate)); | |
131 if (!encode_result) | |
132 return false; | |
133 | |
134 // Allocate space to contain the signed cert. | |
135 SECItem result = { siBuffer, NULL, 0 }; | |
136 | |
137 // Sign the ASN1 encoded cert and save it to |result|. | |
138 rv = DerSignData(arena, &result, &der, key, algo_id); | |
139 PORT_Free(der.data); | |
140 if (rv != SECSuccess) { | |
141 DLOG(ERROR) << "DerSignData: " << PORT_GetError(); | |
142 return false; | |
143 } | |
144 | |
145 // Save the signed result to the cert. | |
146 cert->derCert = result; | |
147 | |
148 return true; | |
149 } | |
150 | |
151 } // namespace | |
152 | |
153 namespace x509_util { | |
154 | |
155 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, | |
156 DigestAlgorithm alg, | |
157 const std::string& subject, | |
158 uint32_t serial_number, | |
159 base::Time not_valid_before, | |
160 base::Time not_valid_after, | |
161 std::string* der_cert) { | |
162 DCHECK(key); | |
163 DCHECK(!strncmp(subject.c_str(), "CN=", 3U)); | |
164 CERTCertificate* cert = CreateCertificate(key->public_key(), | |
165 subject, | |
166 serial_number, | |
167 not_valid_before, | |
168 not_valid_after); | |
169 if (!cert) | |
170 return false; | |
171 | |
172 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { | |
173 CERT_DestroyCertificate(cert); | |
174 return false; | |
175 } | |
176 | |
177 der_cert->assign(reinterpret_cast<char*>(cert->derCert.data), | |
178 cert->derCert.len); | |
179 CERT_DestroyCertificate(cert); | |
180 return true; | |
181 } | |
182 | |
183 bool GetTLSServerEndPointChannelBinding(const X509Certificate& certificate, | |
184 std::string* token) { | |
185 NOTIMPLEMENTED(); | |
186 return false; | |
187 } | |
188 | |
189 } // namespace x509_util | |
190 | |
191 } // namespace net | |
OLD | NEW |