| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_CERT_X509_UTIL_H_ | 5 #ifndef NET_CERT_X509_UTIL_H_ |
| 6 #define NET_CERT_X509_UTIL_H_ | 6 #define NET_CERT_X509_UTIL_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/memory/ref_counted.h" | 10 #include "base/memory/ref_counted.h" |
| 11 #include "base/memory/scoped_ptr.h" |
| 11 #include "base/time/time.h" | 12 #include "base/time/time.h" |
| 12 #include "net/base/net_export.h" | 13 #include "net/base/net_export.h" |
| 13 | 14 |
| 14 namespace crypto { | 15 namespace crypto { |
| 15 class ECPrivateKey; | 16 class ECPrivateKey; |
| 16 class RSAPrivateKey; | 17 class RSAPrivateKey; |
| 17 } | 18 } |
| 18 | 19 |
| 19 namespace net { | 20 namespace net { |
| 20 | 21 |
| 21 class X509Certificate; | 22 class X509Certificate; |
| 22 | 23 |
| 23 namespace x509_util { | 24 namespace x509_util { |
| 24 | 25 |
| 26 // Supported digest algorithms for signing certificates. |
| 27 enum DigestAlgorithm { |
| 28 DIGEST_SHA1, |
| 29 DIGEST_SHA256 |
| 30 }; |
| 31 |
| 25 // Returns true if the times can be used to create an X.509 certificate. | 32 // Returns true if the times can be used to create an X.509 certificate. |
| 26 // Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999. A bug in NSS | 33 // Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999. A bug in NSS |
| 27 // limited the range to 1950-9999 | 34 // limited the range to 1950-9999 |
| 28 // (https://bugzilla.mozilla.org/show_bug.cgi?id=786531). This function will | 35 // (https://bugzilla.mozilla.org/show_bug.cgi?id=786531). This function will |
| 29 // return whether it is supported by the currently used crypto library. | 36 // return whether it is supported by the currently used crypto library. |
| 30 NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before, | 37 NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before, |
| 31 base::Time not_valid_after); | 38 base::Time not_valid_after); |
| 32 | 39 |
| 33 // Creates a server bound certificate containing the public key in |key|. | 40 // Creates a private keypair and server bound certificate. |
| 34 // Domain, serial number and validity period are given as | 41 // Domain, serial number and validity period are given as |
| 35 // parameters. The certificate is signed by the private key in |key|. | 42 // parameters. The certificate is signed by the private key in |key|. |
| 36 // The hashing algorithm for the signature is SHA-1. | 43 // The signature algorithm may be updated periodically to match best practices. |
| 37 // | 44 // |
| 38 // See Internet Draft draft-balfanz-tls-obc-00 for more details: | 45 // See Internet Draft draft-balfanz-tls-obc-00 for more details: |
| 39 // http://tools.ietf.org/html/draft-balfanz-tls-obc-00 | 46 // http://tools.ietf.org/html/draft-balfanz-tls-obc-00 |
| 40 NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC( | 47 NET_EXPORT_PRIVATE bool CreateKeyAndDomainBoundCertEC( |
| 41 crypto::ECPrivateKey* key, | |
| 42 const std::string& domain, | 48 const std::string& domain, |
| 43 uint32 serial_number, | 49 uint32 serial_number, |
| 44 base::Time not_valid_before, | 50 base::Time not_valid_before, |
| 45 base::Time not_valid_after, | 51 base::Time not_valid_after, |
| 52 scoped_ptr<crypto::ECPrivateKey>* key, |
| 46 std::string* der_cert); | 53 std::string* der_cert); |
| 47 | 54 |
| 48 // Create a self-signed certificate containing the public key in |key|. | 55 // Helper function for CreateKeyAndDomainBoundCertEC. |
| 56 NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key, |
| 57 DigestAlgorithm alg, |
| 58 const std::string& domain, |
| 59 uint32 serial_number, |
| 60 base::Time not_valid_before, |
| 61 base::Time not_valid_after, |
| 62 std::string* der_cert); |
| 63 |
| 64 // Creates a public-private keypair and a self-signed certificate. |
| 49 // Subject, serial number and validity period are given as parameters. | 65 // Subject, serial number and validity period are given as parameters. |
| 50 // The certificate is signed by the private key in |key|. The hashing | 66 // The certificate is signed by the private key in |key|. The key length and |
| 51 // algorithm for the signature is SHA-1. | 67 // signature algorithm may be updated periodically to match best practices. |
| 52 // | 68 // |
| 53 // |subject| is a distinguished name defined in RFC4514 with _only_ a CN | 69 // |subject| is a distinguished name defined in RFC4514 with _only_ a CN |
| 54 // component, as in: | 70 // component, as in: |
| 55 // CN=Michael Wong | 71 // CN=Michael Wong |
| 56 // | 72 // |
| 57 // SECURITY WARNING | 73 // SECURITY WARNING |
| 58 // | 74 // |
| 59 // Using self-signed certificates has the following security risks: | 75 // Using self-signed certificates has the following security risks: |
| 60 // 1. Encryption without authentication and thus vulnerable to | 76 // 1. Encryption without authentication and thus vulnerable to |
| 61 // man-in-the-middle attacks. | 77 // man-in-the-middle attacks. |
| 62 // 2. Self-signed certificates cannot be revoked. | 78 // 2. Self-signed certificates cannot be revoked. |
| 63 // | 79 // |
| 64 // Use this certificate only after the above risks are acknowledged. | 80 // Use this certificate only after the above risks are acknowledged. |
| 81 NET_EXPORT bool CreateKeyAndSelfSignedCert( |
| 82 const std::string& subject, |
| 83 uint32 serial_number, |
| 84 base::Time not_valid_before, |
| 85 base::Time not_valid_after, |
| 86 scoped_ptr<crypto::RSAPrivateKey>* key, |
| 87 std::string* der_cert); |
| 88 |
| 89 // Creates a self-signed certificate from a provided key, using the specified |
| 90 // hash algorithm. You should not re-use a key for signing data with multiple |
| 91 // signature algorithms or parameters. |
| 65 NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, | 92 NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, |
| 93 DigestAlgorithm alg, |
| 66 const std::string& subject, | 94 const std::string& subject, |
| 67 uint32 serial_number, | 95 uint32 serial_number, |
| 68 base::Time not_valid_before, | 96 base::Time not_valid_before, |
| 69 base::Time not_valid_after, | 97 base::Time not_valid_after, |
| 70 std::string* der_cert); | 98 std::string* der_cert); |
| 71 | 99 |
| 72 // Comparator for use in STL algorithms that will sort client certificates by | 100 // Comparator for use in STL algorithms that will sort client certificates by |
| 73 // order of preference. | 101 // order of preference. |
| 74 // Returns true if |a| is more preferable than |b|, allowing it to be used | 102 // Returns true if |a| is more preferable than |b|, allowing it to be used |
| 75 // with any algorithm that compares according to strict weak ordering. | 103 // with any algorithm that compares according to strict weak ordering. |
| (...skipping 13 matching lines...) Expand all Loading... |
| 89 | 117 |
| 90 private: | 118 private: |
| 91 base::Time now_; | 119 base::Time now_; |
| 92 }; | 120 }; |
| 93 | 121 |
| 94 } // namespace x509_util | 122 } // namespace x509_util |
| 95 | 123 |
| 96 } // namespace net | 124 } // namespace net |
| 97 | 125 |
| 98 #endif // NET_CERT_X509_UTIL_H_ | 126 #endif // NET_CERT_X509_UTIL_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 27832002:
Sign self-signed certs with SHA256. (Closed)
Base URL: https://src.chromium.org/chrome/trunk/src/