| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
| 6 #include "net/cert/x509_util_nss.h" | 6 #include "net/cert/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> // Must be included before certdb.h | 8 #include <cert.h> // Must be included before certdb.h |
| 9 #include <certdb.h> | 9 #include <certdb.h> |
| 10 #include <cryptohi.h> | 10 #include <cryptohi.h> |
| (...skipping 116 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 127 } | 127 } |
| 128 | 128 |
| 129 // Cleanup for resources used to generate the cert. | 129 // Cleanup for resources used to generate the cert. |
| 130 CERT_DestroyName(subject_name); | 130 CERT_DestroyName(subject_name); |
| 131 CERT_DestroyValidity(validity); | 131 CERT_DestroyValidity(validity); |
| 132 CERT_DestroyCertificateRequest(cert_request); | 132 CERT_DestroyCertificateRequest(cert_request); |
| 133 | 133 |
| 134 return cert; | 134 return cert; |
| 135 } | 135 } |
| 136 | 136 |
| 137 SECOidTag ToSECOid(x509_util::DigestAlgorithm alg) { |
| 138 switch (alg) { |
| 139 case x509_util::DIGEST_SHA1: |
| 140 return SEC_OID_SHA1; |
| 141 case x509_util::DIGEST_SHA256: |
| 142 return SEC_OID_SHA256; |
| 143 } |
| 144 return SEC_OID_UNKNOWN; |
| 145 } |
| 146 |
| 137 // Signs a certificate object, with |key| generating a new X509Certificate | 147 // Signs a certificate object, with |key| generating a new X509Certificate |
| 138 // and destroying the passed certificate object (even when NULL is returned). | 148 // and destroying the passed certificate object (even when NULL is returned). |
| 139 // The logic of this method references SignCert() in NSS utility certutil: | 149 // The logic of this method references SignCert() in NSS utility certutil: |
| 140 // http://mxr.mozilla.org/security/ident?i=SignCert. | 150 // http://mxr.mozilla.org/security/ident?i=SignCert. |
| 141 // Returns true on success or false if an error is encountered in the | 151 // Returns true on success or false if an error is encountered in the |
| 142 // certificate signing process. | 152 // certificate signing process. |
| 143 bool SignCertificate( | 153 bool SignCertificate( |
| 144 CERTCertificate* cert, | 154 CERTCertificate* cert, |
| 145 SECKEYPrivateKey* key) { | 155 SECKEYPrivateKey* key, |
| 156 SECOidTag hash_algorithm) { |
| 146 // |arena| is used to encode the cert. | 157 // |arena| is used to encode the cert. |
| 147 PLArenaPool* arena = cert->arena; | 158 PLArenaPool* arena = cert->arena; |
| 148 SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->keyType, | 159 SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->keyType, |
| 149 SEC_OID_SHA1); | 160 hash_algorithm); |
| 150 if (algo_id == SEC_OID_UNKNOWN) | 161 if (algo_id == SEC_OID_UNKNOWN) |
| 151 return false; | 162 return false; |
| 152 | 163 |
| 153 SECStatus rv = SECOID_SetAlgorithmID(arena, &cert->signature, algo_id, 0); | 164 SECStatus rv = SECOID_SetAlgorithmID(arena, &cert->signature, algo_id, 0); |
| 154 if (rv != SECSuccess) | 165 if (rv != SECSuccess) |
| 155 return false; | 166 return false; |
| 156 | 167 |
| 157 // Generate a cert of version 3. | 168 // Generate a cert of version 3. |
| 158 *(cert->version.data) = 2; | 169 *(cert->version.data) = 2; |
| 159 cert->version.len = 1; | 170 cert->version.len = 1; |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 233 return name.release(); | 244 return name.release(); |
| 234 } | 245 } |
| 235 | 246 |
| 236 #endif // defined(USE_NSS) || defined(OS_IOS) | 247 #endif // defined(USE_NSS) || defined(OS_IOS) |
| 237 | 248 |
| 238 } // namespace | 249 } // namespace |
| 239 | 250 |
| 240 namespace x509_util { | 251 namespace x509_util { |
| 241 | 252 |
| 242 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, | 253 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, |
| 254 DigestAlgorithm alg, |
| 243 const std::string& subject, | 255 const std::string& subject, |
| 244 uint32 serial_number, | 256 uint32 serial_number, |
| 245 base::Time not_valid_before, | 257 base::Time not_valid_before, |
| 246 base::Time not_valid_after, | 258 base::Time not_valid_after, |
| 247 std::string* der_cert) { | 259 std::string* der_cert) { |
| 248 DCHECK(key); | 260 DCHECK(key); |
| 249 DCHECK(!strncmp(subject.c_str(), "CN=", 3U)); | 261 DCHECK(!strncmp(subject.c_str(), "CN=", 3U)); |
| 250 CERTCertificate* cert = CreateCertificate(key->public_key(), | 262 CERTCertificate* cert = CreateCertificate(key->public_key(), |
| 251 subject, | 263 subject, |
| 252 serial_number, | 264 serial_number, |
| 253 not_valid_before, | 265 not_valid_before, |
| 254 not_valid_after); | 266 not_valid_after); |
| 255 if (!cert) | 267 if (!cert) |
| 256 return false; | 268 return false; |
| 257 | 269 |
| 258 if (!SignCertificate(cert, key->key())) { | 270 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { |
| 259 CERT_DestroyCertificate(cert); | 271 CERT_DestroyCertificate(cert); |
| 260 return false; | 272 return false; |
| 261 } | 273 } |
| 262 | 274 |
| 263 der_cert->assign(reinterpret_cast<char*>(cert->derCert.data), | 275 der_cert->assign(reinterpret_cast<char*>(cert->derCert.data), |
| 264 cert->derCert.len); | 276 cert->derCert.len); |
| 265 CERT_DestroyCertificate(cert); | 277 CERT_DestroyCertificate(cert); |
| 266 return true; | 278 return true; |
| 267 } | 279 } |
| 268 | 280 |
| 269 bool IsSupportedValidityRange(base::Time not_valid_before, | 281 bool IsSupportedValidityRange(base::Time not_valid_before, |
| 270 base::Time not_valid_after) { | 282 base::Time not_valid_after) { |
| 271 CERTValidity* validity = CERT_CreateValidity( | 283 CERTValidity* validity = CERT_CreateValidity( |
| 272 crypto::BaseTimeToPRTime(not_valid_before), | 284 crypto::BaseTimeToPRTime(not_valid_before), |
| 273 crypto::BaseTimeToPRTime(not_valid_after)); | 285 crypto::BaseTimeToPRTime(not_valid_after)); |
| 274 | 286 |
| 275 if (!validity) | 287 if (!validity) |
| 276 return false; | 288 return false; |
| 277 | 289 |
| 278 CERT_DestroyValidity(validity); | 290 CERT_DestroyValidity(validity); |
| 279 return true; | 291 return true; |
| 280 } | 292 } |
| 281 | 293 |
| 282 bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key, | 294 bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key, |
| 295 DigestAlgorithm alg, |
| 283 const std::string& domain, | 296 const std::string& domain, |
| 284 uint32 serial_number, | 297 uint32 serial_number, |
| 285 base::Time not_valid_before, | 298 base::Time not_valid_before, |
| 286 base::Time not_valid_after, | 299 base::Time not_valid_after, |
| 287 std::string* der_cert) { | 300 std::string* der_cert) { |
| 288 DCHECK(key); | 301 DCHECK(key); |
| 289 | 302 |
| 290 CERTCertificate* cert = CreateCertificate(key->public_key(), | 303 CERTCertificate* cert = CreateCertificate(key->public_key(), |
| 291 "CN=anonymous.invalid", | 304 "CN=anonymous.invalid", |
| 292 serial_number, | 305 serial_number, |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 334 return false; | 347 return false; |
| 335 } | 348 } |
| 336 | 349 |
| 337 // Copy extension into x509 cert | 350 // Copy extension into x509 cert |
| 338 if (CERT_FinishExtensions(cert_handle) != SECSuccess){ | 351 if (CERT_FinishExtensions(cert_handle) != SECSuccess){ |
| 339 LOG(ERROR) << "Unable to copy extension to X509 cert"; | 352 LOG(ERROR) << "Unable to copy extension to X509 cert"; |
| 340 CERT_DestroyCertificate(cert); | 353 CERT_DestroyCertificate(cert); |
| 341 return false; | 354 return false; |
| 342 } | 355 } |
| 343 | 356 |
| 344 if (!SignCertificate(cert, key->key())) { | 357 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { |
| 345 CERT_DestroyCertificate(cert); | 358 CERT_DestroyCertificate(cert); |
| 346 return false; | 359 return false; |
| 347 } | 360 } |
| 348 | 361 |
| 349 DCHECK(cert->derCert.len); | 362 DCHECK(cert->derCert.len); |
| 350 // XXX copied from X509Certificate::GetDEREncoded | 363 // XXX copied from X509Certificate::GetDEREncoded |
| 351 der_cert->clear(); | 364 der_cert->clear(); |
| 352 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), | 365 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), |
| 353 cert->derCert.len); | 366 cert->derCert.len); |
| 354 CERT_DestroyCertificate(cert); | 367 CERT_DestroyCertificate(cert); |
| (...skipping 261 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 616 } | 629 } |
| 617 | 630 |
| 618 return new_name; | 631 return new_name; |
| 619 } | 632 } |
| 620 | 633 |
| 621 #endif // defined(USE_NSS) || defined(OS_IOS) | 634 #endif // defined(USE_NSS) || defined(OS_IOS) |
| 622 | 635 |
| 623 } // namespace x509_util | 636 } // namespace x509_util |
| 624 | 637 |
| 625 } // namespace net | 638 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 27832002:
Sign self-signed certs with SHA256. (Closed)
Base URL: https://src.chromium.org/chrome/trunk/src/