| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
| 6 #include "net/cert/x509_util_openssl.h" | 6 #include "net/cert/x509_util_openssl.h" |
| 7 | 7 |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 | 9 |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "base/strings/string_piece.h" | 11 #include "base/strings/string_piece.h" |
| 12 #include "crypto/openssl_util.h" | 12 #include "crypto/openssl_util.h" |
| 13 #include "crypto/rsa_private_key.h" | 13 #include "crypto/rsa_private_key.h" |
| 14 #include "net/cert/x509_cert_types.h" | 14 #include "net/cert/x509_cert_types.h" |
| 15 | 15 |
| 16 namespace net { | 16 namespace net { |
| 17 | 17 |
| 18 namespace { |
| 19 |
| 20 const EVP_MD* ToEVP(x509_util::DigestAlgorithm alg) { |
| 21 switch (alg) { |
| 22 case x509_util::DIGEST_SHA1: |
| 23 return EVP_sha1(); |
| 24 case x509_util::DIGEST_SHA256: |
| 25 return EVP_sha256(); |
| 26 } |
| 27 return NULL; |
| 28 } |
| 29 |
| 30 } // namespace |
| 31 |
| 18 namespace x509_util { | 32 namespace x509_util { |
| 19 | 33 |
| 20 bool IsSupportedValidityRange(base::Time not_valid_before, | 34 bool IsSupportedValidityRange(base::Time not_valid_before, |
| 21 base::Time not_valid_after) { | 35 base::Time not_valid_after) { |
| 22 if (not_valid_before > not_valid_after) | 36 if (not_valid_before > not_valid_after) |
| 23 return false; | 37 return false; |
| 24 | 38 |
| 25 // The validity field of a certificate can only encode years 1-9999. | 39 // The validity field of a certificate can only encode years 1-9999. |
| 26 | 40 |
| 27 // Compute the base::Time values corresponding to Jan 1st,0001 and | 41 // Compute the base::Time values corresponding to Jan 1st,0001 and |
| (...skipping 15 matching lines...) Expand all Loading... |
| 43 const base::Time kYear10000 = kEpoch + | 57 const base::Time kYear10000 = kEpoch + |
| 44 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000); | 58 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000); |
| 45 | 59 |
| 46 if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 || | 60 if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 || |
| 47 not_valid_after < kYear0001 || not_valid_after >= kYear10000) | 61 not_valid_after < kYear0001 || not_valid_after >= kYear10000) |
| 48 return false; | 62 return false; |
| 49 | 63 |
| 50 return true; | 64 return true; |
| 51 } | 65 } |
| 52 | 66 |
| 53 bool CreateDomainBoundCertEC( | 67 bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key, |
| 54 crypto::ECPrivateKey* key, | 68 DigestAlgorithm alg, |
| 55 const std::string& domain, | 69 const std::string& domain, |
| 56 uint32 serial_number, | 70 uint32 serial_number, |
| 57 base::Time not_valid_before, | 71 base::Time not_valid_before, |
| 58 base::Time not_valid_after, | 72 base::Time not_valid_after, |
| 59 std::string* der_cert) { | 73 std::string* der_cert) { |
| 60 NOTIMPLEMENTED(); | 74 NOTIMPLEMENTED(); |
| 61 return false; | 75 return false; |
| 62 } | 76 } |
| 63 | 77 |
| 64 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, | 78 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, |
| 79 DigestAlgorithm alg, |
| 65 const std::string& common_name, | 80 const std::string& common_name, |
| 66 uint32 serial_number, | 81 uint32 serial_number, |
| 67 base::Time not_valid_before, | 82 base::Time not_valid_before, |
| 68 base::Time not_valid_after, | 83 base::Time not_valid_after, |
| 69 std::string* der_encoded) { | 84 std::string* der_encoded) { |
| 70 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 85 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 71 static const char kCommonNamePrefix[] = "CN="; | 86 static const char kCommonNamePrefix[] = "CN="; |
| 72 const size_t kCommonNamePrefixLen = sizeof(kCommonNamePrefix) - 1; | 87 const size_t kCommonNamePrefixLen = sizeof(kCommonNamePrefix) - 1; |
| 73 | 88 |
| 74 // Put the serial number into an OpenSSL-friendly object. | 89 // Put the serial number into an OpenSSL-friendly object. |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 132 !X509_set_pubkey(cert.get(), key->key()) || | 147 !X509_set_pubkey(cert.get(), key->key()) || |
| 133 !X509_set_serialNumber(cert.get(), asn1_serial.get()) || | 148 !X509_set_serialNumber(cert.get(), asn1_serial.get()) || |
| 134 !X509_set_notBefore(cert.get(), asn1_not_before_time.get()) || | 149 !X509_set_notBefore(cert.get(), asn1_not_before_time.get()) || |
| 135 !X509_set_notAfter(cert.get(), asn1_not_after_time.get()) || | 150 !X509_set_notAfter(cert.get(), asn1_not_after_time.get()) || |
| 136 !X509_set_subject_name(cert.get(), name.get()) || | 151 !X509_set_subject_name(cert.get(), name.get()) || |
| 137 !X509_set_issuer_name(cert.get(), name.get())) { | 152 !X509_set_issuer_name(cert.get(), name.get())) { |
| 138 LOG(ERROR) << "Could not create certificate"; | 153 LOG(ERROR) << "Could not create certificate"; |
| 139 return false; | 154 return false; |
| 140 } | 155 } |
| 141 | 156 |
| 157 // Get the message digest algorithm |
| 158 const EVP_MD* md = ToEVP(alg); |
| 159 if (!md) { |
| 160 LOG(ERROR) << "Unrecognized hash algorithm."; |
| 161 return false; |
| 162 } |
| 163 |
| 142 // Sign it with the private key. | 164 // Sign it with the private key. |
| 143 if (!X509_sign(cert.get(), key->key(), EVP_sha1())) { | 165 if (!X509_sign(cert.get(), key->key(), md)) { |
| 144 LOG(ERROR) << "Could not sign certificate with key."; | 166 LOG(ERROR) << "Could not sign certificate with key."; |
| 145 return false; | 167 return false; |
| 146 } | 168 } |
| 147 | 169 |
| 148 // Convert it into a DER-encoded string copied to |der_encoded|. | 170 // Convert it into a DER-encoded string copied to |der_encoded|. |
| 149 int der_data_length = i2d_X509(cert.get(), NULL); | 171 int der_data_length = i2d_X509(cert.get(), NULL); |
| 150 if (der_data_length < 0) | 172 if (der_data_length < 0) |
| 151 return false; | 173 return false; |
| 152 | 174 |
| 153 der_encoded->resize(static_cast<size_t>(der_data_length)); | 175 der_encoded->resize(static_cast<size_t>(der_data_length)); |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 211 x509_time->length); | 233 x509_time->length); |
| 212 | 234 |
| 213 CertDateFormat format = x509_time->type == V_ASN1_UTCTIME ? | 235 CertDateFormat format = x509_time->type == V_ASN1_UTCTIME ? |
| 214 CERT_DATE_FORMAT_UTC_TIME : CERT_DATE_FORMAT_GENERALIZED_TIME; | 236 CERT_DATE_FORMAT_UTC_TIME : CERT_DATE_FORMAT_GENERALIZED_TIME; |
| 215 return ParseCertificateDate(str_date, format, time); | 237 return ParseCertificateDate(str_date, format, time); |
| 216 } | 238 } |
| 217 | 239 |
| 218 } // namespace x509_util | 240 } // namespace x509_util |
| 219 | 241 |
| 220 } // namespace net | 242 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 27832002:
Sign self-signed certs with SHA256. (Closed)
Base URL: https://src.chromium.org/chrome/trunk/src/