Sign self-signed certs with SHA256.

net/cert/x509_util_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_util_openssl.h"
 
 #include <algorithm>
 #include <openssl/asn1.h>
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/strings/string_piece.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/openssl_util.h"
 #include "crypto/rsa_private_key.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_util.h"
 
 namespace net {
 
+namespace {
+
+const EVP_MD* ToEVP(x509_util::DigestAlgorithm alg) {
+  switch (alg) {
+    case x509_util::DIGEST_SHA1:
+      return EVP_sha1();
+    case x509_util::DIGEST_SHA256:
+      return EVP_sha256();
+  }
+  return NULL;
+}
+
+}  // namespace
+
 namespace x509_util {
 
 namespace {
 
 X509* CreateCertificate(EVP_PKEY* key,
+                        DigestAlgorithm alg,
                         const std::string& common_name,
                         uint32_t serial_number,
                         base::Time not_valid_before,
                         base::Time not_valid_after) {
   // Put the serial number into an OpenSSL-friendly object.
   crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free> asn1_serial(
       ASN1_INTEGER_new());
   if (!asn1_serial.get() ||
       !ASN1_INTEGER_set(asn1_serial.get(), static_cast<long>(serial_number))) {
     LOG(ERROR) << "Invalid serial number " << serial_number;
@@ skipping 57 matching lines @@
       !X509_set_notAfter(cert.get(), asn1_not_after_time.get()) ||
       !X509_set_subject_name(cert.get(), name.get()) ||
       !X509_set_issuer_name(cert.get(), name.get())) {
     LOG(ERROR) << "Could not create certificate";
     return NULL;
   }
 
   return cert.release();
 }
 
-bool SignAndDerEncodeCert(X509* cert, EVP_PKEY* key, std::string* der_encoded) {
+bool SignAndDerEncodeCert(X509* cert,
+                          EVP_PKEY* key,
+                          DigestAlgorithm alg,
+                          std::string* der_encoded) {
+  // Get the message digest algorithm
+  const EVP_MD* md = ToEVP(alg);
+  if (!md) {
+    LOG(ERROR) << "Unrecognized hash algorithm.";
+    return false;
+  }
+
   // Sign it with the private key.
-  if (!X509_sign(cert, key, EVP_sha1())) {
+  if (!X509_sign(cert, key, md)) {
     LOG(ERROR) << "Could not sign certificate with key.";
     return false;
   }
 
   // Convert it into a DER-encoded string copied to |der_encoded|.
   int der_data_length = i2d_X509(cert, NULL);
   if (der_data_length < 0)
     return false;
 
   der_encoded->resize(der_data_length);
@@ skipping 65 matching lines @@
 
   if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 ||
       not_valid_after < kYear0001 || not_valid_after >= kYear10000)
     return false;
 
   return true;
 }
 
 bool CreateDomainBoundCertEC(
     crypto::ECPrivateKey* key,
+    DigestAlgorithm alg,
     const std::string& domain,
     uint32 serial_number,
     base::Time not_valid_before,
     base::Time not_valid_after,
     std::string* der_cert) {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
   // Create certificate.
   crypto::ScopedOpenSSL<X509, X509_free> cert(
       CreateCertificate(key->key(),
+                        alg,
                         "CN=anonymous.invalid",
                         serial_number,
                         not_valid_before,
                         not_valid_after));
   if (!cert.get())
     return false;
 
   // Add TLS-Channel-ID extension to the certificate before signing it.
   // The value must be stored DER-encoded, as a ASN.1 IA5String.
   crypto::ScopedOpenSSL<ASN1_STRING, ASN1_STRING_free> domain_ia5(
@@ skipping 20 matching lines @@
     return false;
 
   crypto::ScopedOpenSSL<X509_EXTENSION, X509_EXTENSION_free> ext(
       X509_EXTENSION_create_by_OBJ(
           NULL, GetDomainBoundOid(), 1 /* critical */, domain_str.get()));
   if (!ext.get() || !X509_add_ext(cert.get(), ext.get(), -1)) {
     return false;
   }
 
   // Sign and encode it.
-  return SignAndDerEncodeCert(cert.get(), key->key(), der_cert);
+  return SignAndDerEncodeCert(cert.get(), key->key(), alg, der_cert);
 }
 
 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
+                          DigestAlgorithm alg,
                           const std::string& common_name,
                           uint32 serial_number,
                           base::Time not_valid_before,
                           base::Time not_valid_after,
                           std::string* der_encoded) {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
   crypto::ScopedOpenSSL<X509, X509_free> cert(
       CreateCertificate(key->key(),
+                        alg,
                         common_name,
                         serial_number,
                         not_valid_before,
                         not_valid_after));
   if (!cert.get())
     return false;
 
-  return SignAndDerEncodeCert(cert.get(), key->key(), der_encoded);
+  return SignAndDerEncodeCert(cert.get(), key->key(), alg, der_encoded);
 }
 
 bool ParsePrincipalKeyAndValueByIndex(X509_NAME* name,
                                       int index,
                                       std::string* key,
                                       std::string* value) {
   X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, index);
   if (!entry)
     return false;
 
@@ skipping 40 matching lines @@
                              x509_time->length);
 
   CertDateFormat format = x509_time->type == V_ASN1_UTCTIME ?
       CERT_DATE_FORMAT_UTC_TIME : CERT_DATE_FORMAT_GENERALIZED_TIME;
   return ParseCertificateDate(str_date, format, time);
 }
 
 }  // namespace x509_util
 
 }  // namespace net