Chromium Code Reviews Chromium Code Reviews
Issue 27832002:
Sign self-signed certs with SHA256. (Closed)
Base URL: https://src.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
| 6 | 6 |
| 7 #include "base/basictypes.h" | |
| 8 #include "base/memory/scoped_ptr.h" | |
| 7 #include "base/time/time.h" | 9 #include "base/time/time.h" |
| 10 #include "crypto/ec_private_key.h" | |
| 11 #include "crypto/rsa_private_key.h" | |
| 8 #include "net/cert/x509_certificate.h" | 12 #include "net/cert/x509_certificate.h" |
| 9 | 13 |
| 10 namespace net { | 14 namespace net { |
| 11 | 15 |
| 12 namespace x509_util { | 16 namespace x509_util { |
| 13 | 17 |
| 18 // RSA keys created by CreateKeyAndSelfSignedCert will be of this length. | |
| 19 static const uint16 kRSAKeyLength = 1024; | |
|
Ryan Sleevi
2013/10/18 22:45:23
Switching to SHA-256 but using RSA-1024 provides n
bemasc
2013/10/19 00:47:45
Done.
bemasc
2013/10/21 17:46:06
I've switched this back to RSA-1024. juberti@ rec
| |
| 20 | |
| 21 // Certificates created by CreateKeyAndSelfSignedCert will be signed with this | |
| 22 // digest algorithm. | |
|
Ryan Sleevi
2013/10/18 22:45:23
It's a bit odd, this comment, since you use it in
bemasc
2013/10/19 00:47:45
Fixed.
| |
| 23 static const crypto::HMAC::HashAlgorithm kSignatureDigestAlgorithm = | |
| 24 crypto::HMAC::SHA256; | |
| 25 | |
| 14 ClientCertSorter::ClientCertSorter() : now_(base::Time::Now()) {} | 26 ClientCertSorter::ClientCertSorter() : now_(base::Time::Now()) {} |
| 15 | 27 |
| 16 bool ClientCertSorter::operator()( | 28 bool ClientCertSorter::operator()( |
| 17 const scoped_refptr<X509Certificate>& a, | 29 const scoped_refptr<X509Certificate>& a, |
| 18 const scoped_refptr<X509Certificate>& b) const { | 30 const scoped_refptr<X509Certificate>& b) const { |
| 19 // Certificates that are null are sorted last. | 31 // Certificates that are null are sorted last. |
| 20 if (!a.get() || !b.get()) | 32 if (!a.get() || !b.get()) |
| 21 return a.get() && !b.get(); | 33 return a.get() && !b.get(); |
| 22 | 34 |
| 23 // Certificates that are expired/not-yet-valid are sorted last. | 35 // Certificates that are expired/not-yet-valid are sorted last. |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 37 return a->valid_start() > b->valid_start(); | 49 return a->valid_start() > b->valid_start(); |
| 38 | 50 |
| 39 // Otherwise, prefer client certificates with shorter chains. | 51 // Otherwise, prefer client certificates with shorter chains. |
| 40 const X509Certificate::OSCertHandles& a_intermediates = | 52 const X509Certificate::OSCertHandles& a_intermediates = |
| 41 a->GetIntermediateCertificates(); | 53 a->GetIntermediateCertificates(); |
| 42 const X509Certificate::OSCertHandles& b_intermediates = | 54 const X509Certificate::OSCertHandles& b_intermediates = |
| 43 b->GetIntermediateCertificates(); | 55 b->GetIntermediateCertificates(); |
| 44 return a_intermediates.size() < b_intermediates.size(); | 56 return a_intermediates.size() < b_intermediates.size(); |
| 45 } | 57 } |
| 46 | 58 |
| 59 bool CreateKeyAndDomainBoundCertEC(const std::string& domain, | |
| 60 uint32 serial_number, | |
| 61 base::Time not_valid_before, | |
| 62 base::Time not_valid_after, | |
| 63 crypto::ECPrivateKey** key, | |
| 64 std::string* der_cert) { | |
| 65 scoped_ptr<crypto::ECPrivateKey> new_key(crypto::ECPrivateKey::Create()); | |
| 66 if (!new_key.get()) | |
| 67 return false; | |
| 68 | |
| 69 bool success = CreateDomainBoundCertECInternal(new_key.get(), | |
| 70 kSignatureDigestAlgorithm, | |
| 71 domain, | |
| 72 serial_number, | |
| 73 not_valid_before, | |
| 74 not_valid_after, | |
| 75 der_cert); | |
| 76 if (success) { | |
| 77 *key = new_key.release(); | |
| 78 } | |
| 79 return success; | |
| 80 } | |
| 81 | |
| 82 bool CreateKeyAndSelfSignedCert(const std::string& subject, | |
| 83 uint32 serial_number, | |
| 84 base::Time not_valid_before, | |
| 85 base::Time not_valid_after, | |
| 86 crypto::RSAPrivateKey** key, | |
| 87 std::string* der_cert) { | |
| 88 scoped_ptr<crypto::RSAPrivateKey> new_key( | |
| 89 crypto::RSAPrivateKey::Create(kRSAKeyLength)); | |
| 90 if (!new_key.get()) | |
| 91 return false; | |
| 92 | |
| 93 bool success = CreateSelfSignedCertInternal(new_key.get(), | |
| 94 kSignatureDigestAlgorithm, | |
| 95 subject, | |
| 96 serial_number, | |
| 97 not_valid_before, | |
| 98 not_valid_after, | |
| 99 der_cert); | |
| 100 if (success) { | |
| 101 *key = new_key.release(); | |
| 102 } | |
| 103 return success; | |
| 104 } | |
| 105 | |
| 106 bool CreateSha1SelfSignedCert(crypto::RSAPrivateKey* key, | |
| 107 const std::string& subject, | |
| 108 uint32 serial_number, | |
| 109 base::Time not_valid_before, | |
| 110 base::Time not_valid_after, | |
| 111 std::string* der_cert) { | |
| 112 return CreateSelfSignedCertInternal(key, | |
| 113 crypto::HMAC::SHA1, | |
| 114 subject, | |
| 115 serial_number, | |
| 116 not_valid_before, | |
| 117 not_valid_after, | |
| 118 der_cert); | |
| 119 } | |
| 120 | |
| 47 } // namespace x509_util | 121 } // namespace x509_util |
| 48 | 122 |
| 49 } // namespace net | 123 } // namespace net |
| OLD | NEW |
