net/cert/x509_util.h - Issue 27832002: Sign self-signed certs with SHA256.

Side by Side Diff: net/cert/x509_util.h

Issue 27832002: Sign self-signed certs with SHA256. (Closed) Base URL: https://src.chromium.org/chrome/trunk/src/

Patch Set: Created 7 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_CERT_X509_UTIL_H_	5 #ifndef NET_CERT_X509_UTIL_H_

6 #define NET_CERT_X509_UTIL_H_	6 #define NET_CERT_X509_UTIL_H_

7	7

8 #include <string>	8 #include <string>

9	9

10 #include "base/memory/ref_counted.h"	10 #include "base/memory/ref_counted.h"

11 #include "base/time/time.h"	11 #include "base/time/time.h"

	12 #include "crypto/hmac.h"

12 #include "net/base/net_export.h"	13 #include "net/base/net_export.h"

13	14

14 namespace crypto {	15 namespace crypto {

15 class ECPrivateKey;	16 class ECPrivateKey;

16 class RSAPrivateKey;	17 class RSAPrivateKey;

17 }	18 }

18	19

19 namespace net {	20 namespace net {

20	21

21 class X509Certificate;	22 class X509Certificate;

22	23

23 namespace x509_util {	24 namespace x509_util {

24	25

25 // Returns true if the times can be used to create an X.509 certificate.	26 // Returns true if the times can be used to create an X.509 certificate.

26 // Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999. A bug in NSS	27 // Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999. A bug in NSS

27 // limited the range to 1950-9999	28 // limited the range to 1950-9999

28 // (https://bugzilla.mozilla.org/show_bug.cgi?id=786531). This function will	29 // (https://bugzilla.mozilla.org/show_bug.cgi?id=786531). This function will

29 // return whether it is supported by the currently used crypto library.	30 // return whether it is supported by the currently used crypto library.

30 NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,	31 NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,

31 base::Time not_valid_after);	32 base::Time not_valid_after);

32	33

33 // Creates a server bound certificate containing the public key in \|key\|.	34 // Creates a private keypair and server bound certificate.

34 // Domain, serial number and validity period are given as	35 // Domain, serial number and validity period are given as

35 // parameters. The certificate is signed by the private key in \|key\|.	36 // parameters. The certificate is signed by the private key in \|key\|.

36 // The hashing algorithm for the signature is SHA-1.	37 // The signature algorithm may be updated periodically to match best practices.

37 //	38 //

38 // See Internet Draft draft-balfanz-tls-obc-00 for more details:	39 // See Internet Draft draft-balfanz-tls-obc-00 for more details:

39 // http://tools.ietf.org/html/draft-balfanz-tls-obc-00	40 // http://tools.ietf.org/html/draft-balfanz-tls-obc-00

40 NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(	41 NET_EXPORT_PRIVATE bool CreateKeyAndDomainBoundCertEC(

	42 const std::string& domain,

	43 uint32 serial_number,

	44 base::Time not_valid_before,

	45 base::Time not_valid_after,

	46 crypto::ECPrivateKey** key,
	Ryan Sleevi 2013/10/18 22:45:23 Pass a scoped_ptr<crypto::ECPrivateKey>, rather t Pass a scoped_ptr<crypto::ECPrivateKey>, rather than a pointer-pointer. bemasc 2013/10/19 00:47:45 Done. Show quoted text On 2013/10/18 22:45:23, Ryan Sleevi wrote: > Pass a scoped_ptr<crypto::ECPrivateKey>*, rather than a pointer-pointer. Done.
	47 std::string* der_cert);

	48

	49 // Helper function for CreateKeyAndDomainBoundCertEC

	50 NET_EXPORT_PRIVATE bool CreateDomainBoundCertECInternal(

41 crypto::ECPrivateKey* key,	51 crypto::ECPrivateKey* key,

	52 crypto::HMAC::HashAlgorithm alg,
	Ryan Sleevi 2013/10/18 22:45:23 The dependency on crypto::HMAC is wrong here. Lik The dependency on crypto::HMAC is wrong here. Likewise, you don't need to expose this in a public header. bemasc 2013/10/19 00:47:45 I'm not sure what you mean. Show quoted text On 2013/10/18 22:45:23, Ryan Sleevi wrote: > The dependency on crypto::HMAC is wrong here. I'm not sure what you mean. Show quoted text > Likewise, you don't need to expose this in a public header. In light of the new design, I've removed "Internal" from the name. Ryan Sleevi 2013/10/21 17:56:14 I meant that X.509 has nothing to do with HMAC. Yo Show quoted text On 2013/10/19 00:47:45, bemasc wrote: > On 2013/10/18 22:45:23, Ryan Sleevi wrote: > > The dependency on crypto::HMAC is wrong here. > > I'm not sure what you mean. I meant that X.509 has nothing to do with HMAC. You're just overloading it because it has hash names. I see us either moving crypto::HMAC::HashAlgorithm into crypto/, or making a specific hash algorithm for the cert. Having crypto::HashTo[EVP/OidTag] in crypto_util_openssl/crypto_util_nss is one approach, so that these functions can use it, or simply defining a new enum for the supported cert hash algs. Considering that there are other types of cert types that don't align with HMAC (eg: RSA-PSS), I don't want us to overload the enum. Show quoted text > > > Likewise, you don't need to expose this in a public header. > > In light of the new design, I've removed "Internal" from the name.
42 const std::string& domain,	53 const std::string& domain,

43 uint32 serial_number,	54 uint32 serial_number,

44 base::Time not_valid_before,	55 base::Time not_valid_before,

45 base::Time not_valid_after,	56 base::Time not_valid_after,

46 std::string* der_cert);	57 std::string* der_cert);

47	58

48 // Create a self-signed certificate containing the public key in \|key\|.	59 // Creates a public-private keypair and a self-signed certificate.

49 // Subject, serial number and validity period are given as parameters.	60 // Subject, serial number and validity period are given as parameters.

50 // The certificate is signed by the private key in \|key\|. The hashing	61 // The certificate is signed by the private key in \|key\|. The key length and

51 // algorithm for the signature is SHA-1.	62 // signature algorithm may be updated periodically to match best practices.

52 //	63 //

53 // \|subject\| is a distinguished name defined in RFC4514 with _only_ a CN	64 // \|subject\| is a distinguished name defined in RFC4514 with _only_ a CN

54 // component, as in:	65 // component, as in:

55 // CN=Michael Wong	66 // CN=Michael Wong

56 //	67 //

57 // SECURITY WARNING	68 // SECURITY WARNING

58 //	69 //

59 // Using self-signed certificates has the following security risks:	70 // Using self-signed certificates has the following security risks:

60 // 1. Encryption without authentication and thus vulnerable to	71 // 1. Encryption without authentication and thus vulnerable to

61 // man-in-the-middle attacks.	72 // man-in-the-middle attacks.

62 // 2. Self-signed certificates cannot be revoked.	73 // 2. Self-signed certificates cannot be revoked.

63 //	74 //

64 // Use this certificate only after the above risks are acknowledged.	75 // Use this certificate only after the above risks are acknowledged.

65 NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,	76 NET_EXPORT bool CreateKeyAndSelfSignedCert(const std::string& subject,

66 const std::string& subject,	77 uint32 serial_number,

67 uint32 serial_number,	78 base::Time not_valid_before,

68 base::Time not_valid_before,	79 base::Time not_valid_after,

69 base::Time not_valid_after,	80 crypto::RSAPrivateKey** key,
	Ryan Sleevi 2013/10/18 22:45:23 ditto scoped_ptr ditto scoped_ptr bemasc 2013/10/19 00:47:45 Done. Show quoted text On 2013/10/18 22:45:23, Ryan Sleevi wrote: > ditto scoped_ptr Done.
70 std::string* der_cert);	81 std::string* der_cert);

	82

	83 // Helper function for CreateKeyAndSelfSignedCert.

	84 NET_EXPORT_PRIVATE bool CreateSelfSignedCertInternal(

	85 crypto::RSAPrivateKey* key,

	86 crypto::HMAC::HashAlgorithm alg,

	87 const std::string& subject,

	88 uint32 serial_number,

	89 base::Time not_valid_before,

	90 base::Time not_valid_after,

	91 std::string* der_cert);

	92

	93 // Legacy certificate signing function. This function is preserved here because

	94 // best practices suggest that keys signed with one hash algorithm should not be

	95 // signed again later with a different algorithm. Eventually, all users of this
	Ryan Sleevi 2013/10/18 22:45:23 You're not signing keys, you're signing data with You're not signing keys, you're signing data with a key. because you should not re-use a key for signing data with multiple signature algorithms or parameters. bemasc 2013/10/19 00:47:45 Done. Show quoted text On 2013/10/18 22:45:23, Ryan Sleevi wrote: > You're not signing keys, you're signing data with a key. > > because you should not re-use a key for signing data with multiple signature > algorithms or parameters. Done. bemasc 2013/10/19 00:47:45 Removed this function. Removed this function.
	96 // function should migrate to CreateKeyAndSelfSignedCert.

	97 NET_EXPORT bool CreateSha1SelfSignedCert(crypto::RSAPrivateKey* key,

	98 const std::string& subject,

	99 uint32 serial_number,

	100 base::Time not_valid_before,

	101 base::Time not_valid_after,

	102 std::string* der_cert);

71	103

72 // Comparator for use in STL algorithms that will sort client certificates by	104 // Comparator for use in STL algorithms that will sort client certificates by

73 // order of preference.	105 // order of preference.

74 // Returns true if \|a\| is more preferable than \|b\|, allowing it to be used	106 // Returns true if \|a\| is more preferable than \|b\|, allowing it to be used

75 // with any algorithm that compares according to strict weak ordering.	107 // with any algorithm that compares according to strict weak ordering.

76 //	108 //

77 // Criteria include:	109 // Criteria include:

78 // - Prefer certificates that have a longer validity period (later	110 // - Prefer certificates that have a longer validity period (later

79 // expiration dates)	111 // expiration dates)

80 // - If equal, prefer certificates that were issued more recently	112 // - If equal, prefer certificates that were issued more recently

81 // - If equal, prefer shorter chains (if available)	113 // - If equal, prefer shorter chains (if available)

82 class NET_EXPORT_PRIVATE ClientCertSorter {	114 class NET_EXPORT_PRIVATE ClientCertSorter {

83 public:	115 public:

84 ClientCertSorter();	116 ClientCertSorter();

85	117

86 bool operator()(	118 bool operator()(

87 const scoped_refptr<X509Certificate>& a,	119 const scoped_refptr<X509Certificate>& a,

88 const scoped_refptr<X509Certificate>& b) const;	120 const scoped_refptr<X509Certificate>& b) const;

89	121

90 private:	122 private:

91 base::Time now_;	123 base::Time now_;

92 };	124 };

93	125

94 } // namespace x509_util	126 } // namespace x509_util

95	127

96 } // namespace net	128 } // namespace net

97	129

98 #endif // NET_CERT_X509_UTIL_H_	130 #endif // NET_CERT_X509_UTIL_H_

OLD	NEW

« no previous file with comments | « content/browser/media/webrtc_identity_store.cc ('k') | net/cert/x509_util.cc » ('j') | net/cert/x509_util.cc » ('J')