| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
| 6 #include "net/cert/x509_util_openssl.h" | 6 #include "net/cert/x509_util_openssl.h" |
| 7 | 7 |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 | 9 |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "base/strings/string_piece.h" | 11 #include "base/strings/string_piece.h" |
| 12 #include "crypto/openssl_util.h" | 12 #include "crypto/openssl_util.h" |
| 13 #include "crypto/rsa_private_key.h" | 13 #include "crypto/rsa_private_key.h" |
| 14 #include "net/cert/x509_cert_types.h" | 14 #include "net/cert/x509_cert_types.h" |
| 15 | 15 |
| 16 namespace net { | 16 namespace net { |
| 17 | 17 |
| 18 namespace { |
| 19 |
| 20 const EVP_MD* HashAlgorithmToEVP(crypto::HMAC::HashAlgorithm alg) { |
| 21 switch (alg) { |
| 22 case crypto::HMAC::SHA1: |
| 23 return EVP_sha1(); |
| 24 case crypto::HMAC::SHA256: |
| 25 return EVP_sha256(); |
| 26 } |
| 27 return NULL; |
| 28 } |
| 29 |
| 30 } // namespace |
| 31 |
| 18 namespace x509_util { | 32 namespace x509_util { |
| 19 | 33 |
| 20 bool IsSupportedValidityRange(base::Time not_valid_before, | 34 bool IsSupportedValidityRange(base::Time not_valid_before, |
| 21 base::Time not_valid_after) { | 35 base::Time not_valid_after) { |
| 22 if (not_valid_before > not_valid_after) | 36 if (not_valid_before > not_valid_after) |
| 23 return false; | 37 return false; |
| 24 | 38 |
| 25 // The validity field of a certificate can only encode years 1-9999. | 39 // The validity field of a certificate can only encode years 1-9999. |
| 26 | 40 |
| 27 // Compute the base::Time values corresponding to Jan 1st,0001 and | 41 // Compute the base::Time values corresponding to Jan 1st,0001 and |
| (...skipping 15 matching lines...) Expand all Loading... |
| 43 const base::Time kYear10000 = kEpoch + | 57 const base::Time kYear10000 = kEpoch + |
| 44 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000); | 58 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000); |
| 45 | 59 |
| 46 if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 || | 60 if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 || |
| 47 not_valid_after < kYear0001 || not_valid_after >= kYear10000) | 61 not_valid_after < kYear0001 || not_valid_after >= kYear10000) |
| 48 return false; | 62 return false; |
| 49 | 63 |
| 50 return true; | 64 return true; |
| 51 } | 65 } |
| 52 | 66 |
| 53 bool CreateDomainBoundCertEC( | 67 bool CreateDomainBoundCertECInternal( |
| 54 crypto::ECPrivateKey* key, | 68 crypto::ECPrivateKey* key, |
| 69 crypto::HMAC::HashAlgorithm alg, |
| 55 const std::string& domain, | 70 const std::string& domain, |
| 56 uint32 serial_number, | 71 uint32 serial_number, |
| 57 base::Time not_valid_before, | 72 base::Time not_valid_before, |
| 58 base::Time not_valid_after, | 73 base::Time not_valid_after, |
| 59 std::string* der_cert) { | 74 std::string* der_cert) { |
| 60 NOTIMPLEMENTED(); | 75 NOTIMPLEMENTED(); |
| 61 return false; | 76 return false; |
| 62 } | 77 } |
| 63 | 78 |
| 64 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, | 79 bool CreateSelfSignedCertInternal(crypto::RSAPrivateKey* key, |
| 65 const std::string& common_name, | 80 crypto::HMAC::HashAlgorithm alg, |
| 66 uint32 serial_number, | 81 const std::string& common_name, |
| 67 base::Time not_valid_before, | 82 uint32 serial_number, |
| 68 base::Time not_valid_after, | 83 base::Time not_valid_before, |
| 69 std::string* der_encoded) { | 84 base::Time not_valid_after, |
| 85 std::string* der_encoded) { |
| 70 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 86 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 71 static const char kCommonNamePrefix[] = "CN="; | 87 static const char kCommonNamePrefix[] = "CN="; |
| 72 const size_t kCommonNamePrefixLen = sizeof(kCommonNamePrefix) - 1; | 88 const size_t kCommonNamePrefixLen = sizeof(kCommonNamePrefix) - 1; |
| 73 | 89 |
| 74 // Put the serial number into an OpenSSL-friendly object. | 90 // Put the serial number into an OpenSSL-friendly object. |
| 75 crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free> asn1_serial( | 91 crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free> asn1_serial( |
| 76 ASN1_INTEGER_new()); | 92 ASN1_INTEGER_new()); |
| 77 if (!asn1_serial.get() || | 93 if (!asn1_serial.get() || |
| 78 !ASN1_INTEGER_set(asn1_serial.get(), static_cast<long>(serial_number))) { | 94 !ASN1_INTEGER_set(asn1_serial.get(), static_cast<long>(serial_number))) { |
| 79 LOG(ERROR) << "Invalid serial number " << serial_number; | 95 LOG(ERROR) << "Invalid serial number " << serial_number; |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 132 !X509_set_pubkey(cert.get(), key->key()) || | 148 !X509_set_pubkey(cert.get(), key->key()) || |
| 133 !X509_set_serialNumber(cert.get(), asn1_serial.get()) || | 149 !X509_set_serialNumber(cert.get(), asn1_serial.get()) || |
| 134 !X509_set_notBefore(cert.get(), asn1_not_before_time.get()) || | 150 !X509_set_notBefore(cert.get(), asn1_not_before_time.get()) || |
| 135 !X509_set_notAfter(cert.get(), asn1_not_after_time.get()) || | 151 !X509_set_notAfter(cert.get(), asn1_not_after_time.get()) || |
| 136 !X509_set_subject_name(cert.get(), name.get()) || | 152 !X509_set_subject_name(cert.get(), name.get()) || |
| 137 !X509_set_issuer_name(cert.get(), name.get())) { | 153 !X509_set_issuer_name(cert.get(), name.get())) { |
| 138 LOG(ERROR) << "Could not create certificate"; | 154 LOG(ERROR) << "Could not create certificate"; |
| 139 return false; | 155 return false; |
| 140 } | 156 } |
| 141 | 157 |
| 158 // Get the message digest algorithm |
| 159 const EVP_MD* md = HashAlgorithmToEVP(alg); |
| 160 if (!md) { |
| 161 LOG(ERROR) << "Unrecognized hash algorithm."; |
| 162 return false; |
| 163 } |
| 164 |
| 142 // Sign it with the private key. | 165 // Sign it with the private key. |
| 143 if (!X509_sign(cert.get(), key->key(), EVP_sha1())) { | 166 if (!X509_sign(cert.get(), key->key(), md)) { |
| 144 LOG(ERROR) << "Could not sign certificate with key."; | 167 LOG(ERROR) << "Could not sign certificate with key."; |
| 145 return false; | 168 return false; |
| 146 } | 169 } |
| 147 | 170 |
| 148 // Convert it into a DER-encoded string copied to |der_encoded|. | 171 // Convert it into a DER-encoded string copied to |der_encoded|. |
| 149 int der_data_length = i2d_X509(cert.get(), NULL); | 172 int der_data_length = i2d_X509(cert.get(), NULL); |
| 150 if (der_data_length < 0) | 173 if (der_data_length < 0) |
| 151 return false; | 174 return false; |
| 152 | 175 |
| 153 der_encoded->resize(static_cast<size_t>(der_data_length)); | 176 der_encoded->resize(static_cast<size_t>(der_data_length)); |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 211 x509_time->length); | 234 x509_time->length); |
| 212 | 235 |
| 213 CertDateFormat format = x509_time->type == V_ASN1_UTCTIME ? | 236 CertDateFormat format = x509_time->type == V_ASN1_UTCTIME ? |
| 214 CERT_DATE_FORMAT_UTC_TIME : CERT_DATE_FORMAT_GENERALIZED_TIME; | 237 CERT_DATE_FORMAT_UTC_TIME : CERT_DATE_FORMAT_GENERALIZED_TIME; |
| 215 return ParseCertificateDate(str_date, format, time); | 238 return ParseCertificateDate(str_date, format, time); |
| 216 } | 239 } |
| 217 | 240 |
| 218 } // namespace x509_util | 241 } // namespace x509_util |
| 219 | 242 |
| 220 } // namespace net | 243 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 27832002:
Sign self-signed certs with SHA256. (Closed)
Base URL: https://src.chromium.org/chrome/trunk/src/