| Index: net/cert/x509_util.h
|
| ===================================================================
|
| --- net/cert/x509_util.h (revision 228925)
|
| +++ net/cert/x509_util.h (working copy)
|
| @@ -9,6 +9,7 @@
|
|
|
| #include "base/memory/ref_counted.h"
|
| #include "base/time/time.h"
|
| +#include "crypto/hmac.h"
|
| #include "net/base/net_export.h"
|
|
|
| namespace crypto {
|
| @@ -30,25 +31,35 @@
|
| NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,
|
| base::Time not_valid_after);
|
|
|
| -// Creates a server bound certificate containing the public key in |key|.
|
| +// Creates a private keypair and server bound certificate.
|
| // Domain, serial number and validity period are given as
|
| // parameters. The certificate is signed by the private key in |key|.
|
| -// The hashing algorithm for the signature is SHA-1.
|
| +// The signature algorithm may be updated periodically to match best practices.
|
| //
|
| // See Internet Draft draft-balfanz-tls-obc-00 for more details:
|
| // http://tools.ietf.org/html/draft-balfanz-tls-obc-00
|
| -NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(
|
| +NET_EXPORT_PRIVATE bool CreateKeyAndDomainBoundCertEC(
|
| + const std::string& domain,
|
| + uint32 serial_number,
|
| + base::Time not_valid_before,
|
| + base::Time not_valid_after,
|
| + crypto::ECPrivateKey** key,
|
| + std::string* der_cert);
|
| +
|
| +// Helper function for CreateKeyAndDomainBoundCertEC
|
| +NET_EXPORT_PRIVATE bool CreateDomainBoundCertECInternal(
|
| crypto::ECPrivateKey* key,
|
| + crypto::HMAC::HashAlgorithm alg,
|
| const std::string& domain,
|
| uint32 serial_number,
|
| base::Time not_valid_before,
|
| base::Time not_valid_after,
|
| std::string* der_cert);
|
|
|
| -// Create a self-signed certificate containing the public key in |key|.
|
| +// Creates a public-private keypair and a self-signed certificate.
|
| // Subject, serial number and validity period are given as parameters.
|
| -// The certificate is signed by the private key in |key|. The hashing
|
| -// algorithm for the signature is SHA-1.
|
| +// The certificate is signed by the private key in |key|. The key length and
|
| +// signature algorithm may be updated periodically to match best practices.
|
| //
|
| // |subject| is a distinguished name defined in RFC4514.
|
| //
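Review bot: The new `crypto::ECPrivateKey** key` out-parameter of CreateKeyAndDomainBoundCertEC carries no ownership statement: the comment above it still says the certificate "is signed by the private key in |key|" as if the caller supplied it, but the function now generates the key, so a reader cannot tell that `*key` is a new heap object the caller must take ownership of, nor what `*key` holds when the function returns false. Suggest adding a line such as `// On success |*key| is set to a newly generated key owned by the caller.` plus a sentence on the failure case matching whatever the implementation (not in this diff) guarantees. The same gap applies to the `crypto::RSAPrivateKey** key` parameter of CreateKeyAndSelfSignedCert in the next hunk. The `alg` parameter of the exported helper CreateDomainBoundCertECInternal is also undocumented; `// |alg| selects the digest used for the certificate signature.` would let test callers use it without reading the .cc, and it is worth a note that an HMAC enum is being reused to name a signature digest.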
|
| @@ -63,13 +74,34 @@
|
| // 2. Self-signed certificates cannot be revoked.
|
| //
|
| // Use this certificate only after the above risks are acknowledged.
|
| -NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
|
| - const std::string& subject,
|
| - uint32 serial_number,
|
| - base::Time not_valid_before,
|
| - base::Time not_valid_after,
|
| - std::string* der_cert);
|
| +NET_EXPORT bool CreateKeyAndSelfSignedCert(const std::string& subject,
|
| + uint32 serial_number,
|
| + base::Time not_valid_before,
|
| + base::Time not_valid_after,
|
| + crypto::RSAPrivateKey** key,
|
| + std::string* der_cert);
|
|
|
| +// Helper function for CreateKeyAndSelfSignedCert.
|
| +NET_EXPORT_PRIVATE bool CreateSelfSignedCertInternal(
|
| + crypto::RSAPrivateKey* key,
|
| + crypto::HMAC::HashAlgorithm alg,
|
| + const std::string& subject,
|
| + uint32 serial_number,
|
| + base::Time not_valid_before,
|
| + base::Time not_valid_after,
|
| + std::string* der_cert);
|
| +
|
| +// Legacy certificate signing function. This function is preserved here because
|
| +// best practices suggest that keys signed with one hash algorithm should not be
|
| +// signed again later with a different algorithm. Eventually, all users of this
|
| +// function should migrate to CreateKeyAndSelfSignedCert.
|
| +NET_EXPORT bool CreateSha1SelfSignedCert(crypto::RSAPrivateKey* key,
|
| + const std::string& subject,
|
| + uint32 serial_number,
|
| + base::Time not_valid_before,
|
| + base::Time not_valid_after,
|
| + std::string* der_cert);
|
| +
|
| // Comparator for use in STL algorithms that will sort client certificates by
|
| // order of preference.
|
| // Returns true if |a| is more preferable than |b|, allowing it to be used
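Review bot: CreateSha1SelfSignedCert is added as a plain NET_EXPORT function with nothing that steers new callers away from it; the comment explains why the SHA-1 path is retained, but the migration guidance is only the last sentence and the digest is hard-coded to the algorithm the rest of this change is moving away from. Suggest opening the comment with `// DEPRECATED: do not use in new code; use CreateKeyAndSelfSignedCert instead.` so the intent is visible at the declaration. The rationale sentence also says "keys signed with one hash algorithm should not be signed again", which reads as if the key itself were signed; presumably the point is key reuse across digests, so `// best practices suggest that a key which has produced signatures with one hash algorithm should not later sign with a different one.` states it more precisely. The `alg` parameter of CreateSelfSignedCertInternal is likewise undocumented.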
|
|
|