| Index: net/cert/x509_util.h
|
| ===================================================================
|
| --- net/cert/x509_util.h (revision 231602)
|
| +++ net/cert/x509_util.h (working copy)
|
| @@ -8,6 +8,7 @@
|
| #include <string>
|
|
|
| #include "base/memory/ref_counted.h"
|
| +#include "base/memory/scoped_ptr.h"
|
| #include "base/time/time.h"
|
| #include "net/base/net_export.h"
|
|
|
| @@ -22,6 +23,12 @@
|
|
|
| namespace x509_util {
|
|
|
| +// Supported digest algorithms for signing certificates.
|
| +enum DigestAlgorithm {
|
| + DIGEST_SHA1,
|
| + DIGEST_SHA256
|
| +};
|
| +
|
| // Returns true if the times can be used to create an X.509 certificate.
|
| // Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999. A bug in NSS
|
| // limited the range to 1950-9999
|
| @@ -30,25 +37,34 @@
|
| NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,
|
| base::Time not_valid_after);
|
|
|
| -// Creates a server bound certificate containing the public key in |key|.
|
| +// Creates a private keypair and server bound certificate.
|
| // Domain, serial number and validity period are given as
|
| // parameters. The certificate is signed by the private key in |key|.
|
| -// The hashing algorithm for the signature is SHA-1.
|
| +// The signature algorithm may be updated periodically to match best practices.
|
| //
|
| // See Internet Draft draft-balfanz-tls-obc-00 for more details:
|
| // http://tools.ietf.org/html/draft-balfanz-tls-obc-00
|
| -NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(
|
| - crypto::ECPrivateKey* key,
|
| +NET_EXPORT_PRIVATE bool CreateKeyAndDomainBoundCertEC(
|
| const std::string& domain,
|
| uint32 serial_number,
|
| base::Time not_valid_before,
|
| base::Time not_valid_after,
|
| + scoped_ptr<crypto::ECPrivateKey>* key,
|
| std::string* der_cert);
|
|
|
| -// Create a self-signed certificate containing the public key in |key|.
|
| +// Helper function for CreateKeyAndDomainBoundCertEC.
|
| +NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key,
|
| + DigestAlgorithm alg,
|
| + const std::string& domain,
|
| + uint32 serial_number,
|
| + base::Time not_valid_before,
|
| + base::Time not_valid_after,
|
| + std::string* der_cert);
|
| +
|
| +// Creates a public-private keypair and a self-signed certificate.
|
| // Subject, serial number and validity period are given as parameters.
|
| -// The certificate is signed by the private key in |key|. The hashing
|
| -// algorithm for the signature is SHA-1.
|
| +// The certificate is signed by the private key in |key|. The key length and
|
| +// signature algorithm may be updated periodically to match best practices.
|
| //
|
| // |subject| is a distinguished name defined in RFC4514 with _only_ a CN
|
| // component, as in:
|
| @@ -62,7 +78,19 @@
|
| // 2. Self-signed certificates cannot be revoked.
|
| //
|
| // Use this certificate only after the above risks are acknowledged.
|
| +NET_EXPORT bool CreateKeyAndSelfSignedCert(
|
| + const std::string& subject,
|
| + uint32 serial_number,
|
| + base::Time not_valid_before,
|
| + base::Time not_valid_after,
|
| + scoped_ptr<crypto::RSAPrivateKey>* key,
|
| + std::string* der_cert);
|
| +
|
| +// Creates a self-signed certificate from a provided key, using the specified
|
| +// hash algorithm. You should not re-use a key for signing data with multiple
|
| +// signature algorithms or parameters.
|
| NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
|
| + DigestAlgorithm alg,
|
| const std::string& subject,
|
| uint32 serial_number,
|
| base::Time not_valid_before,
|
|
|
Chromium Code Reviews
Issue 27832002:
Sign self-signed certs with SHA256. (Closed)
Base URL: https://src.chromium.org/chrome/trunk/src/