Unified Diff: net/cert/x509_util_nss.cc

Issue 27832002: Sign self-signed certs with SHA256. (Closed) Base URL: https://src.chromium.org/chrome/trunk/src/
Patch Set: Created 7 years, 2 months ago
Index: net/cert/x509_util_nss.cc
===================================================================
--- net/cert/x509_util_nss.cc (revision 229411)
+++ net/cert/x509_util_nss.cc (working copy)
@@ -134,6 +134,19 @@
return cert;
}
+SECOidTag HashAlgorithmToIdTag(crypto::HMAC::HashAlgorithm alg) {
Ryan Sleevi 2013/10/18 22:45:23 ToSECOid
bemasc 2013/10/19 00:47:45 Done.
+ SECOidTag id_tag = SEC_OID_UNKNOWN;
+ switch (alg) {
+ case crypto::HMAC::SHA1:
+ id_tag = SEC_OID_SHA1;
+ break;
+ case crypto::HMAC::SHA256:
+ id_tag = SEC_OID_SHA256;
+ break;
+ }
+ return id_tag;
+}
+
// Signs a certificate object, with |key| generating a new X509Certificate
// and destroying the passed certificate object (even when NULL is returned).
// The logic of this method references SignCert() in NSS utility certutil:
@@ -142,11 +155,11 @@
// certificate signing process.
bool SignCertificate(
CERTCertificate* cert,
- SECKEYPrivateKey* key) {
+ SECKEYPrivateKey* key,
+ SECOidTag alg_id_tag) {
Ryan Sleevi 2013/10/18 22:45:23 s/alg_id_tag/hash_algorithm/
bemasc 2013/10/19 00:47:45 Done.
// |arena| is used to encode the cert.
PLArenaPool* arena = cert->arena;
- SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->keyType,
- SEC_OID_SHA1);
+ SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->keyType, alg_id_tag);
if (algo_id == SEC_OID_UNKNOWN)
return false;
@@ -239,12 +252,13 @@
namespace x509_util {
-bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
- const std::string& subject,
- uint32 serial_number,
- base::Time not_valid_before,
- base::Time not_valid_after,
- std::string* der_cert) {
+bool CreateSelfSignedCertInternal(crypto::RSAPrivateKey* key,
+ crypto::HMAC::HashAlgorithm alg,
+ const std::string& subject,
+ uint32 serial_number,
+ base::Time not_valid_before,
+ base::Time not_valid_after,
+ std::string* der_cert) {
DCHECK(key);
DCHECK(!strncmp(subject.c_str(), "CN=", 3U));
CERTCertificate* cert = CreateCertificate(key->public_key(),
@@ -255,7 +269,7 @@
if (!cert)
return false;
- if (!SignCertificate(cert, key->key())) {
+ if (!SignCertificate(cert, key->key(), HashAlgorithmToIdTag(alg))) {
CERT_DestroyCertificate(cert);
return false;
}
@@ -279,12 +293,13 @@
return true;
}
-bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key,
- const std::string& domain,
- uint32 serial_number,
- base::Time not_valid_before,
- base::Time not_valid_after,
- std::string* der_cert) {
+bool CreateDomainBoundCertECInternal(crypto::ECPrivateKey* key,
+ crypto::HMAC::HashAlgorithm alg,
+ const std::string& domain,
+ uint32 serial_number,
+ base::Time not_valid_before,
+ base::Time not_valid_after,
+ std::string* der_cert) {
DCHECK(key);
CERTCertificate* cert = CreateCertificate(key->public_key(),
@@ -341,7 +356,7 @@
return false;
}
- if (!SignCertificate(cert, key->key())) {
+ if (!SignCertificate(cert, key->key(), HashAlgorithmToIdTag(alg))) {
CERT_DestroyCertificate(cert);
return false;
}
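Review bot: The `if (algo_id == SEC_OID_UNKNOWN) return false;` guard in the SignCertificate hunk (`@@ -142,11 +155,11 @@`) does not catch an unmapped hash algorithm: HashAlgorithmToIdTag in the first hunk returns SEC_OID_UNKNOWN for any crypto::HMAC::HashAlgorithm value outside its two cases, and as far as I recall NSS's SEC_GetSignatureAlgorithmOidTag treats a SEC_OID_UNKNOWN hash as "use the key type's default", which is SHA-1 for both RSA and EC keys, so an unexpected enum value would silently produce a SHA-1 signature instead of failing. Rejecting the hash before NSS picks a default makes the intent explicit, e.g. `if (alg_id_tag == SEC_OID_UNKNOWN) return false;` placed before the SEC_GetSignatureAlgorithmOidTag call; a `NOTREACHED()` default branch in HashAlgorithmToIdTag's switch would document the same contract at the source. A short header comment on the new helper, `// Maps a crypto::HMAC hash algorithm to its NSS OID tag; SEC_OID_UNKNOWN if unsupported.`, would also help readers who only see the call sites. SignCertificate's body continues outside the hunk, so the exact placement of the check is best judged in the full function.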
