OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 | 8 |
9 #include "base/time/time.h" | 9 #include "base/time/time.h" |
10 #include "crypto/ec_private_key.h" | 10 #include "crypto/ec_private_key.h" |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
53 | 53 |
54 namespace x509_util { | 54 namespace x509_util { |
55 | 55 |
56 // RSA keys created by CreateKeyAndSelfSignedCert will be of this length. | 56 // RSA keys created by CreateKeyAndSelfSignedCert will be of this length. |
57 static const uint16_t kRSAKeyLength = 1024; | 57 static const uint16_t kRSAKeyLength = 1024; |
58 | 58 |
59 // Certificates made by CreateKeyAndSelfSignedCert and | 59 // Certificates made by CreateKeyAndSelfSignedCert and |
60 // CreateKeyAndChannelIDEC will be signed using this digest algorithm. | 60 // CreateKeyAndChannelIDEC will be signed using this digest algorithm. |
61 static const DigestAlgorithm kSignatureDigestAlgorithm = DIGEST_SHA256; | 61 static const DigestAlgorithm kSignatureDigestAlgorithm = DIGEST_SHA256; |
62 | 62 |
63 ClientCertSorter::ClientCertSorter() : now_(base::Time::Now()) {} | |
64 | |
65 bool ClientCertSorter::operator()( | |
66 const scoped_refptr<X509Certificate>& a, | |
67 const scoped_refptr<X509Certificate>& b) const { | |
68 // Certificates that are null are sorted last. | |
69 if (!a.get() || !b.get()) | |
70 return a.get() && !b.get(); | |
71 | |
72 // Certificates that are expired/not-yet-valid are sorted last. | |
73 bool a_is_valid = now_ >= a->valid_start() && now_ <= a->valid_expiry(); | |
74 bool b_is_valid = now_ >= b->valid_start() && now_ <= b->valid_expiry(); | |
75 if (a_is_valid != b_is_valid) | |
76 return a_is_valid && !b_is_valid; | |
77 | |
78 // Certificates with longer expirations appear as higher priority (less | |
79 // than) certificates with shorter expirations. | |
80 if (a->valid_expiry() != b->valid_expiry()) | |
81 return a->valid_expiry() > b->valid_expiry(); | |
82 | |
83 // If the expiration dates are equivalent, certificates that were issued | |
84 // more recently should be prioritized over older certificates. | |
85 if (a->valid_start() != b->valid_start()) | |
86 return a->valid_start() > b->valid_start(); | |
87 | |
88 // Otherwise, prefer client certificates with shorter chains. | |
89 const X509Certificate::OSCertHandles& a_intermediates = | |
90 a->GetIntermediateCertificates(); | |
91 const X509Certificate::OSCertHandles& b_intermediates = | |
92 b->GetIntermediateCertificates(); | |
93 return a_intermediates.size() < b_intermediates.size(); | |
94 } | |
95 | |
96 bool CreateKeyAndSelfSignedCert(const std::string& subject, | 63 bool CreateKeyAndSelfSignedCert(const std::string& subject, |
97 uint32_t serial_number, | 64 uint32_t serial_number, |
98 base::Time not_valid_before, | 65 base::Time not_valid_before, |
99 base::Time not_valid_after, | 66 base::Time not_valid_after, |
100 std::unique_ptr<crypto::RSAPrivateKey>* key, | 67 std::unique_ptr<crypto::RSAPrivateKey>* key, |
101 std::string* der_cert) { | 68 std::string* der_cert) { |
102 std::unique_ptr<crypto::RSAPrivateKey> new_key( | 69 std::unique_ptr<crypto::RSAPrivateKey> new_key( |
103 crypto::RSAPrivateKey::Create(kRSAKeyLength)); | 70 crypto::RSAPrivateKey::Create(kRSAKeyLength)); |
104 if (!new_key.get()) | 71 if (!new_key.get()) |
105 return false; | 72 return false; |
(...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
166 ip_addresses->push_back(ip.ToString()); | 133 ip_addresses->push_back(ip.ToString()); |
167 } | 134 } |
168 } | 135 } |
169 | 136 |
170 return true; | 137 return true; |
171 } | 138 } |
172 | 139 |
173 } // namespace x509_util | 140 } // namespace x509_util |
174 | 141 |
175 } // namespace net | 142 } // namespace net |
OLD | NEW |