
Side by Side Diff: net/cert/x509_util.cc

Issue 2898573002: Refactor client cert private key handling. (Closed)
Patch Set: removed no longer needed forward declaration Created 3 years, 6 months ago
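--- a/net/cert/x509_util.cc
+++ b/net/cert/x509_util.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_util.h"
 
 #include <memory>
 
 #include "base/time/time.h"
 #include "crypto/ec_private_key.h"
@@ -53,53 +53,20 @@
 
 namespace x509_util {
 
 // RSA keys created by CreateKeyAndSelfSignedCert will be of this length.
 static const uint16_t kRSAKeyLength = 1024;
 
 // Certificates made by CreateKeyAndSelfSignedCert and
 // CreateKeyAndChannelIDEC will be signed using this digest algorithm.
 static const DigestAlgorithm kSignatureDigestAlgorithm = DIGEST_SHA256;
 
-ClientCertSorter::ClientCertSorter() : now_(base::Time::Now()) {}
-
-bool ClientCertSorter::operator()(
-    const scoped_refptr<X509Certificate>& a,
-    const scoped_refptr<X509Certificate>& b) const {
-  // Certificates that are null are sorted last.
-  if (!a.get() || !b.get())
-    return a.get() && !b.get();
-
-  // Certificates that are expired/not-yet-valid are sorted last.
-  bool a_is_valid = now_ >= a->valid_start() && now_ <= a->valid_expiry();
-  bool b_is_valid = now_ >= b->valid_start() && now_ <= b->valid_expiry();
-  if (a_is_valid != b_is_valid)
-    return a_is_valid && !b_is_valid;
-
-  // Certificates with longer expirations appear as higher priority (less
-  // than) certificates with shorter expirations.
-  if (a->valid_expiry() != b->valid_expiry())
-    return a->valid_expiry() > b->valid_expiry();
-
-  // If the expiration dates are equivalent, certificates that were issued
-  // more recently should be prioritized over older certificates.
-  if (a->valid_start() != b->valid_start())
-    return a->valid_start() > b->valid_start();
-
-  // Otherwise, prefer client certificates with shorter chains.
-  const X509Certificate::OSCertHandles& a_intermediates =
-      a->GetIntermediateCertificates();
-  const X509Certificate::OSCertHandles& b_intermediates =
-      b->GetIntermediateCertificates();
-  return a_intermediates.size() < b_intermediates.size();
-}
-
 bool CreateKeyAndSelfSignedCert(const std::string& subject,
                                 uint32_t serial_number,
                                 base::Time not_valid_before,
                                 base::Time not_valid_after,
                                 std::unique_ptr<crypto::RSAPrivateKey>* key,
                                 std::string* der_cert) {
   std::unique_ptr<crypto::RSAPrivateKey> new_key(
       crypto::RSAPrivateKey::Create(kRSAKeyLength));
   if (!new_key.get())
     return false;
@@ -166,10 +133,10 @@
       ip_addresses->push_back(ip.ToString());
     }
   }
 
   return true;
 }
 
 }  // namespace x509_util
 
 }  // namespace net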