| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
| 6 #include "net/cert/x509_util_nss.h" | 6 #include "net/cert/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> // Must be included before certdb.h | 8 #include <cert.h> // Must be included before certdb.h |
| 9 #include <certdb.h> | 9 #include <certdb.h> |
| 10 #include <cryptohi.h> | 10 #include <cryptohi.h> |
| 11 #include <nss.h> | 11 #include <nss.h> |
| 12 #include <pk11pub.h> | 12 #include <pk11pub.h> |
| 13 #include <prerror.h> | 13 #include <prerror.h> |
| 14 #include <secder.h> | 14 #include <secder.h> |
| 15 #include <secmod.h> | 15 #include <secmod.h> |
| 16 #include <secport.h> | 16 #include <secport.h> |
| 17 | 17 |
| 18 #include "base/debug/leak_annotations.h" | 18 #include "base/debug/leak_annotations.h" |
| 19 #include "base/logging.h" | 19 #include "base/logging.h" |
| 20 #include "base/memory/scoped_ptr.h" | 20 #include "base/memory/scoped_ptr.h" |
| 21 #include "base/memory/singleton.h" | 21 #include "base/memory/singleton.h" |
| 22 #include "base/pickle.h" | 22 #include "base/pickle.h" |
| 23 #include "base/strings/stringprintf.h" | 23 #include "base/strings/stringprintf.h" |
| 24 #include "crypto/ec_private_key.h" | 24 #include "crypto/ec_private_key.h" |
| 25 #include "crypto/nss_util.h" | 25 #include "crypto/nss_util.h" |
| 26 #include "crypto/nss_util_internal.h" | 26 #include "crypto/nss_util_internal.h" |
| 27 #include "crypto/rsa_private_key.h" |
| 27 #include "crypto/scoped_nss_types.h" | 28 #include "crypto/scoped_nss_types.h" |
| 28 #include "crypto/third_party/nss/chromium-nss.h" | 29 #include "crypto/third_party/nss/chromium-nss.h" |
| 29 #include "net/cert/x509_certificate.h" | 30 #include "net/cert/x509_certificate.h" |
| 30 | 31 |
| 31 namespace net { | 32 namespace net { |
| 32 | 33 |
| 33 namespace { | 34 namespace { |
| 34 | 35 |
| 35 class DomainBoundCertOIDWrapper { | 36 class DomainBoundCertOIDWrapper { |
| 36 public: | 37 public: |
| (...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 175 DLOG(ERROR) << "DerSignData: " << PORT_GetError(); | 176 DLOG(ERROR) << "DerSignData: " << PORT_GetError(); |
| 176 return false; | 177 return false; |
| 177 } | 178 } |
| 178 | 179 |
| 179 // Save the signed result to the cert. | 180 // Save the signed result to the cert. |
| 180 cert->derCert = result; | 181 cert->derCert = result; |
| 181 | 182 |
| 182 return true; | 183 return true; |
| 183 } | 184 } |
| 184 | 185 |
| 185 bool CreateDomainBoundCertInternal( | |
| 186 SECKEYPublicKey* public_key, | |
| 187 SECKEYPrivateKey* private_key, | |
| 188 const std::string& domain, | |
| 189 uint32 serial_number, | |
| 190 base::Time not_valid_before, | |
| 191 base::Time not_valid_after, | |
| 192 std::string* der_cert) { | |
| 193 CERTCertificate* cert = CreateCertificate(public_key, | |
| 194 "CN=anonymous.invalid", | |
| 195 serial_number, | |
| 196 not_valid_before, | |
| 197 not_valid_after); | |
| 198 | |
| 199 if (!cert) | |
| 200 return false; | |
| 201 | |
| 202 // Create opaque handle used to add extensions later. | |
| 203 void* cert_handle; | |
| 204 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { | |
| 205 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; | |
| 206 CERT_DestroyCertificate(cert); | |
| 207 return false; | |
| 208 } | |
| 209 | |
| 210 // Create SECItem for IA5String encoding. | |
| 211 SECItem domain_string_item = { | |
| 212 siAsciiString, | |
| 213 (unsigned char*)domain.data(), | |
| 214 static_cast<unsigned>(domain.size()) | |
| 215 }; | |
| 216 | |
| 217 // IA5Encode and arena allocate SECItem | |
| 218 SECItem* asn1_domain_string = SEC_ASN1EncodeItem( | |
| 219 cert->arena, NULL, &domain_string_item, | |
| 220 SEC_ASN1_GET(SEC_IA5StringTemplate)); | |
| 221 if (asn1_domain_string == NULL) { | |
| 222 LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert" | |
| 223 " extension"; | |
| 224 CERT_DestroyCertificate(cert); | |
| 225 return false; | |
| 226 } | |
| 227 | |
| 228 // Add the extension to the opaque handle | |
| 229 if (CERT_AddExtension( | |
| 230 cert_handle, | |
| 231 DomainBoundCertOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(), | |
| 232 asn1_domain_string, PR_TRUE, PR_TRUE) != SECSuccess){ | |
| 233 LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle"; | |
| 234 CERT_DestroyCertificate(cert); | |
| 235 return false; | |
| 236 } | |
| 237 | |
| 238 // Copy extension into x509 cert | |
| 239 if (CERT_FinishExtensions(cert_handle) != SECSuccess){ | |
| 240 LOG(ERROR) << "Unable to copy extension to X509 cert"; | |
| 241 CERT_DestroyCertificate(cert); | |
| 242 return false; | |
| 243 } | |
| 244 | |
| 245 if (!SignCertificate(cert, private_key)) { | |
| 246 CERT_DestroyCertificate(cert); | |
| 247 return false; | |
| 248 } | |
| 249 | |
| 250 DCHECK(cert->derCert.len); | |
| 251 // XXX copied from X509Certificate::GetDEREncoded | |
| 252 der_cert->clear(); | |
| 253 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), | |
| 254 cert->derCert.len); | |
| 255 CERT_DestroyCertificate(cert); | |
| 256 return true; | |
| 257 } | |
| 258 | |
| 259 #if defined(USE_NSS) || defined(OS_IOS) | 186 #if defined(USE_NSS) || defined(OS_IOS) |
| 260 // Callback for CERT_DecodeCertPackage(), used in | 187 // Callback for CERT_DecodeCertPackage(), used in |
| 261 // CreateOSCertHandlesFromBytes(). | 188 // CreateOSCertHandlesFromBytes(). |
| 262 SECStatus PR_CALLBACK CollectCertsCallback(void* arg, | 189 SECStatus PR_CALLBACK CollectCertsCallback(void* arg, |
| 263 SECItem** certs, | 190 SECItem** certs, |
| 264 int num_certs) { | 191 int num_certs) { |
| 265 X509Certificate::OSCertHandles* results = | 192 X509Certificate::OSCertHandles* results = |
| 266 reinterpret_cast<X509Certificate::OSCertHandles*>(arg); | 193 reinterpret_cast<X509Certificate::OSCertHandles*>(arg); |
| 267 | 194 |
| 268 for (int i = 0; i < num_certs; ++i) { | 195 for (int i = 0; i < num_certs; ++i) { |
| (...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 305 | 232 |
| 306 return name.release(); | 233 return name.release(); |
| 307 } | 234 } |
| 308 | 235 |
| 309 #endif // defined(USE_NSS) || defined(OS_IOS) | 236 #endif // defined(USE_NSS) || defined(OS_IOS) |
| 310 | 237 |
| 311 } // namespace | 238 } // namespace |
| 312 | 239 |
| 313 namespace x509_util { | 240 namespace x509_util { |
| 314 | 241 |
| 315 CERTCertificate* CreateSelfSignedCert( | 242 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, |
| 316 SECKEYPublicKey* public_key, | 243 const std::string& subject, |
| 317 SECKEYPrivateKey* private_key, | 244 uint32 serial_number, |
| 318 const std::string& subject, | 245 base::Time not_valid_before, |
| 319 uint32 serial_number, | 246 base::Time not_valid_after, |
| 320 base::Time not_valid_before, | 247 std::string* der_cert) { |
| 321 base::Time not_valid_after) { | 248 DCHECK(key); |
| 322 CERTCertificate* cert = CreateCertificate(public_key, | 249 CERTCertificate* cert = CreateCertificate(key->public_key(), |
| 323 subject, | 250 subject, |
| 324 serial_number, | 251 serial_number, |
| 325 not_valid_before, | 252 not_valid_before, |
| 326 not_valid_after); | 253 not_valid_after); |
| 327 if (!cert) | 254 if (!cert) |
| 328 return NULL; | 255 return false; |
| 329 | 256 |
| 330 if (!SignCertificate(cert, private_key)) { | 257 if (!SignCertificate(cert, key->key())) { |
| 331 CERT_DestroyCertificate(cert); | 258 CERT_DestroyCertificate(cert); |
| 332 return NULL; | 259 return false; |
| 333 } | 260 } |
| 334 | 261 |
| 335 return cert; | 262 der_cert->assign(reinterpret_cast<char*>(cert->derCert.data), |
| 263 cert->derCert.len); |
| 264 CERT_DestroyCertificate(cert); |
| 265 return true; |
| 336 } | 266 } |
| 337 | 267 |
| 338 bool IsSupportedValidityRange(base::Time not_valid_before, | 268 bool IsSupportedValidityRange(base::Time not_valid_before, |
| 339 base::Time not_valid_after) { | 269 base::Time not_valid_after) { |
| 340 CERTValidity* validity = CERT_CreateValidity( | 270 CERTValidity* validity = CERT_CreateValidity( |
| 341 crypto::BaseTimeToPRTime(not_valid_before), | 271 crypto::BaseTimeToPRTime(not_valid_before), |
| 342 crypto::BaseTimeToPRTime(not_valid_after)); | 272 crypto::BaseTimeToPRTime(not_valid_after)); |
| 343 | 273 |
| 344 if (!validity) | 274 if (!validity) |
| 345 return false; | 275 return false; |
| 346 | 276 |
| 347 CERT_DestroyValidity(validity); | 277 CERT_DestroyValidity(validity); |
| 348 return true; | 278 return true; |
| 349 } | 279 } |
| 350 | 280 |
| 351 bool CreateDomainBoundCertEC( | 281 bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key, |
| 352 crypto::ECPrivateKey* key, | 282 const std::string& domain, |
| 353 const std::string& domain, | 283 uint32 serial_number, |
| 354 uint32 serial_number, | 284 base::Time not_valid_before, |
| 355 base::Time not_valid_before, | 285 base::Time not_valid_after, |
| 356 base::Time not_valid_after, | 286 std::string* der_cert) { |
| 357 std::string* der_cert) { | |
| 358 DCHECK(key); | 287 DCHECK(key); |
| 359 return CreateDomainBoundCertInternal(key->public_key(), | 288 |
| 360 key->key(), | 289 CERTCertificate* cert = CreateCertificate(key->public_key(), |
| 361 domain, | 290 "CN=anonymous.invalid", |
| 362 serial_number, | 291 serial_number, |
| 363 not_valid_before, | 292 not_valid_before, |
| 364 not_valid_after, | 293 not_valid_after); |
| 365 der_cert); | 294 |
| 295 if (!cert) |
| 296 return false; |
| 297 |
| 298 // Create opaque handle used to add extensions later. |
| 299 void* cert_handle; |
| 300 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { |
| 301 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; |
| 302 CERT_DestroyCertificate(cert); |
| 303 return false; |
| 304 } |
| 305 |
| 306 // Create SECItem for IA5String encoding. |
| 307 SECItem domain_string_item = { |
| 308 siAsciiString, |
| 309 (unsigned char*)domain.data(), |
| 310 static_cast<unsigned>(domain.size()) |
| 311 }; |
| 312 |
| 313 // IA5Encode and arena allocate SECItem |
| 314 SECItem* asn1_domain_string = SEC_ASN1EncodeItem( |
| 315 cert->arena, NULL, &domain_string_item, |
| 316 SEC_ASN1_GET(SEC_IA5StringTemplate)); |
| 317 if (asn1_domain_string == NULL) { |
| 318 LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert" |
| 319 " extension"; |
| 320 CERT_DestroyCertificate(cert); |
| 321 return false; |
| 322 } |
| 323 |
| 324 // Add the extension to the opaque handle |
| 325 if (CERT_AddExtension( |
| 326 cert_handle, |
| 327 DomainBoundCertOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(), |
| 328 asn1_domain_string, |
| 329 PR_TRUE, |
| 330 PR_TRUE) != SECSuccess){ |
| 331 LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle"; |
| 332 CERT_DestroyCertificate(cert); |
| 333 return false; |
| 334 } |
| 335 |
| 336 // Copy extension into x509 cert |
| 337 if (CERT_FinishExtensions(cert_handle) != SECSuccess){ |
| 338 LOG(ERROR) << "Unable to copy extension to X509 cert"; |
| 339 CERT_DestroyCertificate(cert); |
| 340 return false; |
| 341 } |
| 342 |
| 343 if (!SignCertificate(cert, key->key())) { |
| 344 CERT_DestroyCertificate(cert); |
| 345 return false; |
| 346 } |
| 347 |
| 348 DCHECK(cert->derCert.len); |
| 349 // XXX copied from X509Certificate::GetDEREncoded |
| 350 der_cert->clear(); |
| 351 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), |
| 352 cert->derCert.len); |
| 353 CERT_DestroyCertificate(cert); |
| 354 return true; |
| 366 } | 355 } |
| 367 | 356 |
| 368 #if defined(USE_NSS) || defined(OS_IOS) | 357 #if defined(USE_NSS) || defined(OS_IOS) |
| 369 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { | 358 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { |
| 370 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. | 359 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. |
| 371 #if NSS_VMINOR >= 15 | 360 #if NSS_VMINOR >= 15 |
| 372 typedef char* (*CERTGetNameFunc)(const CERTName* name); | 361 typedef char* (*CERTGetNameFunc)(const CERTName* name); |
| 373 #else | 362 #else |
| 374 typedef char* (*CERTGetNameFunc)(CERTName* name); | 363 typedef char* (*CERTGetNameFunc)(CERTName* name); |
| 375 #endif | 364 #endif |
| (...skipping 250 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 626 } | 615 } |
| 627 | 616 |
| 628 return new_name; | 617 return new_name; |
| 629 } | 618 } |
| 630 | 619 |
| 631 #endif // defined(USE_NSS) || defined(OS_IOS) | 620 #endif // defined(USE_NSS) || defined(OS_IOS) |
| 632 | 621 |
| 633 } // namespace x509_util | 622 } // namespace x509_util |
| 634 | 623 |
| 635 } // namespace net | 624 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 17265013:
Remove platform-specific implementations of RSAPrivateKey and SignatureCreator (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src