authorrkn@chromium.org <rkn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-08 22:46:31 +0000
committerrkn@chromium.org <rkn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-08 22:46:31 +0000
commit6f66f4f3f611f15789e1130164b3c80aa32f35be (patch)
treeb7945a73e035d79ecd068f6707d2f808f53be900
parent8fddbc0fc921801a6c82b0f9aab610ff5f1d85bc (diff)
Added OriginBoundCertService class to handle the fetching (and creation) of origin bound certificates.
Origin bound certificates are specified in this internet draft <http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.html>. The OriginBoundCertService class contains an OriginBoundCertStore object. This is an interface designed for handling the storage and retrieval (but not creation) of origin bound certificates. BUG=88782 TEST=None Review URL: http://codereview.chromium.org/7291020 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@91906 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/origin_bound_cert_service.cc65
-rw-r--r--net/base/origin_bound_cert_service.h41
-rw-r--r--net/base/origin_bound_cert_store.h39
-rw-r--r--net/net.gyp3
4 files changed, 148 insertions, 0 deletions
diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc
new file mode 100644
index 0000000..853d3ef
--- /dev/null
+++ b/net/base/origin_bound_cert_service.cc
@@ -0,0 +1,65 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/origin_bound_cert_service.h"
+
+#include <limits>
+
+#include "base/logging.h"
+#include "base/rand_util.h"
+#include "crypto/rsa_private_key.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+bool OriginBoundCertService::GetOriginBoundCert(const GURL& url,
+ std::string* private_key_result,
+ std::string* cert_result) {
+ // Check if origin bound cert already exists for this origin.
+ if (origin_bound_cert_store_->HasOriginBoundCert(url)) {
+ origin_bound_cert_store_->GetOriginBoundCert(url,
+ private_key_result,
+ cert_result);
+ return true;
+ }
+
+ // No origin bound cert exists, we have to create one.
+ std::string origin = GetCertOriginFromURL(url);
+ std::string subject = "CN=origin-bound certificate for " + origin;
+ X509Certificate* x509_cert;
+ crypto::RSAPrivateKey* key = crypto::RSAPrivateKey::Create(1024);
+ if ((x509_cert = X509Certificate::CreateSelfSigned(
+ key,
+ subject,
+ base::RandInt(0, std::numeric_limits<int>::max()),
+ base::TimeDelta::FromDays(365))) == NULL) {
+ LOG(WARNING) << "Unable to create x509 cert for client";
+ return false;
+ }
+
+ std::vector<uint8> key_vec;
+ if (!key->ExportPrivateKey(&key_vec)) {
+ LOG(WARNING) << "Unable to create x509 cert for client";
+ return false;
+ }
+ std::string key_output(key_vec.begin(), key_vec.end());
+
+ std::string cert_output;
+ if (!x509_cert->GetDEREncoded(&cert_output)) {
+ LOG(WARNING) << "Unable to create x509 cert for client";
+ return false;
+ }
+
+ origin_bound_cert_store_->SetOriginBoundCert(url, key_output, cert_output);
+ *private_key_result = key_output;
+ *cert_result = cert_output;
+
+ return true;
+}
+
+std::string OriginBoundCertService::GetCertOriginFromURL(const GURL& url) {
+ return url.GetOrigin().spec();
+}
+
+} // namespace net
diff --git a/net/base/origin_bound_cert_service.h b/net/base/origin_bound_cert_service.h
new file mode 100644
index 0000000..4502247
--- /dev/null
+++ b/net/base/origin_bound_cert_service.h
@@ -0,0 +1,41 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
+#define NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
+#pragma once
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "net/base/origin_bound_cert_store.h"
+#include "googleurl/src/gurl.h" // TODO(rkn): This feels wrong.
+
+namespace net {
+
+// A class for creating and fetching origin bound certs.
+class OriginBoundCertService {
+ public:
+
+ OriginBoundCertService(OriginBoundCertStore* origin_bound_cert_store)
+ : origin_bound_cert_store_(origin_bound_cert_store) {}
+
+ // TODO(rkn): Specify certificate type (RSA or DSA).
+ // TODO(rkn): Key generation can be time consuming, so this should have an
+ // asynchronous interface.
+ // This function will fetch the origin bound cert for the specified origin
+ // if one exists and it will create one otherwise.
+ bool GetOriginBoundCert(const GURL& url,
+ std::string* private_key_result,
+ std::string* cert_result);
+
+ static std::string GetCertOriginFromURL(const GURL& url);
+
+ private:
+ OriginBoundCertStore* origin_bound_cert_store_;
+};
+
+} // namespace net
+
+#endif // NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
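Review bot: `OriginBoundCertService(OriginBoundCertStore* origin_bound_cert_store)` is a single-argument constructor without `explicit`, so any bare `OriginBoundCertStore*` converts implicitly into a service; mark it `explicit OriginBoundCertService(OriginBoundCertStore* origin_bound_cert_store)`. The header also says nothing about who owns the store behind `origin_bound_cert_store_`; the .cc in this commit only dereferences the raw pointer and never deletes it, so a comment on the member such as `// Not owned; the store must outlive this service.` states the lifetime contract callers must honour. Since the class holds a raw pointer and base/basictypes.h is already included, `DISALLOW_COPY_AND_ASSIGN(OriginBoundCertService);` in the private section would prevent accidental copies. The `// TODO(rkn): This feels wrong.` on the gurl.h include can be resolved the same way origin_bound_cert_store.h does it: this header only uses `const GURL&`, so a forward declaration `class GURL;` suffices and the include moves to the .cc.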
diff --git a/net/base/origin_bound_cert_store.h b/net/base/origin_bound_cert_store.h
new file mode 100644
index 0000000..01be9e3
--- /dev/null
+++ b/net/base/origin_bound_cert_store.h
@@ -0,0 +1,39 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_ORIGIN_BOUND_CERT_STORE_H_
+#define NET_BASE_ORIGIN_BOUND_CERT_STORE_H_
+#pragma once
+
+#include <string>
+
+#include "base/basictypes.h"
+
+class GURL;
+
+namespace net {
+
+// An interface for storing and retrieving origin bound certs.
+
+class OriginBoundCertStore {
+ public:
+
+ virtual bool HasOriginBoundCert(const GURL& url) = 0;
+
+ // TODO(rkn): Specify certificate type (RSA or DSA).
+ // TODO(rkn): Key generation can be time consuming, so this should have an
+ // asynchronous interface.
+ // The output is stored in |private_key| and |cert|.
+ virtual void GetOriginBoundCert(const GURL& url,
+ std::string* private_key_result,
+ std::string* cert_result) = 0;
+
+ virtual void SetOriginBoundCert(const GURL& url,
+ const std::string& private_key,
+ const std::string& cert) = 0;
+};
+
+} // namespace net
+
+#endif // NET_BASE_ORIGIN_BOUND_CERT_STORE_H_
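Review bot: `OriginBoundCertStore` is an abstract interface with no virtual destructor, so deleting an implementation through an `OriginBoundCertStore*` is undefined behaviour; add `virtual ~OriginBoundCertStore() {}` to the public section. The two TODO comments above `GetOriginBoundCert` look copied from the service header: this interface only stores and retrieves, so the "Key generation can be time consuming" remark does not apply here, and the line `// The output is stored in |private_key| and |cert|.` names parameters that are actually `private_key_result` and `cert_result`. `HasOriginBoundCert` and `GetOriginBoundCert` are undocumented as to what happens when no cert exists for the origin (the service in this commit calls Get only after Has succeeds, but other callers may not); a one-line comment stating what the output parameters hold in that case would help implementers agree.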
diff --git a/net/net.gyp b/net/net.gyp
index 27cdfe2..727266a 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -168,6 +168,9 @@
'base/nss_memio.h',
'base/openssl_memory_private_key_store.cc',
'base/openssl_private_key_store.h',
+ 'base/origin_bound_cert_service.cc',
+ 'base/origin_bound_cert_service.h',
+ 'base/origin_bound_cert_store.h',
'base/pem_tokenizer.cc',
'base/pem_tokenizer.h',
'base/platform_mime_util.h',