authorjbates@chromium.org <jbates@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-25 20:49:41 +0000
committerjbates@chromium.org <jbates@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-25 20:49:41 +0000
commit13aba566502ed889c8dd59f0f571e7e68d7ba6af (patch)
tree60d9a505b2996dcb944de0d546a048f6ee5c758b
parenta3b92e56e065d42d0610c05d831b5912dcd1a340 (diff)
Revert 98288 - Added CreateOriginBound method to x509_certificate.h.
This static method branches the CreateSelfSigned code to create a self signed certificate that contains an X509v3 extension that indicates the ASCII weborigin that is bound to the generated certificate. BUG=88782 TEST= Review URL: http://codereview.chromium.org/7384002 TBR=mdietz@google.com Review URL: http://codereview.chromium.org/7740034 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@98293 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/origin_bound_cert_service.cc12
-rw-r--r--net/base/x509_certificate.h12
-rw-r--r--net/base/x509_certificate_mac.cc19
-rw-r--r--net/base/x509_certificate_nss.cc160
-rw-r--r--net/base/x509_certificate_openssl.cc11
-rw-r--r--net/base/x509_certificate_unittest.cc83
-rw-r--r--net/base/x509_certificate_win.cc10
7 files changed, 13 insertions, 294 deletions
diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc
index 4f53fc3..50d45c4 100644
--- a/net/base/origin_bound_cert_service.cc
+++ b/net/base/origin_bound_cert_service.cc
@@ -316,25 +316,19 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
uint32 serial_number,
std::string* private_key,
std::string* cert) {
+ std::string subject = "CN=OBC";
scoped_ptr<crypto::RSAPrivateKey> key(
crypto::RSAPrivateKey::Create(kKeySizeInBits));
if (!key.get()) {
LOG(WARNING) << "Unable to create key pair for client";
return ERR_KEY_GENERATION_FAILED;
}
-#if defined(USE_NSS)
- scoped_refptr<X509Certificate> x509_cert = X509Certificate::CreateOriginBound(
- key.get(),
- origin,
- serial_number,
- base::TimeDelta::FromDays(kValidityPeriodInDays));
-#else
+
scoped_refptr<X509Certificate> x509_cert = X509Certificate::CreateSelfSigned(
key.get(),
- "CN=anonymous.invalid",
+ subject,
serial_number,
base::TimeDelta::FromDays(kValidityPeriodInDays));
-#endif
if (!x509_cert) {
LOG(WARNING) << "Unable to create x509 cert for client";
return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
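Review bot: The `origin` parameter named in the hunk header is no longer referenced anywhere in the new lines of this hunk, so the certificate produced here is a plain self-signed "CN=OBC" cert that does not encode the origin it is nominally bound to; GenerateCert starts and ends outside the hunk, so if the remainder does not use `origin` either, that gap deserves a comment at the CreateSelfSigned call such as `// NOTE: the origin is not encoded in the certificate; the cert is a plain self-signed CN=OBC.` The new `subject` local is assigned once and never modified, so `const std::string subject = "CN=OBC";` states that, and declaring it next to its single use (after the key-generation early return) avoids constructing it on the ERR_KEY_GENERATION_FAILED path.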
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 8589e92..4c8dd01 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -187,18 +187,6 @@ class NET_EXPORT X509Certificate
uint32 serial_number,
base::TimeDelta valid_duration);
- // Create an origin bound certificate containing the public key in |key|.
- // Web origin, serial number and validity period are given as
- // parameters. The certificate is signed by the private key in |key|.
- // The hashing algorithm for the signature is SHA-1.
- //
- // See Internet Draft draft-balfanz-tls-obc-00 for more details:
- // http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.html
- static X509Certificate* CreateOriginBound(crypto::RSAPrivateKey* key,
- const std::string& origin,
- uint32 serial_number,
- base::TimeDelta valid_duration);
-
// Appends a representation of this object to the given pickle.
void Persist(Pickle* pickle);
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 014d51a..9b39de6 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -695,25 +695,6 @@ X509Certificate* X509Certificate::CreateSelfSigned(
return CreateFromHandle(scoped_cert, X509Certificate::OSCertHandles());
}
-// static
-X509Certificate* X509Certificate::CreateOriginBound(
- crypto::RSAPrivateKey* key,
- const std::string& origin,
- uint32 serial_number,
- base::TimeDelta valid_duration) {
- // TODO(wtc): this cannot be implemented by creating a CE_DataAndType for
- // the origin-bound extension and adding it to certReq.extensions because
- // it is not one of the supported extensions in the CE_DataType enum type.
- // Using the DT_Other enum constant does not work.
- //
- // The relevant Apple headers are:
- // - CSSM_APPLE_TP_CERT_REQUEST is defined in cssmapple.h.
- // - CE_DataAndType, CE_DataType, and CE_Data are defined in
- // certextensions.h.
- NOTIMPLEMENTED();
- return NULL;
-}
-
void X509Certificate::GetSubjectAltName(
std::vector<std::string>* dns_names,
std::vector<std::string>* ip_addrs) const {
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 3b23f93..7224020 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -18,7 +18,6 @@
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
-#include "base/memory/singleton.h"
#include "base/pickle.h"
#include "base/time.h"
#include "crypto/nss_util.h"
@@ -32,50 +31,6 @@ namespace net {
namespace {
-class ObCertOIDWrapper {
- public:
- static ObCertOIDWrapper* GetInstance() {
- // Instantiated as a leaky singleton to allow the singleton to be
- // constructed on a worker thead that is not joined when a process
- // shuts down.
- return Singleton<ObCertOIDWrapper,
- LeakySingletonTraits<ObCertOIDWrapper> >::get();
- }
-
- SECOidTag ob_cert_oid_tag() const {
- return ob_cert_oid_tag_;
- }
-
- private:
- friend struct DefaultSingletonTraits<ObCertOIDWrapper>;
-
- ObCertOIDWrapper();
-
- SECOidTag ob_cert_oid_tag_;
-
- DISALLOW_COPY_AND_ASSIGN(ObCertOIDWrapper);
-};
-
-ObCertOIDWrapper::ObCertOIDWrapper(): ob_cert_oid_tag_(SEC_OID_UNKNOWN) {
- // 1.3.6.1.4.1.11129.2.1.6
- // (iso.org.dod.internet.private.enterprises.google.googleSecurity.
- // certificateExtensions.originBoundCertificate)
- static const uint8 kObCertOID[] = {
- 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x06
- };
- SECOidData oid_data;
- memset(&oid_data, 0, sizeof(oid_data));
- oid_data.oid.data = const_cast<uint8*>(kObCertOID);
- oid_data.oid.len = sizeof(kObCertOID);
- oid_data.offset = SEC_OID_UNKNOWN;
- oid_data.desc = "Origin Bound Certificate";
- oid_data.mechanism = CKM_INVALID_MECHANISM;
- oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION;
- ob_cert_oid_tag_ = SECOID_AddEntry(&oid_data);
- if (ob_cert_oid_tag_ == SEC_OID_UNKNOWN)
- LOG(ERROR) << "OB_CERT OID tag creation failed";
-}
-
class ScopedCERTCertificatePolicies {
public:
explicit ScopedCERTCertificatePolicies(CERTCertificatePolicies* policies)
@@ -668,16 +623,14 @@ void X509Certificate::Initialize() {
serial_number_ = serial_number_.substr(1, serial_number_.size() - 1);
}
-// Creates a Certificate object that may be passed to the SignCertificate
-// method to generate an X509 certificate.
-// Returns NULL if an error is encountered in the certificate creation
-// process.
-// Caller responsible for freeing returned certificate object.
-static CERTCertificate* CreateCertificate(
+// static
+X509Certificate* X509Certificate::CreateSelfSigned(
crypto::RSAPrivateKey* key,
const std::string& subject,
uint32 serial_number,
base::TimeDelta valid_duration) {
+ DCHECK(key);
+
// Create info about public key.
CERTSubjectPublicKeyInfo* spki =
SECKEY_CreateSubjectPublicKeyInfo(key->public_key());
@@ -715,24 +668,12 @@ static CERTCertificate* CreateCertificate(
CERT_DestroyValidity(validity);
CERT_DestroyCertificateRequest(cert_request);
- return cert;
-}
+ if (!cert)
+ return NULL;
+
+ // Sign the cert here. The logic of this method references SignCert() in NSS
+ // utility certutil: http://mxr.mozilla.org/security/ident?i=SignCert.
-// Signs a certificate object, with |key| generating a new X509Certificate
-// and destroying the passed certificate object (even when NULL is returned).
-// The logic of this method references SignCert() in NSS utility certutil:
-// http://mxr.mozilla.org/security/ident?i=SignCert.
-// Returns NULL if an error is encountered in the certificate signing
-// process.
-// Caller responsible for freeing returned X509Certificate object.
-//
-// TODO: change this function to return
-// a success/failure status, and not create an X509Certificate
-// object, and not destroy |cert| on failure. Let the caller
-// create the X509Certificate object and destroy |cert|.
-static X509Certificate* SignCertificate(
- CERTCertificate* cert,
- crypto::RSAPrivateKey* key) {
// |arena| is used to encode the cert.
PRArenaPool* arena = cert->arena;
SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->key()->keyType,
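Review bot: The merged CreateSelfSigned has lost the ownership contract that the removed SignCertificate comment carried, namely that the CERTCertificate is destroyed even when NULL is returned; the signing code between this hunk and the `CERT_DestroyCertificate(cert)` at the end of the function is outside the visible lines, so I cannot confirm that every early return in that stretch still frees `cert` rather than leaking the arena-backed object. A short comment after `if (!cert) return NULL;` would make the contract explicit for the merged body: `// From here on |cert| is owned by this function and must be destroyed on every exit path, including failures.` The same hunk's `// Sign the cert here.` comment could note that CreateFromHandle, not the caller, now receives the signed cert. CreateSelfSigned begins in the previous hunk and ends in the next one.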
@@ -781,92 +722,11 @@ static X509Certificate* SignCertificate(
// Save the signed result to the cert.
cert->derCert = *result;
- X509Certificate* x509_cert =
- X509Certificate::CreateFromHandle(cert, X509Certificate::OSCertHandles());
+ X509Certificate* x509_cert = CreateFromHandle(cert, OSCertHandles());
CERT_DestroyCertificate(cert);
return x509_cert;
}
-// static
-X509Certificate* X509Certificate::CreateSelfSigned(
- crypto::RSAPrivateKey* key,
- const std::string& subject,
- uint32 serial_number,
- base::TimeDelta valid_duration) {
- DCHECK(key);
-
- CERTCertificate* cert = CreateCertificate(key,
- subject,
- serial_number,
- valid_duration);
-
- if (!cert)
- return NULL;
-
- X509Certificate* x509_cert = SignCertificate(cert, key);
-
- return x509_cert;
-}
-
-// static
-X509Certificate* X509Certificate::CreateOriginBound(
- crypto::RSAPrivateKey* key,
- const std::string& origin,
- uint32 serial_number,
- base::TimeDelta valid_duration) {
- DCHECK(key);
-
- CERTCertificate* cert = CreateCertificate(key,
- "CN=anonymous.invalid",
- serial_number,
- valid_duration);
-
- if (!cert)
- return NULL;
-
- // Create opaque handle used to add extensions later.
- void* cert_handle;
- if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
- LOG(ERROR) << "Unable to get opaque handle for adding extensions";
- return NULL;
- }
-
- // Create SECItem for IA5String encoding.
- SECItem origin_string_item = {
- siAsciiString,
- (unsigned char*)origin.data(),
- origin.size()
- };
-
- // IA5Encode and arena allocate SECItem
- SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
- cert->arena, NULL, &origin_string_item,
- SEC_ASN1_GET(SEC_IA5StringTemplate));
- if (asn1_origin_string == NULL) {
- LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
- return NULL;
- }
-
- // Add the extension to the opaque handle
- if (CERT_AddExtension(cert_handle,
- ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
- asn1_origin_string,
- PR_TRUE, PR_TRUE) != SECSuccess){
- LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
- return NULL;
- }
-
- // Copy extension into x509 cert
- if (CERT_FinishExtensions(cert_handle) != SECSuccess){
- LOG(ERROR) << "Unable to copy extension to X509 cert";
- return NULL;
- }
-
- X509Certificate* x509_cert = SignCertificate(cert, key);
-
- return x509_cert;
-}
-
void X509Certificate::GetSubjectAltName(
std::vector<std::string>* dns_names,
std::vector<std::string>* ip_addrs) const {
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index c824dc3..f23ede9 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -409,17 +409,6 @@ X509Certificate* X509Certificate::CreateSelfSigned(
return NULL;
}
-// static
-X509Certificate* X509Certificate::CreateOriginBound(
- crypto::RSAPrivateKey* key,
- const std::string& origin,
- uint32 serial_number,
- base::TimeDelta valid_duration) {
- // TODO(port): Implement.
- NOTIMPLEMENTED();
- return NULL;
-}
-
void X509Certificate::GetSubjectAltName(
std::vector<std::string>* dns_names,
std::vector<std::string>* ip_addrs) const {
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 8a0f79d..32417ac 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -20,11 +20,6 @@
#include "net/base/x509_certificate.h"
#include "testing/gtest/include/gtest/gtest.h"
-#if defined(USE_NSS)
-#include <cert.h>
-#include <secoid.h>
-#endif
-
// Unit tests aren't allowed to access external resources. Unfortunately, to
// properly verify the EV-ness of a cert, we need to check for its revocation
// through online servers. If you're manually running unit tests, feel free to
@@ -1137,84 +1132,6 @@ TEST(X509CertificateTest, GetDEREncoded) {
}
#endif
-#if defined(USE_NSS)
-// This test creates an origin-bound cert from a private key and
-// then verifies the content of the certificate.
-TEST(X509CertificateTest, CreateOriginBound) {
- // Origin Bound Cert OID.
- static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6";
-
- // Create a sample ASCII weborigin.
- std::string origin = "http://weborigin.com:443";
-
- // Create object neccissary for extension lookup call.
- SECItem extension_object = {
- siAsciiString,
- (unsigned char*)origin.data(),
- origin.size()
- };
-
- scoped_ptr<crypto::RSAPrivateKey> private_key(
- crypto::RSAPrivateKey::Create(1024));
- scoped_refptr<X509Certificate> cert =
- X509Certificate::CreateOriginBound(private_key.get(),
- origin, 1,
- base::TimeDelta::FromDays(1));
-
- EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName());
- EXPECT_FALSE(cert->HasExpired());
-
- // IA5Encode and arena allocate SECItem.
- PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- SECItem* expected = SEC_ASN1EncodeItem(arena,
- NULL,
- &extension_object,
- SEC_ASN1_GET(SEC_IA5StringTemplate));
-
- ASSERT_NE(static_cast<SECItem*>(NULL), expected);
-
- // Create OID SECItem.
- SECItem ob_cert_oid = { siDEROID, NULL, 0 };
- SECStatus ok = SEC_StringToOID(arena, &ob_cert_oid,
- oid_string, NULL);
-
- ASSERT_EQ(SECSuccess, ok);
-
- SECOidTag ob_cert_oid_tag = SECOID_FindOIDTag(&ob_cert_oid);
-
- ASSERT_NE(SEC_OID_UNKNOWN, ob_cert_oid_tag);
-
- // Lookup Origin Bound Cert extension in generated cert.
- SECItem actual = { siBuffer, NULL, 0 };
- ok = CERT_FindCertExtension(cert->os_cert_handle(),
- ob_cert_oid_tag,
- &actual);
- ASSERT_EQ(SECSuccess, ok);
-
- // Compare expected and actual extension values.
- PRBool result = SECITEM_ItemsAreEqual(expected, &actual);
- ASSERT_TRUE(result);
-
- // Do Cleanup.
- SECITEM_FreeItem(&actual, PR_FALSE);
- PORT_FreeArena(arena, PR_FALSE);
-}
-#else // defined(USE_NSS)
-// On other platforms, X509Certificate::CreateOriginBound() is not implemented
-// and should return NULL. This unit test ensures that a stub implementation
-// is present.
-TEST(X509CertificateTest, CreateOriginBoundNotImplemented) {
- std::string origin = "http://weborigin.com:443";
- scoped_ptr<crypto::RSAPrivateKey> private_key(
- crypto::RSAPrivateKey::Create(1024));
- scoped_refptr<X509Certificate> cert =
- X509Certificate::CreateOriginBound(private_key.get(),
- origin, 2,
- base::TimeDelta::FromDays(1));
- EXPECT_FALSE(cert);
-}
-#endif // defined(USE_NSS)
-
class X509CertificateParseTest
: public testing::TestWithParam<CertificateFormatTestData> {
public:
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 0432d79..5dfc285 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -630,16 +630,6 @@ X509Certificate* X509Certificate::CreateSelfSigned(
return cert;
}
-// static
-X509Certificate* X509Certificate::CreateOriginBound(
- crypto::RSAPrivateKey* key,
- const std::string& origin,
- uint32 serial_number,
- base::TimeDelta valid_duration) {
- NOTIMPLEMENTED();
- return NULL;
-}
-
void X509Certificate::GetSubjectAltName(
std::vector<std::string>* dns_names,
std::vector<std::string>* ip_addrs) const {