author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-02-29 05:43:15 +0000 |
---|---|---|
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-02-29 05:43:15 +0000 |
commit | 515face447d10a3095341cc390c8c0274ca62381 (patch) | |
tree | 831e1f70f53021963c30e3e22e557e2c9ea9bf87 | |
parent | fbda95d8bff725d3433047fbef0f3ff068d2dd9f (diff) | |
Remove support for RSA Origin Bound Certificates.
Generating them is too slow & power hungry, especially on mobile
devices.
BUG=none
TEST=unittests
Review URL: http://codereview.chromium.org/9372118
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@124124 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | net/base/origin_bound_cert_service.cc | 26 | ||||
-rw-r--r-- | net/base/origin_bound_cert_service_unittest.cc | 159 | ||||
-rw-r--r-- | net/base/x509_util.h | 9 | ||||
-rw-r--r-- | net/base/x509_util_nss.cc | 68 | ||||
-rw-r--r-- | net/base/x509_util_nss_unittest.cc | 27 | ||||
-rw-r--r-- | net/base/x509_util_openssl.cc | 13 | ||||
-rw-r--r-- | net/base/x509_util_openssl_unittest.cc | 12 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 19 | ||||
-rw-r--r-- | net/spdy/spdy_http_stream_unittest.cc | 49 | ||||
-rw-r--r-- | net/spdy/spdy_session.cc | 10 | ||||
-rw-r--r-- | net/spdy/spdy_session_unittest.cc | 4 |
11 files changed, 33 insertions, 363 deletions
diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc index 3cab29e..8901e26 100644 --- a/net/base/origin_bound_cert_service.cc +++ b/net/base/origin_bound_cert_service.cc @@ -19,7 +19,6 @@ #include "base/stl_util.h" #include "base/threading/worker_pool.h" #include "crypto/ec_private_key.h" -#include "crypto/rsa_private_key.h" #include "net/base/net_errors.h" #include "net/base/origin_bound_cert_store.h" #include "net/base/registry_controlled_domain.h" @@ -39,7 +38,6 @@ const int kValidityPeriodInDays = 365; bool IsSupportedCertType(uint8 type) { switch(type) { - case CLIENT_CERT_RSA_SIGN: case CLIENT_CERT_ECDSA_SIGN: return true; default: @@ -424,30 +422,6 @@ int OriginBoundCertService::GenerateCert(const std::string& origin, std::string der_cert; std::vector<uint8> private_key_info; switch (type) { - case CLIENT_CERT_RSA_SIGN: { - scoped_ptr<crypto::RSAPrivateKey> key( - crypto::RSAPrivateKey::Create(kKeySizeInBits)); - if (!key.get()) { - DLOG(ERROR) << "Unable to create key pair for client"; - return ERR_KEY_GENERATION_FAILED; - } - if (!x509_util::CreateOriginBoundCertRSA( - key.get(), - origin, - serial_number, - now, - not_valid_after, - &der_cert)) { - DLOG(ERROR) << "Unable to create x509 cert for client"; - return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED; - } - - if (!key->ExportPrivateKey(&private_key_info)) { - DLOG(ERROR) << "Unable to export private key"; - return ERR_PRIVATE_KEY_EXPORT_FAILED; - } - break; - } case CLIENT_CERT_ECDSA_SIGN: { scoped_ptr<crypto::ECPrivateKey> key(crypto::ECPrivateKey::Create()); if (!key.get()) { diff --git a/net/base/origin_bound_cert_service_unittest.cc b/net/base/origin_bound_cert_service_unittest.cc index a005fae..f658659 100644 --- a/net/base/origin_bound_cert_service_unittest.cc +++ b/net/base/origin_bound_cert_service_unittest.cc 
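Review bot: With the `CLIENT_CERT_RSA_SIGN` arm gone from `IsSupportedCertType`, that enum value can still arrive from persisted stores written by earlier builds, and nothing in this hunk says how such an entry is treated; the deleted CacheHit assertions suggest a stored cert whose type is not requested is regenerated, but that is an inference. A comment on the switch would make the intent explicit: `// RSA certs are no longer generated; CLIENT_CERT_RSA_SIGN entries left in persisted stores are treated as unsupported.` If `kKeySizeInBits` in this file's anonymous namespace was only consumed by the removed RSA branch of `GenerateCert`, it is now dead and should be dropped with it. The `default:` arm of the `GenerateCert` switch, and the rest of that function, lie outside the hunk.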
@@ -10,7 +10,6 @@ #include "base/bind.h" #include "base/memory/scoped_ptr.h" #include "crypto/ec_private_key.h" -#include "crypto/rsa_private_key.h" #include "net/base/asn1_util.h" #include "net/base/default_origin_bound_cert_store.h" #include "net/base/net_errors.h" @@ -54,7 +53,7 @@ TEST(OriginBoundCertServiceTest, CacheHit) { int error; std::vector<uint8> types; - types.push_back(CLIENT_CERT_RSA_SIGN); + types.push_back(CLIENT_CERT_ECDSA_SIGN); TestCompletionCallback callback; OriginBoundCertService::RequestHandle request_handle; @@ -70,14 +69,12 @@ TEST(OriginBoundCertServiceTest, CacheHit) { error = callback.WaitForResult(); EXPECT_EQ(OK, error); EXPECT_EQ(1, service->cert_count()); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, type1); + EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type1); EXPECT_FALSE(private_key_info1.empty()); EXPECT_FALSE(der_cert1.empty()); // Synchronous completion. SSLClientCertType type2; - // If we request EC and RSA, should still retrieve the RSA cert. - types.insert(types.begin(), CLIENT_CERT_ECDSA_SIGN); std::string private_key_info2, der_cert2; error = service->GetOriginBoundCert( origin, types, &type2, &private_key_info2, &der_cert2, 
@@ -85,47 +82,12 @@ TEST(OriginBoundCertServiceTest, CacheHit) { EXPECT_TRUE(request_handle == NULL); EXPECT_EQ(OK, error); EXPECT_EQ(1, service->cert_count()); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, type2); + EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type2); EXPECT_EQ(private_key_info1, private_key_info2); EXPECT_EQ(der_cert1, der_cert2); - // Request only EC. Should generate a new EC cert and discard the old RSA - // cert. - SSLClientCertType type3; - types.pop_back(); // Remove CLIENT_CERT_RSA_SIGN from requested types. - std::string private_key_info3, der_cert3; - EXPECT_EQ(1, service->cert_count()); - error = service->GetOriginBoundCert( - origin, types, &type3, &private_key_info3, &der_cert3, - callback.callback(), &request_handle); - EXPECT_EQ(ERR_IO_PENDING, error); - EXPECT_TRUE(request_handle != NULL); - error = callback.WaitForResult(); - EXPECT_EQ(OK, error); - EXPECT_EQ(1, service->cert_count()); - EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type3); - EXPECT_FALSE(private_key_info1.empty()); - EXPECT_FALSE(der_cert1.empty()); - EXPECT_NE(private_key_info1, private_key_info3); - EXPECT_NE(der_cert1, der_cert3); - - // Synchronous completion. - // If we request RSA and EC, should now retrieve the EC cert. - SSLClientCertType type4; - types.insert(types.begin(), CLIENT_CERT_RSA_SIGN); - std::string private_key_info4, der_cert4; - error = service->GetOriginBoundCert( - origin, types, &type4, &private_key_info4, &der_cert4, - callback.callback(), &request_handle); - EXPECT_TRUE(request_handle == NULL); - EXPECT_EQ(OK, error); - EXPECT_EQ(1, service->cert_count()); - EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type4); - EXPECT_EQ(private_key_info3, private_key_info4); - EXPECT_EQ(der_cert3, der_cert4); - - EXPECT_EQ(4u, service->requests()); - EXPECT_EQ(2u, service->cert_store_hits()); + EXPECT_EQ(2u, service->requests()); + EXPECT_EQ(1u, service->cert_store_hits()); EXPECT_EQ(0u, service->inflight_joins()); } 
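Review bot: The deleted section of CacheHit was the only coverage of a stored cert whose type is absent from `types` being discarded and regenerated, and that is now exactly the migration path for `CLIENT_CERT_RSA_SIGN` entries left in persisted stores by earlier builds. Worth keeping a variant that seeds the store the way Expiration does, e.g. `store->SetOriginBoundCert(origin, CLIENT_CERT_RSA_SIGN, now, now + base::TimeDelta::FromDays(1), "a", "b");`, then requests only `CLIENT_CERT_ECDSA_SIGN` and asserts the returned type is ECDSA and the key and cert differ from the seeded values. Whether the service treats the stale entry as a miss or as an error is not visible here, so the expected result should be confirmed against the service before pinning it.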
@@ -149,6 +111,7 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { EXPECT_TRUE(request_handle == NULL); // No supported types in requested_types. + types.push_back(CLIENT_CERT_RSA_SIGN); types.push_back(2); types.push_back(3); error = service->GetOriginBoundCert( @@ -159,7 +122,6 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { // Supported types after unsupported ones in requested_types. types.push_back(CLIENT_CERT_ECDSA_SIGN); - types.push_back(CLIENT_CERT_RSA_SIGN); // Asynchronous completion. EXPECT_EQ(0, service->cert_count()); error = service->GetOriginBoundCert( @@ -187,6 +149,7 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { EXPECT_TRUE(request_handle == NULL); // No supported types in requested_types. + types.push_back(CLIENT_CERT_RSA_SIGN); types.push_back(2); types.push_back(3); error = service->GetOriginBoundCert( @@ -196,7 +159,6 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { EXPECT_TRUE(request_handle == NULL); // If we request EC, the cert we created before should still be there. - types.push_back(CLIENT_CERT_RSA_SIGN); types.push_back(CLIENT_CERT_ECDSA_SIGN); error = service->GetOriginBoundCert( origin, types, &type2, &private_key_info2, &der_cert2, @@ -214,7 +176,7 @@ TEST(OriginBoundCertServiceTest, StoreCerts) { new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); int error; std::vector<uint8> types; - types.push_back(CLIENT_CERT_RSA_SIGN); + types.push_back(CLIENT_CERT_ECDSA_SIGN); TestCompletionCallback callback; OriginBoundCertService::RequestHandle request_handle; @@ -246,7 +208,6 @@ TEST(OriginBoundCertServiceTest, StoreCerts) { std::string origin3("https://www.twitter.com:443"); SSLClientCertType type3; std::string private_key_info3, der_cert3; - types[0] = CLIENT_CERT_ECDSA_SIGN; error = service->GetOriginBoundCert( origin3, types, &type3, &private_key_info3, &der_cert3, callback.callback(), &request_handle); 
@@ -262,8 +223,8 @@ TEST(OriginBoundCertServiceTest, StoreCerts) { EXPECT_NE(der_cert1, der_cert3); EXPECT_NE(private_key_info2, private_key_info3); EXPECT_NE(der_cert2, der_cert3); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, type1); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, type2); + EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type1); + EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type2); EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type3); } @@ -274,7 +235,7 @@ TEST(OriginBoundCertServiceTest, InflightJoin) { std::string origin("https://encrypted.google.com:443"); int error; std::vector<uint8> types; - types.push_back(CLIENT_CERT_RSA_SIGN); + types.push_back(CLIENT_CERT_ECDSA_SIGN); SSLClientCertType type1; std::string private_key_info1, der_cert1; @@ -291,9 +252,9 @@ TEST(OriginBoundCertServiceTest, InflightJoin) { callback1.callback(), &request_handle1); EXPECT_EQ(ERR_IO_PENDING, error); EXPECT_TRUE(request_handle1 != NULL); - // If we request EC and RSA in the 2nd request, should still join with the + // If we request RSA and EC in the 2nd request, should still join with the // original request. - types.insert(types.begin(), CLIENT_CERT_ECDSA_SIGN); + types.insert(types.begin(), CLIENT_CERT_RSA_SIGN); error = service->GetOriginBoundCert( origin, types, &type2, &private_key_info2, &der_cert2, callback2.callback(), &request_handle2); 
@@ -305,91 +266,13 @@ TEST(OriginBoundCertServiceTest, InflightJoin) { error = callback2.WaitForResult(); EXPECT_EQ(OK, error); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, type1); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, type2); + EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type1); + EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type2); EXPECT_EQ(2u, service->requests()); EXPECT_EQ(0u, service->cert_store_hits()); EXPECT_EQ(1u, service->inflight_joins()); } -// Tests an inflight join with mismatching request types. -TEST(OriginBoundCertServiceTest, InflightJoinTypeMismatch) { - scoped_ptr<OriginBoundCertService> service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); - std::string origin("https://encrypted.google.com:443"); - int error; - std::vector<uint8> types1; - types1.push_back(CLIENT_CERT_RSA_SIGN); - std::vector<uint8> types2; - types2.push_back(CLIENT_CERT_ECDSA_SIGN); - - SSLClientCertType type1; - std::string private_key_info1, der_cert1; - TestCompletionCallback callback1; - OriginBoundCertService::RequestHandle request_handle1; - - SSLClientCertType type2; - std::string private_key_info2, der_cert2; - TestCompletionCallback callback2; - OriginBoundCertService::RequestHandle request_handle2; - - error = service->GetOriginBoundCert( - origin, types1, &type1, &private_key_info1, &der_cert1, - callback1.callback(), &request_handle1); - EXPECT_EQ(ERR_IO_PENDING, error); - EXPECT_TRUE(request_handle1 != NULL); - // If we request only EC in the 2nd request, it should return an error. 
- error = service->GetOriginBoundCert( - origin, types2, &type2, &private_key_info2, &der_cert2, - callback2.callback(), &request_handle2); - EXPECT_EQ(ERR_ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH, error); - EXPECT_TRUE(request_handle2 == NULL); - - error = callback1.WaitForResult(); - EXPECT_EQ(OK, error); - - EXPECT_FALSE(private_key_info1.empty()); - EXPECT_FALSE(der_cert1.empty()); - EXPECT_TRUE(private_key_info2.empty()); - EXPECT_TRUE(der_cert2.empty()); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, type1); - EXPECT_EQ(2u, service->requests()); - EXPECT_EQ(0u, service->cert_store_hits()); - EXPECT_EQ(0u, service->inflight_joins()); -} - -TEST(OriginBoundCertServiceTest, ExtractValuesFromBytesRSA) { - scoped_ptr<OriginBoundCertService> service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); - std::string origin("https://encrypted.google.com:443"); - SSLClientCertType type; - std::string private_key_info, der_cert; - int error; - std::vector<uint8> types; - types.push_back(CLIENT_CERT_RSA_SIGN); - TestCompletionCallback callback; - OriginBoundCertService::RequestHandle request_handle; - - error = service->GetOriginBoundCert( - origin, types, &type, &private_key_info, &der_cert, callback.callback(), - &request_handle); - EXPECT_EQ(ERR_IO_PENDING, error); - EXPECT_TRUE(request_handle != NULL); - error = callback.WaitForResult(); - EXPECT_EQ(OK, error); - - // Check that we can retrieve the key from the bytes. - std::vector<uint8> key_vec(private_key_info.begin(), private_key_info.end()); - scoped_ptr<crypto::RSAPrivateKey> private_key( - crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vec)); - EXPECT_TRUE(private_key != NULL); - - // Check that we can retrieve the cert from the bytes. 
- scoped_refptr<X509Certificate> x509cert( - X509Certificate::CreateFromBytes(der_cert.data(), der_cert.size())); - EXPECT_TRUE(x509cert != NULL); -} - TEST(OriginBoundCertServiceTest, ExtractValuesFromBytesEC) { scoped_ptr<OriginBoundCertService> service( new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); @@ -438,7 +321,7 @@ TEST(OriginBoundCertServiceTest, CancelRequest) { std::string private_key_info, der_cert; int error; std::vector<uint8> types; - types.push_back(CLIENT_CERT_RSA_SIGN); + types.push_back(CLIENT_CERT_ECDSA_SIGN); OriginBoundCertService::RequestHandle request_handle; error = service->GetOriginBoundCert(origin, @@ -479,13 +362,13 @@ TEST(OriginBoundCertServiceTest, Expiration) { OriginBoundCertStore* store = new DefaultOriginBoundCertStore(NULL); base::Time now = base::Time::Now(); store->SetOriginBoundCert("https://good", - CLIENT_CERT_RSA_SIGN, + CLIENT_CERT_ECDSA_SIGN, now, now + base::TimeDelta::FromDays(1), "a", "b"); store->SetOriginBoundCert("https://expired", - CLIENT_CERT_RSA_SIGN, + CLIENT_CERT_ECDSA_SIGN, now - base::TimeDelta::FromDays(2), now - base::TimeDelta::FromDays(1), "c", @@ -495,7 +378,7 @@ TEST(OriginBoundCertServiceTest, Expiration) { int error; std::vector<uint8> types; - types.push_back(CLIENT_CERT_RSA_SIGN); + types.push_back(CLIENT_CERT_ECDSA_SIGN); TestCompletionCallback callback; OriginBoundCertService::RequestHandle request_handle; @@ -508,7 +391,7 @@ TEST(OriginBoundCertServiceTest, Expiration) { EXPECT_EQ(OK, error); EXPECT_TRUE(request_handle == NULL); EXPECT_EQ(2, service.cert_count()); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, type1); + EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type1); EXPECT_STREQ("a", private_key_info1.c_str()); EXPECT_STREQ("b", der_cert1.c_str()); 
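Review bot: Removing InflightJoinTypeMismatch drops the only test of `ERR_ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH`, and with ECDSA the sole supported type a second request can no longer name a supported type that differs from the in-flight one, so that branch in the service is presumably unreachable now rather than merely untested. Either remove the branch and the error code together with this test, or keep a short test that documents why it is retained, e.g. `// Only one supported type remains, so a type mismatch between joined requests is currently impossible.` The InflightJoin hunk above is fine, but its updated comment `If we request RSA and EC in the 2nd request` now describes an unsupported type being silently ignored, which is worth stating explicitly.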
@@ -523,7 +406,7 @@ TEST(OriginBoundCertServiceTest, Expiration) { error = callback.WaitForResult(); EXPECT_EQ(OK, error); EXPECT_EQ(2, service.cert_count()); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, type2); + EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, type2); EXPECT_LT(1U, private_key_info2.size()); EXPECT_LT(1U, der_cert2.size()); } diff --git a/net/base/x509_util.h b/net/base/x509_util.h index b35d274..825ee02 100644 --- a/net/base/x509_util.h +++ b/net/base/x509_util.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -13,7 +13,6 @@ namespace crypto { class ECPrivateKey; -class RSAPrivateKey; } namespace net { @@ -27,12 +26,6 @@ namespace x509_util { // // See Internet Draft draft-balfanz-tls-obc-00 for more details: // http://tools.ietf.org/html/draft-balfanz-tls-obc-00 -bool NET_EXPORT_PRIVATE CreateOriginBoundCertRSA(crypto::RSAPrivateKey* key, - const std::string& origin, - uint32 serial_number, - base::Time not_valid_before, - base::Time not_valid_after, - std::string* der_cert); bool NET_EXPORT_PRIVATE CreateOriginBoundCertEC(crypto::ECPrivateKey* key, const std::string& origin, uint32 serial_number, diff --git a/net/base/x509_util_nss.cc b/net/base/x509_util_nss.cc index 3f630e2..141c0fa 100644 --- a/net/base/x509_util_nss.cc +++ b/net/base/x509_util_nss.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -19,7 +19,6 @@ #include "crypto/ec_private_key.h" #include "crypto/nss_util.h" #include "crypto/nss_util_internal.h" -#include "crypto/rsa_private_key.h" #include "crypto/scoped_nss_types.h" #include "crypto/third_party/nss/chromium-nss.h" 
@@ -273,71 +272,6 @@ CERTCertificate* CreateSelfSignedCert( return cert; } -bool CreateOriginBoundCertRSA( - crypto::RSAPrivateKey* key, - const std::string& origin, - uint32 serial_number, - base::Time not_valid_before, - base::Time not_valid_after, - std::string* der_cert) { - DCHECK(key); - - SECKEYPublicKey* public_key; - SECKEYPrivateKey* private_key; -#if defined(USE_NSS) - public_key = key->public_key(); - private_key = key->key(); -#else - crypto::ScopedSECKEYPublicKey scoped_public_key; - crypto::ScopedSECKEYPrivateKey scoped_private_key; - { - // Based on the NSS RSAPrivateKey::CreateFromPrivateKeyInfoWithParams. - // This method currently leaks some memory. - // See http://crbug.com/34742. - ANNOTATE_SCOPED_MEMORY_LEAK; - crypto::EnsureNSSInit(); - - std::vector<uint8> key_data; - key->ExportPrivateKey(&key_data); - - crypto::ScopedPK11Slot slot(crypto::GetPrivateNSSKeySlot()); - if (!slot.get()) - return NULL; - - SECItem der_private_key_info; - der_private_key_info.data = const_cast<unsigned char*>(&key_data[0]); - der_private_key_info.len = key_data.size(); - // Allow the private key to be used for key unwrapping, data decryption, - // and signature generation. - const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT | - KU_DIGITAL_SIGNATURE; - SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( - slot.get(), &der_private_key_info, NULL, NULL, PR_FALSE, PR_FALSE, - key_usage, &private_key, NULL); - scoped_private_key.reset(private_key); - if (rv != SECSuccess) { - NOTREACHED(); - return NULL; - } - - public_key = SECKEY_ConvertToPublicKey(private_key); - if (!public_key) { - NOTREACHED(); - return NULL; - } - scoped_public_key.reset(public_key); - } -#endif - - return CreateOriginBoundCertInternal(public_key, - private_key, - origin, - serial_number, - not_valid_before, - not_valid_after, - der_cert); -} - bool CreateOriginBoundCertEC( crypto::ECPrivateKey* key, const std::string& origin, 
diff --git a/net/base/x509_util_nss_unittest.cc b/net/base/x509_util_nss_unittest.cc index 1dc2cd2..97eb5b4 100644 --- a/net/base/x509_util_nss_unittest.cc +++ b/net/base/x509_util_nss_unittest.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -11,7 +11,6 @@ #include "base/memory/scoped_ptr.h" #include "base/memory/ref_counted.h" #include "crypto/ec_private_key.h" -#include "crypto/rsa_private_key.h" #include "crypto/scoped_nss_types.h" #include "crypto/signature_verifier.h" #include "net/base/x509_certificate.h" @@ -140,30 +139,6 @@ void VerifyOriginBoundCert(const std::string& origin, } // namespace -// This test creates an origin-bound cert from a RSA private key and -// then verifies the content of the certificate. -TEST(X509UtilNSSTest, CreateOriginBoundCertRSA) { - // Create a sample ASCII weborigin. - std::string origin = "http://weborigin.com:443"; - base::Time now = base::Time::Now(); - - scoped_ptr<crypto::RSAPrivateKey> private_key( - crypto::RSAPrivateKey::Create(1024)); - std::string der_cert; - ASSERT_TRUE(x509_util::CreateOriginBoundCertRSA( - private_key.get(), - origin, 1, - now, - now + base::TimeDelta::FromDays(1), - &der_cert)); - - VerifyOriginBoundCert(origin, der_cert); - - std::vector<uint8> spki; - ASSERT_TRUE(private_key->ExportPublicKey(&spki)); - VerifyCertificateSignature(der_cert, spki); -} - // This test creates an origin-bound cert from an EC private key and // then verifies the content of the certificate. TEST(X509UtilNSSTest, CreateOriginBoundCertEC) { diff --git a/net/base/x509_util_openssl.cc b/net/base/x509_util_openssl.cc index 786dd86..8bebfe0 100644 --- a/net/base/x509_util_openssl.cc +++ b/net/base/x509_util_openssl.cc 
@@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -15,17 +15,6 @@ namespace net { namespace x509_util { -bool CreateOriginBoundCertRSA( - crypto::RSAPrivateKey* key, - const std::string& origin, - uint32 serial_number, - base::Time not_valid_before, - base::Time not_valid_after, - std::string* der_cert) { - NOTIMPLEMENTED(); - return false; -} - bool CreateOriginBoundCertEC( crypto::ECPrivateKey* key, const std::string& origin, diff --git a/net/base/x509_util_openssl_unittest.cc b/net/base/x509_util_openssl_unittest.cc index 5d96dfa..599d0e4 100644 --- a/net/base/x509_util_openssl_unittest.cc +++ b/net/base/x509_util_openssl_unittest.cc 
@@ -1,25 +1,25 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "base/memory/scoped_ptr.h" -#include "crypto/rsa_private_key.h" +#include "crypto/ec_private_key.h" #include "net/base/x509_util.h" #include "net/base/x509_util_openssl.h" #include "testing/gtest/include/gtest/gtest.h" namespace net { -// For OpenSSL, x509_util::CreateOriginBoundCert() is not yet implemented +// For OpenSSL, x509_util::CreateOriginBoundCertEC() is not yet implemented // and should return false. This unit test ensures that a stub implementation // is present. TEST(X509UtilOpenSSLTest, CreateOriginBoundCertNotImplemented) { std::string origin = "http://weborigin.com:443"; base::Time now = base::Time::Now(); - scoped_ptr<crypto::RSAPrivateKey> private_key( - crypto::RSAPrivateKey::Create(1024)); + scoped_ptr<crypto::ECPrivateKey> private_key( + crypto::ECPrivateKey::Create()); std::string der_cert; - EXPECT_FALSE(x509_util::CreateOriginBoundCertRSA( + EXPECT_FALSE(x509_util::CreateOriginBoundCertEC( private_key.get(), origin, 1, now, diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index fd32158..8188d66 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc 
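Review bot: The `EXPECT_FALSE` in CreateOriginBoundCertNotImplemented passes for the wrong reason if `crypto::ECPrivateKey::Create()` returns NULL on the OpenSSL port, since a real implementation would also reject a null key, so the test no longer distinguishes the stub from an implementation. Add `ASSERT_TRUE(private_key.get());` before the call if EC key generation is available in that build, or otherwise extend the comment to say that a null key is acceptable because only the stub's unconditional false is being checked. The closing lines of the test are outside the hunk.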
@@ -1558,25 +1558,6 @@ int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, // Set the private key. switch (ob_cert_type_) { - case CLIENT_CERT_RSA_SIGN: { - SECItem der_private_key_info; - der_private_key_info.data = (unsigned char*)ob_private_key_.data(); - der_private_key_info.len = ob_private_key_.size(); - const unsigned int key_usage = KU_DIGITAL_SIGNATURE; - crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); - SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( - slot.get(), &der_private_key_info, NULL, NULL, PR_FALSE, PR_FALSE, - key_usage, key, NULL); - - if (rv != SECSuccess) { - int error = MapNSSError(PORT_GetError()); - CERT_DestroyCertificate(*cert); - *cert = NULL; - return error; - } - break; - } - case CLIENT_CERT_ECDSA_SIGN: { SECKEYPublicKey* public_key = NULL; if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( diff --git a/net/spdy/spdy_http_stream_unittest.cc b/net/spdy/spdy_http_stream_unittest.cc index 35ef311..6737d8c6 100644 --- a/net/spdy/spdy_http_stream_unittest.cc +++ b/net/spdy/spdy_http_stream_unittest.cc @@ -6,7 +6,6 @@ #include "crypto/ec_private_key.h" #include "crypto/ec_signature_creator.h" -#include "crypto/rsa_private_key.h" #include "crypto/signature_creator.h" #include "net/base/asn1_util.h" #include "net/base/default_origin_bound_cert_store.h" 
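Review bot: The `default:` arm of the `switch (ob_cert_type_)` in ImportOBCertAndKey is outside the hunk, and it is now the only thing standing between a `CLIENT_CERT_RSA_SIGN` value (a stale persisted entry, or whatever the server's CertificateRequest mapped to) and continuing with `*key` unset; the deleted RSA arm released `*cert` and returned a mapped error on failure, and the default arm should do the same, e.g. `NOTREACHED(); CERT_DestroyCertificate(*cert); *cert = NULL;` followed by an error return. If the type is already filtered earlier against the service's supported set, a one-line comment at the switch saying so would save the next reader the trip.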
@@ -239,43 +238,6 @@ TEST_F(SpdyHttpStreamTest, SpdyURLTest) { EXPECT_TRUE(data()->at_write_eof()); } -void GetRSAOriginBoundCertAndProof(const std::string& origin, - OriginBoundCertService* obc_service, - std::string* cert, - std::string* proof) { - TestCompletionCallback callback; - std::vector<uint8> requested_cert_types; - requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN); - SSLClientCertType cert_type; - std::string key; - OriginBoundCertService::RequestHandle request_handle; - int rv = obc_service->GetOriginBoundCert(origin, requested_cert_types, - &cert_type, &key, cert, - callback.callback(), - &request_handle); - EXPECT_EQ(ERR_IO_PENDING, rv); - EXPECT_EQ(OK, callback.WaitForResult()); - EXPECT_EQ(CLIENT_CERT_RSA_SIGN, cert_type); - - unsigned char secret[32]; - memset(secret, 'A', arraysize(secret)); - - // Convert the key string into a vector<unit8> - std::vector<uint8> key_data; - for (size_t i = 0; i < key.length(); i++) { - key_data.push_back(key[i]); - } - - std::vector<uint8> proof_data; - scoped_ptr<crypto::RSAPrivateKey> private_key( - crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_data)); - scoped_ptr<crypto::SignatureCreator> creator( - crypto::SignatureCreator::Create(private_key.get())); - creator->Update(secret, arraysize(secret)); - creator->Final(&proof_data); - proof->assign(proof_data.begin(), proof_data.end()); -} - void GetECOriginBoundCertAndProof(const std::string& origin, OriginBoundCertService* obc_service, std::string* cert, 
@@ -440,17 +402,6 @@ void SpdyHttpStreamTest::TestSendCredentials( ASSERT_EQ(200, response.headers->response_code()); } -TEST_F(SpdyHttpStreamTest, SendCredentialsRSA) { - scoped_ptr<OriginBoundCertService> obc_service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); - std::string cert; - std::string proof; - GetRSAOriginBoundCertAndProof("http://www.gmail.com/", obc_service.get(), - &cert, &proof); - - TestSendCredentials(obc_service.get(), cert, proof, CLIENT_CERT_RSA_SIGN); -} - class MockECSignatureCreator : public crypto::ECSignatureCreator { public: explicit MockECSignatureCreator(crypto::ECPrivateKey* key) : key_(key) {} diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc index 19e6f46..06d3718 100644 --- a/net/spdy/spdy_session.cc +++ b/net/spdy/spdy_session.cc @@ -19,7 +19,6 @@ #include "base/values.h" #include "crypto/ec_private_key.h" #include "crypto/ec_signature_creator.h" -#include "crypto/rsa_private_key.h" #include "crypto/signature_creator.h" #include "net/base/asn1_util.h" #include "net/base/connection_type_histograms.h" @@ -649,15 +648,6 @@ int SpdySession::WriteCredentialFrame(const std::string& origin, std::vector<uint8> proof; switch (type) { - case CLIENT_CERT_RSA_SIGN: { - scoped_ptr<crypto::RSAPrivateKey> private_key( - crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_data)); - scoped_ptr<crypto::SignatureCreator> creator( - crypto::SignatureCreator::Create(private_key.get())); - creator->Update(secret, arraysize(secret)); - creator->Final(&proof); - break; - } case CLIENT_CERT_ECDSA_SIGN: { base::StringPiece spki_piece; asn1::ExtractSPKIFromDERCert(cert, &spki_piece); diff --git a/net/spdy/spdy_session_unittest.cc b/net/spdy/spdy_session_unittest.cc index fe3becd..0dedc6d 100644 --- a/net/spdy/spdy_session_unittest.cc +++ b/net/spdy/spdy_session_unittest.cc 
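Review bot: In WriteCredentialFrame `proof` is declared empty before the `switch (type)` and the only remaining arm fills it for `CLIENT_CERT_ECDSA_SIGN`, so a `CLIENT_CERT_RSA_SIGN` value that gets this far now depends entirely on the `default:` arm, which is outside the hunk; unless it returns an error, a CREDENTIAL frame with an empty proof would be written. In the same arm the unchanged context line `asn1::ExtractSPKIFromDERCert(cert, &spki_piece);` discards its result, so a malformed `cert` leaves `spki_piece` empty for whatever key import follows; guarding it with `if (!asn1::ExtractSPKIFromDERCert(cert, &spki_piece))` and an error return would fail closed. That second point is pre-existing rather than introduced here, and the rest of the function is outside the hunk.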
@@ -920,7 +920,7 @@ TEST_F(SpdySessionTest, NeedsCredentials) { session_deps.socket_factory->AddSocketDataProvider(&data); SSLSocketDataProvider ssl(SYNCHRONOUS, OK); - ssl.origin_bound_cert_type = CLIENT_CERT_RSA_SIGN; + ssl.origin_bound_cert_type = CLIENT_CERT_ECDSA_SIGN; ssl.protocol_negotiated = SSLClientSocket::kProtoSPDY3; session_deps.socket_factory->AddSSLSocketDataProvider(&ssl); @@ -995,7 +995,7 @@ TEST_F(SpdySessionTest, SendCredentials) { session_deps.socket_factory->AddSocketDataProvider(&data); SSLSocketDataProvider ssl(SYNCHRONOUS, OK); - ssl.origin_bound_cert_type = CLIENT_CERT_RSA_SIGN; + ssl.origin_bound_cert_type = CLIENT_CERT_ECDSA_SIGN; ssl.protocol_negotiated = SSLClientSocket::kProtoSPDY3; session_deps.socket_factory->AddSSLSocketDataProvider(&ssl); |