author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-01 02:59:31 +0000 |
---|---|---|
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-01 02:59:31 +0000 |
commit | c7ff2910aad25eab6d0ec61b14547294cd764958 (patch) | |
tree | 466c046ebd032b40141959e598852183c66ac711 | |
parent | 85c63cb2264f2e4ba3842487fd0835b8cd2f3b3a (diff) | |
Reland: Allow signing EC certs and creating EC origin-bound certs.
BUG=88782
TEST=X509UtilNSSTest
Review URL: http://codereview.chromium.org/8537025
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112385 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | crypto/crypto.gyp | 2 | ||||
-rw-r--r-- | crypto/third_party/nss/chromium-nss.h | 9 | ||||
-rw-r--r-- | crypto/third_party/nss/secsign.cc | 130 | ||||
-rw-r--r-- | net/base/origin_bound_cert_service.cc | 2 | ||||
-rw-r--r-- | net/base/x509_util.h | 16 | ||||
-rw-r--r-- | net/base/x509_util_nss.cc | 163 | ||||
-rw-r--r-- | net/base/x509_util_nss_unittest.cc | 125 | ||||
-rw-r--r-- | net/base/x509_util_openssl.cc | 12 | ||||
-rw-r--r-- | net/base/x509_util_openssl_unittest.cc | 8 |
9 files changed, 369 insertions, 98 deletions
diff --git a/crypto/crypto.gyp b/crypto/crypto.gyp index 1461b95..fb3935f 100644 --- a/crypto/crypto.gyp +++ b/crypto/crypto.gyp @@ -106,6 +106,7 @@ 'third_party/nss/chromium-nss.h', 'third_party/nss/chromium-sha256.h', 'third_party/nss/pk11akey.cc', + 'third_party/nss/secsign.cc', 'third_party/nss/sha512.cc', ], }, { @@ -193,6 +194,7 @@ 'third_party/nss/chromium-nss.h', 'third_party/nss/chromium-sha256.h', 'third_party/nss/pk11akey.cc', + 'third_party/nss/secsign.cc', 'third_party/nss/sha512.cc', ], }, diff --git a/crypto/third_party/nss/chromium-nss.h b/crypto/third_party/nss/chromium-nss.h index af85e36..ab4726a 100644 --- a/crypto/third_party/nss/chromium-nss.h +++ b/crypto/third_party/nss/chromium-nss.h @@ -43,6 +43,8 @@ #include <keyhi.h> #include <secmod.h> +#include "crypto/crypto_export.h" + // Like PK11_ImportEncryptedPrivateKeyInfo, but hardcoded for EC, and returns // the SECKEYPrivateKey. // See https://bugzilla.mozilla.org/show_bug.cgi?id=211546 @@ -59,4 +61,11 @@ SECStatus ImportEncryptedECPrivateKeyInfoAndReturnKey( SECKEYPrivateKey** private_key, void* wincx); +// Like SEC_DerSignData. +CRYPTO_EXPORT SECStatus DerSignData(PLArenaPool *arena, + SECItem *result, + SECItem *input, + SECKEYPrivateKey *key, + SECOidTag algo_id); + #endif // CRYPTO_THIRD_PARTY_NSS_CHROMIUM_NSS_H_ diff --git a/crypto/third_party/nss/secsign.cc b/crypto/third_party/nss/secsign.cc new file mode 100644 index 0000000..9272d4a --- /dev/null +++ b/crypto/third_party/nss/secsign.cc 
@@ -0,0 +1,130 @@
+/*
+ * Signature stuff.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "crypto/third_party/nss/chromium-nss.h"
+
+#include <vector>
+
+#include <cryptohi.h>
+#include <pk11pub.h>
+#include <secerr.h>
+#include <sechash.h>
+
+#include "base/basictypes.h"
+#include "base/logging.h"
+#include "build/build_config.h"
+
+SECStatus DerSignData(PLArenaPool *arena,
+ SECItem *result,
+ SECItem *input,
+ SECKEYPrivateKey *key,
+ SECOidTag algo_id) {
+ if (key->keyType != ecKey) {
+ return SEC_DerSignData(arena, result, input->data, input->len, key,
+ algo_id);
+ }
+
+ // NSS has a private function sec_DecodeSigAlg it uses to figure out the
+ // correct hash from the algorithm id.
+ HASH_HashType hash_type;
+ switch (algo_id) {
+ case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+ hash_type = HASH_AlgSHA1;
+ break;
+#ifdef SHA224_LENGTH
+ case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+ hash_type = HASH_AlgSHA224;
+ break;
+#endif
+ case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+ hash_type = HASH_AlgSHA256;
+ break;
+ case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+ hash_type = HASH_AlgSHA384;
+ break;
+ case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+ hash_type = HASH_AlgSHA512;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ // Hash the input.
+ std::vector<uint8> hash_data(HASH_ResultLen(hash_type));
+ SECStatus rv = HASH_HashBuf(
+ hash_type, &hash_data[0], input->data, input->len);
+ if (rv != SECSuccess)
+ return rv;
+ SECItem hash = {siBuffer, &hash_data[0], hash_data.size()};
+
+ // Compute signature of hash.
+ int signature_len = PK11_SignatureLen(key);
+ std::vector<uint8> signature_data(signature_len);
+ SECItem sig = {siBuffer, &signature_data[0], signature_len};
+ rv = PK11_Sign(key, &sig, &hash);
+ if (rv != SECSuccess)
+ return rv;
+
+ CERTSignedData sd;
+ PORT_Memset(&sd, 0, sizeof(sd));
+ // Fill in tbsCertificate.
+ sd.data.data = (unsigned char*) input->data;
+ sd.data.len = input->len;
+
+ // Fill in signatureAlgorithm.
+ rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algo_id, 0); + if (rv != SECSuccess) + return rv; + + // Fill in signatureValue. + rv = DSAU_EncodeDerSigWithLen(&sd.signature, &sig, sig.len); + if (rv != SECSuccess) + return rv; + sd.signature.len <<= 3; // Convert to bit string. + + // DER encode the signed data object. + void* encode_result = SEC_ASN1EncodeItem( + arena, result, &sd, SEC_ASN1_GET(CERT_SignedDataTemplate)); + + PORT_Free(sd.signature.data); + + return encode_result ? SECSuccess : SECFailure; +} diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc index e5c1e9d..4d1af28 100644 --- a/net/base/origin_bound_cert_service.cc +++ b/net/base/origin_bound_cert_service.cc @@ -326,7 +326,7 @@ int OriginBoundCertService::GenerateCert(const std::string& origin, return ERR_KEY_GENERATION_FAILED; } std::string der_cert; - if (!x509_util::CreateOriginBoundCert( + if (!x509_util::CreateOriginBoundCertRSA( key.get(), origin, serial_number, diff --git a/net/base/x509_util.h b/net/base/x509_util.h index d110c939..1d8c933 100644 --- a/net/base/x509_util.h +++ b/net/base/x509_util.h @@ -12,6 +12,7 @@ #include "net/base/net_export.h" namespace crypto { +class ECPrivateKey; class RSAPrivateKey; } 
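Review bot: In the EC branch of DerSignData the value returned by `PK11_SignatureLen(key)` sizes `signature_data` without being checked, and `&signature_data[0]` is taken straight afterwards. If that call can report failure as 0, indexing the empty vector is undefined behaviour before PK11_Sign runs, and a negative value would convert to an enormous allocation size. A guard directly after the call closes both cases: `if (signature_len <= 0) { PORT_SetError(SEC_ERROR_INVALID_KEY); return SECFailure; }`. The same pattern applies to `HASH_ResultLen(hash_type)` feeding `hash_data`. In addition, `key` and `input` are dereferenced on the first line with no null check, which is worth a comment or a DCHECK since the function is exported as a stand-in for SEC_DerSignData.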
@@ -26,11 +27,16 @@ namespace x509_util { // // See Internet Draft draft-balfanz-tls-obc-00 for more details: // http://tools.ietf.org/html/draft-balfanz-tls-obc-00 -bool NET_EXPORT_PRIVATE CreateOriginBoundCert(crypto::RSAPrivateKey* key, - const std::string& origin, - uint32 serial_number, - base::TimeDelta valid_duration, - std::string* der_cert); +bool NET_EXPORT_PRIVATE CreateOriginBoundCertRSA(crypto::RSAPrivateKey* key, + const std::string& origin, + uint32 serial_number, + base::TimeDelta valid_duration, + std::string* der_cert); +bool NET_EXPORT_PRIVATE CreateOriginBoundCertEC(crypto::ECPrivateKey* key, + const std::string& origin, + uint32 serial_number, + base::TimeDelta valid_duration, + std::string* der_cert); } // namespace x509_util diff --git a/net/base/x509_util_nss.cc b/net/base/x509_util_nss.cc index fe3fb17..61126af 100644 --- a/net/base/x509_util_nss.cc +++ b/net/base/x509_util_nss.cc @@ -16,10 +16,12 @@ #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "base/memory/singleton.h" +#include "crypto/ec_private_key.h" #include "crypto/nss_util.h" #include "crypto/nss_util_internal.h" #include "crypto/rsa_private_key.h" #include "crypto/scoped_nss_types.h" +#include "crypto/third_party/nss/chromium-nss.h" namespace { @@ -157,9 +159,11 @@ bool SignCertificate( return false; // Sign the ASN1 encoded cert and save it to |result|. - rv = SEC_DerSignData(arena, result, der.data, der.len, key, algo_id); - if (rv != SECSuccess) + rv = DerSignData(arena, result, &der, key, algo_id); + if (rv != SECSuccess) { + DLOG(ERROR) << "DerSignData: " << PORT_GetError(); return false; + } // Save the signed result to the cert. cert->derCert = *result; 
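Review bot: `CreateOriginBoundCertEC` is declared without a comment of its own, so the block above the two declarations reads as describing only the RSA variant. A line such as `// As CreateOriginBoundCertRSA, but for an EC key; the certificate is signed with ECDSA.` above the EC declaration would make the contract explicit. It would also help to say there that the OpenSSL build returns false for both functions. The comment block itself starts outside this hunk.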
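Review bot: `algo_id` is chosen outside this hunk, and for an EC key DerSignData accepts only the ECDSA signature OIDs, failing with SEC_ERROR_INVALID_ALGORITHM for anything else. It is worth confirming that SignCertificate derives the tag from `key->keyType` rather than a fixed RSA OID, and saying so in a comment next to the call. The failure is also reported through `DLOG(ERROR)`, which release builds compile out, whereas the failure paths in CreateOriginBoundCertInternal use `LOG(ERROR)`; `LOG(ERROR) << "DerSignData: " << PORT_GetError();` would keep signing failures visible in the field. SignCertificate starts and ends outside the hunk.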
@@ -167,6 +171,78 @@ bool SignCertificate( return true; } +bool CreateOriginBoundCertInternal( + SECKEYPublicKey* public_key, + SECKEYPrivateKey* private_key, + const std::string& origin, + uint32 serial_number, + base::TimeDelta valid_duration, + std::string* der_cert) { + + CERTCertificate* cert = CreateCertificate(public_key, + "CN=anonymous.invalid", + serial_number, + valid_duration); + + if (!cert) + return false; + + // Create opaque handle used to add extensions later. + void* cert_handle; + if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { + LOG(ERROR) << "Unable to get opaque handle for adding extensions"; + CERT_DestroyCertificate(cert); + return false; + } + + // Create SECItem for IA5String encoding. + SECItem origin_string_item = { + siAsciiString, + (unsigned char*)origin.data(), + origin.size() + }; + + // IA5Encode and arena allocate SECItem + SECItem* asn1_origin_string = SEC_ASN1EncodeItem( + cert->arena, NULL, &origin_string_item, + SEC_ASN1_GET(SEC_IA5StringTemplate)); + if (asn1_origin_string == NULL) { + LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension"; + CERT_DestroyCertificate(cert); + return false; + } + + // Add the extension to the opaque handle + if (CERT_AddExtension(cert_handle, + ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(), + asn1_origin_string, + PR_TRUE, PR_TRUE) != SECSuccess){ + LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle"; + CERT_DestroyCertificate(cert); + return false; + } + + // Copy extension into x509 cert + if (CERT_FinishExtensions(cert_handle) != SECSuccess){ + LOG(ERROR) << "Unable to copy extension to X509 cert"; + CERT_DestroyCertificate(cert); + return false; + } + + if (!SignCertificate(cert, private_key)) { + CERT_DestroyCertificate(cert); + return false; + } + + DCHECK(cert->derCert.len); + // XXX copied from X509Certificate::GetDEREncoded + der_cert->clear(); + der_cert->append(reinterpret_cast<char*>(cert->derCert.data), + 
cert->derCert.len); + CERT_DestroyCertificate(cert); + return true; +} + } // namespace namespace net { @@ -194,7 +270,7 @@ CERTCertificate* CreateSelfSignedCert( return cert; } -bool CreateOriginBoundCert( +bool CreateOriginBoundCertRSA( crypto::RSAPrivateKey* key, const std::string& origin, uint32 serial_number, 
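Review bot: `origin` is encoded as an IA5String with no check that it holds only 7-bit ASCII and no embedded NUL; `origin_string_item` simply points at `origin.data()` with `origin.size()`. Whether callers canonicalise the origin first is not visible here, so CreateOriginBoundCertInternal should either reject an origin containing a zero byte or any byte above 0x7F before encoding, or document that precondition in a comment above the function. As a style point, the six failure paths each repeat `CERT_DestroyCertificate(cert)`; a scoped holder for `cert` would make it impossible for a future early return to leak it.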
@@ -249,68 +325,27 @@ bool CreateOriginBoundCert( } #endif - CERTCertificate* cert = CreateCertificate(public_key, - "CN=anonymous.invalid", - serial_number, - valid_duration); - - if (!cert) - return false; - - // Create opaque handle used to add extensions later. - void* cert_handle; - if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { - LOG(ERROR) << "Unable to get opaque handle for adding extensions"; - CERT_DestroyCertificate(cert); - return false; - } - - // Create SECItem for IA5String encoding. - SECItem origin_string_item = { - siAsciiString, - (unsigned char*)origin.data(), - origin.size() - }; - - // IA5Encode and arena allocate SECItem - SECItem* asn1_origin_string = SEC_ASN1EncodeItem( - cert->arena, NULL, &origin_string_item, - SEC_ASN1_GET(SEC_IA5StringTemplate)); - if (asn1_origin_string == NULL) { - LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension"; - CERT_DestroyCertificate(cert); - return false; - } - - // Add the extension to the opaque handle - if (CERT_AddExtension(cert_handle, - ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(), - asn1_origin_string, - PR_TRUE, PR_TRUE) != SECSuccess){ - LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle"; - CERT_DestroyCertificate(cert); - return false; - } - - // Copy extension into x509 cert - if (CERT_FinishExtensions(cert_handle) != SECSuccess){ - LOG(ERROR) << "Unable to copy extension to X509 cert"; - CERT_DestroyCertificate(cert); - return false; - } - - if (!SignCertificate(cert, private_key)) { - CERT_DestroyCertificate(cert); - return false; - } + return CreateOriginBoundCertInternal(public_key, + private_key, + origin, + serial_number, + valid_duration, + der_cert); +} - DCHECK(cert->derCert.len); - // XXX copied from X509Certificate::GetDEREncoded - der_cert->clear(); - der_cert->append(reinterpret_cast<char*>(cert->derCert.data), - cert->derCert.len); - CERT_DestroyCertificate(cert); - return true; +bool CreateOriginBoundCertEC( + 
crypto::ECPrivateKey* key, + const std::string& origin, + uint32 serial_number, + base::TimeDelta valid_duration, + std::string* der_cert) { + DCHECK(key); + return CreateOriginBoundCertInternal(key->public_key(), + key->key(), + origin, + serial_number, + valid_duration, + der_cert); } } // namespace x509_util diff --git a/net/base/x509_util_nss_unittest.cc b/net/base/x509_util_nss_unittest.cc index 79146b6..71aac2a 100644 --- a/net/base/x509_util_nss_unittest.cc +++ b/net/base/x509_util_nss_unittest.cc @@ -10,10 +10,15 @@ #include "base/memory/scoped_ptr.h" #include "base/memory/ref_counted.h" +#include "crypto/ec_private_key.h" #include "crypto/rsa_private_key.h" +#include "crypto/scoped_nss_types.h" +#include "crypto/signature_verifier.h" #include "net/base/x509_certificate.h" #include "testing/gtest/include/gtest/gtest.h" +namespace net { + namespace { CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) { 
@@ -27,19 +32,54 @@ CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) { PR_FALSE, PR_TRUE); } -} // namespace +void VerifyCertificateSignature(const std::string& der_cert, + const std::vector<uint8>& der_spki) { + crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); -namespace net { + CERTSignedData sd; + memset(&sd, 0, sizeof(sd)); -// This test creates an origin-bound cert from a private key and -// then verifies the content of the certificate. -TEST(X509UtilNSSTest, CreateOriginBoundCert) { + SECItem der_cert_item = { + siDERCertBuffer, + reinterpret_cast<unsigned char*>(const_cast<char*>(der_cert.data())), + der_cert.size() + }; + SECStatus rv = SEC_ASN1DecodeItem(arena.get(), &sd, + SEC_ASN1_GET(CERT_SignedDataTemplate), + &der_cert_item); + ASSERT_EQ(SECSuccess, rv); + + // The CERTSignedData.signatureAlgorithm is decoded, but SignatureVerifier + // wants the DER encoded form, so re-encode it again. + SECItem* signature_algorithm = SEC_ASN1EncodeItem( + arena.get(), + NULL, + &sd.signatureAlgorithm, + SEC_ASN1_GET(SECOID_AlgorithmIDTemplate)); + ASSERT_TRUE(signature_algorithm); + + crypto::SignatureVerifier verifier; + bool ok = verifier.VerifyInit( + signature_algorithm->data, + signature_algorithm->len, + sd.signature.data, + sd.signature.len / 8, // Signature is a BIT STRING, convert to bytes. + &der_spki[0], + der_spki.size()); + + ASSERT_TRUE(ok); + verifier.VerifyUpdate(sd.data.data, + sd.data.len); + + ok = verifier.VerifyFinal(); + EXPECT_TRUE(ok); +} + +void VerifyOriginBoundCert(const std::string& origin, + const std::string& der_cert) { // Origin Bound Cert OID. static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; - // Create a sample ASCII weborigin. - std::string origin = "http://weborigin.com:443"; - // Create object neccessary for extension lookup call. SECItem extension_object = { siAsciiString, 
@@ -47,20 +87,6 @@ TEST(X509UtilNSSTest, CreateOriginBoundCert) { origin.size() }; - scoped_ptr<crypto::RSAPrivateKey> private_key( - crypto::RSAPrivateKey::Create(1024)); - std::string der_cert; - ASSERT_TRUE(x509_util::CreateOriginBoundCert(private_key.get(), - origin, 1, - base::TimeDelta::FromDays(1), - &der_cert)); - - scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBytes( - der_cert.data(), der_cert.size()); - - EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName()); - EXPECT_FALSE(cert->HasExpired()); - // IA5Encode and arena allocate SECItem. PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); SECItem* expected = SEC_ASN1EncodeItem(arena, @@ -83,9 +109,15 @@ TEST(X509UtilNSSTest, CreateOriginBoundCert) { // This test is run on Mac and Win where X509Certificate::os_cert_handle isn't // an NSS type, so we have to manually create a NSS certificate object so we - // can use CERT_FindCertExtension. + // can use CERT_FindCertExtension. We also check the subject and validity + // times using NSS since X509Certificate will fail with EC certs on OSX 10.5 + // (http://crbug.com/101231). CERTCertificate* nss_cert = CreateNSSCertHandleFromBytes( der_cert.data(), der_cert.size()); + + EXPECT_STREQ("anonymous.invalid", CERT_GetCommonName(&nss_cert->subject)); + EXPECT_EQ(SECSuccess, CERT_CertTimesValid(nss_cert)); + // Lookup Origin Bound Cert extension in generated cert. SECItem actual = { siBuffer, NULL, 0 }; ok = CERT_FindCertExtension(nss_cert, 
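Review bot: `nss_cert` is dereferenced in `CERT_GetCommonName(&nss_cert->subject)` without first asserting that CreateNSSCertHandleFromBytes succeeded, so an undecodable certificate crashes the test instead of failing it; `ASSERT_TRUE(nss_cert);` before the two new expectations would fix that. The string returned by CERT_GetCommonName is allocated by NSS and is never released here, so holding it in a local and calling `PORT_Free` on it after the comparison avoids a leak report under memory checkers. VerifyOriginBoundCert continues outside this hunk.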
@@ -103,4 +135,51 @@ TEST(X509UtilNSSTest, CreateOriginBoundCert) { PORT_FreeArena(arena, PR_FALSE); } +} // namespace + +// This test creates an origin-bound cert from a RSA private key and +// then verifies the content of the certificate. +TEST(X509UtilNSSTest, CreateOriginBoundCertRSA) { + // Create a sample ASCII weborigin. + std::string origin = "http://weborigin.com:443"; + + scoped_ptr<crypto::RSAPrivateKey> private_key( + crypto::RSAPrivateKey::Create(1024)); + std::string der_cert; + ASSERT_TRUE(x509_util::CreateOriginBoundCertRSA(private_key.get(), + origin, 1, + base::TimeDelta::FromDays(1), + &der_cert)); + + VerifyOriginBoundCert(origin, der_cert); + + std::vector<uint8> spki; + ASSERT_TRUE(private_key->ExportPublicKey(&spki)); + VerifyCertificateSignature(der_cert, spki); +} + +// This test creates an origin-bound cert from an EC private key and +// then verifies the content of the certificate. +TEST(X509UtilNSSTest, CreateOriginBoundCertEC) { + // Create a sample ASCII weborigin. + std::string origin = "http://weborigin.com:443"; + + scoped_ptr<crypto::ECPrivateKey> private_key( + crypto::ECPrivateKey::Create()); + std::string der_cert; + ASSERT_TRUE(x509_util::CreateOriginBoundCertEC(private_key.get(), + origin, 1, + base::TimeDelta::FromDays(1), + &der_cert)); + + VerifyOriginBoundCert(origin, der_cert); + +#if !defined(OS_WIN) && !defined(OS_MACOSX) + // signature_verifier_win and signature_verifier_mac can't handle EC certs. + std::vector<uint8> spki; + ASSERT_TRUE(private_key->ExportPublicKey(&spki)); + VerifyCertificateSignature(der_cert, spki); +#endif +} + } // namespace net diff --git a/net/base/x509_util_openssl.cc b/net/base/x509_util_openssl.cc index 8e4fb27..e663b95 100644 --- a/net/base/x509_util_openssl.cc +++ b/net/base/x509_util_openssl.cc @@ -15,7 +15,7 @@ namespace net { namespace x509_util { -bool CreateOriginBoundCert( +bool CreateOriginBoundCertRSA( crypto::RSAPrivateKey* key, const std::string& origin, uint32 serial_number, 
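Review bot: On Windows and Mac the EC test stops after VerifyOriginBoundCert, so nothing on those platforms checks that the ECDSA signature produced by the new DerSignData path verifies against the exported public key. That path assembles the signature encoding by hand, so it is the part most in need of a round-trip check. Verifying through NSS itself, for example with `CERT_VerifySignedDataWithPublicKey` on the decoded `CERTSignedData`, would remove the dependency on the platform back ends of crypto::SignatureVerifier and let the `#if` guard go.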
@@ -25,6 +25,16 @@ bool CreateOriginBoundCert( return false; } +bool CreateOriginBoundCertEC( + crypto::ECPrivateKey* key, + const std::string& origin, + uint32 serial_number, + base::TimeDelta valid_duration, + std::string* der_cert) { + NOTIMPLEMENTED(); + return false; +} + bool ParsePrincipalKeyAndValueByIndex(X509_NAME* name, int index, std::string* key, diff --git a/net/base/x509_util_openssl_unittest.cc b/net/base/x509_util_openssl_unittest.cc index 0647a62..23c33a3 100644 --- a/net/base/x509_util_openssl_unittest.cc +++ b/net/base/x509_util_openssl_unittest.cc @@ -18,10 +18,10 @@ TEST(X509UtilOpenSSLTest, CreateOriginBoundCertNotImplemented) { scoped_ptr<crypto::RSAPrivateKey> private_key( crypto::RSAPrivateKey::Create(1024)); std::string der_cert; - EXPECT_FALSE(x509_util::CreateOriginBoundCert(private_key.get(), - origin, 1, - base::TimeDelta::FromDays(1), - &der_cert)); + EXPECT_FALSE(x509_util::CreateOriginBoundCertRSA(private_key.get(), + origin, 1, + base::TimeDelta::FromDays(1), + &der_cert)); EXPECT_TRUE(der_cert.empty()); } |