authorrkn@chromium.org <rkn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-08 22:46:31 +0000
committerrkn@chromium.org <rkn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-08 22:46:31 +0000
commit6f66f4f3f611f15789e1130164b3c80aa32f35be (patch)
treeb7945a73e035d79ecd068f6707d2f808f53be900 /net/base/origin_bound_cert_service.cc
parent8fddbc0fc921801a6c82b0f9aab610ff5f1d85bc (diff)
Added OriginBoundCertService class to handle the fetching (and creation) of origin bound certificates.
Origin bound certificates are specified in this internet draft <http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.html>. The OriginBoundCertService class contains an OriginBoundCertStore object. This is an interface designed for handling the storage and retrieval (but not creation) of origin bound certificates. BUG=88782 TEST=None Review URL: http://codereview.chromium.org/7291020 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@91906 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/origin_bound_cert_service.cc')
-rw-r--r--net/base/origin_bound_cert_service.cc65
1 files changed, 65 insertions, 0 deletions
diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc
new file mode 100644
index 0000000..853d3ef
--- /dev/null
+++ b/net/base/origin_bound_cert_service.cc
@@ -0,0 +1,65 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/origin_bound_cert_service.h"
+
+#include <limits>
+
+#include "base/logging.h"
+#include "base/rand_util.h"
+#include "crypto/rsa_private_key.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+bool OriginBoundCertService::GetOriginBoundCert(const GURL& url,
+ std::string* private_key_result,
+ std::string* cert_result) {
+ // Check if origin bound cert already exists for this origin.
+ if (origin_bound_cert_store_->HasOriginBoundCert(url)) {
+ origin_bound_cert_store_->GetOriginBoundCert(url,
+ private_key_result,
+ cert_result);
+ return true;
+ }
+
+ // No origin bound cert exists, we have to create one.
+ std::string origin = GetCertOriginFromURL(url);
+ std::string subject = "CN=origin-bound certificate for " + origin;
+ X509Certificate* x509_cert;
+ crypto::RSAPrivateKey* key = crypto::RSAPrivateKey::Create(1024);
+ if ((x509_cert = X509Certificate::CreateSelfSigned(
+ key,
+ subject,
+ base::RandInt(0, std::numeric_limits<int>::max()),
+ base::TimeDelta::FromDays(365))) == NULL) {
+ LOG(WARNING) << "Unable to create x509 cert for client";
+ return false;
+ }
+
+ std::vector<uint8> key_vec;
+ if (!key->ExportPrivateKey(&key_vec)) {
+ LOG(WARNING) << "Unable to create x509 cert for client";
+ return false;
+ }
+ std::string key_output(key_vec.begin(), key_vec.end());
+
+ std::string cert_output;
+ if (!x509_cert->GetDEREncoded(&cert_output)) {
+ LOG(WARNING) << "Unable to create x509 cert for client";
+ return false;
+ }
+
+ origin_bound_cert_store_->SetOriginBoundCert(url, key_output, cert_output);
+ *private_key_result = key_output;
+ *cert_result = cert_output;
+
+ return true;
+}
+
+std::string OriginBoundCertService::GetCertOriginFromURL(const GURL& url) {
+ return url.GetOrigin().spec();
+}
+
+} // namespace net
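Review bot: The result of `crypto::RSAPrivateKey::Create(1024)` at L56 is never null-checked before being handed to `CreateSelfSigned`, and the raw `key` pointer is not released on any path, so every call that reaches this branch leaks the private key object (and `x509_cert`, if `X509Certificate` is ref-counted as elsewhere in net/, is also never released). Holding the key in a `scoped_ptr` and the certificate in a `scoped_refptr`, with an explicit failure return when key generation fails, closes both. The three `LOG(WARNING)` lines at L62, L68 and L75 all say "Unable to create x509 cert for client" although the second and third failures are the private-key export and the DER encoding; distinct messages such as `"Unable to export private key for client"` and `"Unable to DER-encode x509 cert for client"` would make field diagnosis possible. The key size 1024 and the 365-day validity are bare magic numbers; naming them as `const` constants at the top of the file would make the chosen key strength visible to a reviewer and easy to raise later.
```cpp
bool OriginBoundCertService::GetOriginBoundCert(const GURL& url,
                                                std::string* private_key_result,
                                                std::string* cert_result) {
  // … unchanged: store lookup and subject construction …
  scoped_ptr<crypto::RSAPrivateKey> key(crypto::RSAPrivateKey::Create(1024));
  if (!key.get()) {
    LOG(WARNING) << "Unable to create private key for client";
    return false;
  }
  scoped_refptr<X509Certificate> x509_cert(X509Certificate::CreateSelfSigned(
      key.get(),
      subject,
      base::RandInt(0, std::numeric_limits<int>::max()),
      base::TimeDelta::FromDays(365)));
  if (!x509_cert) {
    LOG(WARNING) << "Unable to create x509 cert for client";
    return false;
  }
  // … unchanged: key export, DER encoding, store update, result assignment …
```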