authorppi@chromium.org <ppi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-01-25 02:01:57 +0000
committerppi@chromium.org <ppi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-01-25 02:01:57 +0000
commitb74fe69da7c428b1e06fd7050b2a86a4193b705d (patch)
tree350d2f3f661ab30c6367a5691421db8caa1008d9 /net/data
parentd3bb6dc609c078c08df018d5cf0a6a0cc1f5b0c3 (diff)
Provide an API for client certificate lookup/filtering.
BUG=170374 Review URL: https://chromiumcodereview.appspot.com/11879048 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@178732 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/data')
-rw-r--r--net/data/ssl/certificates/client_1.pem66
-rw-r--r--net/data/ssl/certificates/client_2.pem66
-rw-r--r--net/data/ssl/scripts/client_authentication/client_authentication.cnf35
-rwxr-xr-xnet/data/ssl/scripts/client_authentication/generate-client-certificates.sh71
4 files changed, 238 insertions, 0 deletions
diff --git a/net/data/ssl/certificates/client_1.pem b/net/data/ssl/certificates/client_1.pem
new file mode 100644
index 0000000..502d0d5
--- /dev/null
+++ b/net/data/ssl/certificates/client_1.pem
@@ -0,0 +1,66 @@
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 236 (0xec)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=Client Auth Test Root 1
+ Validity
+ Not Before: Jan 15 20:10:50 2013 GMT
+ Not After : Jan 13 20:10:50 2023 GMT
+ Subject: CN=Test Client
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:d1:54:39:70:34:69:89:ef:09:45:3f:62:c7:1a:
+ 63:ea:a6:36:69:eb:b7:39:43:f2:1b:85:c6:5b:3e:
+ ab:8b:68:de:08:be:fc:26:6d:f9:56:b3:00:f0:e0:
+ 59:c0:35:e3:f2:5f:3b:e7:97:a0:cd:dd:f3:33:c3:
+ a7:c3:c8:61:d6:80:08:29:ec:47:ee:ce:49:08:b3:
+ c2:65:99:2f:82:ca:3f:80:f2:d3:d9:9b:29:a9:0b:
+ b5:91:77:32:57:1d:e9:64:b0:92:eb:9e:ad:8b:43:
+ 08:5b:eb:db:26:62:c1:e1:8a:a3:c9:bf:44:f8:94:
+ e0:31:82:89:43:ee:11:4a:19:b3:f8:07:3e:26:7b:
+ 1e:38:b1:e6:84:a8:45:1a:0a:88:ab:8c:5e:e9:11:
+ ad:ee:7c:4e:16:bd:db:53:a6:23:e5:a6:7a:f6:a6:
+ ff:cb:f2:ab:a2:6e:1a:7d:c8:7f:32:37:ab:43:5d:
+ 93:6b:3e:34:14:f7:c6:a0:ce:e3:1e:f0:18:4f:59:
+ 73:65:f2:94:d3:c5:cf:77:46:01:b3:0f:49:cf:4d:
+ 11:a1:0c:dd:8d:7a:8f:69:18:f5:ba:69:19:1c:9c:
+ 98:68:ac:8d:aa:92:74:a5:a1:30:76:4c:3e:f3:89:
+ 14:b4:bf:d5:86:cf:59:fb:27:75:58:a7:55:72:6b:
+ eb:4f
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 41:c7:f1:99:cb:38:cd:29:09:a2:f5:4e:73:92:d5:50:5a:ab:
+ 9a:34:75:8e:04:00:65:58:f5:c9:04:62:fd:c8:08:1e:a1:d2:
+ e2:30:18:29:ce:11:a9:02:81:86:7b:0c:f9:d9:45:f4:78:55:
+ 3b:12:91:d4:ff:ca:d1:df:11:88:b4:9f:da:e2:02:48:1e:1b:
+ 23:1f:e8:f6:1d:4d:d4:60:28:85:d8:bb:79:15:cf:7a:36:8a:
+ 57:3d:4a:ee:19:d8:e4:8c:46:77:15:e0:3a:b3:d4:35:5e:bd:
+ 5c:2d:9b:ae:06:ea:8f:f5:83:73:55:b3:11:26:59:0c:94:c4:
+ 8e:09:1d:19:72:fd:00:56:a4:12:c6:1a:5d:c7:f9:4d:d8:fd:
+ 54:f3:27:75:0a:d3:bb:f5:6b:d9:3c:7d:7d:e2:cc:a2:55:96:
+ da:76:d6:2f:2f:c3:1e:de:ac:77:a4:44:62:99:34:22:f2:21:
+ 60:25:5c:3f:f8:63:b8:c2:9a:c1:58:73:ae:b9:8c:b1:48:7d:
+ c6:01:ec:4b:2a:1f:39:03:9e:7a:ac:bd:7d:6b:c5:5f:5a:0b:
+ c9:f5:8b:66:89:b9:06:b8:25:b9:c2:b0:49:7a:e8:2d:97:12:
+ 8e:ca:e1:62:ca:49:60:51:8d:26:dc:a0:04:de:8c:dd:f0:78:
+ 03:93:a7:e7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/client_2.pem b/net/data/ssl/certificates/client_2.pem
new file mode 100644
index 0000000..f7347f5d
--- /dev/null
+++ b/net/data/ssl/certificates/client_2.pem
@@ -0,0 +1,66 @@
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 236 (0xec)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=Client Auth Test Root 2
+ Validity
+ Not Before: Jan 15 20:10:50 2013 GMT
+ Not After : Jan 13 20:10:50 2023 GMT
+ Subject: CN=Test Client
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b0:82:b6:2d:f7:5b:13:39:fe:93:12:5a:0c:c9:
+ 1d:f3:76:31:f4:54:09:7c:7e:f3:03:87:0e:8f:9a:
+ f5:98:99:f0:48:ae:68:90:a7:fd:85:e5:be:28:03:
+ a1:0e:f2:62:e2:73:ae:db:3d:41:65:d5:6c:82:0b:
+ 8d:8e:78:ca:13:63:b6:df:1c:9b:0a:6f:7d:a1:26:
+ 5f:e6:7b:ea:38:e1:32:c6:c5:80:61:f8:bb:94:a0:
+ e5:bb:2d:c0:3c:db:4c:fc:d3:83:5f:ca:42:e9:8c:
+ 90:1a:4f:64:9c:56:7e:e8:d4:a1:3c:3a:a4:5a:24:
+ da:df:06:43:b5:c3:b8:a4:1a:c0:5b:1a:09:ff:f8:
+ bf:69:59:b6:5e:0a:92:8e:98:fd:29:41:90:b5:0a:
+ a7:33:f4:9c:0b:49:c4:93:b3:60:91:f3:6c:50:3f:
+ 68:2a:83:89:19:e5:5f:72:07:f7:2d:55:a3:c9:2a:
+ e4:cc:d0:03:3c:27:ab:78:9d:01:8e:81:23:27:e7:
+ 5a:00:f0:2b:85:cb:ce:12:79:7e:66:52:0d:b5:4f:
+ a8:db:9c:9d:97:d1:18:0d:44:7b:72:a6:af:52:30:
+ 3d:7a:3f:c1:13:28:6e:9c:73:10:c0:82:01:3b:af:
+ d4:dd:0b:85:1f:bd:20:36:6b:5f:23:bf:9a:69:85:
+ 19:43
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 20:a9:75:4c:f6:0c:3e:03:ae:a4:3a:1f:51:93:81:c4:b7:d5:
+ 36:12:65:70:a6:8e:a0:79:ae:07:91:bb:07:68:6f:3b:bb:bc:
+ 97:1b:9d:63:1f:32:a7:88:40:83:f8:e5:29:a5:76:ef:bc:9e:
+ 59:2e:2a:7f:25:10:8b:4f:80:88:3e:b3:18:50:2f:d6:87:d0:
+ 1e:b3:7c:82:bf:ec:4f:b4:4a:5d:b5:0b:7c:06:1a:8e:9f:74:
+ 0d:03:b8:2b:9a:92:e2:e0:06:87:a6:20:54:51:db:bd:79:6f:
+ 6a:13:b7:b5:c3:c5:29:8c:3f:4a:ab:9c:0b:66:a8:db:ef:3e:
+ 4b:c6:25:f5:2c:25:6a:31:6a:da:3a:42:bc:4b:02:40:86:ff:
+ ea:a1:33:18:31:47:68:1e:2e:80:67:95:b8:9a:8a:46:2f:d6:
+ 63:ce:9c:66:eb:23:fb:c2:3b:fd:ee:8d:b9:bb:14:ee:e4:85:
+ 95:b6:20:e8:1c:00:5a:07:5d:47:ed:34:92:77:80:43:cd:2a:
+ 44:ef:1e:56:56:12:b4:43:c6:1a:e4:9a:52:dd:06:d9:1b:87:
+ 98:e2:2b:80:22:39:7f:d3:30:ba:84:08:6a:40:e5:ea:9c:2e:
+ 0a:c7:7d:e7:c2:ca:b4:69:c7:4a:93:ce:c7:f6:db:24:c6:d5:
+ a3:ab:4b:20
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/scripts/client_authentication/client_authentication.cnf b/net/data/ssl/scripts/client_authentication/client_authentication.cnf
new file mode 100644
index 0000000..d2338a8
--- /dev/null
+++ b/net/data/ssl/scripts/client_authentication/client_authentication.cnf
@@ -0,0 +1,35 @@
+ID=1
+[req]
+default_bits = 2048
+default_md = sha1
+string_mask = utf8only
+prompt = no
+encrypt_key = no
+distinguished_name = ${ENV::DISTINGUISHED_NAME}
+
+[ca]
+default_ca = ca_settings
+
+[ca_dn]
+CN = Client Auth Test Root ${ENV::ID}
+
+[client_dn]
+CN = Test Client
+
+[ca_settings]
+database = out/${ENV::ID}-index.txt
+new_certs_dir = out
+default_md = sha1
+policy = policy_anything
+serial = out/${ENV::ID}-serial
+default_days = 3650
+
+[policy_anything]
+# Default signing policy
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
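Review bot: Neither `[req]` nor `[ca_settings]` names an extensions section, so the root and client certificates are issued as X.509 v1 with no basicConstraints, keyUsage or extendedKeyUsage; the committed dumps show `Version: 1 (0x0)`. That is enough for matching on issuer name, but it presumably leaves the fixtures unable to exercise any filtering that looks at usage bits. If that matters for the tests, add `x509_extensions = client_ext` under `[ca_settings]` and a `[client_ext]` section containing `extendedKeyUsage = clientAuth`. Separately, `default_md = sha1` in both sections gives any regenerated fixture a SHA-1 signature, which stricter verifiers reject; `default_md = sha256` avoids that.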
diff --git a/net/data/ssl/scripts/client_authentication/generate-client-certificates.sh b/net/data/ssl/scripts/client_authentication/generate-client-certificates.sh
new file mode 100755
index 0000000..0337389
--- /dev/null
+++ b/net/data/ssl/scripts/client_authentication/generate-client-certificates.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This script generates certificates for the unittests in
+# net/base/client_cert_store_unittest.cc. The output files are versioned in
+# net/data/ssl/certificates (client_1.pem, client_2.pem).
+
+try () {
+ echo "$@"
+ $@ || exit 1
+}
+
+# For each authority below a root ca certificate and one client certificate will
+# be created.
+authorities="1 2"
+
+try rm -rf out
+try mkdir out
+
+for id in $authorities
+do
+ # Generate a private key for the root cert.
+ try openssl genrsa -out out/root_$id.key 2048
+
+ # Create a certificate signing request for the root cert.
+ ID=$id \
+ DISTINGUISHED_NAME=ca_dn \
+ try openssl req \
+ -new \
+ -key out/root_$id.key \
+ -out out/root_$id.csr \
+ -config client_authentication.cnf
+
+ # Sign the root cert.
+ ID=$id \
+ DISTINGUISHED_NAME=ca_dn \
+ try openssl x509 \
+ -req -days 3650 \
+ -in out/root_$id.csr \
+ -signkey out/root_$id.key \
+ -out out/root_$id.pem
+ -config client_authentication.cnf
+
+ # Generate a private key for the client.
+ try openssl genrsa -out out/client_$id.key 2048
+
+ # Create a certificate signing request for the client cert.
+ ID=$id \
+ DISTINGUISHED_NAME=client_dn \
+ try openssl req \
+ -new \
+ -key out/client_$id.key \
+ -out out/client_$id.csr \
+ -config client_authentication.cnf
+
+ try touch out/$id-index.txt
+ try echo 1 > out/$id-serial
+
+ ID=$id \
+ DISTINGUISHED_NAME=client_dn \
+ try openssl ca \
+ -batch \
+ -in out/client_$id.csr \
+ -cert out/root_$id.pem \
+ -keyfile out/root_$id.key \
+ -out out/client_$id.pem \
+ -config client_authentication.cnf
+done
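Review bot: In `try echo 1 > out/$id-serial` the redirection applies to the whole `try` call, so the traced line `echo 1` is written into the serial file ahead of the `1`. Both committed certificates show `Serial Number: 236 (0xec)`, which is consistent with openssl reading the leading hex digits `ec` from that trace line; writing the file directly with `echo 1 > out/$id-serial || exit 1` keeps the intended serial. In the "Sign the root cert" step, `-out out/root_$id.pem` has no trailing `\`, so `-config client_authentication.cnf` runs as a separate command outside `try` and its failure is ignored; either add the backslash or drop the line if `openssl x509 -req` does not need the config. The script also runs `rm -rf out` and reads `client_authentication.cnf` relative to the caller's working directory, so a `cd "$(dirname "$0")" || exit 1` before `try rm -rf out` would stop it from deleting an unrelated `out` directory when run from elsewhere in the tree. Quoting the expansion in `try` as `"$@" || exit 1` would also keep arguments with spaces intact.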