diff options
| author | bemasc@chromium.org <bemasc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-01 05:14:29 +0000 |
|---|---|---|
| committer | bemasc@chromium.org <bemasc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-01 05:14:29 +0000 |
| commit | d99b2fb4de7c6526d22a71f3226b561d4cf0eb3e (patch) | |
| tree | 850071165202d9f9efa71ea4ed39687586080a3f /net/ssl | |
| parent | e8ce38d361c43af704975d9ad83a10e30503bcd1 (diff) | |
| download | chromium_src-d99b2fb4de7c6526d22a71f3226b561d4cf0eb3e.zip chromium_src-d99b2fb4de7c6526d22a71f3226b561d4cf0eb3e.tar.gz chromium_src-d99b2fb4de7c6526d22a71f3226b561d4cf0eb3e.tar.bz2 | |
Avoid creating keys and self-signed certs separately.
Security best-practices dictate that the same public key should not
be signed by multiple hash algorithms. This CL prevents that
problem by replacing x509_util::CreateSelfSignedCertificate with
CreateKeyAndSelfSignedCertificate.
This should allow us to change hash functions in x509_utils without
worrying that users may re-sign old keys with the new hash function.
Review URL: https://codereview.chromium.org/27832002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@232292 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/ssl')
| -rw-r--r-- | net/ssl/server_bound_cert_service.cc | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/net/ssl/server_bound_cert_service.cc b/net/ssl/server_bound_cert_service.cc index 58d2209..61d610b 100644 --- a/net/ssl/server_bound_cert_service.cc +++ b/net/ssl/server_bound_cert_service.cc @@ -98,15 +98,13 @@ scoped_ptr<ServerBoundCertStore::ServerBoundCert> GenerateCert( not_valid_before + base::TimeDelta::FromDays(kValidityPeriodInDays); std::string der_cert; std::vector<uint8> private_key_info; - scoped_ptr<crypto::ECPrivateKey> key(crypto::ECPrivateKey::Create()); - if (!key.get()) { - DLOG(ERROR) << "Unable to create key pair for client"; - *error = ERR_KEY_GENERATION_FAILED; - return result.Pass(); - } - if (!x509_util::CreateDomainBoundCertEC(key.get(), server_identifier, - serial_number, not_valid_before, - not_valid_after, &der_cert)) { + scoped_ptr<crypto::ECPrivateKey> key; + if (!x509_util::CreateKeyAndDomainBoundCertEC(server_identifier, + serial_number, + not_valid_before, + not_valid_after, + &key, + &der_cert)) { DLOG(ERROR) << "Unable to create x509 cert for client"; *error = ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED; return result.Pass(); |