author | jbates@chromium.org <jbates@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-08-25 20:49:41 +0000 |
committer | jbates@chromium.org <jbates@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-08-25 20:49:41 +0000 |
commit | 13aba566502ed889c8dd59f0f571e7e68d7ba6af (patch) | |
tree | 60d9a505b2996dcb944de0d546a048f6ee5c758b /net | |
parent | a3b92e56e065d42d0610c05d831b5912dcd1a340 (diff) | |
Revert 98288 - Added CreateOriginBound method to x509_certificate.h.
This static method branches the CreateSelfSigned code to create a self signed certificate that contains an X509v3 extension that indicates the ASCII weborigin that is bound to the generated certificate.
BUG=88782
TEST=
Review URL: http://codereview.chromium.org/7384002
TBR=mdietz@google.com
Review URL: http://codereview.chromium.org/7740034
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@98293 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/origin_bound_cert_service.cc | 12 | ||||
-rw-r--r-- | net/base/x509_certificate.h | 12 | ||||
-rw-r--r-- | net/base/x509_certificate_mac.cc | 19 | ||||
-rw-r--r-- | net/base/x509_certificate_nss.cc | 160 | ||||
-rw-r--r-- | net/base/x509_certificate_openssl.cc | 11 | ||||
-rw-r--r-- | net/base/x509_certificate_unittest.cc | 83 | ||||
-rw-r--r-- | net/base/x509_certificate_win.cc | 10 |
7 files changed, 13 insertions, 294 deletions
diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc
index 4f53fc3..50d45c4 100644
--- a/net/base/origin_bound_cert_service.cc
+++ b/net/base/origin_bound_cert_service.cc
@@ -316,25 +316,19 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
                                          uint32 serial_number,
                                          std::string* private_key,
                                          std::string* cert) {
+  std::string subject = "CN=OBC";
   scoped_ptr<crypto::RSAPrivateKey> key(
       crypto::RSAPrivateKey::Create(kKeySizeInBits));
   if (!key.get()) {
     LOG(WARNING) << "Unable to create key pair for client";
     return ERR_KEY_GENERATION_FAILED;
   }
-#if defined(USE_NSS)
-  scoped_refptr<X509Certificate> x509_cert = X509Certificate::CreateOriginBound(
-      key.get(),
-      origin,
-      serial_number,
-      base::TimeDelta::FromDays(kValidityPeriodInDays));
-#else
+
   scoped_refptr<X509Certificate> x509_cert = X509Certificate::CreateSelfSigned(
       key.get(),
-      "CN=anonymous.invalid",
+      subject,
       serial_number,
       base::TimeDelta::FromDays(kValidityPeriodInDays));
-#endif
   if (!x509_cert) {
     LOG(WARNING) << "Unable to create x509 cert for client";
     return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 8589e92..4c8dd01 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
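Review bot: `std::string subject = "CN=OBC";` is a mutable local declared before key generation and used exactly once in the CreateSelfSigned call; since the value is a fixed literal, a file-scope `static const char kSubject[] = "CN=OBC";` next to kKeySizeInBits and kValidityPeriodInDays, or simply passing the literal inline as the old `"CN=anonymous.invalid"` line did, would read more clearly and match the constants already used here. After this revert the generated certificate carries no origin information in its contents, so the origin/certificate association presumably lives entirely in the service's own storage keyed by `origin`; a one-line comment at the CreateSelfSigned call saying so would save a reader from looking for the binding inside the certificate. GenerateCert's body continues past the end of the hunk.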
@@ -187,18 +187,6 @@ class NET_EXPORT X509Certificate
                                         uint32 serial_number,
                                         base::TimeDelta valid_duration);
 
-  // Create an origin bound certificate containing the public key in |key|.
-  // Web origin, serial number and validity period are given as
-  // parameters. The certificate is signed by the private key in |key|.
-  // The hashing algorithm for the signature is SHA-1.
-  //
-  // See Internet Draft draft-balfanz-tls-obc-00 for more details:
-  // http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.html
-  static X509Certificate* CreateOriginBound(crypto::RSAPrivateKey* key,
-                                            const std::string& origin,
-                                            uint32 serial_number,
-                                            base::TimeDelta valid_duration);
-
   // Appends a representation of this object to the given pickle.
   void Persist(Pickle* pickle);
 
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 014d51a..9b39de6 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -695,25 +695,6 @@ X509Certificate* X509Certificate::CreateSelfSigned(
   return CreateFromHandle(scoped_cert, X509Certificate::OSCertHandles());
 }
 
-// static
-X509Certificate* X509Certificate::CreateOriginBound(
-    crypto::RSAPrivateKey* key,
-    const std::string& origin,
-    uint32 serial_number,
-    base::TimeDelta valid_duration) {
-  // TODO(wtc): this cannot be implemented by creating a CE_DataAndType for
-  // the origin-bound extension and adding it to certReq.extensions because
-  // it is not one of the supported extensions in the CE_DataType enum type.
-  // Using the DT_Other enum constant does not work.
-  //
-  // The relevant Apple headers are:
-  // - CSSM_APPLE_TP_CERT_REQUEST is defined in cssmapple.h.
-  // - CE_DataAndType, CE_DataType, and CE_Data are defined in
-  //   certextensions.h.
-  NOTIMPLEMENTED();
-  return NULL;
-}
-
 void X509Certificate::GetSubjectAltName(
     std::vector<std::string>* dns_names,
     std::vector<std::string>* ip_addrs) const {
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 3b23f93..7224020 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -18,7 +18,6 @@
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
-#include "base/memory/singleton.h"
 #include "base/pickle.h"
 #include "base/time.h"
 #include "crypto/nss_util.h"
@@ -32,50 +31,6 @@ namespace net {
 
 namespace {
 
-class ObCertOIDWrapper {
- public:
-  static ObCertOIDWrapper* GetInstance() {
-    // Instantiated as a leaky singleton to allow the singleton to be
-    // constructed on a worker thead that is not joined when a process
-    // shuts down.
-    return Singleton<ObCertOIDWrapper,
-                     LeakySingletonTraits<ObCertOIDWrapper> >::get();
-  }
-
-  SECOidTag ob_cert_oid_tag() const {
-    return ob_cert_oid_tag_;
-  }
-
- private:
-  friend struct DefaultSingletonTraits<ObCertOIDWrapper>;
-
-  ObCertOIDWrapper();
-
-  SECOidTag ob_cert_oid_tag_;
-
-  DISALLOW_COPY_AND_ASSIGN(ObCertOIDWrapper);
-};
-
-ObCertOIDWrapper::ObCertOIDWrapper(): ob_cert_oid_tag_(SEC_OID_UNKNOWN) {
-  // 1.3.6.1.4.1.11129.2.1.6
-  // (iso.org.dod.internet.private.enterprises.google.googleSecurity.
-  //  certificateExtensions.originBoundCertificate)
-  static const uint8 kObCertOID[] = {
-    0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x06
-  };
-  SECOidData oid_data;
-  memset(&oid_data, 0, sizeof(oid_data));
-  oid_data.oid.data = const_cast<uint8*>(kObCertOID);
-  oid_data.oid.len = sizeof(kObCertOID);
-  oid_data.offset = SEC_OID_UNKNOWN;
-  oid_data.desc = "Origin Bound Certificate";
-  oid_data.mechanism = CKM_INVALID_MECHANISM;
-  oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION;
-  ob_cert_oid_tag_ = SECOID_AddEntry(&oid_data);
-  if (ob_cert_oid_tag_ == SEC_OID_UNKNOWN)
-    LOG(ERROR) << "OB_CERT OID tag creation failed";
-}
-
 class ScopedCERTCertificatePolicies {
  public:
   explicit ScopedCERTCertificatePolicies(CERTCertificatePolicies* policies)
@@ -668,16 +623,14 @@ void X509Certificate::Initialize() {
   serial_number_ = serial_number_.substr(1, serial_number_.size() - 1);
 }
 
-// Creates a Certificate object that may be passed to the SignCertificate
-// method to generate an X509 certificate.
-// Returns NULL if an error is encountered in the certificate creation
-// process.
-// Caller responsible for freeing returned certificate object.
-static CERTCertificate* CreateCertificate(
+// static
+X509Certificate* X509Certificate::CreateSelfSigned(
     crypto::RSAPrivateKey* key,
     const std::string& subject,
     uint32 serial_number,
     base::TimeDelta valid_duration) {
+  DCHECK(key);
+
   // Create info about public key.
   CERTSubjectPublicKeyInfo* spki =
       SECKEY_CreateSubjectPublicKeyInfo(key->public_key());
@@ -715,24 +668,12 @@ static CERTCertificate* CreateCertificate(
   CERT_DestroyValidity(validity);
   CERT_DestroyCertificateRequest(cert_request);
 
-  return cert;
-}
+  if (!cert)
+    return NULL;
+
+  // Sign the cert here. The logic of this method references SignCert() in NSS
+  // utility certutil: http://mxr.mozilla.org/security/ident?i=SignCert.
 
-// Signs a certificate object, with |key| generating a new X509Certificate
-// and destroying the passed certificate object (even when NULL is returned).
-// The logic of this method references SignCert() in NSS utility certutil:
-// http://mxr.mozilla.org/security/ident?i=SignCert.
-// Returns NULL if an error is encountered in the certificate signing
-// process.
-// Caller responsible for freeing returned X509Certificate object.
-//
-// TODO: change this function to return
-// a success/failure status, and not create an X509Certificate
-// object, and not destroy |cert| on failure. Let the caller
-// create the X509Certificate object and destroy |cert|.
-static X509Certificate* SignCertificate(
-    CERTCertificate* cert,
-    crypto::RSAPrivateKey* key) {
   // |arena| is used to encode the cert.
   PRArenaPool* arena = cert->arena;
   SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->key()->keyType,
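Review bot: Once `if (!cert) return NULL;` is passed, `cert` is owned by this function for the rest of the body, and the signing code merged in below has to destroy it on each of its own error returns — the contract the removed SignCertificate comment spelled out ("destroying the passed certificate object (even when NULL is returned)") is now implicit and those error paths lie outside this hunk. A comment at that point, `// From here on |cert| is owned by this function; every early return below must CERT_DestroyCertificate(cert).`, would keep the requirement visible next to the code that has to honour it. The signature algorithm selection is cut off at the hunk's last line; if the digest is SHA-1, as the removed header comment for CreateOriginBound stated for that sibling, naming it in the `// Sign the cert here.` comment would help readers assessing the certificates this produces. CreateSelfSigned's body starts before and ends after this hunk.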
@@ -781,92 +722,11 @@ static X509Certificate* SignCertificate(
   // Save the signed result to the cert.
   cert->derCert = *result;
 
-  X509Certificate* x509_cert =
-      X509Certificate::CreateFromHandle(cert, X509Certificate::OSCertHandles());
+  X509Certificate* x509_cert = CreateFromHandle(cert, OSCertHandles());
   CERT_DestroyCertificate(cert);
   return x509_cert;
 }
 
-// static
-X509Certificate* X509Certificate::CreateSelfSigned(
-    crypto::RSAPrivateKey* key,
-    const std::string& subject,
-    uint32 serial_number,
-    base::TimeDelta valid_duration) {
-  DCHECK(key);
-
-  CERTCertificate* cert = CreateCertificate(key,
-                                            subject,
-                                            serial_number,
-                                            valid_duration);
-
-  if (!cert)
-    return NULL;
-
-  X509Certificate* x509_cert = SignCertificate(cert, key);
-
-  return x509_cert;
-}
-
-// static
-X509Certificate* X509Certificate::CreateOriginBound(
-    crypto::RSAPrivateKey* key,
-    const std::string& origin,
-    uint32 serial_number,
-    base::TimeDelta valid_duration) {
-  DCHECK(key);
-
-  CERTCertificate* cert = CreateCertificate(key,
-                                            "CN=anonymous.invalid",
-                                            serial_number,
-                                            valid_duration);
-
-  if (!cert)
-    return NULL;
-
-  // Create opaque handle used to add extensions later.
-  void* cert_handle;
-  if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
-    LOG(ERROR) << "Unable to get opaque handle for adding extensions";
-    return NULL;
-  }
-
-  // Create SECItem for IA5String encoding.
-  SECItem origin_string_item = {
-    siAsciiString,
-    (unsigned char*)origin.data(),
-    origin.size()
-  };
-
-  // IA5Encode and arena allocate SECItem
-  SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
-      cert->arena, NULL, &origin_string_item,
-      SEC_ASN1_GET(SEC_IA5StringTemplate));
-  if (asn1_origin_string == NULL) {
-    LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
-    return NULL;
-  }
-
-  // Add the extension to the opaque handle
-  if (CERT_AddExtension(cert_handle,
-                        ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
-                        asn1_origin_string,
-                        PR_TRUE, PR_TRUE) != SECSuccess){
-    LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
-    return NULL;
-  }
-
-  // Copy extension into x509 cert
-  if (CERT_FinishExtensions(cert_handle) != SECSuccess){
-    LOG(ERROR) << "Unable to copy extension to X509 cert";
-    return NULL;
-  }
-
-  X509Certificate* x509_cert = SignCertificate(cert, key);
-
-  return x509_cert;
-}
-
 void X509Certificate::GetSubjectAltName(
     std::vector<std::string>* dns_names,
     std::vector<std::string>* ip_addrs) const {
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index c824dc3..f23ede9 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -409,17 +409,6 @@ X509Certificate* X509Certificate::CreateSelfSigned(
   return NULL;
 }
 
-// static
-X509Certificate* X509Certificate::CreateOriginBound(
-    crypto::RSAPrivateKey* key,
-    const std::string& origin,
-    uint32 serial_number,
-    base::TimeDelta valid_duration) {
-  // TODO(port): Implement.
-  NOTIMPLEMENTED();
-  return NULL;
-}
-
 void X509Certificate::GetSubjectAltName(
     std::vector<std::string>* dns_names,
     std::vector<std::string>* ip_addrs) const {
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 8a0f79d..32417ac 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -20,11 +20,6 @@
 #include "net/base/x509_certificate.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-#if defined(USE_NSS)
-#include <cert.h>
-#include <secoid.h>
-#endif
-
 // Unit tests aren't allowed to access external resources. Unfortunately, to
 // properly verify the EV-ness of a cert, we need to check for its revocation
 // through online servers. If you're manually running unit tests, feel free to
@@ -1137,84 +1132,6 @@ TEST(X509CertificateTest, GetDEREncoded) {
 }
 #endif
 
-#if defined(USE_NSS)
-// This test creates an origin-bound cert from a private key and
-// then verifies the content of the certificate.
-TEST(X509CertificateTest, CreateOriginBound) {
-  // Origin Bound Cert OID.
-  static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6";
-
-  // Create a sample ASCII weborigin.
-  std::string origin = "http://weborigin.com:443";
-
-  // Create object neccissary for extension lookup call.
-  SECItem extension_object = {
-    siAsciiString,
-    (unsigned char*)origin.data(),
-    origin.size()
-  };
-
-  scoped_ptr<crypto::RSAPrivateKey> private_key(
-      crypto::RSAPrivateKey::Create(1024));
-  scoped_refptr<X509Certificate> cert =
-      X509Certificate::CreateOriginBound(private_key.get(),
-                                         origin, 1,
-                                         base::TimeDelta::FromDays(1));
-
-  EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName());
-  EXPECT_FALSE(cert->HasExpired());
-
-  // IA5Encode and arena allocate SECItem.
-  PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-  SECItem* expected = SEC_ASN1EncodeItem(arena,
-                                         NULL,
-                                         &extension_object,
-                                         SEC_ASN1_GET(SEC_IA5StringTemplate));
-
-  ASSERT_NE(static_cast<SECItem*>(NULL), expected);
-
-  // Create OID SECItem.
-  SECItem ob_cert_oid = { siDEROID, NULL, 0 };
-  SECStatus ok = SEC_StringToOID(arena, &ob_cert_oid,
-                                 oid_string, NULL);
-
-  ASSERT_EQ(SECSuccess, ok);
-
-  SECOidTag ob_cert_oid_tag = SECOID_FindOIDTag(&ob_cert_oid);
-
-  ASSERT_NE(SEC_OID_UNKNOWN, ob_cert_oid_tag);
-
-  // Lookup Origin Bound Cert extension in generated cert.
-  SECItem actual = { siBuffer, NULL, 0 };
-  ok = CERT_FindCertExtension(cert->os_cert_handle(),
-                              ob_cert_oid_tag,
-                              &actual);
-  ASSERT_EQ(SECSuccess, ok);
-
-  // Compare expected and actual extension values.
-  PRBool result = SECITEM_ItemsAreEqual(expected, &actual);
-  ASSERT_TRUE(result);
-
-  // Do Cleanup.
-  SECITEM_FreeItem(&actual, PR_FALSE);
-  PORT_FreeArena(arena, PR_FALSE);
-}
-#else // defined(USE_NSS)
-// On other platforms, X509Certificate::CreateOriginBound() is not implemented
-// and should return NULL. This unit test ensures that a stub implementation
-// is present.
-TEST(X509CertificateTest, CreateOriginBoundNotImplemented) {
-  std::string origin = "http://weborigin.com:443";
-  scoped_ptr<crypto::RSAPrivateKey> private_key(
-      crypto::RSAPrivateKey::Create(1024));
-  scoped_refptr<X509Certificate> cert =
-      X509Certificate::CreateOriginBound(private_key.get(),
-                                         origin, 2,
-                                         base::TimeDelta::FromDays(1));
-  EXPECT_FALSE(cert);
-}
-#endif // defined(USE_NSS)
-
 class X509CertificateParseTest
     : public testing::TestWithParam<CertificateFormatTestData> {
  public:
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 0432d79..5dfc285 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -630,16 +630,6 @@ X509Certificate* X509Certificate::CreateSelfSigned(
   return cert;
 }
 
-// static
-X509Certificate* X509Certificate::CreateOriginBound(
-    crypto::RSAPrivateKey* key,
-    const std::string& origin,
-    uint32 serial_number,
-    base::TimeDelta valid_duration) {
-  NOTIMPLEMENTED();
-  return NULL;
-}
-
 void X509Certificate::GetSubjectAltName(
     std::vector<std::string>* dns_names,
     std::vector<std::string>* ip_addrs) const { |