-rw-r--r--net/base/origin_bound_cert_service.cc65
-rw-r--r--net/base/origin_bound_cert_service.h41
-rw-r--r--net/base/origin_bound_cert_store.h39
-rw-r--r--net/net.gyp3
4 files changed, 148 insertions, 0 deletions
diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc
new file mode 100644
index 0000000..853d3ef
--- /dev/null
+++ b/net/base/origin_bound_cert_service.cc
@@ -0,0 +1,65 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/origin_bound_cert_service.h"
+
+#include <limits>
+
+#include "base/logging.h"
+#include "base/rand_util.h"
+#include "crypto/rsa_private_key.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+bool OriginBoundCertService::GetOriginBoundCert(const GURL& url,
+ std::string* private_key_result,
+ std::string* cert_result) {
+ // Check if origin bound cert already exists for this origin.
+ if (origin_bound_cert_store_->HasOriginBoundCert(url)) {
+ origin_bound_cert_store_->GetOriginBoundCert(url,
+ private_key_result,
+ cert_result);
+ return true;
+ }
+
+ // No origin bound cert exists, we have to create one.
+ std::string origin = GetCertOriginFromURL(url);
+ std::string subject = "CN=origin-bound certificate for " + origin;
+ X509Certificate* x509_cert;
+ crypto::RSAPrivateKey* key = crypto::RSAPrivateKey::Create(1024);
+ if ((x509_cert = X509Certificate::CreateSelfSigned(
+ key,
+ subject,
+ base::RandInt(0, std::numeric_limits<int>::max()),
+ base::TimeDelta::FromDays(365))) == NULL) {
+ LOG(WARNING) << "Unable to create x509 cert for client";
+ return false;
+ }
+
+ std::vector<uint8> key_vec;
+ if (!key->ExportPrivateKey(&key_vec)) {
+ LOG(WARNING) << "Unable to create x509 cert for client";
+ return false;
+ }
+ std::string key_output(key_vec.begin(), key_vec.end());
+
+ std::string cert_output;
+ if (!x509_cert->GetDEREncoded(&cert_output)) {
+ LOG(WARNING) << "Unable to create x509 cert for client";
+ return false;
+ }
+
+ origin_bound_cert_store_->SetOriginBoundCert(url, key_output, cert_output);
+ *private_key_result = key_output;
+ *cert_result = cert_output;
+
+ return true;
+}
+
+std::string OriginBoundCertService::GetCertOriginFromURL(const GURL& url) {
+ return url.GetOrigin().spec();
+}
+
+} // namespace net
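Review bot: `key` from `crypto::RSAPrivateKey::Create(1024)` in GetOriginBoundCert is never freed on any path, including the success path, and `x509_cert` from `CreateSelfSigned` is likewise held as a bare pointer; if X509Certificate is the ref-counted type used elsewhere in net/, that bare pointer also leaks a reference. Both should live in owning handles (`scoped_ptr<crypto::RSAPrivateKey>`, `scoped_refptr<X509Certificate>`), and `Create` returning NULL must be rejected before the pointer reaches `CreateSelfSigned`, which it currently is not. The three failure branches all log the identical string `"Unable to create x509 cert for client"`, so a log line cannot distinguish key generation, key export and DER encoding failures. Separately, the 1024-bit modulus is below the 2048-bit floor already recommended for new RSA keys, and `key_output` handed to `SetOriginBoundCert` is the unencrypted private key, which deserves a comment at that call so store implementers know they are receiving secret material.
```cpp
  // No origin bound cert exists, we have to create one.
  std::string origin = GetCertOriginFromURL(url);
  std::string subject = "CN=origin-bound certificate for " + origin;
  // Owning handles: the key is released when this scope ends and the cert
  // reference with it (needs base/memory/scoped_ptr.h and ref_counted.h).
  scoped_ptr<crypto::RSAPrivateKey> key(crypto::RSAPrivateKey::Create(1024));
  if (!key.get()) {
    LOG(WARNING) << "Unable to generate private key for origin bound cert";
    return false;
  }
  scoped_refptr<X509Certificate> x509_cert(
      X509Certificate::CreateSelfSigned(
          key.get(),
          subject,
          base::RandInt(0, std::numeric_limits<int>::max()),
          base::TimeDelta::FromDays(365)));
  if (!x509_cert.get()) {
    LOG(WARNING) << "Unable to create self-signed x509 cert for client";
    return false;
  }

  std::vector<uint8> key_vec;
  if (!key->ExportPrivateKey(&key_vec)) {
    LOG(WARNING) << "Unable to export private key for origin bound cert";
    return false;
  }
  // ... unchanged: DER encoding, store update, output assignment ...
```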
diff --git a/net/base/origin_bound_cert_service.h b/net/base/origin_bound_cert_service.h
new file mode 100644
index 0000000..4502247
--- /dev/null
+++ b/net/base/origin_bound_cert_service.h
@@ -0,0 +1,41 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
+#define NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
+#pragma once
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "net/base/origin_bound_cert_store.h"
+#include "googleurl/src/gurl.h" // TODO(rkn): This feels wrong.
+
+namespace net {
+
+// A class for creating and fetching origin bound certs.
+class OriginBoundCertService {
+ public:
+
+ OriginBoundCertService(OriginBoundCertStore* origin_bound_cert_store)
+ : origin_bound_cert_store_(origin_bound_cert_store) {}
+
+ // TODO(rkn): Specify certificate type (RSA or DSA).
+ // TODO(rkn): Key generation can be time consuming, so this should have an
+ // asynchronous interface.
+ // This function will fetch the origin bound cert for the specified origin
+ // if one exists and it will create one otherwise.
+ bool GetOriginBoundCert(const GURL& url,
+ std::string* private_key_result,
+ std::string* cert_result);
+
+ static std::string GetCertOriginFromURL(const GURL& url);
+
+ private:
+ OriginBoundCertStore* origin_bound_cert_store_;
+};
+
+} // namespace net
+
+#endif // NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
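Review bot: The single-argument constructor `OriginBoundCertService(OriginBoundCertStore* origin_bound_cert_store)` is not `explicit`, so any bare `OriginBoundCertStore*` converts to a service implicitly; write it as `explicit OriginBoundCertService(OriginBoundCertStore* origin_bound_cert_store)`. The header also says nothing about who owns the store: the service keeps the raw pointer in `origin_bound_cert_store_` and never deletes it, so a comment such as `// Not owned. The store must outlive this service.` belongs on that member. The `GetOriginBoundCert` comment should additionally state that `private_key_result` receives the exported private key in the clear, since callers of a public method named "cert" may not expect to be handed key material.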
diff --git a/net/base/origin_bound_cert_store.h b/net/base/origin_bound_cert_store.h
new file mode 100644
index 0000000..01be9e3
--- /dev/null
+++ b/net/base/origin_bound_cert_store.h
@@ -0,0 +1,39 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_ORIGIN_BOUND_CERT_STORE_H_
+#define NET_BASE_ORIGIN_BOUND_CERT_STORE_H_
+#pragma once
+
+#include <string>
+
+#include "base/basictypes.h"
+
+class GURL;
+
+namespace net {
+
+// An interface for storing and retrieving origin bound certs.
+
+class OriginBoundCertStore {
+ public:
+
+ virtual bool HasOriginBoundCert(const GURL& url) = 0;
+
+ // TODO(rkn): Specify certificate type (RSA or DSA).
+ // TODO(rkn): Key generation can be time consuming, so this should have an
+ // asynchronous interface.
+ // The output is stored in |private_key| and |cert|.
+ virtual void GetOriginBoundCert(const GURL& url,
+ std::string* private_key_result,
+ std::string* cert_result) = 0;
+
+ virtual void SetOriginBoundCert(const GURL& url,
+ const std::string& private_key,
+ const std::string& cert) = 0;
+};
+
+} // namespace net
+
+#endif // NET_BASE_ORIGIN_BOUND_CERT_STORE_H_
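Review bot: `OriginBoundCertStore` is an abstract interface with pure virtual methods but no virtual destructor, so deleting an implementation through an `OriginBoundCertStore*` is undefined behaviour; add `virtual ~OriginBoundCertStore() {}` to the public section. The comment above `GetOriginBoundCert` refers to `|private_key|` and `|cert|` while the parameters are `private_key_result` and `cert_result`, and the two TODOs about certificate type and key-generation latency appear copied from the service header — this store does not generate keys, so they mislead here. Because `private_key` in `SetOriginBoundCert` is serialized, unencrypted key material, the interface comment should say so, e.g. `// |private_key| is unencrypted key material; implementations are responsible for protecting it at rest.`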
diff --git a/net/net.gyp b/net/net.gyp
index 27cdfe2..727266a 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -168,6 +168,9 @@
'base/nss_memio.h',
'base/openssl_memory_private_key_store.cc',
'base/openssl_private_key_store.h',
+ 'base/origin_bound_cert_service.cc',
+ 'base/origin_bound_cert_service.h',
+ 'base/origin_bound_cert_store.h',
'base/pem_tokenizer.cc',
'base/pem_tokenizer.h',
'base/platform_mime_util.h',