1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/x509_util.h"
#include "net/cert/x509_util_nss.h"
#include <cert.h> // Must be included before certdb.h
#include <certdb.h>
#include <cryptohi.h>
#include <nss.h>
#include <pk11pub.h>
#include <prerror.h>
#include <secder.h>
#include <secmod.h>
#include <secport.h>
#include "base/debug/leak_annotations.h"
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/singleton.h"
#include "base/pickle.h"
#include "base/strings/stringprintf.h"
#include "crypto/ec_private_key.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/rsa_private_key.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/third_party/nss/chromium-nss.h"
#include "net/cert/x509_certificate.h"
namespace net {
namespace {
// Creates a Certificate object that may be passed to the SignCertificate
// method to generate an X509 certificate.
// Returns NULL if an error is encountered in the certificate creation
// process.
// Caller responsible for freeing returned certificate object.
CERTCertificate* CreateCertificate(SECKEYPublicKey* public_key,
const std::string& subject,
uint32_t serial_number,
base::Time not_valid_before,
base::Time not_valid_after) {
// Create info about public key.
CERTSubjectPublicKeyInfo* spki =
SECKEY_CreateSubjectPublicKeyInfo(public_key);
if (!spki)
return NULL;
// Create the certificate request.
CERTName* subject_name =
CERT_AsciiToName(const_cast<char*>(subject.c_str()));
CERTCertificateRequest* cert_request =
CERT_CreateCertificateRequest(subject_name, spki, NULL);
SECKEY_DestroySubjectPublicKeyInfo(spki);
if (!cert_request) {
PRErrorCode prerr = PR_GetError();
LOG(ERROR) << "Failed to create certificate request: " << prerr;
CERT_DestroyName(subject_name);
return NULL;
}
CERTValidity* validity = CERT_CreateValidity(
crypto::BaseTimeToPRTime(not_valid_before),
crypto::BaseTimeToPRTime(not_valid_after));
if (!validity) {
PRErrorCode prerr = PR_GetError();
LOG(ERROR) << "Failed to create certificate validity object: " << prerr;
CERT_DestroyName(subject_name);
CERT_DestroyCertificateRequest(cert_request);
return NULL;
}
CERTCertificate* cert = CERT_CreateCertificate(serial_number, subject_name,
validity, cert_request);
if (!cert) {
PRErrorCode prerr = PR_GetError();
LOG(ERROR) << "Failed to create certificate: " << prerr;
}
// Cleanup for resources used to generate the cert.
CERT_DestroyName(subject_name);
CERT_DestroyValidity(validity);
CERT_DestroyCertificateRequest(cert_request);
return cert;
}
SECOidTag ToSECOid(x509_util::DigestAlgorithm alg) {
switch (alg) {
case x509_util::DIGEST_SHA1:
return SEC_OID_SHA1;
case x509_util::DIGEST_SHA256:
return SEC_OID_SHA256;
}
return SEC_OID_UNKNOWN;
}
// Signs a certificate object, with |key| generating a new X509Certificate
// and destroying the passed certificate object (even when NULL is returned).
// The logic of this method references SignCert() in NSS utility certutil:
// http://mxr.mozilla.org/security/ident?i=SignCert.
// Returns true on success or false if an error is encountered in the
// certificate signing process.
bool SignCertificate(
CERTCertificate* cert,
SECKEYPrivateKey* key,
SECOidTag hash_algorithm) {
// |arena| is used to encode the cert.
PLArenaPool* arena = cert->arena;
SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->keyType,
hash_algorithm);
if (algo_id == SEC_OID_UNKNOWN)
return false;
SECStatus rv = SECOID_SetAlgorithmID(arena, &cert->signature, algo_id, 0);
if (rv != SECSuccess)
return false;
// Generate a cert of version 3.
*(cert->version.data) = 2;
cert->version.len = 1;
SECItem der = { siBuffer, NULL, 0 };
// Use ASN1 DER to encode the cert.
void* encode_result = SEC_ASN1EncodeItem(
NULL, &der, cert, SEC_ASN1_GET(CERT_CertificateTemplate));
if (!encode_result)
return false;
// Allocate space to contain the signed cert.
SECItem result = { siBuffer, NULL, 0 };
// Sign the ASN1 encoded cert and save it to |result|.
rv = DerSignData(arena, &result, &der, key, algo_id);
PORT_Free(der.data);
if (rv != SECSuccess) {
DLOG(ERROR) << "DerSignData: " << PORT_GetError();
return false;
}
// Save the signed result to the cert.
cert->derCert = result;
return true;
}
} // namespace
namespace x509_util {
bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
DigestAlgorithm alg,
const std::string& subject,
uint32_t serial_number,
base::Time not_valid_before,
base::Time not_valid_after,
std::string* der_cert) {
DCHECK(key);
DCHECK(!strncmp(subject.c_str(), "CN=", 3U));
CERTCertificate* cert = CreateCertificate(key->public_key(),
subject,
serial_number,
not_valid_before,
not_valid_after);
if (!cert)
return false;
if (!SignCertificate(cert, key->key(), ToSECOid(alg))) {
CERT_DestroyCertificate(cert);
return false;
}
der_cert->assign(reinterpret_cast<char*>(cert->derCert.data),
cert->derCert.len);
CERT_DestroyCertificate(cert);
return true;
}
bool GetTLSServerEndPointChannelBinding(const X509Certificate& certificate,
std::string* token) {
NOTIMPLEMENTED();
return false;
}
} // namespace x509_util
} // namespace net
|
