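// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/cert/x509_util.h"

#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"
#include "base/time/time.h"
#include "crypto/ec_private_key.h"
#include "crypto/rsa_private_key.h"
#include "net/cert/x509_certificate.h"

namespace net {

namespace x509_util {

// RSA keys created by CreateKeyAndSelfSignedCert will be of this length.
// 2048 bits is the smallest modulus size generally accepted for new RSA
// keys; the previous value of 1024 is too weak for keys generated today.
// Key generation is correspondingly slower, which is the expected cost.
static const uint16 kRSAKeyLength = 2048;

// Certificates made by CreateKeyAndSelfSignedCert and
// CreateKeyAndDomainBoundCertEC will be signed using this digest algorithm.
static const DigestAlgorithm kSignatureDigestAlgorithm = DIGEST_SHA256;

// The reference time is captured once at construction so that every
// comparison performed by a single sorter uses the same notion of "now";
// a comparator whose result drifted mid-sort would violate strict weak
// ordering.
ClientCertSorter::ClientCertSorter() : now_(base::Time::Now()) {}

// Comparator returning true when |a| should be ordered before |b|.
// Priority, highest first:
//   1. non-null certificates before null ones;
//   2. certificates valid at |now_| before expired / not-yet-valid ones;
//   3. later expiry date first;
//   4. later start date (more recently issued) first;
//   5. fewer intermediate certificates first.
// Two certificates that tie on every criterion compare as equivalent.
bool ClientCertSorter::operator()(
    const scoped_refptr<X509Certificate>& a,
    const scoped_refptr<X509Certificate>& b) const {
  // Certificates that are null are sorted last.
  if (!a.get() || !b.get())
    return a.get() && !b.get();

  // Certificates that are expired/not-yet-valid are sorted last. Both
  // bounds are inclusive.
  bool a_is_valid = now_ >= a->valid_start() && now_ <= a->valid_expiry();
  bool b_is_valid = now_ >= b->valid_start() && now_ <= b->valid_expiry();
  if (a_is_valid != b_is_valid)
    return a_is_valid && !b_is_valid;

  // Certificates with longer expirations appear as higher priority (less
  // than) certificates with shorter expirations.
  if (a->valid_expiry() != b->valid_expiry())
    return a->valid_expiry() > b->valid_expiry();

  // If the expiration dates are equivalent, certificates that were issued
  // more recently should be prioritized over older certificates.
  if (a->valid_start() != b->valid_start())
    return a->valid_start() > b->valid_start();

  // Otherwise, prefer client certificates with shorter chains.
  const X509Certificate::OSCertHandles& a_intermediates =
      a->GetIntermediateCertificates();
  const X509Certificate::OSCertHandles& b_intermediates =
      b->GetIntermediateCertificates();
  return a_intermediates.size() < b_intermediates.size();
}

// Generates a fresh EC key and a domain-bound certificate for |domain|
// signed with kSignatureDigestAlgorithm, valid from |not_valid_before| to
// |not_valid_after| and carrying |serial_number|.
//
// Returns true on success, in which case ownership of the new key is
// transferred to |*key| and the DER-encoded certificate is written to
// |*der_cert|. Returns false if key generation or certificate creation
// fails; |*key| is not touched in that case. |key| must be non-null.
bool CreateKeyAndDomainBoundCertEC(const std::string& domain,
                                   uint32 serial_number,
                                   base::Time not_valid_before,
                                   base::Time not_valid_after,
                                   scoped_ptr<crypto::ECPrivateKey>* key,
                                   std::string* der_cert) {
  scoped_ptr<crypto::ECPrivateKey> new_key(crypto::ECPrivateKey::Create());
  if (!new_key.get())
    return false;

  bool success = CreateDomainBoundCertEC(new_key.get(),
                                         kSignatureDigestAlgorithm,
                                         domain,
                                         serial_number,
                                         not_valid_before,
                                         not_valid_after,
                                         der_cert);
  // Only hand the key to the caller once a certificate exists for it; a
  // failed run leaves the caller's key untouched and drops the new one.
  if (success)
    key->reset(new_key.release());

  return success;
}

// Generates a fresh kRSAKeyLength-bit RSA key and a self-signed certificate
// for |subject| signed with kSignatureDigestAlgorithm, valid from
// |not_valid_before| to |not_valid_after| and carrying |serial_number|.
//
// Returns true on success, in which case ownership of the new key is
// transferred to |*key| and the DER-encoded certificate is written to
// |*der_cert|. Returns false if key generation or certificate creation
// fails; |*key| is not touched in that case. |key| must be non-null.
bool CreateKeyAndSelfSignedCert(const std::string& subject,
                                uint32 serial_number,
                                base::Time not_valid_before,
                                base::Time not_valid_after,
                                scoped_ptr<crypto::RSAPrivateKey>* key,
                                std::string* der_cert) {
  scoped_ptr<crypto::RSAPrivateKey> new_key(
      crypto::RSAPrivateKey::Create(kRSAKeyLength));
  if (!new_key.get())
    return false;

  bool success = CreateSelfSignedCert(new_key.get(),
                                      kSignatureDigestAlgorithm,
                                      subject,
                                      serial_number,
                                      not_valid_before,
                                      not_valid_after,
                                      der_cert);
  // Same transfer rule as CreateKeyAndDomainBoundCertEC: the key is only
  // released to the caller when certificate creation succeeded.
  if (success)
    key->reset(new_key.release());

  return success;
}

}  // namespace x509_util

}  // namespace net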