Home | History | Annotate | Download | only in cert 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_CERT_X509_UTIL_H_
      6 #define NET_CERT_X509_UTIL_H_
      7 
      8 #include <string>
      9 
     10 #include "base/memory/ref_counted.h"
     11 #include "base/memory/scoped_ptr.h"
     12 #include "base/time/time.h"
     13 #include "net/base/net_export.h"
     14 
     15 namespace crypto {
     16 class ECPrivateKey;
     17 class RSAPrivateKey;
     18 }
     19 
     20 namespace net {
     21 
     22 class X509Certificate;
     23 
     24 namespace x509_util {
     25 
     26 // Supported digest algorithms for signing certificates.
     27 enum DigestAlgorithm {
     28   DIGEST_SHA1,
     29   DIGEST_SHA256
     30 };
     31 
     32 // Returns true if the times can be used to create an X.509 certificate.
     33 // Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999.  A bug in NSS
     34 // limited the range to 1950-9999
     35 // (https://bugzilla.mozilla.org/show_bug.cgi?id=786531).  This function will
     36 // return whether it is supported by the currently used crypto library.
     37 NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,
     38                                                  base::Time not_valid_after);
     39 
     40 // Creates a private keypair and server bound certificate.
     41 // Domain, serial number and validity period are given as
     42 // parameters. The certificate is signed by the private key in |key|.
     43 // The signature algorithm may be updated periodically to match best practices.
     44 //
     45 // See Internet Draft draft-balfanz-tls-obc-00 for more details:
     46 // http://tools.ietf.org/html/draft-balfanz-tls-obc-00
     47 NET_EXPORT_PRIVATE bool CreateKeyAndDomainBoundCertEC(
     48     const std::string& domain,
     49     uint32 serial_number,
     50     base::Time not_valid_before,
     51     base::Time not_valid_after,
     52     scoped_ptr<crypto::ECPrivateKey>* key,
     53     std::string* der_cert);
     54 
     55 // Helper function for CreateKeyAndDomainBoundCertEC.
     56 NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key,
     57                                                 DigestAlgorithm alg,
     58                                                 const std::string& domain,
     59                                                 uint32 serial_number,
     60                                                 base::Time not_valid_before,
     61                                                 base::Time not_valid_after,
     62                                                 std::string* der_cert);
     63 
     64 // Creates a public-private keypair and a self-signed certificate.
     65 // Subject, serial number and validity period are given as parameters.
     66 // The certificate is signed by the private key in |key|. The key length and
     67 // signature algorithm may be updated periodically to match best practices.
     68 //
     69 // |subject| is a distinguished name defined in RFC4514 with _only_ a CN
     70 // component, as in:
     71 //   CN=Michael Wong
     72 //
     73 // SECURITY WARNING
     74 //
     75 // Using self-signed certificates has the following security risks:
     76 // 1. Encryption without authentication and thus vulnerable to
     77 //    man-in-the-middle attacks.
     78 // 2. Self-signed certificates cannot be revoked.
     79 //
     80 // Use this certificate only after the above risks are acknowledged.
     81 NET_EXPORT bool CreateKeyAndSelfSignedCert(
     82     const std::string& subject,
     83     uint32 serial_number,
     84     base::Time not_valid_before,
     85     base::Time not_valid_after,
     86     scoped_ptr<crypto::RSAPrivateKey>* key,
     87     std::string* der_cert);
     88 
     89 // Creates a self-signed certificate from a provided key, using the specified
     90 // hash algorithm.  You should not re-use a key for signing data with multiple
     91 // signature algorithms or parameters.
     92 NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
     93                                      DigestAlgorithm alg,
     94                                      const std::string& subject,
     95                                      uint32 serial_number,
     96                                      base::Time not_valid_before,
     97                                      base::Time not_valid_after,
     98                                      std::string* der_cert);
     99 
    100 // Comparator for use in STL algorithms that will sort client certificates by
    101 // order of preference.
    102 // Returns true if |a| is more preferable than |b|, allowing it to be used
    103 // with any algorithm that compares according to strict weak ordering.
    104 //
    105 // Criteria include:
    106 // - Prefer certificates that have a longer validity period (later
    107 //   expiration dates)
    108 // - If equal, prefer certificates that were issued more recently
    109 // - If equal, prefer shorter chains (if available)
    110 class NET_EXPORT_PRIVATE ClientCertSorter {
    111  public:
    112   ClientCertSorter();
    113 
    114   bool operator()(
    115       const scoped_refptr<X509Certificate>& a,
    116       const scoped_refptr<X509Certificate>& b) const;
    117 
    118  private:
    119   base::Time now_;
    120 };
    121 
    122 } // namespace x509_util
    123 
    124 } // namespace net
    125 
    126 #endif  // NET_CERT_X509_UTIL_H_
    127