| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "net/cert/x509_util.h" |
| |
| #include "base/basictypes.h" |
| #include "base/memory/scoped_ptr.h" |
| #include "base/time/time.h" |
| #include "crypto/ec_private_key.h" |
| #include "crypto/rsa_private_key.h" |
| #include "net/cert/x509_certificate.h" |
| |
| namespace net { |
| |
| namespace x509_util { |
| |
| // RSA keys created by CreateKeyAndSelfSignedCert will be of this length. |
| static const uint16 kRSAKeyLength = 1024; |
| |
| // Certificates made by CreateKeyAndSelfSignedCert and |
| // CreateKeyAndDomainBoundCertEC will be signed using this digest algorithm. |
| static const DigestAlgorithm kSignatureDigestAlgorithm = DIGEST_SHA256; |
| |
| ClientCertSorter::ClientCertSorter() : now_(base::Time::Now()) {} |
| |
| bool ClientCertSorter::operator()( |
| const scoped_refptr<X509Certificate>& a, |
| const scoped_refptr<X509Certificate>& b) const { |
| // Certificates that are null are sorted last. |
| if (!a.get() || !b.get()) |
| return a.get() && !b.get(); |
| |
| // Certificates that are expired/not-yet-valid are sorted last. |
| bool a_is_valid = now_ >= a->valid_start() && now_ <= a->valid_expiry(); |
| bool b_is_valid = now_ >= b->valid_start() && now_ <= b->valid_expiry(); |
| if (a_is_valid != b_is_valid) |
| return a_is_valid && !b_is_valid; |
| |
| // Certificates with longer expirations appear as higher priority (less |
| // than) certificates with shorter expirations. |
| if (a->valid_expiry() != b->valid_expiry()) |
| return a->valid_expiry() > b->valid_expiry(); |
| |
| // If the expiration dates are equivalent, certificates that were issued |
| // more recently should be prioritized over older certificates. |
| if (a->valid_start() != b->valid_start()) |
| return a->valid_start() > b->valid_start(); |
| |
| // Otherwise, prefer client certificates with shorter chains. |
| const X509Certificate::OSCertHandles& a_intermediates = |
| a->GetIntermediateCertificates(); |
| const X509Certificate::OSCertHandles& b_intermediates = |
| b->GetIntermediateCertificates(); |
| return a_intermediates.size() < b_intermediates.size(); |
| } |
| |
| bool CreateKeyAndDomainBoundCertEC(const std::string& domain, |
| uint32 serial_number, |
| base::Time not_valid_before, |
| base::Time not_valid_after, |
| scoped_ptr<crypto::ECPrivateKey>* key, |
| std::string* der_cert) { |
| scoped_ptr<crypto::ECPrivateKey> new_key(crypto::ECPrivateKey::Create()); |
| if (!new_key.get()) |
| return false; |
| |
| bool success = CreateDomainBoundCertEC(new_key.get(), |
| kSignatureDigestAlgorithm, |
| domain, |
| serial_number, |
| not_valid_before, |
| not_valid_after, |
| der_cert); |
| if (success) |
| key->reset(new_key.release()); |
| |
| return success; |
| } |
| |
| bool CreateKeyAndSelfSignedCert(const std::string& subject, |
| uint32 serial_number, |
| base::Time not_valid_before, |
| base::Time not_valid_after, |
| scoped_ptr<crypto::RSAPrivateKey>* key, |
| std::string* der_cert) { |
| scoped_ptr<crypto::RSAPrivateKey> new_key( |
| crypto::RSAPrivateKey::Create(kRSAKeyLength)); |
| if (!new_key.get()) |
| return false; |
| |
| bool success = CreateSelfSignedCert(new_key.get(), |
| kSignatureDigestAlgorithm, |
| subject, |
| serial_number, |
| not_valid_before, |
| not_valid_after, |
| der_cert); |
| if (success) |
| key->reset(new_key.release()); |
| |
| return success; |
| } |
| |
| } // namespace x509_util |
| |
| } // namespace net |