Google Git
Sign in
android / platform / external / openscreen / 83e50af3^! / .
commit83e50af3e0bd628e7307e67e0ae1c6a611b8d7bb[log] [tgz]
authorJordan Bayles <jophba@chromium.org>Wed Oct 21 18:14:44 2020 -0700
committerCommit Bot <commit-bot@chromium.org>Thu Oct 22 17:51:18 2020 +0000
tree3b138e3b167a230551098fb9827cafed16385e43
parentd975e29d1e934b21ebfc9dd4fbaebecab167f986 [diff]
Add version field to generated TLS certificates

Chrome requires the version field to be populated and set to V3. This
patch also adds DVLOGs, since currently generating a certificate
requires stepping through a debugger.

Change-Id: Id6e803834f11a4fba265684ff2be745197282279
Reviewed-on: https://chromium-review.googlesource.com/c/openscreen/+/2489927
Reviewed-by: Brandon Tolsch <btolsch@chromium.org>
Commit-Queue: Jordan Bayles <jophba@chromium.org>

diff --git a/util/crypto/certificate_utils.cc b/util/crypto/certificate_utils.cc
index 8f18b7e..a9b7d9a 100644
--- a/util/crypto/certificate_utils.cc
+++ b/util/crypto/certificate_utils.cc

@@ -63,11 +63,19 @@
     issuer_key = &key_pair;
   }
 
+  // Certificate versions are zero indexed, so V1 = 0.
+  const int kCertificateVersion3 = 2;
+  if (X509_set_version(certificate.get(), kCertificateVersion3) != 1) {
+    OSP_DVLOG << "Failed to set certificate version";
+    return nullptr;
+  }
+
   // Serial numbers must be unique for this session. As a pretend CA, we should
   // not issue certificates with the same serial number in the same session.
   static int serial_number(1);
   if (ASN1_INTEGER_set(X509_get_serialNumber(certificate.get()),
                        serial_number++) != 1) {
+    OSP_DVLOG << "Failed to set serial number.";
     return nullptr;
   }
 
@@ -77,11 +85,13 @@
 
   if ((X509_set_notBefore(certificate.get(), now.get()) != 1) ||
       (X509_set_notAfter(certificate.get(), expiration_time.get()) != 1)) {
+    OSP_DVLOG << "Failed to set before and after ranges.";
     return nullptr;
   }
 
   X509_NAME* certificate_name = X509_get_subject_name(certificate.get());
   if (!AddCertificateField(certificate_name, "CN", name)) {
+    OSP_DVLOG << "Failed to set subject name";
     return nullptr;
   }
 
@@ -91,6 +101,7 @@
     ASN1_BIT_STRING_set_bit(x.get(), KeyUsageBits::kKeyCertSign, 1);
   }
   if (X509_add1_ext_i2d(certificate.get(), NID_key_usage, x.get(), 0, 0) != 1) {
+    OSP_DVLOG << "Failed to set key usage extension";
     return nullptr;
   }
   if (make_ca) {
@@ -101,6 +112,7 @@
         X509V3_EXT_nconf_nid(nullptr, &ctx, NID_basic_constraints,
                              const_cast<char*>("critical,CA:TRUE")));
     if (!ex) {
+      OSP_DVLOG << "Failed to set constraints extension";
       return nullptr;
     }
     void* thing = X509V3_EXT_d2i(ex.get());
@@ -115,6 +127,7 @@
       // the size of the signature in bytes.
       (X509_sign(certificate.get(), issuer_key, EVP_sha256()) <= 0) ||
       (X509_verify(certificate.get(), issuer_key) != 1)) {
+    OSP_DVLOG << "Failed to set pubkey, set issuer, sign, or verify";
     return nullptr;
   }