// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/x509_util.h" #include "base/basictypes.h" #include "base/memory/scoped_ptr.h" #include "base/time/time.h" #include "crypto/ec_private_key.h" #include "crypto/rsa_private_key.h" #include "net/cert/x509_certificate.h" namespace net { namespace x509_util { // RSA keys created by CreateKeyAndSelfSignedCert will be of this length. static const uint16 kRSAKeyLength = 1024; // Certificates made by CreateKeyAndSelfSignedCert and // CreateKeyAndDomainBoundCertEC will be signed using this digest algorithm. static const DigestAlgorithm kSignatureDigestAlgorithm = DIGEST_SHA256; ClientCertSorter::ClientCertSorter() : now_(base::Time::Now()) {} bool ClientCertSorter::operator()( const scoped_refptr<X509Certificate>& a, const scoped_refptr<X509Certificate>& b) const { // Certificates that are null are sorted last. if (!a.get() || !b.get()) return a.get() && !b.get(); // Certificates that are expired/not-yet-valid are sorted last. bool a_is_valid = now_ >= a->valid_start() && now_ <= a->valid_expiry(); bool b_is_valid = now_ >= b->valid_start() && now_ <= b->valid_expiry(); if (a_is_valid != b_is_valid) return a_is_valid && !b_is_valid; // Certificates with longer expirations appear as higher priority (less // than) certificates with shorter expirations. if (a->valid_expiry() != b->valid_expiry()) return a->valid_expiry() > b->valid_expiry(); // If the expiration dates are equivalent, certificates that were issued // more recently should be prioritized over older certificates. if (a->valid_start() != b->valid_start()) return a->valid_start() > b->valid_start(); // Otherwise, prefer client certificates with shorter chains. const X509Certificate::OSCertHandles& a_intermediates = a->GetIntermediateCertificates(); const X509Certificate::OSCertHandles& b_intermediates = b->GetIntermediateCertificates(); return a_intermediates.size() < b_intermediates.size(); } bool CreateKeyAndDomainBoundCertEC(const std::string& domain, uint32 serial_number, base::Time not_valid_before, base::Time not_valid_after, scoped_ptr<crypto::ECPrivateKey>* key, std::string* der_cert) { scoped_ptr<crypto::ECPrivateKey> new_key(crypto::ECPrivateKey::Create()); if (!new_key.get()) return false; bool success = CreateDomainBoundCertEC(new_key.get(), kSignatureDigestAlgorithm, domain, serial_number, not_valid_before, not_valid_after, der_cert); if (success) key->reset(new_key.release()); return success; } bool CreateKeyAndSelfSignedCert(const std::string& subject, uint32 serial_number, base::Time not_valid_before, base::Time not_valid_after, scoped_ptr<crypto::RSAPrivateKey>* key, std::string* der_cert) { scoped_ptr<crypto::RSAPrivateKey> new_key( crypto::RSAPrivateKey::Create(kRSAKeyLength)); if (!new_key.get()) return false; bool success = CreateSelfSignedCert(new_key.get(), kSignatureDigestAlgorithm, subject, serial_number, not_valid_before, not_valid_after, der_cert); if (success) key->reset(new_key.release()); return success; } } // namespace x509_util } // namespace net