Diffstat (limited to 'chromium/net/cert/x509_util.h')
-rw-r--r--chromium/net/cert/x509_util.h49
1 files changed, 38 insertions, 11 deletions
diff --git a/chromium/net/cert/x509_util.h b/chromium/net/cert/x509_util.h
index 8a6bae2c95f..e6b0e448cd4 100644
--- a/chromium/net/cert/x509_util.h
+++ b/chromium/net/cert/x509_util.h
@@ -8,6 +8,7 @@
#include <string>
#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
#include "base/time/time.h"
#include "net/base/net_export.h"
@@ -22,6 +23,12 @@ class X509Certificate;
namespace x509_util {
+// Supported digest algorithms for signing certificates.
+enum DigestAlgorithm {
+ DIGEST_SHA1,
+ DIGEST_SHA256
+};
+
// Returns true if the times can be used to create an X.509 certificate.
// Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999. A bug in NSS
// limited the range to 1950-9999
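Review bot: The new DigestAlgorithm enum is declared without saying which value callers are expected to pick, even though the comments updated later in this diff say the signature algorithm "may be updated periodically to match best practices". A short comment per enumerator would make the intent explicit, e.g. `// DIGEST_SHA1: kept for existing callers; prefer DIGEST_SHA256 for new certificates.` above `DIGEST_SHA1,`. Because this is an unscoped enum in a header, DIGEST_SHA1 and DIGEST_SHA256 become names directly inside net::x509_util; that matches the style of the surrounding declarations, so it is only worth noting if the project has since moved to `enum class`.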
@@ -30,30 +37,38 @@ namespace x509_util {
NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,
base::Time not_valid_after);
-// Creates a server bound certificate containing the public key in |key|.
+// Creates a private keypair and server bound certificate.
// Domain, serial number and validity period are given as
// parameters. The certificate is signed by the private key in |key|.
-// The hashing algorithm for the signature is SHA-1.
+// The signature algorithm may be updated periodically to match best practices.
//
// See Internet Draft draft-balfanz-tls-obc-00 for more details:
// http://tools.ietf.org/html/draft-balfanz-tls-obc-00
-NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(
- crypto::ECPrivateKey* key,
+NET_EXPORT_PRIVATE bool CreateKeyAndDomainBoundCertEC(
const std::string& domain,
uint32 serial_number,
base::Time not_valid_before,
base::Time not_valid_after,
+ scoped_ptr<crypto::ECPrivateKey>* key,
std::string* der_cert);
-// Create a self-signed certificate containing the public key in |key|.
+// Helper function for CreateKeyAndDomainBoundCertEC.
+NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key,
+ DigestAlgorithm alg,
+ const std::string& domain,
+ uint32 serial_number,
+ base::Time not_valid_before,
+ base::Time not_valid_after,
+ std::string* der_cert);
+
+// Creates a public-private keypair and a self-signed certificate.
// Subject, serial number and validity period are given as parameters.
-// The certificate is signed by the private key in |key|. The hashing
-// algorithm for the signature is SHA-1.
+// The certificate is signed by the private key in |key|. The key length and
+// signature algorithm may be updated periodically to match best practices.
//
-// |subject| is a distinguished name defined in RFC4514.
-//
-// An example:
-// CN=Michael Wong,O=FooBar Corporation,DC=foobar,DC=com
+// |subject| is a distinguished name defined in RFC4514 with _only_ a CN
+// component, as in:
+// CN=Michael Wong
//
// SECURITY WARNING
//
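Review bot: The comment on CreateKeyAndDomainBoundCertEC still says "The certificate is signed by the private key in |key|", but |key| is now a `scoped_ptr<crypto::ECPrivateKey>*` out-parameter, so the sentence describes the old contract where the key was an input. It should state that a fresh key is generated and handed back through |key|, and what |*key| and |*der_cert| hold on failure, which cannot be confirmed from this header since the implementation is elsewhere; something like `// On success, the newly generated private key is returned in |*key| and the DER-encoded certificate in |*der_cert|.` with a reviewer note to confirm the failure behaviour. The new helper CreateDomainBoundCertEC is documented only as "Helper function for CreateKeyAndDomainBoundCertEC", which says nothing about |alg| and omits the key-reuse caveat the RSA helper later in this diff carries ("You should not re-use a key for signing data with multiple signature algorithms or parameters"); the same caveat applies to an EC key and should be repeated here so callers of the helper see it.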
@@ -63,7 +78,19 @@ NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(
// 2. Self-signed certificates cannot be revoked.
//
// Use this certificate only after the above risks are acknowledged.
+NET_EXPORT bool CreateKeyAndSelfSignedCert(
+ const std::string& subject,
+ uint32 serial_number,
+ base::Time not_valid_before,
+ base::Time not_valid_after,
+ scoped_ptr<crypto::RSAPrivateKey>* key,
+ std::string* der_cert);
+
+// Creates a self-signed certificate from a provided key, using the specified
+// hash algorithm. You should not re-use a key for signing data with multiple
+// signature algorithms or parameters.
NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
+ DigestAlgorithm alg,
const std::string& subject,
uint32 serial_number,
base::Time not_valid_before,