net/cert/x509_util.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_X509_UTIL_H_
   6 #define NET_CERT_X509_UTIL_H_
   7
   8 #include <string>
   9
  10 #include "base/memory/ref_counted.h"
  11 #include "base/memory/scoped_ptr.h"
  12 #include "base/time/time.h"
  13 #include "net/base/net_export.h"
  14
  15 namespace crypto {
  16 class ECPrivateKey;
  17 class RSAPrivateKey;
  18 }
  19
  20 namespace net {
  21
  22 class X509Certificate;
  23
  24 namespace x509_util {
  25
  26 // Supported digest algorithms for signing certificates.
  27 enum DigestAlgorithm {
  28   DIGEST_SHA1,
  29   DIGEST_SHA256
  30 };
  31
  32 // Returns true if the times can be used to create an X.509 certificate.
  33 // Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999.  A bug in NSS
  34 // limited the range to 1950-9999
  35 // (https://bugzilla.mozilla.org/show_bug.cgi?id=786531).  This function will
  36 // return whether it is supported by the currently used crypto library.
  37 NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,
  38                                                  base::Time not_valid_after);
  39
  40 // Creates a private keypair and server bound certificate.
  41 // Domain, serial number and validity period are given as
  42 // parameters. The certificate is signed by the private key in |key|.
  43 // The signature algorithm may be updated periodically to match best practices.
  44 //
  45 // See Internet Draft draft-balfanz-tls-obc-00 for more details:
  46 // http://tools.ietf.org/html/draft-balfanz-tls-obc-00
  47 NET_EXPORT_PRIVATE bool CreateKeyAndChannelIDEC(
  48     const std::string& domain,
  49     uint32 serial_number,
  50     base::Time not_valid_before,
  51     base::Time not_valid_after,
  52     scoped_ptr<crypto::ECPrivateKey>* key,
  53     std::string* der_cert);
  54
  55 // Helper function for CreateKeyAndChannelIDEC.
  56 NET_EXPORT_PRIVATE bool CreateChannelIDEC(crypto::ECPrivateKey* key,
  57                                           DigestAlgorithm alg,
  58                                           const std::string& domain,
  59                                           uint32 serial_number,
  60                                           base::Time not_valid_before,
  61                                           base::Time not_valid_after,
  62                                           std::string* der_cert);
  63
  64 // Creates a public-private keypair and a self-signed certificate.
  65 // Subject, serial number and validity period are given as parameters.
  66 // The certificate is signed by the private key in |key|. The key length and
  67 // signature algorithm may be updated periodically to match best practices.
  68 //
  69 // |subject| is a distinguished name defined in RFC4514 with _only_ a CN
  70 // component, as in:
  71 //   CN=Michael Wong
  72 //
  73 // SECURITY WARNING
  74 //
  75 // Using self-signed certificates has the following security risks:
  76 // 1. Encryption without authentication and thus vulnerable to
  77 //    man-in-the-middle attacks.
  78 // 2. Self-signed certificates cannot be revoked.
  79 //
  80 // Use this certificate only after the above risks are acknowledged.
  81 NET_EXPORT bool CreateKeyAndSelfSignedCert(
  82     const std::string& subject,
  83     uint32 serial_number,
  84     base::Time not_valid_before,
  85     base::Time not_valid_after,
  86     scoped_ptr<crypto::RSAPrivateKey>* key,
  87     std::string* der_cert);
  88
  89 // Creates a self-signed certificate from a provided key, using the specified
  90 // hash algorithm.  You should not re-use a key for signing data with multiple
  91 // signature algorithms or parameters.
  92 NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
  93                                      DigestAlgorithm alg,
  94                                      const std::string& subject,
  95                                      uint32 serial_number,
  96                                      base::Time not_valid_before,
  97                                      base::Time not_valid_after,
  98                                      std::string* der_cert);
  99
 100 // Comparator for use in STL algorithms that will sort client certificates by
 101 // order of preference.
 102 // Returns true if |a| is more preferable than |b|, allowing it to be used
 103 // with any algorithm that compares according to strict weak ordering.
 104 //
 105 // Criteria include:
 106 // - Prefer certificates that have a longer validity period (later
 107 //   expiration dates)
 108 // - If equal, prefer certificates that were issued more recently
 109 // - If equal, prefer shorter chains (if available)
 110 class NET_EXPORT_PRIVATE ClientCertSorter {
 111  public:
 112   ClientCertSorter();
 113
 114   bool operator()(
 115       const scoped_refptr<X509Certificate>& a,
 116       const scoped_refptr<X509Certificate>& b) const;
 117
 118  private:
 119   base::Time now_;
 120 };
 121
 122 } // namespace x509_util
 123
 124 } // namespace net
 125
 126 #endif  // NET_CERT_X509_UTIL_H_