1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_CERT_X509_UTIL_H_
6 #define NET_CERT_X509_UTIL_H_
8 #include <stdint.h>
9 #include <string>
11 #include "base/memory/ref_counted.h"
12 #include "base/memory/scoped_ptr.h"
13 #include "base/time/time.h"
14 #include "net/base/net_export.h"
16 namespace crypto {
17 class ECPrivateKey;
18 class RSAPrivateKey;
21 namespace net {
23 class X509Certificate;
25 namespace x509_util {
27 // Supported digest algorithms for signing certificates.
28 enum DigestAlgorithm {
// NOTE(review): SHA-1 certificate signatures are deprecated by browsers and
// public CAs; this value is presumably retained for compatibility only — prefer
// DIGEST_SHA256 for any newly issued certificate.
29 DIGEST_SHA1,
// Digest used for SHA-256-based signatures; the preferred choice.
30 DIGEST_SHA256
33 // Returns true if the times can be used to create an X.509 certificate.
34 // Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999. A bug in NSS
35 // limited the range to 1950-9999
36 // (https://bugzilla.mozilla.org/show_bug.cgi?id=786531). This function will
37 // return whether the given range is supported by the currently used crypto library.
38 NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,
39 base::Time not_valid_after);
41 // Creates a public-private keypair and a self-signed certificate.
42 // Subject, serial number and validity period are given as parameters.
43 // The certificate is signed by the private key in |key|. The key length and
44 // signature algorithm may be updated periodically to match best practices.
46 // |subject| is a distinguished name defined in RFC4514 with _only_ a CN
47 // component, as in:
48 // CN=Michael Wong
50 // SECURITY WARNING
52 // Using self-signed certificates has the following security risks:
53 // 1. Encryption without authentication of the peer, and thus vulnerable to
54 // man-in-the-middle attacks.
55 // 2. Self-signed certificates cannot be revoked.
57 // Use this certificate only after the above risks are acknowledged.
58 NET_EXPORT bool CreateKeyAndSelfSignedCert(
59 const std::string& subject,
60 uint32_t serial_number,
61 base::Time not_valid_before,
62 base::Time not_valid_after,
63 scoped_ptr<crypto::RSAPrivateKey>* key,
64 std::string* der_cert);
66 // Creates a self-signed certificate from a provided key, using the specified
67 // hash algorithm. You should not re-use a key for signing data with multiple
68 // signature algorithms or parameters.
69 NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
70 DigestAlgorithm alg,
71 const std::string& subject,
72 uint32_t serial_number,
73 base::Time not_valid_before,
74 base::Time not_valid_after,
75 std::string* der_cert);
77 // Comparator for use in STL algorithms that will sort client certificates by
78 // order of preference.
79 // Returns true if |a| is more preferable than |b|, allowing it to be used
80 // with any algorithm that compares according to strict weak ordering.
82 // Criteria include:
83 // - Prefer certificates that have a longer validity period (later
84 // expiration dates)
85 // - If equal, prefer certificates that were issued more recently
86 // - If equal, prefer shorter chains (if available)
87 class NET_EXPORT_PRIVATE ClientCertSorter {
88 public:
// Default constructor; the definition (in the .cc file) is not visible here.
// NOTE(review): presumably initializes |now_| to the current time — confirm.
89 ClientCertSorter();
// Preference "less-than": returns true if |a| should sort before |b|, i.e. |a|
// is more preferable per the criteria documented above the class. Must satisfy
// strict weak ordering so it can be handed to std::sort and friends.
91 bool operator()(
92 const scoped_refptr<X509Certificate>& a,
93 const scoped_refptr<X509Certificate>& b) const;
95 private:
// Reference time used by operator() when comparing certificate validity.
// NOTE(review): assumed to be captured once at construction so that a single
// sort pass compares against a consistent clock — verify in x509_util.cc.
96 base::Time now_;
99 } // namespace x509_util
101 } // namespace net
103 #endif // NET_CERT_X509_UTIL_H_