net/cert/x509_util.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_X509_UTIL_H_
   6 #define NET_CERT_X509_UTIL_H_
   7
   8 #include <stdint.h>
   9 #include <string>
  10
  11 #include "base/memory/ref_counted.h"
  12 #include "base/memory/scoped_ptr.h"
  13 #include "base/time/time.h"
  14 #include "net/base/net_export.h"
  15
  16 namespace crypto {
  17 class ECPrivateKey;
  18 class RSAPrivateKey;
  19 }
  20
  21 namespace net {
  22
  23 class X509Certificate;
  24
  25 namespace x509_util {
  26
  27 // Supported digest algorithms for signing certificates.
  28 enum DigestAlgorithm {
  29   DIGEST_SHA1,
  30   DIGEST_SHA256
  31 };
  32
  33 // Returns true if the times can be used to create an X.509 certificate.
  34 // Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999.  A bug in NSS
  35 // limited the range to 1950-9999
  36 // (https://bugzilla.mozilla.org/show_bug.cgi?id=786531).  This function will
  37 // return whether it is supported by the currently used crypto library.
  38 NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,
  39                                                  base::Time not_valid_after);
  40
  41 // Creates a public-private keypair and a self-signed certificate.
  42 // Subject, serial number and validity period are given as parameters.
  43 // The certificate is signed by the private key in |key|. The key length and
  44 // signature algorithm may be updated periodically to match best practices.
  45 //
  46 // |subject| is a distinguished name defined in RFC4514 with _only_ a CN
  47 // component, as in:
  48 //   CN=Michael Wong
  49 //
  50 // SECURITY WARNING
  51 //
  52 // Using self-signed certificates has the following security risks:
  53 // 1. Encryption without authentication and thus vulnerable to
  54 //    man-in-the-middle attacks.
  55 // 2. Self-signed certificates cannot be revoked.
  56 //
  57 // Use this certificate only after the above risks are acknowledged.
  58 NET_EXPORT bool CreateKeyAndSelfSignedCert(
  59     const std::string& subject,
  60     uint32_t serial_number,
  61     base::Time not_valid_before,
  62     base::Time not_valid_after,
  63     scoped_ptr<crypto::RSAPrivateKey>* key,
  64     std::string* der_cert);
  65
  66 // Creates a self-signed certificate from a provided key, using the specified
  67 // hash algorithm.  You should not re-use a key for signing data with multiple
  68 // signature algorithms or parameters.
  69 NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
  70                                      DigestAlgorithm alg,
  71                                      const std::string& subject,
  72                                      uint32_t serial_number,
  73                                      base::Time not_valid_before,
  74                                      base::Time not_valid_after,
  75                                      std::string* der_cert);
  76
  77 // Comparator for use in STL algorithms that will sort client certificates by
  78 // order of preference.
  79 // Returns true if |a| is more preferable than |b|, allowing it to be used
  80 // with any algorithm that compares according to strict weak ordering.
  81 //
  82 // Criteria include:
  83 // - Prefer certificates that have a longer validity period (later
  84 //   expiration dates)
  85 // - If equal, prefer certificates that were issued more recently
  86 // - If equal, prefer shorter chains (if available)
  87 class NET_EXPORT_PRIVATE ClientCertSorter {
  88  public:
  89   ClientCertSorter();
  90
  91   bool operator()(
  92       const scoped_refptr<X509Certificate>& a,
  93       const scoped_refptr<X509Certificate>& b) const;
  94
  95  private:
  96   base::Time now_;
  97 };
  98
  99 } // namespace x509_util
 100
 101 } // namespace net
 102
 103 #endif  // NET_CERT_X509_UTIL_H_