net/cert/x509_util.h - chromium/src - Git at Google

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef NET_CERT_X509_UTIL_H_
 #define NET_CERT_X509_UTIL_H_

 #include <stdint.h>

 #include <string>

 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/time/time.h"
 #include "net/base/net_export.h"

 namespace crypto {
 class ECPrivateKey;
 class RSAPrivateKey;
 }

 namespace net {

 class X509Certificate;

 namespace x509_util {

 // Supported digest algorithms for signing certificates.
 enum DigestAlgorithm {
   DIGEST_SHA1,
   DIGEST_SHA256
 };

 // Creates a public-private keypair and a self-signed certificate.
 // Subject, serial number and validity period are given as parameters.
 // The certificate is signed by the private key in |key|. The key length and
 // signature algorithm may be updated periodically to match best practices.
 //
 // |subject| is a distinguished name defined in RFC4514 with _only_ a CN
 // component, as in:
 //   CN=Michael Wong
 //
 // SECURITY WARNING
 //
 // Using self-signed certificates has the following security risks:
 // 1. Encryption without authentication and thus vulnerable to
 //    man-in-the-middle attacks.
 // 2. Self-signed certificates cannot be revoked.
 //
 // Use this certificate only after the above risks are acknowledged.
 NET_EXPORT bool CreateKeyAndSelfSignedCert(
     const std::string& subject,
     uint32_t serial_number,
     base::Time not_valid_before,
     base::Time not_valid_after,
     scoped_ptr<crypto::RSAPrivateKey>* key,
     std::string* der_cert);

 // Creates a self-signed certificate from a provided key, using the specified
 // hash algorithm.  You should not re-use a key for signing data with multiple
 // signature algorithms or parameters.
 NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
                                      DigestAlgorithm alg,
                                      const std::string& subject,
                                      uint32_t serial_number,
                                      base::Time not_valid_before,
                                      base::Time not_valid_after,
                                      std::string* der_cert);

 // Comparator for use in STL algorithms that will sort client certificates by
 // order of preference.
 // Returns true if |a| is more preferable than |b|, allowing it to be used
 // with any algorithm that compares according to strict weak ordering.
 //
 // Criteria include:
 // - Prefer certificates that have a longer validity period (later
 //   expiration dates)
 // - If equal, prefer certificates that were issued more recently
 // - If equal, prefer shorter chains (if available)
 class NET_EXPORT_PRIVATE ClientCertSorter {
  public:
   ClientCertSorter();

   bool operator()(
       const scoped_refptr<X509Certificate>& a,
       const scoped_refptr<X509Certificate>& b) const;

  private:
   base::Time now_;
 };

 } // namespace x509_util

 } // namespace net

 #endif  // NET_CERT_X509_UTIL_H_
	// Copyright (c) 2012 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef NET_CERT_X509_UTIL_H_
	#define NET_CERT_X509_UTIL_H_

	#include <stdint.h>

	#include <string>

	#include "base/memory/ref_counted.h"
	#include "base/memory/scoped_ptr.h"
	#include "base/time/time.h"
	#include "net/base/net_export.h"

	namespace crypto {
	class ECPrivateKey;
	class RSAPrivateKey;
	}

	namespace net {

	class X509Certificate;

	namespace x509_util {

	// Supported digest algorithms for signing certificates.
	enum DigestAlgorithm {
	DIGEST_SHA1,
	DIGEST_SHA256
	};

	// Creates a public-private keypair and a self-signed certificate.
	// Subject, serial number and validity period are given as parameters.
	// The certificate is signed by the private key in \|key\|. The key length and
	// signature algorithm may be updated periodically to match best practices.
	//
	// \|subject\| is a distinguished name defined in RFC4514 with _only_ a CN
	// component, as in:
	// CN=Michael Wong
	//
	// SECURITY WARNING
	//
	// Using self-signed certificates has the following security risks:
	// 1. Encryption without authentication and thus vulnerable to
	// man-in-the-middle attacks.
	// 2. Self-signed certificates cannot be revoked.
	//
	// Use this certificate only after the above risks are acknowledged.
	NET_EXPORT bool CreateKeyAndSelfSignedCert(
	const std::string& subject,
	uint32_t serial_number,
	base::Time not_valid_before,
	base::Time not_valid_after,
	scoped_ptr<crypto::RSAPrivateKey>* key,
	std::string* der_cert);

	// Creates a self-signed certificate from a provided key, using the specified
	// hash algorithm. You should not re-use a key for signing data with multiple
	// signature algorithms or parameters.
	NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
	DigestAlgorithm alg,
	const std::string& subject,
	uint32_t serial_number,
	base::Time not_valid_before,
	base::Time not_valid_after,
	std::string* der_cert);

	// Comparator for use in STL algorithms that will sort client certificates by
	// order of preference.
	// Returns true if \|a\| is more preferable than \|b\|, allowing it to be used
	// with any algorithm that compares according to strict weak ordering.
	//
	// Criteria include:
	// - Prefer certificates that have a longer validity period (later
	// expiration dates)
	// - If equal, prefer certificates that were issued more recently
	// - If equal, prefer shorter chains (if available)
	class NET_EXPORT_PRIVATE ClientCertSorter {
	public:
	ClientCertSorter();

	bool operator()(
	const scoped_refptr<X509Certificate>& a,
	const scoped_refptr<X509Certificate>& b) const;

	private:
	base::Time now_;
	};

	} // namespace x509_util

	} // namespace net

	#endif // NET_CERT_X509_UTIL_H_