1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_CERT_X509_UTIL_H_
6#define NET_CERT_X509_UTIL_H_
7
8#include <string>
9
10#include "base/memory/ref_counted.h"
11#include "base/time/time.h"
12#include "net/base/net_export.h"
13
14namespace crypto {
15class ECPrivateKey;
16class RSAPrivateKey;
17}
18
19namespace net {
20
21class X509Certificate;
22
23namespace x509_util {
24
25// Returns true if the times can be used to create an X.509 certificate.
// Certificates can accept dates from Jan 1st, 1 to Dec 31, 9999.  A bug in NSS
// limited the range to 1950-9999
// (https://bugzilla.mozilla.org/show_bug.cgi?id=786531).  This function returns
// whether the given range is supported by the crypto library currently in use.
30NET_EXPORT_PRIVATE bool IsSupportedValidityRange(base::Time not_valid_before,
31                                                 base::Time not_valid_after);
32
// Creates a server bound certificate containing the public key in |key|.
// Domain, serial number and validity period are given as
// parameters. The certificate is signed by the private key in |key|.
// The hashing algorithm for the signature is SHA-1 (note that SHA-1 is
// considered weak for certificate signatures).
37//
38// See Internet Draft draft-balfanz-tls-obc-00 for more details:
39// http://tools.ietf.org/html/draft-balfanz-tls-obc-00
40NET_EXPORT_PRIVATE bool CreateDomainBoundCertEC(
41    crypto::ECPrivateKey* key,
42    const std::string& domain,
43    uint32 serial_number,
44    base::Time not_valid_before,
45    base::Time not_valid_after,
46    std::string* der_cert);
47
// Creates a self-signed certificate containing the public key in |key|.
// Subject, serial number and validity period are given as parameters.
// The certificate is signed by the private key in |key|. The hashing
// algorithm for the signature is SHA-1 (note that SHA-1 is considered weak
// for certificate signatures).
52//
53// |subject| is a distinguished name defined in RFC4514.
54//
55// An example:
56// CN=Michael Wong,O=FooBar Corporation,DC=foobar,DC=com
57//
58// SECURITY WARNING
59//
// Using self-signed certificates has the following security risks:
// 1. They provide encryption without authentication, so connections that
//    rely on them are vulnerable to man-in-the-middle attacks.
// 2. Self-signed certificates cannot be revoked.
64//
65// Use this certificate only after the above risks are acknowledged.
66NET_EXPORT bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
67                                     const std::string& subject,
68                                     uint32 serial_number,
69                                     base::Time not_valid_before,
70                                     base::Time not_valid_after,
71                                     std::string* der_cert);
72
73// Comparator for use in STL algorithms that will sort client certificates by
74// order of preference.
75// Returns true if |a| is more preferable than |b|, allowing it to be used
76// with any algorithm that compares according to strict weak ordering.
77//
78// Criteria include:
79// - Prefer certificates that have a longer validity period (later
80//   expiration dates)
81// - If equal, prefer certificates that were issued more recently
82// - If equal, prefer shorter chains (if available)
class NET_EXPORT_PRIVATE ClientCertSorter {
 public:
  // Constructs the comparator. NOTE(review): presumably snapshots the current
  // time into |now_| so that every comparison within one sort uses the same
  // reference point — confirm in the definition, which is not in this header.
  ClientCertSorter();

  // Returns true if |a| is more preferable than |b| according to the criteria
  // listed above (longer validity, then more recent issuance, then shorter
  // chain). Must satisfy strict weak ordering: it never returns true for both
  // (a, b) and (b, a).
  bool operator()(
      const scoped_refptr<X509Certificate>& a,
      const scoped_refptr<X509Certificate>& b) const;

 private:
  // Reference time used when comparing certificate validity periods.
  base::Time now_;
};
94
95} // namespace x509_util
96
97} // namespace net
98
99#endif  // NET_CERT_X509_UTIL_H_
100