1*6777b538SAndroid Build Coastguard Worker // Copyright 2019 The Chromium Authors
2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker 
5*6777b538SAndroid Build Coastguard Worker #ifndef NET_TEST_CERT_BUILDER_H_
6*6777b538SAndroid Build Coastguard Worker #define NET_TEST_CERT_BUILDER_H_
7*6777b538SAndroid Build Coastguard Worker 
8*6777b538SAndroid Build Coastguard Worker #include <map>
9*6777b538SAndroid Build Coastguard Worker #include <memory>
10*6777b538SAndroid Build Coastguard Worker #include <string>
11*6777b538SAndroid Build Coastguard Worker #include <string_view>
12*6777b538SAndroid Build Coastguard Worker #include <vector>
13*6777b538SAndroid Build Coastguard Worker 
14*6777b538SAndroid Build Coastguard Worker #include "base/memory/raw_ptr.h"
15*6777b538SAndroid Build Coastguard Worker #include "base/rand_util.h"
16*6777b538SAndroid Build Coastguard Worker #include "net/base/ip_address.h"
17*6777b538SAndroid Build Coastguard Worker #include "net/cert/x509_certificate.h"
18*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/base.h"
19*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/bytestring.h"
20*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/evp.h"
21*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/pool.h"
22*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/pki/parse_certificate.h"
23*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/pki/signature_algorithm.h"
24*6777b538SAndroid Build Coastguard Worker 
25*6777b538SAndroid Build Coastguard Worker class GURL;
26*6777b538SAndroid Build Coastguard Worker 
27*6777b538SAndroid Build Coastguard Worker namespace base {
28*6777b538SAndroid Build Coastguard Worker class FilePath;
29*6777b538SAndroid Build Coastguard Worker }
30*6777b538SAndroid Build Coastguard Worker 
31*6777b538SAndroid Build Coastguard Worker namespace bssl {
32*6777b538SAndroid Build Coastguard Worker namespace der {
33*6777b538SAndroid Build Coastguard Worker class Input;
34*6777b538SAndroid Build Coastguard Worker }  // namespace der
35*6777b538SAndroid Build Coastguard Worker }  // namespace bssl
36*6777b538SAndroid Build Coastguard Worker 
37*6777b538SAndroid Build Coastguard Worker namespace net {
38*6777b538SAndroid Build Coastguard Worker 
39*6777b538SAndroid Build Coastguard Worker // CertBuilder is a helper class to dynamically create a test certificate.
40*6777b538SAndroid Build Coastguard Worker //
41*6777b538SAndroid Build Coastguard Worker // CertBuilder is initialized using an existing certificate, from which it
42*6777b538SAndroid Build Coastguard Worker // copies most properties (see InitFromCert for details).
43*6777b538SAndroid Build Coastguard Worker //
44*6777b538SAndroid Build Coastguard Worker // The subject, serial number, and key for the final certificate are chosen
45*6777b538SAndroid Build Coastguard Worker // randomly. Using a randomized subject and serial number is important to defeat
46*6777b538SAndroid Build Coastguard Worker // certificate caching done by NSS, which otherwise can make test outcomes
47*6777b538SAndroid Build Coastguard Worker // dependent on ordering.
48*6777b538SAndroid Build Coastguard Worker class CertBuilder {
49*6777b538SAndroid Build Coastguard Worker  public:
50*6777b538SAndroid Build Coastguard Worker   // Parameters for creating an embedded SignedCertificateTimestamp.
  struct SctConfig {
    SctConfig();
    SctConfig(std::string log_id,
              bssl::UniquePtr<EVP_PKEY> log_key,
              base::Time timestamp);
    // All five special members are user-declared (rule of five) because
    // bssl::UniquePtr<EVP_PKEY> is move-only, so a defaulted copy would not
    // compile. The out-of-line copy operations presumably take a new
    // reference on the EVP_PKEY rather than duplicating it -- confirm
    // against the .cc.
    SctConfig(const SctConfig&);
    SctConfig(SctConfig&&);
    ~SctConfig();
    SctConfig& operator=(const SctConfig&);
    SctConfig& operator=(SctConfig&&);

    // Identifier of the CT log the embedded SCT will claim to come from.
    std::string log_id;
    // The log's key used to produce the SCT signature (presumably a private
    // key, since the builder must sign the SCT itself).
    // Only EC keys are supported currently.
    bssl::UniquePtr<EVP_PKEY> log_key;
    // Timestamp asserted inside the SCT.
    base::Time timestamp;
  };
67*6777b538SAndroid Build Coastguard Worker 
  // Initializes the CertBuilder. If |orig_cert| is non-null it is used as a
  // template (see InitFromCert for which properties are copied). If |issuer|
  // is null then the generated certificate will be self-signed; otherwise it
  // will be signed using |issuer|. |issuer| is not owned by this object (see
  // issuer()), so it is presumably expected to outlive this builder.
  CertBuilder(CRYPTO_BUFFER* orig_cert, CertBuilder* issuer);
  ~CertBuilder();

  // Initializes a CertBuilder using the certificate and private key from
  // |cert_and_key_file| as a template. If |issuer| is null then the generated
  // certificate will be self-signed. Otherwise, it will be signed using
  // |issuer|.
  static std::unique_ptr<CertBuilder> FromFile(
      const base::FilePath& cert_and_key_file,
      CertBuilder* issuer);

  // Initializes a CertBuilder that will return a certificate for the provided
  // public key |spki_der|. It will be signed with |issuer|. This builder will
  // not have a private key, so it cannot produce self-signed certificates and
  // |issuer| cannot be null.
  static std::unique_ptr<CertBuilder> FromSubjectPublicKeyInfo(
      base::span<const uint8_t> spki_der,
      CertBuilder* issuer);

  // Creates a CertBuilder that will return a static |cert| and |key|.
  // This may be passed as the |issuer| param of another CertBuilder to create
  // a cert chain that ends in a pre-defined certificate.
  static std::unique_ptr<CertBuilder> FromStaticCert(CRYPTO_BUFFER* cert,
                                                     EVP_PKEY* key);
  // Like FromStaticCert, but loads the certificate and private key from the
  // PEM file |cert_and_key_file|.
  static std::unique_ptr<CertBuilder> FromStaticCertFile(
      const base::FilePath& cert_and_key_file);

  // Creates a simple chain of |chain_length| CertBuilders with no AIA or
  // CrlDistributionPoint extensions, and leaf having a subjectAltName of
  // www.example.com.
  // The chain is returned in leaf-first order.
  static std::vector<std::unique_ptr<CertBuilder>> CreateSimpleChain(
      size_t chain_length);

  // Creates a simple leaf->intermediate->root chain of CertBuilders with no AIA
  // or CrlDistributionPoint extensions, and leaf having a subjectAltName of
  // www.example.com.
  static std::array<std::unique_ptr<CertBuilder>, 3> CreateSimpleChain3();

  // Creates a simple leaf->root chain of CertBuilders with no AIA or
  // CrlDistributionPoint extensions, and leaf having a subjectAltName of
  // www.example.com.
  static std::array<std::unique_ptr<CertBuilder>, 2> CreateSimpleChain2();

  // Returns a compatible signature algorithm for |key|, or nullopt when no
  // suitable algorithm is available for the key's type.
  static std::optional<bssl::SignatureAlgorithm>
  DefaultSignatureAlgorithmForKey(EVP_PKEY* key);

  // Signs |tbs_data| with |key| using |signature_algorithm|, appending the
  // signature onto |out_signature|. Returns true if successful.
  static bool SignData(bssl::SignatureAlgorithm signature_algorithm,
                       std::string_view tbs_data,
                       EVP_PKEY* key,
                       CBB* out_signature);

  // Like SignData, but takes the hash function as an explicit |digest| rather
  // than deriving it from a bssl::SignatureAlgorithm (inferred from the
  // parameter list; see the .cc for padding/parameter details). Appends the
  // signature onto |out_signature| and returns true if successful.
  static bool SignDataWithDigest(const EVP_MD* digest,
                                 std::string_view tbs_data,
                                 EVP_PKEY* key,
                                 CBB* out_signature);

  // Returns a DER encoded AlgorithmIdentifier TLV for |signature_algorithm|,
  // or an empty string on error.
  static std::string SignatureAlgorithmToDer(
      bssl::SignatureAlgorithm signature_algorithm);

  // Generates |num_bytes| random bytes, and then returns the hex encoding of
  // those bytes (a string of 2 * |num_bytes| characters).
  static std::string MakeRandomHexString(size_t num_bytes);

  // Builds a DER encoded X.501 Name TLV containing a commonName of
  // |common_name| with type |common_name_tag| (the ASN.1 tag of the string
  // type to use, e.g. UTF8String).
  static std::vector<uint8_t> BuildNameWithCommonNameOfType(
      std::string_view common_name,
      unsigned common_name_tag);

  // Set the version of the certificate. Note that only V3 certificates may
  // contain extensions, so if |version| is |V1| or |V2| you may want to also
  // call |ClearExtensions()| unless you intentionally want to generate an
  // invalid certificate.
  void SetCertificateVersion(bssl::CertificateVersion version);

  // Sets a value for the indicated X.509 (v3) extension. |value| is the
  // extension's extnValue contents; it is presumably expected to be already
  // DER-encoded by the caller -- confirm against the .cc.
  void SetExtension(const bssl::der::Input& oid,
                    std::string value,
                    bool critical = false);

  // Removes an extension (if present).
  void EraseExtension(const bssl::der::Input& oid);

  // Removes all extensions.
  void ClearExtensions();

  // Sets the basicConstraints extension. |path_len| may be negative to
  // indicate the pathLenConstraint should be omitted.
  void SetBasicConstraints(bool is_ca, int path_len);

  // Sets the nameConstraints extension. |permitted_dns_names| lists permitted
  // dnsName subtrees. |excluded_dns_names| lists excluded dnsName subtrees. If
  // both lists are empty the extension is removed.
  void SetNameConstraintsDnsNames(
      const std::vector<std::string>& permitted_dns_names,
      const std::vector<std::string>& excluded_dns_names);

  // Sets an AIA extension with a single caIssuers access method.
  void SetCaIssuersUrl(const GURL& url);

  // Sets an AIA extension with the specified caIssuers and OCSP urls. Either
  // list can have 0 or more URLs. If both are empty, the AIA extension is
  // removed.
  void SetCaIssuersAndOCSPUrls(const std::vector<GURL>& ca_issuers_urls,
                               const std::vector<GURL>& ocsp_urls);

  // Sets a cRLDistributionPoints extension with a single DistributionPoint
  // with |url| in distributionPoint.fullName.
  void SetCrlDistributionPointUrl(const GURL& url);

  // Sets a cRLDistributionPoints extension with a single DistributionPoint
  // with |urls| in distributionPoints.fullName.
  void SetCrlDistributionPointUrls(const std::vector<GURL>& urls);

  // Sets the issuer bytes that will be encoded into the generated certificate.
  // If this is not called, or |issuer_tlv| is empty, the subject field from
  // the issuer CertBuilder will be used. Deliberately passing a name that does
  // not match the signer's subject is one way to build a certificate that will
  // not chain to its issuer.
  void SetIssuerTLV(base::span<const uint8_t> issuer_tlv);

  // Sets the subject to a Name with a single commonName attribute with
  // the value |common_name| tagged as a UTF8String.
  void SetSubjectCommonName(std::string_view common_name);

  // Sets the subject to |subject_tlv|.
  void SetSubjectTLV(base::span<const uint8_t> subject_tlv);

  // Sets the SAN for the certificate to a single dNSName.
  void SetSubjectAltName(std::string_view dns_name);

  // Sets the SAN for the certificate to the given dns names and ip addresses.
  void SetSubjectAltNames(const std::vector<std::string>& dns_names,
                          const std::vector<IPAddress>& ip_addresses);

  // Sets the keyUsage extension. |usages| should contain the bssl::KeyUsageBit
  // values of the usages to set, and must not be empty.
  void SetKeyUsages(const std::vector<bssl::KeyUsageBit>& usages);

  // Sets the extendedKeyUsage extension. |purpose_oids| should contain the DER
  // OIDs of the usage purposes to set, and must not be empty.
  void SetExtendedKeyUsages(const std::vector<bssl::der::Input>& purpose_oids);

  // Sets the certificatePolicies extension with the specified policyIdentifier
  // OIDs, which must be specified in dotted string notation (e.g. "1.2.3.4").
  // If |policy_oids| is empty, the extension will be removed.
  void SetCertificatePolicies(const std::vector<std::string>& policy_oids);

  // Sets the policyMappings extension with the specified mappings, which are
  // pairs of issuerDomainPolicy -> subjectDomainPolicy mappings in dotted
  // string notation.
  // If |policy_mappings| is empty, the extension will be removed.
  void SetPolicyMappings(
      const std::vector<std::pair<std::string, std::string>>& policy_mappings);

  // Sets the PolicyConstraints extension. If both |require_explicit_policy|
  // and |inhibit_policy_mapping| are nullopt, the PolicyConstraints extension
  // will be removed.
  void SetPolicyConstraints(std::optional<uint64_t> require_explicit_policy,
                            std::optional<uint64_t> inhibit_policy_mapping);

  // Sets the inhibitAnyPolicy extension with a SkipCerts value of
  // |skip_certs|.
  void SetInhibitAnyPolicy(uint64_t skip_certs);

  // Sets the validity period of the generated certificate to
  // [|not_before|, |not_after|].
  void SetValidity(base::Time not_before, base::Time not_after);

  // Sets the Subject Key Identifier (SKI) extension to the specified string.
  // By default, a unique SKI will be generated for each CertBuilder; however,
  // this may be overridden to force multiple certificates to be considered
  // during path building on systems that prioritize matching SKI to the
  // Authority Key Identifier (AKI) extension, rather than using the
  // Subject/Issuer name. Empty SKIs are not supported; use EraseExtension()
  // for that.
  void SetSubjectKeyIdentifier(const std::string& subject_key_identifier);

  // Sets the Authority Key Identifier (AKI) extension to the specified
  // string.
  // Note: Only the keyIdentifier option is supported, and the value
  // is the raw identifier (i.e. without DER encoding). Empty strings will
  // result in the extension, if present, being erased. This ensures that it
  // is safe to use SetAuthorityKeyIdentifier() with the result of the
  // issuing CertBuilder's (if any) GetSubjectKeyIdentifier() without
  // introducing AKI/SKI chain building issues.
  void SetAuthorityKeyIdentifier(const std::string& authority_key_identifier);

  // Sets the signature algorithm to use in generating the certificate's
  // signature. The signature algorithm should be compatible with
  // the type of |issuer_->GetKey()|. If this method is not called, and the
  // CertBuilder was initialized from a template cert, the signature algorithm
  // of that cert will be used, or if there was no template cert, a default
  // algorithm will be used based on the signing key type.
  void SetSignatureAlgorithm(bssl::SignatureAlgorithm signature_algorithm);

  // Sets both signature AlgorithmIdentifier TLVs to encode in the generated
  // certificate.
  // This only affects the bytes written to the output - it does not affect what
  // algorithm is actually used to perform the signature. To set the signature
  // algorithm used to generate the certificate's signature, use
  // |SetSignatureAlgorithm|. If this method is not called, the signature
  // algorithm written to the output will be chosen to match the signature
  // algorithm used to sign the certificate.
  void SetSignatureAlgorithmTLV(std::string_view signature_algorithm_tlv);

  // Set only the outer Certificate signatureAlgorithm TLV. See
  // SetSignatureAlgorithmTLV comment for general notes.
  void SetOuterSignatureAlgorithmTLV(std::string_view signature_algorithm_tlv);

  // Set only the tbsCertificate signature TLV. See SetSignatureAlgorithmTLV
  // comment for general notes.
  void SetTBSSignatureAlgorithmTLV(std::string_view signature_algorithm_tlv);

  // Sets the serial number of the generated certificate to |serial_number|.
  // Tests that pick a fixed serial give up the caching defense described in
  // the class comment, so prefer the random default unless the test needs a
  // specific value.
  void SetSerialNumber(uint64_t serial_number);
  // Replaces the serial number with a freshly generated random value.
  void SetRandomSerialNumber();

  // Sets the configuration that will be used to generate a
  // SignedCertificateTimestampList extension in the certificate.
  void SetSctConfig(std::vector<CertBuilder::SctConfig> sct_configs);

  // Sets the private key for the generated certificate to an EC key. If a key
  // was already set, it will be replaced.
  void GenerateECKey();

  // Sets the private key for the generated certificate to a 2048-bit RSA key.
  // RSA key generation is expensive, so this should not be used unless an RSA
  // key is specifically needed. If a key was already set, it will be replaced.
  void GenerateRSAKey();

  // Loads the private key for the generated certificate from |key_file|.
  // Returns false if the key could not be loaded; in that case the previously
  // set key, if any, is presumably left untouched -- confirm against the .cc.
  bool UseKeyFromFile(const base::FilePath& key_file);

  // Sets the private key to be |key|, taking ownership of it.
  void SetKey(bssl::UniquePtr<EVP_PKEY> key);
309*6777b538SAndroid Build Coastguard Worker   // Returns the CertBuilder that issues this certificate. (Will be |this| if
310*6777b538SAndroid Build Coastguard Worker   // certificate is self-signed.)
  CertBuilder* issuer() {
    // Non-owning pointer to the signing builder; for a self-signed builder
    // this is |this|.
    return issuer_;
  }
312*6777b538SAndroid Build Coastguard Worker 
313*6777b538SAndroid Build Coastguard Worker   // Returns a CRYPTO_BUFFER to the generated certificate.
314*6777b538SAndroid Build Coastguard Worker   CRYPTO_BUFFER* GetCertBuffer();
315*6777b538SAndroid Build Coastguard Worker 
316*6777b538SAndroid Build Coastguard Worker   bssl::UniquePtr<CRYPTO_BUFFER> DupCertBuffer();
317*6777b538SAndroid Build Coastguard Worker 
318*6777b538SAndroid Build Coastguard Worker   // Returns the subject of the generated certificate.
319*6777b538SAndroid Build Coastguard Worker   const std::string& GetSubject();
320*6777b538SAndroid Build Coastguard Worker 
321*6777b538SAndroid Build Coastguard Worker   // Returns the serial number for the generated certificate.
322*6777b538SAndroid Build Coastguard Worker   uint64_t GetSerialNumber();
323*6777b538SAndroid Build Coastguard Worker 
324*6777b538SAndroid Build Coastguard Worker   // Returns the subject key identifier for the generated certificate. If
325*6777b538SAndroid Build Coastguard Worker   // none is present, a random value will be generated.
326*6777b538SAndroid Build Coastguard Worker   // Note: The returned value will be the contents of the OCTET
327*6777b538SAndroid Build Coastguard Worker   // STRING/KeyIdentifier, without DER encoding, ensuring it's suitable for
328*6777b538SAndroid Build Coastguard Worker   // SetSubjectKeyIdentifier().
329*6777b538SAndroid Build Coastguard Worker   std::string GetSubjectKeyIdentifier();
330*6777b538SAndroid Build Coastguard Worker 
331*6777b538SAndroid Build Coastguard Worker   // Parses and returns validity period for the generated certificate in
332*6777b538SAndroid Build Coastguard Worker   // |not_before| and |not_after|, returning true on success.
333*6777b538SAndroid Build Coastguard Worker   bool GetValidity(base::Time* not_before, base::Time* not_after) const;
334*6777b538SAndroid Build Coastguard Worker 
335*6777b538SAndroid Build Coastguard Worker   // Returns the key for the generated certificate.
336*6777b538SAndroid Build Coastguard Worker   EVP_PKEY* GetKey();
337*6777b538SAndroid Build Coastguard Worker 
338*6777b538SAndroid Build Coastguard Worker   // Returns an X509Certificate for the generated certificate.
339*6777b538SAndroid Build Coastguard Worker   scoped_refptr<X509Certificate> GetX509Certificate();
340*6777b538SAndroid Build Coastguard Worker 
341*6777b538SAndroid Build Coastguard Worker   // Returns an X509Certificate for the generated certificate, including
342*6777b538SAndroid Build Coastguard Worker   // intermediate certificates (not including the self-signed root).
343*6777b538SAndroid Build Coastguard Worker   scoped_refptr<X509Certificate> GetX509CertificateChain();
344*6777b538SAndroid Build Coastguard Worker 
345*6777b538SAndroid Build Coastguard Worker   // Returns an X509Certificate for the generated certificate, including
346*6777b538SAndroid Build Coastguard Worker   // intermediate certificates and the self-signed root.
347*6777b538SAndroid Build Coastguard Worker   scoped_refptr<X509Certificate> GetX509CertificateFullChain();
348*6777b538SAndroid Build Coastguard Worker 
349*6777b538SAndroid Build Coastguard Worker   // Returns a copy of the certificate's DER.
350*6777b538SAndroid Build Coastguard Worker   std::string GetDER();
351*6777b538SAndroid Build Coastguard Worker 
352*6777b538SAndroid Build Coastguard Worker   // Returns a copy of the certificate as PEM encoded DER.
353*6777b538SAndroid Build Coastguard Worker   // Convenience method for debugging, to more easily log what cert is being
354*6777b538SAndroid Build Coastguard Worker   // created.
355*6777b538SAndroid Build Coastguard Worker   std::string GetPEM();
356*6777b538SAndroid Build Coastguard Worker 
357*6777b538SAndroid Build Coastguard Worker   // Returns the full chain (including root) as PEM.
358*6777b538SAndroid Build Coastguard Worker   // Convenience method for debugging, to more easily log what certs are being
359*6777b538SAndroid Build Coastguard Worker   // created.
360*6777b538SAndroid Build Coastguard Worker   std::string GetPEMFullChain();
361*6777b538SAndroid Build Coastguard Worker 
  // Returns the private key as PEM.
  // Convenience method for debugging, to more easily log what certs are being
  // created. Note this exposes private key material; it is meant for
  // test-fixture debugging only, not for anything that persists logs.
  std::string GetPrivateKeyPEM();
366*6777b538SAndroid Build Coastguard Worker 
367*6777b538SAndroid Build Coastguard Worker  private:
  // Initializes the CertBuilder. If |orig_cert| is non-null it will be used as
  // a template. If |issuer| is null then the generated certificate will be
  // self-signed. Otherwise, it will be signed using |issuer|.
  // |unique_subject_key_identifier| controls whether an ephemeral SKI will
  // be generated for this certificate. In general, any manipulation of the
  // certificate at all should result in a new SKI, to avoid issues on
  // Windows CryptoAPI, but generating a unique SKI can create issues for
  // macOS Security.framework if |orig_cert| has already issued certificates
  // (including self-signed certs). The only time this is safe is therefore
  // when used in conjunction with FromStaticCert() and re-using the
  // same key, which is why this constructor is private.
  CertBuilder(CRYPTO_BUFFER* orig_cert,
              CertBuilder* issuer,
              bool unique_subject_key_identifier);
382*6777b538SAndroid Build Coastguard Worker 
  // Marks the generated certificate DER as invalid, so it will need to
  // be re-generated next time the DER is accessed.
  // NOTE(review): presumably every setter that changes certificate contents
  // calls this; a setter that forgets to would hand out stale DER — confirm
  // in the .cc.
  void Invalidate();
386*6777b538SAndroid Build Coastguard Worker 
  // Generates a random Subject Key Identifier for the certificate. This is
  // necessary for Windows, which otherwise uses SKI/AKI matching for lookups
  // with greater precedence than subject/issuer name matching, and on newer
  // versions of Windows, limits the number of lookups+signature failures that
  // can be performed. Rather than deriving from |key_|, generating a unique
  // value is useful for signalling this is a "unique" and otherwise
  // independent CA.
  void GenerateSubjectKeyIdentifier();
395*6777b538SAndroid Build Coastguard Worker 
  // Generates a random subject for the certificate, consisting of just a CN.
  void GenerateSubject();
398*6777b538SAndroid Build Coastguard Worker 
  // Parses |cert| and copies the following properties:
  //   * All extensions (dropping any duplicates)
  //   * Signature algorithm (from Certificate)
  //   * Validity (expiration)
  // Anything not listed (subject, serial, key, ...) is presumably left for
  // the constructor and setters to fill in — confirm in the .cc.
  void InitFromCert(const bssl::der::Input& cert);
404*6777b538SAndroid Build Coastguard Worker 
  // Assembles the CertBuilder into a TBSCertificate, writing the DER into
  // |out|. |signature_algorithm_tlv| is presumably the encoded
  // AlgorithmIdentifier placed in the TBSCertificate's signature field
  // (cf. tbs_signature_algorithm_tlv_) — confirm in the .cc.
  void BuildTBSCertificate(std::string_view signature_algorithm_tlv,
                           std::string* out);
408*6777b538SAndroid Build Coastguard Worker 
  // Builds the SCT list extension value into |out|.
  // NOTE(review): |pre_tbs_certificate| is presumably the precertificate TBS
  // that the SCTs in sct_configs_ are computed over — confirm in the .cc.
  void BuildSctListExtension(const std::string& pre_tbs_certificate,
                             std::string* out);
411*6777b538SAndroid Build Coastguard Worker 
  // Generates the certificate DER.
  // NOTE(review): presumably builds the TBSCertificate, signs it (with |key_|
  // when self-signed, otherwise with the issuer's key) and stores the result
  // in |cert_| — confirm in the .cc.
  void GenerateCertificate();
413*6777b538SAndroid Build Coastguard Worker 
  // One X.509 extension as held in |extensions_|.
  struct ExtensionValue {
    // The extension's critical bit; defaults to non-critical.
    bool critical = false;
    // The extension's encoded value. NOTE(review): whether this already
    // includes the OCTET STRING wrapper is not visible here — confirm in the
    // .cc before constructing one by hand.
    std::string value;
  };
418*6777b538SAndroid Build Coastguard Worker 
  // Certificate version; defaults to v3.
  bssl::CertificateVersion version_ = bssl::CertificateVersion::V3;
  // Encoded Validity sequence.
  std::string validity_tlv_;
  // Encoded issuer Name; presumably absent means "derive from issuer_ (or
  // the subject when self-signed)" — confirm in the .cc.
  std::optional<std::string> issuer_tlv_;
  // Encoded subject Name.
  std::string subject_tlv_;
  // Signature algorithm to sign with; absent presumably means "pick a default
  // for |key_|" — confirm in the .cc.
  std::optional<bssl::SignatureAlgorithm> signature_algorithm_;
  // Encoded AlgorithmIdentifiers for the outer Certificate.signatureAlgorithm
  // and the inner TBSCertificate.signature respectively. Kept as two
  // separate fields, presumably so tests can make them disagree (which a
  // verifier must reject).
  std::string outer_signature_algorithm_tlv_;
  std::string tbs_signature_algorithm_tlv_;
  // NOTE(review): 0 is not a valid serial under RFC 5280 (serials must be
  // positive); presumably 0 means "not yet assigned" and a real value is
  // chosen before generation — confirm in the .cc.
  uint64_t serial_number_ = 0;
  // Key type used when a key is generated for this builder; defaults to EC.
  int default_pkey_id_ = EVP_PKEY_EC;

  // SCTs to embed via BuildSctListExtension().
  std::vector<SctConfig> sct_configs_;

  // Extensions keyed by string (presumably the extension OID); a std::map
  // keeps exactly one value per key, matching the "dropping any duplicates"
  // behaviour described on InitFromCert().
  std::map<std::string, ExtensionValue> extensions_;

  // The generated certificate DER (see Invalidate()/GetDER()).
  bssl::UniquePtr<CRYPTO_BUFFER> cert_;
  // The certificate's private key.
  bssl::UniquePtr<EVP_PKEY> key_;

  // Non-owning pointer to the issuing builder; null when self-signed. The
  // DanglingUntriaged annotation records that this has been observed to
  // dangle, so callers should keep the issuer alive for as long as this
  // builder's chain getters are used — confirm the expected lifetime in the
  // .cc.
  raw_ptr<CertBuilder, DanglingUntriaged> issuer_ = nullptr;
437*6777b538SAndroid Build Coastguard Worker };
438*6777b538SAndroid Build Coastguard Worker 
439*6777b538SAndroid Build Coastguard Worker }  // namespace net
440*6777b538SAndroid Build Coastguard Worker 
441*6777b538SAndroid Build Coastguard Worker #endif  // NET_TEST_CERT_BUILDER_H_