// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_TEST_CERT_BUILDER_H_
#define NET_TEST_CERT_BUILDER_H_

#include <map>
#include <memory>
#include <string>
#include <string_view>
#include <vector>

// NOTE(review): the declarations below also use std::array, std::optional,
// std::pair, base::Time and base::span, whose headers (<array>, <optional>,
// <utility>, base/time/time.h, base/containers/span.h) are not included here
// and presumably arrive transitively via the includes below — confirm and
// include-what-you-use.
#include "base/memory/raw_ptr.h"
#include "base/rand_util.h"
#include "net/base/ip_address.h"
#include "net/cert/x509_certificate.h"
#include "third_party/boringssl/src/include/openssl/base.h"
#include "third_party/boringssl/src/include/openssl/bytestring.h"
#include "third_party/boringssl/src/include/openssl/evp.h"
#include "third_party/boringssl/src/include/openssl/pool.h"
#include "third_party/boringssl/src/pki/parse_certificate.h"
#include "third_party/boringssl/src/pki/signature_algorithm.h"

class GURL;

namespace base {
class FilePath;
}

namespace bssl {
namespace der {
class Input;
}  // namespace der
}  // namespace bssl

namespace net {

// CertBuilder is a helper class to dynamically create a test certificate.
//
// CertBuilder is initialized using an existing certificate, from which it
// copies most properties (see InitFromCert for details).
//
// The subject, serial number, and key for the final certificate are chosen
// randomly. Using a randomized subject and serial number is important to defeat
// certificate caching done by NSS, which otherwise can make test outcomes
// dependent on ordering.
//
// Several setters (SetCertificateVersion, SetSignatureAlgorithmTLV and its
// Outer/TBS variants, SetExtension) deliberately allow producing certificates
// that are malformed or internally inconsistent, so that verifier behaviour on
// such inputs can be tested.
class CertBuilder {
 public:
  // Parameters for creating an embedded SignedCertificateTimestamp.
  struct SctConfig {
    SctConfig();
    SctConfig(std::string log_id,
              bssl::UniquePtr<EVP_PKEY> log_key,
              base::Time timestamp);
    SctConfig(const SctConfig&);
    SctConfig(SctConfig&&);
    ~SctConfig();
    SctConfig& operator=(const SctConfig&);
    SctConfig& operator=(SctConfig&&);

    // Identifier of the CT log the SCT is attributed to.
    std::string log_id;
    // Key of that log (presumably the private key used to sign the SCT —
    // confirm in cert_builder.cc). Only EC keys are supported currently.
    bssl::UniquePtr<EVP_PKEY> log_key;
    // Timestamp recorded in the SCT.
    base::Time timestamp;
  };

  // Initializes the CertBuilder, if |orig_cert| is non-null it will be used as
  // a template. If |issuer| is null then the generated certificate will be
  // self-signed. Otherwise, it will be signed using |issuer|.
  CertBuilder(CRYPTO_BUFFER* orig_cert, CertBuilder* issuer);
  ~CertBuilder();

  // Initializes a CertBuilder using the certificate and private key from
  // |cert_and_key_file| as a template. If |issuer| is null then the generated
  // certificate will be self-signed. Otherwise, it will be signed using
  // |issuer|.
  static std::unique_ptr<CertBuilder> FromFile(
      const base::FilePath& cert_and_key_file,
      CertBuilder* issuer);

  // Initializes a CertBuilder that will return a certificate for the provided
  // public key |spki_der|. It will be signed with the |issuer|, this builder
  // will not have a private key, so it cannot produce self-signed certificates
  // and |issuer| cannot be null.
  static std::unique_ptr<CertBuilder> FromSubjectPublicKeyInfo(
      base::span<const uint8_t> spki_der,
      CertBuilder* issuer);

  // Creates a CertBuilder that will return a static |cert| and |key|.
  // This may be passed as the |issuer| param of another CertBuilder to create
  // a cert chain that ends in a pre-defined certificate.
  static std::unique_ptr<CertBuilder> FromStaticCert(CRYPTO_BUFFER* cert,
                                                     EVP_PKEY* key);
  // Like FromStaticCert, but loads the certificate and private key from the
  // PEM file |cert_and_key_file|.
  static std::unique_ptr<CertBuilder> FromStaticCertFile(
      const base::FilePath& cert_and_key_file);

  // Creates a simple chain of CertBuilders with no AIA or CrlDistributionPoint
  // extensions, and leaf having a subjectAltName of www.example.com.
  // The chain is returned in leaf-first order.
  static std::vector<std::unique_ptr<CertBuilder>> CreateSimpleChain(
      size_t chain_length);

  // Creates a simple leaf->intermediate->root chain of CertBuilders with no AIA
  // or CrlDistributionPoint extensions, and leaf having a subjectAltName of
  // www.example.com.
  static std::array<std::unique_ptr<CertBuilder>, 3> CreateSimpleChain3();

  // Creates a simple leaf->root chain of CertBuilders with no AIA or
  // CrlDistributionPoint extensions, and leaf having a subjectAltName of
  // www.example.com.
  static std::array<std::unique_ptr<CertBuilder>, 2> CreateSimpleChain2();

  // Returns a compatible signature algorithm for |key|. A nullopt result
  // presumably means the key type is not supported — confirm against the
  // implementation.
  static std::optional<bssl::SignatureAlgorithm>
  DefaultSignatureAlgorithmForKey(EVP_PKEY* key);

  // Signs |tbs_data| with |key| using |signature_algorithm| appending the
  // signature onto |out_signature| and returns true if successful.
  static bool SignData(bssl::SignatureAlgorithm signature_algorithm,
                       std::string_view tbs_data,
                       EVP_PKEY* key,
                       CBB* out_signature);

  // Variant of SignData that takes the message digest |digest| directly
  // instead of a bssl::SignatureAlgorithm; see SignData for the meaning of
  // the remaining parameters and the return value.
  static bool SignDataWithDigest(const EVP_MD* digest,
                                 std::string_view tbs_data,
                                 EVP_PKEY* key,
                                 CBB* out_signature);

  // Returns a DER encoded AlgorithmIdentifier TLV for |signature_algorithm|,
  // or an empty string on error.
  static std::string SignatureAlgorithmToDer(
      bssl::SignatureAlgorithm signature_algorithm);

  // Generates |num_bytes| random bytes, and then returns the hex encoding of
  // those bytes.
  static std::string MakeRandomHexString(size_t num_bytes);

  // Builds a DER encoded X.501 Name TLV containing a commonName of
  // |common_name| with type |common_name_tag|.
  static std::vector<uint8_t> BuildNameWithCommonNameOfType(
      std::string_view common_name,
      unsigned common_name_tag);

  // Set the version of the certificate. Note that only V3 certificates may
  // contain extensions, so if |version| is |V1| or |V2| you may want to also
  // call |ClearExtensions()| unless you intentionally want to generate an
  // invalid certificate.
  void SetCertificateVersion(bssl::CertificateVersion version);

  // Sets a value for the indicated X.509 (v3) extension.
  void SetExtension(const bssl::der::Input& oid,
                    std::string value,
                    bool critical = false);

  // Removes an extension (if present).
  void EraseExtension(const bssl::der::Input& oid);

  // Removes all extensions.
  void ClearExtensions();

  // Sets the basicConstraints extension. |path_len| may be negative to
  // indicate the pathLenConstraint should be omitted.
  void SetBasicConstraints(bool is_ca, int path_len);

  // Sets the nameConstraints extension. |permitted_dns_names| lists permitted
  // dnsName subtrees. |excluded_dns_names| lists excluded dnsName subtrees. If
  // both lists are empty the extension is removed.
  void SetNameConstraintsDnsNames(
      const std::vector<std::string>& permitted_dns_names,
      const std::vector<std::string>& excluded_dns_names);

  // Sets an AIA extension with a single caIssuers access method.
  void SetCaIssuersUrl(const GURL& url);

  // Sets an AIA extension with the specified caIssuers and OCSP urls. Either
  // list can have 0 or more URLs. If both are empty, the AIA extension is
  // removed.
  void SetCaIssuersAndOCSPUrls(const std::vector<GURL>& ca_issuers_urls,
                               const std::vector<GURL>& ocsp_urls);

  // Sets a cRLDistributionPoints extension with a single DistributionPoint
  // with |url| in distributionPoint.fullName.
  void SetCrlDistributionPointUrl(const GURL& url);

  // Sets a cRLDistributionPoints extension with a single DistributionPoint
  // with |urls| in distributionPoints.fullName.
  void SetCrlDistributionPointUrls(const std::vector<GURL>& urls);

  // Sets the issuer bytes that will be encoded into the generated certificate.
  // If this is not called, or |issuer_tlv| is empty, the subject field from
  // the issuer CertBuilder will be used.
  void SetIssuerTLV(base::span<const uint8_t> issuer_tlv);

  // Sets the subject to a Name with a single commonName attribute with
  // the value |common_name| tagged as a UTF8String.
  void SetSubjectCommonName(std::string_view common_name);

  // Sets the subject to |subject_tlv|.
  void SetSubjectTLV(base::span<const uint8_t> subject_tlv);

  // Sets the SAN for the certificate to a single dNSName.
  void SetSubjectAltName(std::string_view dns_name);

  // Sets the SAN for the certificate to the given dns names and ip addresses.
  void SetSubjectAltNames(const std::vector<std::string>& dns_names,
                          const std::vector<IPAddress>& ip_addresses);

  // Sets the keyUsage extension. |usages| should contain the bssl::KeyUsageBit
  // values of the usages to set, and must not be empty.
  void SetKeyUsages(const std::vector<bssl::KeyUsageBit>& usages);

  // Sets the extendedKeyUsage extension. |purpose_oids| should contain the DER
  // OIDs of the usage purposes to set, and must not be empty.
  void SetExtendedKeyUsages(const std::vector<bssl::der::Input>& purpose_oids);

  // Sets the certificatePolicies extension with the specified policyIdentifier
  // OIDs, which must be specified in dotted string notation (e.g. "1.2.3.4").
  // If |policy_oids| is empty, the extension will be removed.
  void SetCertificatePolicies(const std::vector<std::string>& policy_oids);

  // Sets the policyMappings extension with the specified mappings, which are
  // pairs of issuerDomainPolicy -> subjectDomainPolicy mappings in dotted
  // string notation.
  // If |policy_mappings| is empty, the extension will be removed.
  void SetPolicyMappings(
      const std::vector<std::pair<std::string, std::string>>& policy_mappings);

  // Sets the PolicyConstraints extension. If both |require_explicit_policy|
  // and |inhibit_policy_mapping| are nullopt, the PolicyConstraints extension
  // will be removed.
  void SetPolicyConstraints(std::optional<uint64_t> require_explicit_policy,
                            std::optional<uint64_t> inhibit_policy_mapping);

  // Sets the inhibitAnyPolicy extension.
  void SetInhibitAnyPolicy(uint64_t skip_certs);

  // Sets the validity period of the generated certificate to
  // [|not_before|, |not_after|]. See GetValidity() for the reverse.
  void SetValidity(base::Time not_before, base::Time not_after);

  // Sets the Subject Key Identifier (SKI) extension to the specified string.
  // By default, a unique SKI will be generated for each CertBuilder; however,
  // this may be overridden to force multiple certificates to be considered
  // during path building on systems that prioritize matching SKI to the
  // Authority Key Identifier (AKI) extension, rather than using the
  // Subject/Issuer name. Empty SKIs are not supported; use EraseExtension()
  // for that.
  void SetSubjectKeyIdentifier(const std::string& subject_key_identifier);

  // Sets the Authority Key Identifier (AKI) extension to the specified
  // string.
  // Note: Only the keyIdentifier option is supported, and the value
  // is the raw identifier (i.e. without DER encoding). Empty strings will
  // result in the extension, if present, being erased. This ensures that it
  // is safe to use SetAuthorityKeyIdentifier() with the result of the
  // issuing CertBuilder's (if any) GetSubjectKeyIdentifier() without
  // introducing AKI/SKI chain building issues.
  void SetAuthorityKeyIdentifier(const std::string& authority_key_identifier);

  // Sets the signature algorithm to use in generating the certificate's
  // signature. The signature algorithm should be compatible with
  // the type of |issuer_->GetKey()|. If this method is not called, and the
  // CertBuilder was initialized from a template cert, the signature algorithm
  // of that cert will be used, or if there was no template cert, a default
  // algorithm will be used based on the signing key type.
  void SetSignatureAlgorithm(bssl::SignatureAlgorithm signature_algorithm);

  // Sets both signature AlgorithmIdentifier TLVs to encode in the generated
  // certificate.
  // This only affects the bytes written to the output - it does not affect what
  // algorithm is actually used to perform the signature. To set the signature
  // algorithm used to generate the certificate's signature, use
  // |SetSignatureAlgorithm|. If this method is not called, the signature
  // algorithm written to the output will be chosen to match the signature
  // algorithm used to sign the certificate.
  void SetSignatureAlgorithmTLV(std::string_view signature_algorithm_tlv);

  // Set only the outer Certificate signatureAlgorithm TLV. See
  // SetSignatureAlgorithmTLV comment for general notes.
  void SetOuterSignatureAlgorithmTLV(std::string_view signature_algorithm_tlv);

  // Set only the tbsCertificate signature TLV. See SetSignatureAlgorithmTLV
  // comment for general notes.
  void SetTBSSignatureAlgorithmTLV(std::string_view signature_algorithm_tlv);

  // Sets the serial number of the generated certificate to |serial_number|.
  void SetSerialNumber(uint64_t serial_number);
  // Replaces the serial number with a randomly chosen one (the default
  // behaviour; see the class comment for why random serials matter).
  void SetRandomSerialNumber();

  // Sets the configuration that will be used to generate a
  // SignedCertificateTimestampList extension in the certificate.
  void SetSctConfig(std::vector<CertBuilder::SctConfig> sct_configs);

  // Sets the private key for the generated certificate to an EC key. If a key
  // was already set, it will be replaced.
  void GenerateECKey();

  // Sets the private key for the generated certificate to a 2048-bit RSA key.
  // RSA key generation is expensive, so this should not be used unless an RSA
  // key is specifically needed. If a key was already set, it will be replaced.
  void GenerateRSAKey();

  // Loads the private key for the generated certificate from |key_file|.
  // The bool result presumably reports whether loading succeeded — confirm.
  bool UseKeyFromFile(const base::FilePath& key_file);

  // Sets the private key to be |key|.
  void SetKey(bssl::UniquePtr<EVP_PKEY> key);

  // Returns the CertBuilder that issues this certificate. (Will be |this| if
  // certificate is self-signed.)
  CertBuilder* issuer() { return issuer_; }

  // Returns a CRYPTO_BUFFER to the generated certificate. Non-const because
  // the DER may have to be (re)generated first; see Invalidate().
  CRYPTO_BUFFER* GetCertBuffer();

  // Like GetCertBuffer(), but returns an owning handle to the buffer.
  bssl::UniquePtr<CRYPTO_BUFFER> DupCertBuffer();

  // Returns the subject of the generated certificate.
  const std::string& GetSubject();

  // Returns the serial number for the generated certificate.
  uint64_t GetSerialNumber();

  // Returns the subject key identifier for the generated certificate. If
  // none is present, a random value will be generated.
  // Note: The returned value will be the contents of the OCTET
  // STRING/KeyIdentifier, without DER encoding, ensuring it's suitable for
  // SetSubjectKeyIdentifier().
  std::string GetSubjectKeyIdentifier();

  // Parses and returns validity period for the generated certificate in
  // |not_before| and |not_after|, returning true on success.
  bool GetValidity(base::Time* not_before, base::Time* not_after) const;

  // Returns the key for the generated certificate.
  EVP_PKEY* GetKey();

  // Returns an X509Certificate for the generated certificate.
  scoped_refptr<X509Certificate> GetX509Certificate();

  // Returns an X509Certificate for the generated certificate, including
  // intermediate certificates (not including the self-signed root).
  scoped_refptr<X509Certificate> GetX509CertificateChain();

  // Returns an X509Certificate for the generated certificate, including
  // intermediate certificates and the self-signed root.
  scoped_refptr<X509Certificate> GetX509CertificateFullChain();

  // Returns a copy of the certificate's DER.
  std::string GetDER();

  // Returns a copy of the certificate as PEM encoded DER.
  // Convenience method for debugging, to more easily log what cert is being
  // created.
  std::string GetPEM();

  // Returns the full chain (including root) as PEM.
  // Convenience method for debugging, to more easily log what certs are being
  // created.
  std::string GetPEMFullChain();

  // Returns the private key as PEM.
  // Convenience method for debugging, to more easily log what certs are being
  // created.
  std::string GetPrivateKeyPEM();

 private:
  // Initializes the CertBuilder, if |orig_cert| is non-null it will be used as
  // a template. If |issuer| is null then the generated certificate will be
  // self-signed. Otherwise, it will be signed using |issuer|.
  // |unique_subject_key_identifier| controls whether an ephemeral SKI will
  // be generated for this certificate. In general, any manipulation of the
  // certificate at all should result in a new SKI, to avoid issues on
  // Windows CryptoAPI, but generating a unique SKI can create issues for
  // macOS Security.framework if |orig_cert| has already issued certificates
  // (including self-signed certs). The only time this is safe is thus
  // when used in conjunction with FromStaticCert() and re-using the
  // same key, thus this constructor is private.
  CertBuilder(CRYPTO_BUFFER* orig_cert,
              CertBuilder* issuer,
              bool unique_subject_key_identifier);

  // Marks the generated certificate DER as invalid, so it will need to
  // be re-generated next time the DER is accessed.
  void Invalidate();

  // Generates a random Subject Key Identifier for the certificate. This is
  // necessary for Windows, which otherwise uses SKI/AKI matching for lookups
  // with greater precedence than subject/issuer name matching, and on newer
  // versions of Windows, limits the number of lookups+signature failures that
  // can be performed. Rather than deriving from |key_|, generating a unique
  // value is useful for signalling this is a "unique" and otherwise
  // independent CA.
  void GenerateSubjectKeyIdentifier();

  // Generates a random subject for the certificate, comprised of just a CN.
  void GenerateSubject();

  // Parses |cert| and copies the following properties:
  //  * All extensions (dropping any duplicates)
  //  * Signature algorithm (from Certificate)
  //  * Validity (expiration)
  void InitFromCert(const bssl::der::Input& cert);

  // Assembles the CertBuilder into a TBSCertificate, written to |out|, with
  // |signature_algorithm_tlv| as the tbsCertificate.signature field.
  void BuildTBSCertificate(std::string_view signature_algorithm_tlv,
                           std::string* out);

  // Builds the SignedCertificateTimestampList extension value into |out| for
  // the precertificate TBS |pre_tbs_certificate|, presumably from
  // |sct_configs_| (see SetSctConfig()).
  void BuildSctListExtension(const std::string& pre_tbs_certificate,
                             std::string* out);

  // (Re)generates the certificate DER from the current builder state.
  void GenerateCertificate();

  // One entry of |extensions_|: the extension's DER-encoded value and its
  // critical flag.
  struct ExtensionValue {
    bool critical = false;
    std::string value;
  };

  // Version to encode in tbsCertificate; see SetCertificateVersion().
  bssl::CertificateVersion version_ = bssl::CertificateVersion::V3;
  // Encoded Validity; see SetValidity() / GetValidity().
  std::string validity_tlv_;
  // Explicit issuer Name TLV. nullopt means the issuer CertBuilder's subject
  // is used; see SetIssuerTLV().
  std::optional<std::string> issuer_tlv_;
  // Encoded subject Name; see SetSubjectTLV() / SetSubjectCommonName().
  std::string subject_tlv_;
  // Algorithm actually used to sign. nullopt means it is taken from the
  // template cert or derived from the signing key; see SetSignatureAlgorithm().
  std::optional<bssl::SignatureAlgorithm> signature_algorithm_;
  // AlgorithmIdentifier TLVs written to the output; may intentionally differ
  // from |signature_algorithm_|. See SetSignatureAlgorithmTLV() and the
  // Outer/TBS variants.
  std::string outer_signature_algorithm_tlv_;
  std::string tbs_signature_algorithm_tlv_;
  uint64_t serial_number_ = 0;
  // EVP_PKEY type to use when a key has to be generated; presumably consulted
  // by the key-generation path — confirm in cert_builder.cc.
  int default_pkey_id_ = EVP_PKEY_EC;

  // SCTs to embed; see SetSctConfig().
  std::vector<SctConfig> sct_configs_;

  // Extensions keyed by OID (raw bytes as a std::string); see SetExtension().
  std::map<std::string, ExtensionValue> extensions_;

bssl::UniquePtr<CRYPTO_BUFFER> cert_; 434*6777b538SAndroid Build Coastguard Worker bssl::UniquePtr<EVP_PKEY> key_; 435*6777b538SAndroid Build Coastguard Worker 436*6777b538SAndroid Build Coastguard Worker raw_ptr<CertBuilder, DanglingUntriaged> issuer_ = nullptr; 437*6777b538SAndroid Build Coastguard Worker }; 438*6777b538SAndroid Build Coastguard Worker 439*6777b538SAndroid Build Coastguard Worker } // namespace net 440*6777b538SAndroid Build Coastguard Worker 441*6777b538SAndroid Build Coastguard Worker #endif // NET_TEST_CERT_BUILDER_H_ 442