Revert 112385 - Reland: Allow signing EC certs and creating EC origin-bound certs.

BUG=88782 TEST=X509UtilNSSTest Review URL: http://codereview.chromium.org/8537025 TBR=mattm@chromium.org Review URL: http://codereview.chromium.org/8764017 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112391 0039d316-1c4b-4281-b951-d872f2087c98

Revert 112385 - Reland: Allow signing EC certs and creating EC origin-bound certs.
BUG=88782 TEST=X509UtilNSSTest Review URL: http://codereview.chromium.org/8537025 TBR=mattm@chromium.org Review URL: http://codereview.chromium.org/8764017 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112391 0039d316-1c4b-4281-b951-d872f2087c98
928b2770 · rbyers@chromium.org · ffa5f5f3 · 928b2770 · 928b2770 · ffa5f5f3
Commit 928b2770 authored Dec 01, 2011 by rbyers@chromium.org
9 changed files
--- a/crypto/crypto.gyp
+++ b/crypto/crypto.gyp
@@ -106,7 +106,6 @@
              'third_party/nss/chromium-nss.h',
              'third_party/nss/chromium-sha256.h',
              'third_party/nss/pk11akey.cc',
-              'third_party/nss/secsign.cc',
              'third_party/nss/sha512.cc',
            ],
          }, {
@@ -194,7 +193,6 @@
        'third_party/nss/chromium-nss.h',
        'third_party/nss/chromium-sha256.h',
        'third_party/nss/pk11akey.cc',
-        'third_party/nss/secsign.cc',
        'third_party/nss/sha512.cc',
      ],
    },

--- a/crypto/third_party/nss/chromium-nss.h
+++ b/crypto/third_party/nss/chromium-nss.h
@@ -43,8 +43,6 @@
 #include <keyhi.h>
 #include <secmod.h>
-#include "crypto/crypto_export.h"
 // Like PK11_ImportEncryptedPrivateKeyInfo, but hardcoded for EC, and returns
 // the SECKEYPrivateKey.
 // See https://bugzilla.mozilla.org/show_bug.cgi?id=211546
@@ -61,11 +59,4 @@ SECStatus ImportEncryptedECPrivateKeyInfoAndReturnKey(
    SECKEYPrivateKey** private_key,
    void* wincx);
-// Like SEC_DerSignData.
-CRYPTO_EXPORT SECStatus DerSignData(PLArenaPool *arena,
-                                    SECItem *result,
-                                    SECItem *input,
-                                    SECKEYPrivateKey *key,
-                                    SECOidTag algo_id);
 #endif  // CRYPTO_THIRD_PARTY_NSS_CHROMIUM_NSS_H_
--- a/crypto/third_party/nss/secsign.cc
+++ b/crypto/third_party/nss/secsign.cc
-/*
- * Signature stuff.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "crypto/third_party/nss/chromium-nss.h"
-#include <vector>
-#include <cryptohi.h>
-#include <pk11pub.h>
-#include <secerr.h>
-#include <sechash.h>
-#include "base/basictypes.h"
-#include "base/logging.h"
-#include "build/build_config.h"
-SECStatus DerSignData(PLArenaPool *arena,
-                      SECItem *result,
-                      SECItem *input,
-                      SECKEYPrivateKey *key,
-                      SECOidTag algo_id) {
-  if (key->keyType != ecKey) {
-    return SEC_DerSignData(arena, result, input->data, input->len, key,
-                           algo_id);
-  }
-  // NSS has a private function sec_DecodeSigAlg it uses to figure out the
-  // correct hash from the algorithm id.
-  HASH_HashType hash_type;
-  switch (algo_id) {
-    case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
-      hash_type = HASH_AlgSHA1;
-      break;
-#ifdef SHA224_LENGTH
-    case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
-      hash_type = HASH_AlgSHA224;
-      break;
-#endif
-    case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
-      hash_type = HASH_AlgSHA256;
-      break;
-    case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
-      hash_type = HASH_AlgSHA384;
-      break;
-    case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
-      hash_type = HASH_AlgSHA512;
-      break;
-    default:
-      PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-      return SECFailure;
-  }
-  // Hash the input.
-  std::vector<uint8> hash_data(HASH_ResultLen(hash_type));
-  SECStatus rv = HASH_HashBuf(
-      hash_type, &hash_data[0], input->data, input->len);
-  if (rv != SECSuccess)
-    return rv;
-  SECItem hash = {siBuffer, &hash_data[0], hash_data.size()};
-  // Compute signature of hash.
-  int signature_len = PK11_SignatureLen(key);
-  std::vector<uint8> signature_data(signature_len);
-  SECItem sig = {siBuffer, &signature_data[0], signature_len};
-  rv = PK11_Sign(key, &sig, &hash);
-  if (rv != SECSuccess)
-    return rv;
-  CERTSignedData sd;
-  PORT_Memset(&sd, 0, sizeof(sd));
-  // Fill in tbsCertificate.
-  sd.data.data = (unsigned char*) input->data;
-  sd.data.len = input->len;
-  // Fill in signatureAlgorithm.
-  rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algo_id, 0);
-  if (rv != SECSuccess)
-    return rv;
-  // Fill in signatureValue.
-  rv = DSAU_EncodeDerSigWithLen(&sd.signature, &sig, sig.len);
-  if (rv != SECSuccess)
-    return rv;
-  sd.signature.len <<=  3;  // Convert to bit string.
-  // DER encode the signed data object.
-  void* encode_result = SEC_ASN1EncodeItem(
-      arena, result, &sd, SEC_ASN1_GET(CERT_SignedDataTemplate));
-  PORT_Free(sd.signature.data);
-  return encode_result ? SECSuccess : SECFailure;
-}
--- a/net/base/origin_bound_cert_service.cc
+++ b/net/base/origin_bound_cert_service.cc
@@ -326,7 +326,7 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
    return ERR_KEY_GENERATION_FAILED;
  }
  std::string der_cert;
-  if (!x509_util::CreateOriginBoundCertRSA(
+  if (!x509_util::CreateOriginBoundCert(
      key.get(),
      origin,
      serial_number,

--- a/net/base/x509_util.h
+++ b/net/base/x509_util.h
@@ -12,7 +12,6 @@
 #include "net/base/net_export.h"
 namespace crypto {
-class ECPrivateKey;
 class RSAPrivateKey;
 }
@@ -27,16 +26,11 @@ namespace x509_util {
 //
 // See Internet Draft draft-balfanz-tls-obc-00 for more details:
 // http://tools.ietf.org/html/draft-balfanz-tls-obc-00
-bool NET_EXPORT_PRIVATE CreateOriginBoundCertRSA(crypto::RSAPrivateKey* key,
+bool NET_EXPORT_PRIVATE CreateOriginBoundCert(crypto::RSAPrivateKey* key,
-                                                 const std::string& origin,
+                                              const std::string& origin,
-                                                 uint32 serial_number,
+                                              uint32 serial_number,
-                                                 base::TimeDelta valid_duration,
+                                              base::TimeDelta valid_duration,
-                                                 std::string* der_cert);
+                                              std::string* der_cert);
-bool NET_EXPORT_PRIVATE CreateOriginBoundCertEC(crypto::ECPrivateKey* key,
-                                                const std::string& origin,
-                                                uint32 serial_number,
-                                                base::TimeDelta valid_duration,
-                                                std::string* der_cert);
 } // namespace x509_util

--- a/net/base/x509_util_nss.cc
+++ b/net/base/x509_util_nss.cc
@@ -16,12 +16,10 @@
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
-#include "crypto/ec_private_key.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_nss_types.h"
-#include "crypto/third_party/nss/chromium-nss.h"
 namespace {
@@ -159,11 +157,9 @@ bool SignCertificate(
    return false;
  // Sign the ASN1 encoded cert and save it to |result|.
-  rv = DerSignData(arena, result, &der, key, algo_id);
+  rv = SEC_DerSignData(arena, result, der.data, der.len, key, algo_id);
-  if (rv != SECSuccess) {
+  if (rv != SECSuccess)
-    DLOG(ERROR) << "DerSignData: " << PORT_GetError();
    return false;
-  }
  // Save the signed result to the cert.
  cert->derCert = *result;
@@ -171,78 +167,6 @@ bool SignCertificate(
  return true;
 }
-bool CreateOriginBoundCertInternal(
-    SECKEYPublicKey* public_key,
-    SECKEYPrivateKey* private_key,
-    const std::string& origin,
-    uint32 serial_number,
-    base::TimeDelta valid_duration,
-    std::string* der_cert) {
-  CERTCertificate* cert = CreateCertificate(public_key,
-                                            "CN=anonymous.invalid",
-                                            serial_number,
-                                            valid_duration);
-  if (!cert)
-    return false;
-  // Create opaque handle used to add extensions later.
-  void* cert_handle;
-  if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
-    LOG(ERROR) << "Unable to get opaque handle for adding extensions";
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
-  // Create SECItem for IA5String encoding.
-  SECItem origin_string_item = {
-    siAsciiString,
-    (unsigned char*)origin.data(),
-    origin.size()
-  };
-  // IA5Encode and arena allocate SECItem
-  SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
-      cert->arena, NULL, &origin_string_item,
-      SEC_ASN1_GET(SEC_IA5StringTemplate));
-  if (asn1_origin_string == NULL) {
-    LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
-  // Add the extension to the opaque handle
-  if (CERT_AddExtension(cert_handle,
-                        ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
-                        asn1_origin_string,
-                        PR_TRUE, PR_TRUE) != SECSuccess){
-    LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
-  // Copy extension into x509 cert
-  if (CERT_FinishExtensions(cert_handle) != SECSuccess){
-    LOG(ERROR) << "Unable to copy extension to X509 cert";
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
-  if (!SignCertificate(cert, private_key)) {
-    CERT_DestroyCertificate(cert);
-    return false;
-  }
-  DCHECK(cert->derCert.len);
-  // XXX copied from X509Certificate::GetDEREncoded
-  der_cert->clear();
-  der_cert->append(reinterpret_cast<char*>(cert->derCert.data),
-                   cert->derCert.len);
-  CERT_DestroyCertificate(cert);
-  return true;
-}
 }  // namespace
 namespace net {
@@ -270,7 +194,7 @@ CERTCertificate* CreateSelfSignedCert(
  return cert;
 }
-bool CreateOriginBoundCertRSA(
+bool CreateOriginBoundCert(
    crypto::RSAPrivateKey* key,
    const std::string& origin,
    uint32 serial_number,
@@ -325,27 +249,68 @@ bool CreateOriginBoundCertRSA(
  }
 #endif
-  return CreateOriginBoundCertInternal(public_key,
+  CERTCertificate* cert = CreateCertificate(public_key,
-                                       private_key,
+                                            "CN=anonymous.invalid",
-                                       origin,
+                                            serial_number,
-                                       serial_number,
+                                            valid_duration);
-                                       valid_duration,
-                                       der_cert);
-}
-bool CreateOriginBoundCertEC(
+  if (!cert)
-    crypto::ECPrivateKey* key,
+    return false;
-    const std::string& origin,
-    uint32 serial_number,
+  // Create opaque handle used to add extensions later.
-    base::TimeDelta valid_duration,
+  void* cert_handle;
-    std::string* der_cert) {
+  if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
-  DCHECK(key);
+    LOG(ERROR) << "Unable to get opaque handle for adding extensions";
-  return CreateOriginBoundCertInternal(key->public_key(),
+    CERT_DestroyCertificate(cert);
-                                       key->key(),
+    return false;
-                                       origin,
+  }
-                                       serial_number,
-                                       valid_duration,
+  // Create SECItem for IA5String encoding.
-                                       der_cert);
+  SECItem origin_string_item = {
+    siAsciiString,
+    (unsigned char*)origin.data(),
+    origin.size()
+  };
+  // IA5Encode and arena allocate SECItem
+  SECItem* asn1_origin_string = SEC_ASN1EncodeItem(
+      cert->arena, NULL, &origin_string_item,
+      SEC_ASN1_GET(SEC_IA5StringTemplate));
+  if (asn1_origin_string == NULL) {
+    LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension";
+    CERT_DestroyCertificate(cert);
+    return false;
+  }
+  // Add the extension to the opaque handle
+  if (CERT_AddExtension(cert_handle,
+                        ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(),
+                        asn1_origin_string,
+                        PR_TRUE, PR_TRUE) != SECSuccess){
+    LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle";
+    CERT_DestroyCertificate(cert);
+    return false;
+  }
+  // Copy extension into x509 cert
+  if (CERT_FinishExtensions(cert_handle) != SECSuccess){
+    LOG(ERROR) << "Unable to copy extension to X509 cert";
+    CERT_DestroyCertificate(cert);
+    return false;
+  }
+  if (!SignCertificate(cert, private_key)) {
+    CERT_DestroyCertificate(cert);
+    return false;
+  }
+  DCHECK(cert->derCert.len);
+  // XXX copied from X509Certificate::GetDEREncoded
+  der_cert->clear();
+  der_cert->append(reinterpret_cast<char*>(cert->derCert.data),
+                   cert->derCert.len);
+  CERT_DestroyCertificate(cert);
+  return true;
 }
 } // namespace x509_util

--- a/net/base/x509_util_nss_unittest.cc
+++ b/net/base/x509_util_nss_unittest.cc
@@ -10,15 +10,10 @@
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/ref_counted.h"
-#include "crypto/ec_private_key.h"
 #include "crypto/rsa_private_key.h"
-#include "crypto/scoped_nss_types.h"
-#include "crypto/signature_verifier.h"
 #include "net/base/x509_certificate.h"
 #include "testing/gtest/include/gtest/gtest.h"
-namespace net {
 namespace {
 CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) {
@@ -32,54 +27,19 @@ CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) {
                                 PR_FALSE, PR_TRUE);
 }
-void VerifyCertificateSignature(const std::string& der_cert,
+}  // namespace
-                                const std::vector<uint8>& der_spki) {
-  crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
-  CERTSignedData sd;
-  memset(&sd, 0, sizeof(sd));
-  SECItem der_cert_item = {
+namespace net {
-    siDERCertBuffer,
-    reinterpret_cast<unsigned char*>(const_cast<char*>(der_cert.data())),
-    der_cert.size()
-  };
-  SECStatus rv = SEC_ASN1DecodeItem(arena.get(), &sd,
-                                    SEC_ASN1_GET(CERT_SignedDataTemplate),
-                                    &der_cert_item);
-  ASSERT_EQ(SECSuccess, rv);
-  // The CERTSignedData.signatureAlgorithm is decoded, but SignatureVerifier
-  // wants the DER encoded form, so re-encode it again.
-  SECItem* signature_algorithm = SEC_ASN1EncodeItem(
-      arena.get(),
-      NULL,
-      &sd.signatureAlgorithm,
-      SEC_ASN1_GET(SECOID_AlgorithmIDTemplate));
-  ASSERT_TRUE(signature_algorithm);
-  crypto::SignatureVerifier verifier;
-  bool ok = verifier.VerifyInit(
-      signature_algorithm->data,
-      signature_algorithm->len,
-      sd.signature.data,
-      sd.signature.len / 8,  // Signature is a BIT STRING, convert to bytes.
-      &der_spki[0],
-      der_spki.size());
-  ASSERT_TRUE(ok);
-  verifier.VerifyUpdate(sd.data.data,
-                        sd.data.len);
-  ok = verifier.VerifyFinal();
-  EXPECT_TRUE(ok);
-}
-void VerifyOriginBoundCert(const std::string& origin,
+// This test creates an origin-bound cert from a private key and
-                           const std::string& der_cert) {
+// then verifies the content of the certificate.
+TEST(X509UtilNSSTest, CreateOriginBoundCert) {
  // Origin Bound Cert OID.
  static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6";
+  // Create a sample ASCII weborigin.
+  std::string origin = "http://weborigin.com:443";
  // Create object neccessary for extension lookup call.
  SECItem extension_object = {
    siAsciiString,
@@ -87,6 +47,20 @@ void VerifyOriginBoundCert(const std::string& origin,
    origin.size()
  };
+  scoped_ptr<crypto::RSAPrivateKey> private_key(
+      crypto::RSAPrivateKey::Create(1024));
+  std::string der_cert;
+  ASSERT_TRUE(x509_util::CreateOriginBoundCert(private_key.get(),
+                                               origin, 1,
+                                               base::TimeDelta::FromDays(1),
+                                               &der_cert));
+  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBytes(
+      der_cert.data(), der_cert.size());
+  EXPECT_EQ("anonymous.invalid", cert->subject().GetDisplayName());
+  EXPECT_FALSE(cert->HasExpired());
  // IA5Encode and arena allocate SECItem.
  PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
  SECItem* expected = SEC_ASN1EncodeItem(arena,
@@ -109,15 +83,9 @@ void VerifyOriginBoundCert(const std::string& origin,
  // This test is run on Mac and Win where X509Certificate::os_cert_handle isn't
  // an NSS type, so we have to manually create a NSS certificate object so we
-  // can use CERT_FindCertExtension.  We also check the subject and validity
+  // can use CERT_FindCertExtension.
-  // times using NSS since X509Certificate will fail with EC certs on OSX 10.5
-  // (http://crbug.com/101231).
  CERTCertificate* nss_cert = CreateNSSCertHandleFromBytes(
      der_cert.data(), der_cert.size());
-  EXPECT_STREQ("anonymous.invalid", CERT_GetCommonName(&nss_cert->subject));
-  EXPECT_EQ(SECSuccess, CERT_CertTimesValid(nss_cert));
  // Lookup Origin Bound Cert extension in generated cert.
  SECItem actual = { siBuffer, NULL, 0 };
  ok = CERT_FindCertExtension(nss_cert,
@@ -135,51 +103,4 @@ void VerifyOriginBoundCert(const std::string& origin,
  PORT_FreeArena(arena, PR_FALSE);
 }
-}  // namespace
-// This test creates an origin-bound cert from a RSA private key and
-// then verifies the content of the certificate.
-TEST(X509UtilNSSTest, CreateOriginBoundCertRSA) {
-  // Create a sample ASCII weborigin.
-  std::string origin = "http://weborigin.com:443";
-  scoped_ptr<crypto::RSAPrivateKey> private_key(
-      crypto::RSAPrivateKey::Create(1024));
-  std::string der_cert;
-  ASSERT_TRUE(x509_util::CreateOriginBoundCertRSA(private_key.get(),
-                                                  origin, 1,
-                                                  base::TimeDelta::FromDays(1),
-                                                  &der_cert));
-  VerifyOriginBoundCert(origin, der_cert);
-  std::vector<uint8> spki;
-  ASSERT_TRUE(private_key->ExportPublicKey(&spki));
-  VerifyCertificateSignature(der_cert, spki);
-}
-// This test creates an origin-bound cert from an EC private key and
-// then verifies the content of the certificate.
-TEST(X509UtilNSSTest, CreateOriginBoundCertEC) {
-  // Create a sample ASCII weborigin.
-  std::string origin = "http://weborigin.com:443";
-  scoped_ptr<crypto::ECPrivateKey> private_key(
-      crypto::ECPrivateKey::Create());
-  std::string der_cert;
-  ASSERT_TRUE(x509_util::CreateOriginBoundCertEC(private_key.get(),
-                                                 origin, 1,
-                                                 base::TimeDelta::FromDays(1),
-                                                 &der_cert));
-  VerifyOriginBoundCert(origin, der_cert);
-#if !defined(OS_WIN) && !defined(OS_MACOSX)
-  // signature_verifier_win and signature_verifier_mac can't handle EC certs.
-  std::vector<uint8> spki;
-  ASSERT_TRUE(private_key->ExportPublicKey(&spki));
-  VerifyCertificateSignature(der_cert, spki);
-#endif
-}
 }  // namespace net
--- a/net/base/x509_util_openssl.cc
+++ b/net/base/x509_util_openssl.cc
@@ -15,7 +15,7 @@ namespace net {
 namespace x509_util {
-bool CreateOriginBoundCertRSA(
+bool CreateOriginBoundCert(
    crypto::RSAPrivateKey* key,
    const std::string& origin,
    uint32 serial_number,
@@ -25,16 +25,6 @@ bool CreateOriginBoundCertRSA(
  return false;
 }
-bool CreateOriginBoundCertEC(
-    crypto::ECPrivateKey* key,
-    const std::string& origin,
-    uint32 serial_number,
-    base::TimeDelta valid_duration,
-    std::string* der_cert) {
-  NOTIMPLEMENTED();
-  return false;
-}
 bool ParsePrincipalKeyAndValueByIndex(X509_NAME* name,
                                      int index,
                                      std::string* key,

--- a/net/base/x509_util_openssl_unittest.cc
+++ b/net/base/x509_util_openssl_unittest.cc
@@ -18,10 +18,10 @@ TEST(X509UtilOpenSSLTest, CreateOriginBoundCertNotImplemented) {
  scoped_ptr<crypto::RSAPrivateKey> private_key(
      crypto::RSAPrivateKey::Create(1024));
  std::string der_cert;
-  EXPECT_FALSE(x509_util::CreateOriginBoundCertRSA(private_key.get(),
+  EXPECT_FALSE(x509_util::CreateOriginBoundCert(private_key.get(),
-                                                   origin, 1,
+                                                origin, 1,
-                                                   base::TimeDelta::FromDays(1),
+                                                base::TimeDelta::FromDays(1),
-                                                   &der_cert));
+                                                &der_cert));
  EXPECT_TRUE(der_cert.empty());
 }