Mac: implement <keygen> support, including adding generated cert to the Keychain.

net/base/keygen_handler_nss.cc

Index: net/base/keygen_handler_nss.cc
diff --git a/net/base/keygen_handler_nss.cc b/net/base/keygen_handler_nss.cc
index 6c172983718cfbfe43e5effde46e3e3f267a5c89..d8d9acb2e3c96b07920dd9cbf2ad3f345288d87b 100644
--- a/net/base/keygen_handler_nss.cc
+++ b/net/base/keygen_handler_nss.cc
@@ -7,11 +7,11 @@
 #include <pk11pub.h>
 #include <secmod.h>
 #include <ssl.h>
-#include <nssb64.h>    // NSSBase64_EncodeItem()
 #include <secder.h>    // DER_Encode()
 #include <cryptohi.h>  // SEC_DerSignData()
 #include <keyhi.h>     // SECKEY_CreateSubjectPublicKeyInfo()
 
+#include "base/base64.h"
 #include "base/nss_util.h"
 #include "base/logging.h"
 
@@ -51,21 +51,6 @@ DERTemplate CERTPublicKeyAndChallengeTemplate[] = {
   { 0, }
 };
 
-// This maps displayed strings indicating level of keysecurity in the <keygen>
-// menu to the key size in bits.
-// TODO(gauravsh): Should this mapping be moved else where?
-int RSAkeySizeMap[] = {2048, 1024};
-
-KeygenHandler::KeygenHandler(int key_size_index,
-                             const std::string& challenge)
-    : key_size_index_(key_size_index),
-      challenge_(challenge) {
-  if (key_size_index_ < 0 ||
-      key_size_index_ >=
-          static_cast<int>(sizeof(RSAkeySizeMap) / sizeof(RSAkeySizeMap[0])))
-    key_size_index_ = 0;
-}
-
 // This function is largely copied from the Firefox's
 // <keygen> implementation in security/manager/ssl/src/nsKeygenHandler.cpp
 // FIXME(gauravsh): Do we need a copy of the Mozilla license here?
@@ -73,7 +58,6 @@ KeygenHandler::KeygenHandler(int key_size_index,
 std::string KeygenHandler::GenKeyAndSignChallenge() {
   // Key pair generation mechanism - only RSA is supported at present.
   PRUint32 keyGenMechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;  // from nss/pkcs11t.h
-  char *keystring = NULL;  // Temporary store for result/
 
   // Temporary structures used for generating the result
   // in the right format.
@@ -107,7 +91,7 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
 
   switch (keyGenMechanism) {
     case CKM_RSA_PKCS_KEY_PAIR_GEN:
-      rsaKeyGenParams.keySizeInBits = RSAkeySizeMap[key_size_index_];
+      rsaKeyGenParams.keySizeInBits = key_size_in_bits_;
       rsaKeyGenParams.pe = DEFAULT_RSA_PUBLIC_EXPONENT;
       keyGenParams = &rsaKeyGenParams;
 
@@ -202,18 +186,14 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
   }
 
   // Convert the signed public key and challenge into base64/ascii.
-  keystring = NSSBase64_EncodeItem(arena,
-                                   NULL,  // NSS will allocate a buffer for us.
-                                   0,
-                                   &signedItem);
-  if (!keystring) {
+  if (!base::Base64Encode(std::string(reinterpret_cast<char*>(signedItem.data),
+                                      signedItem.len),
+                          &result_blob)) {
     LOG(ERROR) << "Couldn't convert signed public key into base64";
     isSuccess = false;
     goto failure;
   }
 
-  result_blob = keystring;
-
  failure:
   if (!isSuccess) {
     LOG(ERROR) << "SSL Keygen failed!";
@@ -223,11 +203,12 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
 
   // Do cleanups
   if (privateKey) {
-    // TODO(gauravsh): We still need to maintain the private key because it's
-    // used for certificate enrollment checks.
-
-    // PK11_DestroyTokenObject(privateKey->pkcs11Slot,privateKey->pkcs11ID);
-    // SECKEY_DestroyPrivateKey(privateKey);
+    if (!isSuccess || !stores_key_) {
+      PK11_DestroyTokenObject(privateKey->pkcs11Slot,privateKey->pkcs11ID);
+      SECKEY_DestroyPrivateKey(privateKey);
+    }
+    // On successful keygen we need to keep the private key, of course,
+    // or we won't be able to use the client certificate.
   }
 
   if (publicKey) {