Support EC certs in OriginBoundCertService and OriginBoundCertStore.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 56 matching lines @@
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
+#include "crypto/ec_private_key.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/base/address_list.h"
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/dns_util.h"
 #include "net/base/dnsrr_resolver.h"
 #include "net/base/dnssec_chain_verifier.h"
@@ skipping 1451 matching lines @@
   cert_item.len = ob_cert_.size();
   *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                   &cert_item,
                                   NULL,
                                   PR_FALSE,
                                   PR_TRUE);
   if (*cert == NULL)
     return MapNSSError(PORT_GetError());
 
   // Set the private key.
-  SECItem der_private_key_info;
-  der_private_key_info.data = (unsigned char*)ob_private_key_.data();
-  der_private_key_info.len = ob_private_key_.size();
-  const unsigned int key_usage = KU_DIGITAL_SIGNATURE;
-  crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
-  SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
-      slot.get(), &der_private_key_info, NULL, NULL, PR_FALSE, PR_FALSE,
-      key_usage, key, NULL);
+  switch (ob_cert_type_) {
+    case CLIENT_CERT_RSA_SIGN: {
+      SECItem der_private_key_info;
+      der_private_key_info.data = (unsigned char*)ob_private_key_.data();
+      der_private_key_info.len = ob_private_key_.size();
+      const unsigned int key_usage = KU_DIGITAL_SIGNATURE;
+      crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
+      SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
+          slot.get(), &der_private_key_info, NULL, NULL, PR_FALSE, PR_FALSE,
+          key_usage, key, NULL);
 
-  if (rv != SECSuccess) {
-    int error = MapNSSError(PORT_GetError());
-    CERT_DestroyCertificate(*cert);
-    *cert = NULL;
-    return error;
+      if (rv != SECSuccess) {
+        int error = MapNSSError(PORT_GetError());
+        CERT_DestroyCertificate(*cert);
+        *cert = NULL;
+        return error;
+      }
+      break;
+    }
+
+    case CLIENT_CERT_ECDSA_SIGN: {
+      std::vector<uint8> private_key_info(ob_private_key_.begin(),
+                                          ob_private_key_.end());

[wtc, 2011/12/02 22:06:59]

Nit: this copies the PrivateKeyInfo.  If
crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo()
takes a SECItem or a data/len pair instead of const std::vector<uint8>&,
we can avoid this copying.

[mattm, 2011/12/05 22:19:20]

Done.

+      SECKEYPublicKey* public_key = NULL;
+      if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
+          OriginBoundCertService::kEPKIPassword,
+          private_key_info,
+          &(*cert)->subjectPublicKeyInfo,
+          false,
+          false,
+          key,
+          &public_key)) {
+        CERT_DestroyCertificate(*cert);
+        *cert = NULL;
+        return MapNSSError(PORT_GetError());
+      }
+      SECKEY_DestroyPublicKey(public_key);
+      break;
+    }
+
+    default:
+      NOTREACHED();
+      return ERR_INVALID_ARGUMENT;
   }
 
   return OK;
 }
 
 int SSLClientSocketNSS::DoGetOBCertComplete(int result) {
   net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT,
                                     result);
   client_auth_cert_needed_ = false;
   ob_cert_request_handle_ = NULL;
@@ skipping 534 matching lines @@
 bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) {
   PRBool xtn_negotiated = PR_FALSE;
   SECStatus rv = SSL_HandshakeNegotiatedExtension(
       socket, ssl_ob_cert_xtn, &xtn_negotiated);
   DCHECK_EQ(SECSuccess, rv);
 
   return xtn_negotiated ? true : false;
 }
 
 SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler(
+    const std::vector<uint8>& requested_cert_types,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
   ob_cert_xtn_negotiated_ = true;
 
   // We have negotiated the origin-bound certificate extension.
   std::string origin = "https://" + host_and_port_.ToString();
   net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL);
   int error = origin_bound_cert_service_->GetOriginBoundCert(
       origin,
+      requested_cert_types,
+      &ob_cert_type_,
       &ob_private_key_,
       &ob_cert_,
       base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
                  base::Unretained(this)),
       &ob_cert_request_handle_);
 
   if (error == ERR_IO_PENDING) {
     // Asynchronous case.
     client_auth_cert_needed_ = true;
     return SECWouldBlock;
@@ skipping 29 matching lines @@
     CERTCertList** result_certs,
     void** result_private_key,
     CERTCertificate** result_nss_certificate,
     SECKEYPrivateKey** result_nss_private_key) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 
   that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
 
   // Check if an origin-bound certificate is requested.
   if (OriginBoundCertNegotiated(socket)) {
+    // TODO(mattm): Once NSS supports it, pass the actual requested types.
+    std::vector<uint8> requested_cert_types;
+    requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
+    requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
     return that->OriginBoundClientAuthHandler(
-        result_nss_certificate, result_nss_private_key);
+        requested_cert_types, result_nss_certificate, result_nss_private_key);
   }
 
   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
 #if defined(OS_WIN)
   if (that->ssl_config_.send_client_cert) {
     if (that->ssl_config_.client_cert) {
       PCCERT_CONTEXT cert_context =
           that->ssl_config_.client_cert->os_cert_handle();
 
       HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov = 0;
@@ skipping 283 matching lines @@
     PRFileDesc* socket,
     CERTDistNames* ca_names,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 
   that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
 
   // Check if an origin-bound certificate is requested.
   if (OriginBoundCertNegotiated(socket)) {
+    // TODO(mattm): Once NSS supports it, pass the actual requested types.
+    std::vector<uint8> requested_cert_types;
+    requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
+    requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
     return that->OriginBoundClientAuthHandler(
-        result_certificate, result_private_key);
+        requested_cert_types, result_certificate, result_private_key);
   }
 
   // Regular client certificate requested.
   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
   void* wincx  = SSL_RevealPinArg(socket);
 
   // Second pass: a client certificate should have been selected.
   if (that->ssl_config_.send_client_cert) {
     if (that->ssl_config_.client_cert) {
       CERTCertificate* cert = CERT_DupCertificate(
@@ skipping 125 matching lines @@
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 }  // namespace net