Support EC certs in OriginBoundCertService and OriginBoundCertStore.

crypto/ec_private_key_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/ec_private_key.h"
 
 extern "C" {
 // Work around NSS missing SEC_BEGIN_PROTOS in secmodt.h.  This must come before
 // other NSS headers.
 #include <secmodt.h>
@@ skipping 86 matching lines @@
       PR_TRUE /* permanent */,
       PR_TRUE /* sensitive */);
 #else
   // If USE_NSS is not defined, we initialize NSS with no databases, so we can't
   // create permanent keys.
   NOTREACHED();
   return NULL;
 #endif
 }
 
+// static
+bool ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
+    const std::string& password,
+    const uint8* encrypted_private_key_info,
+    size_t encrypted_private_key_info_len,
+    CERTSubjectPublicKeyInfo* decoded_spki,
+    bool permanent,
+    bool sensitive,
+    SECKEYPrivateKey** key,
+    SECKEYPublicKey** public_key) {
+  ScopedPK11Slot slot(GetPrivateNSSKeySlot());
+  if (!slot.get())
+    return false;
+
+  *public_key = SECKEY_ExtractPublicKey(decoded_spki);
+
+  if (!*public_key) {
+    DLOG(ERROR) << "SECKEY_ExtractPublicKey: " << PORT_GetError();
+    return false;
+  }
+
+  SECItem encoded_epki = {
+    siBuffer,
+    const_cast<unsigned char*>(encrypted_private_key_info),
+    encrypted_private_key_info_len
+  };
+  SECKEYEncryptedPrivateKeyInfo epki;
+  memset(&epki, 0, sizeof(epki));
+
+  ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+
+  SECStatus rv = SEC_QuickDERDecodeItem(
+      arena.get(),
+      &epki,
+      SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate),
+      &encoded_epki);
+  if (rv != SECSuccess) {
+    DLOG(ERROR) << "SEC_QuickDERDecodeItem: " << PORT_GetError();
+    SECKEY_DestroyPublicKey(*public_key);
+    *public_key = NULL;
+    return false;
+  }
+
+  SECItem password_item = {
+    siBuffer,
+    reinterpret_cast<unsigned char*>(const_cast<char*>(password.data())),
+    password.size()
+  };
+
+  rv = ImportEncryptedECPrivateKeyInfoAndReturnKey(
+      slot.get(),
+      &epki,
+      &password_item,
+      NULL,  // nickname
+      &(*public_key)->u.ec.publicValue,
+      permanent,
+      sensitive,
+      key,
+      NULL);  // wincx
+  if (rv != SECSuccess) {
+    DLOG(ERROR) << "ImportEncryptedECPrivateKeyInfoAndReturnKey: "
+                << PORT_GetError();
+    SECKEY_DestroyPublicKey(*public_key);
+    *public_key = NULL;
+    return false;
+  }
+
+  return true;
+}
+
 bool ECPrivateKey::ExportEncryptedPrivateKey(
     const std::string& password,
     int iterations,
     std::vector<uint8>* output) {
   // We export as an EncryptedPrivateKeyInfo bundle instead of a plain PKCS #8
   // PrivateKeyInfo because PK11_ImportDERPrivateKeyInfoAndReturnKey doesn't
   // support EC keys.
   // https://bugzilla.mozilla.org/show_bug.cgi?id=327773
   SECItem password_item = {
     siBuffer,
@@ skipping 103 matching lines @@
 ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfoWithParams(
     const std::string& password,
     const std::vector<uint8>& encrypted_private_key_info,
     const std::vector<uint8>& subject_public_key_info,
     bool permanent,
     bool sensitive) {
   EnsureNSSInit();
 
   scoped_ptr<ECPrivateKey> result(new ECPrivateKey);
 
-  ScopedPK11Slot slot(GetPrivateNSSKeySlot());
-  if (!slot.get())
-    return NULL;
-
   SECItem encoded_spki = {
     siBuffer,
     const_cast<unsigned char*>(&subject_public_key_info[0]),
     subject_public_key_info.size()
   };
   CERTSubjectPublicKeyInfo* decoded_spki = SECKEY_DecodeDERSubjectPublicKeyInfo(
       &encoded_spki);
   if (!decoded_spki) {
     DLOG(ERROR) << "SECKEY_DecodeDERSubjectPublicKeyInfo: " << PORT_GetError();
     return NULL;
   }
 
-  result->public_key_ = SECKEY_ExtractPublicKey(decoded_spki);
+  bool success = ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
+      password,
+      &encrypted_private_key_info[0],
+      encrypted_private_key_info.size(),
+      decoded_spki,
+      permanent,
+      sensitive,
+      &result->key_,
+      &result->public_key_);
 
   SECKEY_DestroySubjectPublicKeyInfo(decoded_spki);
 
-  if (!result->public_key_) {
-    DLOG(ERROR) << "SECKEY_ExtractPublicKey: " << PORT_GetError();
-    return NULL;
-  }
+  if (success)
+    return result.release();
 
-  SECItem encoded_epki = {
-    siBuffer,
-    const_cast<unsigned char*>(&encrypted_private_key_info[0]),
-    encrypted_private_key_info.size()
-  };
-  SECKEYEncryptedPrivateKeyInfo epki;
-  memset(&epki, 0, sizeof(epki));
-
-  ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
-
-  SECStatus rv = SEC_QuickDERDecodeItem(
-      arena.get(),
-      &epki,
-      SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate),
-      &encoded_epki);
-  if (rv != SECSuccess) {
-    DLOG(ERROR) << "SEC_ASN1DecodeItem: " << PORT_GetError();
-    return NULL;
-  }
-
-  SECItem password_item = {
-    siBuffer,
-    reinterpret_cast<unsigned char*>(const_cast<char*>(password.data())),
-    password.size()
-  };
-
-  rv = ImportEncryptedECPrivateKeyInfoAndReturnKey(
-      slot.get(),
-      &epki,
-      &password_item,
-      NULL,  // nickname
-      &result->public_key_->u.ec.publicValue,
-      permanent,
-      sensitive,
-      &result->key_,
-      NULL);  // wincx
-  if (rv != SECSuccess) {
-    DLOG(ERROR) << "ImportEncryptedECPrivateKeyInfoAndReturnKey: "
-                << PORT_GetError();
-    return NULL;
-  }
-
-  return result.release();
+  return NULL;
 }
 
 }  // namespace crypto