Chromium Code Reviews Chromium Code Reviews
Issue 8662036:
Support EC certs in OriginBoundCertService and OriginBoundCertStore. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: net/socket/ssl_client_socket_nss.cc |
| diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
| index 2595350e7548256bfcf2f76827236ee2bde15d8e..dcbbc6780ab393a6f879df6b363855a63cc8360b 100644 |
| --- a/net/socket/ssl_client_socket_nss.cc |
| +++ b/net/socket/ssl_client_socket_nss.cc |
| @@ -74,6 +74,7 @@ |
| #include "base/stringprintf.h" |
| #include "base/threading/thread_restrictions.h" |
| #include "base/values.h" |
| +#include "crypto/ec_private_key.h" |
| #include "crypto/rsa_private_key.h" |
| #include "crypto/scoped_nss_types.h" |
| #include "net/base/address_list.h" |
| @@ -1545,20 +1546,55 @@ int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, |
| return MapNSSError(PORT_GetError()); |
| // Set the private key. |
| - SECItem der_private_key_info; |
| - der_private_key_info.data = (unsigned char*)ob_private_key_.data(); |
| - der_private_key_info.len = ob_private_key_.size(); |
| - const unsigned int key_usage = KU_DIGITAL_SIGNATURE; |
| - crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); |
| - SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( |
| - slot.get(), &der_private_key_info, NULL, NULL, PR_FALSE, PR_FALSE, |
| - key_usage, key, NULL); |
| + switch (ob_cert_type_) { |
| + case ORIGIN_BOUND_RSA_CERT: |
|
wtc
2011/11/30 23:23:40
Format this as follows:
case ORIGIN_BOUND_RSA_C
mattm
2011/12/02 01:55:59
Done.
|
| + { |
| + SECItem der_private_key_info; |
| + der_private_key_info.data = (unsigned char*)ob_private_key_.data(); |
| + der_private_key_info.len = ob_private_key_.size(); |
| + const unsigned int key_usage = KU_DIGITAL_SIGNATURE; |
| + crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); |
| + SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( |
| + slot.get(), &der_private_key_info, NULL, NULL, PR_FALSE, PR_FALSE, |
| + key_usage, key, NULL); |
| + |
| + if (rv != SECSuccess) { |
| + int error = MapNSSError(PORT_GetError()); |
| + CERT_DestroyCertificate(*cert); |
| + *cert = NULL; |
| + return error; |
| + } |
| + break; |
| + } |
| - if (rv != SECSuccess) { |
| - int error = MapNSSError(PORT_GetError()); |
| - CERT_DestroyCertificate(*cert); |
| - *cert = NULL; |
| - return error; |
| + case ORIGIN_BOUND_EC_CERT: |
| + { |
| + // TODO(mattm): provide a static method on ECPrivateKey to generate a |
| + // SECKEYPrivateKey directly? |
|
wtc
2011/11/30 23:23:40
IMPORTANT: Yes, we should do something along that
mattm
2011/12/02 01:55:59
Done. (It's still a fair bit of common code, so I
|
| + std::vector<uint8> spki( |
| + (*cert)->derPublicKey.data, |
| + (*cert)->derPublicKey.data + (*cert)->derPublicKey.len); |
| + std::vector<uint8> private_key_info(ob_private_key_.begin(), |
| + ob_private_key_.end()); |
| + scoped_ptr<crypto::ECPrivateKey> ec_key_pair( |
| + crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( |
| + OriginBoundCertService::kEPKIPassword, private_key_info, spki)); |
| + if (!ec_key_pair.get()) { |
| + CERT_DestroyCertificate(*cert); |
| + *cert = NULL; |
| + return MapNSSError(PORT_GetError()); |
| + } |
| + *key = SECKEY_CopyPrivateKey(ec_key_pair->key()); |
| + if (!*key) { |
| + CERT_DestroyCertificate(*cert); |
| + *cert = NULL; |
| + return MapNSSError(PORT_GetError()); |
| + } |
| + break; |
| + } |
| + |
| + default: |
| + NOTREACHED(); |
|
wtc
2011/11/30 23:23:40
Nit: add a break statement to the default case.
B
mattm
2011/12/02 01:55:59
Done.
|
| } |
| return OK; |
| @@ -2113,6 +2149,7 @@ bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) { |
| } |
| SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler( |
| + const std::vector<OriginBoundCertType>& requested_types, |
| CERTCertificate** result_certificate, |
| SECKEYPrivateKey** result_private_key) { |
| ob_cert_xtn_negotiated_ = true; |
| @@ -2122,6 +2159,8 @@ SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler( |
| net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL); |
| int error = origin_bound_cert_service_->GetOriginBoundCert( |
| origin, |
| + requested_types, |
| + &ob_cert_type_, |
| &ob_private_key_, |
| &ob_cert_, |
| base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, |
| @@ -2171,8 +2210,11 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler( |
| // Check if an origin-bound certificate is requested. |
| if (OriginBoundCertNegotiated(socket)) { |
| + // TODO(mattm): Once NSS supports it, pass the actual requested types. |
| + std::vector<OriginBoundCertType> requested_types; |
| + requested_types.push_back(ORIGIN_BOUND_RSA_CERT); |
| return that->OriginBoundClientAuthHandler( |
| - result_nss_certificate, result_nss_private_key); |
| + requested_types, result_nss_certificate, result_nss_private_key); |
| } |
| that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; |
| @@ -2476,8 +2518,11 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler( |
| // Check if an origin-bound certificate is requested. |
| if (OriginBoundCertNegotiated(socket)) { |
| + // TODO(mattm): Once NSS supports it, pass the actual requested types. |
| + std::vector<OriginBoundCertType> requested_types; |
| + requested_types.push_back(ORIGIN_BOUND_RSA_CERT); |
|
wtc
2011/11/30 23:23:40
I think we should add both the EC and RSA cert typ
mattm
2011/12/02 01:55:59
Done.
|
| return that->OriginBoundClientAuthHandler( |
| - result_certificate, result_private_key); |
| + requested_types, result_certificate, result_private_key); |
| } |
| // Regular client certificate requested. |
