| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "crypto/rsa_private_key.h" | 5 #include "crypto/rsa_private_key.h" |
| 6 | 6 |
| 7 #include <cryptohi.h> | 7 #include <cryptohi.h> |
| 8 #include <keyhi.h> | 8 #include <keyhi.h> |
| 9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
| 10 #include <secmod.h> | |
| 11 | 10 |
| 12 #include <list> | 11 #include <list> |
| 13 | 12 |
| 14 #include "base/debug/leak_annotations.h" | 13 #include "base/debug/leak_annotations.h" |
| 15 #include "base/logging.h" | 14 #include "base/logging.h" |
| 16 #include "base/memory/scoped_ptr.h" | 15 #include "base/memory/scoped_ptr.h" |
| 17 #include "base/strings/string_util.h" | 16 #include "base/strings/string_util.h" |
| 17 #include "crypto/nss_key_util.h" |
| 18 #include "crypto/nss_util.h" | 18 #include "crypto/nss_util.h" |
| 19 #include "crypto/nss_util_internal.h" | |
| 20 #include "crypto/scoped_nss_types.h" | 19 #include "crypto/scoped_nss_types.h" |
| 21 | 20 |
| 22 // TODO(rafaelw): Consider using NSS's ASN.1 encoder. | 21 // TODO(rafaelw): Consider using NSS's ASN.1 encoder. |
| 23 namespace { | 22 namespace { |
| 24 | 23 |
| 25 static bool ReadAttribute(SECKEYPrivateKey* key, | 24 static bool ReadAttribute(SECKEYPrivateKey* key, |
| 26 CK_ATTRIBUTE_TYPE type, | 25 CK_ATTRIBUTE_TYPE type, |
| 27 std::vector<uint8>* output) { | 26 std::vector<uint8>* output) { |
| 28 SECItem item; | 27 SECItem item; |
| 29 SECStatus rv; | 28 SECStatus rv; |
| 30 rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); | 29 rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); |
| 31 if (rv != SECSuccess) { | 30 if (rv != SECSuccess) { |
| 32 NOTREACHED(); | 31 NOTREACHED(); |
| 33 return false; | 32 return false; |
| 34 } | 33 } |
| 35 | 34 |
| 36 output->assign(item.data, item.data + item.len); | 35 output->assign(item.data, item.data + item.len); |
| 37 SECITEM_FreeItem(&item, PR_FALSE); | 36 SECITEM_FreeItem(&item, PR_FALSE); |
| 38 return true; | 37 return true; |
| 39 } | 38 } |
| 40 | 39 |
| 41 #if defined(USE_NSS_CERTS) | |
| 42 struct PublicKeyInfoDeleter { | |
| 43 inline void operator()(CERTSubjectPublicKeyInfo* spki) { | |
| 44 SECKEY_DestroySubjectPublicKeyInfo(spki); | |
| 45 } | |
| 46 }; | |
| 47 | |
| 48 typedef scoped_ptr<CERTSubjectPublicKeyInfo, PublicKeyInfoDeleter> | |
| 49 ScopedPublicKeyInfo; | |
| 50 | |
| 51 // The function decodes RSA public key from the |input|. | |
| 52 crypto::ScopedSECKEYPublicKey GetRSAPublicKey(const std::vector<uint8>& input) { | |
| 53 // First, decode and save the public key. | |
| 54 SECItem key_der; | |
| 55 key_der.type = siBuffer; | |
| 56 key_der.data = const_cast<unsigned char*>(&input[0]); | |
| 57 key_der.len = input.size(); | |
| 58 | |
| 59 ScopedPublicKeyInfo spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&key_der)); | |
| 60 if (!spki) | |
| 61 return crypto::ScopedSECKEYPublicKey(); | |
| 62 | |
| 63 crypto::ScopedSECKEYPublicKey result(SECKEY_ExtractPublicKey(spki.get())); | |
| 64 | |
| 65 // Make sure the key is an RSA key.. If not, that's an error. | |
| 66 if (!result || result->keyType != rsaKey) | |
| 67 return crypto::ScopedSECKEYPublicKey(); | |
| 68 return result.Pass(); | |
| 69 } | |
| 70 #endif // defined(USE_NSS_CERTS) | |
| 71 | |
| 72 } // namespace | 40 } // namespace |
| 73 | 41 |
| 74 namespace crypto { | 42 namespace crypto { |
| 75 | 43 |
| 76 RSAPrivateKey::~RSAPrivateKey() { | 44 RSAPrivateKey::~RSAPrivateKey() { |
| 77 if (key_) | 45 if (key_) |
| 78 SECKEY_DestroyPrivateKey(key_); | 46 SECKEY_DestroyPrivateKey(key_); |
| 79 if (public_key_) | 47 if (public_key_) |
| 80 SECKEY_DestroyPublicKey(public_key_); | 48 SECKEY_DestroyPublicKey(public_key_); |
| 81 } | 49 } |
| 82 | 50 |
| 83 // static | 51 // static |
| 84 RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) { | 52 RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) { |
| 85 EnsureNSSInit(); | 53 EnsureNSSInit(); |
| 86 | 54 |
| 87 ScopedPK11Slot slot(PK11_GetInternalSlot()); | 55 ScopedPK11Slot slot(PK11_GetInternalSlot()); |
| 88 return CreateWithParams(slot.get(), | 56 if (!slot) { |
| 89 num_bits, | 57 NOTREACHED(); |
| 90 false /* not permanent */, | 58 return nullptr; |
| 91 false /* not sensitive */); | 59 } |
| 60 |
| 61 ScopedSECKEYPublicKey public_key; |
| 62 ScopedSECKEYPrivateKey private_key; |
| 63 if (!GenerateRSAKeyPairNSS(slot.get(), num_bits, false /* not permanent */, |
| 64 &public_key, &private_key)) { |
| 65 return nullptr; |
| 66 } |
| 67 |
| 68 RSAPrivateKey* rsa_key = new RSAPrivateKey; |
| 69 rsa_key->public_key_ = public_key.release(); |
| 70 rsa_key->key_ = private_key.release(); |
| 71 return rsa_key; |
| 92 } | 72 } |
| 93 | 73 |
| 94 // static | 74 // static |
| 95 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo( | 75 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo( |
| 96 const std::vector<uint8>& input) { | 76 const std::vector<uint8>& input) { |
| 97 EnsureNSSInit(); | 77 EnsureNSSInit(); |
| 98 | 78 |
| 99 ScopedPK11Slot slot(PK11_GetInternalSlot()); | 79 ScopedPK11Slot slot(PK11_GetInternalSlot()); |
| 100 return CreateFromPrivateKeyInfoWithParams( | 80 if (!slot) { |
| 101 slot.get(), | 81 NOTREACHED(); |
| 102 input, | 82 return nullptr; |
| 103 false /* not permanent */, | 83 } |
| 104 false /* not sensitive */); | 84 ScopedSECKEYPrivateKey key(ImportNSSKeyFromPrivateKeyInfo( |
| 85 slot.get(), input, false /* not permanent */)); |
| 86 if (!key || SECKEY_GetPrivateKeyType(key.get()) != rsaKey) |
| 87 return nullptr; |
| 88 return RSAPrivateKey::CreateFromKey(key.get()); |
| 105 } | 89 } |
| 106 | 90 |
| 107 // static | 91 // static |
| 108 RSAPrivateKey* RSAPrivateKey::CreateFromKey(SECKEYPrivateKey* key) { | 92 RSAPrivateKey* RSAPrivateKey::CreateFromKey(SECKEYPrivateKey* key) { |
| 109 DCHECK(key); | 93 DCHECK(key); |
| 110 if (SECKEY_GetPrivateKeyType(key) != rsaKey) | 94 if (SECKEY_GetPrivateKeyType(key) != rsaKey) |
| 111 return NULL; | 95 return NULL; |
| 112 RSAPrivateKey* copy = new RSAPrivateKey(); | 96 RSAPrivateKey* copy = new RSAPrivateKey(); |
| 113 copy->key_ = SECKEY_CopyPrivateKey(key); | 97 copy->key_ = SECKEY_CopyPrivateKey(key); |
| 114 copy->public_key_ = SECKEY_ConvertToPublicKey(key); | 98 copy->public_key_ = SECKEY_ConvertToPublicKey(key); |
| 115 if (!copy->key_ || !copy->public_key_) { | 99 if (!copy->key_ || !copy->public_key_) { |
| 116 NOTREACHED(); | 100 NOTREACHED(); |
| 117 delete copy; | 101 delete copy; |
| 118 return NULL; | 102 return NULL; |
| 119 } | 103 } |
| 120 return copy; | 104 return copy; |
| 121 } | 105 } |
| 122 | 106 |
| 123 #if defined(USE_NSS_CERTS) | |
| 124 // static | |
| 125 RSAPrivateKey* RSAPrivateKey::CreateSensitive(PK11SlotInfo* slot, | |
| 126 uint16 num_bits) { | |
| 127 return CreateWithParams(slot, | |
| 128 num_bits, | |
| 129 true /* permanent */, | |
| 130 true /* sensitive */); | |
| 131 } | |
| 132 | |
| 133 // static | |
| 134 RSAPrivateKey* RSAPrivateKey::CreateSensitiveFromPrivateKeyInfo( | |
| 135 PK11SlotInfo* slot, | |
| 136 const std::vector<uint8>& input) { | |
| 137 return CreateFromPrivateKeyInfoWithParams(slot, | |
| 138 input, | |
| 139 true /* permanent */, | |
| 140 true /* sensitive */); | |
| 141 } | |
| 142 | |
| 143 // static | |
| 144 RSAPrivateKey* RSAPrivateKey::FindFromPublicKeyInfo( | |
| 145 const std::vector<uint8>& input) { | |
| 146 scoped_ptr<RSAPrivateKey> result(InitPublicPart(input)); | |
| 147 if (!result) | |
| 148 return NULL; | |
| 149 | |
| 150 ScopedSECItem ck_id( | |
| 151 PK11_MakeIDFromPubKey(&(result->public_key_->u.rsa.modulus))); | |
| 152 if (!ck_id.get()) { | |
| 153 NOTREACHED(); | |
| 154 return NULL; | |
| 155 } | |
| 156 | |
| 157 // Search all slots in all modules for the key with the given ID. | |
| 158 AutoSECMODListReadLock auto_lock; | |
| 159 SECMODModuleList* head = SECMOD_GetDefaultModuleList(); | |
| 160 for (SECMODModuleList* item = head; item != NULL; item = item->next) { | |
| 161 int slot_count = item->module->loaded ? item->module->slotCount : 0; | |
| 162 for (int i = 0; i < slot_count; i++) { | |
| 163 // Finally...Look for the key! | |
| 164 result->key_ = PK11_FindKeyByKeyID(item->module->slots[i], | |
| 165 ck_id.get(), NULL); | |
| 166 if (result->key_) | |
| 167 return result.release(); | |
| 168 } | |
| 169 } | |
| 170 | |
| 171 // We didn't find the key. | |
| 172 return NULL; | |
| 173 } | |
| 174 | |
| 175 // static | |
| 176 RSAPrivateKey* RSAPrivateKey::FindFromPublicKeyInfoInSlot( | |
| 177 const std::vector<uint8>& input, | |
| 178 PK11SlotInfo* slot) { | |
| 179 if (!slot) | |
| 180 return NULL; | |
| 181 | |
| 182 scoped_ptr<RSAPrivateKey> result(InitPublicPart(input)); | |
| 183 if (!result) | |
| 184 return NULL; | |
| 185 | |
| 186 ScopedSECItem ck_id( | |
| 187 PK11_MakeIDFromPubKey(&(result->public_key_->u.rsa.modulus))); | |
| 188 if (!ck_id.get()) { | |
| 189 NOTREACHED(); | |
| 190 return NULL; | |
| 191 } | |
| 192 | |
| 193 result->key_ = PK11_FindKeyByKeyID(slot, ck_id.get(), NULL); | |
| 194 if (!result->key_) | |
| 195 return NULL; | |
| 196 return result.release(); | |
| 197 } | |
| 198 #endif | |
| 199 | |
| 200 RSAPrivateKey* RSAPrivateKey::Copy() const { | 107 RSAPrivateKey* RSAPrivateKey::Copy() const { |
| 201 RSAPrivateKey* copy = new RSAPrivateKey(); | 108 RSAPrivateKey* copy = new RSAPrivateKey(); |
| 202 copy->key_ = SECKEY_CopyPrivateKey(key_); | 109 copy->key_ = SECKEY_CopyPrivateKey(key_); |
| 203 copy->public_key_ = SECKEY_CopyPublicKey(public_key_); | 110 copy->public_key_ = SECKEY_CopyPublicKey(public_key_); |
| 204 return copy; | 111 return copy; |
| 205 } | 112 } |
| 206 | 113 |
| 207 bool RSAPrivateKey::ExportPrivateKey(std::vector<uint8>* output) const { | 114 bool RSAPrivateKey::ExportPrivateKey(std::vector<uint8>* output) const { |
| 208 PrivateKeyInfoCodec private_key_info(true); | 115 PrivateKeyInfoCodec private_key_info(true); |
| 209 | 116 |
| (...skipping 24 matching lines...) Expand all Loading... |
| 234 } | 141 } |
| 235 | 142 |
| 236 output->assign(der_pubkey->data, der_pubkey->data + der_pubkey->len); | 143 output->assign(der_pubkey->data, der_pubkey->data + der_pubkey->len); |
| 237 return true; | 144 return true; |
| 238 } | 145 } |
| 239 | 146 |
| 240 RSAPrivateKey::RSAPrivateKey() : key_(NULL), public_key_(NULL) { | 147 RSAPrivateKey::RSAPrivateKey() : key_(NULL), public_key_(NULL) { |
| 241 EnsureNSSInit(); | 148 EnsureNSSInit(); |
| 242 } | 149 } |
| 243 | 150 |
| 244 // static | |
| 245 RSAPrivateKey* RSAPrivateKey::CreateWithParams(PK11SlotInfo* slot, | |
| 246 uint16 num_bits, | |
| 247 bool permanent, | |
| 248 bool sensitive) { | |
| 249 if (!slot) | |
| 250 return NULL; | |
| 251 | |
| 252 scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey); | |
| 253 | |
| 254 PK11RSAGenParams param; | |
| 255 param.keySizeInBits = num_bits; | |
| 256 param.pe = 65537L; | |
| 257 result->key_ = PK11_GenerateKeyPair(slot, | |
| 258 CKM_RSA_PKCS_KEY_PAIR_GEN, | |
| 259 ¶m, | |
| 260 &result->public_key_, | |
| 261 permanent, | |
| 262 sensitive, | |
| 263 NULL); | |
| 264 if (!result->key_) | |
| 265 return NULL; | |
| 266 | |
| 267 return result.release(); | |
| 268 } | |
| 269 | |
| 270 // static | |
| 271 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfoWithParams( | |
| 272 PK11SlotInfo* slot, | |
| 273 const std::vector<uint8>& input, | |
| 274 bool permanent, | |
| 275 bool sensitive) { | |
| 276 if (!slot) | |
| 277 return NULL; | |
| 278 | |
| 279 scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey); | |
| 280 | |
| 281 ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); | |
| 282 if (!arena) { | |
| 283 NOTREACHED(); | |
| 284 return NULL; | |
| 285 } | |
| 286 | |
| 287 // Excess data is illegal, but NSS silently accepts it, so first ensure that | |
| 288 // |input| consists of a single ASN.1 element. | |
| 289 SECItem input_item; | |
| 290 input_item.data = const_cast<unsigned char*>(&input.front()); | |
| 291 input_item.len = input.size(); | |
| 292 SECItem der_private_key_info; | |
| 293 SECStatus rv = SEC_QuickDERDecodeItem(arena.get(), &der_private_key_info, | |
| 294 SEC_ASN1_GET(SEC_AnyTemplate), | |
| 295 &input_item); | |
| 296 if (rv != SECSuccess) | |
| 297 return NULL; | |
| 298 | |
| 299 // Allow the private key to be used for key unwrapping, data decryption, | |
| 300 // and signature generation. | |
| 301 const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT | | |
| 302 KU_DIGITAL_SIGNATURE; | |
| 303 rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( | |
| 304 slot, &der_private_key_info, NULL, NULL, permanent, sensitive, | |
| 305 key_usage, &result->key_, NULL); | |
| 306 if (rv != SECSuccess) | |
| 307 return NULL; | |
| 308 | |
| 309 result->public_key_ = SECKEY_ConvertToPublicKey(result->key_); | |
| 310 if (!result->public_key_) | |
| 311 return NULL; | |
| 312 | |
| 313 return result.release(); | |
| 314 } | |
| 315 | |
| 316 #if defined(USE_NSS_CERTS) | |
| 317 // static | |
| 318 RSAPrivateKey* RSAPrivateKey::InitPublicPart(const std::vector<uint8>& input) { | |
| 319 EnsureNSSInit(); | |
| 320 | |
| 321 scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey()); | |
| 322 result->public_key_ = GetRSAPublicKey(input).release(); | |
| 323 if (!result->public_key_) { | |
| 324 NOTREACHED(); | |
| 325 return NULL; | |
| 326 } | |
| 327 | |
| 328 return result.release(); | |
| 329 } | |
| 330 #endif // defined(USE_NSS_CERTS) | |
| 331 | |
| 332 } // namespace crypto | 151 } // namespace crypto |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1106103003:
Don't use RSAPrivateKey in NSS integration code. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-refactor