OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "crypto/rsa_private_key.h" | 5 #include "crypto/rsa_private_key.h" |
6 | 6 |
7 #include <cryptohi.h> | 7 #include <cryptohi.h> |
8 #include <keyhi.h> | 8 #include <keyhi.h> |
9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
10 #include <secmod.h> | |
11 | 10 |
12 #include <list> | 11 #include <list> |
13 | 12 |
14 #include "base/debug/leak_annotations.h" | 13 #include "base/debug/leak_annotations.h" |
15 #include "base/logging.h" | 14 #include "base/logging.h" |
16 #include "base/memory/scoped_ptr.h" | 15 #include "base/memory/scoped_ptr.h" |
17 #include "base/strings/string_util.h" | 16 #include "base/strings/string_util.h" |
| 17 #include "crypto/nss_key_util.h" |
18 #include "crypto/nss_util.h" | 18 #include "crypto/nss_util.h" |
19 #include "crypto/nss_util_internal.h" | |
20 #include "crypto/scoped_nss_types.h" | 19 #include "crypto/scoped_nss_types.h" |
21 | 20 |
22 // TODO(rafaelw): Consider using NSS's ASN.1 encoder. | 21 // TODO(rafaelw): Consider using NSS's ASN.1 encoder. |
23 namespace { | 22 namespace { |
24 | 23 |
25 static bool ReadAttribute(SECKEYPrivateKey* key, | 24 static bool ReadAttribute(SECKEYPrivateKey* key, |
26 CK_ATTRIBUTE_TYPE type, | 25 CK_ATTRIBUTE_TYPE type, |
27 std::vector<uint8>* output) { | 26 std::vector<uint8>* output) { |
28 SECItem item; | 27 SECItem item; |
29 SECStatus rv; | 28 SECStatus rv; |
30 rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); | 29 rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); |
31 if (rv != SECSuccess) { | 30 if (rv != SECSuccess) { |
32 NOTREACHED(); | 31 NOTREACHED(); |
33 return false; | 32 return false; |
34 } | 33 } |
35 | 34 |
36 output->assign(item.data, item.data + item.len); | 35 output->assign(item.data, item.data + item.len); |
37 SECITEM_FreeItem(&item, PR_FALSE); | 36 SECITEM_FreeItem(&item, PR_FALSE); |
38 return true; | 37 return true; |
39 } | 38 } |
40 | 39 |
41 #if defined(USE_NSS_CERTS) | |
42 struct PublicKeyInfoDeleter { | |
43 inline void operator()(CERTSubjectPublicKeyInfo* spki) { | |
44 SECKEY_DestroySubjectPublicKeyInfo(spki); | |
45 } | |
46 }; | |
47 | |
48 typedef scoped_ptr<CERTSubjectPublicKeyInfo, PublicKeyInfoDeleter> | |
49 ScopedPublicKeyInfo; | |
50 | |
51 // The function decodes RSA public key from the |input|. | |
52 crypto::ScopedSECKEYPublicKey GetRSAPublicKey(const std::vector<uint8>& input) { | |
53 // First, decode and save the public key. | |
54 SECItem key_der; | |
55 key_der.type = siBuffer; | |
56 key_der.data = const_cast<unsigned char*>(&input[0]); | |
57 key_der.len = input.size(); | |
58 | |
59 ScopedPublicKeyInfo spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&key_der)); | |
60 if (!spki) | |
61 return crypto::ScopedSECKEYPublicKey(); | |
62 | |
63 crypto::ScopedSECKEYPublicKey result(SECKEY_ExtractPublicKey(spki.get())); | |
64 | |
65 // Make sure the key is an RSA key.. If not, that's an error. | |
66 if (!result || result->keyType != rsaKey) | |
67 return crypto::ScopedSECKEYPublicKey(); | |
68 return result.Pass(); | |
69 } | |
70 #endif // defined(USE_NSS_CERTS) | |
71 | |
72 } // namespace | 40 } // namespace |
73 | 41 |
74 namespace crypto { | 42 namespace crypto { |
75 | 43 |
76 RSAPrivateKey::~RSAPrivateKey() { | 44 RSAPrivateKey::~RSAPrivateKey() { |
77 if (key_) | 45 if (key_) |
78 SECKEY_DestroyPrivateKey(key_); | 46 SECKEY_DestroyPrivateKey(key_); |
79 if (public_key_) | 47 if (public_key_) |
80 SECKEY_DestroyPublicKey(public_key_); | 48 SECKEY_DestroyPublicKey(public_key_); |
81 } | 49 } |
82 | 50 |
83 // static | 51 // static |
84 RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) { | 52 RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) { |
85 EnsureNSSInit(); | 53 EnsureNSSInit(); |
86 | 54 |
87 ScopedPK11Slot slot(PK11_GetInternalSlot()); | 55 ScopedPK11Slot slot(PK11_GetInternalSlot()); |
88 return CreateWithParams(slot.get(), | 56 if (!slot) { |
89 num_bits, | 57 NOTREACHED(); |
90 false /* not permanent */, | 58 return nullptr; |
91 false /* not sensitive */); | 59 } |
| 60 |
| 61 ScopedSECKEYPublicKey public_key; |
| 62 ScopedSECKEYPrivateKey private_key; |
| 63 if (!GenerateRSAKeyPairNSS(slot.get(), num_bits, false /* not permanent */, |
| 64 &public_key, &private_key)) { |
| 65 return nullptr; |
| 66 } |
| 67 |
| 68 RSAPrivateKey* rsa_key = new RSAPrivateKey; |
| 69 rsa_key->public_key_ = public_key.release(); |
| 70 rsa_key->key_ = private_key.release(); |
| 71 return rsa_key; |
92 } | 72 } |
93 | 73 |
94 // static | 74 // static |
95 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo( | 75 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo( |
96 const std::vector<uint8>& input) { | 76 const std::vector<uint8>& input) { |
97 EnsureNSSInit(); | 77 EnsureNSSInit(); |
98 | 78 |
99 ScopedPK11Slot slot(PK11_GetInternalSlot()); | 79 ScopedPK11Slot slot(PK11_GetInternalSlot()); |
100 return CreateFromPrivateKeyInfoWithParams( | 80 if (!slot) { |
101 slot.get(), | 81 NOTREACHED(); |
102 input, | 82 return nullptr; |
103 false /* not permanent */, | 83 } |
104 false /* not sensitive */); | 84 ScopedSECKEYPrivateKey key(ImportNSSKeyFromPrivateKeyInfo( |
| 85 slot.get(), input, false /* not permanent */)); |
| 86 if (!key || SECKEY_GetPrivateKeyType(key.get()) != rsaKey) |
| 87 return nullptr; |
| 88 return RSAPrivateKey::CreateFromKey(key.get()); |
105 } | 89 } |
106 | 90 |
107 // static | 91 // static |
108 RSAPrivateKey* RSAPrivateKey::CreateFromKey(SECKEYPrivateKey* key) { | 92 RSAPrivateKey* RSAPrivateKey::CreateFromKey(SECKEYPrivateKey* key) { |
109 DCHECK(key); | 93 DCHECK(key); |
110 if (SECKEY_GetPrivateKeyType(key) != rsaKey) | 94 if (SECKEY_GetPrivateKeyType(key) != rsaKey) |
111 return NULL; | 95 return NULL; |
112 RSAPrivateKey* copy = new RSAPrivateKey(); | 96 RSAPrivateKey* copy = new RSAPrivateKey(); |
113 copy->key_ = SECKEY_CopyPrivateKey(key); | 97 copy->key_ = SECKEY_CopyPrivateKey(key); |
114 copy->public_key_ = SECKEY_ConvertToPublicKey(key); | 98 copy->public_key_ = SECKEY_ConvertToPublicKey(key); |
115 if (!copy->key_ || !copy->public_key_) { | 99 if (!copy->key_ || !copy->public_key_) { |
116 NOTREACHED(); | 100 NOTREACHED(); |
117 delete copy; | 101 delete copy; |
118 return NULL; | 102 return NULL; |
119 } | 103 } |
120 return copy; | 104 return copy; |
121 } | 105 } |
122 | 106 |
123 #if defined(USE_NSS_CERTS) | |
124 // static | |
125 RSAPrivateKey* RSAPrivateKey::CreateSensitive(PK11SlotInfo* slot, | |
126 uint16 num_bits) { | |
127 return CreateWithParams(slot, | |
128 num_bits, | |
129 true /* permanent */, | |
130 true /* sensitive */); | |
131 } | |
132 | |
133 // static | |
134 RSAPrivateKey* RSAPrivateKey::CreateSensitiveFromPrivateKeyInfo( | |
135 PK11SlotInfo* slot, | |
136 const std::vector<uint8>& input) { | |
137 return CreateFromPrivateKeyInfoWithParams(slot, | |
138 input, | |
139 true /* permanent */, | |
140 true /* sensitive */); | |
141 } | |
142 | |
143 // static | |
144 RSAPrivateKey* RSAPrivateKey::FindFromPublicKeyInfo( | |
145 const std::vector<uint8>& input) { | |
146 scoped_ptr<RSAPrivateKey> result(InitPublicPart(input)); | |
147 if (!result) | |
148 return NULL; | |
149 | |
150 ScopedSECItem ck_id( | |
151 PK11_MakeIDFromPubKey(&(result->public_key_->u.rsa.modulus))); | |
152 if (!ck_id.get()) { | |
153 NOTREACHED(); | |
154 return NULL; | |
155 } | |
156 | |
157 // Search all slots in all modules for the key with the given ID. | |
158 AutoSECMODListReadLock auto_lock; | |
159 SECMODModuleList* head = SECMOD_GetDefaultModuleList(); | |
160 for (SECMODModuleList* item = head; item != NULL; item = item->next) { | |
161 int slot_count = item->module->loaded ? item->module->slotCount : 0; | |
162 for (int i = 0; i < slot_count; i++) { | |
163 // Finally...Look for the key! | |
164 result->key_ = PK11_FindKeyByKeyID(item->module->slots[i], | |
165 ck_id.get(), NULL); | |
166 if (result->key_) | |
167 return result.release(); | |
168 } | |
169 } | |
170 | |
171 // We didn't find the key. | |
172 return NULL; | |
173 } | |
174 | |
175 // static | |
176 RSAPrivateKey* RSAPrivateKey::FindFromPublicKeyInfoInSlot( | |
177 const std::vector<uint8>& input, | |
178 PK11SlotInfo* slot) { | |
179 if (!slot) | |
180 return NULL; | |
181 | |
182 scoped_ptr<RSAPrivateKey> result(InitPublicPart(input)); | |
183 if (!result) | |
184 return NULL; | |
185 | |
186 ScopedSECItem ck_id( | |
187 PK11_MakeIDFromPubKey(&(result->public_key_->u.rsa.modulus))); | |
188 if (!ck_id.get()) { | |
189 NOTREACHED(); | |
190 return NULL; | |
191 } | |
192 | |
193 result->key_ = PK11_FindKeyByKeyID(slot, ck_id.get(), NULL); | |
194 if (!result->key_) | |
195 return NULL; | |
196 return result.release(); | |
197 } | |
198 #endif | |
199 | |
200 RSAPrivateKey* RSAPrivateKey::Copy() const { | 107 RSAPrivateKey* RSAPrivateKey::Copy() const { |
201 RSAPrivateKey* copy = new RSAPrivateKey(); | 108 RSAPrivateKey* copy = new RSAPrivateKey(); |
202 copy->key_ = SECKEY_CopyPrivateKey(key_); | 109 copy->key_ = SECKEY_CopyPrivateKey(key_); |
203 copy->public_key_ = SECKEY_CopyPublicKey(public_key_); | 110 copy->public_key_ = SECKEY_CopyPublicKey(public_key_); |
204 return copy; | 111 return copy; |
205 } | 112 } |
206 | 113 |
207 bool RSAPrivateKey::ExportPrivateKey(std::vector<uint8>* output) const { | 114 bool RSAPrivateKey::ExportPrivateKey(std::vector<uint8>* output) const { |
208 PrivateKeyInfoCodec private_key_info(true); | 115 PrivateKeyInfoCodec private_key_info(true); |
209 | 116 |
(...skipping 24 matching lines...) Expand all Loading... |
234 } | 141 } |
235 | 142 |
236 output->assign(der_pubkey->data, der_pubkey->data + der_pubkey->len); | 143 output->assign(der_pubkey->data, der_pubkey->data + der_pubkey->len); |
237 return true; | 144 return true; |
238 } | 145 } |
239 | 146 |
240 RSAPrivateKey::RSAPrivateKey() : key_(NULL), public_key_(NULL) { | 147 RSAPrivateKey::RSAPrivateKey() : key_(NULL), public_key_(NULL) { |
241 EnsureNSSInit(); | 148 EnsureNSSInit(); |
242 } | 149 } |
243 | 150 |
244 // static | |
245 RSAPrivateKey* RSAPrivateKey::CreateWithParams(PK11SlotInfo* slot, | |
246 uint16 num_bits, | |
247 bool permanent, | |
248 bool sensitive) { | |
249 if (!slot) | |
250 return NULL; | |
251 | |
252 scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey); | |
253 | |
254 PK11RSAGenParams param; | |
255 param.keySizeInBits = num_bits; | |
256 param.pe = 65537L; | |
257 result->key_ = PK11_GenerateKeyPair(slot, | |
258 CKM_RSA_PKCS_KEY_PAIR_GEN, | |
259 ¶m, | |
260 &result->public_key_, | |
261 permanent, | |
262 sensitive, | |
263 NULL); | |
264 if (!result->key_) | |
265 return NULL; | |
266 | |
267 return result.release(); | |
268 } | |
269 | |
270 // static | |
271 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfoWithParams( | |
272 PK11SlotInfo* slot, | |
273 const std::vector<uint8>& input, | |
274 bool permanent, | |
275 bool sensitive) { | |
276 if (!slot) | |
277 return NULL; | |
278 | |
279 scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey); | |
280 | |
281 ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); | |
282 if (!arena) { | |
283 NOTREACHED(); | |
284 return NULL; | |
285 } | |
286 | |
287 // Excess data is illegal, but NSS silently accepts it, so first ensure that | |
288 // |input| consists of a single ASN.1 element. | |
289 SECItem input_item; | |
290 input_item.data = const_cast<unsigned char*>(&input.front()); | |
291 input_item.len = input.size(); | |
292 SECItem der_private_key_info; | |
293 SECStatus rv = SEC_QuickDERDecodeItem(arena.get(), &der_private_key_info, | |
294 SEC_ASN1_GET(SEC_AnyTemplate), | |
295 &input_item); | |
296 if (rv != SECSuccess) | |
297 return NULL; | |
298 | |
299 // Allow the private key to be used for key unwrapping, data decryption, | |
300 // and signature generation. | |
301 const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT | | |
302 KU_DIGITAL_SIGNATURE; | |
303 rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( | |
304 slot, &der_private_key_info, NULL, NULL, permanent, sensitive, | |
305 key_usage, &result->key_, NULL); | |
306 if (rv != SECSuccess) | |
307 return NULL; | |
308 | |
309 result->public_key_ = SECKEY_ConvertToPublicKey(result->key_); | |
310 if (!result->public_key_) | |
311 return NULL; | |
312 | |
313 return result.release(); | |
314 } | |
315 | |
316 #if defined(USE_NSS_CERTS) | |
317 // static | |
318 RSAPrivateKey* RSAPrivateKey::InitPublicPart(const std::vector<uint8>& input) { | |
319 EnsureNSSInit(); | |
320 | |
321 scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey()); | |
322 result->public_key_ = GetRSAPublicKey(input).release(); | |
323 if (!result->public_key_) { | |
324 NOTREACHED(); | |
325 return NULL; | |
326 } | |
327 | |
328 return result.release(); | |
329 } | |
330 #endif // defined(USE_NSS_CERTS) | |
331 | |
332 } // namespace crypto | 151 } // namespace crypto |
OLD | NEW |