Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(788)

Side by Side Diff: crypto/rsa_private_key_nss.cc

Issue 1106103003: Don't use RSAPrivateKey in NSS integration code. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-refactor
Patch Set: pneubeck comments Created 5 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "crypto/rsa_private_key.h" 5 #include "crypto/rsa_private_key.h"
6 6
7 #include <cryptohi.h> 7 #include <cryptohi.h>
8 #include <keyhi.h> 8 #include <keyhi.h>
9 #include <pk11pub.h> 9 #include <pk11pub.h>
10 #include <secmod.h>
11 10
12 #include <list> 11 #include <list>
13 12
14 #include "base/debug/leak_annotations.h" 13 #include "base/debug/leak_annotations.h"
15 #include "base/logging.h" 14 #include "base/logging.h"
16 #include "base/memory/scoped_ptr.h" 15 #include "base/memory/scoped_ptr.h"
17 #include "base/strings/string_util.h" 16 #include "base/strings/string_util.h"
17 #include "crypto/nss_key_util.h"
18 #include "crypto/nss_util.h" 18 #include "crypto/nss_util.h"
19 #include "crypto/nss_util_internal.h"
20 #include "crypto/scoped_nss_types.h" 19 #include "crypto/scoped_nss_types.h"
21 20
22 // TODO(rafaelw): Consider using NSS's ASN.1 encoder. 21 // TODO(rafaelw): Consider using NSS's ASN.1 encoder.
23 namespace { 22 namespace {
24 23
25 static bool ReadAttribute(SECKEYPrivateKey* key, 24 static bool ReadAttribute(SECKEYPrivateKey* key,
26 CK_ATTRIBUTE_TYPE type, 25 CK_ATTRIBUTE_TYPE type,
27 std::vector<uint8>* output) { 26 std::vector<uint8>* output) {
28 SECItem item; 27 SECItem item;
29 SECStatus rv; 28 SECStatus rv;
30 rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); 29 rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item);
31 if (rv != SECSuccess) { 30 if (rv != SECSuccess) {
32 NOTREACHED(); 31 NOTREACHED();
33 return false; 32 return false;
34 } 33 }
35 34
36 output->assign(item.data, item.data + item.len); 35 output->assign(item.data, item.data + item.len);
37 SECITEM_FreeItem(&item, PR_FALSE); 36 SECITEM_FreeItem(&item, PR_FALSE);
38 return true; 37 return true;
39 } 38 }
40 39
41 #if defined(USE_NSS_CERTS)
42 struct PublicKeyInfoDeleter {
43 inline void operator()(CERTSubjectPublicKeyInfo* spki) {
44 SECKEY_DestroySubjectPublicKeyInfo(spki);
45 }
46 };
47
48 typedef scoped_ptr<CERTSubjectPublicKeyInfo, PublicKeyInfoDeleter>
49 ScopedPublicKeyInfo;
50
51 // The function decodes RSA public key from the |input|.
52 crypto::ScopedSECKEYPublicKey GetRSAPublicKey(const std::vector<uint8>& input) {
53 // First, decode and save the public key.
54 SECItem key_der;
55 key_der.type = siBuffer;
56 key_der.data = const_cast<unsigned char*>(&input[0]);
57 key_der.len = input.size();
58
59 ScopedPublicKeyInfo spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&key_der));
60 if (!spki)
61 return crypto::ScopedSECKEYPublicKey();
62
63 crypto::ScopedSECKEYPublicKey result(SECKEY_ExtractPublicKey(spki.get()));
64
65 // Make sure the key is an RSA key.. If not, that's an error.
66 if (!result || result->keyType != rsaKey)
67 return crypto::ScopedSECKEYPublicKey();
68 return result.Pass();
69 }
70 #endif // defined(USE_NSS_CERTS)
71
72 } // namespace 40 } // namespace
73 41
74 namespace crypto { 42 namespace crypto {
75 43
76 RSAPrivateKey::~RSAPrivateKey() { 44 RSAPrivateKey::~RSAPrivateKey() {
77 if (key_) 45 if (key_)
78 SECKEY_DestroyPrivateKey(key_); 46 SECKEY_DestroyPrivateKey(key_);
79 if (public_key_) 47 if (public_key_)
80 SECKEY_DestroyPublicKey(public_key_); 48 SECKEY_DestroyPublicKey(public_key_);
81 } 49 }
82 50
83 // static 51 // static
84 RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) { 52 RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) {
85 EnsureNSSInit(); 53 EnsureNSSInit();
86 54
87 ScopedPK11Slot slot(PK11_GetInternalSlot()); 55 ScopedPK11Slot slot(PK11_GetInternalSlot());
88 return CreateWithParams(slot.get(), 56 if (!slot) {
89 num_bits, 57 NOTREACHED();
90 false /* not permanent */, 58 return nullptr;
91 false /* not sensitive */); 59 }
60
61 ScopedSECKEYPublicKey public_key;
62 ScopedSECKEYPrivateKey private_key;
63 if (!GenerateRSAKeyPairNSS(slot.get(), num_bits, false /* not permanent */,
64 &public_key, &private_key)) {
65 return nullptr;
66 }
67
68 RSAPrivateKey* rsa_key = new RSAPrivateKey;
69 rsa_key->public_key_ = public_key.release();
70 rsa_key->key_ = private_key.release();
71 return rsa_key;
92 } 72 }
93 73
94 // static 74 // static
95 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo( 75 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo(
96 const std::vector<uint8>& input) { 76 const std::vector<uint8>& input) {
97 EnsureNSSInit(); 77 EnsureNSSInit();
98 78
99 ScopedPK11Slot slot(PK11_GetInternalSlot()); 79 ScopedPK11Slot slot(PK11_GetInternalSlot());
100 return CreateFromPrivateKeyInfoWithParams( 80 if (!slot) {
101 slot.get(), 81 NOTREACHED();
102 input, 82 return nullptr;
103 false /* not permanent */, 83 }
104 false /* not sensitive */); 84 ScopedSECKEYPrivateKey key(ImportNSSKeyFromPrivateKeyInfo(
85 slot.get(), input, false /* not permanent */));
86 if (!key || SECKEY_GetPrivateKeyType(key.get()) != rsaKey)
87 return nullptr;
88 return RSAPrivateKey::CreateFromKey(key.get());
105 } 89 }
106 90
107 // static 91 // static
108 RSAPrivateKey* RSAPrivateKey::CreateFromKey(SECKEYPrivateKey* key) { 92 RSAPrivateKey* RSAPrivateKey::CreateFromKey(SECKEYPrivateKey* key) {
109 DCHECK(key); 93 DCHECK(key);
110 if (SECKEY_GetPrivateKeyType(key) != rsaKey) 94 if (SECKEY_GetPrivateKeyType(key) != rsaKey)
111 return NULL; 95 return NULL;
112 RSAPrivateKey* copy = new RSAPrivateKey(); 96 RSAPrivateKey* copy = new RSAPrivateKey();
113 copy->key_ = SECKEY_CopyPrivateKey(key); 97 copy->key_ = SECKEY_CopyPrivateKey(key);
114 copy->public_key_ = SECKEY_ConvertToPublicKey(key); 98 copy->public_key_ = SECKEY_ConvertToPublicKey(key);
115 if (!copy->key_ || !copy->public_key_) { 99 if (!copy->key_ || !copy->public_key_) {
116 NOTREACHED(); 100 NOTREACHED();
117 delete copy; 101 delete copy;
118 return NULL; 102 return NULL;
119 } 103 }
120 return copy; 104 return copy;
121 } 105 }
122 106
123 #if defined(USE_NSS_CERTS)
124 // static
125 RSAPrivateKey* RSAPrivateKey::CreateSensitive(PK11SlotInfo* slot,
126 uint16 num_bits) {
127 return CreateWithParams(slot,
128 num_bits,
129 true /* permanent */,
130 true /* sensitive */);
131 }
132
133 // static
134 RSAPrivateKey* RSAPrivateKey::CreateSensitiveFromPrivateKeyInfo(
135 PK11SlotInfo* slot,
136 const std::vector<uint8>& input) {
137 return CreateFromPrivateKeyInfoWithParams(slot,
138 input,
139 true /* permanent */,
140 true /* sensitive */);
141 }
142
143 // static
144 RSAPrivateKey* RSAPrivateKey::FindFromPublicKeyInfo(
145 const std::vector<uint8>& input) {
146 scoped_ptr<RSAPrivateKey> result(InitPublicPart(input));
147 if (!result)
148 return NULL;
149
150 ScopedSECItem ck_id(
151 PK11_MakeIDFromPubKey(&(result->public_key_->u.rsa.modulus)));
152 if (!ck_id.get()) {
153 NOTREACHED();
154 return NULL;
155 }
156
157 // Search all slots in all modules for the key with the given ID.
158 AutoSECMODListReadLock auto_lock;
159 SECMODModuleList* head = SECMOD_GetDefaultModuleList();
160 for (SECMODModuleList* item = head; item != NULL; item = item->next) {
161 int slot_count = item->module->loaded ? item->module->slotCount : 0;
162 for (int i = 0; i < slot_count; i++) {
163 // Finally...Look for the key!
164 result->key_ = PK11_FindKeyByKeyID(item->module->slots[i],
165 ck_id.get(), NULL);
166 if (result->key_)
167 return result.release();
168 }
169 }
170
171 // We didn't find the key.
172 return NULL;
173 }
174
175 // static
176 RSAPrivateKey* RSAPrivateKey::FindFromPublicKeyInfoInSlot(
177 const std::vector<uint8>& input,
178 PK11SlotInfo* slot) {
179 if (!slot)
180 return NULL;
181
182 scoped_ptr<RSAPrivateKey> result(InitPublicPart(input));
183 if (!result)
184 return NULL;
185
186 ScopedSECItem ck_id(
187 PK11_MakeIDFromPubKey(&(result->public_key_->u.rsa.modulus)));
188 if (!ck_id.get()) {
189 NOTREACHED();
190 return NULL;
191 }
192
193 result->key_ = PK11_FindKeyByKeyID(slot, ck_id.get(), NULL);
194 if (!result->key_)
195 return NULL;
196 return result.release();
197 }
198 #endif
199
200 RSAPrivateKey* RSAPrivateKey::Copy() const { 107 RSAPrivateKey* RSAPrivateKey::Copy() const {
201 RSAPrivateKey* copy = new RSAPrivateKey(); 108 RSAPrivateKey* copy = new RSAPrivateKey();
202 copy->key_ = SECKEY_CopyPrivateKey(key_); 109 copy->key_ = SECKEY_CopyPrivateKey(key_);
203 copy->public_key_ = SECKEY_CopyPublicKey(public_key_); 110 copy->public_key_ = SECKEY_CopyPublicKey(public_key_);
204 return copy; 111 return copy;
205 } 112 }
206 113
207 bool RSAPrivateKey::ExportPrivateKey(std::vector<uint8>* output) const { 114 bool RSAPrivateKey::ExportPrivateKey(std::vector<uint8>* output) const {
208 PrivateKeyInfoCodec private_key_info(true); 115 PrivateKeyInfoCodec private_key_info(true);
209 116
(...skipping 24 matching lines...) Expand all
234 } 141 }
235 142
236 output->assign(der_pubkey->data, der_pubkey->data + der_pubkey->len); 143 output->assign(der_pubkey->data, der_pubkey->data + der_pubkey->len);
237 return true; 144 return true;
238 } 145 }
239 146
240 RSAPrivateKey::RSAPrivateKey() : key_(NULL), public_key_(NULL) { 147 RSAPrivateKey::RSAPrivateKey() : key_(NULL), public_key_(NULL) {
241 EnsureNSSInit(); 148 EnsureNSSInit();
242 } 149 }
243 150
244 // static
245 RSAPrivateKey* RSAPrivateKey::CreateWithParams(PK11SlotInfo* slot,
246 uint16 num_bits,
247 bool permanent,
248 bool sensitive) {
249 if (!slot)
250 return NULL;
251
252 scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey);
253
254 PK11RSAGenParams param;
255 param.keySizeInBits = num_bits;
256 param.pe = 65537L;
257 result->key_ = PK11_GenerateKeyPair(slot,
258 CKM_RSA_PKCS_KEY_PAIR_GEN,
259 &param,
260 &result->public_key_,
261 permanent,
262 sensitive,
263 NULL);
264 if (!result->key_)
265 return NULL;
266
267 return result.release();
268 }
269
270 // static
271 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfoWithParams(
272 PK11SlotInfo* slot,
273 const std::vector<uint8>& input,
274 bool permanent,
275 bool sensitive) {
276 if (!slot)
277 return NULL;
278
279 scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey);
280
281 ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
282 if (!arena) {
283 NOTREACHED();
284 return NULL;
285 }
286
287 // Excess data is illegal, but NSS silently accepts it, so first ensure that
288 // |input| consists of a single ASN.1 element.
289 SECItem input_item;
290 input_item.data = const_cast<unsigned char*>(&input.front());
291 input_item.len = input.size();
292 SECItem der_private_key_info;
293 SECStatus rv = SEC_QuickDERDecodeItem(arena.get(), &der_private_key_info,
294 SEC_ASN1_GET(SEC_AnyTemplate),
295 &input_item);
296 if (rv != SECSuccess)
297 return NULL;
298
299 // Allow the private key to be used for key unwrapping, data decryption,
300 // and signature generation.
301 const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT |
302 KU_DIGITAL_SIGNATURE;
303 rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
304 slot, &der_private_key_info, NULL, NULL, permanent, sensitive,
305 key_usage, &result->key_, NULL);
306 if (rv != SECSuccess)
307 return NULL;
308
309 result->public_key_ = SECKEY_ConvertToPublicKey(result->key_);
310 if (!result->public_key_)
311 return NULL;
312
313 return result.release();
314 }
315
316 #if defined(USE_NSS_CERTS)
317 // static
318 RSAPrivateKey* RSAPrivateKey::InitPublicPart(const std::vector<uint8>& input) {
319 EnsureNSSInit();
320
321 scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey());
322 result->public_key_ = GetRSAPublicKey(input).release();
323 if (!result->public_key_) {
324 NOTREACHED();
325 return NULL;
326 }
327
328 return result.release();
329 }
330 #endif // defined(USE_NSS_CERTS)
331
332 } // namespace crypto 151 } // namespace crypto
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698