Don't use RSAPrivateKey in NSS integration code.

crypto/rsa_private_key_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/rsa_private_key.h"
 
 #include <cryptohi.h>
 #include <keyhi.h>
 #include <pk11pub.h>
-#include <secmod.h>
 
 #include <list>
 
 #include "base/debug/leak_annotations.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/strings/string_util.h"
+#include "crypto/nss_key_util.h"
 #include "crypto/nss_util.h"
-#include "crypto/nss_util_internal.h"
 #include "crypto/scoped_nss_types.h"
 
 // TODO(rafaelw): Consider using NSS's ASN.1 encoder.
 namespace {
 
 static bool ReadAttribute(SECKEYPrivateKey* key,
                           CK_ATTRIBUTE_TYPE type,
                           std::vector<uint8>* output) {
   SECItem item;
   SECStatus rv;
   rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item);
   if (rv != SECSuccess) {
     NOTREACHED();
     return false;
   }
 
   output->assign(item.data, item.data + item.len);
   SECITEM_FreeItem(&item, PR_FALSE);
   return true;
 }
 
-#if defined(USE_NSS_CERTS)
-struct PublicKeyInfoDeleter {
-  inline void operator()(CERTSubjectPublicKeyInfo* spki) {
-    SECKEY_DestroySubjectPublicKeyInfo(spki);
-  }
-};
-
-typedef scoped_ptr<CERTSubjectPublicKeyInfo, PublicKeyInfoDeleter>
-    ScopedPublicKeyInfo;
-
-// The function decodes RSA public key from the |input|.
-crypto::ScopedSECKEYPublicKey GetRSAPublicKey(const std::vector<uint8>& input) {
-  // First, decode and save the public key.
-  SECItem key_der;
-  key_der.type = siBuffer;
-  key_der.data = const_cast<unsigned char*>(&input[0]);
-  key_der.len = input.size();
-
-  ScopedPublicKeyInfo spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&key_der));
-  if (!spki)
-    return crypto::ScopedSECKEYPublicKey();
-
-  crypto::ScopedSECKEYPublicKey result(SECKEY_ExtractPublicKey(spki.get()));
-
-  // Make sure the key is an RSA key.. If not, that's an error.
-  if (!result || result->keyType != rsaKey)
-    return crypto::ScopedSECKEYPublicKey();
-  return result.Pass();
-}
-#endif  // defined(USE_NSS_CERTS)
-
 }  // namespace
 
 namespace crypto {
 
 RSAPrivateKey::~RSAPrivateKey() {
   if (key_)
     SECKEY_DestroyPrivateKey(key_);
   if (public_key_)
     SECKEY_DestroyPublicKey(public_key_);
 }
 
 // static
 RSAPrivateKey* RSAPrivateKey::Create(uint16 num_bits) {
   EnsureNSSInit();
 
   ScopedPK11Slot slot(PK11_GetInternalSlot());
-  return CreateWithParams(slot.get(),
-                          num_bits,
-                          false /* not permanent */,
-                          false /* not sensitive */);
+  if (!slot) {
+    NOTREACHED();
+    return nullptr;
+  }
+
+  ScopedSECKEYPublicKey public_key;
+  ScopedSECKEYPrivateKey private_key;
+  if (!GenerateRSAKeyPairNSS(slot.get(), num_bits, false /* not permanent */,
+                             &public_key, &private_key)) {
+    return nullptr;
+  }
+
+  RSAPrivateKey* rsa_key = new RSAPrivateKey;
+  rsa_key->public_key_ = public_key.release();
+  rsa_key->key_ = private_key.release();
+  return rsa_key;
 }
 
 // static
 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfo(
     const std::vector<uint8>& input) {
   EnsureNSSInit();
 
   ScopedPK11Slot slot(PK11_GetInternalSlot());
-  return CreateFromPrivateKeyInfoWithParams(
-      slot.get(),
-      input,
-      false /* not permanent */,
-      false /* not sensitive */);
+  if (!slot) {
+    NOTREACHED();
+    return nullptr;
+  }
+  ScopedSECKEYPrivateKey key(ImportNSSKeyFromPrivateKeyInfo(
+      slot.get(), input, false /* not permanent */));
+  if (!key || SECKEY_GetPrivateKeyType(key.get()) != rsaKey)
+    return nullptr;
+  return RSAPrivateKey::CreateFromKey(key.get());
 }
 
 // static
 RSAPrivateKey* RSAPrivateKey::CreateFromKey(SECKEYPrivateKey* key) {
   DCHECK(key);
   if (SECKEY_GetPrivateKeyType(key) != rsaKey)
     return NULL;
   RSAPrivateKey* copy = new RSAPrivateKey();
   copy->key_ = SECKEY_CopyPrivateKey(key);
   copy->public_key_ = SECKEY_ConvertToPublicKey(key);
   if (!copy->key_ || !copy->public_key_) {
     NOTREACHED();
     delete copy;
     return NULL;
   }
   return copy;
 }
 
-#if defined(USE_NSS_CERTS)
-// static
-RSAPrivateKey* RSAPrivateKey::CreateSensitive(PK11SlotInfo* slot,
-                                              uint16 num_bits) {
-  return CreateWithParams(slot,
-                          num_bits,
-                          true /* permanent */,
-                          true /* sensitive */);
-}
-
-// static
-RSAPrivateKey* RSAPrivateKey::CreateSensitiveFromPrivateKeyInfo(
-    PK11SlotInfo* slot,
-    const std::vector<uint8>& input) {
-  return CreateFromPrivateKeyInfoWithParams(slot,
-                                            input,
-                                            true /* permanent */,
-                                            true /* sensitive */);
-}
-
-// static
-RSAPrivateKey* RSAPrivateKey::FindFromPublicKeyInfo(
-    const std::vector<uint8>& input) {
-  scoped_ptr<RSAPrivateKey> result(InitPublicPart(input));
-  if (!result)
-    return NULL;
-
-  ScopedSECItem ck_id(
-      PK11_MakeIDFromPubKey(&(result->public_key_->u.rsa.modulus)));
-  if (!ck_id.get()) {
-    NOTREACHED();
-    return NULL;
-  }
-
-  // Search all slots in all modules for the key with the given ID.
-  AutoSECMODListReadLock auto_lock;
-  SECMODModuleList* head = SECMOD_GetDefaultModuleList();
-  for (SECMODModuleList* item = head; item != NULL; item = item->next) {
-    int slot_count = item->module->loaded ? item->module->slotCount : 0;
-    for (int i = 0; i < slot_count; i++) {
-      // Finally...Look for the key!
-      result->key_ = PK11_FindKeyByKeyID(item->module->slots[i],
-                                         ck_id.get(), NULL);
-      if (result->key_)
-        return result.release();
-    }
-  }
-
-  // We didn't find the key.
-  return NULL;
-}
-
-// static
-RSAPrivateKey* RSAPrivateKey::FindFromPublicKeyInfoInSlot(
-    const std::vector<uint8>& input,
-    PK11SlotInfo* slot) {
-  if (!slot)
-    return NULL;
-
-  scoped_ptr<RSAPrivateKey> result(InitPublicPart(input));
-  if (!result)
-    return NULL;
-
-  ScopedSECItem ck_id(
-      PK11_MakeIDFromPubKey(&(result->public_key_->u.rsa.modulus)));
-  if (!ck_id.get()) {
-    NOTREACHED();
-    return NULL;
-  }
-
-  result->key_ = PK11_FindKeyByKeyID(slot, ck_id.get(), NULL);
-  if (!result->key_)
-    return NULL;
-  return result.release();
-}
-#endif
-
 RSAPrivateKey* RSAPrivateKey::Copy() const {
   RSAPrivateKey* copy = new RSAPrivateKey();
   copy->key_ = SECKEY_CopyPrivateKey(key_);
   copy->public_key_ = SECKEY_CopyPublicKey(public_key_);
   return copy;
 }
 
 bool RSAPrivateKey::ExportPrivateKey(std::vector<uint8>* output) const {
   PrivateKeyInfoCodec private_key_info(true);
 
@@ skipping 24 matching lines @@
   }
 
   output->assign(der_pubkey->data, der_pubkey->data + der_pubkey->len);
   return true;
 }
 
 RSAPrivateKey::RSAPrivateKey() : key_(NULL), public_key_(NULL) {
   EnsureNSSInit();
 }
 
-// static
-RSAPrivateKey* RSAPrivateKey::CreateWithParams(PK11SlotInfo* slot,
-                                               uint16 num_bits,
-                                               bool permanent,
-                                               bool sensitive) {
-  if (!slot)
-    return NULL;
-
-  scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey);
-
-  PK11RSAGenParams param;
-  param.keySizeInBits = num_bits;
-  param.pe = 65537L;
-  result->key_ = PK11_GenerateKeyPair(slot,
-                                      CKM_RSA_PKCS_KEY_PAIR_GEN,
-                                      &param,
-                                      &result->public_key_,
-                                      permanent,
-                                      sensitive,
-                                      NULL);
-  if (!result->key_)
-    return NULL;
-
-  return result.release();
-}
-
-// static
-RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfoWithParams(
-    PK11SlotInfo* slot,
-    const std::vector<uint8>& input,
-    bool permanent,
-    bool sensitive) {
-  if (!slot)
-    return NULL;
-
-  scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey);
-
-  ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
-  if (!arena) {
-    NOTREACHED();
-    return NULL;
-  }
-
-  // Excess data is illegal, but NSS silently accepts it, so first ensure that
-  // |input| consists of a single ASN.1 element.
-  SECItem input_item;
-  input_item.data = const_cast<unsigned char*>(&input.front());
-  input_item.len = input.size();
-  SECItem der_private_key_info;
-  SECStatus rv = SEC_QuickDERDecodeItem(arena.get(), &der_private_key_info,
-                                        SEC_ASN1_GET(SEC_AnyTemplate),
-                                        &input_item);
-  if (rv != SECSuccess)
-    return NULL;
-
-  // Allow the private key to be used for key unwrapping, data decryption,
-  // and signature generation.
-  const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT |
-                                 KU_DIGITAL_SIGNATURE;
-  rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
-      slot, &der_private_key_info, NULL, NULL, permanent, sensitive,
-      key_usage, &result->key_, NULL);
-  if (rv != SECSuccess)
-    return NULL;
-
-  result->public_key_ = SECKEY_ConvertToPublicKey(result->key_);
-  if (!result->public_key_)
-    return NULL;
-
-  return result.release();
-}
-
-#if defined(USE_NSS_CERTS)
-// static
-RSAPrivateKey* RSAPrivateKey::InitPublicPart(const std::vector<uint8>& input) {
-  EnsureNSSInit();
-
-  scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey());
-  result->public_key_ = GetRSAPublicKey(input).release();
-  if (!result->public_key_) {
-    NOTREACHED();
-    return NULL;
-  }
-
-  return result.release();
-}
-#endif  // defined(USE_NSS_CERTS)
-
 }  // namespace crypto