| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.
h" | 5 #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.
h" |
| 6 | 6 |
| 7 #include <cryptohi.h> | 7 #include <cryptohi.h> |
| 8 #include <keyhi.h> | |
| 9 | 8 |
| 10 #include "base/base64.h" | 9 #include "base/base64.h" |
| 11 #include "base/bind.h" | 10 #include "base/bind.h" |
| 12 #include "base/location.h" | 11 #include "base/location.h" |
| 13 #include "base/logging.h" | 12 #include "base/logging.h" |
| 14 #include "base/memory/ref_counted.h" | 13 #include "base/memory/ref_counted.h" |
| 15 #include "base/prefs/pref_registry_simple.h" | 14 #include "base/prefs/pref_registry_simple.h" |
| 16 #include "base/prefs/pref_service.h" | 15 #include "base/prefs/pref_service.h" |
| 17 #include "base/prefs/scoped_user_pref_update.h" | 16 #include "base/prefs/scoped_user_pref_update.h" |
| 18 #include "base/single_thread_task_runner.h" | 17 #include "base/single_thread_task_runner.h" |
| 19 #include "base/thread_task_runner_handle.h" | 18 #include "base/thread_task_runner_handle.h" |
| 20 #include "base/threading/worker_pool.h" | 19 #include "base/threading/worker_pool.h" |
| 21 #include "base/time/time.h" | 20 #include "base/time/time.h" |
| 22 #include "base/values.h" | 21 #include "base/values.h" |
| 23 #include "chrome/browser/browser_process.h" | 22 #include "chrome/browser/browser_process.h" |
| 24 #include "chrome/common/pref_names.h" | 23 #include "chrome/common/pref_names.h" |
| 25 #include "content/public/browser/browser_thread.h" | 24 #include "content/public/browser/browser_thread.h" |
| 26 #include "crypto/nss_key_util.h" | |
| 27 #include "crypto/nss_util_internal.h" | 25 #include "crypto/nss_util_internal.h" |
| 26 #include "crypto/rsa_private_key.h" |
| 28 #include "crypto/scoped_nss_types.h" | 27 #include "crypto/scoped_nss_types.h" |
| 29 | 28 |
| 30 namespace { | 29 namespace { |
| 31 | 30 |
| 32 // The modulus length for RSA keys used by easy sign-in. | 31 // The modulus length for RSA keys used by easy sign-in. |
| 33 const int kKeyModulusLength = 2048; | 32 const int kKeyModulusLength = 2048; |
| 34 | 33 |
| 35 // Relays |GetSystemSlotOnIOThread| callback to |response_task_runner|. | 34 // Relays |GetSystemSlotOnIOThread| callback to |response_task_runner|. |
| 36 void RunCallbackOnThreadRunner( | 35 void RunCallbackOnThreadRunner( |
| 37 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, | 36 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, |
| (...skipping 13 matching lines...) Expand all Loading... |
| 51 | 50 |
| 52 crypto::ScopedPK11Slot system_slot = | 51 crypto::ScopedPK11Slot system_slot = |
| 53 crypto::GetSystemNSSKeySlot(callback_on_origin_thread); | 52 crypto::GetSystemNSSKeySlot(callback_on_origin_thread); |
| 54 if (system_slot) | 53 if (system_slot) |
| 55 callback_on_origin_thread.Run(system_slot.Pass()); | 54 callback_on_origin_thread.Run(system_slot.Pass()); |
| 56 } | 55 } |
| 57 | 56 |
| 58 // Checks if a private RSA key associated with |public_key| can be found in | 57 // Checks if a private RSA key associated with |public_key| can be found in |
| 59 // |slot|. | 58 // |slot|. |
| 60 // Must be called on a worker thread. | 59 // Must be called on a worker thread. |
| 61 crypto::ScopedSECKEYPrivateKey GetPrivateKeyOnWorkerThread( | 60 scoped_ptr<crypto::RSAPrivateKey> GetPrivateKeyOnWorkerThread( |
| 62 PK11SlotInfo* slot, | 61 PK11SlotInfo* slot, |
| 63 const std::string& public_key) { | 62 const std::string& public_key) { |
| 64 const uint8* public_key_uint8 = | 63 const uint8* public_key_uint8 = |
| 65 reinterpret_cast<const uint8*>(public_key.data()); | 64 reinterpret_cast<const uint8*>(public_key.data()); |
| 66 std::vector<uint8> public_key_vector( | 65 std::vector<uint8> public_key_vector( |
| 67 public_key_uint8, public_key_uint8 + public_key.size()); | 66 public_key_uint8, public_key_uint8 + public_key.size()); |
| 68 | 67 |
| 69 crypto::ScopedSECKEYPrivateKey rsa_key( | 68 scoped_ptr<crypto::RSAPrivateKey> rsa_key( |
| 70 crypto::FindNSSKeyFromPublicKeyInfoInSlot(public_key_vector, slot)); | 69 crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key_vector)); |
| 71 if (!rsa_key || SECKEY_GetPrivateKeyType(rsa_key.get()) != rsaKey) | 70 if (!rsa_key || rsa_key->key()->pkcs11Slot != slot) |
| 72 return nullptr; | 71 return scoped_ptr<crypto::RSAPrivateKey>(); |
| 73 return rsa_key.Pass(); | 72 return rsa_key.Pass(); |
| 74 } | 73 } |
| 75 | 74 |
| 76 // Signs |data| using a private key associated with |public_key| and stored in | 75 // Signs |data| using a private key associated with |public_key| and stored in |
| 77 // |slot|. Once the data is signed, callback is run on |response_task_runner|. | 76 // |slot|. Once the data is signed, callback is run on |response_task_runner|. |
| 78 // In case of an error, the callback will be passed an empty string. | 77 // In case of an error, the callback will be passed an empty string. |
| 79 void SignDataOnWorkerThread( | 78 void SignDataOnWorkerThread( |
| 80 crypto::ScopedPK11Slot slot, | 79 crypto::ScopedPK11Slot slot, |
| 81 const std::string& public_key, | 80 const std::string& public_key, |
| 82 const std::string& data, | 81 const std::string& data, |
| 83 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, | 82 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, |
| 84 const base::Callback<void(const std::string&)>& callback) { | 83 const base::Callback<void(const std::string&)>& callback) { |
| 85 crypto::ScopedSECKEYPrivateKey private_key( | 84 scoped_ptr<crypto::RSAPrivateKey> private_key( |
| 86 GetPrivateKeyOnWorkerThread(slot.get(), public_key)); | 85 GetPrivateKeyOnWorkerThread(slot.get(), public_key)); |
| 87 if (!private_key) { | 86 if (!private_key) { |
| 88 LOG(ERROR) << "Private key for signing data not found"; | 87 LOG(ERROR) << "Private key for signing data not found"; |
| 89 response_task_runner->PostTask(FROM_HERE, | 88 response_task_runner->PostTask(FROM_HERE, |
| 90 base::Bind(callback, std::string())); | 89 base::Bind(callback, std::string())); |
| 91 return; | 90 return; |
| 92 } | 91 } |
| 93 | 92 |
| 94 crypto::ScopedSECItem sign_result(SECITEM_AllocItem(NULL, NULL, 0)); | 93 crypto::ScopedSECItem sign_result(SECITEM_AllocItem(NULL, NULL, 0)); |
| 95 if (SEC_SignData(sign_result.get(), | 94 if (SEC_SignData(sign_result.get(), |
| 96 reinterpret_cast<const unsigned char*>(data.data()), | 95 reinterpret_cast<const unsigned char*>(data.data()), |
| 97 data.size(), private_key.get(), | 96 data.size(), |
| 97 private_key->key(), |
| 98 SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION) != SECSuccess) { | 98 SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION) != SECSuccess) { |
| 99 LOG(ERROR) << "Failed to sign data"; | 99 LOG(ERROR) << "Failed to sign data"; |
| 100 response_task_runner->PostTask(FROM_HERE, | 100 response_task_runner->PostTask(FROM_HERE, |
| 101 base::Bind(callback, std::string())); | 101 base::Bind(callback, std::string())); |
| 102 return; | 102 return; |
| 103 } | 103 } |
| 104 | 104 |
| 105 std::string signature(reinterpret_cast<const char*>(sign_result->data), | 105 std::string signature(reinterpret_cast<const char*>(sign_result->data), |
| 106 sign_result->len); | 106 sign_result->len); |
| 107 response_task_runner->PostTask(FROM_HERE, base::Bind(callback, signature)); | 107 response_task_runner->PostTask(FROM_HERE, base::Bind(callback, signature)); |
| 108 } | 108 } |
| 109 | 109 |
| 110 // Creates a RSA key pair in |slot|. When done, it runs |callback| with the | 110 // Creates a RSA key pair in |slot|. When done, it runs |callback| with the |
| 111 // created public key on |response_task_runner|. | 111 // created public key on |response_task_runner|. |
| 112 // If |public_key| is not empty, a key pair will be created only if the private | 112 // If |public_key| is not empty, a key pair will be created only if the private |
| 113 // key associated with |public_key| does not exist in |slot|. Otherwise the | 113 // key associated with |public_key| does not exist in |slot|. Otherwise the |
| 114 // callback will be run with |public_key|. | 114 // callback will be run with |public_key|. |
| 115 void CreateTpmKeyPairOnWorkerThread( | 115 void CreateTpmKeyPairOnWorkerThread( |
| 116 crypto::ScopedPK11Slot slot, | 116 crypto::ScopedPK11Slot slot, |
| 117 const std::string& public_key, | 117 const std::string& public_key, |
| 118 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, | 118 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, |
| 119 const base::Callback<void(const std::string&)>& callback) { | 119 const base::Callback<void(const std::string&)>& callback) { |
| 120 if (!public_key.empty() && | 120 if (!public_key.empty() && |
| 121 GetPrivateKeyOnWorkerThread(slot.get(), public_key)) { | 121 GetPrivateKeyOnWorkerThread(slot.get(), public_key)) { |
| 122 response_task_runner->PostTask(FROM_HERE, base::Bind(callback, public_key)); | 122 response_task_runner->PostTask(FROM_HERE, base::Bind(callback, public_key)); |
| 123 return; | 123 return; |
| 124 } | 124 } |
| 125 | 125 |
| 126 crypto::ScopedSECKEYPublicKey public_key_obj; | 126 scoped_ptr<crypto::RSAPrivateKey> rsa_key( |
| 127 crypto::ScopedSECKEYPrivateKey private_key_obj; | 127 crypto::RSAPrivateKey::CreateSensitive(slot.get(), kKeyModulusLength)); |
| 128 if (!crypto::GenerateRSAKeyPairNSS(slot.get(), kKeyModulusLength, | 128 if (!rsa_key) { |
| 129 true /* permanent */, &public_key_obj, | |
| 130 &private_key_obj)) { | |
| 131 LOG(ERROR) << "Failed to create an RSA key."; | 129 LOG(ERROR) << "Failed to create an RSA key."; |
| 132 response_task_runner->PostTask(FROM_HERE, | 130 response_task_runner->PostTask(FROM_HERE, |
| 133 base::Bind(callback, std::string())); | 131 base::Bind(callback, std::string())); |
| 134 return; | 132 return; |
| 135 } | 133 } |
| 136 | 134 |
| 137 crypto::ScopedSECItem public_key_der( | 135 std::vector<uint8> created_public_key; |
| 138 SECKEY_EncodeDERSubjectPublicKeyInfo(public_key_obj.get())); | 136 if (!rsa_key->ExportPublicKey(&created_public_key)) { |
| 139 if (!public_key_der) { | |
| 140 LOG(ERROR) << "Failed to export public key."; | 137 LOG(ERROR) << "Failed to export public key."; |
| 141 response_task_runner->PostTask(FROM_HERE, | 138 response_task_runner->PostTask(FROM_HERE, |
| 142 base::Bind(callback, std::string())); | 139 base::Bind(callback, std::string())); |
| 143 return; | 140 return; |
| 144 } | 141 } |
| 145 | 142 |
| 146 response_task_runner->PostTask( | 143 response_task_runner->PostTask( |
| 147 FROM_HERE, base::Bind(callback, std::string(reinterpret_cast<const char*>( | 144 FROM_HERE, |
| 148 public_key_der->data), | 145 base::Bind(callback, |
| 149 public_key_der->len))); | 146 std::string(created_public_key.begin(), |
| 147 created_public_key.end()))); |
| 150 } | 148 } |
| 151 | 149 |
| 152 } // namespace | 150 } // namespace |
| 153 | 151 |
| 154 // static | 152 // static |
| 155 void EasyUnlockTpmKeyManager::RegisterLocalStatePrefs( | 153 void EasyUnlockTpmKeyManager::RegisterLocalStatePrefs( |
| 156 PrefRegistrySimple* registry) { | 154 PrefRegistrySimple* registry) { |
| 157 registry->RegisterDictionaryPref(prefs::kEasyUnlockLocalStateTpmKeys); | 155 registry->RegisterDictionaryPref(prefs::kEasyUnlockLocalStateTpmKeys); |
| 158 } | 156 } |
| 159 | 157 |
| (...skipping 188 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 348 // If key creation failed, reset the state machine. | 346 // If key creation failed, reset the state machine. |
| 349 create_tpm_key_state_ = | 347 create_tpm_key_state_ = |
| 350 public_key.empty() ? CREATE_TPM_KEY_NOT_STARTED : CREATE_TPM_KEY_DONE; | 348 public_key.empty() ? CREATE_TPM_KEY_NOT_STARTED : CREATE_TPM_KEY_DONE; |
| 351 } | 349 } |
| 352 | 350 |
| 353 void EasyUnlockTpmKeyManager::OnDataSigned( | 351 void EasyUnlockTpmKeyManager::OnDataSigned( |
| 354 const base::Callback<void(const std::string&)>& callback, | 352 const base::Callback<void(const std::string&)>& callback, |
| 355 const std::string& signature) { | 353 const std::string& signature) { |
| 356 callback.Run(signature); | 354 callback.Run(signature); |
| 357 } | 355 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1118263003:
Revert of Don't use RSAPrivateKey in NSS integration code. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-refactor