Chromium Code Reviews Chromium Code Reviews
Issue 12220104:
Wire up SSL client authentication for OpenSSL/Android through the net/ stack (Closed)
Base URL: http://git.chromium.org/chromium/src.git@master| Index: net/base/openssl_private_key_store.cc |
| diff --git a/net/base/openssl_private_key_store.cc b/net/base/openssl_private_key_store.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..636fdf99887acd570ce8dd5ba293eb38c6c90d38 |
| --- /dev/null |
| +++ b/net/base/openssl_private_key_store.cc |
| @@ -0,0 +1,131 @@ |
| +// Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "net/base/openssl_private_key_store.h" |
| + |
| +#include <openssl/evp.h> |
| +#include <openssl/x509.h> |
| + |
| +#include "base/memory/scoped_ptr.h" |
| +#include "net/base/x509_certificate.h" |
| + |
| +namespace net { |
| + |
| +namespace { |
| + |
| +typedef OpenSSLPrivateKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY; |
|
Ryan Sleevi
2013/02/15 23:53:26
Is this typedef really necessary? You don't use it
digit1
2013/02/25 14:26:22
Yes, I prefer to use it, and I've fixed line 31 ac
|
| + |
| +// Increment the reference count of a given EVP_PKEY. This function |
| +// is not available from the OpenSSL version used by Chromium at the |
| +// moment. |
| +EVP_PKEY* EVP_PKEY_dup(EVP_PKEY* key) { |
| + if (key != NULL) |
| + CRYPTO_add(&key->references, 1, CRYPTO_LOCK_EVP_PKEY); |
| + return key; |
| +} |
| + |
| +// Return the EVP_PKEY holding the public key of a given certificate. |
| +// |cert| is a certificate. |
| +// Returns a scoped EVP_PKEY for it. |
| +OpenSSLPrivateKeyStore::ScopedEVP_PKEY GetOpenSSLPublicKey( |
| + const X509Certificate* cert) { |
| + // X509_PUBKEY_get() increments the reference count of its result. |
| + // Unlike X509_get_X509_PUBKEY() which simply returns a direct pointer. |
| + EVP_PKEY* pkey = |
| + X509_PUBKEY_get(X509_get_X509_PUBKEY(cert->os_cert_handle())); |
| + if (!pkey) |
| + LOG(ERROR) << "Can't extract private key from certificate!"; |
| + return ScopedEVP_PKEY(pkey); |
| +} |
| + |
| +} // namespace |
| + |
| +// The constructor and destructor are _not_ inlined intentionally to |
| +// avoid the following Clang build error on the bots: |
| +// error: [chromium-style] Complex constructor has an inlined body. |
|
Ryan Sleevi
2013/02/15 23:53:26
This comment is unnecessary.
digit1
2013/02/25 14:26:22
I've removed it.
|
| +OpenSSLPrivateKeyStore::OpenSSLPrivateKeyStore() { |
| +} |
| + |
| +OpenSSLPrivateKeyStore::~OpenSSLPrivateKeyStore() { |
| +} |
| + |
| +OpenSSLPrivateKeyStore::KeyPair::KeyPair(EVP_PKEY* pub_key, |
| + EVP_PKEY* priv_key) { |
| + public_key_ = EVP_PKEY_dup(pub_key); |
| + private_key_ = EVP_PKEY_dup(priv_key); |
| +} |
| + |
| +OpenSSLPrivateKeyStore::KeyPair::~KeyPair() { |
| + EVP_PKEY_free(public_key_); |
| + EVP_PKEY_free(private_key_); |
| +} |
| + |
| +OpenSSLPrivateKeyStore::KeyPair::KeyPair(const KeyPair& other) { |
| + public_key_ = EVP_PKEY_dup(other.public_key_); |
| + private_key_ = EVP_PKEY_dup(other.private_key_); |
| +} |
| + |
| +int OpenSSLPrivateKeyStore::FindKeyPairIndexLocked(EVP_PKEY* public_key) { |
| + if (!public_key) |
| + return -1; |
| + for (size_t n = 0; n < pairs_.size(); ++n) { |
| + if (EVP_PKEY_cmp(pairs_[n].public_key_, public_key) == 1) |
| + return static_cast<int>(n); |
| + } |
| + return -1; |
| +} |
| + |
| +void OpenSSLPrivateKeyStore::AddKeyPair(EVP_PKEY* pub_key, |
| + EVP_PKEY* private_key) { |
| + base::AutoLock lock(lock_); |
| + int index = FindKeyPairIndexLocked(pub_key); |
| + if (index < 0) |
| + pairs_.push_back(KeyPair(pub_key, private_key)); |
| +} |
| + |
| +// Common code for OpenSSLPrivateKeyStore. Shared by all OpenSSL-based |
| +// builds. |
| +bool OpenSSLPrivateKeyStore::RecordClientCertPrivateKey( |
| + const X509Certificate* client_cert, EVP_PKEY* private_key) { |
| + // Sanity check. |
| + if (client_cert == NULL || private_key == NULL) |
| + return false; |
| + |
| + // Get public key from certificate. |
| + ScopedEVP_PKEY pub_key(GetOpenSSLPublicKey(client_cert)); |
| + if (!pub_key.get()) |
| + return false; |
| + |
| + AddKeyPair(pub_key.get(), private_key); |
| + return true; |
| +} |
| + |
| +bool OpenSSLPrivateKeyStore::FetchClientCertPrivateKey( |
| + const X509Certificate* client_cert, |
| + ScopedEVP_PKEY* private_key) { |
| + if (!client_cert) |
| + return false; |
| + |
| + ScopedEVP_PKEY pub_key(GetOpenSSLPublicKey(client_cert)); |
| + if (!pub_key.get()) |
| + return false; |
| + |
| + base::AutoLock lock(lock_); |
| + int index = FindKeyPairIndexLocked(pub_key.get()); |
| + if (index < 0) |
| + return false; |
| + |
| + ScopedEVP_PKEY result(EVP_PKEY_dup(pairs_[index].private_key_)); |
| + private_key->swap(result); |
| + return true; |
| +} |
| + |
| +void OpenSSLPrivateKeyStore::Flush() { |
| + base::AutoLock lock(lock_); |
| + pairs_.clear(); |
| +} |
| + |
| +} // namespace net |
| + |
| + |
