Per discussion, implement the Omaha Client Update Protocol (CUP) in src/crypto.

google_apis/cup/client_update_protocol_nss.cc

Index: google_apis/cup/client_update_protocol_nss.cc
===================================================================
--- google_apis/cup/client_update_protocol_nss.cc	(revision 0)
+++ google_apis/cup/client_update_protocol_nss.cc	(revision 0)
@@ -0,0 +1,112 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "google_apis/cup/client_update_protocol.h"
+
+#include <keyhi.h>
+#include <pk11pub.h>
+#include <seccomon.h>
+
+#include "base/logging.h"
+#include "crypto/nss_util.h"
+#include "crypto/scoped_nss_types.h"
+
+typedef scoped_ptr_malloc<
+    CERTSubjectPublicKeyInfo,
+    crypto::NSSDestroyer<CERTSubjectPublicKeyInfo,
+                         SECKEY_DestroySubjectPublicKeyInfo> >
+    ScopedCERTSubjectPublicKeyInfo;
+
+class NSSCupKeyImpl : public ClientUpdateProtocol::CupKeyImpl {
+ public:
+  NSSCupKeyImpl();
+  virtual ~NSSCupKeyImpl();
+
+  virtual size_t PublicKeyLength() const OVERRIDE;
+  virtual std::vector<uint8> EncryptKeySource(
+      const std::vector<uint8>& key_source) OVERRIDE;
+
+  bool LoadPublicKey(const base::StringPiece& public_key);
+
+ private:
+  crypto::ScopedSECKEYPublicKey public_key_;
+};
+
+NSSCupKeyImpl::NSSCupKeyImpl() {
+  crypto::EnsureNSSInit();
+}
+
+NSSCupKeyImpl::~NSSCupKeyImpl() {
+}
+
+bool NSSCupKeyImpl::LoadPublicKey(const base::StringPiece& public_key) {
+
+  // The binary blob |public_key| is expected to be a DER-encoded ASN.1
+  // Subject Public Key Info.
+  SECItem spki_item;
+  spki_item.type = siBuffer;
+  spki_item.data = (unsigned char*) public_key.data();
+  spki_item.len = static_cast<unsigned int>(public_key.size());
+
+  ScopedCERTSubjectPublicKeyInfo spki(
+      SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
+  if (!spki.get())
+    return false;
+
+  public_key_.reset(SECKEY_ExtractPublicKey(spki.get()));
+  if (!public_key_.get())
+    return false;
+
+  if (!PublicKeyLength())
+    return false;
+
+  return true;
+}
+
+size_t NSSCupKeyImpl::PublicKeyLength() const {
+  if (!public_key_.get())
+    return 0;
+
+  return SECKEY_PublicKeyStrength(public_key_.get());
+}
+
+std::vector<uint8> NSSCupKeyImpl::EncryptKeySource(
+    const std::vector<uint8>& key_source) {
+  // WARNING: This call bypasses the usual PKCS #1 padding and does direct RSA
+  // exponentiation.  This is not secure without taking measures to ensure that
+  // the contents of r are suitable.  This is done to remain compatible with
+  // the implementation on the Google Update servers; don't copy-paste this
+  // code arbitrarily and expect it to work and/or remain secure!
+  SECKEYPublicKey* public_key = public_key_.get();
+  if (!public_key)
+    return std::vector<uint8>();
+
+  size_t keysize = SECKEY_PublicKeyStrength(public_key);
+  if (key_source.size() != keysize)
+    return std::vector<uint8>();
+
+  std::vector<uint8> result(keysize);
+  if (SECSuccess != PK11_PubEncryptRaw(
+      public_key,
+      &result[0],
+      const_cast<unsigned char*>(&key_source[0]),
+      key_source.size(),
+      NULL))
+    return std::vector<uint8>();
+
+  return result;
+}
+
+ClientUpdateProtocol::CupKeyImpl* ClientUpdateProtocol::GetCupKeyImpl(
+      const base::StringPiece& public_key) {
+  scoped_ptr<NSSCupKeyImpl> result(new NSSCupKeyImpl());
+  if (!result.get())
+    return NULL;
+
+  if (!result->LoadPublicKey(public_key))
+    return NULL;
+
+  return result.release();
+}
+