Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(866)

Unified Diff: net/ssl/token_binding.cc

Issue 2013303002: Update Token Binding code to draft 06 (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: net/ssl/token_binding.cc
diff --git a/net/ssl/token_binding.cc b/net/ssl/token_binding.cc
index 2c9a79f4a03050ee0db58385a6d8c66e7a3584e6..6564bcc1fdfe78c8dc9454efbbb645f7a5a78755 100644
--- a/net/ssl/token_binding.cc
+++ b/net/ssl/token_binding.cc
@@ -31,23 +31,46 @@ bool BuildTokenBindingID(crypto::ECPrivateKey* key, CBB* out) {
CBB_flush(out);
}
+bool ECDSA_SIG_to_raw(ECDSA_SIG* ec_sig,
davidben 2016/06/27 23:39:14 Since these are Chromium functions, probably name
nharper 2016/06/27 23:58:30 Done.
+ EC_KEY* ec,
+ std::vector<uint8_t>* out) {
+ const EC_GROUP* group = EC_KEY_get0_group(ec);
+ const BIGNUM* order = EC_GROUP_get0_order(group);
+ size_t len = BN_num_bytes(order);
+ out->resize(2 * len);
+ if (!BN_bn2bin_padded(out->data(), len, ec_sig->r) ||
+ !BN_bn2bin_padded(out->data() + len, len, ec_sig->s)) {
+ return false;
+ }
+ return true;
+}
+
+ECDSA_SIG* raw_to_ECDSA_SIG(EC_KEY* ec, base::StringPiece sig) {
+ crypto::ScopedECDSA_SIG raw_sig(ECDSA_SIG_new());
+ const EC_GROUP* group = EC_KEY_get0_group(ec);
+ const BIGNUM* order = EC_GROUP_get0_order(group);
+ size_t group_size = BN_num_bytes(order);
+ if (sig.size() != group_size * 2)
+ return nullptr;
+ const uint8_t* sigp = reinterpret_cast<const uint8_t*>(sig.data());
+ if (BN_bin2bn(sigp, group_size, raw_sig->r) == nullptr ||
+ BN_bin2bn(sigp + group_size, group_size, raw_sig->s) == nullptr) {
davidben 2016/06/27 23:39:15 Nit: I think Chromium prefers if (!BN_bin2bn(...)
nharper 2016/06/27 23:58:30 Done.
+ return nullptr;
+ }
+ return raw_sig.release();
+}
+
} // namespace
bool SignTokenBindingEkm(base::StringPiece ekm,
crypto::ECPrivateKey* key,
std::vector<uint8_t>* out) {
- size_t sig_len;
const uint8_t* ekm_data = reinterpret_cast<const uint8_t*>(ekm.data());
- crypto::ScopedEVP_PKEY_CTX pctx(EVP_PKEY_CTX_new(key->key(), nullptr));
- if (!EVP_PKEY_sign_init(pctx.get()) ||
- !EVP_PKEY_sign(pctx.get(), nullptr, &sig_len, ekm_data, ekm.size())) {
- return false;
- }
- out->resize(sig_len);
- if (!EVP_PKEY_sign(pctx.get(), out->data(), &sig_len, ekm_data, ekm.size()))
+ EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(key->key());
+ if (!ec_key)
return false;
- out->resize(sig_len);
- return true;
+ crypto::ScopedECDSA_SIG sig(ECDSA_do_sign(ekm_data, ekm.size(), ec_key));
+ return ECDSA_SIG_to_raw(sig.get(), ec_key, out);
davidben 2016/06/27 23:39:15 Nit: Check for !sig in case that failed? (I'm like
nharper 2016/06/27 23:58:30 Done.
}
Error BuildTokenBindingMessageFromTokenBindings(
@@ -145,18 +168,11 @@ bool VerifyEKMSignature(base::StringPiece ec_point,
reinterpret_cast<const uint8_t*>(ec_point.data());
if (o2i_ECPublicKey(&keyp, &ec_point_data, ec_point.size()) != key.get())
return false;
- crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
- if (!EVP_PKEY_assign_EC_KEY(pkey.get(), key.release()))
+ crypto::ScopedECDSA_SIG sig(raw_to_ECDSA_SIG(keyp, signature));
+ if (!sig.get())
davidben 2016/06/27 23:39:15 Nit: if (!sig)
nharper 2016/06/27 23:58:30 Done.
return false;
- crypto::ScopedEVP_PKEY_CTX pctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
- if (!EVP_PKEY_verify_init(pctx.get()) ||
- !EVP_PKEY_verify(
- pctx.get(), reinterpret_cast<const uint8_t*>(signature.data()),
- signature.size(), reinterpret_cast<const uint8_t*>(ekm.data()),
- ekm.size())) {
- return false;
- }
- return true;
+ return 0 != ECDSA_do_verify(reinterpret_cast<const uint8_t*>(ekm.data()),
+ ekm.size(), sig.get(), keyp);
davidben 2016/06/27 23:39:15 Nit: I think I've usually seen !! as the "cast int
nharper 2016/06/27 23:58:30 Done.
}
} // namespace net

Powered by Google App Engine
This is Rietveld 408576698