Pass JavaRef to Java methods in net.

net/android/keystore_openssl.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/android/keystore_openssl.h"
 
 #include <jni.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/engine.h>
@@ skipping 40 matching lines @@
 //
 // This source file thus defines a custom RSA_METHOD structure whose
 // fields point to static methods used to implement the corresponding
 // RSA operation using platform Android APIs.
 //
 // However, the platform APIs require a jobject JNI reference to work. It must
 // be stored in the RSA instance, or made accessible when the custom RSA
 // methods are called. This is done by storing it in a |KeyExData| structure
 // that's referenced by the key using |EX_DATA|.
 
+using base::android::JavaRef;
 using base::android::ScopedJavaGlobalRef;
 using base::android::ScopedJavaLocalRef;
 
 namespace net {
 namespace android {
 
 namespace {
 
 extern const RSA_METHOD android_rsa_method;
 extern const ECDSA_METHOD android_ecdsa_method;
@@ skipping 151 matching lines @@
       return 0;
     }
     *out_len = ret;
     return 1;
   }
 
   base::StringPiece from_piece(reinterpret_cast<const char*>(in), in_len);
   std::vector<uint8_t> result;
   // For RSA keys, this function behaves as RSA_private_encrypt with
   // PKCS#1 padding.
-  if (!RawSignDigestWithPrivateKey(ex_data->private_key.obj(), from_piece,
-                                   &result)) {
+  if (!RawSignDigestWithPrivateKey(ex_data->private_key, from_piece, &result)) {
     LOG(WARNING) << "Could not sign message in RsaMethodSignRaw!";
     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
     return 0;
   }
 
   size_t expected_size = static_cast<size_t>(RSA_size(rsa));
   if (result.size() > expected_size) {
     LOG(ERROR) << "RSA Signature size mismatch, actual: " << result.size()
                << ", expected <= " << expected_size;
     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
@@ skipping 66 matching lines @@
 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object.
 // |private_key| is the JNI reference (local or global) to the object.
 // |legacy_rsa|, if non-NULL, is a pointer to the system OpenSSL RSA object
 // backing |private_key|. This parameter is only used for Android < 4.2 to
 // implement key operations not exposed by the platform.
 // Returns a new EVP_PKEY on success, NULL otherwise.
 // On success, this creates a new global JNI reference to the object
 // that is owned by and destroyed with the EVP_PKEY. I.e. caller can
 // free |private_key| after the call.
 crypto::ScopedEVP_PKEY CreateRsaPkeyWrapper(
-    jobject private_key,
+    const JavaRef<jobject>& private_key,
     AndroidRSA* legacy_rsa,
     const crypto::OpenSSLErrStackTracer& tracer) {
   crypto::ScopedRSA rsa(RSA_new_method(global_boringssl_engine.Get().engine()));
 
   std::vector<uint8_t> modulus;
   if (!GetRSAKeyModulus(private_key, &modulus)) {
     LOG(ERROR) << "Failed to get private key modulus";
     return nullptr;
   }
 
   std::unique_ptr<KeyExData> ex_data(new KeyExData);
-  ex_data->private_key.Reset(nullptr, private_key);
+  ex_data->private_key.Reset(private_key);
   if (ex_data->private_key.is_null()) {
     LOG(ERROR) << "Could not create global JNI reference";
     return nullptr;
   }
   ex_data->legacy_rsa = legacy_rsa;
   ex_data->cached_size = VectorBignumSize(modulus);
 
   RSA_set_ex_data(rsa.get(), global_boringssl_engine.Get().rsa_ex_index(),
                   ex_data.release());
 
@@ skipping 10 matching lines @@
 // ENGINE we extract in GetRsaLegacyKey.
 //
 // In 4.2, this change avoids the problem:
 // https://android.googlesource.com/platform/libcore/+/106a8928fb4249f2f3d4dba1dddbe73ca5cb3d61
 //
 // https://crbug.com/381465
 class KeystoreEngineWorkaround {
  public:
   KeystoreEngineWorkaround() {}
 
-  void LeakEngine(jobject private_key) {
+  void LeakEngine(const JavaRef<jobject>& private_key) {
     if (!engine_.is_null())
       return;
     ScopedJavaLocalRef<jobject> engine =
         GetOpenSSLEngineForPrivateKey(private_key);
     if (engine.is_null()) {
       NOTREACHED();
       return;
     }
     engine_.Reset(engine);
   }
 
  private:
   ScopedJavaGlobalRef<jobject> engine_;
 };
 
-void LeakEngine(jobject private_key) {
+void LeakEngine(const JavaRef<jobject>& private_key) {
   static base::LazyInstance<KeystoreEngineWorkaround>::Leaky s_instance =
       LAZY_INSTANCE_INITIALIZER;
   s_instance.Get().LeakEngine(private_key);
 }
 
 // Creates an EVP_PKEY wrapper corresponding to the RSA key
 // |private_key|. Returns nullptr on failure.
-crypto::ScopedEVP_PKEY GetRsaPkeyWrapper(jobject private_key) {
+crypto::ScopedEVP_PKEY GetRsaPkeyWrapper(const JavaRef<jobject>& private_key) {
   const int kAndroid42ApiLevel = 17;
   crypto::OpenSSLErrStackTracer tracer(FROM_HERE);
 
   if (base::android::BuildInfo::GetInstance()->sdk_int() >=
       kAndroid42ApiLevel) {
     return CreateRsaPkeyWrapper(private_key, nullptr, tracer);
   }
 
   // Route around platform limitation: if Android < 4.2, then
   // base::android::RawSignDigestWithPrivateKey() cannot work, so try to get the
@@ skipping 18 matching lines @@
     }
   }
 
   return CreateRsaPkeyWrapper(private_key, sys_rsa, tracer);
 }
 
 // Custom ECDSA_METHOD that uses the platform APIs.
 // Note that for now, only signing through ECDSA_sign() is really supported.
 // all other method pointers are either stubs returning errors, or no-ops.
 
-jobject EcKeyGetKey(const EC_KEY* ec_key) {
+const JavaRef<jobject>& EcKeyGetKey(const EC_KEY* ec_key) {
   KeyExData* ex_data = reinterpret_cast<KeyExData*>(EC_KEY_get_ex_data(
       ec_key, global_boringssl_engine.Get().ec_key_ex_index()));
-  return ex_data->private_key.obj();
+  return ex_data->private_key;
 }
 
 size_t EcdsaMethodGroupOrderSize(const EC_KEY* ec_key) {
   KeyExData* ex_data = reinterpret_cast<KeyExData*>(EC_KEY_get_ex_data(
       ec_key, global_boringssl_engine.Get().ec_key_ex_index()));
   return ex_data->cached_size;
 }
 
 int EcdsaMethodSign(const uint8_t* digest,
                     size_t digest_len,
                     uint8_t* sig,
                     unsigned int* sig_len,
                     EC_KEY* ec_key) {
   // Retrieve private key JNI reference.
-  jobject private_key = EcKeyGetKey(ec_key);
-  if (!private_key) {
+  const JavaRef<jobject>& private_key = EcKeyGetKey(ec_key);
+  if (private_key.is_null()) {
     LOG(WARNING) << "Null JNI reference passed to EcdsaMethodSign!";
     return 0;
   }
   // Sign message with it through JNI.
   std::vector<uint8_t> signature;
   base::StringPiece digest_sp(reinterpret_cast<const char*>(digest),
                               digest_len);
   if (!RawSignDigestWithPrivateKey(private_key, digest_sp, &signature)) {
     LOG(WARNING) << "Could not sign message in EcdsaMethodSign!";
     return 0;
@@ skipping 22 matching lines @@
   OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);
   return 0;
 }
 
 // Setup an EVP_PKEY to wrap an existing platform PrivateKey object.
 // |private_key| is the JNI reference (local or global) to the object.
 // Returns a new EVP_PKEY on success, NULL otherwise.
 // On success, this creates a global JNI reference to the object that
 // is owned by and destroyed with the EVP_PKEY. I.e. the caller shall
 // always free |private_key| after the call.
-crypto::ScopedEVP_PKEY GetEcdsaPkeyWrapper(jobject private_key) {
+crypto::ScopedEVP_PKEY GetEcdsaPkeyWrapper(
+    const JavaRef<jobject>& private_key) {
   crypto::OpenSSLErrStackTracer tracer(FROM_HERE);
   crypto::ScopedEC_KEY ec_key(
       EC_KEY_new_method(global_boringssl_engine.Get().engine()));
 
   std::vector<uint8_t> order;
   if (!GetECKeyOrder(private_key, &order)) {
     LOG(ERROR) << "Can't extract order parameter from EC private key";
     return nullptr;
   }
 
   std::unique_ptr<KeyExData> ex_data(new KeyExData);
-  ex_data->private_key.Reset(nullptr, private_key);
+  ex_data->private_key.Reset(private_key);
   if (ex_data->private_key.is_null()) {
     LOG(ERROR) << "Can't create global JNI reference";
     return nullptr;
   }
   ex_data->legacy_rsa = nullptr;
   ex_data->cached_size = VectorBignumSize(order);
 
   EC_KEY_set_ex_data(ec_key.get(),
                      global_boringssl_engine.Get().ec_key_ex_index(),
                      ex_data.release());
@@ skipping 13 matching lines @@
     NULL /* init */,
     NULL /* finish */,
     EcdsaMethodGroupOrderSize,
     EcdsaMethodSign,
     EcdsaMethodVerify,
     ECDSA_FLAG_OPAQUE,
 };
 
 }  // namespace
 
-crypto::ScopedEVP_PKEY GetOpenSSLPrivateKeyWrapper(jobject private_key) {
+crypto::ScopedEVP_PKEY GetOpenSSLPrivateKeyWrapper(
+    const JavaRef<jobject>& private_key) {
   // Create sub key type, depending on private key's algorithm type.
   PrivateKeyType key_type = GetPrivateKeyType(private_key);
   switch (key_type) {
     case PRIVATE_KEY_TYPE_RSA:
       return GetRsaPkeyWrapper(private_key);
     case PRIVATE_KEY_TYPE_ECDSA:
       return GetEcdsaPkeyWrapper(private_key);
     default:
       LOG(WARNING)
           << "GetOpenSSLPrivateKeyWrapper() called with invalid key type";
       return nullptr;
   }
 }
 
 }  // namespace android
 }  // namespace net