Added NetworkingPrivateCrypto and its unit test.

chrome/browser/extensions/api/networking_private/networking_private_crypto.h

Index: chrome/browser/extensions/api/networking_private/networking_private_crypto.h
diff --git a/chrome/browser/extensions/api/networking_private/networking_private_crypto.h b/chrome/browser/extensions/api/networking_private/networking_private_crypto.h
new file mode 100644
index 0000000000000000000000000000000000000000..962aef9ddbd57749158419dcf6d81c16f8c4084b
--- /dev/null
+++ b/chrome/browser/extensions/api/networking_private/networking_private_crypto.h
@@ -0,0 +1,63 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Implementation of Crypto support for networking private API.
+
+#ifndef CHROME_BROWSER_EXTENSIONS_API_NETWORKING_PRIVATE_NETWORKING_PRIVATE_CRYPTO_H_
+#define CHROME_BROWSER_EXTENSIONS_API_NETWORKING_PRIVATE_NETWORKING_PRIVATE_CRYPTO_H_
+
+#include <string>
+#include "base/basictypes.h"
+
+// Forward declaration.
+typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey;
+typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
+typedef struct CERTCertificateStr CERTCertificate;
+
+class NetworkingPrivateCrypto {
+ public:
+  NetworkingPrivateCrypto();
+  ~NetworkingPrivateCrypto();
+  // Verify that the destination described by |certificate| is valid.

[Ryan Sleevi, 2013/08/28 19:02:37]

nit: line break between dtor.

[mef, 2013/08/28 21:28:58]

Done.

+  //
+  // 1) The MAC address listed in the certificate matches |connected_mac|.
+  // 2) The certificate is a valid PEM encoded certificate signed by our
+  //    trusted CA.

[Ryan Sleevi, 2013/08/28 19:02:37]

comment nit: drop our. Explain exactly what the requirements are without the use
of possessive pronouns.

[mef, 2013/08/28 21:28:58]

Done. This comment was copied from original code.

+  // 3) |signed_data| matches the hashed |unsigned_data| encrypted with
+  //    the public key in |certificate|.

[Ryan Sleevi, 2013/08/28 19:02:37]

nit: "Verify that the destination" describes what it does, but then you say
"VerifyCredentials" for the name. It seems like the comment and name should be
in alignment.

[mef, 2013/08/28 21:28:58]

Done. This comment was copied from original code.

+  bool VerifyCredentials(const std::string& certificate,
+                         const std::string& signed_data,
+                         const std::string& unsigned_data,
+                         const std::string& connected_mac);
+
+  // Encrypt |data| with |public_key|.  |public_key| is the raw bytes of a key
+  // in
+  // RSAPublicKey format.  |data| is some string of bytes smaller than the

[Ryan Sleevi, 2013/08/28 19:02:37]

nit: comment style - awkward line wrap.
nit: Use StringPiece rather than string?

[mef, 2013/08/28 21:28:58]

Done.

+  // maximum length permissable for encryption with a key of |public_key| size.
+  //
+  // Returns the encrypted result in |encrypted_output| and returns true on
+  // success.  Returns false on failure.

[Ryan Sleevi, 2013/08/28 19:02:37]

nit: Returns true on success, storing the encrypted result in
|encrypted_output|.

drop the "Returns false"

[mef, 2013/08/28 21:28:58]

Done.

+  bool EncryptByteString(const std::string& public_key,
+                         const std::string& data,
+                         std::string* encrypted_output);
+
+  // Decrypt |encrypted_data| with |private_key_pem|. |private_key_pem| is the
+  // PEM-encoded private key. |encrypted_data| is data encrypted with

[Ryan Sleevi, 2013/08/28 19:02:37]

nit: "PEM-encoded private key" is an undefined format. Please clarify.

[mef, 2013/08/28 21:28:58]

Done.

+  // EncryptByteString.
+  // Returns the decrypted result in |decrypted_output| and returns true on
+  // success.  Returns false on failure.

[Ryan Sleevi, 2013/08/28 19:02:37]

nit: same comments as above apply here.

[mef, 2013/08/28 21:28:58]

Done.

+  bool DecryptByteString(const std::string& private_key_pem,
+                         const std::string& encrypted_data,
+                         std::string* decrypted_output);
+
+ private:
+  SECKEYPublicKey* ca_public_key_;

[mef, 2013/08/28 18:05:59]

These member variables are here only to ease the cleanup (in destructor). Is
there some better way to employ something like scoped_ptr for NSS objects?

[Ryan Sleevi, 2013/08/28 19:02:37]

Using the NSS objects directly here presumes !Android, which is a big
presumption, however accurate.

It would be better to use a pimpl/context type that you keep hidden here. eg:

private:
  struct [some name here];
  scoped_ptr<[some name here]> context_;

The compiler should (IIRC) be able to undo the double pointer indirection.

[mef, 2013/08/28 21:28:58]

Done.

+  SECKEYPublicKey* cert_public_key_;
+  CERTCertificate* cert_;
+  SECKEYPublicKey* enc_public_key_;

[Ryan Sleevi, 2013/08/28 19:02:37]

nit: Naming

enc_ is not a clear abbreviation.

[mef, 2013/08/28 21:28:58]

Done.

+
+  DISALLOW_COPY_AND_ASSIGN(NetworkingPrivateCrypto);
+};
+
+#endif  // CHROME_BROWSER_EXTENSIONS_API_NETWORKING_PRIVATE_NETWORKING_PRIVATE_CRYPTO_H_