Report curve types in ECDSA SSLPrivateKeys.

net/ssl/ssl_platform_key_nss.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <cert.h>
 #include <keyhi.h>
 #include <openssl/bn.h>
+#include <openssl/bytestring.h>
+#include <openssl/ec.h>
+#include <openssl/ec_key.h>
 #include <openssl/ecdsa.h>
 #include <openssl/mem.h>
 #include <openssl/nid.h>
 #include <openssl/rsa.h>
 #include <pk11pub.h>
 #include <prerror.h>
 
 #include <utility>
 
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/sequenced_task_runner.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/cert/x509_certificate.h"
 #include "net/ssl/client_key_store.h"
 #include "net/ssl/ssl_platform_key.h"
-#include "net/ssl/ssl_platform_key_task_runner.h"
+#include "net/ssl/ssl_platform_key_util.h"
 #include "net/ssl/ssl_private_key.h"
 #include "net/ssl/threaded_ssl_private_key.h"
 
 namespace net {
 
 namespace {
 
-void LogPRError() {
+void LogPRError(const char* message) {
   PRErrorCode err = PR_GetError();
   const char* err_name = PR_ErrorToName(err);
   if (err_name == nullptr)
     err_name = "";
-  LOG(ERROR) << "Could not sign digest: " << err << " (" << err_name << ")";
+  LOG(ERROR) << message << ": " << err << " (" << err_name << ")";
 }
 
 class SSLPlatformKeyNSS : public ThreadedSSLPrivateKey::Delegate {
  public:
   SSLPlatformKeyNSS(SSLPrivateKey::Type type,
+                    size_t max_length,
                     crypto::ScopedSECKEYPrivateKey key)
-      : type_(type), key_(std::move(key)) {}
+      : type_(type), max_length_(max_length), key_(std::move(key)) {}
   ~SSLPlatformKeyNSS() override {}
 
   SSLPrivateKey::Type GetType() override { return type_; }
 
   std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override {
     static const SSLPrivateKey::Hash kHashes[] = {
         SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384,
         SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1};
     return std::vector<SSLPrivateKey::Hash>(kHashes,
                                             kHashes + arraysize(kHashes));
   }
 
-  size_t GetMaxSignatureLengthInBytes() override {
-    int len = PK11_SignatureLen(key_.get());
-    if (len <= 0)
-      return 0;
-    // NSS signs raw ECDSA signatures rather than a DER-encoded ECDSA-Sig-Value.
-    if (type_ == SSLPrivateKey::Type::ECDSA)
-      return ECDSA_SIG_max_len(static_cast<size_t>(len) / 2);
-    return static_cast<size_t>(len);
-  }
+  size_t GetMaxSignatureLengthInBytes() override { return max_length_; }
 
   Error SignDigest(SSLPrivateKey::Hash hash,
                    const base::StringPiece& input,
                    std::vector<uint8_t>* signature) override {
     SECItem digest_item;
     digest_item.data =
         const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>(input.data()));
     digest_item.len = input.size();
 
     bssl::UniquePtr<uint8_t> free_digest_info;
@@ skipping 24 matching lines @@
                                 hash_nid, digest_item.data, digest_item.len)) {
         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
       }
       digest_item.len = prefix_len;
       if (is_alloced)
         free_digest_info.reset(digest_item.data);
     }
 
     int len = PK11_SignatureLen(key_.get());
     if (len <= 0) {
-      LogPRError();
+      LogPRError("PK11_SignatureLen failed");
       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
     }
     signature->resize(len);
     SECItem signature_item;
     signature_item.data = signature->data();
     signature_item.len = signature->size();
 
     SECStatus rv = PK11_Sign(key_.get(), &signature_item, &digest_item);
     if (rv != SECSuccess) {
-      LogPRError();
+      LogPRError("PK11_Sign failed");
       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
     }
     signature->resize(signature_item.len);
 
     // NSS emits raw ECDSA signatures, but BoringSSL expects a DER-encoded
     // ECDSA-Sig-Value.
-    if (type_ == SSLPrivateKey::Type::ECDSA) {
+    if (SSLPrivateKey::IsECDSAType(type_)) {
       if (signature->size() % 2 != 0) {
         LOG(ERROR) << "Bad signature length";
         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
       }
       size_t order_len = signature->size() / 2;
 
       // Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
       bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
       if (!sig || !BN_bin2bn(signature->data(), order_len, sig->r) ||
           !BN_bin2bn(signature->data() + order_len, order_len, sig->s)) {
         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
       }
 
       int len = i2d_ECDSA_SIG(sig.get(), nullptr);
       if (len <= 0)
         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
       signature->resize(len);
       uint8_t* ptr = signature->data();
       len = i2d_ECDSA_SIG(sig.get(), &ptr);
       if (len <= 0)
         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
       signature->resize(len);
     }
 
     return OK;
   }
 
  private:
   SSLPrivateKey::Type type_;
+  size_t max_length_;
   crypto::ScopedSECKEYPrivateKey key_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyNSS);
 };
 
 }  // namespace
 
 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(
     X509Certificate* certificate) {
   crypto::ScopedSECKEYPrivateKey key(
       PK11_FindKeyByAnyCert(certificate->os_cert_handle(), nullptr));
   if (!key) {
     return ClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
         *certificate);
   }
 
-  KeyType nss_type = SECKEY_GetPrivateKeyType(key.get());
   SSLPrivateKey::Type type;
-  switch (nss_type) {
-    case rsaKey:
-      type = SSLPrivateKey::Type::RSA;
-      break;
-    case ecKey:
-      type = SSLPrivateKey::Type::ECDSA;
-      break;
-    default:
-      LOG(ERROR) << "Unknown key type: " << nss_type;
-      return nullptr;
-  }
+  size_t max_length;
+  if (!GetClientCertInfo(certificate, &type, &max_length))
+    return nullptr;
+
   return make_scoped_refptr(new ThreadedSSLPrivateKey(
-      base::MakeUnique<SSLPlatformKeyNSS>(type, std::move(key)),
+      base::MakeUnique<SSLPlatformKeyNSS>(type, max_length, std::move(key)),
       GetSSLPlatformKeyTaskRunner()));
 }
 
 }  // namespace net