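--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,29 +1,30 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <keyhi.h>
 #include <openssl/bn.h>
 #include <openssl/ecdsa.h>
+#include <openssl/mem.h>
+#include <openssl/nid.h>
 #include <openssl/rsa.h>
 #include <pk11pub.h>
 #include <prerror.h>
 
 #include <utility>
 
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/sequenced_task_runner.h"
 #include "crypto/scoped_nss_types.h"
-#include "crypto/scoped_openssl_types.h"
 #include "net/cert/x509_certificate.h"
 #include "net/ssl/client_key_store.h"
 #include "net/ssl/ssl_platform_key.h"
 #include "net/ssl/ssl_platform_key_task_runner.h"
 #include "net/ssl/ssl_private_key.h"
 #include "net/ssl/threaded_ssl_private_key.h"
 
 namespace net {
 
 namespace {
@@ -64,21 +65,21 @@
 }
 
 Error SignDigest(SSLPrivateKey::Hash hash,
 const base::StringPiece& input,
 std::vector<uint8_t>* signature) override {
 SECItem digest_item;
 digest_item.data =
 const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>(input.data()));
 digest_item.len = input.size();
 
-crypto::ScopedOpenSSLBytes free_digest_info;
+bssl::UniquePtr<uint8_t> free_digest_info;
 if (type_ == SSLPrivateKey::Type::RSA) {
 // PK11_Sign expects the caller to prepend the DigestInfo.
 int hash_nid = NID_undef;
 switch (hash) {
 case SSLPrivateKey::Hash::MD5_SHA1:
 hash_nid = NID_md5_sha1;
 break;
 case SSLPrivateKey::Hash::SHA1:
 hash_nid = NID_sha1;
 break;
@@ -124,21 +125,21 @@
 // NSS emits raw ECDSA signatures, but BoringSSL expects a DER-encoded
 // ECDSA-Sig-Value.
 if (type_ == SSLPrivateKey::Type::ECDSA) {
 if (signature->size() % 2 != 0) {
 LOG(ERROR) << "Bad signature length";
 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
 }
 size_t order_len = signature->size() / 2;
 
 // Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
-crypto::ScopedECDSA_SIG sig(ECDSA_SIG_new());
+bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
 if (!sig || !BN_bin2bn(signature->data(), order_len, sig->r) ||
 !BN_bin2bn(signature->data() + order_len, order_len, sig->s)) {
 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
 }
 
 int len = i2d_ECDSA_SIG(sig.get(), nullptr);
 if (len <= 0)
 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
 signature->resize(len);
 uint8_t* ptr = signature->data();
@@ -181,10 +182,10 @@
 default:
 LOG(ERROR) << "Unknown key type: " << nss_type;
 return nullptr;
 }
 return make_scoped_refptr(new ThreadedSSLPrivateKey(
 base::MakeUnique<SSLPlatformKeyNSS>(type, std::move(key)),
 GetSSLPlatformKeyTaskRunner()));
 }
 
 } // namespace net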
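Review bot: The replacement `bssl::UniquePtr<uint8_t> free_digest_info;` (new line 75 in SignDigest) reads like a plain `std::unique_ptr<uint8_t>` but frees through BoringSSL's deleter for `uint8_t`, which is the reason `<openssl/mem.h>` is now included; the old `crypto::ScopedOpenSSLBytes` name made that ownership explicit and the new one does not. A one-line comment would keep the next reader from "simplifying" it to `std::unique_ptr`, e.g. `// Holds the OPENSSL-allocated DigestInfo buffer; bssl::UniquePtr<uint8_t> releases it with OPENSSL_free, not delete.` The line that fills free_digest_info is in the elided rows, so I am assuming it is still an OpenSSL-allocated buffer as before — worth confirming when applying the comment. The same mechanical swap at new line 135 (`bssl::UniquePtr<ECDSA_SIG>`) is fine as is, since the type name carries its deleter. SignDigest begins at new line 67 and continues past the visible rows.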