| OLD | NEW |
|---|
| (Empty) |
| 1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- | |
| 2 * | |
| 3 * ***** BEGIN LICENSE BLOCK ***** | |
| 4 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | |
| 5 * | |
| 6 * The contents of this file are subject to the Mozilla Public License Version | |
| 7 * 1.1 (the "License"); you may not use this file except in compliance with | |
| 8 * the License. You may obtain a copy of the License at | |
| 9 * http://www.mozilla.org/MPL/ | |
| 10 * | |
| 11 * Software distributed under the License is distributed on an "AS IS" basis, | |
| 12 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License | |
| 13 * for the specific language governing rights and limitations under the | |
| 14 * License. | |
| 15 * | |
| 16 * The Original Code is mozilla.org code. | |
| 17 * | |
| 18 * The Initial Developer of the Original Code is | |
| 19 * Netscape Communications Corporation. | |
| 20 * Portions created by the Initial Developer are Copyright (C) 1998 | |
| 21 * the Initial Developer. All Rights Reserved. | |
| 22 * | |
| 23 * Contributor(s): | |
| 24 * Vipul Gupta <vipul.gupta@sun.com> | |
| 25 * Douglas Stebila <douglas@stebila.ca> | |
| 26 * | |
| 27 * Alternatively, the contents of this file may be used under the terms of | |
| 28 * either the GNU General Public License Version 2 or later (the "GPL"), or | |
| 29 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), | |
| 30 * in which case the provisions of the GPL or the LGPL are applicable instead | |
| 31 * of those above. If you wish to allow use of your version of this file only | |
| 32 * under the terms of either the GPL or the LGPL, and not to allow others to | |
| 33 * use your version of this file under the terms of the MPL, indicate your | |
| 34 * decision by deleting the provisions above and replace them with the notice | |
| 35 * and other provisions required by the GPL or the LGPL. If you do not delete | |
| 36 * the provisions above, a recipient may use your version of this file under | |
| 37 * the terms of any one of the MPL, the GPL or the LGPL. | |
| 38 * | |
| 39 * ***** END LICENSE BLOCK ***** */ | |
| 40 | |
| 41 #include "net/third_party/mozilla_security_manager/nsKeygenHandler.h" | |
| 42 | |
| 43 #include <pk11pub.h> | |
| 44 #include <prerror.h> // PR_GetError() | |
| 45 #include <secmod.h> | |
| 46 #include <secder.h> // DER_Encode() | |
| 47 #include <cryptohi.h> // SEC_DerSignData() | |
| 48 #include <keyhi.h> // SECKEY_CreateSubjectPublicKeyInfo() | |
| 49 | |
| 50 #include "base/base64.h" | |
| 51 #include "base/logging.h" | |
| 52 #include "crypto/nss_util.h" | |
| 53 #include "url/gurl.h" | |
| 54 | |
| 55 namespace { | |
| 56 | |
| 57 // Template for creating the signed public key structure to be sent to the CA. | |
| 58 DERTemplate SECAlgorithmIDTemplate[] = { | |
| 59 { DER_SEQUENCE, | |
| 60 0, NULL, sizeof(SECAlgorithmID) }, | |
| 61 { DER_OBJECT_ID, | |
| 62 offsetof(SECAlgorithmID, algorithm), }, | |
| 63 { DER_OPTIONAL | DER_ANY, | |
| 64 offsetof(SECAlgorithmID, parameters), }, | |
| 65 { 0, } | |
| 66 }; | |
| 67 | |
| 68 DERTemplate CERTSubjectPublicKeyInfoTemplate[] = { | |
| 69 { DER_SEQUENCE, | |
| 70 0, NULL, sizeof(CERTSubjectPublicKeyInfo) }, | |
| 71 { DER_INLINE, | |
| 72 offsetof(CERTSubjectPublicKeyInfo, algorithm), | |
| 73 SECAlgorithmIDTemplate, }, | |
| 74 { DER_BIT_STRING, | |
| 75 offsetof(CERTSubjectPublicKeyInfo, subjectPublicKey), }, | |
| 76 { 0, } | |
| 77 }; | |
| 78 | |
| 79 DERTemplate CERTPublicKeyAndChallengeTemplate[] = { | |
| 80 { DER_SEQUENCE, | |
| 81 0, NULL, sizeof(CERTPublicKeyAndChallenge) }, | |
| 82 { DER_ANY, | |
| 83 offsetof(CERTPublicKeyAndChallenge, spki), }, | |
| 84 { DER_IA5_STRING, | |
| 85 offsetof(CERTPublicKeyAndChallenge, challenge), }, | |
| 86 { 0, } | |
| 87 }; | |
| 88 | |
| 89 } // namespace | |
| 90 | |
| 91 namespace mozilla_security_manager { | |
| 92 | |
| 93 // This function is based on the nsKeygenFormProcessor::GetPublicKey function | |
| 94 // in mozilla/security/manager/ssl/src/nsKeygenHandler.cpp. | |
| 95 std::string GenKeyAndSignChallenge(int key_size_in_bits, | |
| 96 const std::string& challenge, | |
| 97 const GURL& url, | |
| 98 PK11SlotInfo* slot, | |
| 99 bool stores_key) { | |
| 100 // Key pair generation mechanism - only RSA is supported at present. | |
| 101 PRUint32 keyGenMechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; // from nss/pkcs11t.h | |
| 102 | |
| 103 // Temporary structures used for generating the result | |
| 104 // in the right format. | |
| 105 PK11RSAGenParams rsaKeyGenParams; // Keygen parameters. | |
| 106 SECOidTag algTag; // used by SEC_DerSignData(). | |
| 107 SECKEYPrivateKey *privateKey = NULL; | |
| 108 SECKEYPublicKey *publicKey = NULL; | |
| 109 CERTSubjectPublicKeyInfo *spkInfo = NULL; | |
| 110 PLArenaPool *arena = NULL; | |
| 111 SECStatus sec_rv =SECFailure; | |
| 112 SECItem spkiItem; | |
| 113 SECItem pkacItem; | |
| 114 SECItem signedItem; | |
| 115 CERTPublicKeyAndChallenge pkac; | |
| 116 void *keyGenParams; | |
| 117 bool isSuccess = true; // Set to false as soon as a step fails. | |
| 118 | |
| 119 std::string result_blob; // the result. | |
| 120 | |
| 121 switch (keyGenMechanism) { | |
| 122 case CKM_RSA_PKCS_KEY_PAIR_GEN: | |
| 123 rsaKeyGenParams.keySizeInBits = key_size_in_bits; | |
| 124 rsaKeyGenParams.pe = DEFAULT_RSA_KEYGEN_PE; | |
| 125 keyGenParams = &rsaKeyGenParams; | |
| 126 | |
| 127 algTag = DEFAULT_RSA_KEYGEN_ALG; | |
| 128 break; | |
| 129 default: | |
| 130 // TODO(gauravsh): If we ever support other mechanisms, | |
| 131 // this can be changed. | |
| 132 LOG(ERROR) << "Only RSA keygen mechanism is supported"; | |
| 133 isSuccess = false; | |
| 134 goto failure; | |
| 135 } | |
| 136 | |
| 137 VLOG(1) << "Creating key pair..."; | |
| 138 { | |
| 139 crypto::AutoNSSWriteLock lock; | |
| 140 privateKey = PK11_GenerateKeyPair(slot, | |
| 141 keyGenMechanism, | |
| 142 keyGenParams, | |
| 143 &publicKey, | |
| 144 PR_TRUE, // isPermanent? | |
| 145 PR_TRUE, // isSensitive? | |
| 146 NULL); | |
| 147 } | |
| 148 VLOG(1) << "done."; | |
| 149 | |
| 150 if (!privateKey) { | |
| 151 LOG(ERROR) << "Generation of Keypair failed!"; | |
| 152 isSuccess = false; | |
| 153 goto failure; | |
| 154 } | |
| 155 | |
| 156 // Set friendly names for the keys. | |
| 157 if (url.has_host()) { | |
| 158 // TODO(davidben): Use something like "Key generated for | |
| 159 // example.com", but localize it. | |
| 160 const std::string& label = url.host(); | |
| 161 { | |
| 162 crypto::AutoNSSWriteLock lock; | |
| 163 PK11_SetPublicKeyNickname(publicKey, label.c_str()); | |
| 164 PK11_SetPrivateKeyNickname(privateKey, label.c_str()); | |
| 165 } | |
| 166 } | |
| 167 | |
| 168 // The CA expects the signed public key in a specific format | |
| 169 // Let's create that now. | |
| 170 | |
| 171 // Create a subject public key info from the public key. | |
| 172 spkInfo = SECKEY_CreateSubjectPublicKeyInfo(publicKey); | |
| 173 if (!spkInfo) { | |
| 174 LOG(ERROR) << "Couldn't create SubjectPublicKeyInfo from public key"; | |
| 175 isSuccess = false; | |
| 176 goto failure; | |
| 177 } | |
| 178 | |
| 179 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
| 180 if (!arena) { | |
| 181 LOG(ERROR) << "PORT_NewArena: Couldn't allocate memory"; | |
| 182 isSuccess = false; | |
| 183 goto failure; | |
| 184 } | |
| 185 | |
| 186 // DER encode the whole subjectPublicKeyInfo. | |
| 187 sec_rv = DER_Encode(arena, &spkiItem, CERTSubjectPublicKeyInfoTemplate, | |
| 188 spkInfo); | |
| 189 if (SECSuccess != sec_rv) { | |
| 190 LOG(ERROR) << "Couldn't DER Encode subjectPublicKeyInfo"; | |
| 191 isSuccess = false; | |
| 192 goto failure; | |
| 193 } | |
| 194 | |
| 195 // Set up the PublicKeyAndChallenge data structure, then DER encode it. | |
| 196 pkac.spki = spkiItem; | |
| 197 pkac.challenge.type = siBuffer; | |
| 198 pkac.challenge.len = challenge.length(); | |
| 199 pkac.challenge.data = (unsigned char *)challenge.data(); | |
| 200 sec_rv = DER_Encode(arena, &pkacItem, CERTPublicKeyAndChallengeTemplate, | |
| 201 &pkac); | |
| 202 if (SECSuccess != sec_rv) { | |
| 203 LOG(ERROR) << "Couldn't DER Encode PublicKeyAndChallenge"; | |
| 204 isSuccess = false; | |
| 205 goto failure; | |
| 206 } | |
| 207 | |
| 208 // Sign the DER encoded PublicKeyAndChallenge. | |
| 209 sec_rv = SEC_DerSignData(arena, &signedItem, pkacItem.data, pkacItem.len, | |
| 210 privateKey, algTag); | |
| 211 if (SECSuccess != sec_rv) { | |
| 212 LOG(ERROR) << "Couldn't sign the DER encoded PublicKeyandChallenge"; | |
| 213 isSuccess = false; | |
| 214 goto failure; | |
| 215 } | |
| 216 | |
| 217 // Convert the signed public key and challenge into base64/ascii. | |
| 218 base::Base64Encode(base::StringPiece(reinterpret_cast<char*>(signedItem.data), | |
| 219 signedItem.len), | |
| 220 &result_blob); | |
| 221 | |
| 222 failure: | |
| 223 if (!isSuccess) { | |
| 224 LOG(ERROR) << "SSL Keygen failed! (NSS error code " << PR_GetError() << ")"; | |
| 225 } else { | |
| 226 VLOG(1) << "SSL Keygen succeeded!"; | |
| 227 } | |
| 228 | |
| 229 // Do cleanups | |
| 230 if (privateKey) { | |
| 231 // On successful keygen we need to keep the private key, of course, | |
| 232 // or we won't be able to use the client certificate. | |
| 233 if (!isSuccess || !stores_key) { | |
| 234 crypto::AutoNSSWriteLock lock; | |
| 235 PK11_DestroyTokenObject(privateKey->pkcs11Slot, privateKey->pkcs11ID); | |
| 236 } | |
| 237 SECKEY_DestroyPrivateKey(privateKey); | |
| 238 } | |
| 239 | |
| 240 if (publicKey) { | |
| 241 if (!isSuccess || !stores_key) { | |
| 242 crypto::AutoNSSWriteLock lock; | |
| 243 PK11_DestroyTokenObject(publicKey->pkcs11Slot, publicKey->pkcs11ID); | |
| 244 } | |
| 245 SECKEY_DestroyPublicKey(publicKey); | |
| 246 } | |
| 247 if (spkInfo) { | |
| 248 SECKEY_DestroySubjectPublicKeyInfo(spkInfo); | |
| 249 } | |
| 250 if (arena) { | |
| 251 PORT_FreeArena(arena, PR_TRUE); | |
| 252 } | |
| 253 | |
| 254 return (isSuccess ? result_blob : std::string()); | |
| 255 } | |
| 256 | |
| 257 } // namespace mozilla_security_manager | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2536993002:
Remove support for the keygen tag (Closed)
