Index: crypto/ec_private_key.cc |
diff --git a/crypto/ec_private_key.cc b/crypto/ec_private_key.cc |
index 0a2344c2a6661c05ac60ee36e87b24b9aacb8aa5..9914c5dde866e9f2e47b9a747ab7584cefff4d19 100644 |
--- a/crypto/ec_private_key.cc |
+++ b/crypto/ec_private_key.cc |
@@ -95,7 +95,6 @@ std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromPrivateKeyInfo( |
// static |
std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( |
- const std::string& password, |
const std::vector<uint8_t>& encrypted_private_key_info, |
const std::vector<uint8_t>& subject_public_key_info) { |
// NOTE: The |subject_public_key_info| can be ignored here, it is only |
@@ -113,21 +112,15 @@ std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( |
if (!p8_encrypted || ptr != data + encrypted_private_key_info.size()) |
return nullptr; |
- bssl::UniquePtr<PKCS8_PRIV_KEY_INFO> p8_decrypted; |
- if (password.empty()) { |
- // Hack for reading keys generated by an older version of the OpenSSL |
- // code. OpenSSL used to use "\0\0" rather than the empty string because it |
- // would treat the password as an ASCII string to be converted to UCS-2 |
- // while NSS used a byte string. |
- p8_decrypted.reset(PKCS8_decrypt_pbe( |
- p8_encrypted.get(), reinterpret_cast<const uint8_t*>("\0\0"), 2)); |
- } |
- if (!p8_decrypted) { |
- p8_decrypted.reset(PKCS8_decrypt_pbe( |
- p8_encrypted.get(), |
- reinterpret_cast<const uint8_t*>(password.data()), |
- password.size())); |
- } |
+ // Hack for reading keys generated by an older version of the OpenSSL code. |
+ // Some implementations encode the empty password as "\0\0" (passwords are |
+ // normally encoded in big-endian UCS-2 with a NUL terminator) and some |
+ // encode as the empty string. PKCS8_decrypt distinguishes the two by whether |
+ // the password is nullptr. |
+ bssl::UniquePtr<PKCS8_PRIV_KEY_INFO> p8_decrypted( |
+ PKCS8_decrypt(p8_encrypted.get(), "", 0)); |
+ if (!p8_decrypted) |
+ p8_decrypted.reset(PKCS8_decrypt(p8_encrypted.get(), nullptr, 0)); |
if (!p8_decrypted) |
return nullptr; |
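Review bot: With the password parameter gone, the two PKCS8_decrypt attempts in this hunk only ever succeed for keys wrapped under the empty password, so the PKCS#8 "encryption" is a legacy container format rather than a confidentiality boundary, and that should be stated for callers; the same applies to ExportEncryptedPrivateKey in the later hunk, which hard-codes a null password and a single PBKDF iteration with 3DES. I would extend the comment above the first attempt with `// The wrapper is decryptable by anyone holding the bytes; it exists only for compatibility with the NSS/OpenSSL on-disk format, not for protection.`. The sentence `PKCS8_decrypt distinguishes the two by whether the password is nullptr` would also read better if it said which form is which: as I read BoringSSL's pkcs8.h, a nullptr password is encoded as the empty byte string while "" is converted to the PKCS #12 two-zero-byte form, which is why the "" attempt comes first, but confirm against the header in tree. The enclosing function starts in the earlier hunk and continues past this one.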
@@ -166,8 +159,6 @@ bool ECPrivateKey::ExportPrivateKey(std::vector<uint8_t>* output) const { |
} |
bool ECPrivateKey::ExportEncryptedPrivateKey( |
- const std::string& password, |
- int iterations, |
std::vector<uint8_t>* output) const { |
OpenSSLErrStackTracer err_tracer(FROM_HERE); |
// Convert into a PKCS#8 object. |
@@ -180,9 +171,8 @@ bool ECPrivateKey::ExportEncryptedPrivateKey( |
// so use NID_pbe_WithSHA1And3_Key_TripleDES_CBC which should be the OpenSSL |
// equivalent. |
bssl::UniquePtr<X509_SIG> encrypted( |
- PKCS8_encrypt_pbe(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, |
- reinterpret_cast<const uint8_t*>(password.data()), |
- password.size(), nullptr, 0, iterations, pkcs8.get())); |
+ PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, nullptr, 0, |
+ nullptr, 0, 1, pkcs8.get())); |
if (!encrypted) |
return false; |