Index: crypto/ec_private_key_openssl.cc |
diff --git a/crypto/ec_private_key_openssl.cc b/crypto/ec_private_key_openssl.cc |
index 20214e6c83dee4175d5deb3e9dce7776abdbbb8c..69f3937672b06e5334468428f4850930e3cf3ca6 100644 |
--- a/crypto/ec_private_key_openssl.cc |
+++ b/crypto/ec_private_key_openssl.cc |
@@ -4,21 +4,99 @@ |
#include "crypto/ec_private_key.h" |
+#include <openssl/ec.h> |
+#include <openssl/evp.h> |
+#include <openssl/pkcs12.h> |
+#include <openssl/x509.h> |
+ |
#include "base/logging.h" |
+#include "base/memory/scoped_ptr.h" |
+#include "crypto/openssl_util.h" |
namespace crypto { |
-ECPrivateKey::~ECPrivateKey() {} |
+namespace { |
-// static |
-bool ECPrivateKey::IsSupported() { |
- return false; |
+// Function pointer definition, for injecting the required key export function |
+// into ExportKeyWithBio, below. |bio| is a temporary memory BIO object, and |
+// |key| is a handle to the input key object. Return 1 on success, 0 otherwise. |
+typedef int (*ExportFunctionWithBio)(BIO* bio, void* key); |
wtc
2013/10/14 21:45:07
1. Nit: ExportFunctionWithBio => ExportWithBioFunc
digit1
2013/10/15 11:43:44
I've changed it to 'ExportBioFunction' and added a
|
+ |
+// Helper to export |key| into |output| via the specified ExportFunctionWithBio. |
+bool ExportKeyWithBio(void* key, |
wtc
2013/10/14 21:45:07
Nit: can |key| be declared as const void* ?
digit1
2013/10/15 11:43:44
Done.
|
+ ExportFunctionWithBio export_fn, |
+ std::vector<uint8>* output) { |
+ if (!key) |
+ return false; |
+ |
+ // OpenSSLErrStackTracer err_tracer(FROM_HERE); |
agl
2013/10/14 21:47:31
Uncomment or delete?
digit1
2013/10/15 11:43:44
Deleted. Thanks.
|
+ ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new(BIO_s_mem())); |
+ if (!bio.get()) |
+ return false; |
+ |
+ if (!export_fn(bio.get(), key)) |
+ return false; |
+ |
+ char* data = NULL; |
+ long len = BIO_get_mem_data(bio.get(), &data); |
+ if (!data || len < 0) |
+ return false; |
+ |
+ output->assign(data, data + len); |
+ return true; |
} |
+// Function pointer definition, for injecting the required key export function |
+// into ExportKeyWithData below. |key| is a pointer to the input key object, |
+// and |data| is either NULL, or the address of an 'unsigned char*' pointer |
+// that points to the start of the output buffer. The function must return |
+// the number of bytes required to export the data. |
wtc
2013/10/14 21:45:07
Nit: Add "return -1 on failure".
digit1
2013/10/15 11:43:44
Done.
|
+typedef int (*ExportFunctionWithData)(void* key, unsigned char** data); |
+ |
+// Hlper to export |key| into |output| via the specified export function. |
wtc
2013/10/14 21:45:07
Typo: Hlper => Helper
agl
2013/10/14 21:47:31
// Helper...
digit1
2013/10/15 11:43:44
Done.
|
+bool ExportKeyWithData(void* key, |
+ ExportFunctionWithData export_fn, |
+ std::vector<uint8>* output) { |
+ if (!key) |
+ return false; |
+ |
+ int data_len = export_fn(key, NULL); |
+ if (data_len < 0) |
+ return false; |
+ |
+ output->resize(static_cast<size_t>(data_len)); |
+ unsigned char* data = reinterpret_cast<unsigned char*>(&output->front()); |
wtc
2013/10/14 21:45:07
We can assume uint8 is the same as unsigned char a
digit1
2013/10/15 11:43:44
Done.
|
+ if (export_fn(key, &data) < 0) |
+ return false; |
+ |
+ return true; |
+} |
+ |
+} // namespace |
+ |
+ECPrivateKey::~ECPrivateKey() { |
+ if (key_) |
+ EVP_PKEY_free(key_); |
+} |
+ |
+// static |
+bool ECPrivateKey::IsSupported() { return true; } |
+ |
// static |
ECPrivateKey* ECPrivateKey::Create() { |
- NOTIMPLEMENTED(); |
- return NULL; |
+ OpenSSLErrStackTracer err_tracer(FROM_HERE); |
+ |
+ ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key( |
+ EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); |
+ if (!ec_key.get() || !EC_KEY_generate_key(ec_key.get())) |
+ return NULL; |
+ |
+ scoped_ptr<ECPrivateKey> result(new ECPrivateKey()); |
+ result->key_ = EVP_PKEY_new(); |
+ if (!result->key_ || !EVP_PKEY_set1_EC_KEY(result->key_, ec_key.get())) |
+ return NULL; |
+ |
+ return result.release(); |
} |
// static |
@@ -32,8 +110,45 @@ ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( |
const std::string& password, |
const std::vector<uint8>& encrypted_private_key_info, |
const std::vector<uint8>& subject_public_key_info) { |
- NOTIMPLEMENTED(); |
- return NULL; |
+ if (encrypted_private_key_info.empty() || subject_public_key_info.empty()) { |
+ return NULL; |
+ } |
wtc
2013/10/14 21:45:07
Nit: omit curly braces.
digit1
2013/10/15 11:43:44
Done.
|
+ |
+ OpenSSLErrStackTracer err_tracer(FROM_HERE); |
+ // Write the encrypted private key into a memory BIO. |
+ char* private_key_data = reinterpret_cast<char*>( |
+ const_cast<uint8*>(&encrypted_private_key_info[0])); |
+ int private_key_data_len = |
+ static_cast<int>(encrypted_private_key_info.size()); |
+ ScopedOpenSSL<BIO, BIO_free_all> bio( |
+ BIO_new_mem_buf(private_key_data, private_key_data_len)); |
+ if (!bio.get()) |
+ return NULL; |
+ |
+ // Convert it, then decrypt it into a PKCS#8 object. |
+ ScopedOpenSSL<X509_SIG, X509_SIG_free> p8_encrypted( |
+ d2i_PKCS8_bio(bio.get(), NULL)); |
+ if (!p8_encrypted.get()) |
+ return NULL; |
+ |
+ ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> p8_decrypted( |
+ PKCS8_decrypt(p8_encrypted.get(), |
+ password.c_str(), |
+ static_cast<int>(password.size()))); |
+ if (!p8_decrypted.get()) |
+ return NULL; |
+ |
+ // Create a new EVP_PKEY for it. |
+ scoped_ptr<ECPrivateKey> result(new ECPrivateKey); |
+ result->key_ = EVP_PKCS82PKEY(p8_decrypted.get()); |
+ if (!result->key_) |
+ return NULL; |
+ |
+ // TODO(digit): What to do with |subject_public_key_info| exactly?? |
+ // The NSS code uses to call the NSS_specific API named |
+ // ImportEncryptedECPrivateKeyInfoAndReturnKey(). |
wtc
2013/10/14 21:45:07
I took a quick look. When NSS stores a private key
agl
2013/10/14 21:47:31
I think NSS might be using it to avoid recalculati
digit1
2013/10/15 11:43:44
Thanks, I think I'd prefer to ignore it if it is n
|
+ |
+ return result.release(); |
} |
// static |
@@ -49,23 +164,60 @@ bool ECPrivateKey::ExportEncryptedPrivateKey( |
const std::string& password, |
int iterations, |
std::vector<uint8>* output) { |
- NOTIMPLEMENTED(); |
- return false; |
+ OpenSSLErrStackTracer err_tracer(FROM_HERE); |
+ // Convert into a PKCS#8 object. |
+ ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> pkcs8( |
+ EVP_PKEY2PKCS8(key_)); |
+ if (!pkcs8.get()) |
+ return false; |
+ |
+ // Encrypt the object. |
+ // NOTE: NSS uses SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC |
+ // so use NID_pbe_WithSHA1And3_Key_TripleDES_CBC which should be the OpenSSL |
+ // equivalent. |
+ ScopedOpenSSL<X509_SIG, X509_SIG_free> encrypted( |
+ PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, |
+ NULL, |
+ password.c_str(), |
+ static_cast<int>(password.size()), |
+ NULL, |
+ 0, |
+ iterations, |
+ pkcs8.get())); |
+ if (!encrypted.get()) |
+ return false; |
+ |
+ // Write it into |*output| |
+ return ExportKeyWithBio( |
+ encrypted.get(), |
+ reinterpret_cast<ExportFunctionWithBio>(i2d_PKCS8_bio), |
+ output); |
} |
bool ECPrivateKey::ExportPublicKey(std::vector<uint8>* output) { |
- NOTIMPLEMENTED(); |
- return false; |
+ OpenSSLErrStackTracer err_tracer(FROM_HERE); |
+ return ExportKeyWithBio( |
+ key_, reinterpret_cast<ExportFunctionWithBio>(i2d_PUBKEY_bio), output); |
} |
bool ECPrivateKey::ExportValue(std::vector<uint8>* output) { |
- NOTIMPLEMENTED(); |
- return false; |
+ OpenSSLErrStackTracer err_tracer(FROM_HERE); |
+ ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_)); |
+ return ExportKeyWithData( |
+ ec_key.get(), |
+ reinterpret_cast<ExportFunctionWithData>(i2d_ECPrivateKey), |
+ output); |
} |
bool ECPrivateKey::ExportECParams(std::vector<uint8>* output) { |
- NOTIMPLEMENTED(); |
- return false; |
+ OpenSSLErrStackTracer err_tracer(FROM_HERE); |
+ ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_)); |
+ return ExportKeyWithData( |
+ ec_key.get(), |
+ reinterpret_cast<ExportFunctionWithData>(i2d_ECParameters), |
+ output); |
} |
+ECPrivateKey::ECPrivateKey() : key_(NULL) {} |
+ |
} // namespace crypto |