| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/ssl_platform_key_mac.h" | 5 #include "net/ssl/ssl_platform_key_mac.h" |
| 6 | 6 |
| 7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
| 8 #include <CoreFoundation/CoreFoundation.h> | 8 #include <CoreFoundation/CoreFoundation.h> |
| 9 #include <Security/cssm.h> | 9 #include <Security/cssm.h> |
| 10 #include <Security/SecBase.h> | 10 #include <Security/SecBase.h> |
| (...skipping 18 matching lines...) Expand all Loading... |
| 29 #include "crypto/mac_security_services_lock.h" | 29 #include "crypto/mac_security_services_lock.h" |
| 30 #include "crypto/openssl_util.h" | 30 #include "crypto/openssl_util.h" |
| 31 #include "net/base/net_errors.h" | 31 #include "net/base/net_errors.h" |
| 32 #include "net/cert/x509_certificate.h" | 32 #include "net/cert/x509_certificate.h" |
| 33 #include "net/cert/x509_util_mac.h" | 33 #include "net/cert/x509_util_mac.h" |
| 34 #include "net/ssl/ssl_platform_key.h" | 34 #include "net/ssl/ssl_platform_key.h" |
| 35 #include "net/ssl/ssl_platform_key_util.h" | 35 #include "net/ssl/ssl_platform_key_util.h" |
| 36 #include "net/ssl/ssl_private_key.h" | 36 #include "net/ssl/ssl_private_key.h" |
| 37 #include "net/ssl/threaded_ssl_private_key.h" | 37 #include "net/ssl/threaded_ssl_private_key.h" |
| 38 #include "third_party/boringssl/src/include/openssl/ecdsa.h" | 38 #include "third_party/boringssl/src/include/openssl/ecdsa.h" |
| 39 #include "third_party/boringssl/src/include/openssl/evp.h" |
| 39 #include "third_party/boringssl/src/include/openssl/mem.h" | 40 #include "third_party/boringssl/src/include/openssl/mem.h" |
| 40 #include "third_party/boringssl/src/include/openssl/nid.h" | 41 #include "third_party/boringssl/src/include/openssl/nid.h" |
| 41 #include "third_party/boringssl/src/include/openssl/rsa.h" | 42 #include "third_party/boringssl/src/include/openssl/rsa.h" |
| 42 | 43 |
| 43 #if !defined(MAC_OS_X_VERSION_10_12) || \ | 44 #if !defined(MAC_OS_X_VERSION_10_12) || \ |
| 44 MAC_OS_X_VERSION_MIN_ALLOWED < MAC_OS_X_VERSION_10_12 | 45 MAC_OS_X_VERSION_MIN_ALLOWED < MAC_OS_X_VERSION_10_12 |
| 45 // Redeclare typedefs that only exist in 10.12+ to suppress | 46 // Redeclare typedefs that only exist in 10.12+ to suppress |
| 46 // -Wpartial-availability warnings. | 47 // -Wpartial-availability warnings. |
| 47 typedef CFStringRef SecKeyAlgorithm; | 48 typedef CFStringRef SecKeyAlgorithm; |
| 48 #endif | 49 #endif |
| (...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 166 SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256 = nullptr; | 167 SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256 = nullptr; |
| 167 SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384 = nullptr; | 168 SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384 = nullptr; |
| 168 SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512 = nullptr; | 169 SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512 = nullptr; |
| 169 }; | 170 }; |
| 170 | 171 |
| 171 base::LazyInstance<SecKeyAPIs>::Leaky g_sec_key_apis = | 172 base::LazyInstance<SecKeyAPIs>::Leaky g_sec_key_apis = |
| 172 LAZY_INSTANCE_INITIALIZER; | 173 LAZY_INSTANCE_INITIALIZER; |
| 173 | 174 |
| 174 class SSLPlatformKeyCSSM : public ThreadedSSLPrivateKey::Delegate { | 175 class SSLPlatformKeyCSSM : public ThreadedSSLPrivateKey::Delegate { |
| 175 public: | 176 public: |
| 176 SSLPlatformKeyCSSM(SSLPrivateKey::Type type, | 177 SSLPlatformKeyCSSM(int type, |
| 177 size_t max_length, | 178 size_t max_length, |
| 178 SecKeyRef key, | 179 SecKeyRef key, |
| 179 const CSSM_KEY* cssm_key) | 180 const CSSM_KEY* cssm_key) |
| 180 : type_(type), | 181 : max_length_(max_length), |
| 181 max_length_(max_length), | |
| 182 key_(key, base::scoped_policy::RETAIN), | 182 key_(key, base::scoped_policy::RETAIN), |
| 183 cssm_key_(cssm_key) {} | 183 cssm_key_(cssm_key) {} |
| 184 | 184 |
| 185 ~SSLPlatformKeyCSSM() override {} | 185 ~SSLPlatformKeyCSSM() override {} |
| 186 | 186 |
| 187 SSLPrivateKey::Type GetType() override { return type_; } | |
| 188 | |
| 189 std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override { | 187 std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override { |
| 190 return std::vector<SSLPrivateKey::Hash>{ | 188 return std::vector<SSLPrivateKey::Hash>{ |
| 191 SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384, | 189 SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384, |
| 192 SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1}; | 190 SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1}; |
| 193 } | 191 } |
| 194 | 192 |
| 195 size_t GetMaxSignatureLengthInBytes() override { return max_length_; } | |
| 196 | |
| 197 Error SignDigest(SSLPrivateKey::Hash hash, | 193 Error SignDigest(SSLPrivateKey::Hash hash, |
| 198 const base::StringPiece& input, | 194 const base::StringPiece& input, |
| 199 std::vector<uint8_t>* signature) override { | 195 std::vector<uint8_t>* signature) override { |
| 200 crypto::OpenSSLErrStackTracer tracer(FROM_HERE); | 196 crypto::OpenSSLErrStackTracer tracer(FROM_HERE); |
| 201 | 197 |
| 202 CSSM_CSP_HANDLE csp_handle; | 198 CSSM_CSP_HANDLE csp_handle; |
| 203 OSStatus status = SecKeyGetCSPHandle(key_.get(), &csp_handle); | 199 OSStatus status = SecKeyGetCSPHandle(key_.get(), &csp_handle); |
| 204 if (status != noErr) { | 200 if (status != noErr) { |
| 205 OSSTATUS_LOG(WARNING, status); | 201 OSSTATUS_LOG(WARNING, status); |
| 206 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 202 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 275 | 271 |
| 276 if (CSSM_SignData(cssm_signature.get(), &hash_data, 1, CSSM_ALGID_NONE, | 272 if (CSSM_SignData(cssm_signature.get(), &hash_data, 1, CSSM_ALGID_NONE, |
| 277 &signature_data) != CSSM_OK) { | 273 &signature_data) != CSSM_OK) { |
| 278 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 274 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; |
| 279 } | 275 } |
| 280 signature->resize(signature_data.Length); | 276 signature->resize(signature_data.Length); |
| 281 return OK; | 277 return OK; |
| 282 } | 278 } |
| 283 | 279 |
| 284 private: | 280 private: |
| 285 SSLPrivateKey::Type type_; | |
| 286 size_t max_length_; | 281 size_t max_length_; |
| 287 base::ScopedCFTypeRef<SecKeyRef> key_; | 282 base::ScopedCFTypeRef<SecKeyRef> key_; |
| 288 const CSSM_KEY* cssm_key_; | 283 const CSSM_KEY* cssm_key_; |
| 289 | 284 |
| 290 DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyCSSM); | 285 DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyCSSM); |
| 291 }; | 286 }; |
| 292 | 287 |
| 293 class SSLPlatformKeySecKey : public ThreadedSSLPrivateKey::Delegate { | 288 class SSLPlatformKeySecKey : public ThreadedSSLPrivateKey::Delegate { |
| 294 public: | 289 public: |
| 295 SSLPlatformKeySecKey(SSLPrivateKey::Type type, | 290 SSLPlatformKeySecKey(int type, size_t max_length, SecKeyRef key) |
| 296 size_t max_length, | 291 : type_(type), key_(key, base::scoped_policy::RETAIN) {} |
| 297 SecKeyRef key) | |
| 298 : type_(type), | |
| 299 max_length_(max_length), | |
| 300 key_(key, base::scoped_policy::RETAIN) {} | |
| 301 | 292 |
| 302 ~SSLPlatformKeySecKey() override {} | 293 ~SSLPlatformKeySecKey() override {} |
| 303 | 294 |
| 304 SSLPrivateKey::Type GetType() override { return type_; } | |
| 305 | |
| 306 std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override { | 295 std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override { |
| 307 return std::vector<SSLPrivateKey::Hash>{ | 296 return std::vector<SSLPrivateKey::Hash>{ |
| 308 SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384, | 297 SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384, |
| 309 SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1}; | 298 SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1}; |
| 310 } | 299 } |
| 311 | 300 |
| 312 size_t GetMaxSignatureLengthInBytes() override { return max_length_; } | |
| 313 | |
| 314 Error SignDigest(SSLPrivateKey::Hash hash, | 301 Error SignDigest(SSLPrivateKey::Hash hash, |
| 315 const base::StringPiece& input, | 302 const base::StringPiece& input, |
| 316 std::vector<uint8_t>* signature) override { | 303 std::vector<uint8_t>* signature) override { |
| 317 const SecKeyAPIs& apis = g_sec_key_apis.Get(); | 304 const SecKeyAPIs& apis = g_sec_key_apis.Get(); |
| 318 if (!apis.valid) { | 305 if (!apis.valid) { |
| 319 LOG(ERROR) << "SecKey APIs not found"; | 306 LOG(ERROR) << "SecKey APIs not found"; |
| 320 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 307 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; |
| 321 } | 308 } |
| 322 | 309 |
| 323 SecKeyAlgorithm algorithm = nullptr; | 310 SecKeyAlgorithm algorithm = nullptr; |
| 324 if (type_ == SSLPrivateKey::Type::RSA) { | 311 if (type_ == EVP_PKEY_RSA) { |
| 325 switch (hash) { | 312 switch (hash) { |
| 326 case SSLPrivateKey::Hash::SHA512: | 313 case SSLPrivateKey::Hash::SHA512: |
| 327 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512; | 314 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512; |
| 328 break; | 315 break; |
| 329 case SSLPrivateKey::Hash::SHA384: | 316 case SSLPrivateKey::Hash::SHA384: |
| 330 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384; | 317 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384; |
| 331 break; | 318 break; |
| 332 case SSLPrivateKey::Hash::SHA256: | 319 case SSLPrivateKey::Hash::SHA256: |
| 333 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256; | 320 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256; |
| 334 break; | 321 break; |
| 335 case SSLPrivateKey::Hash::SHA1: | 322 case SSLPrivateKey::Hash::SHA1: |
| 336 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1; | 323 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1; |
| 337 break; | 324 break; |
| 338 case SSLPrivateKey::Hash::MD5_SHA1: | 325 case SSLPrivateKey::Hash::MD5_SHA1: |
| 339 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw; | 326 algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw; |
| 340 break; | 327 break; |
| 341 } | 328 } |
| 342 } else if (SSLPrivateKey::IsECDSAType(type_)) { | 329 } else if (type_ == EVP_PKEY_EC) { |
| 343 switch (hash) { | 330 switch (hash) { |
| 344 case SSLPrivateKey::Hash::SHA512: | 331 case SSLPrivateKey::Hash::SHA512: |
| 345 algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA512; | 332 algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA512; |
| 346 break; | 333 break; |
| 347 case SSLPrivateKey::Hash::SHA384: | 334 case SSLPrivateKey::Hash::SHA384: |
| 348 algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA384; | 335 algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA384; |
| 349 break; | 336 break; |
| 350 case SSLPrivateKey::Hash::SHA256: | 337 case SSLPrivateKey::Hash::SHA256: |
| 351 algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA256; | 338 algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA256; |
| 352 break; | 339 break; |
| (...skipping 23 matching lines...) Expand all Loading... |
| 376 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | 363 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; |
| 377 } | 364 } |
| 378 | 365 |
| 379 signature->assign( | 366 signature->assign( |
| 380 CFDataGetBytePtr(signature_ref), | 367 CFDataGetBytePtr(signature_ref), |
| 381 CFDataGetBytePtr(signature_ref) + CFDataGetLength(signature_ref)); | 368 CFDataGetBytePtr(signature_ref) + CFDataGetLength(signature_ref)); |
| 382 return OK; | 369 return OK; |
| 383 } | 370 } |
| 384 | 371 |
| 385 private: | 372 private: |
| 386 SSLPrivateKey::Type type_; | 373 int type_; |
| 387 size_t max_length_; | |
| 388 base::ScopedCFTypeRef<SecKeyRef> key_; | 374 base::ScopedCFTypeRef<SecKeyRef> key_; |
| 389 | 375 |
| 390 DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeySecKey); | 376 DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeySecKey); |
| 391 }; | 377 }; |
| 392 | 378 |
| 393 } // namespace | 379 } // namespace |
| 394 | 380 |
| 395 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKeyFromKeychain( | 381 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKeyFromKeychain( |
| 396 const X509Certificate* certificate, | 382 const X509Certificate* certificate, |
| 397 SecKeychainRef keychain) { | 383 SecKeychainRef keychain) { |
| 398 // Look up the private key. | 384 // Look up the private key. |
| 399 base::ScopedCFTypeRef<SecKeyRef> private_key( | 385 base::ScopedCFTypeRef<SecKeyRef> private_key( |
| 400 FetchSecKeyRefForCertificate(certificate, keychain)); | 386 FetchSecKeyRefForCertificate(certificate, keychain)); |
| 401 if (!private_key) | 387 if (!private_key) |
| 402 return nullptr; | 388 return nullptr; |
| 403 | 389 |
| 404 SSLPrivateKey::Type key_type; | 390 int key_type; |
| 405 size_t max_length; | 391 size_t max_length; |
| 406 if (!GetClientCertInfo(certificate, &key_type, &max_length)) | 392 if (!GetClientCertInfo(certificate, &key_type, &max_length)) |
| 407 return nullptr; | 393 return nullptr; |
| 408 | 394 |
| 409 if (base::mac::IsAtLeastOS10_12()) { | 395 if (base::mac::IsAtLeastOS10_12()) { |
| 410 return make_scoped_refptr( | 396 return make_scoped_refptr( |
| 411 new ThreadedSSLPrivateKey(base::MakeUnique<SSLPlatformKeySecKey>( | 397 new ThreadedSSLPrivateKey(base::MakeUnique<SSLPlatformKeySecKey>( |
| 412 key_type, max_length, private_key.get()), | 398 key_type, max_length, private_key.get()), |
| 413 GetSSLPlatformKeyTaskRunner())); | 399 GetSSLPlatformKeyTaskRunner())); |
| 414 } | 400 } |
| (...skipping 12 matching lines...) Expand all Loading... |
| 427 } | 413 } |
| 428 | 414 |
| 429 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey( | 415 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey( |
| 430 const X509Certificate* certificate) { | 416 const X509Certificate* certificate) { |
| 431 return FetchClientCertPrivateKeyFromKeychain(certificate, nullptr); | 417 return FetchClientCertPrivateKeyFromKeychain(certificate, nullptr); |
| 432 } | 418 } |
| 433 | 419 |
| 434 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 420 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
| 435 | 421 |
| 436 } // namespace net | 422 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2822283002:
Remove SSLPrivateKey metadata hooks. (Closed)
