Remove SSLPrivateKey metadata hooks.

net/ssl/ssl_platform_key_win.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/ssl_platform_key.h"
 
 #include <windows.h>
 #include <NCrypt.h>
 
 #include <algorithm>
@@ skipping 15 matching lines @@
 #include "third_party/boringssl/src/include/openssl/ecdsa.h"
 #include "third_party/boringssl/src/include/openssl/evp.h"
 
 namespace net {
 
 namespace {
 
 class SSLPlatformKeyCAPI : public ThreadedSSLPrivateKey::Delegate {
  public:
   // Takes ownership of |provider|.
-  SSLPlatformKeyCAPI(HCRYPTPROV provider, DWORD key_spec, size_t max_length)
-      : provider_(provider), key_spec_(key_spec), max_length_(max_length) {}
+  SSLPlatformKeyCAPI(HCRYPTPROV provider, DWORD key_spec)
+      : provider_(provider), key_spec_(key_spec) {}
 
   ~SSLPlatformKeyCAPI() override {}
 
-  SSLPrivateKey::Type GetType() override { return SSLPrivateKey::Type::RSA; }
-
   std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override {
     // If the key is in CAPI, assume conservatively that the CAPI service
     // provider may only be able to sign pre-TLS-1.2 and SHA-1 hashes.
     static const SSLPrivateKey::Hash kHashes[] = {
         SSLPrivateKey::Hash::SHA1, SSLPrivateKey::Hash::SHA512,
         SSLPrivateKey::Hash::SHA384, SSLPrivateKey::Hash::SHA256};
     return std::vector<SSLPrivateKey::Hash>(kHashes,
                                             kHashes + arraysize(kHashes));
   }
 
-  size_t GetMaxSignatureLengthInBytes() override { return max_length_; }
-
   Error SignDigest(SSLPrivateKey::Hash hash,
                    const base::StringPiece& input,
                    std::vector<uint8_t>* signature) override {
     ALG_ID hash_alg = 0;
     switch (hash) {
       case SSLPrivateKey::Hash::MD5_SHA1:
         hash_alg = CALG_SSL3_SHAMD5;
         break;
       case SSLPrivateKey::Hash::SHA1:
         hash_alg = CALG_SHA1;
@@ skipping 46 matching lines @@
     signature->resize(signature_len);
 
     // CryptoAPI signs in little-endian, so reverse it.
     std::reverse(signature->begin(), signature->end());
     return OK;
   }
 
  private:
   crypto::ScopedHCRYPTPROV provider_;
   DWORD key_spec_;
-  size_t max_length_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyCAPI);
 };
 
 class SSLPlatformKeyCNG : public ThreadedSSLPrivateKey::Delegate {
  public:
   // Takes ownership of |key|.
-  SSLPlatformKeyCNG(NCRYPT_KEY_HANDLE key,
-                    SSLPrivateKey::Type type,
-                    size_t max_length)
+  SSLPlatformKeyCNG(NCRYPT_KEY_HANDLE key, int type, size_t max_length)
       : key_(key), type_(type), max_length_(max_length) {}
 
   ~SSLPlatformKeyCNG() override { NCryptFreeObject(key_); }
 
-  SSLPrivateKey::Type GetType() override { return type_; }
-
   std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override {
     // If this is an under 1024-bit RSA key, conservatively prefer to sign
     // SHA-1 hashes. Older Estonian ID cards can only sign SHA-1 hashes.
     // However, if the server doesn't advertise SHA-1, the remaining hashes
     // might still be supported.
-    if (type_ == SSLPrivateKey::Type::RSA && max_length_ <= 1024 / 8) {
+    if (type_ == EVP_PKEY_RSA && max_length_ <= 1024 / 8) {
       static const SSLPrivateKey::Hash kHashesSpecial[] = {
           SSLPrivateKey::Hash::SHA1, SSLPrivateKey::Hash::SHA512,
           SSLPrivateKey::Hash::SHA384, SSLPrivateKey::Hash::SHA256};
       return std::vector<SSLPrivateKey::Hash>(
           kHashesSpecial, kHashesSpecial + arraysize(kHashesSpecial));
     }
     static const SSLPrivateKey::Hash kHashes[] = {
         SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384,
         SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1};
     return std::vector<SSLPrivateKey::Hash>(kHashes,
                                             kHashes + arraysize(kHashes));
   }
 
-  size_t GetMaxSignatureLengthInBytes() override { return max_length_; }
-
   Error SignDigest(SSLPrivateKey::Hash hash,
                    const base::StringPiece& input,
                    std::vector<uint8_t>* signature) override {
     crypto::OpenSSLErrStackTracer tracer(FROM_HERE);
 
     BCRYPT_PKCS1_PADDING_INFO rsa_padding_info = {0};
     void* padding_info = nullptr;
     DWORD flags = 0;
-    if (type_ == SSLPrivateKey::Type::RSA) {
+    if (type_ == EVP_PKEY_RSA) {
       switch (hash) {
         case SSLPrivateKey::Hash::MD5_SHA1:
           rsa_padding_info.pszAlgId = nullptr;
           break;
         case SSLPrivateKey::Hash::SHA1:
           rsa_padding_info.pszAlgId = BCRYPT_SHA1_ALGORITHM;
           break;
         case SSLPrivateKey::Hash::SHA256:
           rsa_padding_info.pszAlgId = BCRYPT_SHA256_ALGORITHM;
           break;
@@ skipping 23 matching lines @@
         const_cast<BYTE*>(reinterpret_cast<const BYTE*>(input.data())),
         input.size(), signature->data(), signature_len, &signature_len, flags);
     if (FAILED(status)) {
       LOG(ERROR) << "NCryptSignHash failed: " << status;
       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
     }
     signature->resize(signature_len);
 
     // CNG emits raw ECDSA signatures, but BoringSSL expects a DER-encoded
     // ECDSA-Sig-Value.
-    if (SSLPrivateKey::IsECDSAType(type_)) {
+    if (type_ == EVP_PKEY_EC) {
       if (signature->size() % 2 != 0) {
         LOG(ERROR) << "Bad signature length";
         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
       }
       size_t order_len = signature->size() / 2;
 
       // Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
       bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
       if (!sig || !BN_bin2bn(signature->data(), order_len, sig->r) ||
           !BN_bin2bn(signature->data() + order_len, order_len, sig->s)) {
         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
       }
 
       int len = i2d_ECDSA_SIG(sig.get(), nullptr);
       if (len <= 0)
         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
       signature->resize(len);
       uint8_t* ptr = signature->data();
       len = i2d_ECDSA_SIG(sig.get(), &ptr);
       if (len <= 0)
         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
       signature->resize(len);
     }
 
     return OK;
   }
 
  private:
   NCRYPT_KEY_HANDLE key_;
-  SSLPrivateKey::Type type_;
+  int type_;
   size_t max_length_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyCNG);
 };
 
 }  // namespace
 
 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(
     const X509Certificate* certificate) {
   // Rather than query the private key for metadata, extract the public key from
   // the certificate without using Windows APIs. CAPI and CNG do not
   // consistently work depending on the system. See https://crbug.com/468345.
-  SSLPrivateKey::Type key_type;
+  int key_type;
   size_t max_length;
   if (!GetClientCertInfo(certificate, &key_type, &max_length))
     return nullptr;
 
   PCCERT_CONTEXT cert_context = certificate->os_cert_handle();
 
   HCRYPTPROV_OR_NCRYPT_KEY_HANDLE prov_or_key = 0;
   DWORD key_spec = 0;
   BOOL must_free = FALSE;
   DWORD flags = CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
 
   if (!CryptAcquireCertificatePrivateKey(cert_context, flags, nullptr,
                                          &prov_or_key, &key_spec, &must_free)) {
     PLOG(WARNING) << "Could not acquire private key";
     return nullptr;
   }
 
   // Should never get a cached handle back - ownership must always be
   // transferred.
   CHECK_EQ(must_free, TRUE);
 
   std::unique_ptr<ThreadedSSLPrivateKey::Delegate> delegate;
   if (key_spec == CERT_NCRYPT_KEY_SPEC) {
     delegate.reset(new SSLPlatformKeyCNG(prov_or_key, key_type, max_length));
   } else {
-    DCHECK(SSLPrivateKey::Type::RSA == key_type);
-    delegate.reset(new SSLPlatformKeyCAPI(prov_or_key, key_spec, max_length));
+    DCHECK_EQ(EVP_PKEY_RSA, key_type);
+    delegate.reset(new SSLPlatformKeyCAPI(prov_or_key, key_spec));
   }
   return make_scoped_refptr(new ThreadedSSLPrivateKey(
       std::move(delegate), GetSSLPlatformKeyTaskRunner()));
 }
 
 }  // namespace net