OLD | NEW |
| (Empty) |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <keyhi.h> | |
6 #include <pk11pub.h> | |
7 #include <prerror.h> | |
8 | |
9 #include "base/logging.h" | |
10 #include "base/macros.h" | |
11 #include "base/memory/ptr_util.h" | |
12 #include "crypto/scoped_nss_types.h" | |
13 #include "net/cert/x509_certificate.h" | |
14 #include "net/ssl/client_key_store.h" | |
15 #include "net/ssl/ssl_platform_key.h" | |
16 #include "net/ssl/ssl_platform_key_util.h" | |
17 #include "net/ssl/ssl_private_key.h" | |
18 #include "net/ssl/threaded_ssl_private_key.h" | |
19 #include "third_party/boringssl/src/include/openssl/mem.h" | |
20 #include "third_party/boringssl/src/include/openssl/nid.h" | |
21 #include "third_party/boringssl/src/include/openssl/rsa.h" | |
22 | |
23 namespace net { | |
24 | |
25 namespace { | |
26 | |
27 void LogPRError() { | |
28 PRErrorCode err = PR_GetError(); | |
29 const char* err_name = PR_ErrorToName(err); | |
30 if (err_name == nullptr) | |
31 err_name = ""; | |
32 LOG(ERROR) << "Could not sign digest: " << err << " (" << err_name << ")"; | |
33 } | |
34 | |
35 class SSLPlatformKeyChromecast : public ThreadedSSLPrivateKey::Delegate { | |
36 public: | |
37 SSLPlatformKeyChromecast(crypto::ScopedSECKEYPrivateKey key) | |
38 : key_(std::move(key)) {} | |
39 ~SSLPlatformKeyChromecast() override {} | |
40 | |
41 std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override { | |
42 return std::vector<SSLPrivateKey::Hash>{SSLPrivateKey::Hash::SHA256, | |
43 SSLPrivateKey::Hash::SHA1}; | |
44 } | |
45 | |
46 Error SignDigest(SSLPrivateKey::Hash hash, | |
47 const base::StringPiece& input, | |
48 std::vector<uint8_t>* signature) override { | |
49 SECItem digest_item; | |
50 digest_item.data = | |
51 const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>(input.data())); | |
52 digest_item.len = input.size(); | |
53 | |
54 bssl::UniquePtr<uint8_t> free_digest_info; | |
55 // PK11_Sign expects the caller to prepend the DigestInfo. | |
56 int hash_nid = NID_undef; | |
57 switch (hash) { | |
58 case SSLPrivateKey::Hash::MD5_SHA1: | |
59 hash_nid = NID_md5_sha1; | |
60 break; | |
61 case SSLPrivateKey::Hash::SHA1: | |
62 hash_nid = NID_sha1; | |
63 break; | |
64 case SSLPrivateKey::Hash::SHA256: | |
65 hash_nid = NID_sha256; | |
66 break; | |
67 default: | |
68 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | |
69 } | |
70 DCHECK_NE(NID_undef, hash_nid); | |
71 int is_alloced; | |
72 size_t prefix_len; | |
73 if (!RSA_add_pkcs1_prefix(&digest_item.data, &prefix_len, &is_alloced, | |
74 hash_nid, digest_item.data, digest_item.len)) { | |
75 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | |
76 } | |
77 digest_item.len = prefix_len; | |
78 if (is_alloced) | |
79 free_digest_info.reset(digest_item.data); | |
80 | |
81 int len = PK11_SignatureLen(key_.get()); | |
82 if (len <= 0) { | |
83 LogPRError(); | |
84 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | |
85 } | |
86 signature->resize(len); | |
87 SECItem signature_item; | |
88 signature_item.data = signature->data(); | |
89 signature_item.len = signature->size(); | |
90 | |
91 SECStatus rv = PK11_Sign(key_.get(), &signature_item, &digest_item); | |
92 if (rv != SECSuccess) { | |
93 LogPRError(); | |
94 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; | |
95 } | |
96 signature->resize(signature_item.len); | |
97 | |
98 return OK; | |
99 } | |
100 | |
101 private: | |
102 crypto::ScopedSECKEYPrivateKey key_; | |
103 | |
104 DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyChromecast); | |
105 }; | |
106 | |
107 } // namespace | |
108 | |
109 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey( | |
110 const X509Certificate* certificate) { | |
111 crypto::ScopedSECKEYPrivateKey key( | |
112 PK11_FindKeyByAnyCert(certificate->os_cert_handle(), nullptr)); | |
113 if (!key) { | |
114 return ClientKeyStore::GetInstance()->FetchClientCertPrivateKey( | |
115 *certificate); | |
116 } | |
117 | |
118 return make_scoped_refptr(new ThreadedSSLPrivateKey( | |
119 base::MakeUnique<SSLPlatformKeyChromecast>(std::move(key)), | |
120 GetSSLPlatformKeyTaskRunner())); | |
121 } | |
122 | |
123 } // namespace net | |
OLD | NEW |