Add the Sign-At-Most-Once restriction the enterprise.platformKeys API.

chrome/browser/chromeos/platform_keys/platform_keys_nss.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
 
 #include <cryptohi.h>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ skipping 19 matching lines @@
 using content::BrowserThread;
 
 namespace {
 const char kErrorInternal[] = "Internal Error.";
 const char kErrorKeyNotFound[] = "Key not found.";
 const char kErrorCertificateNotFound[] = "Certificate could not be found.";
 const char kErrorAlgorithmNotSupported[] = "Algorithm not supported.";
 
 // The current maximal RSA modulus length that ChromeOS's TPM supports for key
 // generation.
-const unsigned int kMaxRSAModulusLength = 2048;
+const unsigned int kMaxRSAModulusLengthBits = 2048;
 }
 
 namespace chromeos {
 
 namespace platform_keys {
 
 namespace {
 
 // Base class to store state that is common to all NSS database operations and
 // to provide convenience methods to call back.
@@ skipping 67 matching lines @@
   BrowserThread::PostTask(BrowserThread::IO,
                           FROM_HERE,
                           base::Bind(&GetCertDatabaseOnIOThread,
                                      profile->GetResourceContext(),
                                      callback,
                                      state));
 }
 
 class GenerateRSAKeyState : public NSSOperationState {
  public:
-  GenerateRSAKeyState(unsigned int modulus_length,
-                      const GenerateKeyCallback& callback);
+  GenerateRSAKeyState(unsigned int modulus_length_bits,
+                      const subtle::GenerateKeyCallback& callback);
   virtual ~GenerateRSAKeyState() {}
 
   virtual void OnError(const tracked_objects::Location& from,
                        const std::string& error_message) OVERRIDE {
     CallBack(from, std::string() /* no public key */, error_message);
   }
 
   void CallBack(const tracked_objects::Location& from,
                 const std::string& public_key_spki_der,
                 const std::string& error_message) {
     origin_task_runner_->PostTask(
         from, base::Bind(callback_, public_key_spki_der, error_message));
   }
 
-  unsigned int modulus_length_;
+  unsigned int modulus_length_bits_;
 
  private:
   // Must be called on origin thread, use CallBack() therefore.
-  GenerateKeyCallback callback_;
+  subtle::GenerateKeyCallback callback_;
 };
 
 class SignState : public NSSOperationState {
  public:
   SignState(const std::string& public_key,
             const std::string& data,
-            const SignCallback& callback);
+            const subtle::SignCallback& callback);
   virtual ~SignState() {}
 
   virtual void OnError(const tracked_objects::Location& from,
                        const std::string& error_message) OVERRIDE {
     CallBack(from, std::string() /* no signature */, error_message);
   }
 
   void CallBack(const tracked_objects::Location& from,
                 const std::string& signature,
                 const std::string& error_message) {
     origin_task_runner_->PostTask(
         from, base::Bind(callback_, signature, error_message));
   }
 
   std::string public_key_;
   std::string data_;
 
  private:
   // Must be called on origin thread, use CallBack() therefore.
-  SignCallback callback_;
+  subtle::SignCallback callback_;
 };
 
 class GetCertificatesState : public NSSOperationState {
  public:
   explicit GetCertificatesState(const GetCertificatesCallback& callback);
   virtual ~GetCertificatesState() {}
 
   virtual void OnError(const tracked_objects::Location& from,
                        const std::string& error_message) OVERRIDE {
     CallBack(from,
@@ skipping 58 matching lines @@
 
  private:
   // Must be called on origin thread, use CallBack() therefore.
   RemoveCertificateCallback callback_;
 };
 
 NSSOperationState::NSSOperationState()
     : origin_task_runner_(base::ThreadTaskRunnerHandle::Get()) {
 }
 
-GenerateRSAKeyState::GenerateRSAKeyState(unsigned int modulus_length,
-                                         const GenerateKeyCallback& callback)
-    : modulus_length_(modulus_length), callback_(callback) {
+GenerateRSAKeyState::GenerateRSAKeyState(
+    unsigned int modulus_length_bits,
+    const subtle::GenerateKeyCallback& callback)
+    : modulus_length_bits_(modulus_length_bits), callback_(callback) {
 }
 
 SignState::SignState(const std::string& public_key,
                      const std::string& data,
-                     const SignCallback& callback)
+                     const subtle::SignCallback& callback)
     : public_key_(public_key), data_(data), callback_(callback) {
 }
 
 GetCertificatesState::GetCertificatesState(
     const GetCertificatesCallback& callback)
     : callback_(callback) {
 }
 
 ImportCertificateState::ImportCertificateState(
     scoped_refptr<net::X509Certificate> certificate,
     const ImportCertificateCallback& callback)
     : certificate_(certificate), callback_(callback) {
 }
 
 RemoveCertificateState::RemoveCertificateState(
     scoped_refptr<net::X509Certificate> certificate,
     const RemoveCertificateCallback& callback)
     : certificate_(certificate), callback_(callback) {
 }
 
 // Does the actual key generation on a worker thread. Used by
 // GenerateRSAKeyWithDB().
 void GenerateRSAKeyOnWorkerThread(scoped_ptr<GenerateRSAKeyState> state) {
   scoped_ptr<crypto::RSAPrivateKey> rsa_key(
       crypto::RSAPrivateKey::CreateSensitive(state->slot_.get(),
-                                             state->modulus_length_));
+                                             state->modulus_length_bits_));
   if (!rsa_key) {
     LOG(ERROR) << "Couldn't create key.";
     state->OnError(FROM_HERE, kErrorInternal);
     return;
   }
 
   std::vector<uint8> public_key_spki_der;
   if (!rsa_key->ExportPublicKey(&public_key_spki_der)) {
     // TODO(pneubeck): Remove rsa_key from storage.
     LOG(ERROR) << "Couldn't export public key.";
@@ skipping 163 matching lines @@
   scoped_refptr<net::X509Certificate> certificate = state->certificate_;
   bool certificate_found = certificate->os_cert_handle()->isperm;
   cert_db->DeleteCertAndKeyAsync(
       certificate,
       base::Bind(
           &DidRemoveCertificate, base::Passed(&state), certificate_found));
 }
 
 }  // namespace
 
+namespace subtle {
+
 void GenerateRSAKey(const std::string& token_id,
-                    unsigned int modulus_length,
+                    unsigned int modulus_length_bits,
                     const GenerateKeyCallback& callback,
                     Profile* profile) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   scoped_ptr<GenerateRSAKeyState> state(
-      new GenerateRSAKeyState(modulus_length, callback));
+      new GenerateRSAKeyState(modulus_length_bits, callback));
 
-  if (modulus_length > kMaxRSAModulusLength) {
+  if (modulus_length_bits > kMaxRSAModulusLengthBits) {
     state->OnError(FROM_HERE, kErrorAlgorithmNotSupported);
     return;
   }
 
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
   GetCertDatabase(token_id,
                   base::Bind(&GenerateRSAKeyWithDB, base::Passed(&state)),
                   profile,
                   state_ptr);
@@ skipping 11 matching lines @@
 
   // The NSSCertDatabase object is not required. But in case it's not available
   // we would get more informative error messages and we can double check that
   // we use a key of the correct token.
   GetCertDatabase(token_id,
                   base::Bind(&RSASignWithDB, base::Passed(&state)),
                   profile,
                   state_ptr);
 }
 
+}  // namespace subtle
+
 void GetCertificates(const std::string& token_id,
                      const GetCertificatesCallback& callback,
                      Profile* profile) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   scoped_ptr<GetCertificatesState> state(new GetCertificatesState(callback));
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
   GetCertDatabase(token_id,
                   base::Bind(&GetCertificatesWithDB, base::Passed(&state)),
                   profile,
@@ skipping 33 matching lines @@
   // we would get more informative error messages.
   GetCertDatabase(token_id,
                   base::Bind(&RemoveCertificateWithDB, base::Passed(&state)),
                   profile,
                   state_ptr);
 }
 
 }  // namespace platform_keys
 
 }  // namespace chromeos