enterprise.platformKeys: Respect the 'hash' argument of generateKey.

chrome/browser/chromeos/platform_keys/platform_keys_nss.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
 
 #include <cryptohi.h>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ skipping 134 matching lines @@
   const unsigned int modulus_length_bits_;
 
  private:
   // Must be called on origin thread, use CallBack() therefore.
   subtle::GenerateKeyCallback callback_;
 };
 
 class SignState : public NSSOperationState {
  public:
   SignState(const std::string& public_key,
+            HashAlgorithm hash_algorithm,
             const std::string& data,
             const subtle::SignCallback& callback);
   virtual ~SignState() {}
 
   virtual void OnError(const tracked_objects::Location& from,
                        const std::string& error_message) OVERRIDE {
     CallBack(from, std::string() /* no signature */, error_message);
   }
 
   void CallBack(const tracked_objects::Location& from,
                 const std::string& signature,
                 const std::string& error_message) {
     origin_task_runner_->PostTask(
         from, base::Bind(callback_, signature, error_message));
   }
 
   const std::string public_key_;
+  HashAlgorithm hash_algorithm_;
   const std::string data_;
 
  private:
   // Must be called on origin thread, use CallBack() therefore.
   subtle::SignCallback callback_;
 };
 
 class GetCertificatesState : public NSSOperationState {
  public:
   explicit GetCertificatesState(const GetCertificatesCallback& callback);
@@ skipping 70 matching lines @@
     : origin_task_runner_(base::ThreadTaskRunnerHandle::Get()) {
 }
 
 GenerateRSAKeyState::GenerateRSAKeyState(
     unsigned int modulus_length_bits,
     const subtle::GenerateKeyCallback& callback)
     : modulus_length_bits_(modulus_length_bits), callback_(callback) {
 }
 
 SignState::SignState(const std::string& public_key,
+                     HashAlgorithm hash_algorithm,
                      const std::string& data,
                      const subtle::SignCallback& callback)
-    : public_key_(public_key), data_(data), callback_(callback) {
+    : public_key_(public_key),
+      hash_algorithm_(hash_algorithm),
+      data_(data),
+      callback_(callback) {
 }
 
 GetCertificatesState::GetCertificatesState(
     const GetCertificatesCallback& callback)
     : callback_(callback) {
 }
 
 ImportCertificateState::ImportCertificateState(
     scoped_refptr<net::X509Certificate> certificate,
     const ImportCertificateCallback& callback)
@@ skipping 51 matching lines @@
       public_key_uint8, public_key_uint8 + state->public_key_.size());
 
   // TODO(pneubeck): This searches all slots. Change to look only at |slot_|.
   scoped_ptr<crypto::RSAPrivateKey> rsa_key(
       crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key_vector));
   if (!rsa_key || rsa_key->key()->pkcs11Slot != state->slot_) {
     state->OnError(FROM_HERE, kErrorKeyNotFound);
     return;
   }
 
+  SECOidTag sign_alg_tag = SEC_OID_UNKNOWN;
+  switch (state->hash_algorithm_) {
+    case HASH_ALGORITHM_SHA1:
+      sign_alg_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+      break;
+    case HASH_ALGORITHM_SHA256:
+      sign_alg_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+      break;
+    case HASH_ALGORITHM_SHA384:
+      sign_alg_tag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
+      break;
+    case HASH_ALGORITHM_SHA512:
+      sign_alg_tag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
+      break;
+  }
+
   SECItem sign_result = {siBuffer, NULL, 0};
   if (SEC_SignData(&sign_result,
                    reinterpret_cast<const unsigned char*>(state->data_.data()),
                    state->data_.size(),
                    rsa_key->key(),
-                   SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION) != SECSuccess) {
+                   sign_alg_tag) != SECSuccess) {
     LOG(ERROR) << "Couldn't sign.";
     state->OnError(FROM_HERE, kErrorInternal);
     return;
   }
 
   std::string signature(reinterpret_cast<const char*>(sign_result.data),
                         sign_result.len);
   state->CallBack(FROM_HERE, signature, std::string() /* no error */);
 }
 
@@ skipping 136 matching lines @@
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
   GetCertDatabase(token_id,
                   base::Bind(&GenerateRSAKeyWithDB, base::Passed(&state)),
                   browser_context,
                   state_ptr);
 }
 
 void Sign(const std::string& token_id,
           const std::string& public_key,
+          HashAlgorithm hash_algorithm,
           const std::string& data,
           const SignCallback& callback,
           BrowserContext* browser_context) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  scoped_ptr<SignState> state(new SignState(public_key, data, callback));
+  scoped_ptr<SignState> state(
+      new SignState(public_key, hash_algorithm, data, callback));
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
 
   // The NSSCertDatabase object is not required. But in case it's not available
   // we would get more informative error messages and we can double check that
   // we use a key of the correct token.
   GetCertDatabase(token_id,
                   base::Bind(&RSASignWithDB, base::Passed(&state)),
                   browser_context,
                   state_ptr);
@@ skipping 47 matching lines @@
   // we would get more informative error messages.
   GetCertDatabase(token_id,
                   base::Bind(&RemoveCertificateWithDB, base::Passed(&state)),
                   browser_context,
                   state_ptr);
 }
 
 }  // namespace platform_keys
 
 }  // namespace chromeos