Chromium Code Reviews Chromium Code Reviews
Issue 4670004:
Change NSS's native auth patch to use PCERT_KEY_CONTEXT instead of HCRYPTPROV on Win (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Platform specific crypto wrappers | 2 * Platform specific crypto wrappers |
| 3 * | 3 * |
| 4 * ***** BEGIN LICENSE BLOCK ***** | 4 * ***** BEGIN LICENSE BLOCK ***** |
| 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 6 * | 6 * |
| 7 * The contents of this file are subject to the Mozilla Public License Version | 7 * The contents of this file are subject to the Mozilla Public License Version |
| 8 * 1.1 (the "License"); you may not use this file except in compliance with | 8 * 1.1 (the "License"); you may not use this file except in compliance with |
| 9 * the License. You may obtain a copy of the License at | 9 * the License. You may obtain a copy of the License at |
| 10 * http://www.mozilla.org/MPL/ | 10 * http://www.mozilla.org/MPL/ |
| (...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 94 if (arena) { | 94 if (arena) { |
| 95 PORT_FreeArena(arena, PR_FALSE); | 95 PORT_FreeArena(arena, PR_FALSE); |
| 96 } | 96 } |
| 97 return NULL; | 97 return NULL; |
| 98 } | 98 } |
| 99 | 99 |
| 100 #if defined(XP_WIN32) | 100 #if defined(XP_WIN32) |
| 101 void | 101 void |
| 102 ssl_FreePlatformKey(PlatformKey key) | 102 ssl_FreePlatformKey(PlatformKey key) |
| 103 { | 103 { |
| 104 CryptReleaseContext(key, 0); | 104 if (!key) |
| 105 return; | |
| 106 if (key->dwKeySpec != CERT_NCRYPT_KEY_SPEC) | |
| 107 CryptReleaseContext(key->hCryptProv, 0); | |
| 108 // FIXME(rsleevi): Close CNG keys. | |
| 109 PORT_Free(key); | |
|
wtc
2011/02/04 01:32:16
Rewrite this in this style:
if (key) {
| |
| 105 } | 110 } |
| 106 | 111 |
| 107 void | 112 void |
| 108 ssl_FreePlatformAuthInfo(PlatformAuthInfo* info) | 113 ssl_FreePlatformAuthInfo(PlatformAuthInfo* info) |
| 109 { | 114 { |
| 110 if (info->provider != NULL) { | 115 if (info->provider != NULL) { |
| 111 PORT_Free(info->provider); | 116 PORT_Free(info->provider); |
| 112 info->provider = NULL; | 117 info->provider = NULL; |
| 113 } | 118 } |
| 114 if (info->container != NULL) { | 119 if (info->container != NULL) { |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 141 CryptReleaseContext(prov, 0); | 146 CryptReleaseContext(prov, 0); |
| 142 return PR_TRUE; | 147 return PR_TRUE; |
| 143 } | 148 } |
| 144 | 149 |
| 145 void | 150 void |
| 146 ssl_GetPlatformAuthInfoForKey(PlatformKey key, | 151 ssl_GetPlatformAuthInfoForKey(PlatformKey key, |
| 147 PlatformAuthInfo *info) | 152 PlatformAuthInfo *info) |
| 148 { | 153 { |
| 149 DWORD bytesNeeded = 0; | 154 DWORD bytesNeeded = 0; |
| 150 ssl_InitPlatformAuthInfo(info); | 155 ssl_InitPlatformAuthInfo(info); |
| 156 if (!key || key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) | |
| 157 goto error; | |
| 158 | |
| 151 bytesNeeded = sizeof(info->provType); | 159 bytesNeeded = sizeof(info->provType); |
| 152 if (!CryptGetProvParam(key, PP_PROVTYPE, (BYTE*)&info->provType, | 160 if (!CryptGetProvParam(key->hCryptProv, PP_PROVTYPE, |
| 153 &bytesNeeded, 0)) | 161 (BYTE*)&info->provType, &bytesNeeded, 0)) |
| 154 goto error; | 162 goto error; |
| 155 | 163 |
| 156 bytesNeeded = 0; | 164 bytesNeeded = 0; |
| 157 if (!CryptGetProvParam(key, PP_CONTAINER, NULL, &bytesNeeded, 0)) | 165 if (!CryptGetProvParam(key->hCryptProv, PP_CONTAINER, NULL, &bytesNeeded, |
| 166 0)) | |
| 158 goto error; | 167 goto error; |
| 159 info->container = (char*)PORT_Alloc(bytesNeeded); | 168 info->container = (char*)PORT_Alloc(bytesNeeded); |
| 160 if (info->container == NULL) | 169 if (info->container == NULL) |
| 161 goto error; | 170 goto error; |
| 162 if (!CryptGetProvParam(key, PP_CONTAINER, (BYTE*)info->container, | 171 if (!CryptGetProvParam(key->hCryptProv, PP_CONTAINER, |
| 163 &bytesNeeded, 0)) | 172 (BYTE*)info->container, &bytesNeeded, 0)) |
| 164 goto error; | 173 goto error; |
| 165 | 174 |
| 166 bytesNeeded = 0; | 175 bytesNeeded = 0; |
| 167 if (!CryptGetProvParam(key, PP_NAME, NULL, &bytesNeeded, 0)) | 176 if (!CryptGetProvParam(key->hCryptProv, PP_NAME, NULL, &bytesNeeded, 0)) |
| 168 goto error; | 177 goto error; |
| 169 info->provider = (char*)PORT_Alloc(bytesNeeded); | 178 info->provider = (char*)PORT_Alloc(bytesNeeded); |
| 170 if (info->provider == NULL) | 179 if (info->provider == NULL) |
| 171 goto error; | 180 goto error; |
| 172 if (!CryptGetProvParam(key, PP_NAME, (BYTE*)info->provider, | 181 if (!CryptGetProvParam(key->hCryptProv, PP_NAME, (BYTE*)info->provider, |
| 173 &bytesNeeded, 0)) | 182 &bytesNeeded, 0)) |
| 174 goto error; | 183 goto error; |
| 175 | 184 |
| 176 goto done; | 185 goto done; |
| 177 error: | 186 error: |
| 178 ssl_FreePlatformAuthInfo(info); | 187 ssl_FreePlatformAuthInfo(info); |
| 179 | 188 |
| 180 done: | 189 done: |
| 181 return; | 190 return; |
| 182 } | 191 } |
| 183 | 192 |
| 184 SECStatus | 193 SECStatus |
| 185 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, | 194 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, |
| 186 PRBool isTLS) | 195 PRBool isTLS) |
| 187 { | 196 { |
| 188 SECStatus rv = SECFailure; | 197 SECStatus rv = SECFailure; |
| 189 PRBool doDerEncode = PR_FALSE; | 198 PRBool doDerEncode = PR_FALSE; |
| 190 SECItem hashItem; | 199 SECItem hashItem; |
| 191 /* TODO(rsleevi): Should AT_SIGNATURE also be checked if doing client | |
| 192 * auth? | |
| 193 */ | |
| 194 DWORD keySpec = AT_KEYEXCHANGE; | |
| 195 HCRYPTKEY hKey = 0; | 200 HCRYPTKEY hKey = 0; |
| 196 DWORD argLen = 0; | 201 DWORD argLen = 0; |
| 197 ALG_ID keyAlg = 0; | 202 ALG_ID keyAlg = 0; |
| 198 DWORD signatureLen = 0; | 203 DWORD signatureLen = 0; |
| 199 ALG_ID hashAlg = 0; | 204 ALG_ID hashAlg = 0; |
| 200 HCRYPTHASH hHash = 0; | 205 HCRYPTHASH hHash = 0; |
| 201 DWORD hashLen = 0; | 206 DWORD hashLen = 0; |
| 202 unsigned int i = 0; | 207 unsigned int i = 0; |
| 203 | 208 |
| 204 buf->data = NULL; | 209 buf->data = NULL; |
| 205 if (!CryptGetUserKey(key, keySpec, &hKey)) { | 210 if (!CryptGetUserKey(key->hCryptProv, key->dwKeySpec, &hKey)) { |
| 206 PORT_SetError(SEC_ERROR_INVALID_KEY); | 211 PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 207 goto done; | 212 goto done; |
| 208 } | 213 } |
| 209 | 214 |
| 210 argLen = sizeof(keyAlg); | 215 argLen = sizeof(keyAlg); |
| 211 if (!CryptGetKeyParam(hKey, KP_ALGID, (BYTE*)&keyAlg, &argLen, 0)) { | 216 if (!CryptGetKeyParam(hKey, KP_ALGID, (BYTE*)&keyAlg, &argLen, 0)) { |
| 212 PORT_SetError(SEC_ERROR_INVALID_KEY); | 217 PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 213 goto done; | 218 goto done; |
| 214 } | 219 } |
| 215 | 220 |
| 216 switch (keyAlg) { | 221 switch (keyAlg) { |
| 217 case CALG_RSA_KEYX: | 222 case CALG_RSA_KEYX: |
| 218 case CALG_RSA_SIGN: | 223 case CALG_RSA_SIGN: |
| 219 hashAlg = CALG_SSL3_SHAMD5; | 224 hashAlg = CALG_SSL3_SHAMD5; |
| 220 hashItem.data = hash->md5; | 225 hashItem.data = hash->md5; |
| 221 hashItem.len = sizeof(SSL3Hashes); | 226 hashItem.len = sizeof(SSL3Hashes); |
| 222 break; | 227 break; |
| 223 case CALG_DSS_SIGN: | 228 case CALG_DSS_SIGN: |
| 224 /* TODO: Support CALG_ECDSA once tested */ | |
| 225 case CALG_ECDSA: | 229 case CALG_ECDSA: |
| 226 if (keyAlg == CALG_ECDSA) { | 230 if (keyAlg == CALG_ECDSA) { |
| 227 doDerEncode = PR_TRUE; | 231 doDerEncode = PR_TRUE; |
| 228 } else { | 232 } else { |
| 229 doDerEncode = isTLS; | 233 doDerEncode = isTLS; |
| 230 } | 234 } |
| 231 hashAlg = CALG_SHA1; | 235 hashAlg = CALG_SHA1; |
| 232 hashItem.data = hash->sha; | 236 hashItem.data = hash->sha; |
| 233 hashItem.len = sizeof(hash->sha); | 237 hashItem.len = sizeof(hash->sha); |
| 234 break; | 238 break; |
| 235 default: | 239 default: |
| 236 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 240 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
| 237 goto done; | 241 goto done; |
| 238 } | 242 } |
| 239 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); | 243 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); |
| 240 | 244 |
| 241 if (!CryptCreateHash(key, hashAlg, 0, 0, &hHash)) { | 245 if (!CryptCreateHash(key->hCryptProv, hashAlg, 0, 0, &hHash)) { |
| 242 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 246 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 243 goto done; | 247 goto done; |
| 244 } | 248 } |
| 245 argLen = sizeof(hashLen); | 249 argLen = sizeof(hashLen); |
| 246 if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&hashLen, &argLen, 0)) { | 250 if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&hashLen, &argLen, 0)) { |
| 247 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 251 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 248 goto done; | 252 goto done; |
| 249 } | 253 } |
| 250 if (hashLen != hashItem.len) { | 254 if (hashLen != hashItem.len) { |
| 251 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 255 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 252 goto done; | 256 goto done; |
| 253 } | 257 } |
| 254 if (!CryptSetHashParam(hHash, HP_HASHVAL, (BYTE*)hashItem.data, 0)) { | 258 if (!CryptSetHashParam(hHash, HP_HASHVAL, (BYTE*)hashItem.data, 0)) { |
| 255 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 259 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 256 goto done; | 260 goto done; |
| 257 } | 261 } |
| 258 if (!CryptSignHash(hHash, keySpec, NULL, CRYPT_NOHASHOID, | 262 if (!CryptSignHash(hHash, key->dwKeySpec, NULL, CRYPT_NOHASHOID, |
| 259 NULL, &signatureLen) || signatureLen == 0) { | 263 NULL, &signatureLen) || signatureLen == 0) { |
| 260 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 264 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 261 goto done; | 265 goto done; |
| 262 } | 266 } |
| 263 buf->data = (unsigned char *)PORT_Alloc(signatureLen); | 267 buf->data = (unsigned char *)PORT_Alloc(signatureLen); |
| 264 if (!buf->data) | 268 if (!buf->data) |
| 265 goto done; /* error code was set. */ | 269 goto done; /* error code was set. */ |
| 266 | 270 |
| 267 if (!CryptSignHash(hHash, keySpec, NULL, CRYPT_NOHASHOID, | 271 if (!CryptSignHash(hHash, key->dwKeySpec, NULL, CRYPT_NOHASHOID, |
| 268 (BYTE*)buf->data, &signatureLen)) { | 272 (BYTE*)buf->data, &signatureLen)) { |
| 269 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 273 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
| 270 goto done; | 274 goto done; |
| 271 } | 275 } |
| 272 buf->len = signatureLen; | 276 buf->len = signatureLen; |
| 273 | 277 |
| 274 /* CryptoAPI signs in little-endian, so reverse */ | 278 /* CryptoAPI signs in little-endian, so reverse */ |
| 275 for (i = 0; i < buf->len / 2; ++i) { | 279 for (i = 0; i < buf->len / 2; ++i) { |
| 276 unsigned char tmp = buf->data[i]; | 280 unsigned char tmp = buf->data[i]; |
| 277 buf->data[i] = buf->data[buf->len - 1 - i]; | 281 buf->data[i] = buf->data[buf->len - 1 - i]; |
| (...skipping 274 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 552 SECStatus | 556 SECStatus |
| 553 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, | 557 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, |
| 554 PRBool isTLS) | 558 PRBool isTLS) |
| 555 { | 559 { |
| 556 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 560 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| 557 return SECFailure; | 561 return SECFailure; |
| 558 } | 562 } |
| 559 #endif | 563 #endif |
| 560 | 564 |
| 561 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 565 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| OLD | NEW |
