| Index: net/ssl/openssl_platform_key_win.cc
|
| diff --git a/net/ssl/openssl_platform_key_win.cc b/net/ssl/openssl_platform_key_win.cc
|
| index c7db5cbd7dcbfbc6f031a922eb0352588e0b3228..8c9589afe0d0247edd887dfa7a897d6f4f6a38c6 100644
|
| --- a/net/ssl/openssl_platform_key_win.cc
|
| +++ b/net/ssl/openssl_platform_key_win.cc
|
| @@ -4,15 +4,707 @@
|
|
|
| #include "net/ssl/openssl_platform_key.h"
|
|
|
| +#include <windows.h>
|
| +#include <NCrypt.h>
|
| +
|
| +#include <string.h>
|
| +
|
| +#include <algorithm>
|
| +#include <vector>
|
| +
|
| +#include <openssl/bn.h>
|
| +#include <openssl/digest.h>
|
| +#include <openssl/ec_key.h>
|
| +#include <openssl/err.h>
|
| +#include <openssl/engine.h>
|
| +#include <openssl/evp.h>
|
| +#include <openssl/md5.h>
|
| +#include <openssl/obj_mac.h>
|
| +#include <openssl/rsa.h>
|
| +#include <openssl/sha.h>
|
| +
|
| +#include "base/debug/debugger.h"
|
| +#include "base/debug/stack_trace.h"
|
| +#include "base/lazy_instance.h"
|
| #include "base/logging.h"
|
| +#include "base/memory/scoped_ptr.h"
|
| +#include "base/win/windows_version.h"
|
| +#include "crypto/scoped_capi_types.h"
|
| +#include "crypto/wincrypt_shim.h"
|
| +#include "net/base/net_errors.h"
|
| +#include "net/cert/x509_certificate.h"
|
| +#include "net/ssl/openssl_ssl_util.h"
|
|
|
| namespace net {
|
|
|
| +namespace {
|
| +
|
| +using NCryptFreeObjectFunc = SECURITY_STATUS(WINAPI*)(NCRYPT_HANDLE);
|
| +using NCryptGetPropertyFunc =
|
| + SECURITY_STATUS(WINAPI*)(NCRYPT_HANDLE, // hObject
|
| + LPCWSTR, // pszProperty
|
| + PBYTE, // pbOutput
|
| + DWORD, // cbOutput
|
| + DWORD*, // pcbResult
|
| + DWORD); // dwFlags
|
| +using NCryptSignHashFunc =
|
| + SECURITY_STATUS(WINAPI*)(NCRYPT_KEY_HANDLE, // hKey
|
| + VOID*, // pPaddingInfo
|
| + PBYTE, // pbHashValue
|
| + DWORD, // cbHashValue
|
| + PBYTE, // pbSignature
|
| + DWORD, // cbSignature
|
| + DWORD*, // pcbResult
|
| + DWORD); // dwFlags
|
| +
|
| +class CNGFunctions {
|
| + public:
|
| + CNGFunctions()
|
| + : ncrypt_free_object_(nullptr),
|
| + ncrypt_get_property_(nullptr),
|
| + ncrypt_sign_hash_(nullptr) {
|
| + HMODULE ncrypt = GetModuleHandle(L"ncrypt.dll");
|
| + if (ncrypt != nullptr) {
|
| + ncrypt_free_object_ = reinterpret_cast<NCryptFreeObjectFunc>(
|
| + GetProcAddress(ncrypt, "NCryptFreeObject"));
|
| + ncrypt_get_property_ = reinterpret_cast<NCryptGetPropertyFunc>(
|
| + GetProcAddress(ncrypt, "NCryptGetProperty"));
|
| + ncrypt_sign_hash_ = reinterpret_cast<NCryptSignHashFunc>(
|
| + GetProcAddress(ncrypt, "NCryptSignHash"));
|
| + }
|
| + }
|
| +
|
| + NCryptFreeObjectFunc ncrypt_free_object() const {
|
| + return ncrypt_free_object_;
|
| + }
|
| +
|
| + NCryptGetPropertyFunc ncrypt_get_property() const {
|
| + return ncrypt_get_property_;
|
| + }
|
| +
|
| + NCryptSignHashFunc ncrypt_sign_hash() const { return ncrypt_sign_hash_; }
|
| +
|
| + private:
|
| + NCryptFreeObjectFunc ncrypt_free_object_;
|
| + NCryptGetPropertyFunc ncrypt_get_property_;
|
| + NCryptSignHashFunc ncrypt_sign_hash_;
|
| +};
|
| +
|
| +base::LazyInstance<CNGFunctions>::Leaky g_cng_functions =
|
| + LAZY_INSTANCE_INITIALIZER;
|
| +
|
| +struct CERT_KEY_CONTEXTDeleter {
|
| + void operator()(PCERT_KEY_CONTEXT key) {
|
| + if (key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
|
| + g_cng_functions.Get().ncrypt_free_object()(key->hNCryptKey);
|
| + } else {
|
| + CryptReleaseContext(key->hCryptProv, 0);
|
| + }
|
| + delete key;
|
| + }
|
| +};
|
| +
|
| +using ScopedCERT_KEY_CONTEXT =
|
| + scoped_ptr<CERT_KEY_CONTEXT, CERT_KEY_CONTEXTDeleter>;
|
| +
|
| +// KeyExData contains the data that is contained in the EX_DATA of the
|
| +// RSA and ECDSA objects that are created to wrap Windows system keys.
|
| +struct KeyExData {
|
| + KeyExData(ScopedCERT_KEY_CONTEXT key, DWORD key_length)
|
| + : key(key.Pass()), key_length(key_length) {}
|
| +
|
| + ScopedCERT_KEY_CONTEXT key;
|
| + DWORD key_length;
|
| +};
|
| +
|
| +// ExDataDup is called when one of the RSA or EC_KEY objects is
|
| +// duplicated. This is not supported and should never happen.
|
| +int ExDataDup(CRYPTO_EX_DATA* to,
|
| + const CRYPTO_EX_DATA* from,
|
| + void** from_d,
|
| + int idx,
|
| + long argl,
|
| + void* argp) {
|
| + CHECK_EQ((void*)nullptr, *from_d);
|
| + return 0;
|
| +}
|
| +
|
| +// ExDataFree is called when one of the RSA or EC_KEY objects is freed.
|
| +void ExDataFree(void* parent,
|
| + void* ptr,
|
| + CRYPTO_EX_DATA* ex_data,
|
| + int idx,
|
| + long argl,
|
| + void* argp) {
|
| + KeyExData* data = reinterpret_cast<KeyExData*>(ptr);
|
| + delete data;
|
| +}
|
| +
|
| +extern const RSA_METHOD win_rsa_method;
|
| +extern const ECDSA_METHOD win_ecdsa_method;
|
| +
|
| +// BoringSSLEngine is a BoringSSL ENGINE that implements RSA and ECDSA
|
| +// by forwarding the requested operations to CAPI or CNG.
|
| +class BoringSSLEngine {
|
| + public:
|
| + BoringSSLEngine()
|
| + : rsa_index_(RSA_get_ex_new_index(0 /* argl */,
|
| + nullptr /* argp */,
|
| + nullptr /* new_func */,
|
| + ExDataDup,
|
| + ExDataFree)),
|
| + ec_key_index_(EC_KEY_get_ex_new_index(0 /* argl */,
|
| + nullptr /* argp */,
|
| + nullptr /* new_func */,
|
| + ExDataDup,
|
| + ExDataFree)),
|
| + engine_(ENGINE_new()) {
|
| + ENGINE_set_RSA_method(engine_, &win_rsa_method, sizeof(win_rsa_method));
|
| + ENGINE_set_ECDSA_method(engine_, &win_ecdsa_method,
|
| + sizeof(win_ecdsa_method));
|
| + }
|
| +
|
| + int rsa_ex_index() const { return rsa_index_; }
|
| + int ec_key_ex_index() const { return ec_key_index_; }
|
| +
|
| + const ENGINE* engine() const { return engine_; }
|
| +
|
| + private:
|
| + const int rsa_index_;
|
| + const int ec_key_index_;
|
| + ENGINE* const engine_;
|
| +};
|
| +
|
| +base::LazyInstance<BoringSSLEngine>::Leaky global_boringssl_engine =
|
| + LAZY_INSTANCE_INITIALIZER;
|
| +
|
| +// Custom RSA_METHOD that uses the platform APIs for signing.
|
| +
|
| +const KeyExData* RsaGetExData(const RSA* rsa) {
|
| + return reinterpret_cast<const KeyExData*>(
|
| + RSA_get_ex_data(rsa, global_boringssl_engine.Get().rsa_ex_index()));
|
| +}
|
| +
|
| +size_t RsaMethodSize(const RSA* rsa) {
|
| + const KeyExData* ex_data = RsaGetExData(rsa);
|
| + return (ex_data->key_length + 7) / 8;
|
| +}
|
| +
|
| +// Signs |in| using |rsa| with PKCS #1 padding. If |hash_nid| is NID_md5_sha1,
|
| +// |in| is a TLS MD5/SHA-1 concatenation and should be signed as-is. Otherwise
|
| +// |in| is a standard hash function and should be prefixed with the
|
| +// corresponding DigestInfo before signing. The signature is written to |out|
|
| +// and its length written to |*out_len|. This function returns true on success
|
| +// and false on failure.
|
| +bool RsaSignPKCS1(const RSA* rsa,
|
| + int hash_nid,
|
| + const uint8_t* in,
|
| + size_t in_len,
|
| + uint8_t* out,
|
| + size_t max_out,
|
| + size_t* out_len) {
|
| + const KeyExData* ex_data = RsaGetExData(rsa);
|
| + if (!ex_data) {
|
| + NOTREACHED();
|
| + OPENSSL_PUT_ERROR(RSA, RSA_sign, ERR_R_INTERNAL_ERROR);
|
| + return false;
|
| + }
|
| +
|
| + if (ex_data->key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
|
| + BCRYPT_PKCS1_PADDING_INFO rsa_padding_info;
|
| + switch (hash_nid) {
|
| + case NID_md5_sha1:
|
| + rsa_padding_info.pszAlgId = nullptr;
|
| + break;
|
| + case NID_sha1:
|
| + rsa_padding_info.pszAlgId = BCRYPT_SHA1_ALGORITHM;
|
| + break;
|
| + case NID_sha256:
|
| + rsa_padding_info.pszAlgId = BCRYPT_SHA256_ALGORITHM;
|
| + break;
|
| + case NID_sha384:
|
| + rsa_padding_info.pszAlgId = BCRYPT_SHA384_ALGORITHM;
|
| + break;
|
| + case NID_sha512:
|
| + rsa_padding_info.pszAlgId = BCRYPT_SHA512_ALGORITHM;
|
| + break;
|
| + default:
|
| + OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_UNKNOWN_ALGORITHM_TYPE);
|
| + return false;
|
| + }
|
| +
|
| + DWORD signature_len;
|
| + SECURITY_STATUS ncrypt_status = g_cng_functions.Get().ncrypt_sign_hash()(
|
| + ex_data->key->hNCryptKey, &rsa_padding_info, const_cast<PBYTE>(in),
|
| + in_len, out, max_out, &signature_len, BCRYPT_PAD_PKCS1);
|
| + if (FAILED(ncrypt_status) || signature_len == 0) {
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return false;
|
| + }
|
| + *out_len = signature_len;
|
| + return true;
|
| + }
|
| +
|
| + ALG_ID hash_alg;
|
| + switch (hash_nid) {
|
| + case NID_md5_sha1:
|
| + hash_alg = CALG_SSL3_SHAMD5;
|
| + break;
|
| + case NID_sha1:
|
| + hash_alg = CALG_SHA1;
|
| + break;
|
| + case NID_sha256:
|
| + hash_alg = CALG_SHA_256;
|
| + break;
|
| + case NID_sha384:
|
| + hash_alg = CALG_SHA_384;
|
| + break;
|
| + case NID_sha512:
|
| + hash_alg = CALG_SHA_512;
|
| + break;
|
| + default:
|
| + OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_UNKNOWN_ALGORITHM_TYPE);
|
| + return false;
|
| + }
|
| +
|
| + HCRYPTHASH hash;
|
| + if (!CryptCreateHash(ex_data->key->hCryptProv, hash_alg, 0, 0, &hash)) {
|
| + PLOG(ERROR) << "CreateCreateHash failed";
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return false;
|
| + }
|
| + DWORD hash_len;
|
| + DWORD arg_len = sizeof(hash_len);
|
| + if (!CryptGetHashParam(hash, HP_HASHSIZE, reinterpret_cast<BYTE*>(&hash_len),
|
| + &arg_len, 0)) {
|
| + PLOG(ERROR) << "CryptGetHashParam HP_HASHSIZE failed";
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return false;
|
| + }
|
| + if (hash_len != in_len) {
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return false;
|
| + }
|
| + if (!CryptSetHashParam(hash, HP_HASHVAL, const_cast<BYTE*>(in), 0)) {
|
| + PLOG(ERROR) << "CryptSetHashParam HP_HASHVAL failed";
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return false;
|
| + }
|
| + DWORD signature_len = max_out;
|
| + if (!CryptSignHash(hash, ex_data->key->dwKeySpec, nullptr, 0, out,
|
| + &signature_len)) {
|
| + PLOG(ERROR) << "CryptSignHash failed";
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return false;
|
| + }
|
| +
|
| + /* CryptoAPI signs in little-endian, so reverse it. */
|
| + std::reverse(out, out + signature_len);
|
| + *out_len = signature_len;
|
| + return true;
|
| +}
|
| +
|
| +int RsaMethodSign(int hash_nid,
|
| + const uint8_t* in,
|
| + unsigned in_len,
|
| + uint8_t* out,
|
| + unsigned* out_len,
|
| + const RSA* rsa) {
|
| + // TOD(davidben): Switch BoringSSL's sign hook to using size_t rather than
|
| + // unsigned.
|
| + size_t len;
|
| + if (!RsaSignPKCS1(rsa, hash_nid, in, in_len, out, RSA_size(rsa), &len))
|
| + return 0;
|
| + *out_len = len;
|
| + return 1;
|
| +}
|
| +
|
| +int RsaMethodEncrypt(RSA* rsa,
|
| + size_t* out_len,
|
| + uint8_t* out,
|
| + size_t max_out,
|
| + const uint8_t* in,
|
| + size_t in_len,
|
| + int padding) {
|
| + NOTIMPLEMENTED();
|
| + OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_UNKNOWN_ALGORITHM_TYPE);
|
| + return 0;
|
| +}
|
| +
|
| +int RsaMethodSignRaw(RSA* rsa,
|
| + size_t* out_len,
|
| + uint8_t* out,
|
| + size_t max_out,
|
| + const uint8_t* in,
|
| + size_t in_len,
|
| + int padding) {
|
| + DCHECK_EQ(RSA_PKCS1_PADDING, padding);
|
| + if (padding != RSA_PKCS1_PADDING) {
|
| + OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_UNKNOWN_PADDING_TYPE);
|
| + return 0;
|
| + }
|
| +
|
| + // BoringSSL calls only sign_raw, not sign, in pre-TLS-1.2 MD5/SHA1
|
| + // signatures. This hook is implemented only for that case.
|
| + //
|
| + // TODO(davidben): Make client auth in BoringSSL call RSA_sign with
|
| + // NID_md5_sha1. https://crbug.com/437023
|
| + if (in_len != MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH) {
|
| + OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_INVALID_MESSAGE_LENGTH);
|
| + return 0;
|
| + }
|
| + if (!RsaSignPKCS1(rsa, NID_md5_sha1, in, in_len, out, max_out, out_len))
|
| + return 0;
|
| + return 1;
|
| +}
|
| +
|
| +int RsaMethodDecrypt(RSA* rsa,
|
| + size_t* out_len,
|
| + uint8_t* out,
|
| + size_t max_out,
|
| + const uint8_t* in,
|
| + size_t in_len,
|
| + int padding) {
|
| + NOTIMPLEMENTED();
|
| + OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_UNKNOWN_ALGORITHM_TYPE);
|
| + return 0;
|
| +}
|
| +
|
| +int RsaMethodVerifyRaw(RSA* rsa,
|
| + size_t* out_len,
|
| + uint8_t* out,
|
| + size_t max_out,
|
| + const uint8_t* in,
|
| + size_t in_len,
|
| + int padding) {
|
| + NOTIMPLEMENTED();
|
| + OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_UNKNOWN_ALGORITHM_TYPE);
|
| + return 0;
|
| +}
|
| +
|
| +int RsaMethodSupportsDigest(const RSA* rsa, const EVP_MD* md) {
|
| + const KeyExData* ex_data = RsaGetExData(rsa);
|
| + if (!ex_data) {
|
| + NOTREACHED();
|
| + return 0;
|
| + }
|
| +
|
| + int hash_nid = EVP_MD_type(md);
|
| + if (ex_data->key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
|
| + // Only hashes which appear in RsaSignPKCS1 are supported.
|
| + if (hash_nid != NID_sha1 && hash_nid != NID_sha256 &&
|
| + hash_nid != NID_sha384 && hash_nid != NID_sha512) {
|
| + return 0;
|
| + }
|
| +
|
| + // If the key is a 1024-bit RSA, assume conservatively that it may only be
|
| + // able to sign SHA-1 hashes. This is the case for older Estonian ID cards
|
| + // that have 1024-bit RSA keys.
|
| + //
|
| + // CNG does provide NCryptIsAlgSupported and NCryptEnumAlgorithms functions,
|
| + // however they seem to both return NTE_NOT_SUPPORTED when querying the
|
| + // NCRYPT_PROV_HANDLE at the key's NCRYPT_PROVIDER_HANDLE_PROPERTY.
|
| + if (ex_data->key_length <= 1024 && hash_nid != NID_sha1)
|
| + return 0;
|
| +
|
| + return 1;
|
| + } else {
|
| + // If the key is in CAPI, assume conservatively that the CAPI service
|
| + // provider may only be able to sign SHA-1 hashes.
|
| + return hash_nid == NID_sha1;
|
| + }
|
| +}
|
| +
|
| +const RSA_METHOD win_rsa_method = {
|
| + {
|
| + 0, // references
|
| + 1, // is_static
|
| + },
|
| + nullptr, // app_data
|
| +
|
| + nullptr, // init
|
| + nullptr, // finish
|
| + RsaMethodSize,
|
| + RsaMethodSign,
|
| + nullptr, // verify
|
| + RsaMethodEncrypt,
|
| + RsaMethodSignRaw,
|
| + RsaMethodDecrypt,
|
| + RsaMethodVerifyRaw,
|
| + nullptr, // private_transform
|
| + nullptr, // mod_exp
|
| + nullptr, // bn_mod_exp
|
| + RSA_FLAG_OPAQUE,
|
| + nullptr, // keygen
|
| + RsaMethodSupportsDigest,
|
| +};
|
| +
|
| +// Custom ECDSA_METHOD that uses the platform APIs.
|
| +// Note that for now, only signing through ECDSA_sign() is really supported.
|
| +// all other method pointers are either stubs returning errors, or no-ops.
|
| +
|
| +const KeyExData* EcKeyGetExData(const EC_KEY* ec_key) {
|
| + return reinterpret_cast<const KeyExData*>(EC_KEY_get_ex_data(
|
| + ec_key, global_boringssl_engine.Get().ec_key_ex_index()));
|
| +}
|
| +
|
| +size_t EcdsaMethodGroupOrderSize(const EC_KEY* ec_key) {
|
| + const KeyExData* ex_data = EcKeyGetExData(ec_key);
|
| + // Windows doesn't distinguish the sizes of the curve's degree (which
|
| + // determines the size of a point on the curve) and the base point's order
|
| + // (which determines the size of a scalar). For P-256, P-384, and P-521, these
|
| + // two sizes are the same.
|
| + //
|
| + // See
|
| + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375520(v=vs.85).aspx
|
| + // which uses the same length for both.
|
| + return (ex_data->key_length + 7) / 8;
|
| +}
|
| +
|
| +int EcdsaMethodSign(const uint8_t* digest,
|
| + size_t digest_len,
|
| + uint8_t* out_sig,
|
| + unsigned int* out_sig_len,
|
| + EC_KEY* ec_key) {
|
| + const KeyExData* ex_data = EcKeyGetExData(ec_key);
|
| + // Only CNG supports ECDSA.
|
| + if (!ex_data || ex_data->key->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
|
| + NOTREACHED();
|
| + OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
|
| + return 0;
|
| + }
|
| +
|
| + size_t degree = (ex_data->key_length + 7) / 8;
|
| + if (degree == 0) {
|
| + NOTREACHED();
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return 0;
|
| + }
|
| + std::vector<uint8_t> raw_sig(degree * 2);
|
| +
|
| + DWORD signature_len;
|
| + SECURITY_STATUS ncrypt_status = g_cng_functions.Get().ncrypt_sign_hash()(
|
| + ex_data->key->hNCryptKey, nullptr, const_cast<PBYTE>(digest), digest_len,
|
| + &raw_sig[0], raw_sig.size(), &signature_len, 0);
|
| + if (FAILED(ncrypt_status) || signature_len != raw_sig.size()) {
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return 0;
|
| + }
|
| +
|
| + // Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
|
| + crypto::ScopedECDSA_SIG sig(ECDSA_SIG_new());
|
| + if (!sig) {
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return 0;
|
| + }
|
| + sig->r = BN_bin2bn(&raw_sig[0], degree, nullptr);
|
| + sig->s = BN_bin2bn(&raw_sig[degree], degree, nullptr);
|
| + if (!sig->r || !sig->s) {
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return 0;
|
| + }
|
| +
|
| + // Ensure the DER-encoded signature fits in the bounds.
|
| + int len = i2d_ECDSA_SIG(sig.get(), nullptr);
|
| + if (len < 0 || len > ECDSA_size(ec_key)) {
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return 0;
|
| + }
|
| +
|
| + len = i2d_ECDSA_SIG(sig.get(), &out_sig);
|
| + if (len < 0) {
|
| + OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
|
| + return 0;
|
| + }
|
| + *out_sig_len = len;
|
| + return 1;
|
| +}
|
| +
|
| +int EcdsaMethodVerify(const uint8_t* digest,
|
| + size_t digest_len,
|
| + const uint8_t* sig,
|
| + size_t sig_len,
|
| + EC_KEY* eckey) {
|
| + NOTIMPLEMENTED();
|
| + OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ECDSA_R_NOT_IMPLEMENTED);
|
| + return 0;
|
| +}
|
| +
|
| +const ECDSA_METHOD win_ecdsa_method = {
|
| + {
|
| + 0, // references
|
| + 1, // is_static
|
| + },
|
| + nullptr, // app_data
|
| +
|
| + nullptr, // init
|
| + nullptr, // finish
|
| + EcdsaMethodGroupOrderSize,
|
| + EcdsaMethodSign,
|
| + EcdsaMethodVerify,
|
| + ECDSA_FLAG_OPAQUE,
|
| +};
|
| +
|
| +// Determines the key type and length of |key|. The type is returned as an
|
| +// OpenSSL EVP_PKEY type. The key length for RSA key is the size of the RSA
|
| +// modulus in bits. For an ECDSA key, it is the number of bits to represent the
|
| +// group order. It returns true on success and false on failure.
|
| +bool GetKeyInfo(PCERT_KEY_CONTEXT key, int* out_type, DWORD* out_length) {
|
| + if (key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
|
| + DWORD prop_len;
|
| + SECURITY_STATUS status = g_cng_functions.Get().ncrypt_get_property()(
|
| + key->hNCryptKey, NCRYPT_ALGORITHM_GROUP_PROPERTY, nullptr, 0, &prop_len,
|
| + 0);
|
| + if (FAILED(status) || prop_len == 0 || prop_len % 2 != 0) {
|
| + LOG(ERROR) << "Could not query CNG key type: " << status;
|
| + return false;
|
| + }
|
| +
|
| + std::vector<BYTE> prop_buf(prop_len);
|
| + status = g_cng_functions.Get().ncrypt_get_property()(
|
| + key->hNCryptKey, NCRYPT_ALGORITHM_GROUP_PROPERTY, &prop_buf[0],
|
| + prop_buf.size(), &prop_len, 0);
|
| + if (FAILED(status) || prop_len == 0 || prop_len % 2 != 0) {
|
| + LOG(ERROR) << "Could not query CNG key type: " << status;
|
| + return false;
|
| + }
|
| +
|
| + int type;
|
| + const wchar_t* alg = reinterpret_cast<const wchar_t*>(&prop_buf[0]);
|
| + if (wcsncmp(NCRYPT_RSA_ALGORITHM_GROUP, alg, prop_len / 2) == 0) {
|
| + type = EVP_PKEY_RSA;
|
| + } else if (wcsncmp(NCRYPT_ECDSA_ALGORITHM_GROUP, alg, prop_len / 2) == 0 ||
|
| + wcsncmp(NCRYPT_ECDH_ALGORITHM_GROUP, alg, prop_len / 2) == 0) {
|
| + // Importing an ECDSA key via PKCS #12 seems to label it as ECDH rather
|
| + // than ECDSA, so also allow ECDH.
|
| + type = EVP_PKEY_EC;
|
| + } else {
|
| + LOG(ERROR) << "Unknown CNG key type: "
|
| + << std::wstring(alg, wcsnlen(alg, prop_len / 2));
|
| + return false;
|
| + }
|
| +
|
| + DWORD length;
|
| + prop_len;
|
| + status = g_cng_functions.Get().ncrypt_get_property()(
|
| + key->hNCryptKey, NCRYPT_LENGTH_PROPERTY,
|
| + reinterpret_cast<BYTE*>(&length), sizeof(DWORD), &prop_len, 0);
|
| + if (FAILED(status)) {
|
| + LOG(ERROR) << "Could not get CNG key length " << status;
|
| + return false;
|
| + }
|
| + DCHECK_EQ(sizeof(DWORD), prop_len);
|
| +
|
| + *out_type = type;
|
| + *out_length = length;
|
| + return true;
|
| + }
|
| +
|
| + crypto::ScopedHCRYPTKEY hcryptkey;
|
| + if (!CryptGetUserKey(key->hCryptProv, key->dwKeySpec, hcryptkey.receive())) {
|
| + PLOG(ERROR) << "Could not get CAPI key handle";
|
| + return false;
|
| + }
|
| +
|
| + ALG_ID alg_id;
|
| + DWORD prop_len = sizeof(alg_id);
|
| + if (!CryptGetKeyParam(hcryptkey.get(), KP_ALGID,
|
| + reinterpret_cast<BYTE*>(&alg_id), &prop_len, 0)) {
|
| + PLOG(ERROR) << "Could not query CAPI key type";
|
| + return false;
|
| + }
|
| +
|
| + if (alg_id != CALG_RSA_SIGN && alg_id != CALG_RSA_KEYX) {
|
| + LOG(ERROR) << "Unknown CAPI key type: " << alg_id;
|
| + return false;
|
| + }
|
| +
|
| + DWORD length;
|
| + prop_len = sizeof(DWORD);
|
| + if (!CryptGetKeyParam(hcryptkey.get(), KP_KEYLEN,
|
| + reinterpret_cast<BYTE*>(&length), &prop_len, 0)) {
|
| + PLOG(ERROR) << "Could not get CAPI key length";
|
| + return false;
|
| + }
|
| + DCHECK_EQ(sizeof(DWORD), prop_len);
|
| +
|
| + *out_type = EVP_PKEY_RSA;
|
| + *out_length = length;
|
| + return true;
|
| +}
|
| +
|
| +crypto::ScopedEVP_PKEY CreateRSAWrapper(ScopedCERT_KEY_CONTEXT key,
|
| + DWORD key_length) {
|
| + crypto::ScopedRSA rsa(RSA_new_method(global_boringssl_engine.Get().engine()));
|
| + if (!rsa)
|
| + return nullptr;
|
| +
|
| + RSA_set_ex_data(rsa.get(), global_boringssl_engine.Get().rsa_ex_index(),
|
| + new KeyExData(key.Pass(), key_length));
|
| +
|
| + crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
|
| + if (!pkey || !EVP_PKEY_set1_RSA(pkey.get(), rsa.get()))
|
| + return nullptr;
|
| + return pkey.Pass();
|
| +}
|
| +
|
| +crypto::ScopedEVP_PKEY CreateECDSAWrapper(ScopedCERT_KEY_CONTEXT key,
|
| + DWORD key_length) {
|
| + crypto::ScopedEC_KEY ec_key(
|
| + EC_KEY_new_method(global_boringssl_engine.Get().engine()));
|
| + if (!ec_key)
|
| + return nullptr;
|
| +
|
| + EC_KEY_set_ex_data(ec_key.get(),
|
| + global_boringssl_engine.Get().ec_key_ex_index(),
|
| + new KeyExData(key.Pass(), key_length));
|
| +
|
| + crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
|
| + if (!pkey || !EVP_PKEY_set1_EC_KEY(pkey.get(), ec_key.get()))
|
| + return nullptr;
|
| +
|
| + return pkey.Pass();
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| crypto::ScopedEVP_PKEY FetchClientCertPrivateKey(
|
| const X509Certificate* certificate) {
|
| - // TODO(davidben): Implement on Windows.
|
| - NOTIMPLEMENTED();
|
| - return crypto::ScopedEVP_PKEY();
|
| + PCCERT_CONTEXT cert_context = certificate->os_cert_handle();
|
| +
|
| + HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov = 0;
|
| + DWORD key_spec = 0;
|
| + BOOL must_free = FALSE;
|
| + DWORD flags = 0;
|
| + if (base::win::GetVersion() >= base::win::VERSION_VISTA)
|
| + flags |= CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
|
| +
|
| + if (!CryptAcquireCertificatePrivateKey(cert_context, flags, nullptr,
|
| + &crypt_prov, &key_spec, &must_free)) {
|
| + PLOG(WARNING) << "Could not acquire private key";
|
| + return nullptr;
|
| + }
|
| +
|
| + // Should never get a cached handle back - ownership must always be
|
| + // transferred.
|
| + CHECK_EQ(must_free, TRUE);
|
| + ScopedCERT_KEY_CONTEXT key(new CERT_KEY_CONTEXT);
|
| + key->dwKeySpec = key_spec;
|
| + key->hCryptProv = crypt_prov;
|
| +
|
| + int key_type;
|
| + DWORD key_length;
|
| + if (!GetKeyInfo(key.get(), &key_type, &key_length))
|
| + return nullptr;
|
| +
|
| + switch (key_type) {
|
| + case EVP_PKEY_RSA:
|
| + return CreateRSAWrapper(key.Pass(), key_length);
|
| + case EVP_PKEY_EC:
|
| + return CreateECDSAWrapper(key.Pass(), key_length);
|
| + default:
|
| + return nullptr;
|
| + }
|
| }
|
|
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 761903003:
Update from https://crrev.com/306655 (Closed)
Base URL: git@github.com:domokit/mojo.git@master