Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(23)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/child/webcrypto/openssl/ec_algorithm_openssl.cc

Issue 835633002: Change the WebCrypto behavior when importing EC private keys without a public key. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@add_private_tests
Patch Set: Created 5 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | content/child/webcrypto/test/ecdsa_unittest.cc » ('j') | content/test/data/webcrypto/ec_private_keys.json » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/child/webcrypto/openssl/ec_algorithm_openssl.h" 5 #include "content/child/webcrypto/openssl/ec_algorithm_openssl.h"
6 6
7 #include <openssl/ec.h> 7 #include <openssl/ec.h>
8 #include <openssl/ec_key.h> 8 #include <openssl/ec_key.h>
9 #include <openssl/evp.h> 9 #include <openssl/evp.h>
10 #include <openssl/pkcs12.h> 10 #include <openssl/pkcs12.h>
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after
98 if (kJwkCrvMappings[i].named_curve == named_curve) { 98 if (kJwkCrvMappings[i].named_curve == named_curve) {
99 *jwk_crv = kJwkCrvMappings[i].jwk_curve; 99 *jwk_crv = kJwkCrvMappings[i].jwk_curve;
100 return Status::Success(); 100 return Status::Success();
101 } 101 }
102 } 102 }
103 return Status::ErrorUnexpected(); 103 return Status::ErrorUnexpected();
104 } 104 }
105 105
106 // Verifies that an EC key imported from PKCS8 or SPKI format is correct. 106 // Verifies that an EC key imported from PKCS8 or SPKI format is correct.
107 // This involves verifying the key validity, and the NID for the named curve. 107 // This involves verifying the key validity, and the NID for the named curve.
108 // Also removes the EC_PKEY_NO_PUBKEY flag if present.
108 Status VerifyEcKeyAfterSpkiOrPkcs8Import( 109 Status VerifyEcKeyAfterSpkiOrPkcs8Import(
109 EVP_PKEY* pkey, 110 EVP_PKEY* pkey,
110 blink::WebCryptoNamedCurve expected_named_curve) { 111 blink::WebCryptoNamedCurve expected_named_curve) {
111 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); 112 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
112 113
113 crypto::ScopedEC_KEY ec(EVP_PKEY_get1_EC_KEY(pkey)); 114 crypto::ScopedEC_KEY ec(EVP_PKEY_get1_EC_KEY(pkey));
114 if (!ec.get()) 115 if (!ec.get())
115 return Status::ErrorUnexpected(); 116 return Status::ErrorUnexpected();
116 117
117 // TODO(eroman): Is this necessary? From my tests it seems that BoringSSL 118 // When importing an ECPrivateKey, the public key is optional. If it was
118 // already does these checks when setting the public key's affine coordinates. 119 // omitted then the public key will be calculated by BoringSSL and added into
119 if (!EC_KEY_check_key(ec.get())) 120 // the EC_KEY. However an encoding flag is set such that when exporting to
eroman 2015/01/06 20:16:13 Hmm, this removal was unintentional from having sp
120 return Status::ErrorEcKeyInvalid(); 121 // PKCS8 format the public key is once again omitted.
122 unsigned int enc_flags = EC_KEY_get_enc_flags(ec.get());
123 if (enc_flags & EC_PKEY_NO_PUBKEY) {
124 // Remove the flag which prevents the publicKey from being written during
125 // PKCS8 export.
126 enc_flags &= ~EC_PKEY_NO_PUBKEY;
127 EC_KEY_set_enc_flags(ec.get(), enc_flags);
Ryan Sleevi 2015/01/02 22:45:23 davidben should review this
128 }
121 129
122 // Make sure the curve matches the expected curve name. 130 // Make sure the curve matches the expected curve name.
123 int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec.get())); 131 int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec.get()));
124 blink::WebCryptoNamedCurve named_curve = blink::WebCryptoNamedCurveP256; 132 blink::WebCryptoNamedCurve named_curve = blink::WebCryptoNamedCurveP256;
125 Status status = NidToWebCryptoCurve(curve_nid, &named_curve); 133 Status status = NidToWebCryptoCurve(curve_nid, &named_curve);
126 if (status.IsError()) 134 if (status.IsError())
127 return status; 135 return status;
128 136
129 if (named_curve != expected_named_curve) 137 if (named_curve != expected_named_curve)
130 return Status::ErrorImportedEcKeyIncorrectCurve(); 138 return Status::ErrorImportedEcKeyIncorrectCurve();
(...skipping 420 matching lines...) Expand 10 before | Expand all | Expand 10 after
551 key->algorithm().ecParams()->namedCurve()) { 559 key->algorithm().ecParams()->namedCurve()) {
552 return Status::ErrorUnexpected(); 560 return Status::ErrorUnexpected();
553 } 561 }
554 562
555 return Status::Success(); 563 return Status::Success();
556 } 564 }
557 565
558 } // namespace webcrypto 566 } // namespace webcrypto
559 567
560 } // namespace content 568 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | content/child/webcrypto/test/ecdsa_unittest.cc » ('j') | content/test/data/webcrypto/ec_private_keys.json » ('J')

Powered by Google App Engine
This is Rietveld 408576698