Implement chrome.platformKeys.getKeyPair().

chrome/browser/chromeos/platform_keys/platform_keys_nss.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
 
+#include <cert.h>
 #include <cryptohi.h>
+#include <keyhi.h>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/compiler_specific.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/single_thread_task_runner.h"
+#include "base/stl_util.h"
 #include "base/thread_task_runner_handle.h"
 #include "base/threading/worker_pool.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_process_platform_part_chromeos.h"
 #include "chrome/browser/chromeos/net/client_cert_filter_chromeos.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api.h"
 #include "chrome/browser/net/nss_context.h"
 #include "chrome/browser/profiles/profile.h"
@@ skipping 391 matching lines @@
 // Does the actual signing on a worker thread. Used by RSASignWithDB().
 void RSASignOnWorkerThread(scoped_ptr<SignState> state) {
   const uint8* public_key_uint8 =
       reinterpret_cast<const uint8*>(state->public_key_.data());
   std::vector<uint8> public_key_vector(
       public_key_uint8, public_key_uint8 + state->public_key_.size());
 
   // TODO(pneubeck): This searches all slots. Change to look only at |slot_|.
   scoped_ptr<crypto::RSAPrivateKey> rsa_key(
       crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key_vector));
-  if (!rsa_key || rsa_key->key()->pkcs11Slot != state->slot_) {
+
+  // Fail if the key was not found. If a specific slot was requested, also fail
+  // if the key was found in the wrong slot.
+  if (!rsa_key ||
+      (state->slot_ && rsa_key->key()->pkcs11Slot != state->slot_)) {
     state->OnError(FROM_HERE, kErrorKeyNotFound);
     return;
   }
 
-  SECOidTag sign_alg_tag = SEC_OID_UNKNOWN;
-  switch (state->hash_algorithm_) {
-    case HASH_ALGORITHM_SHA1:
-      sign_alg_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
-      break;
-    case HASH_ALGORITHM_SHA256:
-      sign_alg_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
-      break;
-    case HASH_ALGORITHM_SHA384:
-      sign_alg_tag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
-      break;
-    case HASH_ALGORITHM_SHA512:
-      sign_alg_tag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
-      break;
+  std::vector<unsigned char> data_vec(state->data_.begin(), state->data_.end());
+  std::string signature_str;
+  if (state->hash_algorithm_ == HASH_ALGORITHM_NONE) {
+    SECItem input = {siBuffer, vector_as_array(&data_vec), data_vec.size()};
+
+    // Compute signature of hash.
+    int signature_len = PK11_SignatureLen(rsa_key->key());
+    if (signature_len <= 0) {
+      state->OnError(FROM_HERE, kErrorInternal);
+      return;
+    }
+
+    std::vector<unsigned char> signature(signature_len);
+    SECItem signature_output = {
+        siBuffer, vector_as_array(&signature), signature.size()};
+    if (PK11_Sign(rsa_key->key(), &signature_output, &input) == SECSuccess)
+      signature_str.assign(signature.begin(), signature.end());
+  } else {
+    SECOidTag sign_alg_tag = SEC_OID_UNKNOWN;
+    switch (state->hash_algorithm_) {
+      case HASH_ALGORITHM_SHA1:
+        sign_alg_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+        break;
+      case HASH_ALGORITHM_SHA256:
+        sign_alg_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+        break;
+      case HASH_ALGORITHM_SHA384:
+        sign_alg_tag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
+        break;
+      case HASH_ALGORITHM_SHA512:
+        sign_alg_tag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
+        break;
+      case HASH_ALGORITHM_NONE:
+        NOTREACHED();
+        break;
+    }
+
+    SECItem sign_result = {siBuffer, nullptr, 0};
+    if (SEC_SignData(&sign_result, vector_as_array(&data_vec), data_vec.size(),
+                     rsa_key->key(), sign_alg_tag) == SECSuccess) {
+      signature_str.assign(sign_result.data,
+                           sign_result.data + sign_result.len);
+    }
   }
 
-  crypto::ScopedSECItem sign_result(SECITEM_AllocItem(NULL, NULL, 0));
-  if (SEC_SignData(sign_result.get(),
-                   reinterpret_cast<const unsigned char*>(state->data_.data()),
-                   state->data_.size(),
-                   rsa_key->key(),
-                   sign_alg_tag) != SECSuccess) {
+  if (signature_str.empty()) {
     LOG(ERROR) << "Couldn't sign.";
     state->OnError(FROM_HERE, kErrorInternal);
     return;
   }
 
-  std::string signature(reinterpret_cast<const char*>(sign_result->data),
-                        sign_result->len);
-  state->CallBack(FROM_HERE, signature, std::string() /* no error */);
+  state->CallBack(FROM_HERE, signature_str, std::string() /* no error */);
 }
 
 // Continues signing with the obtained NSSCertDatabase. Used by Sign().
 void RSASignWithDB(scoped_ptr<SignState> state, net::NSSCertDatabase* cert_db) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   // Only the slot and not the NSSCertDatabase is required. Ignore |cert_db|.
   base::WorkerPool::PostTask(
       FROM_HERE,
       base::Bind(&RSASignOnWorkerThread, base::Passed(&state)),
       true /*task is slow*/);
@@ skipping 226 matching lines @@
   scoped_ptr<SelectCertificatesState> state(new SelectCertificatesState(
       user->username_hash(), use_system_key_slot, cert_request_info, callback));
 
   BrowserThread::PostTask(
       BrowserThread::IO, FROM_HERE,
       base::Bind(&SelectCertificatesOnIOThread, base::Passed(&state)));
 }
 
 }  // namespace subtle
 
+bool GetPublicKey(scoped_refptr<net::X509Certificate> certificate,
+                  PublicKeyInfo* info) {
+  crypto::ScopedSECKEYPublicKey public_key(
+      CERT_ExtractPublicKey(certificate->os_cert_handle()));
+  if (!public_key) {
+    LOG(WARNING) << "Could not extract public key of certificate.";
+    return false;
+  }
+  const crypto::ScopedSECItem spki_der(
+      SECKEY_EncodeDERSubjectPublicKeyInfo(public_key.get()));

[Ryan Sleevi, 2015/02/03 01:44:50]

Why this round trip?

why not just certificate->os_cert_handle()->derPublicKey ?

[pneubeck (no reviews), 2015/02/03 20:15:00]

didn't know about that. changed, although it's totally not obvious that this is
the subjectPublicKeyInfo and not the subjectPublicKey ?!

note that this function relates to the mail I wrote you a while ago.
namely, this could be shared with GetPublicKeyInfo in x509_util_nss/
X509Certificate.
Now with your pointer to derPublicKey, there is actually no modification of that
function required anymore to expose the SPKI and I can reuse it as is.

+  if (!spki_der) {
+    LOG(WARNING) << "Could not encode public key as SPKI.";
+    return false;
+  }
+
+  *info = PublicKeyInfo();
+  info->public_key_spki_der.assign(spki_der->data,
+                                   spki_der->data + spki_der->len);
+
+  if (public_key->keyType == rsaKey) {
+    info->key_type = net::X509Certificate::kPublicKeyTypeRSA;
+    info->modulus_length_bits =
+        SECKEY_PublicKeyStrengthInBits(public_key.get());
+    // TODO(pneubeck): Verify that the public exponent equals 65537.

[Ryan Sleevi, 2015/02/03 01:44:50]

Yes, please do :)

[pneubeck (no reviews), 2015/02/04 20:59:20]

Done.

+  }
+  return true;
+}
+
 void GetCertificates(const std::string& token_id,
                      const GetCertificatesCallback& callback,
                      BrowserContext* browser_context) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   scoped_ptr<GetCertificatesState> state(new GetCertificatesState(callback));
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
   GetCertDatabase(token_id,
                   base::Bind(&GetCertificatesWithDB, base::Passed(&state)),
                   browser_context,
@@ skipping 45 matching lines @@
   NSSOperationState* state_ptr = state.get();
   GetCertDatabase(std::string() /* don't get any specific slot */,
                   base::Bind(&GetTokensWithDB, base::Passed(&state)),
                   browser_context,
                   state_ptr);
 }
 
 }  // namespace platform_keys
 
 }  // namespace chromeos