Chromium Code Reviews Chromium Code Reviews
Issue 884073002:
Implement chrome.platformKeys.getKeyPair(). (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@cert_impl2| OLD | NEW |
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/extensions/api/platform_keys/platform_keys_api.h" | 5 #include "chrome/browser/extensions/api/platform_keys/platform_keys_api.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "base/values.h" | |
| 11 #include "chrome/browser/chromeos/platform_keys/platform_keys.h" | 12 #include "chrome/browser/chromeos/platform_keys/platform_keys.h" |
| 12 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h" | 13 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h" |
| 13 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h" | 14 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h" |
| 14 #include "chrome/common/extensions/api/platform_keys_internal.h" | 15 #include "chrome/common/extensions/api/platform_keys_internal.h" |
| 15 #include "content/public/browser/browser_thread.h" | 16 #include "content/public/browser/browser_thread.h" |
| 16 #include "net/cert/x509_certificate.h" | 17 #include "net/cert/x509_certificate.h" |
| 17 | 18 |
| 18 namespace extensions { | 19 namespace extensions { |
| 19 | 20 |
| 20 namespace api_pk = api::platform_keys; | 21 namespace api_pk = api::platform_keys; |
| 21 namespace api_pki = api::platform_keys_internal; | 22 namespace api_pki = api::platform_keys_internal; |
| 22 | 23 |
| 24 namespace { | |
| 25 | |
| 26 const char kErrorAlgorithmNotSupported[] = "Algorithm not supported."; | |
| 27 | |
| 28 // Builds a partial WebCrypto Algorithm object from the parameters available in | |
| 29 // |key_info|. This doesn't include sign/hash parameters and thus isn't | |
| 30 // complete. | |
| 31 // For RSA, the default public exponent 65537 is assumed. | |
| 32 void BuildWebCryptoAlgorithmDictionary( | |
| 33 const chromeos::platform_keys::PublicKeyInfo& key_info, | |
| 34 base::DictionaryValue* algorithm) { | |
| 35 algorithm->SetStringWithoutPathExpansion("name", "RSASSA-PKCS1-v1_5"); | |
| 36 algorithm->SetIntegerWithoutPathExpansion("modulusLength", | |
| 37 key_info.modulus_length_bits); | |
| 38 | |
| 39 // Equals 65537. | |
| 40 const char defaultPublicExponent[] = {0x01, 0x00, 0x01}; | |
| 41 algorithm->SetWithoutPathExpansion( | |
| 42 "publicExponent", | |
| 43 base::BinaryValue::CreateWithCopiedBuffer( | |
| 44 defaultPublicExponent, arraysize(defaultPublicExponent))); | |
| 45 } | |
| 46 | |
| 47 } // namespace | |
| 48 | |
| 23 namespace platform_keys { | 49 namespace platform_keys { |
| 24 | 50 |
| 25 const char kErrorInvalidToken[] = "The token is not valid."; | 51 const char kErrorInvalidToken[] = "The token is not valid."; |
| 26 const char kErrorAlgorithmNotSupported[] = "Algorithm not supported."; | |
| 27 const char kTokenIdUser[] = "user"; | 52 const char kTokenIdUser[] = "user"; |
| 28 const char kTokenIdSystem[] = "system"; | 53 const char kTokenIdSystem[] = "system"; |
| 29 | 54 |
| 30 // Returns whether |token_id| references a known Token. | 55 // Returns whether |token_id| references a known Token. |
| 31 bool ValidateToken(const std::string& token_id, | 56 bool ValidateToken(const std::string& token_id, |
| 32 std::string* platform_keys_token_id) { | 57 std::string* platform_keys_token_id) { |
| 33 platform_keys_token_id->clear(); | 58 platform_keys_token_id->clear(); |
| 34 if (token_id == kTokenIdUser) { | 59 if (token_id == kTokenIdUser) { |
| 35 *platform_keys_token_id = chromeos::platform_keys::kTokenIdUser; | 60 *platform_keys_token_id = chromeos::platform_keys::kTokenIdUser; |
| 36 return true; | 61 return true; |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 47 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdUser) | 72 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdUser) |
| 48 return kTokenIdUser; | 73 return kTokenIdUser; |
| 49 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdSystem) | 74 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdSystem) |
| 50 return kTokenIdSystem; | 75 return kTokenIdSystem; |
| 51 | 76 |
| 52 return std::string(); | 77 return std::string(); |
| 53 } | 78 } |
| 54 | 79 |
| 55 } // namespace platform_keys | 80 } // namespace platform_keys |
| 56 | 81 |
| 82 PlatformKeysInternalGetPublicKeyFunction:: | |
| 83 ~PlatformKeysInternalGetPublicKeyFunction() { | |
| 84 } | |
| 85 | |
| 86 ExtensionFunction::ResponseAction | |
| 87 PlatformKeysInternalGetPublicKeyFunction::Run() { | |
| 88 scoped_ptr<api_pki::GetPublicKey::Params> params( | |
| 89 api_pki::GetPublicKey::Params::Create(*args_)); | |
| 90 EXTENSION_FUNCTION_VALIDATE(params); | |
| 91 | |
| 92 const std::vector<char>& cert_der = params->certificate; | |
| 93 scoped_refptr<net::X509Certificate> cert_x509 = | |
| 94 net::X509Certificate::CreateFromBytes(vector_as_array(&cert_der), | |
| 95 cert_der.size()); | |
|
Ryan Sleevi
2015/02/03 01:44:50
SECURITY BUG: Validate that |cert_x509| is valid h
pneubeck (no reviews)
2015/02/03 20:15:00
Done.
| |
| 96 | |
| 97 chromeos::platform_keys::PublicKeyInfo info; | |
| 98 if (!chromeos::platform_keys::GetPublicKey(cert_x509, &info) || | |
| 99 info.key_type != net::X509Certificate::kPublicKeyTypeRSA) { | |
| 100 return RespondNow(Error(kErrorAlgorithmNotSupported)); | |
| 101 } | |
| 102 | |
| 103 api_pki::GetPublicKey::Results::Algorithm algorithm; | |
| 104 BuildWebCryptoAlgorithmDictionary(info, &algorithm.additional_properties); | |
| 105 | |
| 106 return RespondNow(ArgumentList(api_pki::GetPublicKey::Results::Create( | |
| 107 info.public_key_spki_der, algorithm))); | |
| 108 } | |
| 109 | |
| 57 PlatformKeysInternalSelectClientCertificatesFunction:: | 110 PlatformKeysInternalSelectClientCertificatesFunction:: |
| 58 ~PlatformKeysInternalSelectClientCertificatesFunction() { | 111 ~PlatformKeysInternalSelectClientCertificatesFunction() { |
| 59 } | 112 } |
| 60 | 113 |
| 61 ExtensionFunction::ResponseAction | 114 ExtensionFunction::ResponseAction |
| 62 PlatformKeysInternalSelectClientCertificatesFunction::Run() { | 115 PlatformKeysInternalSelectClientCertificatesFunction::Run() { |
| 63 scoped_ptr<api_pki::SelectClientCertificates::Params> params( | 116 scoped_ptr<api_pki::SelectClientCertificates::Params> params( |
| 64 api_pki::SelectClientCertificates::Params::Create(*args_)); | 117 api_pki::SelectClientCertificates::Params::Create(*args_)); |
| 65 EXTENSION_FUNCTION_VALIDATE(params); | 118 EXTENSION_FUNCTION_VALIDATE(params); |
| 66 | 119 |
| (...skipping 21 matching lines...) Expand all Loading... | |
| 88 OnSelectedCertificates(scoped_ptr<net::CertificateList> matches, | 141 OnSelectedCertificates(scoped_ptr<net::CertificateList> matches, |
| 89 const std::string& error_message) { | 142 const std::string& error_message) { |
| 90 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); | 143 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); |
| 91 if (!error_message.empty()) { | 144 if (!error_message.empty()) { |
| 92 Respond(Error(error_message)); | 145 Respond(Error(error_message)); |
| 93 return; | 146 return; |
| 94 } | 147 } |
| 95 DCHECK(matches); | 148 DCHECK(matches); |
| 96 std::vector<linked_ptr<api_pk::Match>> result_matches; | 149 std::vector<linked_ptr<api_pk::Match>> result_matches; |
| 97 for (const scoped_refptr<net::X509Certificate>& match : *matches) { | 150 for (const scoped_refptr<net::X509Certificate>& match : *matches) { |
| 151 chromeos::platform_keys::PublicKeyInfo key_info; | |
| 152 if (!chromeos::platform_keys::GetPublicKey(match, &key_info)) { | |
| 153 LOG(ERROR) << "Could not retrieve public key info."; | |
| 154 continue; | |
| 155 } | |
| 156 if (key_info.key_type != net::X509Certificate::kPublicKeyTypeRSA) { | |
| 157 LOG(ERROR) << "Skipping unsupported certificate with non-RSA key."; | |
| 158 continue; | |
| 159 } | |
| 160 | |
| 98 linked_ptr<api_pk::Match> result_match(new api_pk::Match); | 161 linked_ptr<api_pk::Match> result_match(new api_pk::Match); |
| 99 std::string der_encoded_cert; | 162 std::string der_encoded_cert; |
| 100 net::X509Certificate::GetDEREncoded(match->os_cert_handle(), | 163 net::X509Certificate::GetDEREncoded(match->os_cert_handle(), |
| 101 &der_encoded_cert); | 164 &der_encoded_cert); |
| 102 result_match->certificate.assign(der_encoded_cert.begin(), | 165 result_match->certificate.assign(der_encoded_cert.begin(), |
| 103 der_encoded_cert.end()); | 166 der_encoded_cert.end()); |
| 167 | |
| 168 BuildWebCryptoAlgorithmDictionary( | |
| 169 key_info, &result_match->key_algorithm.additional_properties); | |
| 104 result_matches.push_back(result_match); | 170 result_matches.push_back(result_match); |
| 105 } | 171 } |
| 106 Respond(ArgumentList( | 172 Respond(ArgumentList( |
| 107 api_pki::SelectClientCertificates::Results::Create(result_matches))); | 173 api_pki::SelectClientCertificates::Results::Create(result_matches))); |
| 108 } | 174 } |
| 109 | 175 |
| 110 PlatformKeysInternalSignFunction::~PlatformKeysInternalSignFunction() { | 176 PlatformKeysInternalSignFunction::~PlatformKeysInternalSignFunction() { |
| 111 } | 177 } |
| 112 | 178 |
| 113 ExtensionFunction::ResponseAction PlatformKeysInternalSignFunction::Run() { | 179 ExtensionFunction::ResponseAction PlatformKeysInternalSignFunction::Run() { |
| 114 scoped_ptr<api_pki::Sign::Params> params( | 180 scoped_ptr<api_pki::Sign::Params> params( |
| 115 api_pki::Sign::Params::Create(*args_)); | 181 api_pki::Sign::Params::Create(*args_)); |
| 116 EXTENSION_FUNCTION_VALIDATE(params); | 182 EXTENSION_FUNCTION_VALIDATE(params); |
| 117 std::string platform_keys_token_id; | 183 std::string platform_keys_token_id; |
| 118 if (!platform_keys::ValidateToken(params->token_id, &platform_keys_token_id)) | 184 if (!params->token_id.empty() && |
| 185 !platform_keys::ValidateToken(params->token_id, | |
| 186 &platform_keys_token_id)) { | |
| 119 return RespondNow(Error(platform_keys::kErrorInvalidToken)); | 187 return RespondNow(Error(platform_keys::kErrorInvalidToken)); |
| 188 } | |
| 120 | 189 |
| 121 chromeos::platform_keys::HashAlgorithm hash_algorithm; | 190 chromeos::platform_keys::HashAlgorithm hash_algorithm; |
| 122 if (params->hash_algorithm_name == "SHA-1") | 191 if (params->hash_algorithm_name == "none") |
| 192 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_NONE; | |
| 193 else if (params->hash_algorithm_name == "SHA-1") | |
| 123 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA1; | 194 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA1; |
| 124 else if (params->hash_algorithm_name == "SHA-256") | 195 else if (params->hash_algorithm_name == "SHA-256") |
| 125 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA256; | 196 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA256; |
| 126 else if (params->hash_algorithm_name == "SHA-384") | 197 else if (params->hash_algorithm_name == "SHA-384") |
| 127 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA384; | 198 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA384; |
| 128 else if (params->hash_algorithm_name == "SHA-512") | 199 else if (params->hash_algorithm_name == "SHA-512") |
| 129 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA512; | 200 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA512; |
| 130 else | 201 else |
| 131 return RespondNow(Error(platform_keys::kErrorAlgorithmNotSupported)); | 202 return RespondNow(Error(kErrorAlgorithmNotSupported)); |
| 132 | 203 |
| 133 chromeos::PlatformKeysService* service = | 204 chromeos::PlatformKeysService* service = |
| 134 chromeos::PlatformKeysServiceFactory::GetForBrowserContext( | 205 chromeos::PlatformKeysServiceFactory::GetForBrowserContext( |
| 135 browser_context()); | 206 browser_context()); |
| 136 DCHECK(service); | 207 DCHECK(service); |
| 137 | 208 |
| 138 service->Sign( | 209 service->Sign( |
| 139 platform_keys_token_id, | 210 platform_keys_token_id, |
| 140 std::string(params->public_key.begin(), params->public_key.end()), | 211 std::string(params->public_key.begin(), params->public_key.end()), |
| 141 hash_algorithm, std::string(params->data.begin(), params->data.end()), | 212 hash_algorithm, std::string(params->data.begin(), params->data.end()), |
| 142 extension_id(), | 213 extension_id(), |
| 143 base::Bind(&PlatformKeysInternalSignFunction::OnSigned, this)); | 214 base::Bind(&PlatformKeysInternalSignFunction::OnSigned, this)); |
| 144 return RespondLater(); | 215 return RespondLater(); |
| 145 } | 216 } |
| 146 | 217 |
| 147 void PlatformKeysInternalSignFunction::OnSigned( | 218 void PlatformKeysInternalSignFunction::OnSigned( |
| 148 const std::string& signature, | 219 const std::string& signature, |
| 149 const std::string& error_message) { | 220 const std::string& error_message) { |
| 150 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); | 221 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); |
| 151 if (error_message.empty()) | 222 if (error_message.empty()) |
| 152 Respond(ArgumentList(api_pki::Sign::Results::Create( | 223 Respond(ArgumentList(api_pki::Sign::Results::Create( |
| 153 std::vector<char>(signature.begin(), signature.end())))); | 224 std::vector<char>(signature.begin(), signature.end())))); |
| 154 else | 225 else |
| 155 Respond(Error(error_message)); | 226 Respond(Error(error_message)); |
| 156 } | 227 } |
| 157 | 228 |
| 158 } // namespace extensions | 229 } // namespace extensions |
| OLD | NEW |
