OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/extensions/api/platform_keys/platform_keys_api.h" | 5 #include "chrome/browser/extensions/api/platform_keys/platform_keys_api.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/bind.h" | 9 #include "base/bind.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
11 #include "base/values.h" | |
11 #include "chrome/browser/chromeos/platform_keys/platform_keys.h" | 12 #include "chrome/browser/chromeos/platform_keys/platform_keys.h" |
12 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h" | 13 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h" |
13 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h" | 14 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h" |
14 #include "chrome/common/extensions/api/platform_keys_internal.h" | 15 #include "chrome/common/extensions/api/platform_keys_internal.h" |
15 #include "content/public/browser/browser_thread.h" | 16 #include "content/public/browser/browser_thread.h" |
16 #include "net/cert/x509_certificate.h" | 17 #include "net/cert/x509_certificate.h" |
17 | 18 |
18 namespace extensions { | 19 namespace extensions { |
19 | 20 |
20 namespace api_pk = api::platform_keys; | 21 namespace api_pk = api::platform_keys; |
21 namespace api_pki = api::platform_keys_internal; | 22 namespace api_pki = api::platform_keys_internal; |
22 | 23 |
24 namespace { | |
25 | |
26 const char kErrorAlgorithmNotSupported[] = "Algorithm not supported."; | |
27 const char kErrorInvalidX509Cert[] = | |
28 "Certificate is not a valid X.509 certificate."; | |
29 | |
30 // Builds a partial WebCrypto Algorithm object from the parameters available in | |
31 // |key_info|, which must the info of a RSA key. This doesn't include sign/hash | |
32 // parameters and thus isn't complete. | |
33 // The default public exponent 65537 is assumed. | |
Ryan Sleevi
2015/02/07 02:09:41
This comment needs updating, doesn't it? You no lo
pneubeck (no reviews)
2015/02/08 10:52:00
Maybe my english understanding is flawed here. Pro
| |
34 void BuildWebCryptoRSAAlgorithmDictionary( | |
35 const chromeos::platform_keys::SubjectPublicKeyInfo& key_info, | |
36 base::DictionaryValue* algorithm) { | |
37 CHECK_EQ(net::X509Certificate::kPublicKeyTypeRSA, key_info.key_type); | |
38 algorithm->SetStringWithoutPathExpansion("name", "RSASSA-PKCS1-v1_5"); | |
39 algorithm->SetIntegerWithoutPathExpansion("modulusLength", | |
40 key_info.key_size_bits); | |
41 | |
42 // Equals 65537. | |
43 const char defaultPublicExponent[] = {0x01, 0x00, 0x01}; | |
44 algorithm->SetWithoutPathExpansion( | |
45 "publicExponent", | |
46 base::BinaryValue::CreateWithCopiedBuffer( | |
47 defaultPublicExponent, arraysize(defaultPublicExponent))); | |
48 } | |
49 | |
50 } // namespace | |
51 | |
23 namespace platform_keys { | 52 namespace platform_keys { |
24 | 53 |
25 const char kErrorInvalidToken[] = "The token is not valid."; | 54 const char kErrorInvalidToken[] = "The token is not valid."; |
26 const char kErrorAlgorithmNotSupported[] = "Algorithm not supported."; | |
27 const char kTokenIdUser[] = "user"; | 55 const char kTokenIdUser[] = "user"; |
28 const char kTokenIdSystem[] = "system"; | 56 const char kTokenIdSystem[] = "system"; |
29 | 57 |
30 // Returns whether |token_id| references a known Token. | 58 // Returns whether |token_id| references a known Token. |
31 bool ValidateToken(const std::string& token_id, | 59 bool ValidateToken(const std::string& token_id, |
32 std::string* platform_keys_token_id) { | 60 std::string* platform_keys_token_id) { |
33 platform_keys_token_id->clear(); | 61 platform_keys_token_id->clear(); |
34 if (token_id == kTokenIdUser) { | 62 if (token_id == kTokenIdUser) { |
35 *platform_keys_token_id = chromeos::platform_keys::kTokenIdUser; | 63 *platform_keys_token_id = chromeos::platform_keys::kTokenIdUser; |
36 return true; | 64 return true; |
(...skipping 10 matching lines...) Expand all Loading... | |
47 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdUser) | 75 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdUser) |
48 return kTokenIdUser; | 76 return kTokenIdUser; |
49 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdSystem) | 77 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdSystem) |
50 return kTokenIdSystem; | 78 return kTokenIdSystem; |
51 | 79 |
52 return std::string(); | 80 return std::string(); |
53 } | 81 } |
54 | 82 |
55 } // namespace platform_keys | 83 } // namespace platform_keys |
56 | 84 |
85 PlatformKeysInternalGetPublicKeyFunction:: | |
86 ~PlatformKeysInternalGetPublicKeyFunction() { | |
87 } | |
88 | |
89 ExtensionFunction::ResponseAction | |
90 PlatformKeysInternalGetPublicKeyFunction::Run() { | |
91 scoped_ptr<api_pki::GetPublicKey::Params> params( | |
92 api_pki::GetPublicKey::Params::Create(*args_)); | |
93 EXTENSION_FUNCTION_VALIDATE(params); | |
94 | |
95 const std::vector<char>& cert_der = params->certificate; | |
96 scoped_refptr<net::X509Certificate> cert_x509 = | |
97 net::X509Certificate::CreateFromBytes(vector_as_array(&cert_der), | |
98 cert_der.size()); | |
99 if (!cert_x509) | |
100 return RespondNow(Error(kErrorInvalidX509Cert)); | |
101 | |
102 chromeos::platform_keys::SubjectPublicKeyInfo info; | |
103 if (!chromeos::platform_keys::GetPublicKey(cert_x509, &info) || | |
104 info.key_type != net::X509Certificate::kPublicKeyTypeRSA) { | |
105 return RespondNow(Error(kErrorAlgorithmNotSupported)); | |
106 } | |
107 | |
108 api_pki::GetPublicKey::Results::Algorithm algorithm; | |
109 BuildWebCryptoRSAAlgorithmDictionary(info, &algorithm.additional_properties); | |
110 | |
111 return RespondNow(ArgumentList(api_pki::GetPublicKey::Results::Create( | |
112 std::vector<char>(info.public_key_spki_der.begin(), | |
113 info.public_key_spki_der.end()), | |
114 algorithm))); | |
115 } | |
116 | |
57 PlatformKeysInternalSelectClientCertificatesFunction:: | 117 PlatformKeysInternalSelectClientCertificatesFunction:: |
58 ~PlatformKeysInternalSelectClientCertificatesFunction() { | 118 ~PlatformKeysInternalSelectClientCertificatesFunction() { |
59 } | 119 } |
60 | 120 |
61 ExtensionFunction::ResponseAction | 121 ExtensionFunction::ResponseAction |
62 PlatformKeysInternalSelectClientCertificatesFunction::Run() { | 122 PlatformKeysInternalSelectClientCertificatesFunction::Run() { |
63 scoped_ptr<api_pki::SelectClientCertificates::Params> params( | 123 scoped_ptr<api_pki::SelectClientCertificates::Params> params( |
64 api_pki::SelectClientCertificates::Params::Create(*args_)); | 124 api_pki::SelectClientCertificates::Params::Create(*args_)); |
65 EXTENSION_FUNCTION_VALIDATE(params); | 125 EXTENSION_FUNCTION_VALIDATE(params); |
66 | 126 |
(...skipping 21 matching lines...) Expand all Loading... | |
88 OnSelectedCertificates(scoped_ptr<net::CertificateList> matches, | 148 OnSelectedCertificates(scoped_ptr<net::CertificateList> matches, |
89 const std::string& error_message) { | 149 const std::string& error_message) { |
90 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); | 150 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); |
91 if (!error_message.empty()) { | 151 if (!error_message.empty()) { |
92 Respond(Error(error_message)); | 152 Respond(Error(error_message)); |
93 return; | 153 return; |
94 } | 154 } |
95 DCHECK(matches); | 155 DCHECK(matches); |
96 std::vector<linked_ptr<api_pk::Match>> result_matches; | 156 std::vector<linked_ptr<api_pk::Match>> result_matches; |
97 for (const scoped_refptr<net::X509Certificate>& match : *matches) { | 157 for (const scoped_refptr<net::X509Certificate>& match : *matches) { |
158 chromeos::platform_keys::SubjectPublicKeyInfo key_info; | |
159 if (!chromeos::platform_keys::GetPublicKey(match, &key_info)) { | |
160 LOG(ERROR) << "Could not retrieve public key info."; | |
161 continue; | |
162 } | |
163 if (key_info.key_type != net::X509Certificate::kPublicKeyTypeRSA) { | |
164 LOG(ERROR) << "Skipping unsupported certificate with non-RSA key."; | |
165 continue; | |
166 } | |
167 | |
98 linked_ptr<api_pk::Match> result_match(new api_pk::Match); | 168 linked_ptr<api_pk::Match> result_match(new api_pk::Match); |
99 std::string der_encoded_cert; | 169 std::string der_encoded_cert; |
100 net::X509Certificate::GetDEREncoded(match->os_cert_handle(), | 170 net::X509Certificate::GetDEREncoded(match->os_cert_handle(), |
101 &der_encoded_cert); | 171 &der_encoded_cert); |
102 result_match->certificate.assign(der_encoded_cert.begin(), | 172 result_match->certificate.assign(der_encoded_cert.begin(), |
103 der_encoded_cert.end()); | 173 der_encoded_cert.end()); |
174 | |
175 BuildWebCryptoRSAAlgorithmDictionary( | |
176 key_info, &result_match->key_algorithm.additional_properties); | |
104 result_matches.push_back(result_match); | 177 result_matches.push_back(result_match); |
105 } | 178 } |
106 Respond(ArgumentList( | 179 Respond(ArgumentList( |
107 api_pki::SelectClientCertificates::Results::Create(result_matches))); | 180 api_pki::SelectClientCertificates::Results::Create(result_matches))); |
108 } | 181 } |
109 | 182 |
110 PlatformKeysInternalSignFunction::~PlatformKeysInternalSignFunction() { | 183 PlatformKeysInternalSignFunction::~PlatformKeysInternalSignFunction() { |
111 } | 184 } |
112 | 185 |
113 ExtensionFunction::ResponseAction PlatformKeysInternalSignFunction::Run() { | 186 ExtensionFunction::ResponseAction PlatformKeysInternalSignFunction::Run() { |
114 scoped_ptr<api_pki::Sign::Params> params( | 187 scoped_ptr<api_pki::Sign::Params> params( |
115 api_pki::Sign::Params::Create(*args_)); | 188 api_pki::Sign::Params::Create(*args_)); |
116 EXTENSION_FUNCTION_VALIDATE(params); | 189 EXTENSION_FUNCTION_VALIDATE(params); |
117 std::string platform_keys_token_id; | 190 std::string platform_keys_token_id; |
118 if (!platform_keys::ValidateToken(params->token_id, &platform_keys_token_id)) | 191 if (!params->token_id.empty() && |
192 !platform_keys::ValidateToken(params->token_id, | |
193 &platform_keys_token_id)) { | |
119 return RespondNow(Error(platform_keys::kErrorInvalidToken)); | 194 return RespondNow(Error(platform_keys::kErrorInvalidToken)); |
195 } | |
120 | 196 |
121 chromeos::platform_keys::HashAlgorithm hash_algorithm; | 197 scoped_ptr<chromeos::platform_keys::SignRSAParams> sign_params( |
122 if (params->hash_algorithm_name == "SHA-1") | 198 new chromeos::platform_keys::SignRSAParams); |
199 | |
200 chromeos::platform_keys::HashAlgorithm& hash_algorithm = | |
201 sign_params->hash_algorithm; | |
202 if (params->hash_algorithm_name == "none") { | |
203 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_NONE; | |
204 sign_params->sign_direct_pkcs_padded = true; | |
205 } else if (params->hash_algorithm_name == "SHA-1") { | |
123 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA1; | 206 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA1; |
124 else if (params->hash_algorithm_name == "SHA-256") | 207 } else if (params->hash_algorithm_name == "SHA-256") { |
125 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA256; | 208 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA256; |
126 else if (params->hash_algorithm_name == "SHA-384") | 209 } else if (params->hash_algorithm_name == "SHA-384") { |
127 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA384; | 210 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA384; |
128 else if (params->hash_algorithm_name == "SHA-512") | 211 } else if (params->hash_algorithm_name == "SHA-512") { |
129 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA512; | 212 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA512; |
130 else | 213 } else { |
131 return RespondNow(Error(platform_keys::kErrorAlgorithmNotSupported)); | 214 return RespondNow(Error(kErrorAlgorithmNotSupported)); |
215 } | |
216 | |
217 sign_params->data.assign(params->data.begin(), params->data.end()); | |
218 sign_params->public_key.assign(params->public_key.begin(), | |
219 params->public_key.end()); | |
132 | 220 |
133 chromeos::PlatformKeysService* service = | 221 chromeos::PlatformKeysService* service = |
134 chromeos::PlatformKeysServiceFactory::GetForBrowserContext( | 222 chromeos::PlatformKeysServiceFactory::GetForBrowserContext( |
135 browser_context()); | 223 browser_context()); |
136 DCHECK(service); | 224 DCHECK(service); |
137 | 225 |
138 service->Sign( | 226 service->SignRSA( |
139 platform_keys_token_id, | 227 platform_keys_token_id, sign_params.Pass(), extension_id(), |
140 std::string(params->public_key.begin(), params->public_key.end()), | |
141 hash_algorithm, std::string(params->data.begin(), params->data.end()), | |
142 extension_id(), | |
143 base::Bind(&PlatformKeysInternalSignFunction::OnSigned, this)); | 228 base::Bind(&PlatformKeysInternalSignFunction::OnSigned, this)); |
144 return RespondLater(); | 229 return RespondLater(); |
145 } | 230 } |
146 | 231 |
147 void PlatformKeysInternalSignFunction::OnSigned( | 232 void PlatformKeysInternalSignFunction::OnSigned( |
148 const std::string& signature, | 233 const std::string& signature, |
149 const std::string& error_message) { | 234 const std::string& error_message) { |
150 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); | 235 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); |
151 if (error_message.empty()) | 236 if (error_message.empty()) |
152 Respond(ArgumentList(api_pki::Sign::Results::Create( | 237 Respond(ArgumentList(api_pki::Sign::Results::Create( |
153 std::vector<char>(signature.begin(), signature.end())))); | 238 std::vector<char>(signature.begin(), signature.end())))); |
154 else | 239 else |
155 Respond(Error(error_message)); | 240 Respond(Error(error_message)); |
156 } | 241 } |
157 | 242 |
158 } // namespace extensions | 243 } // namespace extensions |
OLD | NEW |