Chromium Code Reviews Chromium Code Reviews
Issue 884073002:
Implement chrome.platformKeys.getKeyPair(). (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@cert_impl2| Index: chrome/browser/chromeos/platform_keys/platform_keys.h |
| diff --git a/chrome/browser/chromeos/platform_keys/platform_keys.h b/chrome/browser/chromeos/platform_keys/platform_keys.h |
| index 05d0deff4c727389132ad45e17c9884cda2e8e55..81cef3f2c70239e1f7b5127255b168fce8ff8ba6 100644 |
| --- a/chrome/browser/chromeos/platform_keys/platform_keys.h |
| +++ b/chrome/browser/chromeos/platform_keys/platform_keys.h |
| @@ -12,17 +12,13 @@ |
| #include "base/macros.h" |
| #include "base/memory/ref_counted.h" |
| #include "base/memory/scoped_ptr.h" |
| +#include "net/cert/x509_certificate.h" |
| #include "net/ssl/ssl_client_cert_type.h" |
| namespace content { |
| class BrowserContext; |
| } |
| -namespace net { |
| -class X509Certificate; |
| -typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
| -} |
| - |
| namespace chromeos { |
| namespace platform_keys { |
| @@ -38,12 +34,31 @@ extern const char kTokenIdSystem[]; |
| // Supported hash algorithms. |
| enum HashAlgorithm { |
| + HASH_ALGORITHM_NONE, // The value if no hash function is selected. |
| HASH_ALGORITHM_SHA1, |
| HASH_ALGORITHM_SHA256, |
| HASH_ALGORITHM_SHA384, |
| HASH_ALGORITHM_SHA512 |
| }; |
| +// Parameters to the SignRSA function. |
| +struct SignRSAParams { |
| + // The data that will be signed. |
| + std::string data; |
| + |
| + // Must be the DER encoding of a SubjectPublicKeyInfo. |
| + std::string public_key; |
| + |
| + // If true, |data| will not be hashed before signing. Only PKCS#1 v1.5 padding |
| + // will be applied before signing. |
| + // If false, |hash_algorithm| must be set to a value != NONE. |
| + bool sign_direct_pkcs_padded = false; |
|
Ryan Sleevi
2015/02/07 02:09:40
It feels like by moving this into a struct, you're
pneubeck (no reviews)
2015/02/08 10:52:00
The possibility of using this as default arguments
|
| + |
| + // Determines the hash algorithm that is used to digest |data| before signing. |
| + // Ignored if |sign_direct_pkcs_padded| is true. |
| + HashAlgorithm hash_algorithm = HASH_ALGORITHM_NONE; |
| +}; |
| + |
| struct ClientCertificateRequest { |
| ClientCertificateRequest(); |
| ~ClientCertificateRequest(); |
| @@ -57,6 +72,23 @@ struct ClientCertificateRequest { |
| std::vector<std::string> certificate_authorities; |
| }; |
| +// Holds details about a certificate's (subject) key, i.e. the X.509 Subject |
| +// Public Key Info (SPKI) of the certificate. |
| +// As this class supports only specific types of keys (currently only RSA), this |
| +// does not necessarily mirror the internal structure of a X.509 SPKI. |
| +struct SubjectPublicKeyInfo { |
| + SubjectPublicKeyInfo(); |
| + ~SubjectPublicKeyInfo(); |
| + |
| + std::string public_key_spki_der; |
| + net::X509Certificate::PublicKeyType key_type; |
| + |
| + // For RSA a public exponent of 65537 is assumed, so there is no member for |
| + // that. |
| + |
| + size_t key_size_bits = 0; |
| +}; |
|
Ryan Sleevi
2015/02/07 02:09:40
Ditto this. I don't really understand this structu
pneubeck (no reviews)
2015/02/08 10:52:00
I can only guess what you find problematic here.
A
Ryan Sleevi
2015/02/10 00:59:32
Sorry I wasn't clearer:
I don't understand why yo
|
| + |
| namespace subtle { |
| // Functions of this namespace shouldn't be called directly from the context of |
| // an extension. Instead use PlatformKeysService which enforces restrictions |
| @@ -77,19 +109,14 @@ void GenerateRSAKey(const std::string& token_id, |
| typedef base::Callback<void(const std::string& signature, |
| const std::string& error_message)> SignCallback; |
| -// Digests |data| with |hash_algorithm| and afterwards signs the digest with the |
| -// private key matching |public_key|, if that key is stored in the given token. |
| -// |token_id| is currently ignored, instead the user token associated with |
| -// |browser_context| is always used. |public_key| must be the DER encoding of a |
| -// SubjectPublicKeyInfo. |callback| will be invoked with the signature or an |
| -// error message. |
| -// Currently supports RSA keys only. |
| -void Sign(const std::string& token_id, |
| - const std::string& public_key, |
| - HashAlgorithm hash_algorithm, |
| - const std::string& data, |
| - const SignCallback& callback, |
| - content::BrowserContext* browser_context); |
| +// Optionally digests |data|, applies PKCS1 padding and afterwards signs the |
| +// data with the private key matching |params.public_key|. If a non empty token |
| +// id is provided and the key is not found in that token, the operation aborts. |
| +// |callback| will be invoked with the signature or an error message. |
| +void SignRSA(const std::string& token_id, |
| + scoped_ptr<SignRSAParams> params, |
| + const SignCallback& callback, |
| + content::BrowserContext* browser_context); |
| // If the certificate request could be processed successfully, |matches| will |
| // contain the list of matching certificates (which may be empty) and |
| @@ -107,6 +134,10 @@ void SelectClientCertificates(const ClientCertificateRequest& request, |
| } // namespace subtle |
| +// Fills |info| with information about the key certified by |certificate|. |
| +bool GetPublicKey(scoped_refptr<net::X509Certificate> certificate, |
| + SubjectPublicKeyInfo* info); |
| + |
| // If the list of certificates could be successfully retrieved, |certs| will |
| // contain the list of available certificates (maybe empty) and |error_message| |
| // will be empty. If an error occurred, |certs| will be empty and |
