Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(870)

Unified Diff: chrome/browser/chromeos/platform_keys/platform_keys.h

Issue 884073002: Implement chrome.platformKeys.getKeyPair(). (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert_impl2
Patch Set: Bundled Sign() arguments into a struct. Renamed to SignRSA. Created 5 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: chrome/browser/chromeos/platform_keys/platform_keys.h
diff --git a/chrome/browser/chromeos/platform_keys/platform_keys.h b/chrome/browser/chromeos/platform_keys/platform_keys.h
index 05d0deff4c727389132ad45e17c9884cda2e8e55..81cef3f2c70239e1f7b5127255b168fce8ff8ba6 100644
--- a/chrome/browser/chromeos/platform_keys/platform_keys.h
+++ b/chrome/browser/chromeos/platform_keys/platform_keys.h
@@ -12,17 +12,13 @@
#include "base/macros.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
+#include "net/cert/x509_certificate.h"
#include "net/ssl/ssl_client_cert_type.h"
namespace content {
class BrowserContext;
}
-namespace net {
-class X509Certificate;
-typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
-}
-
namespace chromeos {
namespace platform_keys {
@@ -38,12 +34,31 @@ extern const char kTokenIdSystem[];
// Supported hash algorithms.
enum HashAlgorithm {
+ HASH_ALGORITHM_NONE, // The value if no hash function is selected.
HASH_ALGORITHM_SHA1,
HASH_ALGORITHM_SHA256,
HASH_ALGORITHM_SHA384,
HASH_ALGORITHM_SHA512
};
+// Parameters to the SignRSA function.
+struct SignRSAParams {
+ // The data that will be signed.
+ std::string data;
+
+ // Must be the DER encoding of a SubjectPublicKeyInfo.
+ std::string public_key;
+
+ // If true, |data| will not be hashed before signing. Only PKCS#1 v1.5 padding
+ // will be applied before signing.
+ // If false, |hash_algorithm| must be set to a value != NONE.
+ bool sign_direct_pkcs_padded = false;
Ryan Sleevi 2015/02/07 02:09:40 It feels like by moving this into a struct, you're
pneubeck (no reviews) 2015/02/08 10:52:00 The possibility of using this as default arguments
+
+ // Determines the hash algorithm that is used to digest |data| before signing.
+ // Ignored if |sign_direct_pkcs_padded| is true.
+ HashAlgorithm hash_algorithm = HASH_ALGORITHM_NONE;
+};
+
struct ClientCertificateRequest {
ClientCertificateRequest();
~ClientCertificateRequest();
@@ -57,6 +72,23 @@ struct ClientCertificateRequest {
std::vector<std::string> certificate_authorities;
};
+// Holds details about a certificate's (subject) key, i.e. the X.509 Subject
+// Public Key Info (SPKI) of the certificate.
+// As this class supports only specific types of keys (currently only RSA), this
+// does not necessarily mirror the internal structure of a X.509 SPKI.
+struct SubjectPublicKeyInfo {
+ SubjectPublicKeyInfo();
+ ~SubjectPublicKeyInfo();
+
+ std::string public_key_spki_der;
+ net::X509Certificate::PublicKeyType key_type;
+
+ // For RSA a public exponent of 65537 is assumed, so there is no member for
+ // that.
+
+ size_t key_size_bits = 0;
+};
Ryan Sleevi 2015/02/07 02:09:40 Ditto this. I don't really understand this structu
pneubeck (no reviews) 2015/02/08 10:52:00 I can only guess what you find problematic here. A
Ryan Sleevi 2015/02/10 00:59:32 Sorry I wasn't clearer: I don't understand why yo
+
namespace subtle {
// Functions of this namespace shouldn't be called directly from the context of
// an extension. Instead use PlatformKeysService which enforces restrictions
@@ -77,19 +109,14 @@ void GenerateRSAKey(const std::string& token_id,
typedef base::Callback<void(const std::string& signature,
const std::string& error_message)> SignCallback;
-// Digests |data| with |hash_algorithm| and afterwards signs the digest with the
-// private key matching |public_key|, if that key is stored in the given token.
-// |token_id| is currently ignored, instead the user token associated with
-// |browser_context| is always used. |public_key| must be the DER encoding of a
-// SubjectPublicKeyInfo. |callback| will be invoked with the signature or an
-// error message.
-// Currently supports RSA keys only.
-void Sign(const std::string& token_id,
- const std::string& public_key,
- HashAlgorithm hash_algorithm,
- const std::string& data,
- const SignCallback& callback,
- content::BrowserContext* browser_context);
+// Optionally digests |data|, applies PKCS1 padding and afterwards signs the
+// data with the private key matching |params.public_key|. If a non empty token
+// id is provided and the key is not found in that token, the operation aborts.
+// |callback| will be invoked with the signature or an error message.
+void SignRSA(const std::string& token_id,
+ scoped_ptr<SignRSAParams> params,
+ const SignCallback& callback,
+ content::BrowserContext* browser_context);
// If the certificate request could be processed successfully, |matches| will
// contain the list of matching certificates (which may be empty) and
@@ -107,6 +134,10 @@ void SelectClientCertificates(const ClientCertificateRequest& request,
} // namespace subtle
+// Fills |info| with information about the key certified by |certificate|.
+bool GetPublicKey(scoped_refptr<net::X509Certificate> certificate,
+ SubjectPublicKeyInfo* info);
+
// If the list of certificates could be successfully retrieved, |certs| will
// contain the list of available certificates (maybe empty) and |error_message|
// will be empty. If an error occurred, |certs| will be empty and

Powered by Google App Engine
This is Rietveld 408576698