OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/extensions/api/platform_keys/platform_keys_api.h" | 5 #include "chrome/browser/extensions/api/platform_keys/platform_keys_api.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/bind.h" | 9 #include "base/bind.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "base/values.h" |
11 #include "chrome/browser/chromeos/platform_keys/platform_keys.h" | 12 #include "chrome/browser/chromeos/platform_keys/platform_keys.h" |
12 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h" | 13 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h" |
13 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h" | 14 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h" |
14 #include "chrome/common/extensions/api/platform_keys_internal.h" | 15 #include "chrome/common/extensions/api/platform_keys_internal.h" |
15 #include "content/public/browser/browser_thread.h" | 16 #include "content/public/browser/browser_thread.h" |
16 #include "net/cert/x509_certificate.h" | 17 #include "net/cert/x509_certificate.h" |
17 | 18 |
18 namespace extensions { | 19 namespace extensions { |
19 | 20 |
20 namespace api_pk = api::platform_keys; | 21 namespace api_pk = api::platform_keys; |
21 namespace api_pki = api::platform_keys_internal; | 22 namespace api_pki = api::platform_keys_internal; |
22 | 23 |
| 24 namespace { |
| 25 |
| 26 const char kErrorAlgorithmNotSupported[] = "Algorithm not supported."; |
| 27 const char kErrorInvalidX509Cert[] = |
| 28 "Certificate is not a valid X.509 certificate."; |
| 29 |
| 30 struct PublicKeyInfo { |
| 31 // The X.509 Subject Public Key Info of the key in DER encoding. |
| 32 std::string public_key_spki_der; |
| 33 |
| 34 // The type of the key. |
| 35 net::X509Certificate::PublicKeyType key_type = |
| 36 net::X509Certificate::kPublicKeyTypeUnknown; |
| 37 |
| 38 // The size of the key in bits. |
| 39 size_t key_size_bits = 0; |
| 40 }; |
| 41 |
| 42 // Builds a partial WebCrypto Algorithm object from the parameters available in |
| 43 // |key_info|, which must the info of an RSA key. This doesn't include sign/hash |
| 44 // parameters and thus isn't complete. |
| 45 // platform_keys::GetPublicKey() enforced the public exponent 65537. |
| 46 void BuildWebCryptoRSAAlgorithmDictionary(const PublicKeyInfo& key_info, |
| 47 base::DictionaryValue* algorithm) { |
| 48 CHECK_EQ(net::X509Certificate::kPublicKeyTypeRSA, key_info.key_type); |
| 49 algorithm->SetStringWithoutPathExpansion("name", "RSASSA-PKCS1-v1_5"); |
| 50 algorithm->SetIntegerWithoutPathExpansion("modulusLength", |
| 51 key_info.key_size_bits); |
| 52 |
| 53 // Equals 65537. |
| 54 const unsigned char defaultPublicExponent[] = {0x01, 0x00, 0x01}; |
| 55 algorithm->SetWithoutPathExpansion( |
| 56 "publicExponent", |
| 57 base::BinaryValue::CreateWithCopiedBuffer( |
| 58 reinterpret_cast<const char*>(defaultPublicExponent), |
| 59 arraysize(defaultPublicExponent))); |
| 60 } |
| 61 |
| 62 } // namespace |
| 63 |
23 namespace platform_keys { | 64 namespace platform_keys { |
24 | 65 |
25 const char kErrorInvalidToken[] = "The token is not valid."; | 66 const char kErrorInvalidToken[] = "The token is not valid."; |
26 const char kErrorAlgorithmNotSupported[] = "Algorithm not supported."; | |
27 const char kTokenIdUser[] = "user"; | 67 const char kTokenIdUser[] = "user"; |
28 const char kTokenIdSystem[] = "system"; | 68 const char kTokenIdSystem[] = "system"; |
29 | 69 |
30 // Returns whether |token_id| references a known Token. | 70 // Returns whether |token_id| references a known Token. |
31 bool ValidateToken(const std::string& token_id, | 71 bool ValidateToken(const std::string& token_id, |
32 std::string* platform_keys_token_id) { | 72 std::string* platform_keys_token_id) { |
33 platform_keys_token_id->clear(); | 73 platform_keys_token_id->clear(); |
34 if (token_id == kTokenIdUser) { | 74 if (token_id == kTokenIdUser) { |
35 *platform_keys_token_id = chromeos::platform_keys::kTokenIdUser; | 75 *platform_keys_token_id = chromeos::platform_keys::kTokenIdUser; |
36 return true; | 76 return true; |
(...skipping 10 matching lines...) Expand all Loading... |
47 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdUser) | 87 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdUser) |
48 return kTokenIdUser; | 88 return kTokenIdUser; |
49 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdSystem) | 89 if (platform_keys_token_id == chromeos::platform_keys::kTokenIdSystem) |
50 return kTokenIdSystem; | 90 return kTokenIdSystem; |
51 | 91 |
52 return std::string(); | 92 return std::string(); |
53 } | 93 } |
54 | 94 |
55 } // namespace platform_keys | 95 } // namespace platform_keys |
56 | 96 |
| 97 PlatformKeysInternalGetPublicKeyFunction:: |
| 98 ~PlatformKeysInternalGetPublicKeyFunction() { |
| 99 } |
| 100 |
| 101 ExtensionFunction::ResponseAction |
| 102 PlatformKeysInternalGetPublicKeyFunction::Run() { |
| 103 scoped_ptr<api_pki::GetPublicKey::Params> params( |
| 104 api_pki::GetPublicKey::Params::Create(*args_)); |
| 105 EXTENSION_FUNCTION_VALIDATE(params); |
| 106 |
| 107 const std::vector<char>& cert_der = params->certificate; |
| 108 if (cert_der.empty()) |
| 109 return RespondNow(Error(kErrorInvalidX509Cert)); |
| 110 scoped_refptr<net::X509Certificate> cert_x509 = |
| 111 net::X509Certificate::CreateFromBytes(vector_as_array(&cert_der), |
| 112 cert_der.size()); |
| 113 if (!cert_x509) |
| 114 return RespondNow(Error(kErrorInvalidX509Cert)); |
| 115 |
| 116 PublicKeyInfo key_info; |
| 117 if (!chromeos::platform_keys::GetPublicKey( |
| 118 cert_x509, &key_info.public_key_spki_der, &key_info.key_type, |
| 119 &key_info.key_size_bits) || |
| 120 key_info.key_type != net::X509Certificate::kPublicKeyTypeRSA) { |
| 121 return RespondNow(Error(kErrorAlgorithmNotSupported)); |
| 122 } |
| 123 |
| 124 api_pki::GetPublicKey::Results::Algorithm algorithm; |
| 125 BuildWebCryptoRSAAlgorithmDictionary(key_info, |
| 126 &algorithm.additional_properties); |
| 127 |
| 128 return RespondNow(ArgumentList(api_pki::GetPublicKey::Results::Create( |
| 129 std::vector<char>(key_info.public_key_spki_der.begin(), |
| 130 key_info.public_key_spki_der.end()), |
| 131 algorithm))); |
| 132 } |
| 133 |
57 PlatformKeysInternalSelectClientCertificatesFunction:: | 134 PlatformKeysInternalSelectClientCertificatesFunction:: |
58 ~PlatformKeysInternalSelectClientCertificatesFunction() { | 135 ~PlatformKeysInternalSelectClientCertificatesFunction() { |
59 } | 136 } |
60 | 137 |
61 ExtensionFunction::ResponseAction | 138 ExtensionFunction::ResponseAction |
62 PlatformKeysInternalSelectClientCertificatesFunction::Run() { | 139 PlatformKeysInternalSelectClientCertificatesFunction::Run() { |
63 scoped_ptr<api_pki::SelectClientCertificates::Params> params( | 140 scoped_ptr<api_pki::SelectClientCertificates::Params> params( |
64 api_pki::SelectClientCertificates::Params::Create(*args_)); | 141 api_pki::SelectClientCertificates::Params::Create(*args_)); |
65 EXTENSION_FUNCTION_VALIDATE(params); | 142 EXTENSION_FUNCTION_VALIDATE(params); |
66 | 143 |
(...skipping 21 matching lines...) Expand all Loading... |
88 OnSelectedCertificates(scoped_ptr<net::CertificateList> matches, | 165 OnSelectedCertificates(scoped_ptr<net::CertificateList> matches, |
89 const std::string& error_message) { | 166 const std::string& error_message) { |
90 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); | 167 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); |
91 if (!error_message.empty()) { | 168 if (!error_message.empty()) { |
92 Respond(Error(error_message)); | 169 Respond(Error(error_message)); |
93 return; | 170 return; |
94 } | 171 } |
95 DCHECK(matches); | 172 DCHECK(matches); |
96 std::vector<linked_ptr<api_pk::Match>> result_matches; | 173 std::vector<linked_ptr<api_pk::Match>> result_matches; |
97 for (const scoped_refptr<net::X509Certificate>& match : *matches) { | 174 for (const scoped_refptr<net::X509Certificate>& match : *matches) { |
| 175 PublicKeyInfo key_info; |
| 176 if (!chromeos::platform_keys::GetPublicKey( |
| 177 match, &key_info.public_key_spki_der, &key_info.key_type, |
| 178 &key_info.key_size_bits)) { |
| 179 LOG(ERROR) << "Could not retrieve public key info."; |
| 180 continue; |
| 181 } |
| 182 if (key_info.key_type != net::X509Certificate::kPublicKeyTypeRSA) { |
| 183 LOG(ERROR) << "Skipping unsupported certificate with non-RSA key."; |
| 184 continue; |
| 185 } |
| 186 |
98 linked_ptr<api_pk::Match> result_match(new api_pk::Match); | 187 linked_ptr<api_pk::Match> result_match(new api_pk::Match); |
99 std::string der_encoded_cert; | 188 std::string der_encoded_cert; |
100 net::X509Certificate::GetDEREncoded(match->os_cert_handle(), | 189 net::X509Certificate::GetDEREncoded(match->os_cert_handle(), |
101 &der_encoded_cert); | 190 &der_encoded_cert); |
102 result_match->certificate.assign(der_encoded_cert.begin(), | 191 result_match->certificate.assign(der_encoded_cert.begin(), |
103 der_encoded_cert.end()); | 192 der_encoded_cert.end()); |
| 193 |
| 194 BuildWebCryptoRSAAlgorithmDictionary( |
| 195 key_info, &result_match->key_algorithm.additional_properties); |
104 result_matches.push_back(result_match); | 196 result_matches.push_back(result_match); |
105 } | 197 } |
106 Respond(ArgumentList( | 198 Respond(ArgumentList( |
107 api_pki::SelectClientCertificates::Results::Create(result_matches))); | 199 api_pki::SelectClientCertificates::Results::Create(result_matches))); |
108 } | 200 } |
109 | 201 |
110 PlatformKeysInternalSignFunction::~PlatformKeysInternalSignFunction() { | 202 PlatformKeysInternalSignFunction::~PlatformKeysInternalSignFunction() { |
111 } | 203 } |
112 | 204 |
113 ExtensionFunction::ResponseAction PlatformKeysInternalSignFunction::Run() { | 205 ExtensionFunction::ResponseAction PlatformKeysInternalSignFunction::Run() { |
114 scoped_ptr<api_pki::Sign::Params> params( | 206 scoped_ptr<api_pki::Sign::Params> params( |
115 api_pki::Sign::Params::Create(*args_)); | 207 api_pki::Sign::Params::Create(*args_)); |
116 EXTENSION_FUNCTION_VALIDATE(params); | 208 EXTENSION_FUNCTION_VALIDATE(params); |
117 std::string platform_keys_token_id; | 209 std::string platform_keys_token_id; |
118 if (!platform_keys::ValidateToken(params->token_id, &platform_keys_token_id)) | 210 if (!params->token_id.empty() && |
| 211 !platform_keys::ValidateToken(params->token_id, |
| 212 &platform_keys_token_id)) { |
119 return RespondNow(Error(platform_keys::kErrorInvalidToken)); | 213 return RespondNow(Error(platform_keys::kErrorInvalidToken)); |
120 | 214 } |
121 chromeos::platform_keys::HashAlgorithm hash_algorithm; | |
122 if (params->hash_algorithm_name == "SHA-1") | |
123 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA1; | |
124 else if (params->hash_algorithm_name == "SHA-256") | |
125 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA256; | |
126 else if (params->hash_algorithm_name == "SHA-384") | |
127 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA384; | |
128 else if (params->hash_algorithm_name == "SHA-512") | |
129 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA512; | |
130 else | |
131 return RespondNow(Error(platform_keys::kErrorAlgorithmNotSupported)); | |
132 | 215 |
133 chromeos::PlatformKeysService* service = | 216 chromeos::PlatformKeysService* service = |
134 chromeos::PlatformKeysServiceFactory::GetForBrowserContext( | 217 chromeos::PlatformKeysServiceFactory::GetForBrowserContext( |
135 browser_context()); | 218 browser_context()); |
136 DCHECK(service); | 219 DCHECK(service); |
137 | 220 |
138 service->Sign( | 221 if (params->hash_algorithm_name == "none") { |
139 platform_keys_token_id, | 222 service->SignRSAPKCS1Raw( |
140 std::string(params->public_key.begin(), params->public_key.end()), | 223 platform_keys_token_id, |
141 hash_algorithm, std::string(params->data.begin(), params->data.end()), | 224 std::string(params->data.begin(), params->data.end()), |
142 extension_id(), | 225 std::string(params->public_key.begin(), params->public_key.end()), |
143 base::Bind(&PlatformKeysInternalSignFunction::OnSigned, this)); | 226 extension_id(), |
| 227 base::Bind(&PlatformKeysInternalSignFunction::OnSigned, this)); |
| 228 } else { |
| 229 chromeos::platform_keys::HashAlgorithm hash_algorithm; |
| 230 if (params->hash_algorithm_name == "SHA-1") { |
| 231 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA1; |
| 232 } else if (params->hash_algorithm_name == "SHA-256") { |
| 233 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA256; |
| 234 } else if (params->hash_algorithm_name == "SHA-384") { |
| 235 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA384; |
| 236 } else if (params->hash_algorithm_name == "SHA-512") { |
| 237 hash_algorithm = chromeos::platform_keys::HASH_ALGORITHM_SHA512; |
| 238 } else { |
| 239 return RespondNow(Error(kErrorAlgorithmNotSupported)); |
| 240 } |
| 241 service->SignRSAPKCS1Digest( |
| 242 platform_keys_token_id, |
| 243 std::string(params->data.begin(), params->data.end()), |
| 244 std::string(params->public_key.begin(), params->public_key.end()), |
| 245 hash_algorithm, extension_id(), |
| 246 base::Bind(&PlatformKeysInternalSignFunction::OnSigned, this)); |
| 247 } |
| 248 |
144 return RespondLater(); | 249 return RespondLater(); |
145 } | 250 } |
146 | 251 |
147 void PlatformKeysInternalSignFunction::OnSigned( | 252 void PlatformKeysInternalSignFunction::OnSigned( |
148 const std::string& signature, | 253 const std::string& signature, |
149 const std::string& error_message) { | 254 const std::string& error_message) { |
150 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); | 255 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); |
151 if (error_message.empty()) | 256 if (error_message.empty()) |
152 Respond(ArgumentList(api_pki::Sign::Results::Create( | 257 Respond(ArgumentList(api_pki::Sign::Results::Create( |
153 std::vector<char>(signature.begin(), signature.end())))); | 258 std::vector<char>(signature.begin(), signature.end())))); |
154 else | 259 else |
155 Respond(Error(error_message)); | 260 Respond(Error(error_message)); |
156 } | 261 } |
157 | 262 |
158 } // namespace extensions | 263 } // namespace extensions |
OLD | NEW |