Revert "Implement chrome.platformKeys.getKeyPair()."

chrome/browser/chromeos/platform_keys/platform_keys_nss.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
 
-#include <cert.h>
 #include <cryptohi.h>
-#include <keyhi.h>
-#include <secder.h>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/compiler_specific.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/single_thread_task_runner.h"
-#include "base/stl_util.h"
 #include "base/thread_task_runner_handle.h"
 #include "base/threading/worker_pool.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_process_platform_part_chromeos.h"
 #include "chrome/browser/chromeos/net/client_cert_filter_chromeos.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api.h"
 #include "chrome/browser/net/nss_context.h"
 #include "chrome/browser/profiles/profile.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_thread.h"
 #include "crypto/rsa_private_key.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_database.h"
 #include "net/cert/nss_cert_database.h"
 #include "net/cert/x509_certificate.h"
-#include "net/cert/x509_util_nss.h"
 #include "net/ssl/client_cert_store_chromeos.h"
 #include "net/ssl/ssl_cert_request_info.h"
 
 using content::BrowserContext;
 using content::BrowserThread;
 
 namespace {
 const char kErrorInternal[] = "Internal Error.";
 const char kErrorKeyNotFound[] = "Key not found.";
 const char kErrorCertificateNotFound[] = "Certificate could not be found.";
@@ skipping 115 matching lines @@
         from, base::Bind(callback_, public_key_spki_der, error_message));
   }
 
   const unsigned int modulus_length_bits_;
 
  private:
   // Must be called on origin thread, therefore use CallBack().
   subtle::GenerateKeyCallback callback_;
 };
 
-class SignRSAState : public NSSOperationState {
+class SignState : public NSSOperationState {
  public:
-  SignRSAState(const std::string& data,
-               const std::string& public_key,
-               bool sign_direct_pkcs_padded,
-               HashAlgorithm hash_algorithm,
-               const subtle::SignCallback& callback);
-  ~SignRSAState() override {}
+  SignState(const std::string& public_key,
+            HashAlgorithm hash_algorithm,
+            const std::string& data,
+            const subtle::SignCallback& callback);
+  ~SignState() override {}
 
   void OnError(const tracked_objects::Location& from,
                const std::string& error_message) override {
     CallBack(from, std::string() /* no signature */, error_message);
   }
 
   void CallBack(const tracked_objects::Location& from,
                 const std::string& signature,
                 const std::string& error_message) {
     origin_task_runner_->PostTask(
         from, base::Bind(callback_, signature, error_message));
   }
 
-  // The data that will be signed.
+  const std::string public_key_;
+  HashAlgorithm hash_algorithm_;
   const std::string data_;
 
-  // Must be the DER encoding of a SubjectPublicKeyInfo.
-  const std::string public_key_;
-
-  // If true, |data_| will not be hashed before signing. Only PKCS#1 v1.5
-  // padding will be applied before signing.
-  // If false, |hash_algorithm_| must be set to a value != NONE.
-  const bool sign_direct_pkcs_padded_;
-
-  // Determines the hash algorithm that is used to digest |data| before signing.
-  // Ignored if |sign_direct_pkcs_padded_| is true.
-  const HashAlgorithm hash_algorithm_;
-
  private:
   // Must be called on origin thread, therefore use CallBack().
   subtle::SignCallback callback_;
 };
 
 class SelectCertificatesState : public NSSOperationState {
  public:
   explicit SelectCertificatesState(
       const std::string& username_hash,
       const bool use_system_key_slot,
-      const scoped_refptr<net::SSLCertRequestInfo>& request,
+      scoped_refptr<net::SSLCertRequestInfo> request,
       const subtle::SelectCertificatesCallback& callback);
   ~SelectCertificatesState() override {}
 
   void OnError(const tracked_objects::Location& from,
                const std::string& error_message) override {
     CallBack(from, scoped_ptr<net::CertificateList>() /* no matches */,
              error_message);
   }
 
   void CallBack(const tracked_objects::Location& from,
@@ skipping 35 matching lines @@
 
   scoped_ptr<net::CertificateList> certs_;
 
  private:
   // Must be called on origin thread, therefore use CallBack().
   GetCertificatesCallback callback_;
 };
 
 class ImportCertificateState : public NSSOperationState {
  public:
-  ImportCertificateState(const scoped_refptr<net::X509Certificate>& certificate,
+  ImportCertificateState(scoped_refptr<net::X509Certificate> certificate,
                          const ImportCertificateCallback& callback);
   ~ImportCertificateState() override {}
 
   void OnError(const tracked_objects::Location& from,
                const std::string& error_message) override {
     CallBack(from, error_message);
   }
 
   void CallBack(const tracked_objects::Location& from,
                 const std::string& error_message) {
     origin_task_runner_->PostTask(from, base::Bind(callback_, error_message));
   }
 
   scoped_refptr<net::X509Certificate> certificate_;
 
  private:
   // Must be called on origin thread, therefore use CallBack().
   ImportCertificateCallback callback_;
 };
 
 class RemoveCertificateState : public NSSOperationState {
  public:
-  RemoveCertificateState(const scoped_refptr<net::X509Certificate>& certificate,
+  RemoveCertificateState(scoped_refptr<net::X509Certificate> certificate,
                          const RemoveCertificateCallback& callback);
   ~RemoveCertificateState() override {}
 
   void OnError(const tracked_objects::Location& from,
                const std::string& error_message) override {
     CallBack(from, error_message);
   }
 
   void CallBack(const tracked_objects::Location& from,
                 const std::string& error_message) {
@@ skipping 34 matching lines @@
 NSSOperationState::NSSOperationState()
     : origin_task_runner_(base::ThreadTaskRunnerHandle::Get()) {
 }
 
 GenerateRSAKeyState::GenerateRSAKeyState(
     unsigned int modulus_length_bits,
     const subtle::GenerateKeyCallback& callback)
     : modulus_length_bits_(modulus_length_bits), callback_(callback) {
 }
 
-SignRSAState::SignRSAState(const std::string& data,
-                           const std::string& public_key,
-                           bool sign_direct_pkcs_padded,
-                           HashAlgorithm hash_algorithm,
-                           const subtle::SignCallback& callback)
-    : data_(data),
-      public_key_(public_key),
-      sign_direct_pkcs_padded_(sign_direct_pkcs_padded),
+SignState::SignState(const std::string& public_key,
+                     HashAlgorithm hash_algorithm,
+                     const std::string& data,
+                     const subtle::SignCallback& callback)
+    : public_key_(public_key),
       hash_algorithm_(hash_algorithm),
+      data_(data),
       callback_(callback) {
 }
 
 SelectCertificatesState::SelectCertificatesState(
     const std::string& username_hash,
     const bool use_system_key_slot,
-    const scoped_refptr<net::SSLCertRequestInfo>& cert_request_info,
+    scoped_refptr<net::SSLCertRequestInfo> cert_request_info,
     const subtle::SelectCertificatesCallback& callback)
     : username_hash_(username_hash),
       use_system_key_slot_(use_system_key_slot),
       cert_request_info_(cert_request_info),
       callback_(callback) {
 }
 
 GetCertificatesState::GetCertificatesState(
     const GetCertificatesCallback& callback)
     : callback_(callback) {
 }
 
 ImportCertificateState::ImportCertificateState(
-    const scoped_refptr<net::X509Certificate>& certificate,
+    scoped_refptr<net::X509Certificate> certificate,
     const ImportCertificateCallback& callback)
     : certificate_(certificate), callback_(callback) {
 }
 
 RemoveCertificateState::RemoveCertificateState(
-    const scoped_refptr<net::X509Certificate>& certificate,
+    scoped_refptr<net::X509Certificate> certificate,
     const RemoveCertificateCallback& callback)
     : certificate_(certificate), callback_(callback) {
 }
 
 GetTokensState::GetTokensState(const GetTokensCallback& callback)
     : callback_(callback) {
 }
 
 // Does the actual key generation on a worker thread. Used by
 // GenerateRSAKeyWithDB().
@@ skipping 25 matching lines @@
 void GenerateRSAKeyWithDB(scoped_ptr<GenerateRSAKeyState> state,
                           net::NSSCertDatabase* cert_db) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   // Only the slot and not the NSSCertDatabase is required. Ignore |cert_db|.
   base::WorkerPool::PostTask(
       FROM_HERE,
       base::Bind(&GenerateRSAKeyOnWorkerThread, base::Passed(&state)),
       true /*task is slow*/);
 }
 
-// Does the actual signing on a worker thread. Used by SignRSAWithDB().
-void SignRSAOnWorkerThread(scoped_ptr<SignRSAState> state) {
+// Does the actual signing on a worker thread. Used by RSASignWithDB().
+void RSASignOnWorkerThread(scoped_ptr<SignState> state) {
   const uint8* public_key_uint8 =
       reinterpret_cast<const uint8*>(state->public_key_.data());
   std::vector<uint8> public_key_vector(
       public_key_uint8, public_key_uint8 + state->public_key_.size());
 
   // TODO(pneubeck): This searches all slots. Change to look only at |slot_|.
   scoped_ptr<crypto::RSAPrivateKey> rsa_key(
       crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key_vector));
-
-  // Fail if the key was not found. If a specific slot was requested, also fail
-  // if the key was found in the wrong slot.
-  if (!rsa_key ||
-      (state->slot_ && rsa_key->key()->pkcs11Slot != state->slot_)) {
+  if (!rsa_key || rsa_key->key()->pkcs11Slot != state->slot_) {
     state->OnError(FROM_HERE, kErrorKeyNotFound);
     return;
   }
 
-  std::string signature_str;
-  if (state->sign_direct_pkcs_padded_) {
-    static_assert(
-        sizeof(*state->data_.data()) == sizeof(char),
-        "Can't reinterpret data if it's characters are not 8 bit large.");
-    SECItem input = {siBuffer,
-                     reinterpret_cast<unsigned char*>(
-                         const_cast<char*>(state->data_.data())),
-                     state->data_.size()};
-
-    // Compute signature of hash.
-    int signature_len = PK11_SignatureLen(rsa_key->key());
-    if (signature_len <= 0) {
-      state->OnError(FROM_HERE, kErrorInternal);
-      return;
-    }
-
-    std::vector<unsigned char> signature(signature_len);
-    SECItem signature_output = {
-        siBuffer, vector_as_array(&signature), signature.size()};
-    if (PK11_Sign(rsa_key->key(), &signature_output, &input) == SECSuccess)
-      signature_str.assign(signature.begin(), signature.end());
-  } else {
-    SECOidTag sign_alg_tag = SEC_OID_UNKNOWN;
-    switch (state->hash_algorithm_) {
-      case HASH_ALGORITHM_SHA1:
-        sign_alg_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
-        break;
-      case HASH_ALGORITHM_SHA256:
-        sign_alg_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
-        break;
-      case HASH_ALGORITHM_SHA384:
-        sign_alg_tag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
-        break;
-      case HASH_ALGORITHM_SHA512:
-        sign_alg_tag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
-        break;
-      case HASH_ALGORITHM_NONE:
-        NOTREACHED();
-        break;
-    }
-
-    SECItem sign_result = {siBuffer, nullptr, 0};
-    if (SEC_SignData(
-            &sign_result,
-            reinterpret_cast<const unsigned char*>(state->data_.data()),
-            state->data_.size(), rsa_key->key(), sign_alg_tag) == SECSuccess) {
-      signature_str.assign(sign_result.data,
-                           sign_result.data + sign_result.len);
-    }
+  SECOidTag sign_alg_tag = SEC_OID_UNKNOWN;
+  switch (state->hash_algorithm_) {
+    case HASH_ALGORITHM_SHA1:
+      sign_alg_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+      break;
+    case HASH_ALGORITHM_SHA256:
+      sign_alg_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+      break;
+    case HASH_ALGORITHM_SHA384:
+      sign_alg_tag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
+      break;
+    case HASH_ALGORITHM_SHA512:
+      sign_alg_tag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
+      break;
   }
 
-  if (signature_str.empty()) {
+  crypto::ScopedSECItem sign_result(SECITEM_AllocItem(NULL, NULL, 0));
+  if (SEC_SignData(sign_result.get(),
+                   reinterpret_cast<const unsigned char*>(state->data_.data()),
+                   state->data_.size(),
+                   rsa_key->key(),
+                   sign_alg_tag) != SECSuccess) {
     LOG(ERROR) << "Couldn't sign.";
     state->OnError(FROM_HERE, kErrorInternal);
     return;
   }
 
-  state->CallBack(FROM_HERE, signature_str, std::string() /* no error */);
+  std::string signature(reinterpret_cast<const char*>(sign_result->data),
+                        sign_result->len);
+  state->CallBack(FROM_HERE, signature, std::string() /* no error */);
 }
 
 // Continues signing with the obtained NSSCertDatabase. Used by Sign().
-void SignRSAWithDB(scoped_ptr<SignRSAState> state,
-                   net::NSSCertDatabase* cert_db) {
+void RSASignWithDB(scoped_ptr<SignState> state, net::NSSCertDatabase* cert_db) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   // Only the slot and not the NSSCertDatabase is required. Ignore |cert_db|.
   base::WorkerPool::PostTask(
-      FROM_HERE, base::Bind(&SignRSAOnWorkerThread, base::Passed(&state)),
+      FROM_HERE,
+      base::Bind(&RSASignOnWorkerThread, base::Passed(&state)),
       true /*task is slow*/);
 }
 
 // Called when ClientCertStoreChromeOS::GetClientCerts is done. Builds the list
 // of net::CertificateList and calls back. Used by
 // SelectCertificatesOnIOThread().
 void DidSelectCertificatesOnIOThread(
     scoped_ptr<SelectCertificatesState> state) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   state->CallBack(FROM_HERE, state->certs_.Pass(),
@@ skipping 166 matching lines @@
   }
 
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
   GetCertDatabase(token_id,
                   base::Bind(&GenerateRSAKeyWithDB, base::Passed(&state)),
                   browser_context,
                   state_ptr);
 }
 
-void SignRSAPKCS1Digest(const std::string& token_id,
-                        const std::string& data,
-                        const std::string& public_key,
-                        HashAlgorithm hash_algorithm,
-                        const SignCallback& callback,
-                        content::BrowserContext* browser_context) {
+void Sign(const std::string& token_id,
+          const std::string& public_key,
+          HashAlgorithm hash_algorithm,
+          const std::string& data,
+          const SignCallback& callback,
+          BrowserContext* browser_context) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  scoped_ptr<SignRSAState> state(
-      new SignRSAState(data, public_key, false /* digest before signing */,
-                       hash_algorithm, callback));
+  scoped_ptr<SignState> state(
+      new SignState(public_key, hash_algorithm, data, callback));
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
 
   // The NSSCertDatabase object is not required. But in case it's not available
   // we would get more informative error messages and we can double check that
   // we use a key of the correct token.
-  GetCertDatabase(token_id, base::Bind(&SignRSAWithDB, base::Passed(&state)),
-                  browser_context, state_ptr);
-}
-
-void SignRSAPKCS1Raw(const std::string& token_id,
-                     const std::string& data,
-                     const std::string& public_key,
-                     const SignCallback& callback,
-                     content::BrowserContext* browser_context) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  scoped_ptr<SignRSAState> state(new SignRSAState(
-      data, public_key, true /* sign directly without hashing */,
-      HASH_ALGORITHM_NONE, callback));
-  // Get the pointer to |state| before base::Passed releases |state|.
-  NSSOperationState* state_ptr = state.get();
-
-  // The NSSCertDatabase object is not required. But in case it's not available
-  // we would get more informative error messages and we can double check that
-  // we use a key of the correct token.
-  GetCertDatabase(token_id, base::Bind(&SignRSAWithDB, base::Passed(&state)),
-                  browser_context, state_ptr);
+  GetCertDatabase(token_id,
+                  base::Bind(&RSASignWithDB, base::Passed(&state)),
+                  browser_context,
+                  state_ptr);
 }
 
 void SelectClientCertificates(const ClientCertificateRequest& request,
                               const SelectCertificatesCallback& callback,
                               content::BrowserContext* browser_context) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   scoped_refptr<net::SSLCertRequestInfo> cert_request_info(
       new net::SSLCertRequestInfo);
   cert_request_info->cert_key_types = request.certificate_key_types;
@@ skipping 12 matching lines @@
   scoped_ptr<SelectCertificatesState> state(new SelectCertificatesState(
       user->username_hash(), use_system_key_slot, cert_request_info, callback));
 
   BrowserThread::PostTask(
       BrowserThread::IO, FROM_HERE,
       base::Bind(&SelectCertificatesOnIOThread, base::Passed(&state)));
 }
 
 }  // namespace subtle
 
-bool GetPublicKey(const scoped_refptr<net::X509Certificate>& certificate,
-                  std::string* public_key_spki_der,
-                  net::X509Certificate::PublicKeyType* key_type,
-                  size_t* key_size_bits) {
-  const SECItem& spki_der = certificate->os_cert_handle()->derPublicKey;
-
-  net::X509Certificate::PublicKeyType key_type_tmp =
-      net::X509Certificate::kPublicKeyTypeUnknown;
-  size_t key_size_bits_tmp = 0;
-  net::X509Certificate::GetPublicKeyInfo(certificate->os_cert_handle(),
-                                         &key_size_bits_tmp, &key_type_tmp);
-
-  if (key_type_tmp == net::X509Certificate::kPublicKeyTypeUnknown) {
-    LOG(WARNING) << "Could not extract public key of certificate.";
-    return false;
-  }
-  if (key_type_tmp != net::X509Certificate::kPublicKeyTypeRSA) {
-    LOG(WARNING) << "Keys of other type than RSA are not supported.";
-    return false;
-  }
-
-  crypto::ScopedSECKEYPublicKey public_key(
-      CERT_ExtractPublicKey(certificate->os_cert_handle()));
-  if (!public_key) {
-    LOG(WARNING) << "Could not extract public key of certificate.";
-    return false;
-  }
-  long public_exponent = DER_GetInteger(&public_key->u.rsa.publicExponent);
-  if (public_exponent != 65537L) {
-    LOG(ERROR) << "Rejecting RSA public exponent that is unequal 65537.";
-    return false;
-  }
-
-  public_key_spki_der->assign(spki_der.data, spki_der.data + spki_der.len);
-  *key_type = key_type_tmp;
-  *key_size_bits = key_size_bits_tmp;
-
-  return true;
-}
-
 void GetCertificates(const std::string& token_id,
                      const GetCertificatesCallback& callback,
                      BrowserContext* browser_context) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   scoped_ptr<GetCertificatesState> state(new GetCertificatesState(callback));
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
   GetCertDatabase(token_id,
                   base::Bind(&GetCertificatesWithDB, base::Passed(&state)),
                   browser_context,
                   state_ptr);
 }
 
 void ImportCertificate(const std::string& token_id,
-                       const scoped_refptr<net::X509Certificate>& certificate,
+                       scoped_refptr<net::X509Certificate> certificate,
                        const ImportCertificateCallback& callback,
                        BrowserContext* browser_context) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   scoped_ptr<ImportCertificateState> state(
       new ImportCertificateState(certificate, callback));
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
 
   // The NSSCertDatabase object is not required. But in case it's not available
   // we would get more informative error messages and we can double check that
   // we use a key of the correct token.
   GetCertDatabase(token_id,
                   base::Bind(&ImportCertificateWithDB, base::Passed(&state)),
                   browser_context,
                   state_ptr);
 }
 
 void RemoveCertificate(const std::string& token_id,
-                       const scoped_refptr<net::X509Certificate>& certificate,
+                       scoped_refptr<net::X509Certificate> certificate,
                        const RemoveCertificateCallback& callback,
                        BrowserContext* browser_context) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   scoped_ptr<RemoveCertificateState> state(
       new RemoveCertificateState(certificate, callback));
   // Get the pointer to |state| before base::Passed releases |state|.
   NSSOperationState* state_ptr = state.get();
 
   // The NSSCertDatabase object is not required. But in case it's not available
   // we would get more informative error messages.
@@ skipping 11 matching lines @@
   NSSOperationState* state_ptr = state.get();
   GetCertDatabase(std::string() /* don't get any specific slot */,
                   base::Bind(&GetTokensWithDB, base::Passed(&state)),
                   browser_context,
                   state_ptr);
 }
 
 }  // namespace platform_keys
 
 }  // namespace chromeos