| Index: crypto/ec_private_key_nss.cc
|
| diff --git a/crypto/ec_private_key_nss.cc b/crypto/ec_private_key_nss.cc
|
| deleted file mode 100644
|
| index 2daa0c0f4a38642916981996440a084d09f8adc5..0000000000000000000000000000000000000000
|
| --- a/crypto/ec_private_key_nss.cc
|
| +++ /dev/null
|
| @@ -1,405 +0,0 @@
|
| -// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
| -// Use of this source code is governed by a BSD-style license that can be
|
| -// found in the LICENSE file.
|
| -
|
| -#include "crypto/ec_private_key.h"
|
| -
|
| -extern "C" {
|
| -// Work around NSS missing SEC_BEGIN_PROTOS in secmodt.h. This must come before
|
| -// other NSS headers.
|
| -#include <secmodt.h>
|
| -}
|
| -
|
| -#include <cryptohi.h>
|
| -#include <keyhi.h>
|
| -#include <pk11pub.h>
|
| -#include <secmod.h>
|
| -
|
| -#include "base/lazy_instance.h"
|
| -#include "base/logging.h"
|
| -#include "base/memory/scoped_ptr.h"
|
| -#include "crypto/nss_util.h"
|
| -#include "crypto/nss_util_internal.h"
|
| -#include "crypto/scoped_nss_types.h"
|
| -#include "crypto/third_party/nss/chromium-nss.h"
|
| -
|
| -namespace {
|
| -
|
| -PK11SlotInfo* GetTempKeySlot() {
|
| - return PK11_GetInternalSlot();
|
| -}
|
| -
|
| -class EllipticCurveSupportChecker {
|
| - public:
|
| - EllipticCurveSupportChecker() {
|
| - // NOTE: we can do this check here only because we use the NSS internal
|
| - // slot. If we support other slots in the future, checking whether they
|
| - // support ECDSA may block NSS, and the value may also change as devices are
|
| - // inserted/removed, so we would need to re-check on every use.
|
| - crypto::EnsureNSSInit();
|
| - crypto::ScopedPK11Slot slot(GetTempKeySlot());
|
| - supported_ = PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) &&
|
| - PK11_DoesMechanism(slot.get(), CKM_ECDSA);
|
| - }
|
| -
|
| - bool Supported() {
|
| - return supported_;
|
| - }
|
| -
|
| - private:
|
| - bool supported_;
|
| -};
|
| -
|
| -static base::LazyInstance<EllipticCurveSupportChecker>::Leaky
|
| - g_elliptic_curve_supported = LAZY_INSTANCE_INITIALIZER;
|
| -
|
| -// Copied from rsa_private_key_nss.cc.
|
| -static bool ReadAttribute(SECKEYPrivateKey* key,
|
| - CK_ATTRIBUTE_TYPE type,
|
| - std::vector<uint8>* output) {
|
| - SECItem item;
|
| - SECStatus rv;
|
| - rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item);
|
| - if (rv != SECSuccess) {
|
| - DLOG(ERROR) << "PK11_ReadRawAttribute: " << PORT_GetError();
|
| - return false;
|
| - }
|
| -
|
| - output->assign(item.data, item.data + item.len);
|
| - SECITEM_FreeItem(&item, PR_FALSE);
|
| - return true;
|
| -}
|
| -
|
| -} // namespace
|
| -
|
| -namespace crypto {
|
| -
|
| -ECPrivateKey::~ECPrivateKey() {
|
| - if (key_)
|
| - SECKEY_DestroyPrivateKey(key_);
|
| - if (public_key_)
|
| - SECKEY_DestroyPublicKey(public_key_);
|
| -}
|
| -
|
| -// static
|
| -bool ECPrivateKey::IsSupported() {
|
| - return g_elliptic_curve_supported.Get().Supported();
|
| -}
|
| -
|
| -// static
|
| -ECPrivateKey* ECPrivateKey::Create() {
|
| - EnsureNSSInit();
|
| -
|
| - ScopedPK11Slot slot(GetTempKeySlot());
|
| - return CreateWithParams(slot.get(),
|
| - false /* not permanent */,
|
| - false /* not sensitive */);
|
| -}
|
| -
|
| -#if defined(USE_NSS)
|
| -// static
|
| -ECPrivateKey* ECPrivateKey::CreateSensitive(PK11SlotInfo* slot) {
|
| - return CreateWithParams(
|
| - slot, true /* permanent */, true /* sensitive */);
|
| -}
|
| -#endif
|
| -
|
| -// static
|
| -ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
|
| - const std::string& password,
|
| - const std::vector<uint8>& encrypted_private_key_info,
|
| - const std::vector<uint8>& subject_public_key_info) {
|
| - EnsureNSSInit();
|
| -
|
| - ScopedPK11Slot slot(GetTempKeySlot());
|
| - return CreateFromEncryptedPrivateKeyInfoWithParams(
|
| - slot.get(),
|
| - password,
|
| - encrypted_private_key_info,
|
| - subject_public_key_info,
|
| - false /* not permanent */,
|
| - false /* not sensitive */);
|
| -}
|
| -
|
| -#if defined(USE_NSS)
|
| -// static
|
| -ECPrivateKey* ECPrivateKey::CreateSensitiveFromEncryptedPrivateKeyInfo(
|
| - PK11SlotInfo* slot,
|
| - const std::string& password,
|
| - const std::vector<uint8>& encrypted_private_key_info,
|
| - const std::vector<uint8>& subject_public_key_info) {
|
| - return CreateFromEncryptedPrivateKeyInfoWithParams(
|
| - slot,
|
| - password,
|
| - encrypted_private_key_info,
|
| - subject_public_key_info,
|
| - true /* permanent */,
|
| - true /* sensitive */);
|
| -}
|
| -#endif
|
| -
|
| -// static
|
| -bool ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
|
| - PK11SlotInfo* slot,
|
| - const std::string& password,
|
| - const uint8* encrypted_private_key_info,
|
| - size_t encrypted_private_key_info_len,
|
| - CERTSubjectPublicKeyInfo* decoded_spki,
|
| - bool permanent,
|
| - bool sensitive,
|
| - SECKEYPrivateKey** key,
|
| - SECKEYPublicKey** public_key) {
|
| - if (!slot)
|
| - return false;
|
| -
|
| - *public_key = SECKEY_ExtractPublicKey(decoded_spki);
|
| -
|
| - if (!*public_key) {
|
| - DLOG(ERROR) << "SECKEY_ExtractPublicKey: " << PORT_GetError();
|
| - return false;
|
| - }
|
| -
|
| - if (SECKEY_GetPublicKeyType(*public_key) != ecKey) {
|
| - DLOG(ERROR) << "The public key is not an EC key";
|
| - SECKEY_DestroyPublicKey(*public_key);
|
| - *public_key = NULL;
|
| - return false;
|
| - }
|
| -
|
| - SECItem encoded_epki = {
|
| - siBuffer,
|
| - const_cast<unsigned char*>(encrypted_private_key_info),
|
| - static_cast<unsigned>(encrypted_private_key_info_len)
|
| - };
|
| - SECKEYEncryptedPrivateKeyInfo epki;
|
| - memset(&epki, 0, sizeof(epki));
|
| -
|
| - ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
|
| -
|
| - SECStatus rv = SEC_QuickDERDecodeItem(
|
| - arena.get(),
|
| - &epki,
|
| - SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate),
|
| - &encoded_epki);
|
| - if (rv != SECSuccess) {
|
| - DLOG(ERROR) << "SEC_QuickDERDecodeItem: " << PORT_GetError();
|
| - SECKEY_DestroyPublicKey(*public_key);
|
| - *public_key = NULL;
|
| - return false;
|
| - }
|
| -
|
| - SECItem password_item = {
|
| - siBuffer,
|
| - reinterpret_cast<unsigned char*>(const_cast<char*>(password.data())),
|
| - static_cast<unsigned>(password.size())
|
| - };
|
| -
|
| - rv = ImportEncryptedECPrivateKeyInfoAndReturnKey(
|
| - slot,
|
| - &epki,
|
| - &password_item,
|
| - NULL, // nickname
|
| - &(*public_key)->u.ec.publicValue,
|
| - permanent,
|
| - sensitive,
|
| - key,
|
| - NULL); // wincx
|
| - if (rv != SECSuccess) {
|
| - DLOG(ERROR) << "ImportEncryptedECPrivateKeyInfoAndReturnKey: "
|
| - << PORT_GetError();
|
| - SECKEY_DestroyPublicKey(*public_key);
|
| - *public_key = NULL;
|
| - return false;
|
| - }
|
| -
|
| - return true;
|
| -}
|
| -
|
| -ECPrivateKey* ECPrivateKey::Copy() const {
|
| - scoped_ptr<ECPrivateKey> copy(new ECPrivateKey);
|
| - if (key_) {
|
| - copy->key_ = SECKEY_CopyPrivateKey(key_);
|
| - if (!copy->key_)
|
| - return NULL;
|
| - }
|
| - if (public_key_) {
|
| - copy->public_key_ = SECKEY_CopyPublicKey(public_key_);
|
| - if (!copy->public_key_)
|
| - return NULL;
|
| - }
|
| - return copy.release();
|
| -}
|
| -
|
| -bool ECPrivateKey::ExportEncryptedPrivateKey(
|
| - const std::string& password,
|
| - int iterations,
|
| - std::vector<uint8>* output) {
|
| - // We export as an EncryptedPrivateKeyInfo bundle instead of a plain PKCS #8
|
| - // PrivateKeyInfo because PK11_ImportDERPrivateKeyInfoAndReturnKey doesn't
|
| - // support EC keys.
|
| - // https://bugzilla.mozilla.org/show_bug.cgi?id=327773
|
| - SECItem password_item = {
|
| - siBuffer,
|
| - reinterpret_cast<unsigned char*>(const_cast<char*>(password.data())),
|
| - static_cast<unsigned>(password.size())
|
| - };
|
| -
|
| - SECKEYEncryptedPrivateKeyInfo* encrypted = PK11_ExportEncryptedPrivKeyInfo(
|
| - NULL, // Slot, optional.
|
| - SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
|
| - &password_item,
|
| - key_,
|
| - iterations,
|
| - NULL); // wincx.
|
| -
|
| - if (!encrypted) {
|
| - DLOG(ERROR) << "PK11_ExportEncryptedPrivKeyInfo: " << PORT_GetError();
|
| - return false;
|
| - }
|
| -
|
| - ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
|
| - SECItem der_key = {siBuffer, NULL, 0};
|
| - SECItem* encoded_item = SEC_ASN1EncodeItem(
|
| - arena.get(),
|
| - &der_key,
|
| - encrypted,
|
| - SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate));
|
| - SECKEY_DestroyEncryptedPrivateKeyInfo(encrypted, PR_TRUE);
|
| - if (!encoded_item) {
|
| - DLOG(ERROR) << "SEC_ASN1EncodeItem: " << PORT_GetError();
|
| - return false;
|
| - }
|
| -
|
| - output->assign(der_key.data, der_key.data + der_key.len);
|
| -
|
| - return true;
|
| -}
|
| -
|
| -bool ECPrivateKey::ExportPublicKey(std::vector<uint8>* output) {
|
| - ScopedSECItem der_pubkey(
|
| - SECKEY_EncodeDERSubjectPublicKeyInfo(public_key_));
|
| - if (!der_pubkey.get()) {
|
| - return false;
|
| - }
|
| -
|
| - output->assign(der_pubkey->data, der_pubkey->data + der_pubkey->len);
|
| - return true;
|
| -}
|
| -
|
| -bool ECPrivateKey::ExportRawPublicKey(std::string* output) {
|
| - // public_key_->u.ec.publicValue is an ANSI X9.62 public key which, for
|
| - // a P-256 key, is 0x04 (meaning uncompressed) followed by the x and y field
|
| - // elements as 32-byte, big-endian numbers.
|
| - static const unsigned int kExpectedKeyLength = 65;
|
| -
|
| - CHECK_EQ(ecKey, SECKEY_GetPublicKeyType(public_key_));
|
| - const unsigned char* const data = public_key_->u.ec.publicValue.data;
|
| - const unsigned int len = public_key_->u.ec.publicValue.len;
|
| - if (len != kExpectedKeyLength || data[0] != 0x04)
|
| - return false;
|
| -
|
| - output->assign(reinterpret_cast<const char*>(data + 1),
|
| - kExpectedKeyLength - 1);
|
| - return true;
|
| -}
|
| -
|
| -bool ECPrivateKey::ExportValue(std::vector<uint8>* output) {
|
| - return ReadAttribute(key_, CKA_VALUE, output);
|
| -}
|
| -
|
| -bool ECPrivateKey::ExportECParams(std::vector<uint8>* output) {
|
| - return ReadAttribute(key_, CKA_EC_PARAMS, output);
|
| -}
|
| -
|
| -ECPrivateKey::ECPrivateKey() : key_(NULL), public_key_(NULL) {}
|
| -
|
| -// static
|
| -ECPrivateKey* ECPrivateKey::CreateWithParams(PK11SlotInfo* slot,
|
| - bool permanent,
|
| - bool sensitive) {
|
| - if (!slot)
|
| - return NULL;
|
| -
|
| - scoped_ptr<ECPrivateKey> result(new ECPrivateKey);
|
| -
|
| - SECOidData* oid_data = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP256R1);
|
| - if (!oid_data) {
|
| - DLOG(ERROR) << "SECOID_FindOIDByTag: " << PORT_GetError();
|
| - return NULL;
|
| - }
|
| -
|
| - // SECKEYECParams is a SECItem containing the DER encoded ASN.1 ECParameters
|
| - // value. For a named curve, that is just the OBJECT IDENTIFIER of the curve.
|
| - // In addition to the oid data, the encoding requires one byte for the ASN.1
|
| - // tag and one byte for the length (assuming the length is <= 127).
|
| - DCHECK_LE(oid_data->oid.len, 127U);
|
| - std::vector<unsigned char> parameters_buf(2 + oid_data->oid.len);
|
| - SECKEYECParams ec_parameters = {
|
| - siDEROID, ¶meters_buf[0],
|
| - static_cast<unsigned>(parameters_buf.size())
|
| - };
|
| -
|
| - ec_parameters.data[0] = SEC_ASN1_OBJECT_ID;
|
| - ec_parameters.data[1] = static_cast<unsigned char>(oid_data->oid.len);
|
| - memcpy(ec_parameters.data + 2, oid_data->oid.data, oid_data->oid.len);
|
| -
|
| - result->key_ = PK11_GenerateKeyPair(slot,
|
| - CKM_EC_KEY_PAIR_GEN,
|
| - &ec_parameters,
|
| - &result->public_key_,
|
| - permanent,
|
| - sensitive,
|
| - NULL);
|
| - if (!result->key_) {
|
| - DLOG(ERROR) << "PK11_GenerateKeyPair: " << PORT_GetError();
|
| - return NULL;
|
| - }
|
| - CHECK_EQ(ecKey, SECKEY_GetPublicKeyType(result->public_key_));
|
| -
|
| - return result.release();
|
| -}
|
| -
|
| -// static
|
| -ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfoWithParams(
|
| - PK11SlotInfo* slot,
|
| - const std::string& password,
|
| - const std::vector<uint8>& encrypted_private_key_info,
|
| - const std::vector<uint8>& subject_public_key_info,
|
| - bool permanent,
|
| - bool sensitive) {
|
| - scoped_ptr<ECPrivateKey> result(new ECPrivateKey);
|
| -
|
| - SECItem encoded_spki = {
|
| - siBuffer,
|
| - const_cast<unsigned char*>(&subject_public_key_info[0]),
|
| - static_cast<unsigned>(subject_public_key_info.size())
|
| - };
|
| - CERTSubjectPublicKeyInfo* decoded_spki = SECKEY_DecodeDERSubjectPublicKeyInfo(
|
| - &encoded_spki);
|
| - if (!decoded_spki) {
|
| - DLOG(ERROR) << "SECKEY_DecodeDERSubjectPublicKeyInfo: " << PORT_GetError();
|
| - return NULL;
|
| - }
|
| -
|
| - bool success = ImportFromEncryptedPrivateKeyInfo(
|
| - slot,
|
| - password,
|
| - &encrypted_private_key_info[0],
|
| - encrypted_private_key_info.size(),
|
| - decoded_spki,
|
| - permanent,
|
| - sensitive,
|
| - &result->key_,
|
| - &result->public_key_);
|
| -
|
| - SECKEY_DestroySubjectPublicKeyInfo(decoded_spki);
|
| -
|
| - if (success) {
|
| - CHECK_EQ(ecKey, SECKEY_GetPublicKeyType(result->public_key_));
|
| - return result.release();
|
| - }
|
| -
|
| - return NULL;
|
| -}
|
| -
|
| -} // namespace crypto
|
|
|
Chromium Code Reviews
Issue 956613002:
Reland "Cut down /crypto and switch what is left of it to boringssl". (Closed)
Base URL: git@github.com:domokit/mojo.git@master