crypto/ec_private_key_openssl.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "crypto/ec_private_key.h"
   6
   7 #include <openssl/ec.h>
   8 #include <openssl/evp.h>
   9 #include <openssl/pkcs12.h>
  10 #include <openssl/x509.h>
  11
  12 #include "base/logging.h"
  13 #include "base/memory/scoped_ptr.h"
  14 #include "crypto/openssl_util.h"
  15
  16 namespace crypto {
  17
  18 namespace {
  19
  20 // Function pointer definition, for injecting the required key export function
  21 // into ExportKeyWithBio, below. |bio| is a temporary memory BIO object, and
  22 // |key| is a handle to the input key object. Return 1 on success, 0 otherwise.
  23 // NOTE: Used with OpenSSL functions, which do not comply with the Chromium
  24 //       style guide, hence the unusual parameter placement / types.
  25 typedef int (*ExportBioFunction)(BIO* bio, const void* key);
  26
  27 // Helper to export |key| into |output| via the specified ExportBioFunction.
  28 bool ExportKeyWithBio(const void* key,
  29                       ExportBioFunction export_fn,
  30                       std::vector<uint8>* output) {
  31   if (!key)
  32     return false;
  33
  34   ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new(BIO_s_mem()));
  35   if (!bio.get())
  36     return false;
  37
  38   if (!export_fn(bio.get(), key))
  39     return false;
  40
  41   char* data = NULL;
  42   long len = BIO_get_mem_data(bio.get(), &data);
  43   if (!data || len < 0)
  44     return false;
  45
  46   output->assign(data, data + len);
  47   return true;
  48 }
  49
  50 // Function pointer definition, for injecting the required key export function
  51 // into ExportKey below. |key| is a pointer to the input key object,
  52 // and |data| is either NULL, or the address of an 'unsigned char*' pointer
  53 // that points to the start of the output buffer. The function must return
  54 // the number of bytes required to export the data, or -1 in case of error.
  55 typedef int (*ExportDataFunction)(const void* key, unsigned char** data);
  56
  57 // Helper to export |key| into |output| via the specified export function.
  58 bool ExportKey(const void* key,
  59                ExportDataFunction export_fn,
  60                std::vector<uint8>* output) {
  61   if (!key)
  62     return false;
  63
  64   int data_len = export_fn(key, NULL);
  65   if (data_len < 0)
  66     return false;
  67
  68   output->resize(static_cast<size_t>(data_len));
  69   unsigned char* data = &(*output)[0];
  70   if (export_fn(key, &data) < 0)
  71     return false;
  72
  73   return true;
  74 }
  75
  76 }  // namespace
  77
  78 ECPrivateKey::~ECPrivateKey() {
  79   if (key_)
  80     EVP_PKEY_free(key_);
  81 }
  82
  83 // static
  84 bool ECPrivateKey::IsSupported() { return true; }
  85
  86 // static
  87 ECPrivateKey* ECPrivateKey::Create() {
  88   OpenSSLErrStackTracer err_tracer(FROM_HERE);
  89
  90   ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(
  91       EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
  92   if (!ec_key.get() || !EC_KEY_generate_key(ec_key.get()))
  93     return NULL;
  94
  95   scoped_ptr<ECPrivateKey> result(new ECPrivateKey());
  96   result->key_ = EVP_PKEY_new();
  97   if (!result->key_ || !EVP_PKEY_set1_EC_KEY(result->key_, ec_key.get()))
  98     return NULL;
  99
 100   return result.release();
 101 }
 102
 103 // static
 104 ECPrivateKey* ECPrivateKey::CreateSensitive() {
 105   NOTIMPLEMENTED();
 106   return NULL;
 107 }
 108
 109 // static
 110 ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
 111     const std::string& password,
 112     const std::vector<uint8>& encrypted_private_key_info,
 113     const std::vector<uint8>& subject_public_key_info) {
 114   // NOTE: The |subject_public_key_info| can be ignored here, it is only
 115   // useful for the NSS implementation (which uses the public key's SHA1
 116   // as a lookup key when storing the private one in its store).
 117   if (encrypted_private_key_info.empty())
 118     return NULL;
 119
 120   OpenSSLErrStackTracer err_tracer(FROM_HERE);
 121   // Write the encrypted private key into a memory BIO.
 122   char* private_key_data = reinterpret_cast<char*>(
 123       const_cast<uint8*>(&encrypted_private_key_info[0]));
 124   int private_key_data_len =
 125       static_cast<int>(encrypted_private_key_info.size());
 126   ScopedOpenSSL<BIO, BIO_free_all> bio(
 127       BIO_new_mem_buf(private_key_data, private_key_data_len));
 128   if (!bio.get())
 129     return NULL;
 130
 131   // Convert it, then decrypt it into a PKCS#8 object.
 132   ScopedOpenSSL<X509_SIG, X509_SIG_free> p8_encrypted(
 133       d2i_PKCS8_bio(bio.get(), NULL));
 134   if (!p8_encrypted.get())
 135     return NULL;
 136
 137   ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> p8_decrypted(
 138       PKCS8_decrypt(p8_encrypted.get(),
 139                     password.c_str(),
 140                     static_cast<int>(password.size())));
 141   if (!p8_decrypted.get())
 142     return NULL;
 143
 144   // Create a new EVP_PKEY for it.
 145   scoped_ptr<ECPrivateKey> result(new ECPrivateKey);
 146   result->key_ = EVP_PKCS82PKEY(p8_decrypted.get());
 147   if (!result->key_)
 148     return NULL;
 149
 150   return result.release();
 151 }
 152
 153 // static
 154 ECPrivateKey* ECPrivateKey::CreateSensitiveFromEncryptedPrivateKeyInfo(
 155     const std::string& password,
 156     const std::vector<uint8>& encrypted_private_key_info,
 157     const std::vector<uint8>& subject_public_key_info) {
 158   NOTIMPLEMENTED();
 159   return NULL;
 160 }
 161
 162 bool ECPrivateKey::ExportEncryptedPrivateKey(
 163     const std::string& password,
 164     int iterations,
 165     std::vector<uint8>* output) {
 166   OpenSSLErrStackTracer err_tracer(FROM_HERE);
 167   // Convert into a PKCS#8 object.
 168   ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> pkcs8(
 169       EVP_PKEY2PKCS8(key_));
 170   if (!pkcs8.get())
 171     return false;
 172
 173   // Encrypt the object.
 174   // NOTE: NSS uses SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
 175   // so use NID_pbe_WithSHA1And3_Key_TripleDES_CBC which should be the OpenSSL
 176   // equivalent.
 177   ScopedOpenSSL<X509_SIG, X509_SIG_free> encrypted(
 178       PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
 179                     NULL,
 180                     password.c_str(),
 181                     static_cast<int>(password.size()),
 182                     NULL,
 183                     0,
 184                     iterations,
 185                     pkcs8.get()));
 186   if (!encrypted.get())
 187     return false;
 188
 189   // Write it into |*output|
 190   return ExportKeyWithBio(encrypted.get(),
 191                           reinterpret_cast<ExportBioFunction>(i2d_PKCS8_bio),
 192                           output);
 193 }
 194
 195 bool ECPrivateKey::ExportPublicKey(std::vector<uint8>* output) {
 196   OpenSSLErrStackTracer err_tracer(FROM_HERE);
 197   return ExportKeyWithBio(
 198       key_, reinterpret_cast<ExportBioFunction>(i2d_PUBKEY_bio), output);
 199 }
 200
 201 bool ECPrivateKey::ExportValue(std::vector<uint8>* output) {
 202   OpenSSLErrStackTracer err_tracer(FROM_HERE);
 203   ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_));
 204   return ExportKey(ec_key.get(),
 205                    reinterpret_cast<ExportDataFunction>(i2d_ECPrivateKey),
 206                    output);
 207 }
 208
 209 bool ECPrivateKey::ExportECParams(std::vector<uint8>* output) {
 210   OpenSSLErrStackTracer err_tracer(FROM_HERE);
 211   ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_));
 212   return ExportKey(ec_key.get(),
 213                    reinterpret_cast<ExportDataFunction>(i2d_ECParameters),
 214                    output);
 215 }
 216
 217 ECPrivateKey::ECPrivateKey() : key_(NULL) {}
 218
 219 }  // namespace crypto