search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[Chromoting] Fix bug with handling USB keycodes and remove extra logging.
[chromium-blink-merge.git] / crypto / ec_private_key_nss.cc
blob1fb13e7e9ca91d8673ac397b00bd24dffd3e91b2
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "crypto/ec_private_key.h"
6
7 extern "C" {
8 // Work around NSS missing SEC_BEGIN_PROTOS in secmodt.h. This must come before
9 // other NSS headers.
10 #include <secmodt.h>
11 }
12
13 #include <cryptohi.h>
14 #include <keyhi.h>
15 #include <pk11pub.h>
16 #include <secmod.h>
17
18 #include "base/logging.h"
19 #include "base/memory/scoped_ptr.h"
20 #include "crypto/nss_util.h"
21 #include "crypto/nss_util_internal.h"
22 #include "crypto/scoped_nss_types.h"
23 #include "crypto/third_party/nss/chromium-nss.h"
24
25 namespace {
26
27 // Copied from rsa_private_key_nss.cc.
28 static bool ReadAttribute(SECKEYPrivateKey* key,
29 CK_ATTRIBUTE_TYPE type,
30 std::vector<uint8>* output) {
31 SECItem item;
32 SECStatus rv;
33 rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item);
34 if (rv != SECSuccess) {
35 DLOG(ERROR) << "PK11_ReadRawAttribute: " << PORT_GetError();
36 return false;
37 }
38
39 output->assign(item.data, item.data + item.len);
40 SECITEM_FreeItem(&item, PR_FALSE);
41 return true;
42 }
43
44 } // namespace
45
46 namespace crypto {
47
48 ECPrivateKey::~ECPrivateKey() {
49 if (key_)
50 SECKEY_DestroyPrivateKey(key_);
51 if (public_key_)
52 SECKEY_DestroyPublicKey(public_key_);
53 }
54
55 // static
56 ECPrivateKey* ECPrivateKey::Create() {
57 return CreateWithParams(PR_FALSE /* not permanent */,
58 PR_FALSE /* not sensitive */);
59 }
60
61 // static
62 ECPrivateKey* ECPrivateKey::CreateSensitive() {
63 #if defined(USE_NSS)
64 return CreateWithParams(PR_TRUE /* permanent */,
65 PR_TRUE /* sensitive */);
66 #else
67 // If USE_NSS is not defined, we initialize NSS with no databases, so we can't
68 // create permanent keys.
69 NOTREACHED();
70 return NULL;
71 #endif
72 }
73
74 // static
75 ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
76 const std::string& password,
77 const std::vector<uint8>& encrypted_private_key_info,
78 const std::vector<uint8>& subject_public_key_info) {
79 return CreateFromEncryptedPrivateKeyInfoWithParams(
80 password,
81 encrypted_private_key_info,
82 subject_public_key_info,
83 PR_FALSE /* not permanent */,
84 PR_FALSE /* not sensitive */);
85 }
86
87 // static
88 ECPrivateKey* ECPrivateKey::CreateSensitiveFromEncryptedPrivateKeyInfo(
89 const std::string& password,
90 const std::vector<uint8>& encrypted_private_key_info,
91 const std::vector<uint8>& subject_public_key_info) {
92 #if defined(USE_NSS)
93 return CreateFromEncryptedPrivateKeyInfoWithParams(
94 password,
95 encrypted_private_key_info,
96 subject_public_key_info,
97 PR_TRUE /* permanent */,
98 PR_TRUE /* sensitive */);
99 #else
100 // If USE_NSS is not defined, we initialize NSS with no databases, so we can't
101 // create permanent keys.
102 NOTREACHED();
103 return NULL;
104 #endif
105 }
106
107 // static
108 bool ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
109 const std::string& password,
110 const uint8* encrypted_private_key_info,
111 size_t encrypted_private_key_info_len,
112 CERTSubjectPublicKeyInfo* decoded_spki,
113 bool permanent,
114 bool sensitive,
115 SECKEYPrivateKey** key,
116 SECKEYPublicKey** public_key) {
117 ScopedPK11Slot slot(GetPrivateNSSKeySlot());
118 if (!slot.get())
119 return false;
120
121 *public_key = SECKEY_ExtractPublicKey(decoded_spki);
122
123 if (!*public_key) {
124 DLOG(ERROR) << "SECKEY_ExtractPublicKey: " << PORT_GetError();
125 return false;
126 }
127
128 SECItem encoded_epki = {
129 siBuffer,
130 const_cast<unsigned char*>(encrypted_private_key_info),
131 encrypted_private_key_info_len
132 };
133 SECKEYEncryptedPrivateKeyInfo epki;
134 memset(&epki, 0, sizeof(epki));
135
136 ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
137
138 SECStatus rv = SEC_QuickDERDecodeItem(
139 arena.get(),
140 &epki,
141 SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate),
142 &encoded_epki);
143 if (rv != SECSuccess) {
144 DLOG(ERROR) << "SEC_QuickDERDecodeItem: " << PORT_GetError();
145 SECKEY_DestroyPublicKey(*public_key);
146 *public_key = NULL;
147 return false;
148 }
149
150 SECItem password_item = {
151 siBuffer,
152 reinterpret_cast<unsigned char*>(const_cast<char*>(password.data())),
153 password.size()
154 };
155
156 rv = ImportEncryptedECPrivateKeyInfoAndReturnKey(
157 slot.get(),
158 &epki,
159 &password_item,
160 NULL, // nickname
161 &(*public_key)->u.ec.publicValue,
162 permanent,
163 sensitive,
164 key,
165 NULL); // wincx
166 if (rv != SECSuccess) {
167 DLOG(ERROR) << "ImportEncryptedECPrivateKeyInfoAndReturnKey: "
168 << PORT_GetError();
169 SECKEY_DestroyPublicKey(*public_key);
170 *public_key = NULL;
171 return false;
172 }
173
174 return true;
175 }
176
177 bool ECPrivateKey::ExportEncryptedPrivateKey(
178 const std::string& password,
179 int iterations,
180 std::vector<uint8>* output) {
181 // We export as an EncryptedPrivateKeyInfo bundle instead of a plain PKCS #8
182 // PrivateKeyInfo because PK11_ImportDERPrivateKeyInfoAndReturnKey doesn't
183 // support EC keys.
184 // https://bugzilla.mozilla.org/show_bug.cgi?id=327773
185 SECItem password_item = {
186 siBuffer,
187 reinterpret_cast<unsigned char*>(const_cast<char*>(password.data())),
188 password.size()
189 };
190
191 SECKEYEncryptedPrivateKeyInfo* encrypted = PK11_ExportEncryptedPrivKeyInfo(
192 NULL, // Slot, optional.
193 SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
194 &password_item,
195 key_,
196 iterations,
197 NULL); // wincx.
198
199 if (!encrypted) {
200 DLOG(ERROR) << "PK11_ExportEncryptedPrivKeyInfo: " << PORT_GetError();
201 return false;
202 }
203
204 ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
205 SECItem der_key = {siBuffer, NULL, 0};
206 SECItem* encoded_item = SEC_ASN1EncodeItem(
207 arena.get(),
208 &der_key,
209 encrypted,
210 SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate));
211 SECKEY_DestroyEncryptedPrivateKeyInfo(encrypted, PR_TRUE);
212 if (!encoded_item) {
213 DLOG(ERROR) << "SEC_ASN1EncodeItem: " << PORT_GetError();
214 return false;
215 }
216
217 output->assign(der_key.data, der_key.data + der_key.len);
218
219 return true;
220 }
221
222 bool ECPrivateKey::ExportPublicKey(std::vector<uint8>* output) {
223 ScopedSECItem der_pubkey(
224 SECKEY_EncodeDERSubjectPublicKeyInfo(public_key_));
225 if (!der_pubkey.get()) {
226 return false;
227 }
228
229 output->assign(der_pubkey->data, der_pubkey->data + der_pubkey->len);
230 return true;
231 }
232
233 bool ECPrivateKey::ExportValue(std::vector<uint8>* output) {
234 return ReadAttribute(key_, CKA_VALUE, output);
235 }
236
237 bool ECPrivateKey::ExportECParams(std::vector<uint8>* output) {
238 return ReadAttribute(key_, CKA_EC_PARAMS, output);
239 }
240
241 ECPrivateKey::ECPrivateKey() : key_(NULL), public_key_(NULL) {}
242
243 // static
244 ECPrivateKey* ECPrivateKey::CreateWithParams(bool permanent,
245 bool sensitive) {
246 EnsureNSSInit();
247
248 scoped_ptr<ECPrivateKey> result(new ECPrivateKey);
249
250 ScopedPK11Slot slot(GetPrivateNSSKeySlot());
251 if (!slot.get())
252 return NULL;
253
254 SECOidData* oid_data = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP256R1);
255 if (!oid_data) {
256 DLOG(ERROR) << "SECOID_FindOIDByTag: " << PORT_GetError();
257 return NULL;
258 }
259
260 // SECKEYECParams is a SECItem containing the DER encoded ASN.1 ECParameters
261 // value. For a named curve, that is just the OBJECT IDENTIFIER of the curve.
262 // In addition to the oid data, the encoding requires one byte for the ASN.1
263 // tag and one byte for the length (assuming the length is <= 127).
264 DCHECK_LE(oid_data->oid.len, 127U);
265 std::vector<unsigned char> parameters_buf(2 + oid_data->oid.len);
266 SECKEYECParams ec_parameters = {
267 siDEROID, &parameters_buf[0], parameters_buf.size()
268 };
269
270 ec_parameters.data[0] = SEC_ASN1_OBJECT_ID;
271 ec_parameters.data[1] = oid_data->oid.len;
272 memcpy(ec_parameters.data + 2, oid_data->oid.data, oid_data->oid.len);
273
274 result->key_ = PK11_GenerateKeyPair(slot.get(),
275 CKM_EC_KEY_PAIR_GEN,
276 &ec_parameters,
277 &result->public_key_,
278 permanent,
279 sensitive,
280 NULL);
281 if (!result->key_) {
282 DLOG(ERROR) << "PK11_GenerateKeyPair: " << PORT_GetError();
283 return NULL;
284 }
285
286 return result.release();
287 }
288
289 // static
290 ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfoWithParams(
291 const std::string& password,
292 const std::vector<uint8>& encrypted_private_key_info,
293 const std::vector<uint8>& subject_public_key_info,
294 bool permanent,
295 bool sensitive) {
296 EnsureNSSInit();
297
298 scoped_ptr<ECPrivateKey> result(new ECPrivateKey);
299
300 SECItem encoded_spki = {
301 siBuffer,
302 const_cast<unsigned char*>(&subject_public_key_info[0]),
303 subject_public_key_info.size()
304 };
305 CERTSubjectPublicKeyInfo* decoded_spki = SECKEY_DecodeDERSubjectPublicKeyInfo(
306 &encoded_spki);
307 if (!decoded_spki) {
308 DLOG(ERROR) << "SECKEY_DecodeDERSubjectPublicKeyInfo: " << PORT_GetError();
309 return NULL;
310 }
311
312 bool success = ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
313 password,
314 &encrypted_private_key_info[0],
315 encrypted_private_key_info.size(),
316 decoded_spki,
317 permanent,
318 sensitive,
319 &result->key_,
320 &result->public_key_);
321
322 SECKEY_DestroySubjectPublicKeyInfo(decoded_spki);
323
324 if (success)
325 return result.release();
326
327 return NULL;
328 }
329
330 } // namespace crypto