authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-01-19 01:27:22 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-01-19 01:27:22 +0000
commit302b6275fcab63960e52fdb2d9e48b957a8ae7d6 (patch)
tree214907d4f09740f1e1c1d104fb35163fda8f158e /base/crypto/rsa_private_key_nss.cc
parente8ea65a9388cb27f21f90392a1fd46c7b6ae5cdb (diff)
The SSL server's RSA private key must be imported with the
KU_KEY_ENCIPHERMENT key usage to support the RSA key exchange algorithm. Remove the incorrect workarounds for this bug. In the SSLServerSocketTest.DataTransfer unit test, do not proceed to data transfer if the SSL connection cannot be established. Not required for fixing this bug: create an RSA private key with all applicable key usage bits to be future-proof. R=hclam BUG=67928 TEST=net_unittests --gtest_filter=SSLServerSocketTest.* Review URL: http://codereview.chromium.org/6297008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@71739 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base/crypto/rsa_private_key_nss.cc')
-rw-r--r--base/crypto/rsa_private_key_nss.cc10
1 files changed, 7 insertions, 3 deletions
diff --git a/base/crypto/rsa_private_key_nss.cc b/base/crypto/rsa_private_key_nss.cc
index 3084636..202aa1d 100644
--- a/base/crypto/rsa_private_key_nss.cc
+++ b/base/crypto/rsa_private_key_nss.cc
@@ -223,9 +223,13 @@ RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfoWithParams(
SECItem der_private_key_info;
der_private_key_info.data = const_cast<unsigned char*>(&input.front());
der_private_key_info.len = input.size();
- SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(slot,
- &der_private_key_info, NULL, NULL, permanent, sensitive,
- KU_DIGITAL_SIGNATURE, &result->key_, NULL);
+ // Allow the private key to be used for key unwrapping, data decryption,
+ // and signature generation.
+ const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT |
+ KU_DIGITAL_SIGNATURE;
+ SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
+ slot, &der_private_key_info, NULL, NULL, permanent, sensitive,
+ key_usage, &result->key_, NULL);
PK11_FreeSlot(slot);
if (rv != SECSuccess) {
NOTREACHED();
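Review bot: The new `key_usage` mask is applied to every key imported through CreateFromPrivateKeyInfoWithParams, so keys that callers only ever sign with also become usable for decryption and key unwrapping, which is broader than the SSL server case described in the commit message requires. If narrowing the mask per caller is not practical, the comment above `key_usage` should at least record why each bit is present, for example `// KU_KEY_ENCIPHERMENT is required for the SSL server RSA key exchange; the other bits are set so one import path serves all callers.` Using one RSA key for both signing and decryption is generally discouraged, so a caller-supplied usage mask would be the safer design; which callers exist is not visible from this hunk. The function body starts before and continues after the hunk.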