Reland "Don't use RSAPrivateKey in NSS integration code."

This is a reland of https://codereview.chromium.org/1106103003/ with fixes to
ensure callers never pass in a null slot.

Currently some NSS platform integration logic transits private keys through
RSAPrivateKey on CrOS. This prevents incrementally switching RSAPrivateKey to
BoringSSL while keeping platform integrations on NSS.

The intent of this change is to clarify RSAPrivateKey as a BoringSSL vs NSS
internal crypto library (use_openssl=0 vs use_openssl=1) abstraction. It's
primarily to be used with SignatureCreator. Code which uses NSS based on
use_nss_certs rather than use_openssl because the underlying platform is NSS
should call NSS routines directly, or introduce different abstractions.

Remove the problematic RSAPrivateKey methods and instead add
crypto/nss_key_util.h which contains some helper functions for manipulating NSS
keys. This is sufficient to allow consumers of the removed methods to use NSS
directly with about as much code. (This should not set back migrating that
logic to NSS as that code was already very NSS-specific; those APIs assumed
PK11SlotInfo.)

nss_key_util.h, like nss_util.h, is built whenever NSS is used either
internally or for platform integrations. This is so rsa_private_key_nss.cc can
continue to use the helper functions to implement the NSS-agnostic interface.

With this, the chimera CrOS configuration should build. The RSAPrivateKey logic
is functional with the exception of some logic in components/ownership. That
will be resolved in a future CL.

BUG=478777,483606

Review URL: https://codereview.chromium.org/1128153003

Cr-Commit-Position: refs/heads/master@{#329227}

1 files changed, 87 insertions, 0 deletions

diff --git a/crypto/nss_key_util_unittest.cc b/crypto/nss_key_util_unittest.cc
new file mode 100644
index 0000000..f8de8e2
--- /dev/null
+++ b/crypto/nss_key_util_unittest.cc
@@ -0,0 +1,87 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "crypto/nss_key_util.h"
+
+#include <keyhi.h>
+#include <pk11pub.h>
+
+#include <vector>
+
+#include "crypto/nss_util.h"
+#include "crypto/scoped_nss_types.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace crypto {
+
+class NSSKeyUtilTest : public testing::Test {
+ public:
+  void SetUp() override {
+    EnsureNSSInit();
+
+    internal_slot_.reset(PK11_GetInternalSlot());
+    ASSERT_TRUE(internal_slot_);
+  }
+
+  PK11SlotInfo* internal_slot() { return internal_slot_.get(); }
+
+ private:
+  ScopedPK11Slot internal_slot_;
+};
+
+TEST_F(NSSKeyUtilTest, GenerateRSAKeyPairNSS) {
+  const int kKeySizeBits = 1024;
+
+  ScopedSECKEYPublicKey public_key;
+  ScopedSECKEYPrivateKey private_key;
+  ASSERT_TRUE(GenerateRSAKeyPairNSS(internal_slot(), kKeySizeBits,
+                                    false /* not permanent */, &public_key,
+                                    &private_key));
+
+  EXPECT_EQ(rsaKey, SECKEY_GetPublicKeyType(public_key.get()));
+  EXPECT_EQ(rsaKey, SECKEY_GetPrivateKeyType(private_key.get()));
+  EXPECT_EQ((kKeySizeBits + 7) / 8,
+            PK11_GetPrivateModulusLen(private_key.get()));
+}
+
+#if defined(USE_NSS_CERTS)
+TEST_F(NSSKeyUtilTest, FindNSSKeyFromPublicKeyInfo) {
+  // Create an NSS keypair, which will put the keys in the user's NSSDB.
+  ScopedSECKEYPublicKey public_key;
+  ScopedSECKEYPrivateKey private_key;
+  ASSERT_TRUE(GenerateRSAKeyPairNSS(internal_slot(), 256,
+                                    false /* not permanent */, &public_key,
+                                    &private_key));
+
+  ScopedSECItem item(SECKEY_EncodeDERSubjectPublicKeyInfo(public_key.get()));
+  ASSERT_TRUE(item);
+  std::vector<uint8_t> public_key_der(item->data, item->data + item->len);
+
+  ScopedSECKEYPrivateKey private_key2 =
+      FindNSSKeyFromPublicKeyInfo(public_key_der);
+  ASSERT_TRUE(private_key2);
+  EXPECT_EQ(private_key->pkcs11ID, private_key2->pkcs11ID);
+}
+
+TEST_F(NSSKeyUtilTest, FailedFindNSSKeyFromPublicKeyInfo) {
+  // Create an NSS keypair, which will put the keys in the user's NSSDB.
+  ScopedSECKEYPublicKey public_key;
+  ScopedSECKEYPrivateKey private_key;
+  ASSERT_TRUE(GenerateRSAKeyPairNSS(internal_slot(), 256,
+                                    false /* not permanent */, &public_key,
+                                    &private_key));
+
+  ScopedSECItem item(SECKEY_EncodeDERSubjectPublicKeyInfo(public_key.get()));
+  ASSERT_TRUE(item);
+  std::vector<uint8_t> public_key_der(item->data, item->data + item->len);
+
+  // Remove the keys from the DB, and make sure we can't find them again.
+  PK11_DestroyTokenObject(private_key->pkcs11Slot, private_key->pkcs11ID);
+  PK11_DestroyTokenObject(public_key->pkcs11Slot, public_key->pkcs11ID);
+
+  EXPECT_FALSE(FindNSSKeyFromPublicKeyInfo(public_key_der));
+}
+#endif  // defined(USE_NSS_CERTS)
+
+}  // namespace crypto