diff options
author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-01 02:59:31 +0000 |
---|---|---|
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-01 02:59:31 +0000 |
commit | c7ff2910aad25eab6d0ec61b14547294cd764958 (patch) | |
tree | 466c046ebd032b40141959e598852183c66ac711 /crypto/third_party/nss/secsign.cc | |
parent | 85c63cb2264f2e4ba3842487fd0835b8cd2f3b3a (diff) | |
download | chromium_src-c7ff2910aad25eab6d0ec61b14547294cd764958.zip chromium_src-c7ff2910aad25eab6d0ec61b14547294cd764958.tar.gz chromium_src-c7ff2910aad25eab6d0ec61b14547294cd764958.tar.bz2 |
Reland: Allow signing EC certs and creating EC origin-bound certs.
BUG=88782
TEST=X509UtilNSSTest
Review URL: http://codereview.chromium.org/8537025
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112385 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'crypto/third_party/nss/secsign.cc')
-rw-r--r-- | crypto/third_party/nss/secsign.cc | 130 |
1 files changed, 130 insertions, 0 deletions
diff --git a/crypto/third_party/nss/secsign.cc b/crypto/third_party/nss/secsign.cc new file mode 100644 index 0000000..9272d4a --- /dev/null +++ b/crypto/third_party/nss/secsign.cc @@ -0,0 +1,130 @@ +/* + * Signature stuff. + * + * ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include "crypto/third_party/nss/chromium-nss.h" + +#include <vector> + +#include <cryptohi.h> +#include <pk11pub.h> +#include <secerr.h> +#include <sechash.h> + +#include "base/basictypes.h" +#include "base/logging.h" +#include "build/build_config.h" + +SECStatus DerSignData(PLArenaPool *arena, + SECItem *result, + SECItem *input, + SECKEYPrivateKey *key, + SECOidTag algo_id) { + if (key->keyType != ecKey) { + return SEC_DerSignData(arena, result, input->data, input->len, key, + algo_id); + } + + // NSS has a private function sec_DecodeSigAlg it uses to figure out the + // correct hash from the algorithm id. + HASH_HashType hash_type; + switch (algo_id) { + case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: + hash_type = HASH_AlgSHA1; + break; +#ifdef SHA224_LENGTH + case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: + hash_type = HASH_AlgSHA224; + break; +#endif + case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: + hash_type = HASH_AlgSHA256; + break; + case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: + hash_type = HASH_AlgSHA384; + break; + case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: + hash_type = HASH_AlgSHA512; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } + + // Hash the input. + std::vector<uint8> hash_data(HASH_ResultLen(hash_type)); + SECStatus rv = HASH_HashBuf( + hash_type, &hash_data[0], input->data, input->len); + if (rv != SECSuccess) + return rv; + SECItem hash = {siBuffer, &hash_data[0], hash_data.size()}; + + // Compute signature of hash. + int signature_len = PK11_SignatureLen(key); + std::vector<uint8> signature_data(signature_len); + SECItem sig = {siBuffer, &signature_data[0], signature_len}; + rv = PK11_Sign(key, &sig, &hash); + if (rv != SECSuccess) + return rv; + + CERTSignedData sd; + PORT_Memset(&sd, 0, sizeof(sd)); + // Fill in tbsCertificate. + sd.data.data = (unsigned char*) input->data; + sd.data.len = input->len; + + // Fill in signatureAlgorithm. + rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algo_id, 0); + if (rv != SECSuccess) + return rv; + + // Fill in signatureValue. + rv = DSAU_EncodeDerSigWithLen(&sd.signature, &sig, sig.len); + if (rv != SECSuccess) + return rv; + sd.signature.len <<= 3; // Convert to bit string. + + // DER encode the signed data object. + void* encode_result = SEC_ASN1EncodeItem( + arena, result, &sd, SEC_ASN1_GET(CERT_SignedDataTemplate)); + + PORT_Free(sd.signature.data); + + return encode_result ? SECSuccess : SECFailure; +} |