openssl: Implement crypto::ECPrivateKey.

BUG=306176 R=rsleevi@chromium.org, wtc@chromium.org, agl@chromium.org Review URL: https://codereview.chromium.org/27195002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@229153 0039d316-1c4b-4281-b951-d872f2087c98
author: digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-10-17 16:09:24 +0000
committer: digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-10-17 16:09:24 +0000
commit: d4db0b6eec1f586314203b0df87a517d9bf22857 (patch)
tree: 987b3df43c87a80d933876672de02f5ec3ead1c2 /crypto
parent: 7f40bac4aaf02afb14e05f9af26e62ee91f0a556 (diff)
download: chromium_src-d4db0b6eec1f586314203b0df87a517d9bf22857.zip
chromium_src-d4db0b6eec1f586314203b0df87a517d9bf22857.tar.gz
chromium_src-d4db0b6eec1f586314203b0df87a517d9bf22857.tar.bz2
2 files changed, 166 insertions, 26 deletions
diff --git a/crypto/ec_private_key_openssl.cc b/crypto/ec_private_key_openssl.cc
index 20214e6..c8d9c25 100644
--- a/crypto/ec_private_key_openssl.cc
+++ b/crypto/ec_private_key_openssl.cc
@@ -4,21 +4,100 @@
 
 #include "crypto/ec_private_key.h"
 
+#include <openssl/ec.h>
+#include <openssl/evp.h>
+#include <openssl/pkcs12.h>
+#include <openssl/x509.h>
+
 #include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "crypto/openssl_util.h"
 
 namespace crypto {
 
-ECPrivateKey::~ECPrivateKey() {}
+namespace {
 
-// static
-bool ECPrivateKey::IsSupported() {
-  return false;
+// Function pointer definition, for injecting the required key export function
+// into ExportKeyWithBio, below. |bio| is a temporary memory BIO object, and
+// |key| is a handle to the input key object. Return 1 on success, 0 otherwise.
+// NOTE: Used with OpenSSL functions, which do not comply with the Chromium
+//       style guide, hence the unusual parameter placement / types.
+typedef int (*ExportBioFunction)(BIO* bio, const void* key);
+
+// Helper to export |key| into |output| via the specified ExportBioFunction.
+bool ExportKeyWithBio(const void* key,
+                      ExportBioFunction export_fn,
+                      std::vector<uint8>* output) {
+  if (!key)
+    return false;
+
+  ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new(BIO_s_mem()));
+  if (!bio.get())
+    return false;
+
+  if (!export_fn(bio.get(), key))
+    return false;
+
+  char* data = NULL;
+  long len = BIO_get_mem_data(bio.get(), &data);
+  if (!data || len < 0)
+    return false;
+
+  output->assign(data, data + len);
+  return true;
 }
 
+// Function pointer definition, for injecting the required key export function
+// into ExportKey below. |key| is a pointer to the input key object,
+// and |data| is either NULL, or the address of an 'unsigned char*' pointer
+// that points to the start of the output buffer. The function must return
+// the number of bytes required to export the data, or -1 in case of error.
+typedef int (*ExportDataFunction)(const void* key, unsigned char** data);
+
+// Helper to export |key| into |output| via the specified export function.
+bool ExportKey(const void* key,
+               ExportDataFunction export_fn,
+               std::vector<uint8>* output) {
+  if (!key)
+    return false;
+
+  int data_len = export_fn(key, NULL);
+  if (data_len < 0)
+    return false;
+
+  output->resize(static_cast<size_t>(data_len));
+  unsigned char* data = &(*output)[0];
+  if (export_fn(key, &data) < 0)
+    return false;
+
+  return true;
+}
+
+}  // namespace
+
+ECPrivateKey::~ECPrivateKey() {
+  if (key_)
+    EVP_PKEY_free(key_);
+}
+
+// static
+bool ECPrivateKey::IsSupported() { return true; }
+
 // static
 ECPrivateKey* ECPrivateKey::Create() {
-  NOTIMPLEMENTED();
-  return NULL;
+  OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(
+      EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+  if (!ec_key.get() || !EC_KEY_generate_key(ec_key.get()))
+    return NULL;
+
+  scoped_ptr<ECPrivateKey> result(new ECPrivateKey());
+  result->key_ = EVP_PKEY_new();
+  if (!result->key_ || !EVP_PKEY_set1_EC_KEY(result->key_, ec_key.get()))
+    return NULL;
+
+  return result.release();
 }
 
 // static
@@ -32,8 +111,43 @@ ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
     const std::string& password,
     const std::vector<uint8>& encrypted_private_key_info,
     const std::vector<uint8>& subject_public_key_info) {
-  NOTIMPLEMENTED();
-  return NULL;
+  // NOTE: The |subject_public_key_info| can be ignored here, it is only
+  // useful for the NSS implementation (which uses the public key's SHA1
+  // as a lookup key when storing the private one in its store).
+  if (encrypted_private_key_info.empty())
+    return NULL;
+
+  OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  // Write the encrypted private key into a memory BIO.
+  char* private_key_data = reinterpret_cast<char*>(
+      const_cast<uint8*>(&encrypted_private_key_info[0]));
+  int private_key_data_len =
+      static_cast<int>(encrypted_private_key_info.size());
+  ScopedOpenSSL<BIO, BIO_free_all> bio(
+      BIO_new_mem_buf(private_key_data, private_key_data_len));
+  if (!bio.get())
+    return NULL;
+
+  // Convert it, then decrypt it into a PKCS#8 object.
+  ScopedOpenSSL<X509_SIG, X509_SIG_free> p8_encrypted(
+      d2i_PKCS8_bio(bio.get(), NULL));
+  if (!p8_encrypted.get())
+    return NULL;
+
+  ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> p8_decrypted(
+      PKCS8_decrypt(p8_encrypted.get(),
+                    password.c_str(),
+                    static_cast<int>(password.size())));
+  if (!p8_decrypted.get())
+    return NULL;
+
+  // Create a new EVP_PKEY for it.
+  scoped_ptr<ECPrivateKey> result(new ECPrivateKey);
+  result->key_ = EVP_PKCS82PKEY(p8_decrypted.get());
+  if (!result->key_)
+    return NULL;
+
+  return result.release();
 }
 
 // static
@@ -49,23 +163,57 @@ bool ECPrivateKey::ExportEncryptedPrivateKey(
     const std::string& password,
     int iterations,
     std::vector<uint8>* output) {
-  NOTIMPLEMENTED();
-  return false;
+  OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  // Convert into a PKCS#8 object.
+  ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> pkcs8(
+      EVP_PKEY2PKCS8(key_));
+  if (!pkcs8.get())
+    return false;
+
+  // Encrypt the object.
+  // NOTE: NSS uses SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
+  // so use NID_pbe_WithSHA1And3_Key_TripleDES_CBC which should be the OpenSSL
+  // equivalent.
+  ScopedOpenSSL<X509_SIG, X509_SIG_free> encrypted(
+      PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+                    NULL,
+                    password.c_str(),
+                    static_cast<int>(password.size()),
+                    NULL,
+                    0,
+                    iterations,
+                    pkcs8.get()));
+  if (!encrypted.get())
+    return false;
+
+  // Write it into |*output|
+  return ExportKeyWithBio(encrypted.get(),
+                          reinterpret_cast<ExportBioFunction>(i2d_PKCS8_bio),
+                          output);
 }
 
 bool ECPrivateKey::ExportPublicKey(std::vector<uint8>* output) {
-  NOTIMPLEMENTED();
-  return false;
+  OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  return ExportKeyWithBio(
+      key_, reinterpret_cast<ExportBioFunction>(i2d_PUBKEY_bio), output);
 }
 
 bool ECPrivateKey::ExportValue(std::vector<uint8>* output) {
-  NOTIMPLEMENTED();
-  return false;
+  OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_));
+  return ExportKey(ec_key.get(),
+                   reinterpret_cast<ExportDataFunction>(i2d_ECPrivateKey),
+                   output);
 }
 
 bool ECPrivateKey::ExportECParams(std::vector<uint8>* output) {
-  NOTIMPLEMENTED();
-  return false;
+  OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(EVP_PKEY_get1_EC_KEY(key_));
+  return ExportKey(ec_key.get(),
+                   reinterpret_cast<ExportDataFunction>(i2d_ECParameters),
+                   output);
 }
 
+ECPrivateKey::ECPrivateKey() : key_(NULL) {}
+
 }  // namespace crypto
diff --git a/crypto/ec_private_key_unittest.cc b/crypto/ec_private_key_unittest.cc
index d2ec256..d1a4c86 100644
--- a/crypto/ec_private_key_unittest.cc
+++ b/crypto/ec_private_key_unittest.cc
@@ -9,16 +9,9 @@
 #include "base/memory/scoped_ptr.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-#if defined(USE_OPENSSL)
-// Once ECPrivateKey is implemented for OpenSSL, remove this #if block.
-// TODO(mattm): When that happens, also add some exported keys from each to test
+// TODO(mattm): Add some exported keys from each to test
 // interop between NSS and OpenSSL.
-TEST(ECPrivateKeyUnitTest, OpenSSLStub) {
-  scoped_ptr<crypto::ECPrivateKey> keypair1(
-      crypto::ECPrivateKey::Create());
-  ASSERT_FALSE(keypair1.get());
-}
-#else
+
 // Generate random private keys. Export, then re-import. We should get
 // back the same exact public key, and the private key should have the same
 // value and elliptic curve params.
@@ -104,4 +97,3 @@ TEST(ECPrivateKeyUnitTest, BadPasswordTest) {
           password2, privkey1, pubkey1));
   ASSERT_FALSE(keypair2.get());
 }
-#endif  // !defined(USE_OPENSSL)
author	digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-10-17 16:09:24 +0000
committer	digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-10-17 16:09:24 +0000
commit	d4db0b6eec1f586314203b0df87a517d9bf22857 (patch)
tree	987b3df43c87a80d933876672de02f5ec3ead1c2 /crypto
parent	7f40bac4aaf02afb14e05f9af26e62ee91f0a556 (diff)
download	chromium_src-d4db0b6eec1f586314203b0df87a517d9bf22857.zip chromium_src-d4db0b6eec1f586314203b0df87a517d9bf22857.tar.gz chromium_src-d4db0b6eec1f586314203b0df87a517d9bf22857.tar.bz2