author | digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-11 20:13:45 +0000 |
---|---|---|
committer | digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-11 20:13:45 +0000 |
commit | 03a07b2ea1a0cb314a7ef409d142cd0f668b2254 (patch) | |
tree | 87af038f051e44830d200d5ca7464b67ad3ea3b1 /net/android/keystore_openssl.h | |
parent | a298f6e45114bdee170ed807033ba9fb5e00f35a (diff) | |
download | chromium_src-03a07b2ea1a0cb314a7ef409d142cd0f668b2254.zip chromium_src-03a07b2ea1a0cb314a7ef409d142cd0f668b2254.tar.gz chromium_src-03a07b2ea1a0cb314a7ef409d142cd0f668b2254.tar.bz2 |
This patch adds some Android-support code to allow the network stack to use platform-specific private key objects to perform signing in the context of SSL handshakes which require a client certificate.

More specifically:

- Add net/android/keystore.h, which provides native functions to operate on JNI references pointing to java.security.PrivateKey objects provided by the platform. I.e.:

      net::android::GetPrivateKeyType()
      net::android::SignWithPrivateKey()

  Also provide a function that can get the system's own EVP_PKEY* handle corresponding to a given PrivateKey object. This uses reflection and should *only* be used for RSA private keys when running on Android 4.0 and 4.1, in order to route around a platform bug that was only fixed in 4.2.

      net::android::GetOpenSSLSystemHandleForPrivateKey()

  See the comments in this source file for more details: net/android/java/org/chromium/net/AndroidKeyStore.java

- Add net/android/keystore_openssl.h, which provides a function that can wrap an existing PrivateKey JNI reference around an OpenSSL EVP_PKEY object which uses custom DSA/RSA/ECDSA methods to perform signing as expected to handle client certificates.

      net::android::GetOpenSSLPrivateKeyWrapper()

- Add relevant unit tests for the new functions. Note that the unit test comes with its own Java helper function, which is used to create a platform PrivateKey object from encoded PKCS#8 private key data. This is called from the native unit test, but does not constitute a new Java test (AndroidKeyStoreTestUtil.java).

- Add corresponding new test key files under net/data/ssl/certificates/, and their generation script in net/data/ssl/scripts/.

- Add net/android/private_key_type_list.h which is used both from C++ and Java to define the list of supported private key types used by this code.

- Minor improvements: Add a "release()" method to crypto::ScopedOpenSSL, add missing BASE_EXPORT to one base/android/jni_array.h function declaration.
BUG=166642
Review URL: https://chromiumcodereview.appspot.com/11571059
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@181741 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/android/keystore_openssl.h')
-rw-r--r-- | net/android/keystore_openssl.h | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/net/android/keystore_openssl.h b/net/android/keystore_openssl.h new file mode 100644 index 0000000..ceb900c --- /dev/null +++ b/net/android/keystore_openssl.h @@ -0,0 +1,48 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_ANDROID_KEYSTORE_OPENSSL_H +#define NET_ANDROID_KEYSTORE_OPENSSL_H + +#include <jni.h> +#include <openssl/evp.h> + +#include "net/base/net_export.h" + +// OpenSSL-specific functions to use the Android platform keystore. +// The features provided here are highly specific to OpenSSL and are +// segregated from net/android/keystore.h because the latter only provides +// simply JNI stubs to call Java code which only uses platform APIs. + +namespace net { +namespace android { + +// Create a custom OpenSSL EVP_PKEY instance that wraps a platform +// java.security.PrivateKey object, and will call the platform APIs +// through JNI to implement signing (and only signing). +// +// This method can be called from any thread. It shall only be used +// to implement client certificate handling though. +// +// |private_key| is a JNI local (or global) reference to the Java +// PrivateKey object. +// +// Returns a new EVP_PKEY* object with the following features: +// +// - Only contains a private key. +// +// - Owns its own _global_ JNI reference to the object. This means the +// caller can free |private_key| safely after the call, and that the +// the returned EVP_PKEY instance can be used from any thread. +// +// - Uses a custom method to implement the minimum functions required to +// *sign* the digest that is part of the "Verify Certificate" message +// during the OpenSSL handshake. Anything else will result in undefined +// behaviour. +NET_EXPORT EVP_PKEY* GetOpenSSLPrivateKeyWrapper(jobject private_key); + +} // namespace android +} // namespace net + +#endif // NET_ANDROID_KEYSTORE_OPENSSL_H |
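Review bot: the contract documented for GetOpenSSLPrivateKeyWrapper() in this header leaves out its failure and ownership semantics. The comment says it "Returns a new EVP_PKEY* object" but never states whether the call can return NULL (for example when the Java object is not one of the supported private key types, or when the JNI calls fail), nor that the caller owns the returned EVP_PKEY and must release it with EVP_PKEY_free(); since the wrapper "Owns its own _global_ JNI reference", the comment should also say that this global reference is released together with the EVP_PKEY, so callers do not try to delete it themselves. Suggest adding two lines such as "// Returns NULL on failure." and "// The caller owns the result and must release it with EVP_PKEY_free()." to the block above the declaration. Smaller points in the same hunk: "simply JNI stubs" should read "simple JNI stubs", "the the returned EVP_PKEY instance" has a doubled word, the TLS handshake message referred to as "Verify Certificate" is named CertificateVerify in the protocol, and the include guard NET_ANDROID_KEYSTORE_OPENSSL_H should carry the trailing underscore (NET_ANDROID_KEYSTORE_OPENSSL_H_) that Chromium's style guide requires for header guards.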