-rw-r--r-- | net/base/cert_database_win.cc | 72 | ||||
-rw-r--r-- | net/base/keygen_handler.cc | 36 | ||||
-rw-r--r-- | net/base/keygen_handler.h | 52 | ||||
-rw-r--r-- | net/base/keygen_handler_mac.cc | 6 | ||||
-rw-r--r-- | net/base/keygen_handler_nss.cc | 5 | ||||
-rw-r--r-- | net/base/keygen_handler_unittest.cc | 42 | ||||
-rw-r--r-- | net/base/keygen_handler_win.cc | 95 | ||||
-rw-r--r-- | net/net.gyp | 1 | ||||
-rw-r--r-- | net/third_party/mozilla_security_manager/nsKeygenHandler.cpp | 13 |
9 files changed, 3 insertions, 319 deletions
diff --git a/net/base/cert_database_win.cc b/net/base/cert_database_win.cc
index 34485b5..4c5e8df 100644
--- a/net/base/cert_database_win.cc
+++ b/net/base/cert_database_win.cc
@@ -8,74 +8,11 @@
 #include <wincrypt.h>
 #pragma comment(lib, "crypt32.lib")
 
-#include "base/logging.h"
-#include "base/string_util.h"
-#include "net/base/keygen_handler.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
 
 namespace net {
 
-namespace {
-
-// Returns an encoded version of SubjectPublicKeyInfo from |cert| that is
-// compatible with KeygenHandler::Cache. If the cert cannot be converted, an
-// empty string is returned.
-std::string GetSubjectPublicKeyInfo(const X509Certificate* cert) {
- DCHECK(cert);
-
- std::string result;
- if (!cert->os_cert_handle() || !cert->os_cert_handle()->pCertInfo)
- return result;
-
- BOOL ok;
- DWORD size = 0;
- PCERT_PUBLIC_KEY_INFO key_info =
- &(cert->os_cert_handle()->pCertInfo->SubjectPublicKeyInfo);
- ok = CryptEncodeObject(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, key_info,
- NULL, &size);
- if (!ok)
- return result;
-
- ok = CryptEncodeObject(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, key_info,
- reinterpret_cast<BYTE*>(WriteInto(&result, size + 1)),
- &size);
- if (!ok) {
- result.clear();
- return result;
- }
-
- // Per MSDN, the resultant structure may be smaller than the original size
- // supplied, so shrink to the actual size output.
- result.resize(size);
-
- return result;
-}
-
-// Returns true if |cert| was successfully modified to reference |location| to
-// obtain the associated private key.
-bool LinkCertToPrivateKey(X509Certificate* cert,
- KeygenHandler::KeyLocation location) {
- DCHECK(cert);
-
- CRYPT_KEY_PROV_INFO prov_info = { 0 };
- prov_info.pwszContainerName =
- const_cast<LPWSTR>(location.container_name.c_str());
- prov_info.pwszProvName =
- const_cast<LPWSTR>(location.provider_name.c_str());
-
- // Implicit by it being from KeygenHandler, which only supports RSA keys.
- prov_info.dwProvType = PROV_RSA_FULL;
- prov_info.dwKeySpec = AT_KEYEXCHANGE;
-
- BOOL ok = CertSetCertificateContextProperty(cert->os_cert_handle(),
- CERT_KEY_PROV_INFO_PROP_ID, 0,
- &prov_info);
- return ok != FALSE;
-}
-
-} // namespace
-
 CertDatabase::CertDatabase() {
 }
 
@@ -85,12 +22,9 @@ int CertDatabase::CheckUserCert(X509Certificate* cert) {
 if (cert->HasExpired())
 return ERR_CERT_DATE_INVALID;
 
- std::string encoded_info = GetSubjectPublicKeyInfo(cert);
- KeygenHandler::Cache* cache = KeygenHandler::Cache::GetInstance();
- KeygenHandler::KeyLocation location;
-
- if (encoded_info.empty() || !cache->Find(encoded_info, &location) ||
- !LinkCertToPrivateKey(cert, location))
+ // TODO(rsleevi): Should CRYPT_FIND_SILENT_KEYSET_FLAG be specified? A UI
+ // may be shown here / this call may block.
+ if (!CryptFindCertificateKeyProvInfo(cert->os_cert_handle(), 0, NULL))
 return ERR_NO_PRIVATE_KEY_FOR_CERT;
 
 return OK;
diff --git a/net/base/keygen_handler.cc b/net/base/keygen_handler.cc
deleted file mode 100644
index e85dc4d..0000000
--- a/net/base/keygen_handler.cc
+++ /dev/null
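Review bot: The new `CryptFindCertificateKeyProvInfo` branch in `CheckUserCert` maps every failure to `ERR_NO_PRIVATE_KEY_FOR_CERT`, so a CSP or smart-card error (device absent, access denied, container unreadable) becomes indistinguishable from the key genuinely not existing; capturing the Win32 status in the failing branch, e.g. `DWORD err = GetLastError();` followed by `LOG(WARNING) << "CryptFindCertificateKeyProvInfo failed: " << err;`, keeps that signal for diagnosis (note the first hunk drops `#include "base/logging.h"`, which would have to come back). With `dwFlags` of 0 the lookup walks both the user and machine keysets and, as the TODO already says, may prompt or block; if this path runs on a thread that must not show UI, `CRYPT_FIND_SILENT_KEYSET_FLAG` is the safer default and the TODO is better resolved than shipped. The function's comment should also record that on success the call sets `CERT_KEY_PROV_INFO_PROP_ID` on the certificate context, the same side effect the removed `LinkCertToPrivateKey` produced, since later private-key access presumably depends on it. Finally, the removed cache bound the certificate to the exact container created by keygen, whereas the new lookup accepts any matching key in the searched stores; that widening is worth stating explicitly, e.g. `// Accepts any key in the user or machine store whose public key matches |cert|.`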
@@ -1,36 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/base/keygen_handler.h"
-
-#include "base/logging.h"
-
-namespace net {
-
-KeygenHandler::Cache* KeygenHandler::Cache::GetInstance() {
- return Singleton<Cache>::get();
-}
-
-void KeygenHandler::Cache::Insert(const std::string& public_key_info,
- const KeyLocation& location) {
- AutoLock lock(lock_);
-
- DCHECK(!public_key_info.empty()) << "Only insert valid public key structures";
- cache_[public_key_info] = location;
-}
-
-bool KeygenHandler::Cache::Find(const std::string& public_key_info,
- KeyLocation* location) {
- AutoLock lock(lock_);
-
- KeyLocationMap::iterator iter = cache_.find(public_key_info);
-
- if (iter == cache_.end())
- return false;
-
- *location = iter->second;
- return true;
-}
-
-} // namespace net
diff --git a/net/base/keygen_handler.h b/net/base/keygen_handler.h
index f88ffd5..a582816 100644
--- a/net/base/keygen_handler.h
+++ b/net/base/keygen_handler.h
@@ -5,12 +5,8 @@
 #ifndef NET_BASE_KEYGEN_HANDLER_H_
 #define NET_BASE_KEYGEN_HANDLER_H_
 
-#include <map>
 #include <string>
 
-#include "base/lock.h"
-#include "base/singleton.h"
-
 namespace net {
 
 // This class handles keypair generation for generating client
@@ -20,54 +16,6 @@ namespace net {
 
 class KeygenHandler {
 public:
- // This class stores the relative location for a given private key. It does
- // not store the private key, or a handle to the private key, on the basis
- // that the key may be located on a smart card or device which may not be
- // present at the time of retrieval.
- class KeyLocation {
- public:
-#if defined(OS_WIN)
- std::wstring container_name;
- std::wstring provider_name;
-#elif defined(OS_MACOSX)
- std::string keychain_path;
-#elif defined(USE_NSS)
- std::string slot_name;
-#endif
-
- // Only used by unit tests.
- bool Equals(const KeyLocation& location) const;
- };
-
- // This class stores information about the keys the KeygenHandler has
- // generated, so that the private keys can be properly associated with any
- // certificates that might be sent to the client based on those keys.
- // TODO(wtc): consider adding a Remove() method.
- class Cache {
- public:
- static Cache* GetInstance();
- void Insert(const std::string& public_key_info,
- const KeyLocation& location);
-
- // True if the |public_key_info| was located and the location stored into
- // |*location|.
- bool Find(const std::string& public_key_info, KeyLocation* location);
-
- private:
- typedef std::map<std::string, KeyLocation> KeyLocationMap;
-
- // Obtain an instance of the KeyCache by using GetInstance().
- Cache() {}
- friend struct DefaultSingletonTraits<Cache>;
-
- Lock lock_;
-
- // The key cache. You must obtain |lock_| before using |cache_|.
- KeyLocationMap cache_;
-
- DISALLOW_COPY_AND_ASSIGN(Cache);
- };
-
 // Creates a handler that will generate a key with the given key size
 // and incorporate the |challenge| into the Netscape SPKAC structure.
 inline KeygenHandler(int key_size_in_bits, const std::string& challenge);
diff --git a/net/base/keygen_handler_mac.cc b/net/base/keygen_handler_mac.cc
index a604035..36a4d47 100644
--- a/net/base/keygen_handler_mac.cc
+++ b/net/base/keygen_handler_mac.cc
@@ -93,12 +93,6 @@ static OSStatus SignData(CSSM_DATA data,
 SecKeyRef private_key,
 CSSM_DATA* signature);
 
-
-bool KeygenHandler::KeyLocation::Equals(
- const KeygenHandler::KeyLocation& location) const {
- return keychain_path == location.keychain_path;
-}
-
 std::string KeygenHandler::GenKeyAndSignChallenge() {
 std::string result;
 OSStatus err;
diff --git a/net/base/keygen_handler_nss.cc b/net/base/keygen_handler_nss.cc
index 225f940..638fbd5 100644
--- a/net/base/keygen_handler_nss.cc
+++ b/net/base/keygen_handler_nss.cc
@@ -11,11 +11,6 @@ namespace psm = mozilla_security_manager;
 
 namespace net {
 
-bool KeygenHandler::KeyLocation::Equals(
- const net::KeygenHandler::KeyLocation& location) const {
- return slot_name == location.slot_name;
-}
-
 std::string KeygenHandler::GenKeyAndSignChallenge() {
 return psm::GenKeyAndSignChallenge(key_size_in_bits_, challenge_,
 stores_key_);
diff --git a/net/base/keygen_handler_unittest.cc b/net/base/keygen_handler_unittest.cc
index 71c9b03..e6b3641 100644
--- a/net/base/keygen_handler_unittest.cc
+++ b/net/base/keygen_handler_unittest.cc
@@ -15,20 +15,6 @@ namespace net {
 
 namespace {
 
-KeygenHandler::KeyLocation ValidKeyLocation() {
- KeygenHandler::KeyLocation result;
-#if defined(OS_WIN)
- result.container_name = L"Unit tests";
- result.provider_name = L"Test Provider";
-#elif defined(OS_MACOSX)
- result.keychain_path = "/Users/tests/test.chain";
-#elif defined(USE_NSS)
- result.slot_name = "Sample slot";
-#endif
-
- return result;
-}
-
 class KeygenHandlerTest : public ::testing::Test {
 public:
 KeygenHandlerTest() {}
@@ -78,34 +64,6 @@ TEST_F(KeygenHandlerTest, FLAKY_SmokeTest) {
 // openssl asn1parse -inform DER
 }
 
-TEST_F(KeygenHandlerTest, Cache) {
- KeygenHandler::Cache* cache = KeygenHandler::Cache::GetInstance();
- KeygenHandler::KeyLocation location1;
- KeygenHandler::KeyLocation location2;
-
- std::string key1("abcd");
- cache->Insert(key1, location1);
-
- // The cache should have stored location1 at key1.
- EXPECT_TRUE(cache->Find(key1, &location2));
-
- // The cache should have retrieved it into location2, and their equality
- // should be reflexive.
- EXPECT_TRUE(location1.Equals(location2));
- EXPECT_TRUE(location2.Equals(location1));
-
- location2 = ValidKeyLocation();
- KeygenHandler::KeyLocation location3 = ValidKeyLocation();
- EXPECT_FALSE(location1.Equals(location2));
-
- // The cache should miss for an unregistered key.
- std::string key2("def");
- EXPECT_FALSE(cache->Find(key2, &location2));
-
- // A cache miss should leave the original location unmolested.
- EXPECT_TRUE(location2.Equals(location3));
-}
-
 } // namespace
 
 } // namespace net
diff --git a/net/base/keygen_handler_win.cc b/net/base/keygen_handler_win.cc
index 3d97d17..8fc32e5 100644
--- a/net/base/keygen_handler_win.cc
+++ b/net/base/keygen_handler_win.cc
@@ -24,31 +24,6 @@ namespace net {
-bool EncodeAndAppendType(LPCSTR type, const void* to_encode,
- std::vector<BYTE>* output) {
- BOOL ok;
- DWORD size = 0;
- ok = CryptEncodeObject(X509_ASN_ENCODING, type, to_encode, NULL, &size);
- DCHECK(ok);
- if (!ok)
- return false;
-
- std::vector<BYTE>::size_type old_size = output->size();
- output->resize(old_size + size);
-
- ok = CryptEncodeObject(X509_ASN_ENCODING, type, to_encode,
- &(*output)[old_size], &size);
- DCHECK(ok);
- if (!ok)
- return false;
-
- // Sometimes the initial call to CryptEncodeObject gave a generous estimate
- // of the size, so shrink back to what was actually used.
- output->resize(old_size + size);
-
- return true;
-}
-
 // Assigns the contents of a CERT_PUBLIC_KEY_INFO structure for the signing
 // key in |prov| to |output|. Returns true if encoding was successful.
 bool GetSubjectPublicKeyInfo(HCRYPTPROV prov, std::vector<BYTE>* output) {
@@ -80,18 +55,6 @@ bool GetSubjectPublicKeyInfo(HCRYPTPROV prov, std::vector<BYTE>* output) {
 return true;
 }
 
-// Appends a DER SubjectPublicKeyInfo structure for the signing key in |prov|
-// to |output|.
-// Returns true if encoding was successful.
-bool EncodeSubjectPublicKeyInfo(HCRYPTPROV prov, std::vector<BYTE>* output) {
- std::vector<BYTE> public_key_info;
- if (!GetSubjectPublicKeyInfo(prov, &public_key_info))
- return false;
-
- return EncodeAndAppendType(X509_PUBLIC_KEY_INFO, &public_key_info[0],
- output);
-}
-
 // Generates a DER encoded SignedPublicKeyAndChallenge structure from the
 // signing key of |prov| and the specified ASCII |challenge| string and
 // appends it to |output|.
@@ -167,62 +130,6 @@ std::wstring GetNewKeyContainerId() {
 return result;
 }
 
-void StoreKeyLocationInCache(HCRYPTPROV prov) {
- BOOL ok;
- DWORD size = 0;
-
- // Though it is known the container and provider name, as they are supplied
- // during GenKeyAndSignChallenge, explicitly resolving them via
- // CryptGetProvParam ensures that any defaults (such as provider name being
- // NULL) or any CSP modifications to the container name are properly
- // reflected.
-
- // Find the container name. Though the MSDN documentation states it will
- // return the exact same value as supplied when the provider was aquired, it
- // also notes the return type will be CHAR, /not/ WCHAR.
- ok = CryptGetProvParam(prov, PP_CONTAINER, NULL, &size, 0);
- if (!ok)
- return;
-
- std::vector<BYTE> buffer(size);
- ok = CryptGetProvParam(prov, PP_CONTAINER, &buffer[0], &size, 0);
- if (!ok)
- return;
-
- KeygenHandler::KeyLocation key_location;
- UTF8ToWide(reinterpret_cast<char*>(&buffer[0]), size,
- &key_location.container_name);
-
- // Get the provider name. This will always resolve, even if NULL (indicating
- // the default provider) was supplied to the CryptAcquireContext.
- size = 0;
- ok = CryptGetProvParam(prov, PP_NAME, NULL, &size, 0);
- if (!ok)
- return;
-
- buffer.resize(size);
- ok = CryptGetProvParam(prov, PP_NAME, &buffer[0], &size, 0);
- if (!ok)
- return;
-
- UTF8ToWide(reinterpret_cast<char*>(&buffer[0]), size,
- &key_location.provider_name);
-
- std::vector<BYTE> public_key_info;
- if (!EncodeSubjectPublicKeyInfo(prov, &public_key_info))
- return;
-
- KeygenHandler::Cache* cache = KeygenHandler::Cache::GetInstance();
- cache->Insert(std::string(public_key_info.begin(), public_key_info.end()),
- key_location);
-}
-
-bool KeygenHandler::KeyLocation::Equals(
- const KeygenHandler::KeyLocation& location) const {
- return container_name == location.container_name &&
- provider_name == location.provider_name;
-}
-
 std::string KeygenHandler::GenKeyAndSignChallenge() {
 std::string result;
 
@@ -283,8 +190,6 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
 goto failure;
 }
 
- StoreKeyLocationInCache(prov);
-
 failure:
 if (!is_success) {
 LOG(ERROR) << "SSL Keygen failed";
diff --git a/net/net.gyp b/net/net.gyp
index 77f4457e..257825d 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -80,7 +80,6 @@
 'base/host_resolver_proc.h',
 'base/io_buffer.cc',
 'base/io_buffer.h',
- 'base/keygen_handler.cc',
 'base/keygen_handler.h',
 'base/keygen_handler_mac.cc',
 'base/keygen_handler_nss.cc',
diff --git a/net/third_party/mozilla_security_manager/nsKeygenHandler.cpp b/net/third_party/mozilla_security_manager/nsKeygenHandler.cpp
index e829320..8be54a4 100644
--- a/net/third_party/mozilla_security_manager/nsKeygenHandler.cpp
+++ b/net/third_party/mozilla_security_manager/nsKeygenHandler.cpp
@@ -50,7 +50,6 @@
 #include "base/nss_util_internal.h"
 #include "base/nss_util.h"
 #include "base/logging.h"
-#include "net/base/keygen_handler.h"
 
 namespace {
 
@@ -86,16 +85,6 @@ DERTemplate CERTPublicKeyAndChallengeTemplate[] = {
 { 0, }
 };
 
-void StoreKeyLocationInCache(const SECItem& public_key_info,
- PK11SlotInfo *slot) {
- net::KeygenHandler::Cache* cache = net::KeygenHandler::Cache::GetInstance();
- net::KeygenHandler::KeyLocation key_location;
- const char* slot_name = PK11_GetSlotName(slot);
- key_location.slot_name.assign(slot_name);
- cache->Insert(std::string(reinterpret_cast<char*>(public_key_info.data),
- public_key_info.len), key_location);
-}
-
 } // namespace
 
 namespace mozilla_security_manager {
@@ -236,8 +225,6 @@ std::string GenKeyAndSignChallenge(int key_size_in_bits,
 goto failure;
 }
 
- StoreKeyLocationInCache(spkiItem, slot);
-
 failure:
 if (!isSuccess) {
 LOG(ERROR) << "SSL Keygen failed!";