-rw-r--r--chrome/chrome_common.gypi16
-rw-r--r--chrome/common/BUILD.gn20
-rw-r--r--chrome/common/extensions/api/networking_private/networking_private_crypto.cc102
-rw-r--r--chrome/common/extensions/api/networking_private/networking_private_crypto_nss.cc126
-rw-r--r--chrome/common/extensions/api/networking_private/networking_private_crypto_openssl.cc110
5 files changed, 105 insertions, 269 deletions
diff --git a/chrome/chrome_common.gypi b/chrome/chrome_common.gypi
index 4660500..9333890 100644
--- a/chrome/chrome_common.gypi
+++ b/chrome/chrome_common.gypi
@@ -275,17 +275,10 @@
'common/media_galleries/picasa_types.h',
'common/media_galleries/pmp_constants.h',
],
- 'chrome_common_networking_private_sources_openssl' : [
+ 'chrome_common_networking_private_sources' : [
'common/extensions/api/networking_private/networking_private_crypto.cc',
'common/extensions/api/networking_private/networking_private_crypto.h',
- 'common/extensions/api/networking_private/networking_private_crypto_openssl.cc',
],
- 'chrome_common_networking_private_sources_nss' : [
- 'common/extensions/api/networking_private/networking_private_crypto.cc',
- 'common/extensions/api/networking_private/networking_private_crypto.h',
- 'common/extensions/api/networking_private/networking_private_crypto_nss.cc',
- ],
-
'chrome_common_mac_sources': [
'common/media_galleries/iphoto_library.cc',
'common/media_galleries/iphoto_library.h',
@@ -382,15 +375,12 @@
['OS=="win" or OS=="mac"', {
'sources': [ '<@(chrome_common_win_mac_sources)' ],
}],
- ['(OS=="win" or OS=="mac" or chromeos==1) and use_openssl==1', {
- 'sources': [ '<@(chrome_common_networking_private_sources_openssl)' ],
+ ['OS=="win" or OS=="mac" or chromeos==1', {
+ 'sources': [ '<@(chrome_common_networking_private_sources)' ],
'dependencies': [
'../third_party/boringssl/boringssl.gyp:boringssl',
],
}],
- ['(OS=="win" or OS=="mac" or chromeos==1) and use_openssl!=1', {
- 'sources': [ '<@(chrome_common_networking_private_sources_nss)' ],
- }],
['OS=="mac"', {
'sources': [ '<@(chrome_common_mac_sources)' ],
'dependencies': [ 'app_mode_app_support' ],
diff --git a/chrome/common/BUILD.gn b/chrome/common/BUILD.gn
index b2e0dfc..c076b71 100644
--- a/chrome/common/BUILD.gn
+++ b/chrome/common/BUILD.gn
@@ -144,20 +144,12 @@ static_library("common") {
deps += [ "//breakpad:client" ]
}
if (is_win || is_mac || is_chromeos) {
- if (use_openssl) {
- sources += rebase_path(
- gypi_values.chrome_common_networking_private_sources_openssl,
- ".",
- "//chrome")
-
- # networking_private_crypto_openssl.cc depends on boringssl.
- deps += [ "//third_party/boringssl" ]
- } else {
- sources +=
- rebase_path(gypi_values.chrome_common_networking_private_sources_nss,
- ".",
- "//chrome")
- }
+ sources += rebase_path(gypi_values.chrome_common_networking_private_sources,
+ ".",
+ "//chrome")
+
+ # networking_private_crypto.cc depends on boringssl.
+ deps += [ "//third_party/boringssl" ]
}
if (is_mac) {
sources +=
diff --git a/chrome/common/extensions/api/networking_private/networking_private_crypto.cc b/chrome/common/extensions/api/networking_private/networking_private_crypto.cc
index 9bc3364..387b1e1 100644
--- a/chrome/common/extensions/api/networking_private/networking_private_crypto.cc
+++ b/chrome/common/extensions/api/networking_private/networking_private_crypto.cc
@@ -4,9 +4,18 @@
#include "chrome/common/extensions/api/networking_private/networking_private_crypto.h"
+#include <openssl/digest.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
+#include "base/stl_util.h"
#include "base/strings/string_util.h"
+#include "crypto/openssl_util.h"
+#include "crypto/rsa_private_key.h"
+#include "crypto/scoped_openssl_types.h"
#include "extensions/common/cast/cast_cert_validator.h"
#include "net/cert/pem_tokenizer.h"
@@ -14,6 +23,23 @@ namespace {
namespace cast_crypto = ::extensions::api::cast_crypto;
+// Parses |pem_data| for a PEM block of |pem_type|.
+// Returns true if a |pem_type| block is found, storing the decoded result in
+// |der_output|.
+bool GetDERFromPEM(const std::string& pem_data,
+ const std::string& pem_type,
+ std::vector<uint8_t>* der_output) {
+ std::vector<std::string> headers;
+ headers.push_back(pem_type);
+ net::PEMTokenizer pem_tokenizer(pem_data, headers);
+ if (!pem_tokenizer.GetNext()) {
+ return false;
+ }
+
+ der_output->assign(pem_tokenizer.data().begin(), pem_tokenizer.data().end());
+ return true;
+}
+
} // namespace
namespace networking_private_crypto {
@@ -30,19 +56,20 @@ bool VerifyCredentials(
headers.push_back("CERTIFICATE");
// Convert certificate from PEM to raw DER
- net::PEMTokenizer pem_tok(certificate, headers);
- if (!pem_tok.GetNext()) {
+ net::PEMTokenizer pem_tokenizer(certificate, headers);
+ if (!pem_tokenizer.GetNext()) {
LOG(ERROR) << kErrorPrefix << "Failed to parse device certificate.";
return false;
}
- std::string der_certificate = pem_tok.data();
+ std::string der_certificate = pem_tokenizer.data();
// Convert intermediate certificates from PEM to raw DER
std::vector<std::string> der_intermediate_certificates;
for (size_t idx = 0; idx < intermediate_certificates.size(); ++idx) {
- net::PEMTokenizer ica_pem_tok(intermediate_certificates[idx], headers);
- if (ica_pem_tok.GetNext()) {
- der_intermediate_certificates.push_back(ica_pem_tok.data());
+ net::PEMTokenizer ica_pem_tokenizer(intermediate_certificates[idx],
+ headers);
+ if (ica_pem_tokenizer.GetNext()) {
+ der_intermediate_certificates.push_back(ica_pem_tokenizer.data());
} else {
LOG(WARNING) << "Failed to parse intermediate certificates.";
}
@@ -83,4 +110,67 @@ bool VerifyCredentials(
return true;
}
+bool EncryptByteString(const std::vector<uint8_t>& pub_key_der,
+ const std::string& data,
+ std::vector<uint8_t>* encrypted_output) {
+ crypto::EnsureOpenSSLInit();
+ crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+ const uint8_t* ptr = vector_as_array(&pub_key_der);
+ const uint8_t* end = ptr + pub_key_der.size();
+ crypto::ScopedRSA rsa(d2i_RSAPublicKey(NULL, &ptr, pub_key_der.size()));
+ if (!rsa || ptr != end || RSA_size(rsa.get()) == 0) {
+ LOG(ERROR) << "Failed to parse public key";
+ return false;
+ }
+
+ encrypted_output->resize(RSA_size(rsa.get()));
+ int encrypted_length = RSA_public_encrypt(
+ data.size(), reinterpret_cast<const uint8_t*>(data.data()),
+ vector_as_array(encrypted_output), rsa.get(), RSA_PKCS1_PADDING);
+ if (encrypted_length < 0) {
+ LOG(ERROR) << "Error during decryption";
+ return false;
+ }
+ encrypted_output->resize(encrypted_length);
+ return true;
+}
+
+bool DecryptByteString(const std::string& private_key_pem,
+ const std::vector<uint8_t>& encrypted_data,
+ std::string* decrypted_output) {
+ crypto::EnsureOpenSSLInit();
+ crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+ std::vector<uint8_t> private_key_data;
+ if (!GetDERFromPEM(private_key_pem, "PRIVATE KEY", &private_key_data)) {
+ LOG(ERROR) << "Failed to parse private key PEM.";
+ return false;
+ }
+ scoped_ptr<crypto::RSAPrivateKey> private_key(
+ crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(private_key_data));
+ if (!private_key || !private_key->key()) {
+ LOG(ERROR) << "Failed to parse private key DER.";
+ return false;
+ }
+
+ crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(private_key->key()));
+ if (!rsa || RSA_size(rsa.get()) == 0) {
+ LOG(ERROR) << "Failed to get RSA key.";
+ return false;
+ }
+
+ uint8_t* output = reinterpret_cast<uint8_t*>(
+ base::WriteInto(decrypted_output, RSA_size(rsa.get()) + 1));
+ int output_length =
+ RSA_private_decrypt(encrypted_data.size(), &encrypted_data[0], output,
+ rsa.get(), RSA_PKCS1_PADDING);
+ if (output_length < 0) {
+ LOG(ERROR) << "Error during decryption.";
+ return false;
+ }
+ decrypted_output->resize(output_length);
+ return true;
+}
+
} // namespace networking_private_crypto
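Review bot: `&encrypted_data[0]` in DecryptByteString (the RSA_private_decrypt call) indexes an empty vector when the caller passes zero-length ciphertext, which is undefined behaviour before BoringSSL gets a chance to reject the input; EncryptByteString in the same hunk already uses `vector_as_array(&pub_key_der)` for exactly this reason, so the consistent fix is `RSA_private_decrypt(encrypted_data.size(), vector_as_array(&encrypted_data), output, rsa.get(), RSA_PKCS1_PADDING);`. A cheaper guard is to reject ciphertext whose length differs from `RSA_size(rsa.get())` before calling into RSA at all, since PKCS#1 decryption of any other length cannot succeed. Separately, the failure branch of RSA_public_encrypt in EncryptByteString logs `"Error during decryption"`, a message carried over from the removed networking_private_crypto_openssl.cc; it should read `LOG(ERROR) << "Error during encryption.";` so that log-based diagnosis points at the right code path.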
diff --git a/chrome/common/extensions/api/networking_private/networking_private_crypto_nss.cc b/chrome/common/extensions/api/networking_private/networking_private_crypto_nss.cc
deleted file mode 100644
index 0839762..0000000
--- a/chrome/common/extensions/api/networking_private/networking_private_crypto_nss.cc
+++ /dev/null
@@ -1,126 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/extensions/api/networking_private/networking_private_crypto.h"
-
-#include <cert.h>
-#include <cryptohi.h>
-#include <keyhi.h>
-#include <keythi.h>
-#include <pk11pub.h>
-#include <sechash.h>
-#include <secport.h>
-
-#include "base/base64.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/strings/string_util.h"
-#include "base/strings/stringprintf.h"
-#include "crypto/nss_util.h"
-#include "crypto/rsa_private_key.h"
-#include "crypto/scoped_nss_types.h"
-#include "net/cert/pem_tokenizer.h"
-#include "net/cert/x509_certificate.h"
-
-namespace {
-
-// Parses |pem_data| for a PEM block of |pem_type|.
-// Returns true if a |pem_type| block is found, storing the decoded result in
-// |der_output|.
-bool GetDERFromPEM(const std::string& pem_data,
- const std::string& pem_type,
- std::vector<uint8_t>* der_output) {
- std::vector<std::string> headers;
- headers.push_back(pem_type);
- net::PEMTokenizer pem_tok(pem_data, headers);
- if (!pem_tok.GetNext()) {
- return false;
- }
-
- der_output->assign(pem_tok.data().begin(), pem_tok.data().end());
- return true;
-}
-
-} // namespace
-
-namespace networking_private_crypto {
-
-bool EncryptByteString(const std::vector<uint8_t>& pub_key_der,
- const std::string& data,
- std::vector<uint8_t>* encrypted_output) {
- crypto::EnsureNSSInit();
-
- SECItem pub_key_der_item;
- pub_key_der_item.type = siDERCertBuffer;
- pub_key_der_item.data = const_cast<unsigned char*>(pub_key_der.data());
- pub_key_der_item.len = pub_key_der.size();
-
- crypto::ScopedSECKEYPublicKey public_key(
- SECKEY_ImportDERPublicKey(&pub_key_der_item, CKK_RSA));
- if (!public_key.get()) {
- LOG(ERROR) << "Failed to parse public key.";
- return false;
- }
-
- size_t encrypted_length = SECKEY_PublicKeyStrength(public_key.get());
- // RSAES is defined as operating on messages up to a length of k - 11, where
- // k is the octet length of the RSA modulus.
- if (encrypted_length < data.size() + 11) {
- LOG(ERROR) << "Too much data to encrypt.";
- return false;
- }
-
- scoped_ptr<unsigned char[]> rsa_output(new unsigned char[encrypted_length]);
- SECStatus encrypted = PK11_PubEncryptPKCS1(
- public_key.get(),
- rsa_output.get(),
- reinterpret_cast<unsigned char*>(const_cast<char*>(data.data())),
- data.length(),
- NULL);
- if (encrypted != SECSuccess) {
- LOG(ERROR) << "Error during encryption.";
- return false;
- }
- encrypted_output->assign(rsa_output.get(),
- rsa_output.get() + encrypted_length);
- return true;
-}
-
-bool DecryptByteString(const std::string& private_key_pem,
- const std::vector<uint8_t>& encrypted_data,
- std::string* decrypted_output) {
- crypto::EnsureNSSInit();
-
- std::vector<uint8_t> private_key_data;
- if (!GetDERFromPEM(private_key_pem, "PRIVATE KEY", &private_key_data)) {
- LOG(ERROR) << "Failed to parse private key PEM.";
- return false;
- }
- scoped_ptr<crypto::RSAPrivateKey> private_key(
- crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(private_key_data));
- if (!private_key || !private_key->public_key()) {
- LOG(ERROR) << "Failed to parse private key DER.";
- return false;
- }
-
- size_t encrypted_length = SECKEY_SignatureLen(private_key->public_key());
- scoped_ptr<unsigned char[]> rsa_output(new unsigned char[encrypted_length]);
- unsigned int output_length = 0;
- SECStatus decrypted =
- PK11_PrivDecryptPKCS1(private_key->key(),
- rsa_output.get(),
- &output_length,
- encrypted_length,
- const_cast<unsigned char*>(encrypted_data.data()),
- encrypted_data.size());
- if (decrypted != SECSuccess) {
- LOG(ERROR) << "Error during decryption.";
- return false;
- }
- decrypted_output->assign(reinterpret_cast<char*>(rsa_output.get()),
- output_length);
- return true;
-}
-
-} // namespace networking_private_crypto
diff --git a/chrome/common/extensions/api/networking_private/networking_private_crypto_openssl.cc b/chrome/common/extensions/api/networking_private/networking_private_crypto_openssl.cc
deleted file mode 100644
index 2a22065..0000000
--- a/chrome/common/extensions/api/networking_private/networking_private_crypto_openssl.cc
+++ /dev/null
@@ -1,110 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/extensions/api/networking_private/networking_private_crypto.h"
-
-#include <openssl/digest.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-#include "base/logging.h"
-#include "crypto/openssl_util.h"
-#include "crypto/rsa_private_key.h"
-#include "crypto/scoped_openssl_types.h"
-#include "net/cert/pem_tokenizer.h"
-
-namespace {
-
-// Parses |pem_data| for a PEM block of |pem_type|.
-// Returns true if a |pem_type| block is found, storing the decoded result in
-// |der_output|.
-bool GetDERFromPEM(const std::string& pem_data,
- const std::string& pem_type,
- std::vector<uint8_t>* der_output) {
- std::vector<std::string> headers;
- headers.push_back(pem_type);
- net::PEMTokenizer pem_tok(pem_data, headers);
- if (!pem_tok.GetNext()) {
- return false;
- }
-
- der_output->assign(pem_tok.data().begin(), pem_tok.data().end());
- return true;
-}
-
-} // namespace
-
-namespace networking_private_crypto {
-
-bool EncryptByteString(const std::vector<uint8_t>& pub_key_der,
- const std::string& data,
- std::vector<uint8_t>* encrypted_output) {
- crypto::EnsureOpenSSLInit();
- crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
-
- const uint8_t* ptr = pub_key_der.empty() ? NULL : &pub_key_der[0];
- const uint8_t* end = ptr + pub_key_der.size();
- crypto::ScopedRSA rsa(d2i_RSAPublicKey(NULL, &ptr, pub_key_der.size()));
- if (!rsa || ptr != end || RSA_size(rsa.get()) == 0) {
- LOG(ERROR) << "Failed to parse public key";
- return false;
- }
-
- scoped_ptr<uint8_t[]> rsa_output(new uint8_t[RSA_size(rsa.get())]);
- int encrypted_length =
- RSA_public_encrypt(data.size(),
- reinterpret_cast<const uint8_t*>(data.data()),
- rsa_output.get(),
- rsa.get(),
- RSA_PKCS1_PADDING);
- if (encrypted_length < 0) {
- LOG(ERROR) << "Error during decryption";
- return false;
- }
- encrypted_output->assign(rsa_output.get(),
- rsa_output.get() + encrypted_length);
- return true;
-}
-
-bool DecryptByteString(const std::string& private_key_pem,
- const std::vector<uint8_t>& encrypted_data,
- std::string* decrypted_output) {
- crypto::EnsureOpenSSLInit();
- crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
-
- std::vector<uint8_t> private_key_data;
- if (!GetDERFromPEM(private_key_pem, "PRIVATE KEY", &private_key_data)) {
- LOG(ERROR) << "Failed to parse private key PEM.";
- return false;
- }
- scoped_ptr<crypto::RSAPrivateKey> private_key(
- crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(private_key_data));
- if (!private_key || !private_key->key()) {
- LOG(ERROR) << "Failed to parse private key DER.";
- return false;
- }
-
- crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(private_key->key()));
- if (!rsa || RSA_size(rsa.get()) == 0) {
- LOG(ERROR) << "Failed to get RSA key.";
- return false;
- }
-
- scoped_ptr<uint8_t[]> rsa_output(new uint8_t[RSA_size(rsa.get())]);
- int output_length = RSA_private_decrypt(encrypted_data.size(),
- &encrypted_data[0],
- rsa_output.get(),
- rsa.get(),
- RSA_PKCS1_PADDING);
- if (output_length < 0) {
- LOG(ERROR) << "Error during decryption.";
- return false;
- }
- decrypted_output->assign(reinterpret_cast<char*>(rsa_output.get()),
- output_length);
- return true;
-}
-
-} // namespace networking_private_crypto