diff options
Diffstat (limited to 'chrome')
5 files changed, 72 insertions, 47 deletions
diff --git a/chrome/browser/chromeos/login/auth/cryptohome_authenticator_unittest.cc b/chrome/browser/chromeos/login/auth/cryptohome_authenticator_unittest.cc index 2607ace..c96e922 100644 --- a/chrome/browser/chromeos/login/auth/cryptohome_authenticator_unittest.cc +++ b/chrome/browser/chromeos/login/auth/cryptohome_authenticator_unittest.cc @@ -45,6 +45,7 @@ #include "components/ownership/mock_owner_key_util.h" #include "components/user_manager/fake_user_manager.h" #include "content/public/test/test_browser_thread_bundle.h" +#include "crypto/nss_key_util.h" #include "crypto/nss_util_internal.h" #include "crypto/scoped_test_nss_chromeos_user.h" #include "google_apis/gaia/mock_url_fetcher_factory.h" @@ -118,11 +119,11 @@ std::vector<uint8> GetOwnerPublicKey() { kOwnerPublicKey + arraysize(kOwnerPublicKey)); } -scoped_ptr<crypto::RSAPrivateKey> CreateOwnerKeyInSlot(PK11SlotInfo* slot) { +bool CreateOwnerKeyInSlot(PK11SlotInfo* slot) { const std::vector<uint8> key(kOwnerPrivateKey, kOwnerPrivateKey + arraysize(kOwnerPrivateKey)); - return make_scoped_ptr( - crypto::RSAPrivateKey::CreateSensitiveFromPrivateKeyInfo(slot, key)); + return crypto::ImportNSSKeyFromPrivateKeyInfo(slot, key, + true /* permanent */); } } // namespace @@ -472,7 +473,7 @@ TEST_F(CryptohomeAuthenticatorTest, ResolveOwnerNeededSuccess) { crypto::ScopedPK11Slot user_slot( crypto::GetPublicSlotForChromeOSUser(user_context_.GetUserIDHash())); - CreateOwnerKeyInSlot(user_slot.get()); + ASSERT_TRUE(CreateOwnerKeyInSlot(user_slot.get())); profile_manager_.reset( new TestingProfileManager(TestingBrowserProcess::GetGlobal())); diff --git a/chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.cc b/chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.cc index 3321ed9..46058c1 100644 --- a/chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.cc +++ b/chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.cc @@ -5,6 +5,7 @@ #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.h" #include <cryptohi.h> +#include <keyhi.h> #include "base/base64.h" #include "base/bind.h" @@ -22,8 +23,8 @@ #include "chrome/browser/browser_process.h" #include "chrome/common/pref_names.h" #include "content/public/browser/browser_thread.h" +#include "crypto/nss_key_util.h" #include "crypto/nss_util_internal.h" -#include "crypto/rsa_private_key.h" #include "crypto/scoped_nss_types.h" namespace { @@ -57,7 +58,7 @@ void GetSystemSlotOnIOThread( // Checks if a private RSA key associated with |public_key| can be found in // |slot|. // Must be called on a worker thread. -scoped_ptr<crypto::RSAPrivateKey> GetPrivateKeyOnWorkerThread( +crypto::ScopedSECKEYPrivateKey GetPrivateKeyOnWorkerThread( PK11SlotInfo* slot, const std::string& public_key) { const uint8* public_key_uint8 = @@ -65,10 +66,14 @@ scoped_ptr<crypto::RSAPrivateKey> GetPrivateKeyOnWorkerThread( std::vector<uint8> public_key_vector( public_key_uint8, public_key_uint8 + public_key.size()); - scoped_ptr<crypto::RSAPrivateKey> rsa_key( - crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key_vector)); - if (!rsa_key || rsa_key->key()->pkcs11Slot != slot) - return scoped_ptr<crypto::RSAPrivateKey>(); + // TODO(davidben): This should be equivalent to calling + // FindNSSKeyFromPublicKeyInfoInSlot. + crypto::ScopedSECKEYPrivateKey rsa_key( + crypto::FindNSSKeyFromPublicKeyInfo(public_key_vector)); + if (!rsa_key || rsa_key->pkcs11Slot != slot || + SECKEY_GetPrivateKeyType(rsa_key.get()) != rsaKey) { + return nullptr; + } return rsa_key.Pass(); } @@ -81,7 +86,7 @@ void SignDataOnWorkerThread( const std::string& data, const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, const base::Callback<void(const std::string&)>& callback) { - scoped_ptr<crypto::RSAPrivateKey> private_key( + crypto::ScopedSECKEYPrivateKey private_key( GetPrivateKeyOnWorkerThread(slot.get(), public_key)); if (!private_key) { LOG(ERROR) << "Private key for signing data not found"; @@ -93,8 +98,7 @@ void SignDataOnWorkerThread( crypto::ScopedSECItem sign_result(SECITEM_AllocItem(NULL, NULL, 0)); if (SEC_SignData(sign_result.get(), reinterpret_cast<const unsigned char*>(data.data()), - data.size(), - private_key->key(), + data.size(), private_key.get(), SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION) != SECSuccess) { LOG(ERROR) << "Failed to sign data"; response_task_runner->PostTask(FROM_HERE, @@ -123,17 +127,20 @@ void CreateTpmKeyPairOnWorkerThread( return; } - scoped_ptr<crypto::RSAPrivateKey> rsa_key( - crypto::RSAPrivateKey::CreateSensitive(slot.get(), kKeyModulusLength)); - if (!rsa_key) { + crypto::ScopedSECKEYPublicKey public_key_obj; + crypto::ScopedSECKEYPrivateKey private_key_obj; + if (!crypto::GenerateRSAKeyPairNSS(slot.get(), kKeyModulusLength, + true /* permanent */, &public_key_obj, + &private_key_obj)) { LOG(ERROR) << "Failed to create an RSA key."; response_task_runner->PostTask(FROM_HERE, base::Bind(callback, std::string())); return; } - std::vector<uint8> created_public_key; - if (!rsa_key->ExportPublicKey(&created_public_key)) { + crypto::ScopedSECItem public_key_der( + SECKEY_EncodeDERSubjectPublicKeyInfo(public_key_obj.get())); + if (!public_key_der) { LOG(ERROR) << "Failed to export public key."; response_task_runner->PostTask(FROM_HERE, base::Bind(callback, std::string())); @@ -141,10 +148,9 @@ void CreateTpmKeyPairOnWorkerThread( } response_task_runner->PostTask( - FROM_HERE, - base::Bind(callback, - std::string(created_public_key.begin(), - created_public_key.end()))); + FROM_HERE, base::Bind(callback, std::string(reinterpret_cast<const char*>( + public_key_der->data), + public_key_der->len))); } } // namespace diff --git a/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc b/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc index a96f0aa..20fdd78 100644 --- a/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc +++ b/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc @@ -4,6 +4,8 @@ #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h" +#include <keyhi.h> + #include <algorithm> #include <string> @@ -29,9 +31,9 @@ #include "content/public/browser/notification_service.h" #include "content/public/browser/notification_source.h" #include "content/public/common/content_switches.h" +#include "crypto/nss_key_util.h" #include "crypto/nss_util.h" #include "crypto/nss_util_internal.h" -#include "crypto/rsa_private_key.h" #include "crypto/scoped_nss_types.h" #include "crypto/signature_creator.h" @@ -72,9 +74,14 @@ void LoadPrivateKeyByPublicKey( crypto::ScopedPK11Slot private_slot = crypto::GetPrivateSlotForChromeOSUser( username_hash, base::Callback<void(crypto::ScopedPK11Slot)>()); - // If private slot is already available, this will check it. If not, - // we'll get called again later when the TPM Token is ready, and the - // slot will be available then. + // If private slot is already available, this will check it. If not, we'll get + // called again later when the TPM Token is ready, and the slot will be + // available then. FindPrivateKeyInSlot internally checks for a null slot if + // needbe. + // + // TODO(davidben): The null check should be in the caller rather than + // internally in the OwnerKeyUtil implementation. The tests currently get a + // null private_slot and expect the mock OwnerKeyUtil to still be called. scoped_refptr<PrivateKey> private_key( new PrivateKey(owner_key_util->FindPrivateKeyInSlot(public_key->data(), private_slot.get()))); @@ -124,10 +131,9 @@ bool DoesPrivateKeyExistAsyncHelper( std::vector<uint8> public_key; if (!owner_key_util->ImportPublicKey(&public_key)) return false; - scoped_ptr<crypto::RSAPrivateKey> key( - crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key)); - bool is_owner = key.get() != NULL; - return is_owner; + crypto::ScopedSECKEYPrivateKey key = + crypto::FindNSSKeyFromPublicKeyInfo(public_key); + return key && SECKEY_GetPrivateKeyType(key.get()) == rsaKey; } // Checks whether NSS slots with private key are mounted or diff --git a/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h b/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h index 354450b..aea7cc0 100644 --- a/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h +++ b/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h @@ -135,7 +135,9 @@ class OwnerSettingsServiceChromeOS : public ownership::OwnerSettingsService, // OwnerSettingsService protected interface overrides: - // Reloads private key from profile's NSS slots, responds via |callback|. + // Reloads private key from profile's NSS slots, responds via |callback|. On + // success, |private_key| is non-null, but if the private key doesn't exist, + // |private_key->key()| may be null. void ReloadKeypairImpl(const base::Callback< void(const scoped_refptr<ownership::PublicKey>& public_key, const scoped_refptr<ownership::PrivateKey>& private_key)>& callback) diff --git a/chrome/browser/chromeos/platform_keys/platform_keys_nss.cc b/chrome/browser/chromeos/platform_keys/platform_keys_nss.cc index af14d11..5678baf 100644 --- a/chrome/browser/chromeos/platform_keys/platform_keys_nss.cc +++ b/chrome/browser/chromeos/platform_keys/platform_keys_nss.cc @@ -31,7 +31,8 @@ #include "components/policy/core/common/cloud/cloud_policy_constants.h" #include "content/public/browser/browser_context.h" #include "content/public/browser/browser_thread.h" -#include "crypto/rsa_private_key.h" +#include "crypto/nss_key_util.h" +#include "crypto/scoped_nss_types.h" #include "net/base/crypto_module.h" #include "net/base/net_errors.h" #include "net/cert/cert_database.h" @@ -400,25 +401,34 @@ GetTokensState::GetTokensState(const GetTokensCallback& callback) // Does the actual key generation on a worker thread. Used by // GenerateRSAKeyWithDB(). void GenerateRSAKeyOnWorkerThread(scoped_ptr<GenerateRSAKeyState> state) { - scoped_ptr<crypto::RSAPrivateKey> rsa_key( - crypto::RSAPrivateKey::CreateSensitive(state->slot_.get(), - state->modulus_length_bits_)); - if (!rsa_key) { + if (!state->slot_) { + LOG(ERROR) << "No slot."; + state->OnError(FROM_HERE, kErrorInternal); + return; + } + + crypto::ScopedSECKEYPublicKey public_key; + crypto::ScopedSECKEYPrivateKey private_key; + if (!crypto::GenerateRSAKeyPairNSS( + state->slot_.get(), state->modulus_length_bits_, true /* permanent */, + &public_key, &private_key)) { LOG(ERROR) << "Couldn't create key."; state->OnError(FROM_HERE, kErrorInternal); return; } - std::vector<uint8> public_key_spki_der; - if (!rsa_key->ExportPublicKey(&public_key_spki_der)) { - // TODO(pneubeck): Remove rsa_key from storage. + crypto::ScopedSECItem public_key_der( + SECKEY_EncodeDERSubjectPublicKeyInfo(public_key.get())); + if (!public_key_der) { + // TODO(pneubeck): Remove private_key and public_key from storage. LOG(ERROR) << "Couldn't export public key."; state->OnError(FROM_HERE, kErrorInternal); return; } state->CallBack( FROM_HERE, - std::string(public_key_spki_der.begin(), public_key_spki_der.end()), + std::string(reinterpret_cast<const char*>(public_key_der->data), + public_key_der->len), std::string() /* no error */); } @@ -442,13 +452,13 @@ void SignRSAOnWorkerThread(scoped_ptr<SignRSAState> state) { public_key_uint8, public_key_uint8 + state->public_key_.size()); // TODO(pneubeck): This searches all slots. Change to look only at |slot_|. - scoped_ptr<crypto::RSAPrivateKey> rsa_key( - crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key_vector)); + crypto::ScopedSECKEYPrivateKey rsa_key( + crypto::FindNSSKeyFromPublicKeyInfo(public_key_vector)); // Fail if the key was not found. If a specific slot was requested, also fail // if the key was found in the wrong slot. - if (!rsa_key || - (state->slot_ && rsa_key->key()->pkcs11Slot != state->slot_)) { + if (!rsa_key || SECKEY_GetPrivateKeyType(rsa_key.get()) != rsaKey || + (state->slot_ && rsa_key->pkcs11Slot != state->slot_)) { state->OnError(FROM_HERE, kErrorKeyNotFound); return; } @@ -464,7 +474,7 @@ void SignRSAOnWorkerThread(scoped_ptr<SignRSAState> state) { state->data_.size()}; // Compute signature of hash. - int signature_len = PK11_SignatureLen(rsa_key->key()); + int signature_len = PK11_SignatureLen(rsa_key.get()); if (signature_len <= 0) { state->OnError(FROM_HERE, kErrorInternal); return; @@ -473,7 +483,7 @@ void SignRSAOnWorkerThread(scoped_ptr<SignRSAState> state) { std::vector<unsigned char> signature(signature_len); SECItem signature_output = { siBuffer, vector_as_array(&signature), signature.size()}; - if (PK11_Sign(rsa_key->key(), &signature_output, &input) == SECSuccess) + if (PK11_Sign(rsa_key.get(), &signature_output, &input) == SECSuccess) signature_str.assign(signature.begin(), signature.end()); } else { SECOidTag sign_alg_tag = SEC_OID_UNKNOWN; @@ -499,7 +509,7 @@ void SignRSAOnWorkerThread(scoped_ptr<SignRSAState> state) { if (SEC_SignData( &sign_result, reinterpret_cast<const unsigned char*>(state->data_.data()), - state->data_.size(), rsa_key->key(), sign_alg_tag) == SECSuccess) { + state->data_.size(), rsa_key.get(), sign_alg_tag) == SECSuccess) { signature_str.assign(sign_result.data, sign_result.data + sign_result.len); } |