1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CRYPTO_EC_PRIVATE_KEY_H_
#define CRYPTO_EC_PRIVATE_KEY_H_
#include <string>
#include <vector>
#include "base/basictypes.h"
#include "build/build_config.h"
#include "crypto/crypto_export.h"
#if defined(USE_OPENSSL)
// Forward declaration for openssl/*.h
typedef struct evp_pkey_st EVP_PKEY;
#else
// Forward declaration.
typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
typedef struct PK11SlotInfoStr PK11SlotInfo;
typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey;
typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
#endif
namespace crypto {
// Encapsulates an elliptic curve (EC) private key. Can be used to generate new
// keys, export keys to other formats, or to extract a public key.
// TODO(mattm): make this and RSAPrivateKey implement some PrivateKey interface.
// (The difference in types of key() and public_key() make this a little
// tricky.)
class CRYPTO_EXPORT ECPrivateKey {
public:
~ECPrivateKey();
// Returns whether the system supports elliptic curve cryptography.
static bool IsSupported();
// Creates a new random instance. Can return NULL if initialization fails.
// The created key will use the NIST P-256 curve.
// TODO(mattm): Add a curve parameter.
static ECPrivateKey* Create();
#if defined(USE_NSS)
// Creates a new random instance in |slot|. Can return NULL if initialization
// fails. The created key is permanent and is not exportable in plaintext
// form.
static ECPrivateKey* CreateSensitive(PK11SlotInfo* slot);
#endif
// Creates a new instance by importing an existing key pair.
// The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo
// block and an X.509 SubjectPublicKeyInfo block.
// Returns NULL if initialization fails.
static ECPrivateKey* CreateFromEncryptedPrivateKeyInfo(
const std::string& password,
const std::vector<uint8>& encrypted_private_key_info,
const std::vector<uint8>& subject_public_key_info);
#if defined(USE_NSS)
// Creates a new instance in |slot| by importing an existing key pair.
// The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo
// block and an X.509 SubjectPublicKeyInfo block.
// This can return NULL if initialization fails. The created key is permanent
// and is not exportable in plaintext form.
static ECPrivateKey* CreateSensitiveFromEncryptedPrivateKeyInfo(
PK11SlotInfo* slot,
const std::string& password,
const std::vector<uint8>& encrypted_private_key_info,
const std::vector<uint8>& subject_public_key_info);
#endif
#if !defined(USE_OPENSSL)
// Imports the key pair into |slot| and returns in |public_key| and |key|.
// Shortcut for code that needs to keep a reference directly to NSS types
// without having to create a ECPrivateKey object and make a copy of them.
// TODO(mattm): move this function to some NSS util file.
static bool ImportFromEncryptedPrivateKeyInfo(
PK11SlotInfo* slot,
const std::string& password,
const uint8* encrypted_private_key_info,
size_t encrypted_private_key_info_len,
CERTSubjectPublicKeyInfo* decoded_spki,
bool permanent,
bool sensitive,
SECKEYPrivateKey** key,
SECKEYPublicKey** public_key);
// Returns a copy of the object.
ECPrivateKey* Copy() const;
#endif
#if defined(USE_OPENSSL)
EVP_PKEY* key() { return key_; }
#else
SECKEYPrivateKey* key() { return key_; }
SECKEYPublicKey* public_key() { return public_key_; }
#endif
// Exports the private key as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo
// block and the public key as an X.509 SubjectPublicKeyInfo block.
// The |password| and |iterations| are used as inputs to the key derivation
// function for generating the encryption key. PKCS #5 recommends a minimum
// of 1000 iterations, on modern systems a larger value may be preferrable.
bool ExportEncryptedPrivateKey(const std::string& password,
int iterations,
std::vector<uint8>* output);
// Exports the public key to an X.509 SubjectPublicKeyInfo block.
bool ExportPublicKey(std::vector<uint8>* output);
// Exports the public key as an EC point in the uncompressed point format.
bool ExportRawPublicKey(std::string* output);
// Exports private key data for testing. The format of data stored into output
// doesn't matter other than that it is consistent for the same key.
bool ExportValue(std::vector<uint8>* output);
bool ExportECParams(std::vector<uint8>* output);
private:
// Constructor is private. Use one of the Create*() methods above instead.
ECPrivateKey();
#if !defined(USE_OPENSSL)
// Shared helper for Create() and CreateSensitive().
// TODO(cmasone): consider replacing |permanent| and |sensitive| with a
// flags arg created by ORing together some enumerated values.
static ECPrivateKey* CreateWithParams(PK11SlotInfo* slot,
bool permanent,
bool sensitive);
// Shared helper for CreateFromEncryptedPrivateKeyInfo() and
// CreateSensitiveFromEncryptedPrivateKeyInfo().
static ECPrivateKey* CreateFromEncryptedPrivateKeyInfoWithParams(
PK11SlotInfo* slot,
const std::string& password,
const std::vector<uint8>& encrypted_private_key_info,
const std::vector<uint8>& subject_public_key_info,
bool permanent,
bool sensitive);
#endif
#if defined(USE_OPENSSL)
EVP_PKEY* key_;
#else
SECKEYPrivateKey* key_;
SECKEYPublicKey* public_key_;
#endif
DISALLOW_COPY_AND_ASSIGN(ECPrivateKey);
};
} // namespace crypto
#endif // CRYPTO_EC_PRIVATE_KEY_H_
|