blob: 650c4ef484a41013c8bd9e7929ee047857f78fec [file] [log] [blame]
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/ssl/ssl_platform_key.h"
#include <openssl/digest.h>
#include <openssl/evp.h>
#include "base/logging.h"
#include "base/macros.h"
#include "crypto/scoped_openssl_types.h"
#include "net/base/net_errors.h"
#include "net/ssl/openssl_client_key_store.h"
#include "net/ssl/ssl_platform_key_task_runner.h"
#include "net/ssl/ssl_private_key.h"
#include "net/ssl/threaded_ssl_private_key.h"
namespace net {
namespace {
class SSLPlatformKeyAndroid : public ThreadedSSLPrivateKey::Delegate {
public:
SSLPlatformKeyAndroid(crypto::ScopedEVP_PKEY key, SSLPrivateKey::Type type)
: key_(key.Pass()), type_(type) {}
~SSLPlatformKeyAndroid() override {}
SSLPrivateKey::Type GetType() override { return type_; }
std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override {
static const SSLPrivateKey::Hash kHashes[] = {
SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384,
SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1};
return std::vector<SSLPrivateKey::Hash>(kHashes,
kHashes + arraysize(kHashes));
}
size_t GetMaxSignatureLengthInBytes() override {
return EVP_PKEY_size(key_.get());
}
Error SignDigest(SSLPrivateKey::Hash hash,
const base::StringPiece& input,
std::vector<uint8_t>* signature) override {
crypto::ScopedEVP_PKEY_CTX ctx =
crypto::ScopedEVP_PKEY_CTX(EVP_PKEY_CTX_new(key_.get(), NULL));
if (!ctx)
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
if (!EVP_PKEY_sign_init(ctx.get()))
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
if (type_ == SSLPrivateKey::Type::RSA) {
const EVP_MD* digest = nullptr;
switch (hash) {
case SSLPrivateKey::Hash::MD5_SHA1:
digest = EVP_md5_sha1();
break;
case SSLPrivateKey::Hash::SHA1:
digest = EVP_sha1();
break;
case SSLPrivateKey::Hash::SHA256:
digest = EVP_sha256();
break;
case SSLPrivateKey::Hash::SHA384:
digest = EVP_sha384();
break;
case SSLPrivateKey::Hash::SHA512:
digest = EVP_sha512();
break;
default:
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
DCHECK(digest);
if (!EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_PKCS1_PADDING))
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
if (!EVP_PKEY_CTX_set_signature_md(ctx.get(), digest))
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
const uint8_t* input_ptr = reinterpret_cast<const uint8_t*>(input.data());
size_t input_len = input.size();
size_t sig_len = 0;
if (!EVP_PKEY_sign(ctx.get(), NULL, &sig_len, input_ptr, input_len))
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
signature->resize(sig_len);
if (!EVP_PKEY_sign(ctx.get(), signature->data(), &sig_len, input_ptr,
input_len)) {
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
signature->resize(sig_len);
return OK;
}
private:
crypto::ScopedEVP_PKEY key_;
SSLPrivateKey::Type type_;
DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyAndroid);
};
scoped_refptr<SSLPrivateKey> WrapOpenSSLPrivateKey(crypto::ScopedEVP_PKEY key) {
if (!key)
return nullptr;
SSLPrivateKey::Type type;
switch (EVP_PKEY_id(key.get())) {
case EVP_PKEY_RSA:
type = SSLPrivateKey::Type::RSA;
break;
case EVP_PKEY_EC:
type = SSLPrivateKey::Type::ECDSA;
break;
default:
LOG(ERROR) << "Unknown key type: " << EVP_PKEY_id(key.get());
return nullptr;
}
return make_scoped_refptr(new ThreadedSSLPrivateKey(
make_scoped_ptr(new SSLPlatformKeyAndroid(key.Pass(), type)),
GetSSLPlatformKeyTaskRunner()));
}
} // namespace
scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(
X509Certificate* certificate) {
crypto::ScopedEVP_PKEY key =
OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
certificate);
return WrapOpenSSLPrivateKey(key.Pass());
}
} // namespace net