author | Cronet Mainline Eng <cronet-mainline-eng+copybara@google.com> | 2023-05-26 12:04:12 -0800 |
---|---|---|
committer | Patrick Rohr <prohr@google.com> | 2023-05-30 11:26:09 -0700 |
commit | 6e619ff2daf1f025aed9c3b67a7492b4b858f981 (patch) | |
tree | 155ec8924ad6503a06c8b09c0d1ec7c6a764278d /crypto | |
parent | eddec18c18cdbcbdbbe9bf3c0fa24cb7f8d768ae (diff) | |
download | cronet-6e619ff2daf1f025aed9c3b67a7492b4b858f981.tar.gz |
Import Cronet version 114.0.5735.53
Project import generated by Copybara.
FolderOrigin-RevId: /tmp/copybara-origin/src
Test: none
Change-Id: Ia2e49afefcd2e9ee2014009a31ac2d6786f86fbd
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/nss_key_util.cc | 63 | ||||
-rw-r--r-- | crypto/nss_key_util.h | 9 | ||||
-rw-r--r-- | crypto/nss_util_chromeos.cc | 5 |
3 files changed, 50 insertions, 27 deletions
diff --git a/crypto/nss_key_util.cc b/crypto/nss_key_util.cc
index 7bd39120d..a3e7c0ff6 100644
--- a/crypto/nss_key_util.cc
+++ b/crypto/nss_key_util.cc
@@ -19,30 +19,36 @@ namespace crypto {
-namespace {
+crypto::ScopedSECItem MakeNssIdFromPublicKey(SECKEYPublicKey* public_key) {
+ CHECK(public_key);
+
+ // See pk11_MakeIDFromPublicKey from NSS. For now, only RSA and EC public_keys
+ // are supported.
+ if (SECKEY_GetPublicKeyType(public_key) == rsaKey) {
+ return crypto::ScopedSECItem(
+ PK11_MakeIDFromPubKey(&public_key->u.rsa.modulus));
+ }
+ if (SECKEY_GetPublicKeyType(public_key) == ecKey) {
+ return crypto::ScopedSECItem(
+ PK11_MakeIDFromPubKey(&public_key->u.ec.publicValue));
+ }
+ return nullptr;
+}
-// Decodes |input| as a SubjectPublicKeyInfo and returns a SECItem containing
-// the CKA_ID of that public key or nullptr on error.
-ScopedSECItem MakeIDFromSPKI(base::span<const uint8_t> input) {
+ScopedSECItem MakeNssIdFromSpki(base::span<const uint8_t> input) {
 ScopedCERTSubjectPublicKeyInfo spki = DecodeSubjectPublicKeyInfoNSS(input);
- if (!spki)
+ if (!spki) {
 return nullptr;
+ }
- ScopedSECKEYPublicKey result(SECKEY_ExtractPublicKey(spki.get()));
- if (!result)
+ ScopedSECKEYPublicKey public_key(SECKEY_ExtractPublicKey(spki.get()));
+ if (!public_key) {
 return nullptr;
+ }
- // See pk11_MakeIDFromPublicKey from NSS. For now, only RSA and EC keys are
- // supported.
- if (SECKEY_GetPublicKeyType(result.get()) == rsaKey)
- return ScopedSECItem(PK11_MakeIDFromPubKey(&result->u.rsa.modulus));
- if (SECKEY_GetPublicKeyType(result.get()) == ecKey)
- return ScopedSECItem(PK11_MakeIDFromPubKey(&result->u.ec.publicValue));
- return nullptr;
+ return MakeNssIdFromPublicKey(public_key.get());
 }
-} // namespace
-
 bool GenerateRSAKeyPairNSS(PK11SlotInfo* slot,
 uint16_t num_bits,
 bool permanent,
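Review bot: The comment carried into `MakeNssIdFromPublicKey` now reads "only RSA and EC public_keys are supported", which looks like a search-and-replace artefact where `keys` became `public_keys`; it should read `// See pk11_MakeIDFromPublicKey from NSS. For now, only RSA and EC keys are` / `// supported.`. Inside `namespace crypto` the `crypto::ScopedSECItem` qualification on the return type and on both `return` expressions is redundant and differs from the unqualified `ScopedSECItem` that `MakeNssIdFromSpki` uses in the same hunk. `SECKEY_GetPublicKeyType(public_key)` is also evaluated twice; hoisting it as `const KeyType key_type = SECKEY_GetPublicKeyType(public_key);` and comparing `key_type` in the two `if`s reads more clearly. Since this function is now exported, the comment should also say that a key that is neither RSA nor EC yields nullptr, indistinguishably from a `PK11_MakeIDFromPubKey` failure.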
@@ -57,8 +63,9 @@ bool GenerateRSAKeyPairNSS(PK11SlotInfo* slot,
 private_key->reset(PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, ¶m, &public_key_raw, permanent, permanent /* sensitive */, nullptr));
- if (!*private_key)
+ if (!*private_key) {
 return false;
+ }
 public_key->reset(public_key_raw);
 return true;
@@ -95,8 +102,9 @@ bool GenerateECKeyPairNSS(PK11SlotInfo* slot,
 private_key->reset(PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, &ec_parameters, &public_key_raw, permanent, permanent, nullptr));
- if (!*private_key)
+ if (!*private_key) {
 return false;
+ }
 public_key->reset(public_key_raw);
 return true;
@@ -120,8 +128,9 @@ ScopedSECKEYPrivateKey ImportNSSKeyFromPrivateKeyInfo(
 SECStatus rv = SEC_QuickDERDecodeItem(arena.get(), &der_private_key_info, SEC_ASN1_GET(SEC_AnyTemplate), &input_item);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
 return nullptr;
+ }
 // Allow the private key to be used for key unwrapping, data decryption,
 // and signature generation.
@@ -131,8 +140,9 @@ ScopedSECKEYPrivateKey ImportNSSKeyFromPrivateKeyInfo(
 rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
 slot, &der_private_key_info, nullptr, nullptr, permanent, permanent /* sensitive */, key_usage, &key_raw, nullptr);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
 return nullptr;
+ }
 return ScopedSECKEYPrivateKey(key_raw);
 }
@@ -140,9 +150,10 @@ ScopedSECKEYPrivateKey FindNSSKeyFromPublicKeyInfo(
 base::span<const uint8_t> input) {
 EnsureNSSInit();
- ScopedSECItem cka_id(MakeIDFromSPKI(input));
- if (!cka_id)
+ ScopedSECItem cka_id(MakeNssIdFromSpki(input));
+ if (!cka_id) {
 return nullptr;
+ }
 // Search all slots in all modules for the key with the given ID.
 AutoSECMODListReadLock auto_lock;
@@ -154,8 +165,9 @@ ScopedSECKEYPrivateKey FindNSSKeyFromPublicKeyInfo(
 // Look for the key in slot |i|.
 ScopedSECKEYPrivateKey key(
 PK11_FindKeyByKeyID(item->module->slots[i], cka_id.get(), nullptr));
- if (key)
+ if (key) {
 return key;
+ }
 }
 }
@@ -168,9 +180,10 @@ ScopedSECKEYPrivateKey FindNSSKeyFromPublicKeyInfoInSlot(
 PK11SlotInfo* slot) {
 DCHECK(slot);
- ScopedSECItem cka_id(MakeIDFromSPKI(input));
- if (!cka_id)
+ ScopedSECItem cka_id(MakeNssIdFromSpki(input));
+ if (!cka_id) {
 return nullptr;
+ }
 return ScopedSECKEYPrivateKey(
 PK11_FindKeyByKeyID(slot, cka_id.get(), nullptr));
diff --git a/crypto/nss_key_util.h b/crypto/nss_key_util.h
index cbc3ea1c3..bb28f1d1f 100644
--- a/crypto/nss_key_util.h
+++ b/crypto/nss_key_util.h
@@ -17,6 +17,15 @@ typedef struct PK11SlotInfoStr PK11SlotInfo;
 namespace crypto {
+// Returns a SECItem containing the CKA_ID of the `public_key` or nullptr on
+// error.
+CRYPTO_EXPORT crypto::ScopedSECItem MakeNssIdFromPublicKey(
+ SECKEYPublicKey* public_key);
+
+// Decodes |input| as a SubjectPublicKeyInfo and returns a SECItem containing
+// the CKA_ID of that public key or nullptr on error.
+CRYPTO_EXPORT ScopedSECItem MakeNssIdFromSpki(base::span<const uint8_t> input);
+
 // Generates a new RSA key pair of size |num_bits| in |slot|. Returns true on
 // success and false on failure. If |permanent| is true, the resulting key is
 // permanent and is not exportable in plaintext form.
diff --git a/crypto/nss_util_chromeos.cc b/crypto/nss_util_chromeos.cc
index 760884079..a33e7c297 100644
--- a/crypto/nss_util_chromeos.cc
+++ b/crypto/nss_util_chromeos.cc
@@ -25,6 +25,7 @@
 #include "base/lazy_instance.h"
 #include "base/location.h"
 #include "base/logging.h"
+#include "base/memory/raw_ptr.h"
 #include "base/no_destructor.h"
 #include "base/path_service.h"
 #include "base/strings/string_piece.h"
@@ -148,7 +149,7 @@ class ChromeOSTokenManager {
 explicit TPMModuleAndSlot(SECMODModule* init_chaps_module)
 : chaps_module(init_chaps_module) {}
- SECMODModule* chaps_module;
+ raw_ptr<SECMODModule, ExperimentalAsh> chaps_module;
 ScopedPK11Slot tpm_slot;
 };
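Review bot: The new header comment on `MakeNssIdFromPublicKey` in the nss_key_util.h hunk says only "nullptr on error", but the implementation in nss_key_util.cc also returns nullptr for any key type other than RSA or EC and `CHECK`s the argument, both of which callers of a now-exported function need to know; suggest `// Returns a SECItem containing the CKA_ID of |public_key|, or nullptr on error` / `// or if |public_key| is not an RSA or EC key. |public_key| must not be null.` The comment also switches to backtick quoting for `public_key` while the rest of this header uses the |input| and |slot| form. The `crypto::` prefix on `crypto::ScopedSECItem` is redundant inside `namespace crypto` and differs from the unqualified return type of `MakeNssIdFromSpki` declared immediately below it.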
@@ -487,7 +488,7 @@ class ChromeOSTokenManager {
 std::unique_ptr<base::OnceClosureList> tpm_ready_callback_list_ =
 std::make_unique<base::OnceClosureList>();
- SECMODModule* chaps_module_ = nullptr;
+ raw_ptr<SECMODModule, ExperimentalAsh> chaps_module_ = nullptr;
 ScopedPK11Slot system_slot_;
 std::map<std::string, std::unique_ptr<ChromeOSUserData>> chromeos_user_map_;
 ScopedPK11Slot prepared_test_private_slot_; |