search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll libvpx 861f35:1fff3e
[chromium-blink-merge.git] / net / ssl / openssl_platform_key_win.cc
blobc250581cfa9337e51cdc1a7ef794713dae6376e1
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/ssl/openssl_platform_key.h"
6
7 #include <windows.h>
8 #include <NCrypt.h>
9
10 #include <string.h>
11
12 #include <algorithm>
13 #include <vector>
14
15 #include <openssl/bn.h>
16 #include <openssl/digest.h>
17 #include <openssl/ec_key.h>
18 #include <openssl/err.h>
19 #include <openssl/engine.h>
20 #include <openssl/evp.h>
21 #include <openssl/md5.h>
22 #include <openssl/obj_mac.h>
23 #include <openssl/rsa.h>
24 #include <openssl/sha.h>
25 #include <openssl/x509.h>
26
27 #include "base/debug/debugger.h"
28 #include "base/debug/stack_trace.h"
29 #include "base/lazy_instance.h"
30 #include "base/logging.h"
31 #include "base/memory/scoped_ptr.h"
32 #include "base/win/windows_version.h"
33 #include "crypto/openssl_util.h"
34 #include "crypto/scoped_capi_types.h"
35 #include "crypto/wincrypt_shim.h"
36 #include "net/base/net_errors.h"
37 #include "net/cert/x509_certificate.h"
38 #include "net/ssl/openssl_ssl_util.h"
39 #include "net/ssl/scoped_openssl_types.h"
40
41 namespace net {
42
43 namespace {
44
45 using NCryptFreeObjectFunc = SECURITY_STATUS(WINAPI*)(NCRYPT_HANDLE);
46 using NCryptSignHashFunc =
47 SECURITY_STATUS(WINAPI*)(NCRYPT_KEY_HANDLE, // hKey
48 VOID*, // pPaddingInfo
49 PBYTE, // pbHashValue
50 DWORD, // cbHashValue
51 PBYTE, // pbSignature
52 DWORD, // cbSignature
53 DWORD*, // pcbResult
54 DWORD); // dwFlags
55
56 class CNGFunctions {
57 public:
58 CNGFunctions()
59 : ncrypt_free_object_(nullptr),
60 ncrypt_sign_hash_(nullptr) {
61 HMODULE ncrypt = GetModuleHandle(L"ncrypt.dll");
62 if (ncrypt != nullptr) {
63 ncrypt_free_object_ = reinterpret_cast<NCryptFreeObjectFunc>(
64 GetProcAddress(ncrypt, "NCryptFreeObject"));
65 ncrypt_sign_hash_ = reinterpret_cast<NCryptSignHashFunc>(
66 GetProcAddress(ncrypt, "NCryptSignHash"));
67 }
68 }
69
70 NCryptFreeObjectFunc ncrypt_free_object() const {
71 return ncrypt_free_object_;
72 }
73
74 NCryptSignHashFunc ncrypt_sign_hash() const { return ncrypt_sign_hash_; }
75
76 private:
77 NCryptFreeObjectFunc ncrypt_free_object_;
78 NCryptSignHashFunc ncrypt_sign_hash_;
79 };
80
81 base::LazyInstance<CNGFunctions>::Leaky g_cng_functions =
82 LAZY_INSTANCE_INITIALIZER;
83
84 struct CERT_KEY_CONTEXTDeleter {
85 void operator()(PCERT_KEY_CONTEXT key) {
86 if (key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
87 g_cng_functions.Get().ncrypt_free_object()(key->hNCryptKey);
88 } else {
89 CryptReleaseContext(key->hCryptProv, 0);
90 }
91 delete key;
92 }
93 };
94
95 using ScopedCERT_KEY_CONTEXT =
96 scoped_ptr<CERT_KEY_CONTEXT, CERT_KEY_CONTEXTDeleter>;
97
98 // KeyExData contains the data that is contained in the EX_DATA of the
99 // RSA and ECDSA objects that are created to wrap Windows system keys.
100 struct KeyExData {
101 KeyExData(ScopedCERT_KEY_CONTEXT key, size_t key_length)
102 : key(key.Pass()), key_length(key_length) {}
103
104 ScopedCERT_KEY_CONTEXT key;
105 size_t key_length;
106 };
107
108 // ExDataDup is called when one of the RSA or EC_KEY objects is
109 // duplicated. This is not supported and should never happen.
110 int ExDataDup(CRYPTO_EX_DATA* to,
111 const CRYPTO_EX_DATA* from,
112 void** from_d,
113 int idx,
114 long argl,
115 void* argp) {
116 CHECK_EQ((void*)nullptr, *from_d);
117 return 0;
118 }
119
120 // ExDataFree is called when one of the RSA or EC_KEY objects is freed.
121 void ExDataFree(void* parent,
122 void* ptr,
123 CRYPTO_EX_DATA* ex_data,
124 int idx,
125 long argl,
126 void* argp) {
127 KeyExData* data = reinterpret_cast<KeyExData*>(ptr);
128 delete data;
129 }
130
131 extern const RSA_METHOD win_rsa_method;
132 extern const ECDSA_METHOD win_ecdsa_method;
133
134 // BoringSSLEngine is a BoringSSL ENGINE that implements RSA and ECDSA
135 // by forwarding the requested operations to CAPI or CNG.
136 class BoringSSLEngine {
137 public:
138 BoringSSLEngine()
139 : rsa_index_(RSA_get_ex_new_index(0 /* argl */,
140 nullptr /* argp */,
141 nullptr /* new_func */,
142 ExDataDup,
143 ExDataFree)),
144 ec_key_index_(EC_KEY_get_ex_new_index(0 /* argl */,
145 nullptr /* argp */,
146 nullptr /* new_func */,
147 ExDataDup,
148 ExDataFree)),
149 engine_(ENGINE_new()) {
150 ENGINE_set_RSA_method(engine_, &win_rsa_method, sizeof(win_rsa_method));
151 ENGINE_set_ECDSA_method(engine_, &win_ecdsa_method,
152 sizeof(win_ecdsa_method));
153 }
154
155 int rsa_ex_index() const { return rsa_index_; }
156 int ec_key_ex_index() const { return ec_key_index_; }
157
158 const ENGINE* engine() const { return engine_; }
159
160 private:
161 const int rsa_index_;
162 const int ec_key_index_;
163 ENGINE* const engine_;
164 };
165
166 base::LazyInstance<BoringSSLEngine>::Leaky global_boringssl_engine =
167 LAZY_INSTANCE_INITIALIZER;
168
169 // Signs |in| with |key|, writing the output to |out| and the size to |out_len|.
170 // Although the buffer is preallocated, this calls NCryptSignHash twice. Some
171 // smartcards are buggy and assume the two-call pattern. See
172 // https://crbug.com/470204. Returns true on success and false on error.
173 bool DoNCryptSignHash(NCRYPT_KEY_HANDLE key,
174 void* padding,
175 const BYTE* in,
176 DWORD in_len,
177 BYTE* out,
178 DWORD max_out,
179 DWORD* out_len,
180 DWORD flags) {
181 // Determine the output length.
182 DWORD signature_len;
183 SECURITY_STATUS ncrypt_status = g_cng_functions.Get().ncrypt_sign_hash()(
184 key, padding, const_cast<BYTE*>(in), in_len, nullptr, 0, &signature_len,
185 flags);
186 if (FAILED(ncrypt_status)) {
187 LOG(ERROR) << "NCryptSignHash failed: " << ncrypt_status;
188 return false;
189 }
190 // Check |max_out| externally rather than trust the smartcard.
191 if (signature_len == 0 || signature_len > max_out) {
192 LOG(ERROR) << "Bad signature length.";
193 return false;
194 }
195 // It is important that |signature_len| already be initialized with the
196 // correct size. Some smartcards are buggy and do not write to it on the
197 // second call.
198 ncrypt_status = g_cng_functions.Get().ncrypt_sign_hash()(
199 key, padding, const_cast<PBYTE>(in), in_len, out, signature_len,
200 &signature_len, flags);
201 if (FAILED(ncrypt_status)) {
202 LOG(ERROR) << "NCryptSignHash failed: " << ncrypt_status;
203 return false;
204 }
205 if (signature_len == 0) {
206 LOG(ERROR) << "Bad signature length.";
207 return false;
208 }
209 *out_len = signature_len;
210 return true;
211 }
212
213 // Custom RSA_METHOD that uses the platform APIs for signing.
214
215 const KeyExData* RsaGetExData(const RSA* rsa) {
216 return reinterpret_cast<const KeyExData*>(
217 RSA_get_ex_data(rsa, global_boringssl_engine.Get().rsa_ex_index()));
218 }
219
220 size_t RsaMethodSize(const RSA* rsa) {
221 const KeyExData* ex_data = RsaGetExData(rsa);
222 return (ex_data->key_length + 7) / 8;
223 }
224
225 int RsaMethodSign(int hash_nid,
226 const uint8_t* in,
227 unsigned in_len,
228 uint8_t* out,
229 unsigned* out_len,
230 const RSA* rsa) {
231 // TODO(davidben): Switch BoringSSL's sign hook to using size_t rather than
232 // unsigned.
233 const KeyExData* ex_data = RsaGetExData(rsa);
234 if (!ex_data) {
235 NOTREACHED();
236 OPENSSL_PUT_ERROR(RSA, RSA_sign, ERR_R_INTERNAL_ERROR);
237 return 0;
238 }
239
240 if (ex_data->key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
241 BCRYPT_PKCS1_PADDING_INFO rsa_padding_info;
242 switch (hash_nid) {
243 case NID_md5_sha1:
244 rsa_padding_info.pszAlgId = nullptr;
245 break;
246 case NID_sha1:
247 rsa_padding_info.pszAlgId = BCRYPT_SHA1_ALGORITHM;
248 break;
249 case NID_sha256:
250 rsa_padding_info.pszAlgId = BCRYPT_SHA256_ALGORITHM;
251 break;
252 case NID_sha384:
253 rsa_padding_info.pszAlgId = BCRYPT_SHA384_ALGORITHM;
254 break;
255 case NID_sha512:
256 rsa_padding_info.pszAlgId = BCRYPT_SHA512_ALGORITHM;
257 break;
258 default:
259 OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_UNKNOWN_ALGORITHM_TYPE);
260 return 0;
261 }
262
263 DWORD signature_len;
264 if (!DoNCryptSignHash(ex_data->key->hNCryptKey, &rsa_padding_info, in,
265 in_len, out, RSA_size(rsa), &signature_len,
266 BCRYPT_PAD_PKCS1)) {
267 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
268 return 0;
269 }
270 *out_len = signature_len;
271 return 1;
272 }
273
274 ALG_ID hash_alg;
275 switch (hash_nid) {
276 case NID_md5_sha1:
277 hash_alg = CALG_SSL3_SHAMD5;
278 break;
279 case NID_sha1:
280 hash_alg = CALG_SHA1;
281 break;
282 case NID_sha256:
283 hash_alg = CALG_SHA_256;
284 break;
285 case NID_sha384:
286 hash_alg = CALG_SHA_384;
287 break;
288 case NID_sha512:
289 hash_alg = CALG_SHA_512;
290 break;
291 default:
292 OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_UNKNOWN_ALGORITHM_TYPE);
293 return 0;
294 }
295
296 HCRYPTHASH hash;
297 if (!CryptCreateHash(ex_data->key->hCryptProv, hash_alg, 0, 0, &hash)) {
298 PLOG(ERROR) << "CreateCreateHash failed";
299 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
300 return 0;
301 }
302 DWORD hash_len;
303 DWORD arg_len = sizeof(hash_len);
304 if (!CryptGetHashParam(hash, HP_HASHSIZE, reinterpret_cast<BYTE*>(&hash_len),
305 &arg_len, 0)) {
306 PLOG(ERROR) << "CryptGetHashParam HP_HASHSIZE failed";
307 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
308 return 0;
309 }
310 if (hash_len != in_len) {
311 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
312 return 0;
313 }
314 if (!CryptSetHashParam(hash, HP_HASHVAL, const_cast<BYTE*>(in), 0)) {
315 PLOG(ERROR) << "CryptSetHashParam HP_HASHVAL failed";
316 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
317 return 0;
318 }
319 DWORD signature_len = RSA_size(rsa);
320 if (!CryptSignHash(hash, ex_data->key->dwKeySpec, nullptr, 0, out,
321 &signature_len)) {
322 PLOG(ERROR) << "CryptSignHash failed";
323 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
324 return 0;
325 }
326
327 /* CryptoAPI signs in little-endian, so reverse it. */
328 std::reverse(out, out + signature_len);
329 *out_len = signature_len;
330 return 1;
331 }
332
333 int RsaMethodEncrypt(RSA* rsa,
334 size_t* out_len,
335 uint8_t* out,
336 size_t max_out,
337 const uint8_t* in,
338 size_t in_len,
339 int padding) {
340 NOTIMPLEMENTED();
341 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_UNKNOWN_ALGORITHM_TYPE);
342 return 0;
343 }
344
345 int RsaMethodSignRaw(RSA* rsa,
346 size_t* out_len,
347 uint8_t* out,
348 size_t max_out,
349 const uint8_t* in,
350 size_t in_len,
351 int padding) {
352 NOTIMPLEMENTED();
353 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_UNKNOWN_ALGORITHM_TYPE);
354 return 0;
355 }
356
357 int RsaMethodDecrypt(RSA* rsa,
358 size_t* out_len,
359 uint8_t* out,
360 size_t max_out,
361 const uint8_t* in,
362 size_t in_len,
363 int padding) {
364 NOTIMPLEMENTED();
365 OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_UNKNOWN_ALGORITHM_TYPE);
366 return 0;
367 }
368
369 int RsaMethodVerifyRaw(RSA* rsa,
370 size_t* out_len,
371 uint8_t* out,
372 size_t max_out,
373 const uint8_t* in,
374 size_t in_len,
375 int padding) {
376 NOTIMPLEMENTED();
377 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_UNKNOWN_ALGORITHM_TYPE);
378 return 0;
379 }
380
381 int RsaMethodSupportsDigest(const RSA* rsa, const EVP_MD* md) {
382 const KeyExData* ex_data = RsaGetExData(rsa);
383 if (!ex_data) {
384 NOTREACHED();
385 return 0;
386 }
387
388 int hash_nid = EVP_MD_type(md);
389 if (ex_data->key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
390 // Only hashes which appear in RsaSignPKCS1 are supported.
391 if (hash_nid != NID_sha1 && hash_nid != NID_sha256 &&
392 hash_nid != NID_sha384 && hash_nid != NID_sha512) {
393 return 0;
394 }
395
396 // If the key is a 1024-bit RSA, assume conservatively that it may only be
397 // able to sign SHA-1 hashes. This is the case for older Estonian ID cards
398 // that have 1024-bit RSA keys.
399 //
400 // CNG does provide NCryptIsAlgSupported and NCryptEnumAlgorithms functions,
401 // however they seem to both return NTE_NOT_SUPPORTED when querying the
402 // NCRYPT_PROV_HANDLE at the key's NCRYPT_PROVIDER_HANDLE_PROPERTY.
403 if (ex_data->key_length <= 1024 && hash_nid != NID_sha1)
404 return 0;
405
406 return 1;
407 } else {
408 // If the key is in CAPI, assume conservatively that the CAPI service
409 // provider may only be able to sign SHA-1 hashes.
410 return hash_nid == NID_sha1;
411 }
412 }
413
414 const RSA_METHOD win_rsa_method = {
415 {
416 0, // references
417 1, // is_static
418 },
419 nullptr, // app_data
420
421 nullptr, // init
422 nullptr, // finish
423 RsaMethodSize,
424 RsaMethodSign,
425 nullptr, // verify
426 RsaMethodEncrypt,
427 RsaMethodSignRaw,
428 RsaMethodDecrypt,
429 RsaMethodVerifyRaw,
430 nullptr, // private_transform
431 nullptr, // mod_exp
432 nullptr, // bn_mod_exp
433 RSA_FLAG_OPAQUE,
434 nullptr, // keygen
435 RsaMethodSupportsDigest,
436 };
437
438 // Custom ECDSA_METHOD that uses the platform APIs.
439 // Note that for now, only signing through ECDSA_sign() is really supported.
440 // all other method pointers are either stubs returning errors, or no-ops.
441
442 const KeyExData* EcKeyGetExData(const EC_KEY* ec_key) {
443 return reinterpret_cast<const KeyExData*>(EC_KEY_get_ex_data(
444 ec_key, global_boringssl_engine.Get().ec_key_ex_index()));
445 }
446
447 size_t EcdsaMethodGroupOrderSize(const EC_KEY* ec_key) {
448 const KeyExData* ex_data = EcKeyGetExData(ec_key);
449 // key_length is the size of the group order for EC keys.
450 return (ex_data->key_length + 7) / 8;
451 }
452
453 int EcdsaMethodSign(const uint8_t* digest,
454 size_t digest_len,
455 uint8_t* out_sig,
456 unsigned int* out_sig_len,
457 EC_KEY* ec_key) {
458 const KeyExData* ex_data = EcKeyGetExData(ec_key);
459 // Only CNG supports ECDSA.
460 if (!ex_data || ex_data->key->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
461 NOTREACHED();
462 OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
463 return 0;
464 }
465
466 // An ECDSA signature is two integers, modulo the order of the group.
467 size_t order_len = (ex_data->key_length + 7) / 8;
468 if (order_len == 0) {
469 NOTREACHED();
470 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
471 return 0;
472 }
473 std::vector<uint8_t> raw_sig(order_len * 2);
474
475 DWORD signature_len;
476 if (!DoNCryptSignHash(ex_data->key->hNCryptKey, nullptr, digest, digest_len,
477 &raw_sig[0], raw_sig.size(), &signature_len, 0)) {
478 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
479 return 0;
480 }
481 if (signature_len != raw_sig.size()) {
482 LOG(ERROR) << "Bad signature length";
483 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
484 return 0;
485 }
486
487 // Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
488 crypto::ScopedECDSA_SIG sig(ECDSA_SIG_new());
489 if (!sig) {
490 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
491 return 0;
492 }
493 sig->r = BN_bin2bn(&raw_sig[0], order_len, nullptr);
494 sig->s = BN_bin2bn(&raw_sig[order_len], order_len, nullptr);
495 if (!sig->r || !sig->s) {
496 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
497 return 0;
498 }
499
500 // Ensure the DER-encoded signature fits in the bounds.
501 int len = i2d_ECDSA_SIG(sig.get(), nullptr);
502 if (len < 0 || static_cast<size_t>(len) > ECDSA_size(ec_key)) {
503 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
504 return 0;
505 }
506
507 len = i2d_ECDSA_SIG(sig.get(), &out_sig);
508 if (len < 0) {
509 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
510 return 0;
511 }
512 *out_sig_len = len;
513 return 1;
514 }
515
516 int EcdsaMethodVerify(const uint8_t* digest,
517 size_t digest_len,
518 const uint8_t* sig,
519 size_t sig_len,
520 EC_KEY* eckey) {
521 NOTIMPLEMENTED();
522 OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ECDSA_R_NOT_IMPLEMENTED);
523 return 0;
524 }
525
526 const ECDSA_METHOD win_ecdsa_method = {
527 {
528 0, // references
529 1, // is_static
530 },
531 nullptr, // app_data
532
533 nullptr, // init
534 nullptr, // finish
535 EcdsaMethodGroupOrderSize,
536 EcdsaMethodSign,
537 EcdsaMethodVerify,
538 ECDSA_FLAG_OPAQUE,
539 };
540
541 // Determines the key type and length of |certificate|'s public key. The type is
542 // returned as an OpenSSL EVP_PKEY type. The key length for RSA key is the size
543 // of the RSA modulus in bits. For an ECDSA key, it is the number of bits to
544 // represent the group order. It returns true on success and false on failure.
545 bool GetKeyInfo(const X509Certificate* certificate,
546 int* out_type,
547 size_t* out_length) {
548 crypto::OpenSSLErrStackTracer tracker(FROM_HERE);
549
550 std::string der_encoded;
551 if (!X509Certificate::GetDEREncoded(certificate->os_cert_handle(),
552 &der_encoded))
553 return false;
554 const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
555 ScopedX509 x509(d2i_X509(NULL, &bytes, der_encoded.size()));
556 if (!x509)
557 return false;
558 crypto::ScopedEVP_PKEY key(X509_get_pubkey(x509.get()));
559 if (!key)
560 return false;
561 *out_type = EVP_PKEY_id(key.get());
562 *out_length = EVP_PKEY_bits(key.get());
563 return true;
564 }
565
566 crypto::ScopedEVP_PKEY CreateRSAWrapper(ScopedCERT_KEY_CONTEXT key,
567 size_t key_length) {
568 crypto::ScopedRSA rsa(RSA_new_method(global_boringssl_engine.Get().engine()));
569 if (!rsa)
570 return nullptr;
571
572 RSA_set_ex_data(rsa.get(), global_boringssl_engine.Get().rsa_ex_index(),
573 new KeyExData(key.Pass(), key_length));
574
575 crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
576 if (!pkey || !EVP_PKEY_set1_RSA(pkey.get(), rsa.get()))
577 return nullptr;
578 return pkey.Pass();
579 }
580
581 crypto::ScopedEVP_PKEY CreateECDSAWrapper(ScopedCERT_KEY_CONTEXT key,
582 size_t key_length) {
583 crypto::ScopedEC_KEY ec_key(
584 EC_KEY_new_method(global_boringssl_engine.Get().engine()));
585 if (!ec_key)
586 return nullptr;
587
588 EC_KEY_set_ex_data(ec_key.get(),
589 global_boringssl_engine.Get().ec_key_ex_index(),
590 new KeyExData(key.Pass(), key_length));
591
592 crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
593 if (!pkey || !EVP_PKEY_set1_EC_KEY(pkey.get(), ec_key.get()))
594 return nullptr;
595
596 return pkey.Pass();
597 }
598
599 } // namespace
600
601 crypto::ScopedEVP_PKEY FetchClientCertPrivateKey(
602 const X509Certificate* certificate) {
603 PCCERT_CONTEXT cert_context = certificate->os_cert_handle();
604
605 HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov = 0;
606 DWORD key_spec = 0;
607 BOOL must_free = FALSE;
608 DWORD flags = 0;
609 if (base::win::GetVersion() >= base::win::VERSION_VISTA)
610 flags |= CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
611
612 if (!CryptAcquireCertificatePrivateKey(cert_context, flags, nullptr,
613 &crypt_prov, &key_spec, &must_free)) {
614 PLOG(WARNING) << "Could not acquire private key";
615 return nullptr;
616 }
617
618 // Should never get a cached handle back - ownership must always be
619 // transferred.
620 CHECK_EQ(must_free, TRUE);
621 ScopedCERT_KEY_CONTEXT key(new CERT_KEY_CONTEXT);
622 key->dwKeySpec = key_spec;
623 key->hCryptProv = crypt_prov;
624
625 // Rather than query the private key for metadata, extract the public key from
626 // the certificate without using Windows APIs. CAPI and CNG do not
627 // consistently work depending on the system. See https://crbug.com/468345.
628 int key_type;
629 size_t key_length;
630 if (!GetKeyInfo(certificate, &key_type, &key_length))
631 return nullptr;
632
633 switch (key_type) {
634 case EVP_PKEY_RSA:
635 return CreateRSAWrapper(key.Pass(), key_length);
636 case EVP_PKEY_EC:
637 return CreateECDSAWrapper(key.Pass(), key_length);
638 default:
639 return nullptr;
640 }
641 }
642
643 } // namespace net