search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Clean up extension confirmation prompts and make them consistent between Views and...
[chromium-blink-merge.git] / net / ssl / openssl_platform_key_win.cc
blobd394f18c8fde483c5d2ae84efa4ebfa67e745441
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/ssl/openssl_platform_key.h"
6
7 #include <windows.h>
8 #include <NCrypt.h>
9
10 #include <string.h>
11
12 #include <algorithm>
13 #include <vector>
14
15 #include <openssl/bn.h>
16 #include <openssl/digest.h>
17 #include <openssl/ec_key.h>
18 #include <openssl/err.h>
19 #include <openssl/engine.h>
20 #include <openssl/evp.h>
21 #include <openssl/md5.h>
22 #include <openssl/obj_mac.h>
23 #include <openssl/rsa.h>
24 #include <openssl/sha.h>
25 #include <openssl/x509.h>
26
27 #include "base/debug/debugger.h"
28 #include "base/debug/stack_trace.h"
29 #include "base/lazy_instance.h"
30 #include "base/logging.h"
31 #include "base/memory/scoped_ptr.h"
32 #include "base/win/windows_version.h"
33 #include "crypto/openssl_util.h"
34 #include "crypto/scoped_capi_types.h"
35 #include "crypto/wincrypt_shim.h"
36 #include "net/base/net_errors.h"
37 #include "net/cert/x509_certificate.h"
38 #include "net/ssl/openssl_ssl_util.h"
39 #include "net/ssl/scoped_openssl_types.h"
40
41 namespace net {
42
43 namespace {
44
45 using NCryptFreeObjectFunc = SECURITY_STATUS(WINAPI*)(NCRYPT_HANDLE);
46 using NCryptSignHashFunc = SECURITY_STATUS(WINAPI*)(NCRYPT_KEY_HANDLE, // hKey
47 VOID*, // pPaddingInfo
48 BYTE*, // pbHashValue
49 DWORD, // cbHashValue
50 BYTE*, // pbSignature
51 DWORD, // cbSignature
52 DWORD*, // pcbResult
53 DWORD); // dwFlags
54
55 class CNGFunctions {
56 public:
57 CNGFunctions()
58 : ncrypt_free_object_(nullptr),
59 ncrypt_sign_hash_(nullptr) {
60 HMODULE ncrypt = GetModuleHandle(L"ncrypt.dll");
61 if (ncrypt != nullptr) {
62 ncrypt_free_object_ = reinterpret_cast<NCryptFreeObjectFunc>(
63 GetProcAddress(ncrypt, "NCryptFreeObject"));
64 ncrypt_sign_hash_ = reinterpret_cast<NCryptSignHashFunc>(
65 GetProcAddress(ncrypt, "NCryptSignHash"));
66 }
67 }
68
69 NCryptFreeObjectFunc ncrypt_free_object() const {
70 return ncrypt_free_object_;
71 }
72
73 NCryptSignHashFunc ncrypt_sign_hash() const { return ncrypt_sign_hash_; }
74
75 private:
76 NCryptFreeObjectFunc ncrypt_free_object_;
77 NCryptSignHashFunc ncrypt_sign_hash_;
78 };
79
80 base::LazyInstance<CNGFunctions>::Leaky g_cng_functions =
81 LAZY_INSTANCE_INITIALIZER;
82
83 struct CERT_KEY_CONTEXTDeleter {
84 void operator()(PCERT_KEY_CONTEXT key) {
85 if (key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
86 g_cng_functions.Get().ncrypt_free_object()(key->hNCryptKey);
87 } else {
88 CryptReleaseContext(key->hCryptProv, 0);
89 }
90 delete key;
91 }
92 };
93
94 using ScopedCERT_KEY_CONTEXT =
95 scoped_ptr<CERT_KEY_CONTEXT, CERT_KEY_CONTEXTDeleter>;
96
97 // KeyExData contains the data that is contained in the EX_DATA of the
98 // RSA and ECDSA objects that are created to wrap Windows system keys.
99 struct KeyExData {
100 KeyExData(ScopedCERT_KEY_CONTEXT key, size_t key_length)
101 : key(key.Pass()), key_length(key_length) {}
102
103 ScopedCERT_KEY_CONTEXT key;
104 size_t key_length;
105 };
106
107 // ExDataDup is called when one of the RSA or EC_KEY objects is
108 // duplicated. This is not supported and should never happen.
109 int ExDataDup(CRYPTO_EX_DATA* to,
110 const CRYPTO_EX_DATA* from,
111 void** from_d,
112 int idx,
113 long argl,
114 void* argp) {
115 CHECK_EQ((void*)nullptr, *from_d);
116 return 0;
117 }
118
119 // ExDataFree is called when one of the RSA or EC_KEY objects is freed.
120 void ExDataFree(void* parent,
121 void* ptr,
122 CRYPTO_EX_DATA* ex_data,
123 int idx,
124 long argl,
125 void* argp) {
126 KeyExData* data = reinterpret_cast<KeyExData*>(ptr);
127 delete data;
128 }
129
130 extern const RSA_METHOD win_rsa_method;
131 extern const ECDSA_METHOD win_ecdsa_method;
132
133 // BoringSSLEngine is a BoringSSL ENGINE that implements RSA and ECDSA
134 // by forwarding the requested operations to CAPI or CNG.
135 class BoringSSLEngine {
136 public:
137 BoringSSLEngine()
138 : rsa_index_(RSA_get_ex_new_index(0 /* argl */,
139 nullptr /* argp */,
140 nullptr /* new_func */,
141 ExDataDup,
142 ExDataFree)),
143 ec_key_index_(EC_KEY_get_ex_new_index(0 /* argl */,
144 nullptr /* argp */,
145 nullptr /* new_func */,
146 ExDataDup,
147 ExDataFree)),
148 engine_(ENGINE_new()) {
149 ENGINE_set_RSA_method(engine_, &win_rsa_method, sizeof(win_rsa_method));
150 ENGINE_set_ECDSA_method(engine_, &win_ecdsa_method,
151 sizeof(win_ecdsa_method));
152 }
153
154 int rsa_ex_index() const { return rsa_index_; }
155 int ec_key_ex_index() const { return ec_key_index_; }
156
157 const ENGINE* engine() const { return engine_; }
158
159 private:
160 const int rsa_index_;
161 const int ec_key_index_;
162 ENGINE* const engine_;
163 };
164
165 base::LazyInstance<BoringSSLEngine>::Leaky global_boringssl_engine =
166 LAZY_INSTANCE_INITIALIZER;
167
168 // Signs |in| with |key|, writing the output to |out| and the size to |out_len|.
169 // Although the buffer is preallocated, this calls NCryptSignHash twice. Some
170 // smartcards are buggy and assume the two-call pattern. See
171 // https://crbug.com/470204. Returns true on success and false on error.
172 bool DoNCryptSignHash(NCRYPT_KEY_HANDLE key,
173 void* padding,
174 const BYTE* in,
175 DWORD in_len,
176 BYTE* out,
177 DWORD max_out,
178 DWORD* out_len,
179 DWORD flags) {
180 // Determine the output length.
181 DWORD signature_len;
182 SECURITY_STATUS ncrypt_status = g_cng_functions.Get().ncrypt_sign_hash()(
183 key, padding, const_cast<BYTE*>(in), in_len, nullptr, 0, &signature_len,
184 flags);
185 if (FAILED(ncrypt_status)) {
186 LOG(ERROR) << "NCryptSignHash failed: " << ncrypt_status;
187 return false;
188 }
189 // Check |max_out| externally rather than trust the smartcard.
190 if (signature_len == 0 || signature_len > max_out) {
191 LOG(ERROR) << "Bad signature length.";
192 return false;
193 }
194 // It is important that |signature_len| already be initialized with the
195 // correct size. Some smartcards are buggy and do not write to it on the
196 // second call.
197 ncrypt_status = g_cng_functions.Get().ncrypt_sign_hash()(
198 key, padding, const_cast<BYTE*>(in), in_len, out, signature_len,
199 &signature_len, flags);
200 if (FAILED(ncrypt_status)) {
201 LOG(ERROR) << "NCryptSignHash failed: " << ncrypt_status;
202 return false;
203 }
204 if (signature_len == 0) {
205 LOG(ERROR) << "Bad signature length.";
206 return false;
207 }
208 *out_len = signature_len;
209 return true;
210 }
211
212 // Custom RSA_METHOD that uses the platform APIs for signing.
213
214 const KeyExData* RsaGetExData(const RSA* rsa) {
215 return reinterpret_cast<const KeyExData*>(
216 RSA_get_ex_data(rsa, global_boringssl_engine.Get().rsa_ex_index()));
217 }
218
219 size_t RsaMethodSize(const RSA* rsa) {
220 const KeyExData* ex_data = RsaGetExData(rsa);
221 return (ex_data->key_length + 7) / 8;
222 }
223
224 int RsaMethodSign(int hash_nid,
225 const uint8_t* in,
226 unsigned in_len,
227 uint8_t* out,
228 unsigned* out_len,
229 const RSA* rsa) {
230 // TODO(davidben): Switch BoringSSL's sign hook to using size_t rather than
231 // unsigned.
232 const KeyExData* ex_data = RsaGetExData(rsa);
233 if (!ex_data) {
234 NOTREACHED();
235 OPENSSL_PUT_ERROR(RSA, RSA_sign, ERR_R_INTERNAL_ERROR);
236 return 0;
237 }
238
239 if (ex_data->key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
240 BCRYPT_PKCS1_PADDING_INFO rsa_padding_info;
241 switch (hash_nid) {
242 case NID_md5_sha1:
243 rsa_padding_info.pszAlgId = nullptr;
244 break;
245 case NID_sha1:
246 rsa_padding_info.pszAlgId = BCRYPT_SHA1_ALGORITHM;
247 break;
248 case NID_sha256:
249 rsa_padding_info.pszAlgId = BCRYPT_SHA256_ALGORITHM;
250 break;
251 case NID_sha384:
252 rsa_padding_info.pszAlgId = BCRYPT_SHA384_ALGORITHM;
253 break;
254 case NID_sha512:
255 rsa_padding_info.pszAlgId = BCRYPT_SHA512_ALGORITHM;
256 break;
257 default:
258 OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_UNKNOWN_ALGORITHM_TYPE);
259 return 0;
260 }
261
262 DWORD signature_len;
263 if (!DoNCryptSignHash(ex_data->key->hNCryptKey, &rsa_padding_info, in,
264 in_len, out, RSA_size(rsa), &signature_len,
265 BCRYPT_PAD_PKCS1)) {
266 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
267 return 0;
268 }
269 *out_len = signature_len;
270 return 1;
271 }
272
273 ALG_ID hash_alg;
274 switch (hash_nid) {
275 case NID_md5_sha1:
276 hash_alg = CALG_SSL3_SHAMD5;
277 break;
278 case NID_sha1:
279 hash_alg = CALG_SHA1;
280 break;
281 case NID_sha256:
282 hash_alg = CALG_SHA_256;
283 break;
284 case NID_sha384:
285 hash_alg = CALG_SHA_384;
286 break;
287 case NID_sha512:
288 hash_alg = CALG_SHA_512;
289 break;
290 default:
291 OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_UNKNOWN_ALGORITHM_TYPE);
292 return 0;
293 }
294
295 crypto::ScopedHCRYPTHASH hash;
296 if (!CryptCreateHash(ex_data->key->hCryptProv, hash_alg, 0, 0,
297 hash.receive())) {
298 PLOG(ERROR) << "CreateCreateHash failed";
299 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
300 return 0;
301 }
302 DWORD hash_len;
303 DWORD arg_len = sizeof(hash_len);
304 if (!CryptGetHashParam(hash.get(), HP_HASHSIZE,
305 reinterpret_cast<BYTE*>(&hash_len), &arg_len, 0)) {
306 PLOG(ERROR) << "CryptGetHashParam HP_HASHSIZE failed";
307 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
308 return 0;
309 }
310 if (hash_len != in_len) {
311 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
312 return 0;
313 }
314 if (!CryptSetHashParam(hash.get(), HP_HASHVAL, const_cast<BYTE*>(in), 0)) {
315 PLOG(ERROR) << "CryptSetHashParam HP_HASHVAL failed";
316 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
317 return 0;
318 }
319 DWORD signature_len = RSA_size(rsa);
320 if (!CryptSignHash(hash.get(), ex_data->key->dwKeySpec, nullptr, 0, out,
321 &signature_len)) {
322 PLOG(ERROR) << "CryptSignHash failed";
323 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
324 return 0;
325 }
326
327 /* CryptoAPI signs in little-endian, so reverse it. */
328 std::reverse(out, out + signature_len);
329 *out_len = signature_len;
330 return 1;
331 }
332
333 int RsaMethodEncrypt(RSA* rsa,
334 size_t* out_len,
335 uint8_t* out,
336 size_t max_out,
337 const uint8_t* in,
338 size_t in_len,
339 int padding) {
340 NOTIMPLEMENTED();
341 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_UNKNOWN_ALGORITHM_TYPE);
342 return 0;
343 }
344
345 int RsaMethodSignRaw(RSA* rsa,
346 size_t* out_len,
347 uint8_t* out,
348 size_t max_out,
349 const uint8_t* in,
350 size_t in_len,
351 int padding) {
352 NOTIMPLEMENTED();
353 OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_UNKNOWN_ALGORITHM_TYPE);
354 return 0;
355 }
356
357 int RsaMethodDecrypt(RSA* rsa,
358 size_t* out_len,
359 uint8_t* out,
360 size_t max_out,
361 const uint8_t* in,
362 size_t in_len,
363 int padding) {
364 NOTIMPLEMENTED();
365 OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_UNKNOWN_ALGORITHM_TYPE);
366 return 0;
367 }
368
369 int RsaMethodVerifyRaw(RSA* rsa,
370 size_t* out_len,
371 uint8_t* out,
372 size_t max_out,
373 const uint8_t* in,
374 size_t in_len,
375 int padding) {
376 NOTIMPLEMENTED();
377 OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_UNKNOWN_ALGORITHM_TYPE);
378 return 0;
379 }
380
381 int RsaMethodSupportsDigest(const RSA* rsa, const EVP_MD* md) {
382 const KeyExData* ex_data = RsaGetExData(rsa);
383 if (!ex_data) {
384 NOTREACHED();
385 return 0;
386 }
387
388 int hash_nid = EVP_MD_type(md);
389 if (ex_data->key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
390 // Only hashes which appear in RsaSignPKCS1 are supported.
391 if (hash_nid != NID_sha1 && hash_nid != NID_sha256 &&
392 hash_nid != NID_sha384 && hash_nid != NID_sha512) {
393 return 0;
394 }
395
396 // If the key is a 1024-bit RSA, assume conservatively that it may only be
397 // able to sign SHA-1 hashes. This is the case for older Estonian ID cards
398 // that have 1024-bit RSA keys.
399 //
400 // CNG does provide NCryptIsAlgSupported and NCryptEnumAlgorithms functions,
401 // however they seem to both return NTE_NOT_SUPPORTED when querying the
402 // NCRYPT_PROV_HANDLE at the key's NCRYPT_PROVIDER_HANDLE_PROPERTY.
403 if (ex_data->key_length <= 1024 && hash_nid != NID_sha1)
404 return 0;
405
406 return 1;
407 } else {
408 // If the key is in CAPI, assume conservatively that the CAPI service
409 // provider may only be able to sign SHA-1 hashes.
410 return hash_nid == NID_sha1;
411 }
412 }
413
414 const RSA_METHOD win_rsa_method = {
415 {
416 0, // references
417 1, // is_static
418 },
419 nullptr, // app_data
420
421 nullptr, // init
422 nullptr, // finish
423 RsaMethodSize,
424 RsaMethodSign,
425 nullptr, // verify
426 RsaMethodEncrypt,
427 RsaMethodSignRaw,
428 RsaMethodDecrypt,
429 RsaMethodVerifyRaw,
430 nullptr, // private_transform
431 nullptr, // mod_exp
432 nullptr, // bn_mod_exp
433 RSA_FLAG_OPAQUE,
434 nullptr, // keygen
435 RsaMethodSupportsDigest,
436 };
437
438 // Custom ECDSA_METHOD that uses the platform APIs.
439 // Note that for now, only signing through ECDSA_sign() is really supported.
440 // all other method pointers are either stubs returning errors, or no-ops.
441
442 const KeyExData* EcKeyGetExData(const EC_KEY* ec_key) {
443 return reinterpret_cast<const KeyExData*>(EC_KEY_get_ex_data(
444 ec_key, global_boringssl_engine.Get().ec_key_ex_index()));
445 }
446
447 size_t EcdsaMethodGroupOrderSize(const EC_KEY* ec_key) {
448 const KeyExData* ex_data = EcKeyGetExData(ec_key);
449 // key_length is the size of the group order for EC keys.
450 return (ex_data->key_length + 7) / 8;
451 }
452
453 int EcdsaMethodSign(const uint8_t* digest,
454 size_t digest_len,
455 uint8_t* out_sig,
456 unsigned int* out_sig_len,
457 EC_KEY* ec_key) {
458 const KeyExData* ex_data = EcKeyGetExData(ec_key);
459 // Only CNG supports ECDSA.
460 if (!ex_data || ex_data->key->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
461 NOTREACHED();
462 OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
463 return 0;
464 }
465
466 // An ECDSA signature is two integers, modulo the order of the group.
467 size_t order_len = (ex_data->key_length + 7) / 8;
468 if (order_len == 0) {
469 NOTREACHED();
470 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
471 return 0;
472 }
473 std::vector<uint8_t> raw_sig(order_len * 2);
474
475 DWORD signature_len;
476 if (!DoNCryptSignHash(ex_data->key->hNCryptKey, nullptr, digest, digest_len,
477 &raw_sig[0], raw_sig.size(), &signature_len, 0)) {
478 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
479 return 0;
480 }
481 if (signature_len != raw_sig.size()) {
482 LOG(ERROR) << "Bad signature length";
483 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
484 return 0;
485 }
486
487 // Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
488 crypto::ScopedECDSA_SIG sig(ECDSA_SIG_new());
489 if (!sig) {
490 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
491 return 0;
492 }
493 sig->r = BN_bin2bn(&raw_sig[0], order_len, nullptr);
494 sig->s = BN_bin2bn(&raw_sig[order_len], order_len, nullptr);
495 if (!sig->r || !sig->s) {
496 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
497 return 0;
498 }
499
500 // Ensure the DER-encoded signature fits in the bounds.
501 int len = i2d_ECDSA_SIG(sig.get(), nullptr);
502 if (len < 0 || static_cast<size_t>(len) > ECDSA_size(ec_key)) {
503 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
504 return 0;
505 }
506
507 len = i2d_ECDSA_SIG(sig.get(), &out_sig);
508 if (len < 0) {
509 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
510 return 0;
511 }
512 *out_sig_len = len;
513 return 1;
514 }
515
516 int EcdsaMethodVerify(const uint8_t* digest,
517 size_t digest_len,
518 const uint8_t* sig,
519 size_t sig_len,
520 EC_KEY* eckey) {
521 NOTIMPLEMENTED();
522 OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ECDSA_R_NOT_IMPLEMENTED);
523 return 0;
524 }
525
526 const ECDSA_METHOD win_ecdsa_method = {
527 {
528 0, // references
529 1, // is_static
530 },
531 nullptr, // app_data
532
533 nullptr, // init
534 nullptr, // finish
535 EcdsaMethodGroupOrderSize,
536 EcdsaMethodSign,
537 EcdsaMethodVerify,
538 ECDSA_FLAG_OPAQUE,
539 };
540
541 // Determines the key type and length of |certificate|'s public key. The type is
542 // returned as an OpenSSL EVP_PKEY type. The key length for RSA key is the size
543 // of the RSA modulus in bits. For an ECDSA key, it is the number of bits to
544 // represent the group order. It returns true on success and false on failure.
545 bool GetKeyInfo(const X509Certificate* certificate,
546 int* out_type,
547 size_t* out_length) {
548 crypto::OpenSSLErrStackTracer tracker(FROM_HERE);
549
550 std::string der_encoded;
551 if (!X509Certificate::GetDEREncoded(certificate->os_cert_handle(),
552 &der_encoded))
553 return false;
554 const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
555 ScopedX509 x509(d2i_X509(NULL, &bytes, der_encoded.size()));
556 if (!x509)
557 return false;
558 crypto::ScopedEVP_PKEY key(X509_get_pubkey(x509.get()));
559 if (!key)
560 return false;
561 *out_type = EVP_PKEY_id(key.get());
562 *out_length = EVP_PKEY_bits(key.get());
563 return true;
564 }
565
566 crypto::ScopedEVP_PKEY CreateRSAWrapper(ScopedCERT_KEY_CONTEXT key,
567 size_t key_length) {
568 crypto::ScopedRSA rsa(RSA_new_method(global_boringssl_engine.Get().engine()));
569 if (!rsa)
570 return nullptr;
571
572 RSA_set_ex_data(rsa.get(), global_boringssl_engine.Get().rsa_ex_index(),
573 new KeyExData(key.Pass(), key_length));
574
575 crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
576 if (!pkey || !EVP_PKEY_set1_RSA(pkey.get(), rsa.get()))
577 return nullptr;
578 return pkey.Pass();
579 }
580
581 crypto::ScopedEVP_PKEY CreateECDSAWrapper(ScopedCERT_KEY_CONTEXT key,
582 size_t key_length) {
583 crypto::ScopedEC_KEY ec_key(
584 EC_KEY_new_method(global_boringssl_engine.Get().engine()));
585 if (!ec_key)
586 return nullptr;
587
588 EC_KEY_set_ex_data(ec_key.get(),
589 global_boringssl_engine.Get().ec_key_ex_index(),
590 new KeyExData(key.Pass(), key_length));
591
592 crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
593 if (!pkey || !EVP_PKEY_set1_EC_KEY(pkey.get(), ec_key.get()))
594 return nullptr;
595
596 return pkey.Pass();
597 }
598
599 } // namespace
600
601 crypto::ScopedEVP_PKEY FetchClientCertPrivateKey(
602 const X509Certificate* certificate) {
603 PCCERT_CONTEXT cert_context = certificate->os_cert_handle();
604
605 HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov = 0;
606 DWORD key_spec = 0;
607 BOOL must_free = FALSE;
608 DWORD flags = 0;
609 if (base::win::GetVersion() >= base::win::VERSION_VISTA)
610 flags |= CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
611
612 if (!CryptAcquireCertificatePrivateKey(cert_context, flags, nullptr,
613 &crypt_prov, &key_spec, &must_free)) {
614 PLOG(WARNING) << "Could not acquire private key";
615 return nullptr;
616 }
617
618 // Should never get a cached handle back - ownership must always be
619 // transferred.
620 CHECK_EQ(must_free, TRUE);
621 ScopedCERT_KEY_CONTEXT key(new CERT_KEY_CONTEXT);
622 key->dwKeySpec = key_spec;
623 key->hCryptProv = crypt_prov;
624
625 // Rather than query the private key for metadata, extract the public key from
626 // the certificate without using Windows APIs. CAPI and CNG do not
627 // consistently work depending on the system. See https://crbug.com/468345.
628 int key_type;
629 size_t key_length;
630 if (!GetKeyInfo(certificate, &key_type, &key_length))
631 return nullptr;
632
633 switch (key_type) {
634 case EVP_PKEY_RSA:
635 return CreateRSAWrapper(key.Pass(), key_length);
636 case EVP_PKEY_EC:
637 return CreateECDSAWrapper(key.Pass(), key_length);
638 default:
639 return nullptr;
640 }
641 }
642
643 } // namespace net