• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_SSL_SSL_PRIVATE_KEY_H_
6 #define NET_SSL_SSL_PRIVATE_KEY_H_
7 
8 #include <stdint.h>
9 
10 #include <vector>
11 
12 #include "base/containers/span.h"
13 #include "base/functional/callback_forward.h"
14 #include "base/memory/ref_counted.h"
15 #include "net/base/net_errors.h"
16 #include "net/base/net_export.h"
17 
18 namespace net {
19 
20 // An interface for a private key for use with SSL client authentication. A
21 // private key may be used with multiple signature algorithms, so methods use
22 // |SSL_SIGN_*| constants from BoringSSL, which correspond to TLS 1.3
23 // SignatureScheme values.
24 //
25 // Note that although ECDSA constants are named like
26 // |SSL_SIGN_ECDSA_SECP256R1_SHA256|, they may be used with any curve for
27 // purposes of this API. This descrepancy is due to differences between TLS 1.2
28 // and TLS 1.3.
29 class NET_EXPORT SSLPrivateKey
30     : public base::RefCountedThreadSafe<SSLPrivateKey> {
31  public:
32   using SignCallback =
33       base::OnceCallback<void(Error, const std::vector<uint8_t>&)>;
34 
35   SSLPrivateKey() = default;
36 
37   SSLPrivateKey(const SSLPrivateKey&) = delete;
38   SSLPrivateKey& operator=(const SSLPrivateKey&) = delete;
39 
40   // Returns a human-readable name of the provider that backs this
41   // SSLPrivateKey, for debugging. If not applicable or available, return the
42   // empty string.
43   virtual std::string GetProviderName() = 0;
44 
45   // Returns the algorithms that are supported by the key in decreasing
46   // preference for TLS 1.2 and later.
47   virtual std::vector<uint16_t> GetAlgorithmPreferences() = 0;
48 
49   // Asynchronously signs an |input| with the specified TLS signing algorithm.
50   // |input| is an unhashed message to be signed. On completion, it calls
51   // |callback| with the signature or an error code if the operation failed.
52   virtual void Sign(uint16_t algorithm,
53                     base::span<const uint8_t> input,
54                     SignCallback callback) = 0;
55 
56   // Returns the default signature algorithm preferences for the specified key
57   // type, which should be a BoringSSL |EVP_PKEY_*| constant. RSA keys which use
58   // this must support PKCS #1 v1.5 signatures with SHA-1, SHA-256, SHA-384, and
59   // SHA-512. If |supports_pss| is true, they must additionally support PSS
60   // signatures with SHA-256, SHA-384, and SHA-512. ECDSA keys must support
61   // SHA-256, SHA-384, SHA-512.
62   //
63   // Keys with more specific capabilities or preferences should return a custom
64   // list.
65   static std::vector<uint16_t> DefaultAlgorithmPreferences(int type,
66                                                            bool supports_pss);
67 
68  protected:
69   virtual ~SSLPrivateKey() = default;
70 
71  private:
72   friend class base::RefCountedThreadSafe<SSLPrivateKey>;
73 };
74 
75 }  // namespace net
76 
77 #endif  // NET_SSL_SSL_PRIVATE_KEY_H_
78