1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CRYPTO_EC_PRIVATE_KEY_H_ 6 #define CRYPTO_EC_PRIVATE_KEY_H_ 7 8 #include <string> 9 #include <vector> 10 11 #include "base/basictypes.h" 12 #include "build/build_config.h" 13 #include "crypto/crypto_export.h" 14 15 #if defined(USE_OPENSSL) 16 // Forward declaration for openssl/*.h 17 typedef struct evp_pkey_st EVP_PKEY; 18 #else 19 // Forward declaration. 20 typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo; 21 typedef struct PK11SlotInfoStr PK11SlotInfo; 22 typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey; 23 typedef struct SECKEYPublicKeyStr SECKEYPublicKey; 24 #endif 25 26 namespace crypto { 27 28 // Encapsulates an elliptic curve (EC) private key. Can be used to generate new 29 // keys, export keys to other formats, or to extract a public key. 30 // TODO(mattm): make this and RSAPrivateKey implement some PrivateKey interface. 31 // (The difference in types of key() and public_key() make this a little 32 // tricky.) 33 class CRYPTO_EXPORT ECPrivateKey { 34 public: 35 ~ECPrivateKey(); 36 37 // Returns whether the system supports elliptic curve cryptography. 38 static bool IsSupported(); 39 40 // Creates a new random instance. Can return NULL if initialization fails. 41 // The created key will use the NIST P-256 curve. 42 // TODO(mattm): Add a curve parameter. 43 static ECPrivateKey* Create(); 44 45 #if defined(USE_NSS) 46 // Creates a new random instance in |slot|. Can return NULL if initialization 47 // fails. The created key is permanent and is not exportable in plaintext 48 // form. 49 static ECPrivateKey* CreateSensitive(PK11SlotInfo* slot); 50 #endif 51 52 // Creates a new instance by importing an existing key pair. 53 // The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo 54 // block and an X.509 SubjectPublicKeyInfo block. 55 // Returns NULL if initialization fails. 56 static ECPrivateKey* CreateFromEncryptedPrivateKeyInfo( 57 const std::string& password, 58 const std::vector<uint8>& encrypted_private_key_info, 59 const std::vector<uint8>& subject_public_key_info); 60 61 #if defined(USE_NSS) 62 // Creates a new instance in |slot| by importing an existing key pair. 63 // The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo 64 // block and an X.509 SubjectPublicKeyInfo block. 65 // This can return NULL if initialization fails. The created key is permanent 66 // and is not exportable in plaintext form. 67 static ECPrivateKey* CreateSensitiveFromEncryptedPrivateKeyInfo( 68 PK11SlotInfo* slot, 69 const std::string& password, 70 const std::vector<uint8>& encrypted_private_key_info, 71 const std::vector<uint8>& subject_public_key_info); 72 #endif 73 74 #if !defined(USE_OPENSSL) 75 // Imports the key pair into |slot| and returns in |public_key| and |key|. 76 // Shortcut for code that needs to keep a reference directly to NSS types 77 // without having to create a ECPrivateKey object and make a copy of them. 78 // TODO(mattm): move this function to some NSS util file. 79 static bool ImportFromEncryptedPrivateKeyInfo( 80 PK11SlotInfo* slot, 81 const std::string& password, 82 const uint8* encrypted_private_key_info, 83 size_t encrypted_private_key_info_len, 84 CERTSubjectPublicKeyInfo* decoded_spki, 85 bool permanent, 86 bool sensitive, 87 SECKEYPrivateKey** key, 88 SECKEYPublicKey** public_key); 89 #endif 90 91 #if defined(USE_OPENSSL) key()92 EVP_PKEY* key() { return key_; } 93 #else key()94 SECKEYPrivateKey* key() { return key_; } public_key()95 SECKEYPublicKey* public_key() { return public_key_; } 96 #endif 97 98 // Exports the private key as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo 99 // block and the public key as an X.509 SubjectPublicKeyInfo block. 100 // The |password| and |iterations| are used as inputs to the key derivation 101 // function for generating the encryption key. PKCS #5 recommends a minimum 102 // of 1000 iterations, on modern systems a larger value may be preferrable. 103 bool ExportEncryptedPrivateKey(const std::string& password, 104 int iterations, 105 std::vector<uint8>* output); 106 107 // Exports the public key to an X.509 SubjectPublicKeyInfo block. 108 bool ExportPublicKey(std::vector<uint8>* output); 109 110 // Exports private key data for testing. The format of data stored into output 111 // doesn't matter other than that it is consistent for the same key. 112 bool ExportValue(std::vector<uint8>* output); 113 bool ExportECParams(std::vector<uint8>* output); 114 115 private: 116 // Constructor is private. Use one of the Create*() methods above instead. 117 ECPrivateKey(); 118 119 #if !defined(USE_OPENSSL) 120 // Shared helper for Create() and CreateSensitive(). 121 // TODO(cmasone): consider replacing |permanent| and |sensitive| with a 122 // flags arg created by ORing together some enumerated values. 123 static ECPrivateKey* CreateWithParams(PK11SlotInfo* slot, 124 bool permanent, 125 bool sensitive); 126 127 // Shared helper for CreateFromEncryptedPrivateKeyInfo() and 128 // CreateSensitiveFromEncryptedPrivateKeyInfo(). 129 static ECPrivateKey* CreateFromEncryptedPrivateKeyInfoWithParams( 130 PK11SlotInfo* slot, 131 const std::string& password, 132 const std::vector<uint8>& encrypted_private_key_info, 133 const std::vector<uint8>& subject_public_key_info, 134 bool permanent, 135 bool sensitive); 136 #endif 137 138 #if defined(USE_OPENSSL) 139 EVP_PKEY* key_; 140 #else 141 SECKEYPrivateKey* key_; 142 SECKEYPublicKey* public_key_; 143 #endif 144 145 DISALLOW_COPY_AND_ASSIGN(ECPrivateKey); 146 }; 147 148 149 } // namespace crypto 150 151 #endif // CRYPTO_EC_PRIVATE_KEY_H_ 152