1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CRYPTO_EC_PRIVATE_KEY_H_ 6#define CRYPTO_EC_PRIVATE_KEY_H_ 7 8#include <string> 9#include <vector> 10 11#include "base/basictypes.h" 12#include "build/build_config.h" 13#include "crypto/crypto_export.h" 14 15#if defined(USE_OPENSSL) 16// Forward declaration for openssl/*.h 17typedef struct evp_pkey_st EVP_PKEY; 18#else 19// Forward declaration. 20typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo; 21typedef struct PK11SlotInfoStr PK11SlotInfo; 22typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey; 23typedef struct SECKEYPublicKeyStr SECKEYPublicKey; 24#endif 25 26namespace crypto { 27 28// Encapsulates an elliptic curve (EC) private key. Can be used to generate new 29// keys, export keys to other formats, or to extract a public key. 30// TODO(mattm): make this and RSAPrivateKey implement some PrivateKey interface. 31// (The difference in types of key() and public_key() make this a little 32// tricky.) 33class CRYPTO_EXPORT ECPrivateKey { 34 public: 35 ~ECPrivateKey(); 36 37 // Returns whether the system supports elliptic curve cryptography. 38 static bool IsSupported(); 39 40 // Creates a new random instance. Can return NULL if initialization fails. 41 // The created key will use the NIST P-256 curve. 42 // TODO(mattm): Add a curve parameter. 43 static ECPrivateKey* Create(); 44 45#if defined(USE_NSS) 46 // Creates a new random instance in |slot|. Can return NULL if initialization 47 // fails. The created key is permanent and is not exportable in plaintext 48 // form. 49 static ECPrivateKey* CreateSensitive(PK11SlotInfo* slot); 50#endif 51 52 // Creates a new instance by importing an existing key pair. 53 // The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo 54 // block and an X.509 SubjectPublicKeyInfo block. 55 // Returns NULL if initialization fails. 56 static ECPrivateKey* CreateFromEncryptedPrivateKeyInfo( 57 const std::string& password, 58 const std::vector<uint8>& encrypted_private_key_info, 59 const std::vector<uint8>& subject_public_key_info); 60 61#if defined(USE_NSS) 62 // Creates a new instance in |slot| by importing an existing key pair. 63 // The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo 64 // block and an X.509 SubjectPublicKeyInfo block. 65 // This can return NULL if initialization fails. The created key is permanent 66 // and is not exportable in plaintext form. 67 static ECPrivateKey* CreateSensitiveFromEncryptedPrivateKeyInfo( 68 PK11SlotInfo* slot, 69 const std::string& password, 70 const std::vector<uint8>& encrypted_private_key_info, 71 const std::vector<uint8>& subject_public_key_info); 72#endif 73 74#if !defined(USE_OPENSSL) 75 // Imports the key pair into |slot| and returns in |public_key| and |key|. 76 // Shortcut for code that needs to keep a reference directly to NSS types 77 // without having to create a ECPrivateKey object and make a copy of them. 78 // TODO(mattm): move this function to some NSS util file. 79 static bool ImportFromEncryptedPrivateKeyInfo( 80 PK11SlotInfo* slot, 81 const std::string& password, 82 const uint8* encrypted_private_key_info, 83 size_t encrypted_private_key_info_len, 84 CERTSubjectPublicKeyInfo* decoded_spki, 85 bool permanent, 86 bool sensitive, 87 SECKEYPrivateKey** key, 88 SECKEYPublicKey** public_key); 89#endif 90 91#if defined(USE_OPENSSL) 92 EVP_PKEY* key() { return key_; } 93#else 94 SECKEYPrivateKey* key() { return key_; } 95 SECKEYPublicKey* public_key() { return public_key_; } 96#endif 97 98 // Exports the private key as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo 99 // block and the public key as an X.509 SubjectPublicKeyInfo block. 100 // The |password| and |iterations| are used as inputs to the key derivation 101 // function for generating the encryption key. PKCS #5 recommends a minimum 102 // of 1000 iterations, on modern systems a larger value may be preferrable. 103 bool ExportEncryptedPrivateKey(const std::string& password, 104 int iterations, 105 std::vector<uint8>* output); 106 107 // Exports the public key to an X.509 SubjectPublicKeyInfo block. 108 bool ExportPublicKey(std::vector<uint8>* output); 109 110 // Exports private key data for testing. The format of data stored into output 111 // doesn't matter other than that it is consistent for the same key. 112 bool ExportValue(std::vector<uint8>* output); 113 bool ExportECParams(std::vector<uint8>* output); 114 115 private: 116 // Constructor is private. Use one of the Create*() methods above instead. 117 ECPrivateKey(); 118 119#if !defined(USE_OPENSSL) 120 // Shared helper for Create() and CreateSensitive(). 121 // TODO(cmasone): consider replacing |permanent| and |sensitive| with a 122 // flags arg created by ORing together some enumerated values. 123 static ECPrivateKey* CreateWithParams(PK11SlotInfo* slot, 124 bool permanent, 125 bool sensitive); 126 127 // Shared helper for CreateFromEncryptedPrivateKeyInfo() and 128 // CreateSensitiveFromEncryptedPrivateKeyInfo(). 129 static ECPrivateKey* CreateFromEncryptedPrivateKeyInfoWithParams( 130 PK11SlotInfo* slot, 131 const std::string& password, 132 const std::vector<uint8>& encrypted_private_key_info, 133 const std::vector<uint8>& subject_public_key_info, 134 bool permanent, 135 bool sensitive); 136#endif 137 138#if defined(USE_OPENSSL) 139 EVP_PKEY* key_; 140#else 141 SECKEYPrivateKey* key_; 142 SECKEYPublicKey* public_key_; 143#endif 144 145 DISALLOW_COPY_AND_ASSIGN(ECPrivateKey); 146}; 147 148 149} // namespace crypto 150 151#endif // CRYPTO_EC_PRIVATE_KEY_H_ 152