1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CRYPTO_EC_PRIVATE_KEY_H_ 6#define CRYPTO_EC_PRIVATE_KEY_H_ 7 8#include <string> 9#include <vector> 10 11#include "base/basictypes.h" 12#include "build/build_config.h" 13#include "crypto/crypto_export.h" 14 15#if defined(USE_OPENSSL) 16// Forward declaration for openssl/*.h 17typedef struct evp_pkey_st EVP_PKEY; 18#else 19// Forward declaration. 20typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo; 21typedef struct PK11SlotInfoStr PK11SlotInfo; 22typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey; 23typedef struct SECKEYPublicKeyStr SECKEYPublicKey; 24#endif 25 26namespace crypto { 27 28// Encapsulates an elliptic curve (EC) private key. Can be used to generate new 29// keys, export keys to other formats, or to extract a public key. 30// TODO(mattm): make this and RSAPrivateKey implement some PrivateKey interface. 31// (The difference in types of key() and public_key() make this a little 32// tricky.) 33class CRYPTO_EXPORT ECPrivateKey { 34 public: 35 ~ECPrivateKey(); 36 37 // Returns whether the system supports elliptic curve cryptography. 38 static bool IsSupported(); 39 40 // Creates a new random instance. Can return NULL if initialization fails. 41 // The created key will use the NIST P-256 curve. 42 // TODO(mattm): Add a curve parameter. 43 static ECPrivateKey* Create(); 44 45#if defined(USE_NSS) 46 // Creates a new random instance in |slot|. Can return NULL if initialization 47 // fails. The created key is permanent and is not exportable in plaintext 48 // form. 49 static ECPrivateKey* CreateSensitive(PK11SlotInfo* slot); 50#endif 51 52 // Creates a new instance by importing an existing key pair. 53 // The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo 54 // block and an X.509 SubjectPublicKeyInfo block. 55 // Returns NULL if initialization fails. 56 static ECPrivateKey* CreateFromEncryptedPrivateKeyInfo( 57 const std::string& password, 58 const std::vector<uint8>& encrypted_private_key_info, 59 const std::vector<uint8>& subject_public_key_info); 60 61#if defined(USE_NSS) 62 // Creates a new instance in |slot| by importing an existing key pair. 63 // The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo 64 // block and an X.509 SubjectPublicKeyInfo block. 65 // This can return NULL if initialization fails. The created key is permanent 66 // and is not exportable in plaintext form. 67 static ECPrivateKey* CreateSensitiveFromEncryptedPrivateKeyInfo( 68 PK11SlotInfo* slot, 69 const std::string& password, 70 const std::vector<uint8>& encrypted_private_key_info, 71 const std::vector<uint8>& subject_public_key_info); 72#endif 73 74#if !defined(USE_OPENSSL) 75 // Imports the key pair into |slot| and returns in |public_key| and |key|. 76 // Shortcut for code that needs to keep a reference directly to NSS types 77 // without having to create a ECPrivateKey object and make a copy of them. 78 // TODO(mattm): move this function to some NSS util file. 79 static bool ImportFromEncryptedPrivateKeyInfo( 80 PK11SlotInfo* slot, 81 const std::string& password, 82 const uint8* encrypted_private_key_info, 83 size_t encrypted_private_key_info_len, 84 CERTSubjectPublicKeyInfo* decoded_spki, 85 bool permanent, 86 bool sensitive, 87 SECKEYPrivateKey** key, 88 SECKEYPublicKey** public_key); 89 90 // Returns a copy of the object. 91 ECPrivateKey* Copy() const; 92#endif 93 94#if defined(USE_OPENSSL) 95 EVP_PKEY* key() { return key_; } 96#else 97 SECKEYPrivateKey* key() { return key_; } 98 SECKEYPublicKey* public_key() { return public_key_; } 99#endif 100 101 // Exports the private key as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo 102 // block and the public key as an X.509 SubjectPublicKeyInfo block. 103 // The |password| and |iterations| are used as inputs to the key derivation 104 // function for generating the encryption key. PKCS #5 recommends a minimum 105 // of 1000 iterations, on modern systems a larger value may be preferrable. 106 bool ExportEncryptedPrivateKey(const std::string& password, 107 int iterations, 108 std::vector<uint8>* output); 109 110 // Exports the public key to an X.509 SubjectPublicKeyInfo block. 111 bool ExportPublicKey(std::vector<uint8>* output); 112 113 // Exports the public key as an EC point in the uncompressed point format. 114 bool ExportRawPublicKey(std::string* output); 115 116 // Exports private key data for testing. The format of data stored into output 117 // doesn't matter other than that it is consistent for the same key. 118 bool ExportValue(std::vector<uint8>* output); 119 bool ExportECParams(std::vector<uint8>* output); 120 121 private: 122 // Constructor is private. Use one of the Create*() methods above instead. 123 ECPrivateKey(); 124 125#if !defined(USE_OPENSSL) 126 // Shared helper for Create() and CreateSensitive(). 127 // TODO(cmasone): consider replacing |permanent| and |sensitive| with a 128 // flags arg created by ORing together some enumerated values. 129 static ECPrivateKey* CreateWithParams(PK11SlotInfo* slot, 130 bool permanent, 131 bool sensitive); 132 133 // Shared helper for CreateFromEncryptedPrivateKeyInfo() and 134 // CreateSensitiveFromEncryptedPrivateKeyInfo(). 135 static ECPrivateKey* CreateFromEncryptedPrivateKeyInfoWithParams( 136 PK11SlotInfo* slot, 137 const std::string& password, 138 const std::vector<uint8>& encrypted_private_key_info, 139 const std::vector<uint8>& subject_public_key_info, 140 bool permanent, 141 bool sensitive); 142#endif 143 144#if defined(USE_OPENSSL) 145 EVP_PKEY* key_; 146#else 147 SECKEYPrivateKey* key_; 148 SECKEYPublicKey* public_key_; 149#endif 150 151 DISALLOW_COPY_AND_ASSIGN(ECPrivateKey); 152}; 153 154 155} // namespace crypto 156 157#endif // CRYPTO_EC_PRIVATE_KEY_H_ 158