// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Helpers for creating, importing and looking up asymmetric keys through NSS:
// CKA_ID derivation, RSA/EC key-pair generation into a PK11 slot, PKCS #8
// import, and SubjectPublicKeyInfo decoding/lookup. NSS objects are returned
// wrapped in the Scoped* types declared in crypto/scoped_nss_types.h.

#ifndef CRYPTO_NSS_KEY_UTIL_H_
#define CRYPTO_NSS_KEY_UTIL_H_

#include <secoidt.h>
#include <stdint.h>

#include "base/containers/span.h"
#include "build/build_config.h"
#include "crypto/crypto_export.h"
#include "crypto/scoped_nss_types.h"

// Forward declaration of the NSS slot type; the full PK11 header is not
// included here. The raw PK11SlotInfo* parameters below are not wrapped in a
// Scoped type, so they are presumably borrowed rather than transferred —
// confirm against the implementation.
typedef struct PK11SlotInfoStr PK11SlotInfo;

namespace crypto {

// Returns a SECItem containing the CKA_ID of |public_key| or nullptr on
// error. |public_key| is a raw pointer (not a Scoped type), so it is
// presumably only borrowed for the duration of the call; confirm in the .cc.
CRYPTO_EXPORT crypto::ScopedSECItem MakeNssIdFromPublicKey(
    SECKEYPublicKey* public_key);

// Decodes |input| as a SubjectPublicKeyInfo and returns a SECItem containing
// the CKA_ID of that public key or nullptr on error. A decode failure of
// |input| is signalled only through the nullptr return, so callers must check
// it before use.
CRYPTO_EXPORT ScopedSECItem MakeNssIdFromSpki(base::span<const uint8_t> input);

// Generates a new RSA key pair of size |num_bits| in |slot|. Returns true on
// success and false on failure. |out_public_key| and |out_private_key| are
// out-parameters for the generated pair. If |permanent| is true, the resulting
// key is permanent and is not exportable in plaintext form.
// NOTE(review): no minimum key size is visible in this header, so the caller
// is responsible for choosing an adequate |num_bits| — confirm whether the
// implementation enforces one.
CRYPTO_EXPORT bool GenerateRSAKeyPairNSS(
    PK11SlotInfo* slot,
    uint16_t num_bits,
    bool permanent,
    ScopedSECKEYPublicKey* out_public_key,
    ScopedSECKEYPrivateKey* out_private_key);

// Generates a new EC key pair with curve |named_curve| (a SECOidTag from
// secoidt.h) in |slot|. Returns true on success and false on failure.
// |out_public_key| and |out_private_key| are out-parameters for the generated
// pair. If |permanent| is true, the resulting key is permanent and is not
// exportable in plaintext form.
CRYPTO_EXPORT bool GenerateECKeyPairNSS(
    PK11SlotInfo* slot,
    const SECOidTag named_curve,
    bool permanent,
    ScopedSECKEYPublicKey* out_public_key,
    ScopedSECKEYPrivateKey* out_private_key);

// Imports a private key from |input| into |slot|. |input| is interpreted as a
// DER-encoded PrivateKeyInfo block from PKCS #8 — that is, unencrypted private
// key material, so the caller should treat the buffer as a secret for as long
// as it exists. Returns nullptr on error. If |permanent| is true, the
// resulting key is permanent and is not exportable in plaintext form.
CRYPTO_EXPORT ScopedSECKEYPrivateKey
ImportNSSKeyFromPrivateKeyInfo(PK11SlotInfo* slot,
                               base::span<const uint8_t> input,
                               bool permanent);

// Decodes |input| as a DER-encoded X.509 SubjectPublicKeyInfo and searches for
// the private key half in the key database. Returns the private key on success
// or nullptr on error.
// Note: This function assumes the CKA_ID for public/private key pairs is
// derived from the public key. NSS does this, but this is not guaranteed by
// PKCS#11, so keys generated outside of NSS may not be found. A nullptr result
// therefore means "not found or error", not proof that no such key exists.
CRYPTO_EXPORT ScopedSECKEYPrivateKey
FindNSSKeyFromPublicKeyInfo(base::span<const uint8_t> input);

// Decodes |input| as a DER-encoded X.509 SubjectPublicKeyInfo and searches for
// the private key half in the slot specified by |slot|. Returns the private key
// on success or nullptr on error.
// Note: This function assumes the CKA_ID for public/private key pairs is
// derived from the public key. NSS does this, but this is not guaranteed by
// PKCS#11, so keys generated outside of NSS may not be found. Unlike
// FindNSSKeyFromPublicKeyInfo(), only |slot| is searched.
CRYPTO_EXPORT ScopedSECKEYPrivateKey
FindNSSKeyFromPublicKeyInfoInSlot(base::span<const uint8_t> input,
                                  PK11SlotInfo* slot);

// Decodes |input| as a DER-encoded X.509 SubjectPublicKeyInfo and returns the
// NSS representation of it. Presumably returns nullptr on a decode failure,
// matching the other decoders in this header — confirm in the .cc.
CRYPTO_EXPORT ScopedCERTSubjectPublicKeyInfo
DecodeSubjectPublicKeyInfoNSS(base::span<const uint8_t> input);

}  // namespace crypto

#endif  // CRYPTO_NSS_KEY_UTIL_H_