// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CRYPTO_EC_PRIVATE_KEY_H_
#define CRYPTO_EC_PRIVATE_KEY_H_
#include <string>
#include <vector>
#include "base/basictypes.h"
#include "build/build_config.h"
#include "crypto/crypto_export.h"
#if defined(USE_OPENSSL)
// Forward declaration for openssl/*.h
typedef struct evp_pkey_st EVP_PKEY;
#else
// Forward declaration.
typedef struct CERTSubjectPublicKeyInfoStr CERTSubjectPublicKeyInfo;
typedef struct PK11SlotInfoStr PK11SlotInfo;
typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey;
typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
#endif
namespace crypto {
// Encapsulates an elliptic curve (EC) private key. Can be used to generate new
// keys, export keys to other formats, or to extract a public key.
// TODO(mattm): make this and RSAPrivateKey implement some PrivateKey interface.
// (The difference in types of key() and public_key() make this a little
// tricky.)
class CRYPTO_EXPORT ECPrivateKey {
public:
~ECPrivateKey();
// Returns whether the system supports elliptic curve cryptography.
static bool IsSupported();
// Creates a new random instance. Can return NULL if initialization fails.
// The created key will use the NIST P-256 curve.
// TODO(mattm): Add a curve parameter.
static ECPrivateKey* Create();
#if defined(USE_NSS)
// Creates a new random instance in |slot|. Can return NULL if initialization
// fails. The created key is permanent and is not exportable in plaintext
// form.
static ECPrivateKey* CreateSensitive(PK11SlotInfo* slot);
#endif
// Creates a new instance by importing an existing key pair.
// The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo
// block and an X.509 SubjectPublicKeyInfo block.
// Returns NULL if initialization fails.
static ECPrivateKey* CreateFromEncryptedPrivateKeyInfo(
const std::string& password,
const std::vector<uint8>& encrypted_private_key_info,
const std::vector<uint8>& subject_public_key_info);
#if defined(USE_NSS)
// Creates a new instance in |slot| by importing an existing key pair.
// The key pair is given as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo
// block and an X.509 SubjectPublicKeyInfo block.
// This can return NULL if initialization fails. The created key is permanent
// and is not exportable in plaintext form.
static ECPrivateKey* CreateSensitiveFromEncryptedPrivateKeyInfo(
PK11SlotInfo* slot,
const std::string& password,
const std::vector<uint8>& encrypted_private_key_info,
const std::vector<uint8>& subject_public_key_info);
#endif
#if !defined(USE_OPENSSL)
// Imports the key pair into |slot| and returns in |public_key| and |key|.
// Shortcut for code that needs to keep a reference directly to NSS types
// without having to create a ECPrivateKey object and make a copy of them.
// TODO(mattm): move this function to some NSS util file.
static bool ImportFromEncryptedPrivateKeyInfo(
PK11SlotInfo* slot,
const std::string& password,
const uint8* encrypted_private_key_info,
size_t encrypted_private_key_info_len,
CERTSubjectPublicKeyInfo* decoded_spki,
bool permanent,
bool sensitive,
SECKEYPrivateKey** key,
SECKEYPublicKey** public_key);
#endif
#if defined(USE_OPENSSL)
EVP_PKEY* key() { return key_; }
#else
SECKEYPrivateKey* key() { return key_; }
SECKEYPublicKey* public_key() { return public_key_; }
#endif
// Exports the private key as an ASN.1-encoded PKCS #8 EncryptedPrivateKeyInfo
// block and the public key as an X.509 SubjectPublicKeyInfo block.
// The |password| and |iterations| are used as inputs to the key derivation
// function for generating the encryption key. PKCS #5 recommends a minimum
// of 1000 iterations, on modern systems a larger value may be preferrable.
bool ExportEncryptedPrivateKey(const std::string& password,
int iterations,
std::vector<uint8>* output);
// Exports the public key to an X.509 SubjectPublicKeyInfo block.
bool ExportPublicKey(std::vector<uint8>* output);
// Exports private key data for testing. The format of data stored into output
// doesn't matter other than that it is consistent for the same key.
bool ExportValue(std::vector<uint8>* output);
bool ExportECParams(std::vector<uint8>* output);
private:
// Constructor is private. Use one of the Create*() methods above instead.
ECPrivateKey();
#if !defined(USE_OPENSSL)
// Shared helper for Create() and CreateSensitive().
// TODO(cmasone): consider replacing |permanent| and |sensitive| with a
// flags arg created by ORing together some enumerated values.
static ECPrivateKey* CreateWithParams(PK11SlotInfo* slot,
bool permanent,
bool sensitive);
// Shared helper for CreateFromEncryptedPrivateKeyInfo() and
// CreateSensitiveFromEncryptedPrivateKeyInfo().
static ECPrivateKey* CreateFromEncryptedPrivateKeyInfoWithParams(
PK11SlotInfo* slot,
const std::string& password,
const std::vector<uint8>& encrypted_private_key_info,
const std::vector<uint8>& subject_public_key_info,
bool permanent,
bool sensitive);
#endif
#if defined(USE_OPENSSL)
EVP_PKEY* key_;
#else
SECKEYPrivateKey* key_;
SECKEYPublicKey* public_key_;
#endif
DISALLOW_COPY_AND_ASSIGN(ECPrivateKey);
};
} // namespace crypto
#endif // CRYPTO_EC_PRIVATE_KEY_H_