
Unified Diff: net/base/openssl_util.cc

Issue 12220104: Wire up SSL client authentication for OpenSSL/Android through the net/ stack (Closed) Base URL: http://git.chromium.org/chromium/src.git@master
Patch Set: Created 7 years, 10 months ago
Index: net/base/openssl_util.cc
diff --git a/net/base/openssl_util.cc b/net/base/openssl_util.cc
new file mode 100644
index 0000000000000000000000000000000000000000..0fd887bf6699e1c105f7d048de26c122a4b95477
--- /dev/null
+++ b/net/base/openssl_util.cc
@@ -0,0 +1,81 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#include "net/base/openssl_util.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+EVP_PKEY* EVP_PKEY_dup(EVP_PKEY* key) {
+ if (key != NULL)
+ CRYPTO_add(&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ return key;
+}
+
+OpenSSLKeyPairList::KeyPair::KeyPair(EVP_PKEY* pub_key,
+ EVP_PKEY* priv_key) {
+ public_key_ = EVP_PKEY_dup(pub_key);
+ private_key_ = EVP_PKEY_dup(priv_key);
+}
+
+OpenSSLKeyPairList::KeyPair::~KeyPair() {
+ EVP_PKEY_free(public_key_);
+ EVP_PKEY_free(private_key_);
+}
+
+OpenSSLKeyPairList::KeyPair::KeyPair(const KeyPair& other) {
+ public_key_ = EVP_PKEY_dup(other.public_key_);
+ private_key_ = EVP_PKEY_dup(other.private_key_);
+}
+
+// Find the private key corresponding to a given public one.
+// |public_key| is an EVP_PKEY holding a public key.
+// Returns the matching EVP_PKEY holding the private key, or NULL if
+// not found. This increases the returned key's reference count, so
+// the caller shall call EVP_PKEY_free() on it.
Ryan Sleevi 2013/02/12 00:25:17 Why not just take a hash of the public key, to avo
digit1 2013/02/12 15:05:25 I really don't think this is a performance-critica
+EVP_PKEY* OpenSSLKeyPairList::FindPrivateKey(EVP_PKEY* public_key) {
+ if (!public_key)
+ return NULL;
+ for (size_t n = 0; n < pairs_.size(); ++n) {
+ if (EVP_PKEY_cmp(pairs_[n].public_key_, public_key) == 1)
+ return EVP_PKEY_dup(pairs_[n].private_key_);
+ }
+ return NULL;
+}
+
+// Add a (public/private) key pair
+// |public_key| is the public key EVP_PKEY. Cannot be NULL.
+// |private_key| is the private key EVP_PKEY, this can be the same
+// object than |public_key| is it holds both a public and a private key.
+// Cannot be NULL.
+// Returns true on success, false otherwise. On success, this increases
+// the reference counts of both objects.
+bool OpenSSLKeyPairList::AddKeyPair(EVP_PKEY* public_key,
+ EVP_PKEY* private_key) {
+ if (public_key == NULL || private_key == NULL)
+ return false;
+ for (size_t n = 0; n < pairs_.size(); ++n) {
+ if (EVP_PKEY_cmp(pairs_[n].public_key_, public_key) == 1) {
+ // Already listed, return immediately because the private key
+ // cannot change.
+ return true;
+ }
+ }
Ryan Sleevi 2013/02/12 00:25:17 Why are you duplicating the logic of FindPrivateKe
digit1 2013/02/12 15:05:25 Hmmm... because it's only 3 lines of code. I'll fi
+ // Append new pair.
+ pairs_.push_back(KeyPair(public_key, private_key));
+ return true;
+}
+
+EVP_PKEY* GetCertificatePublicKeyOpenSSL(const X509Certificate& cert) {
+ // X509_PUBKEY_get() increments the reference count of its result.
+ // Unlike X509_get_X509_PUBKEY() which simply returns a direct pointer.
+ return X509_PUBKEY_get(
+ X509_get_X509_PUBKEY(cert.os_cert_handle()));
+}
+
+} // namespace net
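Review bot: `OpenSSLKeyPairList::KeyPair` gets a destructor and a reference-taking copy constructor here but no copy-assignment operator, so unless net/base/openssl_util.h (not shown on this page) declares one, the compiler-generated `operator=` copies the two raw `EVP_PKEY*` members without adjusting their reference counts. Any assignment of a KeyPair, for instance a `std::vector<KeyPair>` shifting elements on insert or erase, would then leak the overwritten references and leave two objects that each call `EVP_PKEY_free()` against a single reference, which for a private-key handle ends in a double free or use-after-free. `AddKeyPair` only calls `push_back`, so the visible code may not reach this today. The class should still either define the operator as sketched below or disallow assignment in the header.

```cpp
// … goes after KeyPair::KeyPair(const KeyPair& other); needs a matching declaration in the header …
OpenSSLKeyPairList::KeyPair& OpenSSLKeyPairList::KeyPair::operator=(
    const KeyPair& other) {
  // Take the new references before dropping the old ones so that
  // self-assignment never frees a key that is still needed.
  EVP_PKEY* new_public = EVP_PKEY_dup(other.public_key_);
  EVP_PKEY* new_private = EVP_PKEY_dup(other.private_key_);
  EVP_PKEY_free(public_key_);
  EVP_PKEY_free(private_key_);
  public_key_ = new_public;
  private_key_ = new_private;
  return *this;
}
```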
