1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CRYPTO_NSS_KEY_UTIL_H_
6 #define CRYPTO_NSS_KEY_UTIL_H_
11 #include "base/containers/span.h"
12 #include "build/build_config.h"
13 #include "crypto/crypto_export.h"
14 #include "crypto/scoped_nss_types.h"
16 typedef struct PK11SlotInfoStr PK11SlotInfo;
20 // Returns a SECItem containing the CKA_ID of the `public_key` or nullptr on
22 CRYPTO_EXPORT crypto::ScopedSECItem MakeNssIdFromPublicKey(
23 SECKEYPublicKey* public_key);
25 // Decodes |input| as a SubjectPublicKeyInfo and returns a SECItem containing
26 // the CKA_ID of that public key or nullptr on error.
27 CRYPTO_EXPORT ScopedSECItem MakeNssIdFromSpki(base::span<const uint8_t> input);
29 // Generates a new RSA key pair of size |num_bits| in |slot|. Returns true on
30 // success and false on failure. If |permanent| is true, the resulting key is
31 // permanent and is not exportable in plaintext form.
32 CRYPTO_EXPORT bool GenerateRSAKeyPairNSS(
36 ScopedSECKEYPublicKey* out_public_key,
37 ScopedSECKEYPrivateKey* out_private_key);
39 // Generates a new EC key pair with curve |named_curve| in |slot|. Returns true
40 // on success and false on failure. If |permanent| is true, the resulting key is
41 // permanent and is not exportable in plaintext form.
42 CRYPTO_EXPORT bool GenerateECKeyPairNSS(
44 const SECOidTag named_curve,
46 ScopedSECKEYPublicKey* out_public_key,
47 ScopedSECKEYPrivateKey* out_private_key);
49 // Imports a private key from |input| into |slot|. |input| is interpreted as a
50 // DER-encoded PrivateKeyInfo block from PKCS #8. Returns nullptr on error. If
51 // |permanent| is true, the resulting key is permanent and is not exportable in
53 CRYPTO_EXPORT ScopedSECKEYPrivateKey
54 ImportNSSKeyFromPrivateKeyInfo(PK11SlotInfo* slot,
55 base::span<const uint8_t> input,
58 // Decodes |input| as a DER-encoded X.509 SubjectPublicKeyInfo and searches for
59 // the private key half in the key database. Returns the private key on success
60 // or nullptr on error.
61 // Note: This function assumes the CKA_ID for public/private key pairs is
62 // derived from the public key. NSS does this, but this is not guaranteed by
63 // PKCS#11, so keys generated outside of NSS may not be found.
64 CRYPTO_EXPORT ScopedSECKEYPrivateKey
65 FindNSSKeyFromPublicKeyInfo(base::span<const uint8_t> input);
67 // Decodes |input| as a DER-encoded X.509 SubjectPublicKeyInfo and searches for
68 // the private key half in the slot specified by |slot|. Returns the private key
69 // on success or nullptr on error.
70 // Note: This function assumes the CKA_ID for public/private key pairs is
71 // derived from the public key. NSS does this, but this is not guaranteed by
72 // PKCS#11, so keys generated outside of NSS may not be found.
73 CRYPTO_EXPORT ScopedSECKEYPrivateKey
74 FindNSSKeyFromPublicKeyInfoInSlot(base::span<const uint8_t> input,
77 // Decodes |input| as a DER-encoded X.509 SubjectPublicKeyInfo and returns the
78 // NSS representation of it.
79 CRYPTO_EXPORT ScopedCERTSubjectPublicKeyInfo
80 DecodeSubjectPublicKeyInfoNSS(base::span<const uint8_t> input);
84 #endif // CRYPTO_NSS_KEY_UTIL_H_