1*6777b538SAndroid Build Coastguard Worker // Copyright 2015 The Chromium Authors 2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be 3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file. 4*6777b538SAndroid Build Coastguard Worker 5*6777b538SAndroid Build Coastguard Worker #ifndef NET_SSL_SSL_PRIVATE_KEY_H_ 6*6777b538SAndroid Build Coastguard Worker #define NET_SSL_SSL_PRIVATE_KEY_H_ 7*6777b538SAndroid Build Coastguard Worker 8*6777b538SAndroid Build Coastguard Worker #include <stdint.h> 9*6777b538SAndroid Build Coastguard Worker 10*6777b538SAndroid Build Coastguard Worker #include <vector> 11*6777b538SAndroid Build Coastguard Worker 12*6777b538SAndroid Build Coastguard Worker #include "base/containers/span.h" 13*6777b538SAndroid Build Coastguard Worker #include "base/functional/callback_forward.h" 14*6777b538SAndroid Build Coastguard Worker #include "base/memory/ref_counted.h" 15*6777b538SAndroid Build Coastguard Worker #include "net/base/net_errors.h" 16*6777b538SAndroid Build Coastguard Worker #include "net/base/net_export.h" 17*6777b538SAndroid Build Coastguard Worker 18*6777b538SAndroid Build Coastguard Worker namespace net { 19*6777b538SAndroid Build Coastguard Worker 20*6777b538SAndroid Build Coastguard Worker // An interface for a private key for use with SSL client authentication. A 21*6777b538SAndroid Build Coastguard Worker // private key may be used with multiple signature algorithms, so methods use 22*6777b538SAndroid Build Coastguard Worker // |SSL_SIGN_*| constants from BoringSSL, which correspond to TLS 1.3 23*6777b538SAndroid Build Coastguard Worker // SignatureScheme values. 24*6777b538SAndroid Build Coastguard Worker // 25*6777b538SAndroid Build Coastguard Worker // Note that although ECDSA constants are named like 26*6777b538SAndroid Build Coastguard Worker // |SSL_SIGN_ECDSA_SECP256R1_SHA256|, they may be used with any curve for 27*6777b538SAndroid Build Coastguard Worker // purposes of this API. This descrepancy is due to differences between TLS 1.2 28*6777b538SAndroid Build Coastguard Worker // and TLS 1.3. 29*6777b538SAndroid Build Coastguard Worker class NET_EXPORT SSLPrivateKey 30*6777b538SAndroid Build Coastguard Worker : public base::RefCountedThreadSafe<SSLPrivateKey> { 31*6777b538SAndroid Build Coastguard Worker public: 32*6777b538SAndroid Build Coastguard Worker using SignCallback = 33*6777b538SAndroid Build Coastguard Worker base::OnceCallback<void(Error, const std::vector<uint8_t>&)>; 34*6777b538SAndroid Build Coastguard Worker 35*6777b538SAndroid Build Coastguard Worker SSLPrivateKey() = default; 36*6777b538SAndroid Build Coastguard Worker 37*6777b538SAndroid Build Coastguard Worker SSLPrivateKey(const SSLPrivateKey&) = delete; 38*6777b538SAndroid Build Coastguard Worker SSLPrivateKey& operator=(const SSLPrivateKey&) = delete; 39*6777b538SAndroid Build Coastguard Worker 40*6777b538SAndroid Build Coastguard Worker // Returns a human-readable name of the provider that backs this 41*6777b538SAndroid Build Coastguard Worker // SSLPrivateKey, for debugging. If not applicable or available, return the 42*6777b538SAndroid Build Coastguard Worker // empty string. 43*6777b538SAndroid Build Coastguard Worker virtual std::string GetProviderName() = 0; 44*6777b538SAndroid Build Coastguard Worker 45*6777b538SAndroid Build Coastguard Worker // Returns the algorithms that are supported by the key in decreasing 46*6777b538SAndroid Build Coastguard Worker // preference for TLS 1.2 and later. 47*6777b538SAndroid Build Coastguard Worker virtual std::vector<uint16_t> GetAlgorithmPreferences() = 0; 48*6777b538SAndroid Build Coastguard Worker 49*6777b538SAndroid Build Coastguard Worker // Asynchronously signs an |input| with the specified TLS signing algorithm. 50*6777b538SAndroid Build Coastguard Worker // |input| is an unhashed message to be signed. On completion, it calls 51*6777b538SAndroid Build Coastguard Worker // |callback| with the signature or an error code if the operation failed. 52*6777b538SAndroid Build Coastguard Worker virtual void Sign(uint16_t algorithm, 53*6777b538SAndroid Build Coastguard Worker base::span<const uint8_t> input, 54*6777b538SAndroid Build Coastguard Worker SignCallback callback) = 0; 55*6777b538SAndroid Build Coastguard Worker 56*6777b538SAndroid Build Coastguard Worker // Returns the default signature algorithm preferences for the specified key 57*6777b538SAndroid Build Coastguard Worker // type, which should be a BoringSSL |EVP_PKEY_*| constant. RSA keys which use 58*6777b538SAndroid Build Coastguard Worker // this must support PKCS #1 v1.5 signatures with SHA-1, SHA-256, SHA-384, and 59*6777b538SAndroid Build Coastguard Worker // SHA-512. If |supports_pss| is true, they must additionally support PSS 60*6777b538SAndroid Build Coastguard Worker // signatures with SHA-256, SHA-384, and SHA-512. ECDSA keys must support 61*6777b538SAndroid Build Coastguard Worker // SHA-256, SHA-384, SHA-512. 62*6777b538SAndroid Build Coastguard Worker // 63*6777b538SAndroid Build Coastguard Worker // Keys with more specific capabilities or preferences should return a custom 64*6777b538SAndroid Build Coastguard Worker // list. 65*6777b538SAndroid Build Coastguard Worker static std::vector<uint16_t> DefaultAlgorithmPreferences(int type, 66*6777b538SAndroid Build Coastguard Worker bool supports_pss); 67*6777b538SAndroid Build Coastguard Worker 68*6777b538SAndroid Build Coastguard Worker protected: 69*6777b538SAndroid Build Coastguard Worker virtual ~SSLPrivateKey() = default; 70*6777b538SAndroid Build Coastguard Worker 71*6777b538SAndroid Build Coastguard Worker private: 72*6777b538SAndroid Build Coastguard Worker friend class base::RefCountedThreadSafe<SSLPrivateKey>; 73*6777b538SAndroid Build Coastguard Worker }; 74*6777b538SAndroid Build Coastguard Worker 75*6777b538SAndroid Build Coastguard Worker } // namespace net 76*6777b538SAndroid Build Coastguard Worker 77*6777b538SAndroid Build Coastguard Worker #endif // NET_SSL_SSL_PRIVATE_KEY_H_ 78