New issue
Advanced search Search tips

Issue 618025 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 603319
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Blocking:
issue 603319



Sign in to add a comment

Migrate Push API away from ECPrivateKey::ExportEncryptedPrivateKey

Project Member Reported by davidben@chromium.org, Jun 7 2016

Issue description

ECPrivateKey::ExportPrivateKey is a much more sensible serialization and doesn't involve a dummy encrypt/decrypt step. That was an NSS legacy weirdness which we are now rid of.

(Assigning to peter@ per  issue #603319 .)
 

Comment 1 by peter@chromium.org, Jul 5 2016

We serialize these to disk, and since they persist between Chrome releases we'll need an upgrade path. Do you expect our use of PKCS #8 PrivateKeyInfo blocks for exported private keys to remain stable across releases?
Yes, the crazy "encrypted" format depends on the PKCS#8 PrivateKeyInfo serialization anyway. It is a strictly better format in every way.
(The only reason you all are using the crazy format at all is because there was some worry you'd ship this for iOS. In hindsight, this seems to have been a mistake as even iOS is on BoringSSL now and I assume WKWebView does indeed make shipping this prohibitive.)

Comment 4 by peter@chromium.org, Jul 5 2016

Labels: -Pri-3 Pri-2
I'm aware :). I'll send you a patch at some point this week or next.

Is there a timeline for the removal of ExportEncryptedPrivateKey? We'll definitely want an upgrade path in place for a release or two before removing it.
No particular timeline on my end. I figured we'd get everything migrated over and then figure that out.
Project Member

Comment 6 by bugdroid1@chromium.org, Sep 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b5845fae136bddf795c8b91f49753beddd1134dd

commit b5845fae136bddf795c8b91f49753beddd1134dd
Author: David Benjamin <davidben@chromium.org>
Date: Fri Sep 22 16:37:58 2017

Stop filling in public_key_x509.

This field dates to NSS legacy works on ECPrivateKey import. The
BoringSSL port ignores it. As of M51, all platforms use BoringSSL,
so it hasn't been used for a while. (Moreover, gcm_driver was first
used in M50, at which point only iOS used NSS.)

This does not fully remove the NSS legacy from components/gcm_driver,
but simplifies things slightly. (It should use the usual more efficient
encoding rather than the empty-password "encrypted" one.)

Bug:  618025 
Change-Id: I62349b2dcdc276e56a4d7dcf69db5db564a41868
Reviewed-on: https://chromium-review.googlesource.com/667659
Commit-Queue: David Benjamin <davidben@chromium.org>
Reviewed-by: Peter Beverloo <peter@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503765}
[modify] https://crrev.com/b5845fae136bddf795c8b91f49753beddd1134dd/components/gcm_driver/crypto/gcm_crypto_test_helpers.cc
[modify] https://crrev.com/b5845fae136bddf795c8b91f49753beddd1134dd/components/gcm_driver/crypto/gcm_key_store.cc
[modify] https://crrev.com/b5845fae136bddf795c8b91f49753beddd1134dd/components/gcm_driver/crypto/p256_key_util.cc
[modify] https://crrev.com/b5845fae136bddf795c8b91f49753beddd1134dd/components/gcm_driver/crypto/p256_key_util.h
[modify] https://crrev.com/b5845fae136bddf795c8b91f49753beddd1134dd/components/gcm_driver/crypto/p256_key_util_unittest.cc
[modify] https://crrev.com/b5845fae136bddf795c8b91f49753beddd1134dd/components/gcm_driver/crypto/proto/gcm_encryption_data.proto

Comment 7 by peter@chromium.org, Jan 5 2018

Mergedinto: 603319
Status: Duplicate (was: Assigned)

Sign in to add a comment