Implement NetworkingPrivateCrypto for OpenSSL.

Based on the NSS implementation and loosely on the original OpenSSL code at
https://chromium.googlesource.com/chromiumos/platform/shill/+/master/shims/crypto_util.cc

BUG=393023

Review URL: https://codereview.chromium.org/396463004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285494 0039d316-1c4b-4281-b951-d872f2087c98

chrome/chrome_common.gypi

@@ -273,6 +273,7 @@
     'chrome_common_win_mac_sources': [
       'common/extensions/api/networking_private/networking_private_crypto_nss.cc',
       'common/extensions/api/networking_private/networking_private_crypto_openssl.cc',
+      'common/extensions/api/networking_private/networking_private_crypto.cc',
       'common/extensions/api/networking_private/networking_private_crypto.h',
       'common/media_galleries/itunes_library.cc',
       'common/media_galleries/itunes_library.h',
@@ -355,6 +356,12 @@
         ['OS=="win" or OS=="mac"', {
           'sources': [ '<@(chrome_common_win_mac_sources)' ],
         }],
+        ['(OS=="win" or OS=="mac") and use_openssl==1', {
+          # networking_private_crypto_openssl.cc depends on boringssl.
+          'dependencies': [
+            '../third_party/boringssl/boringssl.gyp:boringssl',
+          ],
+        }],
         ['OS=="mac"', {
           'sources': [ '<@(chrome_common_mac_sources)' ],
         }],

chrome/chrome_tests_unit.gypi

@@ -409,7 +409,6 @@
         }],
         ['OS=="win" or OS=="mac"', {
           'sources': [
-            'common/extensions/api/networking_private/networking_private_crypto_unittest.cc',
             'common/media_galleries/picasa_test_util.cc',
             'common/media_galleries/picasa_test_util.cc',
             'common/media_galleries/pmp_test_util.cc',
@@ -2467,6 +2466,7 @@
           'sources': [
             'browser/media_galleries/fileapi/itunes_file_util_unittest.cc',
             'browser/media_galleries/fileapi/picasa_file_util_unittest.cc',
+            'common/extensions/api/networking_private/networking_private_crypto_unittest.cc',
             'utility/media_galleries/itunes_library_parser_unittest.cc',
             'utility/media_galleries/picasa_album_table_reader_unittest.cc',
             'utility/media_galleries/picasa_albums_indexer_unittest.cc',
@@ -2739,10 +2739,6 @@
           ],
         }],
         ['use_openssl==1', {
-          'sources!': [
-            # networking_private_crypto.cc uses NSS functions.
-            'common/extensions/api/networking_private/networking_private_crypto_unittest.cc',
-          ],
           'sources/': [
             # OpenSSL build does not support firefox importer. See
             # http://crbug.com/64926

chrome/common/BUILD.gn

@@ -113,6 +113,10 @@ static_library("common") {
       sources -= [
         "extensions/api/networking_private/networking_private_crypto_nss.cc",
       ]
+      # networking_private_crypto_openssl.cc depends on boringssl.
+      deps += [
+        "//third_party/boringssl",
+      ]
     } else {
       sources -= [
         "extensions/api/networking_private/networking_private_crypto_openssl.cc",

chrome/common/extensions/api/networking_private/networking_private_crypto.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/extensions/api/networking_private/networking_private_crypto.h"
+
+const uint8 NetworkingPrivateCrypto::kTrustedCAPublicKeyDER[] = {
+    0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbc, 0x22, 0x80,
+    0xbd, 0x80, 0xf6, 0x3a, 0x21, 0x00, 0x3b, 0xae, 0x76, 0x5e, 0x35, 0x7f,
+    0x3d, 0xc3, 0x64, 0x5c, 0x55, 0x94, 0x86, 0x34, 0x2f, 0x05, 0x87, 0x28,
+    0xcd, 0xf7, 0x69, 0x8c, 0x17, 0xb3, 0x50, 0xa7, 0xb8, 0x82, 0xfa, 0xdf,
+    0xc7, 0x43, 0x2d, 0xd6, 0x7e, 0xab, 0xa0, 0x6f, 0xb7, 0x13, 0x72, 0x80,
+    0xa4, 0x47, 0x15, 0xc1, 0x20, 0x99, 0x50, 0xcd, 0xec, 0x14, 0x62, 0x09,
+    0x5b, 0xa4, 0x98, 0xcd, 0xd2, 0x41, 0xb6, 0x36, 0x4e, 0xff, 0xe8, 0x2e,
+    0x32, 0x30, 0x4a, 0x81, 0xa8, 0x42, 0xa3, 0x6c, 0x9b, 0x33, 0x6e, 0xca,
+    0xb2, 0xf5, 0x53, 0x66, 0xe0, 0x27, 0x53, 0x86, 0x1a, 0x85, 0x1e, 0xa7,
+    0x39, 0x3f, 0x4a, 0x77, 0x8e, 0xfb, 0x54, 0x66, 0x66, 0xfb, 0x58, 0x54,
+    0xc0, 0x5e, 0x39, 0xc7, 0xf5, 0x50, 0x06, 0x0b, 0xe0, 0x8a, 0xd4, 0xce,
+    0xe1, 0x6a, 0x55, 0x1f, 0x8b, 0x17, 0x00, 0xe6, 0x69, 0xa3, 0x27, 0xe6,
+    0x08, 0x25, 0x69, 0x3c, 0x12, 0x9d, 0x8d, 0x05, 0x2c, 0xd6, 0x2e, 0xa2,
+    0x31, 0xde, 0xb4, 0x52, 0x50, 0xd6, 0x20, 0x49, 0xde, 0x71, 0xa0, 0xf9,
+    0xad, 0x20, 0x40, 0x12, 0xf1, 0xdd, 0x25, 0xeb, 0xd5, 0xe6, 0xb8, 0x36,
+    0xf4, 0xd6, 0x8f, 0x7f, 0xca, 0x43, 0xdc, 0xd7, 0x10, 0x5b, 0xe6, 0x3f,
+    0x51, 0x8a, 0x85, 0xb3, 0xf3, 0xff, 0xf6, 0x03, 0x2d, 0xcb, 0x23, 0x4f,
+    0x9c, 0xad, 0x18, 0xe7, 0x93, 0x05, 0x8c, 0xac, 0x52, 0x9a, 0xf7, 0x4c,
+    0xe9, 0x99, 0x7a, 0xbe, 0x6e, 0x7e, 0x4d, 0x0a, 0xe3, 0xc6, 0x1c, 0xa9,
+    0x93, 0xfa, 0x3a, 0xa5, 0x91, 0x5d, 0x1c, 0xbd, 0x66, 0xeb, 0xcc, 0x60,
+    0xdc, 0x86, 0x74, 0xca, 0xcf, 0xf8, 0x92, 0x1c, 0x98, 0x7d, 0x57, 0xfa,
+    0x61, 0x47, 0x9e, 0xab, 0x80, 0xb7, 0xe4, 0x48, 0x80, 0x2a, 0x92, 0xc5,
+    0x1b, 0x02, 0x03, 0x01, 0x00, 0x01};
+
+const size_t NetworkingPrivateCrypto::kTrustedCAPublicKeyDERLength =
+    sizeof(kTrustedCAPublicKeyDER);
+
+NetworkingPrivateCrypto::NetworkingPrivateCrypto() {
+}
+
+NetworkingPrivateCrypto::~NetworkingPrivateCrypto() {
+}

chrome/common/extensions/api/networking_private/networking_private_crypto.h

@@ -5,8 +5,11 @@
 #ifndef CHROME_COMMON_EXTENSIONS_API_NETWORKING_PRIVATE_NETWORKING_PRIVATE_CRYPTO_H_
 #define CHROME_COMMON_EXTENSIONS_API_NETWORKING_PRIVATE_NETWORKING_PRIVATE_CRYPTO_H_
 
+#include <stdint.h>
+
 #include <string>
 #include <vector>
+
 #include "base/basictypes.h"
 
 // Implementation of Crypto support for networking private API.
@@ -34,9 +37,9 @@ class NetworkingPrivateCrypto {
   //
   // Returns true on success, storing the encrypted result in
   // |encrypted_output|.
-  bool EncryptByteString(const std::vector<uint8>& public_key,
+  bool EncryptByteString(const std::vector<uint8_t>& public_key,
                          const std::string& data,
-                         std::vector<uint8>* encrypted_output);
+                         std::vector<uint8_t>* encrypted_output);
 
  private:
   friend class NetworkingPrivateCryptoTest;
@@ -48,9 +51,16 @@ class NetworkingPrivateCrypto {
   // Returns true on success, storing the decrypted result in
   // |decrypted_output|.
   bool DecryptByteString(const std::string& private_key_pem,
-                         const std::vector<uint8>& encrypted_data,
+                         const std::vector<uint8_t>& encrypted_data,
                          std::string* decrypted_output);
 
+  // The trusted public key as a DER-encoded PKCS#1 RSAPublicKey
+  // structure.
+  static const uint8_t kTrustedCAPublicKeyDER[];
+
+  // The length of |kTrustedCAPublicKeyDER| in bytes.
+  static const size_t kTrustedCAPublicKeyDERLength;
+
   DISALLOW_COPY_AND_ASSIGN(NetworkingPrivateCrypto);
 };
 

chrome/common/extensions/api/networking_private/networking_private_crypto_nss.cc

@@ -23,31 +23,6 @@
 #include "net/cert/pem_tokenizer.h"
 #include "net/cert/x509_certificate.h"
 
-const unsigned char kTrustedCAPublicKeyDER[] = {
-    0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbc, 0x22, 0x80,
-    0xbd, 0x80, 0xf6, 0x3a, 0x21, 0x00, 0x3b, 0xae, 0x76, 0x5e, 0x35, 0x7f,
-    0x3d, 0xc3, 0x64, 0x5c, 0x55, 0x94, 0x86, 0x34, 0x2f, 0x05, 0x87, 0x28,
-    0xcd, 0xf7, 0x69, 0x8c, 0x17, 0xb3, 0x50, 0xa7, 0xb8, 0x82, 0xfa, 0xdf,
-    0xc7, 0x43, 0x2d, 0xd6, 0x7e, 0xab, 0xa0, 0x6f, 0xb7, 0x13, 0x72, 0x80,
-    0xa4, 0x47, 0x15, 0xc1, 0x20, 0x99, 0x50, 0xcd, 0xec, 0x14, 0x62, 0x09,
-    0x5b, 0xa4, 0x98, 0xcd, 0xd2, 0x41, 0xb6, 0x36, 0x4e, 0xff, 0xe8, 0x2e,
-    0x32, 0x30, 0x4a, 0x81, 0xa8, 0x42, 0xa3, 0x6c, 0x9b, 0x33, 0x6e, 0xca,
-    0xb2, 0xf5, 0x53, 0x66, 0xe0, 0x27, 0x53, 0x86, 0x1a, 0x85, 0x1e, 0xa7,
-    0x39, 0x3f, 0x4a, 0x77, 0x8e, 0xfb, 0x54, 0x66, 0x66, 0xfb, 0x58, 0x54,
-    0xc0, 0x5e, 0x39, 0xc7, 0xf5, 0x50, 0x06, 0x0b, 0xe0, 0x8a, 0xd4, 0xce,
-    0xe1, 0x6a, 0x55, 0x1f, 0x8b, 0x17, 0x00, 0xe6, 0x69, 0xa3, 0x27, 0xe6,
-    0x08, 0x25, 0x69, 0x3c, 0x12, 0x9d, 0x8d, 0x05, 0x2c, 0xd6, 0x2e, 0xa2,
-    0x31, 0xde, 0xb4, 0x52, 0x50, 0xd6, 0x20, 0x49, 0xde, 0x71, 0xa0, 0xf9,
-    0xad, 0x20, 0x40, 0x12, 0xf1, 0xdd, 0x25, 0xeb, 0xd5, 0xe6, 0xb8, 0x36,
-    0xf4, 0xd6, 0x8f, 0x7f, 0xca, 0x43, 0xdc, 0xd7, 0x10, 0x5b, 0xe6, 0x3f,
-    0x51, 0x8a, 0x85, 0xb3, 0xf3, 0xff, 0xf6, 0x03, 0x2d, 0xcb, 0x23, 0x4f,
-    0x9c, 0xad, 0x18, 0xe7, 0x93, 0x05, 0x8c, 0xac, 0x52, 0x9a, 0xf7, 0x4c,
-    0xe9, 0x99, 0x7a, 0xbe, 0x6e, 0x7e, 0x4d, 0x0a, 0xe3, 0xc6, 0x1c, 0xa9,
-    0x93, 0xfa, 0x3a, 0xa5, 0x91, 0x5d, 0x1c, 0xbd, 0x66, 0xeb, 0xcc, 0x60,
-    0xdc, 0x86, 0x74, 0xca, 0xcf, 0xf8, 0x92, 0x1c, 0x98, 0x7d, 0x57, 0xfa,
-    0x61, 0x47, 0x9e, 0xab, 0x80, 0xb7, 0xe4, 0x48, 0x80, 0x2a, 0x92, 0xc5,
-    0x1b, 0x02, 0x03, 0x01, 0x00, 0x01};
-
 namespace {
 
 // Parses |pem_data| for a PEM block of |pem_type|.
@@ -55,7 +30,7 @@ namespace {
 // |der_output|.
 bool GetDERFromPEM(const std::string& pem_data,
                    const std::string& pem_type,
-                   std::vector<uint8>* der_output) {
+                   std::vector<uint8_t>* der_output) {
   std::vector<std::string> headers;
   headers.push_back(pem_type);
   net::PEMTokenizer pem_tok(pem_data, headers);
@@ -69,12 +44,6 @@ bool GetDERFromPEM(const std::string& pem_data,
 
 }  // namespace
 
-NetworkingPrivateCrypto::NetworkingPrivateCrypto() {
-}
-
-NetworkingPrivateCrypto::~NetworkingPrivateCrypto() {
-}
-
 bool NetworkingPrivateCrypto::VerifyCredentials(
     const std::string& certificate,
     const std::string& signature,
@@ -82,7 +51,7 @@ bool NetworkingPrivateCrypto::VerifyCredentials(
     const std::string& connected_mac) {
   crypto::EnsureNSSInit();
 
-  std::vector<uint8> cert_data;
+  std::vector<uint8_t> cert_data;
   if (!GetDERFromPEM(certificate, "CERTIFICATE", &cert_data)) {
     LOG(ERROR) << "Failed to parse certificate.";
     return false;
@@ -108,8 +77,8 @@ bool NetworkingPrivateCrypto::VerifyCredentials(
   SECItem trusted_ca_key_der_item;
   trusted_ca_key_der_item.type = siDERCertBuffer;
   trusted_ca_key_der_item.data =
-      const_cast<unsigned char*>(kTrustedCAPublicKeyDER),
-  trusted_ca_key_der_item.len = sizeof(kTrustedCAPublicKeyDER);
+      const_cast<unsigned char*>(kTrustedCAPublicKeyDER);
+  trusted_ca_key_der_item.len = kTrustedCAPublicKeyDERLength;
   crypto::ScopedSECKEYPublicKey ca_public_key(
       SECKEY_ImportDERPublicKey(&trusted_ca_key_der_item, CKK_RSA));
   SECStatus verified = CERT_VerifySignedDataWithPublicKey(
@@ -165,9 +134,9 @@ bool NetworkingPrivateCrypto::VerifyCredentials(
 }
 
 bool NetworkingPrivateCrypto::EncryptByteString(
-    const std::vector<uint8>& pub_key_der,
+    const std::vector<uint8_t>& pub_key_der,
     const std::string& data,
-    std::vector<uint8>* encrypted_output) {
+    std::vector<uint8_t>* encrypted_output) {
   crypto::EnsureNSSInit();
 
   SECItem pub_key_der_item;
@@ -208,11 +177,11 @@ bool NetworkingPrivateCrypto::EncryptByteString(
 
 bool NetworkingPrivateCrypto::DecryptByteString(
     const std::string& private_key_pem,
-    const std::vector<uint8>& encrypted_data,
+    const std::vector<uint8_t>& encrypted_data,
     std::string* decrypted_output) {
   crypto::EnsureNSSInit();
 
-  std::vector<uint8> private_key_data;
+  std::vector<uint8_t> private_key_data;
   if (!GetDERFromPEM(private_key_pem, "PRIVATE KEY", &private_key_data)) {
     LOG(ERROR) << "Failed to parse private key PEM.";
     return false;

chrome/common/extensions/api/networking_private/networking_private_crypto_openssl.cc

@@ -4,38 +4,209 @@
 
 #include "chrome/common/extensions/api/networking_private/networking_private_crypto.h"
 
+#include <openssl/digest.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
 #include "base/logging.h"
+#include "base/strings/string_util.h"
+#include "crypto/openssl_util.h"
+#include "crypto/rsa_private_key.h"
+#include "crypto/scoped_openssl_types.h"
+#include "net/cert/pem_tokenizer.h"
 
-NetworkingPrivateCrypto::NetworkingPrivateCrypto() {
-}
+namespace {
+
+typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509;
 
-NetworkingPrivateCrypto::~NetworkingPrivateCrypto() {
+// Parses |pem_data| for a PEM block of |pem_type|.
+// Returns true if a |pem_type| block is found, storing the decoded result in
+// |der_output|.
+bool GetDERFromPEM(const std::string& pem_data,
+                   const std::string& pem_type,
+                   std::vector<uint8_t>* der_output) {
+  std::vector<std::string> headers;
+  headers.push_back(pem_type);
+  net::PEMTokenizer pem_tok(pem_data, headers);
+  if (!pem_tok.GetNext()) {
+    return false;
+  }
+
+  der_output->assign(pem_tok.data().begin(), pem_tok.data().end());
+  return true;
 }
 
+}  // namespace
+
 bool NetworkingPrivateCrypto::VerifyCredentials(
     const std::string& certificate,
     const std::string& signature,
     const std::string& data,
     const std::string& connected_mac) {
-  // https://crbug.com/393023
-  NOTIMPLEMENTED();
-  return false;
+  crypto::EnsureOpenSSLInit();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  std::vector<uint8_t> cert_data;
+  if (!GetDERFromPEM(certificate, "CERTIFICATE", &cert_data)) {
+    LOG(ERROR) << "Failed to parse certificate.";
+    return false;
+  }
+
+  // Parse into an OpenSSL X509.
+  const uint8_t* ptr = cert_data.empty() ? NULL : &cert_data[0];
+  const uint8_t* end = ptr + cert_data.size();
+  ScopedX509 cert(d2i_X509(NULL, &ptr, cert_data.size()));
+  if (!cert || ptr != end) {
+    LOG(ERROR) << "Failed to parse certificate.";
+    return false;
+  }
+
+  // Import the trusted public key.
+  ptr = kTrustedCAPublicKeyDER;
+  crypto::ScopedRSA ca_public_key_rsa(
+      d2i_RSAPublicKey(NULL, &ptr, kTrustedCAPublicKeyDERLength));
+  if (!ca_public_key_rsa ||
+      ptr != kTrustedCAPublicKeyDER + kTrustedCAPublicKeyDERLength) {
+    NOTREACHED();
+    LOG(ERROR) << "Failed to import trusted public key.";
+    return false;
+  }
+  crypto::ScopedEVP_PKEY ca_public_key(EVP_PKEY_new());
+  if (!ca_public_key ||
+      !EVP_PKEY_set1_RSA(ca_public_key.get(), ca_public_key_rsa.get())) {
+    LOG(ERROR) << "Failed to initialize EVP_PKEY";
+    return false;
+  }
+
+  // Check that the certificate is signed by the trusted public key.
+  if (X509_verify(cert.get(), ca_public_key.get()) <= 0) {
+    LOG(ERROR) << "Certificate is not issued by the trusted CA.";
+    return false;
+  }
+
+  // Check that the device listed in the certificate is correct.
+  // Something like evt_e161 001a11ffacdf
+  std::string common_name;
+  int common_name_length = X509_NAME_get_text_by_NID(
+      cert->cert_info->subject, NID_commonName, NULL, 0);
+  if (common_name_length < 0) {
+    LOG(ERROR) << "Certificate does not have common name.";
+    return false;
+  }
+  if (common_name_length > 0) {
+    common_name_length = X509_NAME_get_text_by_NID(
+        cert->cert_info->subject,
+        NID_commonName,
+        WriteInto(&common_name, common_name_length + 1),
+        common_name_length + 1);
+    DCHECK_EQ((int)common_name.size(), common_name_length);
+    if (common_name_length < 0) {
+      LOG(ERROR) << "Certificate does not have common name.";
+      return false;
+    }
+    common_name.resize(common_name_length);
+  }
+
+  std::string translated_mac;
+  base::RemoveChars(connected_mac, ":", &translated_mac);
+  if (!EndsWith(common_name, translated_mac, false)) {
+    LOG(ERROR) << "MAC addresses don't match.";
+    return false;
+  }
+
+  // Make sure that the certificate matches the unsigned data presented.
+  // Verify that the |signature| matches |data|.
+  crypto::ScopedEVP_PKEY public_key(X509_get_pubkey(cert.get()));
+  if (!public_key) {
+    LOG(ERROR) << "Unable to extract public key from certificate.";
+    return false;
+  }
+
+  crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+  if (!ctx) {
+    LOG(ERROR) << "Unable to allocate EVP_MD_CTX.";
+    return false;
+  }
+  if (EVP_DigestVerifyInit(
+          ctx.get(), NULL, EVP_sha1(), NULL, public_key.get()) <= 0 ||
+      EVP_DigestVerifyUpdate(ctx.get(), data.data(), data.size()) <= 0 ||
+      EVP_DigestVerifyFinal(ctx.get(),
+                            reinterpret_cast<const uint8_t*>(signature.data()),
+                            signature.size()) <= 0) {
+    LOG(ERROR) << "Signed blobs did not match.";
+    return false;
+  }
+  return true;
 }
 
 bool NetworkingPrivateCrypto::EncryptByteString(
-    const std::vector<uint8>& pub_key_der,
+    const std::vector<uint8_t>& pub_key_der,
     const std::string& data,
-    std::vector<uint8>* encrypted_output) {
-  // https://crbug.com/393023
-  NOTIMPLEMENTED();
-  return false;
+    std::vector<uint8_t>* encrypted_output) {
+  crypto::EnsureOpenSSLInit();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  const uint8_t* ptr = pub_key_der.empty() ? NULL : &pub_key_der[0];
+  const uint8_t* end = ptr + pub_key_der.size();
+  crypto::ScopedRSA rsa(d2i_RSAPublicKey(NULL, &ptr, pub_key_der.size()));
+  if (!rsa || ptr != end || RSA_size(rsa.get()) == 0) {
+    LOG(ERROR) << "Failed to parse public key";
+    return false;
+  }
+
+  scoped_ptr<uint8_t[]> rsa_output(new uint8_t[RSA_size(rsa.get())]);
+  int encrypted_length =
+      RSA_public_encrypt(data.size(),
+                         reinterpret_cast<const uint8_t*>(data.data()),
+                         rsa_output.get(),
+                         rsa.get(),
+                         RSA_PKCS1_PADDING);
+  if (encrypted_length < 0) {
+    LOG(ERROR) << "Error during decryption";
+    return false;
+  }
+  encrypted_output->assign(rsa_output.get(),
+                           rsa_output.get() + encrypted_length);
+  return true;
 }
 
 bool NetworkingPrivateCrypto::DecryptByteString(
     const std::string& private_key_pem,
-    const std::vector<uint8>& encrypted_data,
+    const std::vector<uint8_t>& encrypted_data,
     std::string* decrypted_output) {
-  // https://crbug.com/393023
-  NOTIMPLEMENTED();
-  return false;
+  crypto::EnsureOpenSSLInit();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  std::vector<uint8_t> private_key_data;
+  if (!GetDERFromPEM(private_key_pem, "PRIVATE KEY", &private_key_data)) {
+    LOG(ERROR) << "Failed to parse private key PEM.";
+    return false;
+  }
+  scoped_ptr<crypto::RSAPrivateKey> private_key(
+      crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(private_key_data));
+  if (!private_key || !private_key->key()) {
+    LOG(ERROR) << "Failed to parse private key DER.";
+    return false;
+  }
+
+  crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(private_key->key()));
+  if (!rsa || RSA_size(rsa.get()) == 0) {
+    LOG(ERROR) << "Failed to get RSA key.";
+    return false;
+  }
+
+  scoped_ptr<uint8_t[]> rsa_output(new uint8_t[RSA_size(rsa.get())]);
+  int output_length = RSA_private_decrypt(encrypted_data.size(),
+                                          &encrypted_data[0],
+                                          rsa_output.get(),
+                                          rsa.get(),
+                                          RSA_PKCS1_PADDING);
+  if (output_length < 0) {
+    LOG(ERROR) << "Error during decryption.";
+    return false;
+  }
+  decrypted_output->assign(reinterpret_cast<char*>(rsa_output.get()),
+                           output_length);
+  return true;
 }