Add support for PAT generation at prober request time. The issuer private key is queried from the keystore. The public key is already loaded on the gateways, with logic identifying the prober as the source of these PATs. PiperOrigin-RevId: 878042449
diff --git a/quiche/quic/masque/private_tokens.cc b/quiche/quic/masque/private_tokens.cc
index 41983a8..bb9b046 100644
--- a/quiche/quic/masque/private_tokens.cc
+++ b/quiche/quic/masque/private_tokens.cc
@@ -96,7 +96,7 @@
   return base64_encoded;
 }
 
-absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPrivateKey(
+absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPrivateKeyFile(
     absl::string_view file_path) {
   BIO* bio = BIO_new_file(file_path.data(), "r");
   if (!bio) {
@@ -112,7 +112,22 @@
   return bssl::UniquePtr<RSA>(rsa_key);
 }
 
-absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPublicKey(
+absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPrivateKeyData(
+    absl::string_view pem_data) {
+  BIO* bio = BIO_new_mem_buf(pem_data.data(), pem_data.size());
+  if (!bio) {
+    return absl::InvalidArgumentError("Failed to create BIO from PEM data");
+  }
+  RSA* rsa_key = PEM_read_bio_RSAPrivateKey(bio, nullptr, nullptr, nullptr);
+  BIO_free(bio);
+  if (!rsa_key) {
+    return absl::InvalidArgumentError(
+        "Failed to read RSA private key from PEM data");
+  }
+  return bssl::UniquePtr<RSA>(rsa_key);
+}
+
+absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPublicKeyFile(
     absl::string_view file_path) {
   BIO* bio = BIO_new_file(file_path.data(), "r");
   if (!bio) {
@@ -128,6 +143,21 @@
   return bssl::UniquePtr<RSA>(rsa_key);
 }
 
+absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPublicKeyData(
+    absl::string_view pem_data) {
+  BIO* bio = BIO_new_mem_buf(pem_data.data(), pem_data.size());
+  if (!bio) {
+    return absl::InvalidArgumentError("Failed to create BIO from PEM data");
+  }
+  RSA* rsa_key = PEM_read_bio_RSA_PUBKEY(bio, nullptr, nullptr, nullptr);
+  BIO_free(bio);
+  if (!rsa_key) {
+    return absl::InvalidArgumentError(
+        "Failed to read RSA public key from PEM data");
+  }
+  return bssl::UniquePtr<RSA>(rsa_key);
+}
+
 absl::StatusOr<std::string> EncodePrivacyPassPublicKey(const RSA* public_key) {
   QUICHE_ASSIGN_OR_RETURN(std::string der_encoding,
                           AT::RsaSsaPssPublicKeyToDerEncoding(public_key));
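Review bot: ParseRsaPrivateKeyData and ParseRsaPublicKeyData (the second and third hunks) hold the BIO as a raw pointer and release it with a manual `BIO_free`, which is leak-free today only because no early return can occur between `BIO_new_mem_buf` and the free; the file already uses `bssl::UniquePtr<RSA>` for the key, and `bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem_data.data(), pem_data.size()));` followed by `RSA* rsa_key = PEM_read_bio_RSAPrivateKey(bio.get(), nullptr, nullptr, nullptr);` (and the `BIO_free` line dropped, likewise for the `PEM_read_bio_RSA_PUBKEY` call) gives the same guarantee by RAII. `pem_data.size()` is also converted implicitly to the signed length parameter of `BIO_new_mem_buf`; an explicit `static_cast` behind a bounds check would make that narrowing visibly intended. The null callback and userdata arguments to the PEM readers mean a passphrase-protected PEM blob from the keystore would fail with the generic "Failed to read" error, so a one-line comment stating that only unencrypted PEM is accepted would help the next reader. The same raw-BIO pattern exists in the File variants, whose bodies run past the end of their hunks.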
diff --git a/quiche/quic/masque/private_tokens.h b/quiche/quic/masque/private_tokens.h
index 08f2ca4..fbca774 100644
--- a/quiche/quic/masque/private_tokens.h
+++ b/quiche/quic/masque/private_tokens.h
@@ -20,13 +20,21 @@
 std::string Base64UrlEncodeWithPadding(absl::string_view input);
 
 // Parse an RSA private key from the given file path in PEM format.
-absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPrivateKey(
+absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPrivateKeyFile(
     absl::string_view file_path);
 
+// Parse an RSA private key from the given string in PEM format.
+absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPrivateKeyData(
+    absl::string_view pem_data);
+
 // Parse an RSA public key from the given file path in PEM format.
-absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPublicKey(
+absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPublicKeyFile(
     absl::string_view file_path);
 
+// Parse an RSA public key from the given string in PEM format.
+absl::StatusOr<bssl::UniquePtr<RSA>> ParseRsaPublicKeyData(
+    absl::string_view pem_data);
+
 // Encodes the key into a entry in the base64 token-key object from the
 // PRIVACYPASS RFC. https://www.rfc-editor.org/rfc/rfc9578.html#section-4
 absl::StatusOr<std::string> EncodePrivacyPassPublicKey(const RSA* public_key);
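Review bot: The new comments on ParseRsaPrivateKeyData and ParseRsaPublicKeyData say only that the input is PEM; callers that fetch the key at runtime also need to know that `pem_data` need not be NUL-terminated and is not referenced by the returned key after the call (the PEM reader decodes into a freshly allocated RSA), so I would write `// Parse an RSA private key from the given PEM-encoded string. pem_data need not be NUL-terminated and is not retained by the returned key.` and the equivalent for the public-key variant. The renamed File variants keep `absl::string_view file_path`, while the implementation in private_tokens.cc passes `file_path.data()` to `BIO_new_file`, which expects a NUL-terminated C string; either state that requirement on the declaration (`// file_path must be NUL-terminated.`) or take `const std::string&` instead.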
diff --git a/quiche/quic/masque/private_tokens_bin.cc b/quiche/quic/masque/private_tokens_bin.cc
index c699145..af2d996 100644
--- a/quiche/quic/masque/private_tokens_bin.cc
+++ b/quiche/quic/masque/private_tokens_bin.cc
@@ -68,7 +68,7 @@
   bssl::UniquePtr<RSA> public_key;
   std::string encoded_public_key;
   if (!public_key_file.empty()) {
-    QUICHE_ASSIGN_OR_RETURN(public_key, ParseRsaPublicKey(public_key_file));
+    QUICHE_ASSIGN_OR_RETURN(public_key, ParseRsaPublicKeyFile(public_key_file));
     QUICHE_ASSIGN_OR_RETURN(encoded_public_key,
                             EncodePrivacyPassPublicKey(public_key.get()));
     if (!encoded_public_keys.empty()) {
@@ -99,7 +99,7 @@
   }
   if (!private_key_file.empty()) {
     QUICHE_ASSIGN_OR_RETURN(bssl::UniquePtr<RSA> private_key,
-                            ParseRsaPrivateKey(private_key_file));
+                            ParseRsaPrivateKeyFile(private_key_file));
     if (public_key == nullptr) {
       return absl::InvalidArgumentError(
           "--public_key_file is required when --private_key_file is set.");