Google Git
Sign in
android / platform / external / chromium_org / a3f6a49ab37290eeeb8db0f41ec0f1cb74a68be7 / . / content / renderer / webcrypto / webcrypto_impl_nss.cc
blob: 105bfbe9f89218d3978e8b6207d02d02b97447c1 [file] [log] [blame]
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/renderer/webcrypto/webcrypto_impl.h"
#include <cryptohi.h>
#include <pk11pub.h>
#include <sechash.h>
#include <vector>
#include "base/logging.h"
#include "content/renderer/webcrypto/webcrypto_util.h"
#include "crypto/nss_util.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/secure_util.h"
#include "third_party/WebKit/public/platform/WebArrayBuffer.h"
#include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
namespace content {
namespace {
class SymKeyHandle : public blink::WebCryptoKeyHandle {
public:
explicit SymKeyHandle(crypto::ScopedPK11SymKey key) : key_(key.Pass()) {}
PK11SymKey* key() { return key_.get(); }
private:
crypto::ScopedPK11SymKey key_;
DISALLOW_COPY_AND_ASSIGN(SymKeyHandle);
};
class PublicKeyHandle : public blink::WebCryptoKeyHandle {
public:
explicit PublicKeyHandle(crypto::ScopedSECKEYPublicKey key)
: key_(key.Pass()) {}
SECKEYPublicKey* key() { return key_.get(); }
private:
crypto::ScopedSECKEYPublicKey key_;
DISALLOW_COPY_AND_ASSIGN(PublicKeyHandle);
};
class PrivateKeyHandle : public blink::WebCryptoKeyHandle {
public:
explicit PrivateKeyHandle(crypto::ScopedSECKEYPrivateKey key)
: key_(key.Pass()) {}
SECKEYPrivateKey* key() { return key_.get(); }
private:
crypto::ScopedSECKEYPrivateKey key_;
DISALLOW_COPY_AND_ASSIGN(PrivateKeyHandle);
};
HASH_HashType WebCryptoAlgorithmToNSSHashType(
const blink::WebCryptoAlgorithm& algorithm) {
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdSha1:
return HASH_AlgSHA1;
case blink::WebCryptoAlgorithmIdSha224:
return HASH_AlgSHA224;
case blink::WebCryptoAlgorithmIdSha256:
return HASH_AlgSHA256;
case blink::WebCryptoAlgorithmIdSha384:
return HASH_AlgSHA384;
case blink::WebCryptoAlgorithmIdSha512:
return HASH_AlgSHA512;
default:
// Not a digest algorithm.
return HASH_AlgNULL;
}
}
CK_MECHANISM_TYPE WebCryptoAlgorithmToHMACMechanism(
const blink::WebCryptoAlgorithm& algorithm) {
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdSha1:
return CKM_SHA_1_HMAC;
case blink::WebCryptoAlgorithmIdSha256:
return CKM_SHA256_HMAC;
default:
// Not a supported algorithm.
return CKM_INVALID_MECHANISM;
}
}
bool AesCbcEncryptDecrypt(
CK_ATTRIBUTE_TYPE operation,
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const unsigned char* data,
unsigned data_size,
blink::WebArrayBuffer* buffer) {
DCHECK_EQ(blink::WebCryptoAlgorithmIdAesCbc, algorithm.id());
DCHECK_EQ(algorithm.id(), key.algorithm().id());
DCHECK_EQ(blink::WebCryptoKeyTypeSecret, key.type());
DCHECK(operation == CKA_ENCRYPT || operation == CKA_DECRYPT);
SymKeyHandle* sym_key = reinterpret_cast<SymKeyHandle*>(key.handle());
const blink::WebCryptoAesCbcParams* params = algorithm.aesCbcParams();
if (params->iv().size() != AES_BLOCK_SIZE)
return false;
SECItem iv_item;
iv_item.type = siBuffer;
iv_item.data = const_cast<unsigned char*>(params->iv().data());
iv_item.len = params->iv().size();
crypto::ScopedSECItem param(PK11_ParamFromIV(CKM_AES_CBC_PAD, &iv_item));
if (!param)
return false;
crypto::ScopedPK11Context context(PK11_CreateContextBySymKey(
CKM_AES_CBC_PAD, operation, sym_key->key(), param.get()));
if (!context.get())
return false;
// Oddly PK11_CipherOp takes input and output lengths as "int" rather than
// "unsigned". Do some checks now to avoid integer overflowing.
if (data_size >= INT_MAX - AES_BLOCK_SIZE) {
// TODO(eroman): Handle this by chunking the input fed into NSS. Right now
// it doesn't make much difference since the one-shot API would end up
// blowing out the memory and crashing anyway. However a newer version of
// the spec allows for a sequence<CryptoData> so this will be relevant.
return false;
}
// PK11_CipherOp does an invalid memory access when given empty decryption
// input, or input which is not a multiple of the block size. See also
// https://bugzilla.mozilla.com/show_bug.cgi?id=921687.
if (operation == CKA_DECRYPT &&
(data_size == 0 || (data_size % AES_BLOCK_SIZE != 0))) {
return false;
}
// TODO(eroman): Refine the output buffer size. It can be computed exactly for
// encryption, and can be smaller for decryption.
unsigned output_max_len = data_size + AES_BLOCK_SIZE;
CHECK_GT(output_max_len, data_size);
*buffer = blink::WebArrayBuffer::create(output_max_len, 1);
unsigned char* buffer_data = reinterpret_cast<unsigned char*>(buffer->data());
int output_len;
if (SECSuccess != PK11_CipherOp(context.get(),
buffer_data,
&output_len,
buffer->byteLength(),
data,
data_size)) {
return false;
}
unsigned int final_output_chunk_len;
if (SECSuccess != PK11_DigestFinal(context.get(),
buffer_data + output_len,
&final_output_chunk_len,
output_max_len - output_len)) {
return false;
}
webcrypto::ShrinkBuffer(buffer, final_output_chunk_len + output_len);
return true;
}
CK_MECHANISM_TYPE HmacAlgorithmToGenMechanism(
const blink::WebCryptoAlgorithm& algorithm) {
DCHECK_EQ(algorithm.id(), blink::WebCryptoAlgorithmIdHmac);
const blink::WebCryptoHmacKeyParams* params = algorithm.hmacKeyParams();
DCHECK(params);
switch (params->hash().id()) {
case blink::WebCryptoAlgorithmIdSha1:
return CKM_SHA_1_HMAC;
case blink::WebCryptoAlgorithmIdSha256:
return CKM_SHA256_HMAC;
default:
return CKM_INVALID_MECHANISM;
}
}
CK_MECHANISM_TYPE WebCryptoAlgorithmToGenMechanism(
const blink::WebCryptoAlgorithm& algorithm) {
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdAesCbc:
return CKM_AES_KEY_GEN;
case blink::WebCryptoAlgorithmIdHmac:
return HmacAlgorithmToGenMechanism(algorithm);
default:
return CKM_INVALID_MECHANISM;
}
}
unsigned int WebCryptoHmacAlgorithmToBlockSize(
const blink::WebCryptoAlgorithm& algorithm) {
DCHECK_EQ(algorithm.id(), blink::WebCryptoAlgorithmIdHmac);
const blink::WebCryptoHmacKeyParams* params = algorithm.hmacKeyParams();
DCHECK(params);
switch (params->hash().id()) {
case blink::WebCryptoAlgorithmIdSha1:
return 512;
case blink::WebCryptoAlgorithmIdSha256:
return 512;
default:
return 0;
}
}
// Converts a (big-endian) WebCrypto BigInteger, with or without leading zeros,
// to unsigned long.
bool BigIntegerToLong(const uint8* data,
unsigned data_size,
unsigned long* result) {
// TODO(padolph): Is it correct to say that empty data is an error, or does it
// mean value 0? See https://www.w3.org/Bugs/Public/show_bug.cgi?id=23655
if (data_size == 0)
return false;
*result = 0;
for (size_t i = 0; i < data_size; ++i) {
size_t reverse_i = data_size - i - 1;
if (reverse_i >= sizeof(unsigned long) && data[i])
return false; // Too large for a long.
*result |= data[i] << 8 * reverse_i;
}
return true;
}
bool IsAlgorithmRsa(const blink::WebCryptoAlgorithm& algorithm) {
return algorithm.id() == blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5 ||
algorithm.id() == blink::WebCryptoAlgorithmIdRsaOaep ||
algorithm.id() == blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5;
}
bool ImportKeyInternalRaw(
const unsigned char* key_data,
unsigned key_data_size,
const blink::WebCryptoAlgorithm& algorithm,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* key) {
DCHECK(!algorithm.isNull());
blink::WebCryptoKeyType type;
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdHmac:
case blink::WebCryptoAlgorithmIdAesCbc:
type = blink::WebCryptoKeyTypeSecret;
break;
// TODO(bryaneyler): Support more key types.
default:
return false;
}
// TODO(bryaneyler): Need to split handling for symmetric and asymmetric keys.
// Currently only supporting symmetric.
CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
// Flags are verified at the Blink layer; here the flags are set to all
// possible operations for this key type.
CK_FLAGS flags = 0;
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdHmac: {
const blink::WebCryptoHmacParams* params = algorithm.hmacParams();
if (!params) {
return false;
}
mechanism = WebCryptoAlgorithmToHMACMechanism(params->hash());
if (mechanism == CKM_INVALID_MECHANISM) {
return false;
}
flags |= CKF_SIGN | CKF_VERIFY;
break;
}
case blink::WebCryptoAlgorithmIdAesCbc: {
mechanism = CKM_AES_CBC;
flags |= CKF_ENCRYPT | CKF_DECRYPT;
break;
}
default:
return false;
}
DCHECK_NE(CKM_INVALID_MECHANISM, mechanism);
DCHECK_NE(0ul, flags);
SECItem key_item = {
siBuffer,
const_cast<unsigned char*>(key_data),
key_data_size
};
crypto::ScopedPK11SymKey pk11_sym_key(
PK11_ImportSymKeyWithFlags(PK11_GetInternalSlot(),
mechanism,
PK11_OriginUnwrap,
CKA_FLAGS_ONLY,
&key_item,
flags,
false,
NULL));
if (!pk11_sym_key.get()) {
return false;
}
*key = blink::WebCryptoKey::create(new SymKeyHandle(pk11_sym_key.Pass()),
type, extractable, algorithm, usage_mask);
return true;
}
bool ExportKeyInternalRaw(
const blink::WebCryptoKey& key,
blink::WebArrayBuffer* buffer) {
DCHECK(key.handle());
DCHECK(buffer);
if (key.type() != blink::WebCryptoKeyTypeSecret || !key.extractable())
return false;
SymKeyHandle* sym_key = reinterpret_cast<SymKeyHandle*>(key.handle());
if (PK11_ExtractKeyValue(sym_key->key()) != SECSuccess)
return false;
const SECItem* key_data = PK11_GetKeyData(sym_key->key());
if (!key_data)
return false;
*buffer = webcrypto::CreateArrayBuffer(key_data->data, key_data->len);
return true;
}
typedef scoped_ptr<CERTSubjectPublicKeyInfo,
crypto::NSSDestroyer<CERTSubjectPublicKeyInfo,
SECKEY_DestroySubjectPublicKeyInfo> >
ScopedCERTSubjectPublicKeyInfo;
// Validates an NSS KeyType against a WebCrypto algorithm. Some NSS KeyTypes
// contain enough information to fabricate a Web Crypto algorithm, which is
// returned if the input algorithm isNull(). This function indicates failure by
// returning a Null algorithm.
blink::WebCryptoAlgorithm ResolveNssKeyTypeWithInputAlgorithm(
KeyType key_type,
const blink::WebCryptoAlgorithm& algorithm_or_null) {
switch (key_type) {
case rsaKey:
// NSS's rsaKey KeyType maps to keys with SEC_OID_PKCS1_RSA_ENCRYPTION and
// according to RFCs 4055/5756 this can be used for both encryption and
// signatures. However, this is not specific enough to build a compatible
// Web Crypto algorithm, since in Web Crypto, RSA encryption and signature
// algorithms are distinct. So if the input algorithm isNull() here, we
// have to fail.
if (!algorithm_or_null.isNull() && IsAlgorithmRsa(algorithm_or_null))
return algorithm_or_null;
break;
case dsaKey:
case ecKey:
case rsaPssKey:
case rsaOaepKey:
// TODO(padolph): Handle other key types.
break;
default:
break;
}
return blink::WebCryptoAlgorithm::createNull();
}
bool ImportKeyInternalSpki(
const unsigned char* key_data,
unsigned key_data_size,
const blink::WebCryptoAlgorithm& algorithm_or_null,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* key) {
DCHECK(key);
if (!key_data_size)
return false;
DCHECK(key_data);
// The binary blob 'key_data' is expected to be a DER-encoded ASN.1 Subject
// Public Key Info. Decode this to a CERTSubjectPublicKeyInfo.
SECItem spki_item = {siBuffer, const_cast<uint8*>(key_data), key_data_size};
const ScopedCERTSubjectPublicKeyInfo spki(
SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
if (!spki)
return false;
crypto::ScopedSECKEYPublicKey sec_public_key(
SECKEY_ExtractPublicKey(spki.get()));
if (!sec_public_key)
return false;
const KeyType sec_key_type = SECKEY_GetPublicKeyType(sec_public_key.get());
blink::WebCryptoAlgorithm algorithm =
ResolveNssKeyTypeWithInputAlgorithm(sec_key_type, algorithm_or_null);
if (algorithm.isNull())
return false;
*key = blink::WebCryptoKey::create(
new PublicKeyHandle(sec_public_key.Pass()),
blink::WebCryptoKeyTypePublic,
extractable,
algorithm,
usage_mask);
return true;
}
bool ExportKeyInternalSpki(
const blink::WebCryptoKey& key,
blink::WebArrayBuffer* buffer) {
DCHECK(key.handle());
DCHECK(buffer);
if (key.type() != blink::WebCryptoKeyTypePublic || !key.extractable())
return false;
PublicKeyHandle* const pub_key =
reinterpret_cast<PublicKeyHandle*>(key.handle());
const crypto::ScopedSECItem spki_der(
SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key->key()));
if (!spki_der)
return false;
DCHECK(spki_der->data);
DCHECK(spki_der->len);
*buffer = webcrypto::CreateArrayBuffer(spki_der->data, spki_der->len);
return true;
}
bool ImportKeyInternalPkcs8(
const unsigned char* key_data,
unsigned key_data_size,
const blink::WebCryptoAlgorithm& algorithm_or_null,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* key) {
DCHECK(key);
if (!key_data_size)
return false;
DCHECK(key_data);
// The binary blob 'key_data' is expected to be a DER-encoded ASN.1 PKCS#8
// private key info object.
SECItem pki_der = {siBuffer, const_cast<uint8*>(key_data), key_data_size};
SECKEYPrivateKey* seckey_private_key = NULL;
if (PK11_ImportDERPrivateKeyInfoAndReturnKey(
PK11_GetInternalSlot(),
&pki_der,
NULL, // nickname
NULL, // publicValue
false, // isPerm
false, // isPrivate
KU_ALL, // usage
&seckey_private_key,
NULL) != SECSuccess) {
return false;
}
DCHECK(seckey_private_key);
crypto::ScopedSECKEYPrivateKey private_key(seckey_private_key);
const KeyType sec_key_type = SECKEY_GetPrivateKeyType(private_key.get());
blink::WebCryptoAlgorithm algorithm =
ResolveNssKeyTypeWithInputAlgorithm(sec_key_type, algorithm_or_null);
if (algorithm.isNull())
return false;
*key = blink::WebCryptoKey::create(
new PrivateKeyHandle(private_key.Pass()),
blink::WebCryptoKeyTypePrivate,
extractable,
algorithm,
usage_mask);
return true;
}
} // namespace
void WebCryptoImpl::Init() {
crypto::EnsureNSSInit();
}
bool WebCryptoImpl::EncryptInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const unsigned char* data,
unsigned data_size,
blink::WebArrayBuffer* buffer) {
DCHECK_EQ(algorithm.id(), key.algorithm().id());
DCHECK(key.handle());
DCHECK(buffer);
if (algorithm.id() == blink::WebCryptoAlgorithmIdAesCbc) {
return AesCbcEncryptDecrypt(
CKA_ENCRYPT, algorithm, key, data, data_size, buffer);
} else if (algorithm.id() == blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5) {
// RSAES encryption does not support empty input
if (!data_size)
return false;
DCHECK(data);
if (key.type() != blink::WebCryptoKeyTypePublic)
return false;
PublicKeyHandle* const public_key =
reinterpret_cast<PublicKeyHandle*>(key.handle());
const unsigned encrypted_length_bytes =
SECKEY_PublicKeyStrength(public_key->key());
// RSAES can operate on messages up to a length of k - 11, where k is the
// octet length of the RSA modulus.
if (encrypted_length_bytes < 11 || encrypted_length_bytes - 11 < data_size)
return false;
*buffer = blink::WebArrayBuffer::create(encrypted_length_bytes, 1);
unsigned char* const buffer_data =
reinterpret_cast<unsigned char*>(buffer->data());
if (PK11_PubEncryptPKCS1(public_key->key(),
buffer_data,
const_cast<unsigned char*>(data),
data_size,
NULL) != SECSuccess) {
return false;
}
return true;
}
return false;
}
bool WebCryptoImpl::DecryptInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const unsigned char* data,
unsigned data_size,
blink::WebArrayBuffer* buffer) {
DCHECK_EQ(algorithm.id(), key.algorithm().id());
DCHECK(key.handle());
DCHECK(buffer);
if (algorithm.id() == blink::WebCryptoAlgorithmIdAesCbc) {
return AesCbcEncryptDecrypt(
CKA_DECRYPT, algorithm, key, data, data_size, buffer);
} else if (algorithm.id() == blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5) {
// RSAES decryption does not support empty input
if (!data_size)
return false;
DCHECK(data);
if (key.type() != blink::WebCryptoKeyTypePrivate)
return false;
PrivateKeyHandle* const private_key =
reinterpret_cast<PrivateKeyHandle*>(key.handle());
const int modulus_length_bytes =
PK11_GetPrivateModulusLen(private_key->key());
if (modulus_length_bytes <= 0)
return false;
const unsigned max_output_length_bytes = modulus_length_bytes;
*buffer = blink::WebArrayBuffer::create(max_output_length_bytes, 1);
unsigned char* const buffer_data =
reinterpret_cast<unsigned char*>(buffer->data());
unsigned output_length_bytes = 0;
if (PK11_PrivDecryptPKCS1(private_key->key(),
buffer_data,
&output_length_bytes,
max_output_length_bytes,
const_cast<unsigned char*>(data),
data_size) != SECSuccess) {
return false;
}
DCHECK_LE(output_length_bytes, max_output_length_bytes);
webcrypto::ShrinkBuffer(buffer, output_length_bytes);
return true;
}
return false;
}
bool WebCryptoImpl::DigestInternal(
const blink::WebCryptoAlgorithm& algorithm,
const unsigned char* data,
unsigned data_size,
blink::WebArrayBuffer* buffer) {
HASH_HashType hash_type = WebCryptoAlgorithmToNSSHashType(algorithm);
if (hash_type == HASH_AlgNULL) {
return false;
}
HASHContext* context = HASH_Create(hash_type);
if (!context) {
return false;
}
HASH_Begin(context);
HASH_Update(context, data, data_size);
unsigned hash_result_length = HASH_ResultLenContext(context);
DCHECK_LE(hash_result_length, static_cast<size_t>(HASH_LENGTH_MAX));
*buffer = blink::WebArrayBuffer::create(hash_result_length, 1);
unsigned char* digest = reinterpret_cast<unsigned char*>(buffer->data());
unsigned result_length = 0;
HASH_End(context, digest, &result_length, hash_result_length);
HASH_Destroy(context);
return result_length == hash_result_length;
}
bool WebCryptoImpl::GenerateKeyInternal(
const blink::WebCryptoAlgorithm& algorithm,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* key) {
CK_MECHANISM_TYPE mech = WebCryptoAlgorithmToGenMechanism(algorithm);
unsigned int keylen_bytes = 0;
blink::WebCryptoKeyType key_type = blink::WebCryptoKeyTypeSecret;
if (mech == CKM_INVALID_MECHANISM) {
return false;
}
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdAesCbc: {
const blink::WebCryptoAesKeyGenParams* params =
algorithm.aesKeyGenParams();
DCHECK(params);
keylen_bytes = params->length() / 8;
if (params->length() % 8)
return false;
key_type = blink::WebCryptoKeyTypeSecret;
break;
}
case blink::WebCryptoAlgorithmIdHmac: {
const blink::WebCryptoHmacKeyParams* params = algorithm.hmacKeyParams();
DCHECK(params);
if (!params->getLength(keylen_bytes)) {
keylen_bytes = WebCryptoHmacAlgorithmToBlockSize(algorithm) / 8;
}
key_type = blink::WebCryptoKeyTypeSecret;
break;
}
default: {
return false;
}
}
if (keylen_bytes == 0) {
return false;
}
crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
if (!slot) {
return false;
}
crypto::ScopedPK11SymKey pk11_key(
PK11_KeyGen(slot.get(), mech, NULL, keylen_bytes, NULL));
if (!pk11_key) {
return false;
}
*key = blink::WebCryptoKey::create(
new SymKeyHandle(pk11_key.Pass()),
key_type, extractable, algorithm, usage_mask);
return true;
}
bool WebCryptoImpl::GenerateKeyPairInternal(
const blink::WebCryptoAlgorithm& algorithm,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* public_key,
blink::WebCryptoKey* private_key) {
// TODO(padolph): Handle other asymmetric algorithm key generation.
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
case blink::WebCryptoAlgorithmIdRsaOaep:
case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5: {
const blink::WebCryptoRsaKeyGenParams* const params =
algorithm.rsaKeyGenParams();
DCHECK(params);
crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
unsigned long public_exponent;
if (!slot || !params->modulusLength() ||
!BigIntegerToLong(params->publicExponent().data(),
params->publicExponent().size(),
&public_exponent) ||
!public_exponent) {
return false;
}
PK11RSAGenParams rsa_gen_params;
rsa_gen_params.keySizeInBits = params->modulusLength();
rsa_gen_params.pe = public_exponent;
// Flags are verified at the Blink layer; here the flags are set to all
// possible operations for the given key type.
CK_FLAGS operation_flags;
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
case blink::WebCryptoAlgorithmIdRsaOaep:
operation_flags = CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP;
break;
case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5:
operation_flags = CKF_SIGN | CKF_VERIFY;
break;
default:
NOTREACHED();
return false;
}
const CK_FLAGS operation_flags_mask = CKF_ENCRYPT | CKF_DECRYPT |
CKF_SIGN | CKF_VERIFY | CKF_WRAP |
CKF_UNWRAP;
const PK11AttrFlags attribute_flags = 0; // Default all PK11_ATTR_ flags.
// Note: NSS does not generate an sec_public_key if the call below fails,
// so there is no danger of a leaked sec_public_key.
SECKEYPublicKey* sec_public_key;
crypto::ScopedSECKEYPrivateKey scoped_sec_private_key(
PK11_GenerateKeyPairWithOpFlags(slot.get(),
CKM_RSA_PKCS_KEY_PAIR_GEN,
&rsa_gen_params,
&sec_public_key,
attribute_flags,
operation_flags,
operation_flags_mask,
NULL));
if (!private_key) {
return false;
}
*public_key = blink::WebCryptoKey::create(
new PublicKeyHandle(crypto::ScopedSECKEYPublicKey(sec_public_key)),
blink::WebCryptoKeyTypePublic,
true,
algorithm,
usage_mask);
*private_key = blink::WebCryptoKey::create(
new PrivateKeyHandle(scoped_sec_private_key.Pass()),
blink::WebCryptoKeyTypePrivate,
extractable,
algorithm,
usage_mask);
return true;
}
default:
return false;
}
}
bool WebCryptoImpl::ImportKeyInternal(
blink::WebCryptoKeyFormat format,
const unsigned char* key_data,
unsigned key_data_size,
const blink::WebCryptoAlgorithm& algorithm_or_null,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* key) {
switch (format) {
case blink::WebCryptoKeyFormatRaw:
// A 'raw'-formatted key import requires an input algorithm.
if (algorithm_or_null.isNull())
return false;
return ImportKeyInternalRaw(key_data,
key_data_size,
algorithm_or_null,
extractable,
usage_mask,
key);
case blink::WebCryptoKeyFormatSpki:
return ImportKeyInternalSpki(key_data,
key_data_size,
algorithm_or_null,
extractable,
usage_mask,
key);
case blink::WebCryptoKeyFormatPkcs8:
return ImportKeyInternalPkcs8(key_data,
key_data_size,
algorithm_or_null,
extractable,
usage_mask,
key);
default:
// NOTE: blink::WebCryptoKeyFormatJwk is handled one level above.
return false;
}
}
bool WebCryptoImpl::ExportKeyInternal(
blink::WebCryptoKeyFormat format,
const blink::WebCryptoKey& key,
blink::WebArrayBuffer* buffer) {
switch (format) {
case blink::WebCryptoKeyFormatRaw:
return ExportKeyInternalRaw(key, buffer);
case blink::WebCryptoKeyFormatSpki:
return ExportKeyInternalSpki(key, buffer);
case blink::WebCryptoKeyFormatPkcs8:
// TODO(padolph): Implement pkcs8 export
return false;
default:
return false;
}
}
bool WebCryptoImpl::SignInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const unsigned char* data,
unsigned data_size,
blink::WebArrayBuffer* buffer) {
blink::WebArrayBuffer result;
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdHmac: {
const blink::WebCryptoHmacParams* params = algorithm.hmacParams();
if (!params) {
return false;
}
SymKeyHandle* sym_key = reinterpret_cast<SymKeyHandle*>(key.handle());
DCHECK_EQ(PK11_GetMechanism(sym_key->key()),
WebCryptoAlgorithmToHMACMechanism(params->hash()));
DCHECK_NE(0, key.usages() & blink::WebCryptoKeyUsageSign);
SECItem param_item = { siBuffer, NULL, 0 };
SECItem data_item = {
siBuffer,
const_cast<unsigned char*>(data),
data_size
};
// First call is to figure out the length.
SECItem signature_item = { siBuffer, NULL, 0 };
if (PK11_SignWithSymKey(sym_key->key(),
PK11_GetMechanism(sym_key->key()),
&param_item,
&signature_item,
&data_item) != SECSuccess) {
NOTREACHED();
return false;
}
DCHECK_NE(0u, signature_item.len);
result = blink::WebArrayBuffer::create(signature_item.len, 1);
signature_item.data = reinterpret_cast<unsigned char*>(result.data());
if (PK11_SignWithSymKey(sym_key->key(),
PK11_GetMechanism(sym_key->key()),
&param_item,
&signature_item,
&data_item) != SECSuccess) {
NOTREACHED();
return false;
}
DCHECK_EQ(result.byteLength(), signature_item.len);
break;
}
default:
return false;
}
*buffer = result;
return true;
}
bool WebCryptoImpl::VerifySignatureInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const unsigned char* signature,
unsigned signature_size,
const unsigned char* data,
unsigned data_size,
bool* signature_match) {
switch (algorithm.id()) {
case blink::WebCryptoAlgorithmIdHmac: {
blink::WebArrayBuffer result;
if (!SignInternal(algorithm, key, data, data_size, &result)) {
return false;
}
// Handling of truncated signatures is underspecified in the WebCrypto
// spec, so here we fail verification if a truncated signature is being
// verified.
// See https://www.w3.org/Bugs/Public/show_bug.cgi?id=23097
*signature_match =
result.byteLength() == signature_size &&
crypto::SecureMemEqual(result.data(), signature, signature_size);
break;
}
default:
return false;
}
return true;
}
bool WebCryptoImpl::ImportRsaPublicKeyInternal(
const unsigned char* modulus_data,
unsigned modulus_size,
const unsigned char* exponent_data,
unsigned exponent_size,
const blink::WebCryptoAlgorithm& algorithm,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* key) {
if (!modulus_size || !exponent_size)
return false;
DCHECK(modulus_data);
DCHECK(exponent_data);
// NSS does not provide a way to create an RSA public key directly from the
// modulus and exponent values, but it can import an DER-encoded ASN.1 blob
// with these values and create the public key from that. The code below
// follows the recommendation described in
// https://developer.mozilla.org/en-US/docs/NSS/NSS_Tech_Notes/nss_tech_note7
// Pack the input values into a struct compatible with NSS ASN.1 encoding, and
// set up an ASN.1 encoder template for it.
struct RsaPublicKeyData {
SECItem modulus;
SECItem exponent;
};
const RsaPublicKeyData pubkey_in = {
{siUnsignedInteger, const_cast<unsigned char*>(modulus_data),
modulus_size},
{siUnsignedInteger, const_cast<unsigned char*>(exponent_data),
exponent_size}};
const SEC_ASN1Template rsa_public_key_template[] = {
{SEC_ASN1_SEQUENCE, 0, NULL, sizeof(RsaPublicKeyData)},
{SEC_ASN1_INTEGER, offsetof(RsaPublicKeyData, modulus), },
{SEC_ASN1_INTEGER, offsetof(RsaPublicKeyData, exponent), },
{0, }};
// DER-encode the public key.
crypto::ScopedSECItem pubkey_der(SEC_ASN1EncodeItem(
NULL, NULL, &pubkey_in, rsa_public_key_template));
if (!pubkey_der)
return false;
// Import the DER-encoded public key to create an RSA SECKEYPublicKey.
crypto::ScopedSECKEYPublicKey pubkey(
SECKEY_ImportDERPublicKey(pubkey_der.get(), CKK_RSA));
if (!pubkey)
return false;
*key = blink::WebCryptoKey::create(new PublicKeyHandle(pubkey.Pass()),
blink::WebCryptoKeyTypePublic,
extractable,
algorithm,
usage_mask);
return true;
}
} // namespace content