| // Copyright 2013 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chrome/browser/chromeos/settings/token_encryptor.h" |
| |
| #include <vector> |
| |
| #include "base/logging.h" |
| #include "base/strings/string_number_conversions.h" |
| #include "base/strings/string_util.h" |
| #include "base/sys_info.h" |
| #include "chromeos/cryptohome/system_salt_getter.h" |
| #include "crypto/encryptor.h" |
| #include "crypto/nss_util.h" |
| #include "crypto/sha2.h" |
| #include "crypto/symmetric_key.h" |
| |
| namespace chromeos { |
| |
| namespace { |
| const size_t kNonceSize = 16; |
| } // namespace |
| |
| CryptohomeTokenEncryptor::CryptohomeTokenEncryptor( |
| const std::string& system_salt) |
| : system_salt_(system_salt) { |
| DCHECK(!system_salt.empty()); |
| // TODO(davidroche): should this use the system salt for both the password |
| // and the salt value, or should this use a separate salt value? |
| system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_)); |
| } |
| |
| CryptohomeTokenEncryptor::~CryptohomeTokenEncryptor() { |
| } |
| |
| std::string CryptohomeTokenEncryptor::EncryptWithSystemSalt( |
| const std::string& token) { |
| // Don't care about token encryption while debugging. |
| if (!base::SysInfo::IsRunningOnChromeOS()) |
| return token; |
| |
| if (!system_salt_key_) { |
| LOG(WARNING) << "System salt key is not available for encrypt."; |
| return std::string(); |
| } |
| return EncryptTokenWithKey(system_salt_key_.get(), |
| system_salt_, |
| token); |
| } |
| |
| std::string CryptohomeTokenEncryptor::DecryptWithSystemSalt( |
| const std::string& encrypted_token_hex) { |
| // Don't care about token encryption while debugging. |
| if (!base::SysInfo::IsRunningOnChromeOS()) |
| return encrypted_token_hex; |
| |
| if (!system_salt_key_) { |
| LOG(WARNING) << "System salt key is not available for decrypt."; |
| return std::string(); |
| } |
| return DecryptTokenWithKey(system_salt_key_.get(), |
| system_salt_, |
| encrypted_token_hex); |
| } |
| |
| crypto::SymmetricKey* CryptohomeTokenEncryptor::PassphraseToKey( |
| const std::string& passphrase, |
| const std::string& salt) { |
| return crypto::SymmetricKey::DeriveKeyFromPassword( |
| crypto::SymmetricKey::AES, passphrase, salt, 1000, 256); |
| } |
| |
| std::string CryptohomeTokenEncryptor::EncryptTokenWithKey( |
| crypto::SymmetricKey* key, |
| const std::string& salt, |
| const std::string& token) { |
| crypto::Encryptor encryptor; |
| if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { |
| LOG(WARNING) << "Failed to initialize Encryptor."; |
| return std::string(); |
| } |
| std::string nonce = salt.substr(0, kNonceSize); |
| std::string encoded_token; |
| CHECK(encryptor.SetCounter(nonce)); |
| if (!encryptor.Encrypt(token, &encoded_token)) { |
| LOG(WARNING) << "Failed to encrypt token."; |
| return std::string(); |
| } |
| |
| return StringToLowerASCII(base::HexEncode( |
| reinterpret_cast<const void*>(encoded_token.data()), |
| encoded_token.size())); |
| } |
| |
| std::string CryptohomeTokenEncryptor::DecryptTokenWithKey( |
| crypto::SymmetricKey* key, |
| const std::string& salt, |
| const std::string& encrypted_token_hex) { |
| std::vector<uint8> encrypted_token_bytes; |
| if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) { |
| LOG(WARNING) << "Corrupt encrypted token found."; |
| return std::string(); |
| } |
| |
| std::string encrypted_token( |
| reinterpret_cast<char*>(encrypted_token_bytes.data()), |
| encrypted_token_bytes.size()); |
| crypto::Encryptor encryptor; |
| if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { |
| LOG(WARNING) << "Failed to initialize Encryptor."; |
| return std::string(); |
| } |
| |
| std::string nonce = salt.substr(0, kNonceSize); |
| std::string token; |
| CHECK(encryptor.SetCounter(nonce)); |
| if (!encryptor.Decrypt(encrypted_token, &token)) { |
| LOG(WARNING) << "Failed to decrypt token."; |
| return std::string(); |
| } |
| return token; |
| } |
| |
| } // namespace chromeos |