[webcrypto] Add raw symmetric key AES-KW wrap/unwrap for NSS.

content/renderer/webcrypto/platform_crypto_nss.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/platform_crypto.h"
 
 #include <cryptohi.h>
 #include <pk11pub.h>
 #include <sechash.h>
 
@@ skipping 427 matching lines @@
   }
 }
 
 bool CreatePrivateKeyAlgorithm(const blink::WebCryptoAlgorithm& algorithm,
                                SECKEYPrivateKey* key,
                                blink::WebCryptoKeyAlgorithm* key_algorithm) {
   crypto::ScopedSECKEYPublicKey public_key(SECKEY_ConvertToPublicKey(key));
   return CreatePublicKeyAlgorithm(algorithm, public_key.get(), key_algorithm);
 }
 
+// The Default IV for AES-KW. See http://www.ietf.org/rfc/rfc3394.txt
+// Section 2.2.3.1.
+// TODO(padolph): Move to common place to be shared with OpenSSL implementation.
+const unsigned char kAesIv[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
+
+// Sets NSS CK_MECHANISM_TYPE and CK_FLAGS corresponding to the input Web Crypto
+// algorithm ID.
+Status WebCryptoAlgorithmToNssMechFlags(
+    const blink::WebCryptoAlgorithm& algorithm,
+    CK_MECHANISM_TYPE* mechanism,
+    CK_FLAGS* flags) {
+  switch (algorithm.id()) {
+    case blink::WebCryptoAlgorithmIdHmac: {
+      const blink::WebCryptoAlgorithm& hash = GetInnerHashAlgorithm(algorithm);
+      *mechanism = WebCryptoHashToHMACMechanism(hash);
+      if (*mechanism == CKM_INVALID_MECHANISM)
+        return Status::ErrorUnsupported();
+      *flags = CKF_SIGN | CKF_VERIFY;
+      break;
+    }
+    case blink::WebCryptoAlgorithmIdAesCbc: {
+      *mechanism = CKM_AES_CBC;
+      *flags = CKF_ENCRYPT | CKF_DECRYPT;
+      break;
+    }
+    case blink::WebCryptoAlgorithmIdAesKw: {
+      *mechanism = CKM_NSS_AES_KEY_WRAP;
+      *flags = CKF_WRAP | CKF_WRAP;
+      break;
+    }
+    case blink::WebCryptoAlgorithmIdAesGcm: {
+      if (!g_aes_gcm_support.Get().IsSupported())
+        return Status::ErrorUnsupported();
+      *mechanism = CKM_AES_GCM;
+      *flags = CKF_ENCRYPT | CKF_DECRYPT;
+      break;
+    }
+    default:
+      return Status::ErrorUnsupported();
+  }
+  return Status::Success();
+}
+
 }  // namespace
 
 Status ImportKeyRaw(const blink::WebCryptoAlgorithm& algorithm,
                     const CryptoData& key_data,
                     bool extractable,
                     blink::WebCryptoKeyUsageMask usage_mask,
                     blink::WebCryptoKey* key) {
 
   DCHECK(!algorithm.isNull());
 
-  // TODO(bryaneyler): Need to split handling for symmetric and asymmetric keys.
-  // Currently only supporting symmetric.
-  CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
+  CK_MECHANISM_TYPE mechanism;
   // Flags are verified at the Blink layer; here the flags are set to all
   // possible operations for this key type.

[Ryan Sleevi, 2014/03/01 02:40:13]

This comment needs to be moved. |flags| is no longer configured here, but up
around line 454.

[padolph, 2014/03/01 03:38:28]

Done.

-  CK_FLAGS flags = 0;
-
-  switch (algorithm.id()) {
-    case blink::WebCryptoAlgorithmIdHmac: {
-      const blink::WebCryptoAlgorithm& hash = GetInnerHashAlgorithm(algorithm);
-
-      mechanism = WebCryptoHashToHMACMechanism(hash);
-      if (mechanism == CKM_INVALID_MECHANISM)
-        return Status::ErrorUnsupported();
-
-      flags |= CKF_SIGN | CKF_VERIFY;
-      break;
-    }
-    case blink::WebCryptoAlgorithmIdAesCbc: {
-      mechanism = CKM_AES_CBC;
-      flags |= CKF_ENCRYPT | CKF_DECRYPT;
-      break;
-    }
-    case blink::WebCryptoAlgorithmIdAesKw: {
-      mechanism = CKM_NSS_AES_KEY_WRAP;
-      flags |= CKF_WRAP | CKF_WRAP;
-      break;
-    }
-    case blink::WebCryptoAlgorithmIdAesGcm: {
-      if (!g_aes_gcm_support.Get().IsSupported())
-        return Status::ErrorUnsupported();
-      mechanism = CKM_AES_GCM;
-      flags |= CKF_ENCRYPT | CKF_DECRYPT;
-      break;
-    }
-    default:
-      return Status::ErrorUnsupported();
-  }
-
-  DCHECK_NE(CKM_INVALID_MECHANISM, mechanism);
-  DCHECK_NE(0ul, flags);
+  CK_FLAGS flags;
+  Status status =
+      WebCryptoAlgorithmToNssMechFlags(algorithm, &mechanism, &flags);
+  if (status.IsError())
+    return status;
 
   SECItem key_item = MakeSECItemForBuffer(key_data);
 
   crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
   crypto::ScopedPK11SymKey pk11_sym_key(
       PK11_ImportSymKeyWithFlags(slot.get(),
                                  mechanism,
                                  PK11_OriginUnwrap,
                                  CKA_FLAGS_ONLY,
                                  &key_item,
@@ skipping 584 matching lines @@
     return Status::ErrorUnexpected();
 
   *key = blink::WebCryptoKey::create(new PublicKey(pubkey.Pass()),
                                      blink::WebCryptoKeyTypePublic,
                                      extractable,
                                      key_algorithm,
                                      usage_mask);
   return Status::Success();
 }
 
+Status WrapSymKeyAesKw(SymKey* wrapping_key,
+                       SymKey* key,
+                       blink::WebArrayBuffer* buffer) {
+  // The data size must be at least 16 bytes and a multiple of 8 bytes.
+  // RFC 3394 does not specify a maximum allowed data length, but since only
+  // keys are being wrapped in this application (which are small), a reasonable
+  // max limit is whatever will fit into an unsigned. For the max size test,
+  // note that AES Key Wrap always adds 8 bytes to the input data size.
+  const unsigned int input_length = PK11_GetKeyLength(key->key());
+  if (input_length < 16)
+    return Status::ErrorDataTooSmall();
+  if (input_length > UINT_MAX - 8)
+    return Status::ErrorDataTooLarge();
+  if (input_length % 8)
+    return Status::ErrorInvalidAesKwDataLength();
+
+  SECItem iv_item =
+      MakeSECItemForBuffer(CryptoData(kAesIv, ARRAYSIZE_UNSAFE(kAesIv)));

[Ryan Sleevi, 2014/03/01 02:40:13]

sizeof, not ARRAYSIZE - you want the actual byte size of kAesIv

[padolph, 2014/03/01 03:38:28]

Done.

+  crypto::ScopedSECItem param_item(
+      PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item));
+  if (!param_item)
+    return Status::ErrorUnexpected();
+
+  const unsigned int output_length = input_length + 8;
+  *buffer = blink::WebArrayBuffer::create(output_length, 1);
+  unsigned char* buffer_data = reinterpret_cast<unsigned char*>(buffer->data());
+  SECItem wrapped_key_item = {siBuffer, buffer_data, output_length};
+
+  if (SECSuccess != PK11_WrapSymKey(CKM_NSS_AES_KEY_WRAP,
+                                    param_item.get(),
+                                    wrapping_key->key(),
+                                    key->key(),
+                                    &wrapped_key_item)) {
+    return Status::Error();
+  }
+  if (output_length != wrapped_key_item.len)
+    return Status::ErrorUnexpected();
+
+  return Status::Success();
+}
+
+Status UnwrapSymKeyAesKw(const CryptoData& wrapped_key_data,
+                         SymKey* wrapping_key,
+                         const blink::WebCryptoAlgorithm& algorithm,
+                         bool extractable,
+                         blink::WebCryptoKeyUsageMask usage_mask,
+                         blink::WebCryptoKey* key) {
+  DCHECK(wrapped_key_data.byte_length() >= 24);

[Ryan Sleevi, 2014/03/01 02:40:13]

DCHECK_GE

[padolph, 2014/03/01 03:38:28]

Done.

+  DCHECK(wrapped_key_data.byte_length() % 8 == 0);

[Ryan Sleevi, 2014/03/01 02:40:13]

DCHECK_EQ

[padolph, 2014/03/01 03:38:28]

Done.

+
+  SECItem iv_item =
+      MakeSECItemForBuffer(CryptoData(kAesIv, ARRAYSIZE_UNSAFE(kAesIv)));

[Ryan Sleevi, 2014/03/01 02:40:13]

sizeof

[padolph, 2014/03/01 03:38:28]

Done.

+  crypto::ScopedSECItem param_item(
+      PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item));
+  if (!param_item)
+    return Status::ErrorUnexpected();
+
+  SECItem cipher_text = MakeSECItemForBuffer(wrapped_key_data);
+
+  // The plaintext length is always 64 bits less than the data size.
+  const unsigned int plaintext_length = wrapped_key_data.byte_length() - 8;
+
+  // Determine the proper NSS key properties from the input algorithm.
+  CK_MECHANISM_TYPE mechanism;
+  CK_FLAGS flags;
+  Status status =
+      WebCryptoAlgorithmToNssMechFlags(algorithm, &mechanism, &flags);
+  if (status.IsError())
+    return status;
+
+  crypto::ScopedPK11SymKey unwrapped_key(PK11_UnwrapSymKey(wrapping_key->key(),
+                                                           CKM_NSS_AES_KEY_WRAP,
+                                                           param_item.get(),
+                                                           &cipher_text,
+                                                           mechanism,
+                                                           flags,
+                                                           plaintext_length));
+  if (!unwrapped_key)
+    return Status::Error();

[Ryan Sleevi, 2014/03/01 02:40:13]

Future CL idea: Support logging PORT_GetError() and friends to figure out _why_
it failed.

[padolph, 2014/03/01 03:38:28]

Good idea.

+
+  *key = blink::WebCryptoKey::create(new SymKey(unwrapped_key.Pass()),
+                                     blink::WebCryptoKeyTypeSecret,
+                                     extractable,
+                                     algorithm,
+                                     usage_mask);
+  return Status::Success();
+}
+
 }  // namespace platform
 
 }  // namespace webcrypto
 
 }  // namespace content