| Index: content/child/webcrypto/jwk.cc
|
| diff --git a/content/child/webcrypto/jwk.cc b/content/child/webcrypto/jwk.cc
|
| index 513193021cd83fec9504c1b2e1b0061ca411bc6a..38ae18e82ab2ade8bf0c410d440decd4830dd9a2 100644
|
| --- a/content/child/webcrypto/jwk.cc
|
| +++ b/content/child/webcrypto/jwk.cc
|
| @@ -6,15 +6,14 @@
|
| #include <functional>
|
| #include <map>
|
| #include "base/json/json_reader.h"
|
| +#include "base/json/json_writer.h"
|
| #include "base/lazy_instance.h"
|
| -#include "base/logging.h"
|
| -#include "base/memory/scoped_ptr.h"
|
| -#include "base/strings/string_piece.h"
|
| -#include "base/values.h"
|
| +#include "base/strings/stringprintf.h"
|
| #include "content/child/webcrypto/crypto_data.h"
|
| #include "content/child/webcrypto/platform_crypto.h"
|
| #include "content/child/webcrypto/shared_crypto.h"
|
| #include "content/child/webcrypto/webcrypto_util.h"
|
| +#include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
|
|
|
| namespace content {
|
|
|
| @@ -22,6 +21,16 @@ namespace webcrypto {
|
|
|
| namespace {
|
|
|
| +// Web Crypto equivalent usage mask for JWK 'use' = 'enc'.
|
| +// TODO(padolph): Add 'deriveBits' once supported by Blink.
|
| +const blink::WebCryptoKeyUsageMask kJwkEncUsage =
|
| + blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt |
|
| + blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey |
|
| + blink::WebCryptoKeyUsageDeriveKey;
|
| +// Web Crypto equivalent usage mask for JWK 'use' = 'sig'.
|
| +const blink::WebCryptoKeyUsageMask kJwkSigUsage =
|
| + blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify;
|
| +
|
| typedef blink::WebCryptoAlgorithm (*AlgorithmCreationFunc)();
|
|
|
| class JwkAlgorithmInfo {
|
| @@ -38,7 +47,7 @@ class JwkAlgorithmInfo {
|
| unsigned int required_key_length_bits)
|
| : creation_func_(algorithm_creation_func),
|
| required_key_length_bytes_(required_key_length_bits / 8) {
|
| - DCHECK((required_key_length_bits % 8) == 0);
|
| + DCHECK_EQ(0u, required_key_length_bits % 8);
|
| }
|
|
|
| bool CreateImportAlgorithm(blink::WebCryptoAlgorithm* algorithm) const {
|
| @@ -70,6 +79,9 @@ class JwkAlgorithmRegistry {
|
| // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-20
|
| // says HMAC with SHA-2 should have a key size at least as large as the
|
| // hash output.
|
| + alg_to_info_["HS1"] =
|
| + JwkAlgorithmInfo(&BindAlgorithmId<CreateHmacImportAlgorithm,
|
| + blink::WebCryptoAlgorithmIdSha1>);
|
| alg_to_info_["HS256"] =
|
| JwkAlgorithmInfo(&BindAlgorithmId<CreateHmacImportAlgorithm,
|
| blink::WebCryptoAlgorithmIdSha256>);
|
| @@ -94,15 +106,21 @@ class JwkAlgorithmRegistry {
|
| alg_to_info_["RSA-OAEP"] =
|
| JwkAlgorithmInfo(&BindAlgorithmId<CreateRsaOaepImportAlgorithm,
|
| blink::WebCryptoAlgorithmIdSha1>);
|
| - // TODO(padolph): The Web Crypto spec does not enumerate AES-KW 128 yet
|
| - alg_to_info_["A128KW"] =
|
| - JwkAlgorithmInfo(&blink::WebCryptoAlgorithm::createNull, 128);
|
| - // TODO(padolph): The Web Crypto spec does not enumerate AES-KW 256 yet
|
| - alg_to_info_["A256KW"] =
|
| - JwkAlgorithmInfo(&blink::WebCryptoAlgorithm::createNull, 256);
|
| + alg_to_info_["A128KW"] = JwkAlgorithmInfo(
|
| + &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesKw>,
|
| + 128);
|
| + alg_to_info_["A192KW"] = JwkAlgorithmInfo(
|
| + &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesKw>,
|
| + 192);
|
| + alg_to_info_["A256KW"] = JwkAlgorithmInfo(
|
| + &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesKw>,
|
| + 256);
|
| alg_to_info_["A128GCM"] = JwkAlgorithmInfo(
|
| &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesGcm>,
|
| 128);
|
| + alg_to_info_["A192GCM"] = JwkAlgorithmInfo(
|
| + &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesGcm>,
|
| + 192);
|
| alg_to_info_["A256GCM"] = JwkAlgorithmInfo(
|
| &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesGcm>,
|
| 256);
|
| @@ -197,9 +215,29 @@ Status GetOptionalJwkString(base::DictionaryValue* dict,
|
| return Status::Success();
|
| }
|
|
|
| +// Extracts the optional array property with key |path| from |dict| and saves
|
| +// the result to |*result| if it was found. If the property exists and is not an
|
| +// array, returns an error. Otherwise returns success, and sets
|
| +// |*property_exists| if it was found. Note that |*result| is owned by |dict|.
|
| +Status GetOptionalJwkList(base::DictionaryValue* dict,
|
| + const std::string& path,
|
| + base::ListValue** result,
|
| + bool* property_exists) {
|
| + *property_exists = false;
|
| + base::Value* value = NULL;
|
| + if (!dict->Get(path, &value))
|
| + return Status::Success();
|
| +
|
| + if (!value->GetAsList(result))
|
| + return Status::ErrorJwkPropertyWrongType(path, "list");
|
| +
|
| + *property_exists = true;
|
| + return Status::Success();
|
| +}
|
| +
|
| // Extracts the required string property with key |path| from |dict| and saves
|
| -// the base64-decoded bytes to |*result|. If the property does not exist or is
|
| -// not a string, or could not be base64-decoded, returns an error.
|
| +// the base64url-decoded bytes to |*result|. If the property does not exist or
|
| +// is not a string, or could not be base64url-decoded, returns an error.
|
| Status GetJwkBytes(base::DictionaryValue* dict,
|
| const std::string& path,
|
| std::string* result) {
|
| @@ -234,6 +272,115 @@ Status GetOptionalJwkBool(base::DictionaryValue* dict,
|
| return Status::Success();
|
| }
|
|
|
| +// Returns true if the set bits in b make up a subset of the set bits in a.
|
| +bool ContainsKeyUsages(blink::WebCryptoKeyUsageMask a,
|
| + blink::WebCryptoKeyUsageMask b) {
|
| + return (a & b) == b;
|
| +}
|
| +
|
| +// Writes a secret/symmetric key to a JWK dictionary.
|
| +void WriteSecretKey(const blink::WebArrayBuffer& raw_key,
|
| + base::DictionaryValue* jwk_dict) {
|
| + DCHECK(jwk_dict);
|
| + jwk_dict->SetString("kty", "oct");
|
| + // For a secret/symmetric key, the only extra JWK field is 'k', containing the
|
| + // base64url encoding of the raw key.
|
| + DCHECK(!raw_key.isNull());
|
| + DCHECK(raw_key.data());
|
| + DCHECK(raw_key.byteLength());
|
| + unsigned int key_length_bytes = raw_key.byteLength();
|
| + const base::StringPiece key_str(static_cast<const char*>(raw_key.data()),
|
| + key_length_bytes);
|
| + jwk_dict->SetString("k", Base64EncodeUrlSafe(key_str));
|
| +}
|
| +
|
| +// Writes a Web Crypto usage mask to a JWK dictionary.
|
| +void WriteKeyOps(blink::WebCryptoKeyUsageMask key_usages,
|
| + base::DictionaryValue* jwk_dict) {
|
| + jwk_dict->Set("key_ops", CreateJwkKeyOpsFromWebCryptoUsages(key_usages));
|
| +}
|
| +
|
| +// Writes a Web Crypto extractable value to a JWK dictionary.
|
| +void WriteExt(bool extractable, base::DictionaryValue* jwk_dict) {
|
| + jwk_dict->SetBoolean("ext", extractable);
|
| +}
|
| +
|
| +// Writes a Web Crypto algorithm to a JWK dictionary.
|
| +Status WriteAlg(const blink::WebCryptoKeyAlgorithm& algorithm,
|
| + unsigned int raw_key_length_bytes,
|
| + base::DictionaryValue* jwk_dict) {
|
| + switch (algorithm.paramsType()) {
|
| + case blink::WebCryptoKeyAlgorithmParamsTypeAes: {
|
| + const char* aes_prefix = "";
|
| + switch (raw_key_length_bytes) {
|
| + case 16:
|
| + aes_prefix = "A128";
|
| + break;
|
| + case 24:
|
| + aes_prefix = "A192";
|
| + break;
|
| + case 32:
|
| + aes_prefix = "A256";
|
| + break;
|
| + default:
|
| + NOTREACHED(); // bad key length means algorithm was built improperly
|
| + return Status::ErrorUnexpected();
|
| + }
|
| + const char* aes_suffix = "";
|
| + switch (algorithm.id()) {
|
| + case blink::WebCryptoAlgorithmIdAesCbc:
|
| + aes_suffix = "CBC";
|
| + break;
|
| + case blink::WebCryptoAlgorithmIdAesCtr:
|
| + aes_suffix = "CTR";
|
| + break;
|
| + case blink::WebCryptoAlgorithmIdAesGcm:
|
| + aes_suffix = "GCM";
|
| + break;
|
| + case blink::WebCryptoAlgorithmIdAesKw:
|
| + aes_suffix = "KW";
|
| + break;
|
| + default:
|
| + return Status::ErrorUnsupported();
|
| + }
|
| + jwk_dict->SetString("alg",
|
| + base::StringPrintf("%s%s", aes_prefix, aes_suffix));
|
| + break;
|
| + }
|
| + case blink::WebCryptoKeyAlgorithmParamsTypeHmac: {
|
| + DCHECK(algorithm.hmacParams());
|
| + switch (algorithm.hmacParams()->hash().id()) {
|
| + case blink::WebCryptoAlgorithmIdSha1:
|
| + jwk_dict->SetString("alg", "HS1");
|
| + break;
|
| + case blink::WebCryptoAlgorithmIdSha224:
|
| + jwk_dict->SetString("alg", "HS224");
|
| + break;
|
| + case blink::WebCryptoAlgorithmIdSha256:
|
| + jwk_dict->SetString("alg", "HS256");
|
| + break;
|
| + case blink::WebCryptoAlgorithmIdSha384:
|
| + jwk_dict->SetString("alg", "HS384");
|
| + break;
|
| + case blink::WebCryptoAlgorithmIdSha512:
|
| + jwk_dict->SetString("alg", "HS512");
|
| + break;
|
| + default:
|
| + NOTREACHED();
|
| + return Status::ErrorUnexpected();
|
| + }
|
| + break;
|
| + }
|
| + case blink::WebCryptoKeyAlgorithmParamsTypeRsa:
|
| + case blink::WebCryptoKeyAlgorithmParamsTypeRsaHashed:
|
| + // TODO(padolph): Handle RSA key
|
| + return Status::ErrorUnsupported();
|
| + default:
|
| + return Status::ErrorUnsupported();
|
| + }
|
| + return Status::Success();
|
| +}
|
| +
|
| } // namespace
|
|
|
| Status ImportKeyJwk(const CryptoData& key_data,
|
| @@ -241,22 +388,23 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| bool extractable,
|
| blink::WebCryptoKeyUsageMask usage_mask,
|
| blink::WebCryptoKey* key) {
|
| + // TODO(padolph): Generalize this comment to include export, and move to top
|
| + // of file.
|
|
|
| // The goal of this method is to extract key material and meta data from the
|
| // incoming JWK, combine them with the input parameters, and ultimately import
|
| // a Web Crypto Key.
|
| //
|
| // JSON Web Key Format (JWK)
|
| - // http://tools.ietf.org/html/draft-ietf-jose-json-web-key-16
|
| - // TODO(padolph): Not all possible values are handled by this code right now
|
| + // http://tools.ietf.org/html/draft-ietf-jose-json-web-key-21
|
| //
|
| // A JWK is a simple JSON dictionary with the following entries
|
| // - "kty" (Key Type) Parameter, REQUIRED
|
| // - <kty-specific parameters, see below>, REQUIRED
|
| // - "use" (Key Use) Parameter, OPTIONAL
|
| + // - "key_ops" (Key Operations) Parameter, OPTIONAL
|
| // - "alg" (Algorithm) Parameter, OPTIONAL
|
| - // - "extractable" (Key Exportability), OPTIONAL [NOTE: not yet part of JOSE,
|
| - // see https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796]
|
| + // - "ext" (Key Exportability), OPTIONAL
|
| // (all other entries are ignored)
|
| //
|
| // OPTIONAL here means that this code does not require the entry to be present
|
| @@ -271,13 +419,13 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| // values are parsed out and combined with the method input parameters to
|
| // build a Web Crypto Key:
|
| // Web Crypto Key type <-- (deduced)
|
| - // Web Crypto Key extractable <-- JWK extractable + input extractable
|
| + // Web Crypto Key extractable <-- JWK ext + input extractable
|
| // Web Crypto Key algorithm <-- JWK alg + input algorithm
|
| - // Web Crypto Key keyUsage <-- JWK use + input usage_mask
|
| + // Web Crypto Key keyUsage <-- JWK use, key_ops + input usage_mask
|
| // Web Crypto Key keying material <-- kty-specific parameters
|
| //
|
| // Values for each JWK entry are case-sensitive and defined in
|
| - // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16.
|
| + // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18.
|
| // Note that not all values specified by JOSE are handled by this code. Only
|
| // handled values are listed.
|
| // - kty (Key Type)
|
| @@ -285,22 +433,50 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| // | "RSA" | RSA [RFC3447] |
|
| // | "oct" | Octet sequence (used to represent symmetric keys) |
|
| // +-------+--------------------------------------------------------------+
|
| + //
|
| + // - key_ops (Key Use Details)
|
| + // The key_ops field is an array that contains one or more strings from
|
| + // the table below, and describes the operations for which this key may be
|
| + // used.
|
| + // +-------+--------------------------------------------------------------+
|
| + // | "encrypt" | encrypt operations |
|
| + // | "decrypt" | decrypt operations |
|
| + // | "sign" | sign (MAC) operations |
|
| + // | "verify" | verify (MAC) operations |
|
| + // | "wrapKey" | key wrap |
|
| + // | "unwrapKey" | key unwrap |
|
| + // | "deriveKey" | key derivation |
|
| + // | "deriveBits" | key derivation TODO(padolph): not currently supported |
|
| + // +-------+--------------------------------------------------------------+
|
| + //
|
| // - use (Key Use)
|
| + // The use field contains a single entry from the table below.
|
| // +-------+--------------------------------------------------------------+
|
| - // | "enc" | encrypt and decrypt operations |
|
| - // | "sig" | sign and verify (MAC) operations |
|
| - // | "wrap"| key wrap and unwrap [not yet part of JOSE] |
|
| + // | "sig" | equivalent to key_ops of [sign, verify] |
|
| + // | "enc" | equivalent to key_ops of [encrypt, decrypt, wrapKey, |
|
| + // | | unwrapKey, deriveKey, deriveBits] |
|
| // +-------+--------------------------------------------------------------+
|
| - // - extractable (Key Exportability)
|
| + //
|
| + // NOTE: If both "use" and "key_ops" JWK members are present, the usages
|
| + // specified by them MUST be consistent. In particular, the "use" value
|
| + // "sig" corresponds to "sign" and/or "verify". The "use" value "enc"
|
| + // corresponds to all other values defined above. If "key_ops" values
|
| + // corresponding to both "sig" and "enc" "use" values are present, the "use"
|
| + // member SHOULD NOT be present, and if present, its value MUST NOT be
|
| + // either "sig" or "enc".
|
| + //
|
| + // - ext (Key Exportability)
|
| // +-------+--------------------------------------------------------------+
|
| // | true | Key may be exported from the trusted environment |
|
| // | false | Key cannot exit the trusted environment |
|
| // +-------+--------------------------------------------------------------+
|
| + //
|
| // - alg (Algorithm)
|
| - // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16
|
| + // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18
|
| // +--------------+-------------------------------------------------------+
|
| // | Digital Signature or MAC Algorithm |
|
| // +--------------+-------------------------------------------------------+
|
| + // | "HS1" | HMAC using SHA-1 hash algorithm |
|
| // | "HS256" | HMAC using SHA-256 hash algorithm |
|
| // | "HS384" | HMAC using SHA-384 hash algorithm |
|
| // | "HS512" | HMAC using SHA-512 hash algorithm |
|
| @@ -316,15 +492,16 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| // | | specified by RFC3447 in Section A.2.1 |
|
| // | "A128KW" | Advanced Encryption Standard (AES) Key Wrap Algorithm |
|
| // | | [RFC3394] using 128 bit keys |
|
| + // | "A192KW" | AES Key Wrap Algorithm using 192 bit keys |
|
| // | "A256KW" | AES Key Wrap Algorithm using 256 bit keys |
|
| // | "A128GCM" | AES in Galois/Counter Mode (GCM) [NIST.800-38D] using |
|
| // | | 128 bit keys |
|
| + // | "A192GCM" | AES GCM using 192 bit keys |
|
| // | "A256GCM" | AES GCM using 256 bit keys |
|
| // | "A128CBC" | AES in Cipher Block Chaining Mode (CBC) with PKCS #5 |
|
| - // | | padding [NIST.800-38A] [not yet part of JOSE, see |
|
| - // | | https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796 |
|
| - // | "A192CBC" | AES CBC using 192 bit keys [not yet part of JOSE] |
|
| - // | "A256CBC" | AES CBC using 256 bit keys [not yet part of JOSE] |
|
| + // | | padding [NIST.800-38A] |
|
| + // | "A192CBC" | AES CBC using 192 bit keys |
|
| + // | "A256CBC" | AES CBC using 256 bit keys |
|
| // +--------------+-------------------------------------------------------+
|
| //
|
| // kty-specific parameters
|
| @@ -366,8 +543,8 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| // algorithm.
|
| //
|
| // extractable
|
| - // If the JWK extractable is true but the input parameter is false, make the
|
| - // Web Crypto Key non-extractable. Conversely, if the JWK extractable is
|
| + // If the JWK ext field is true but the input parameter is false, make the
|
| + // Web Crypto Key non-extractable. Conversely, if the JWK ext field is
|
| // false but the input parameter is true, it is an inconsistency. If both
|
| // are true or both are false, use that value.
|
| //
|
| @@ -396,18 +573,16 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| if (status.IsError())
|
| return status;
|
|
|
| - // JWK "extractable" (optional) --> extractable parameter
|
| + // JWK "ext" (optional) --> extractable parameter
|
| {
|
| - bool jwk_extractable_value = false;
|
| - bool has_jwk_extractable;
|
| - status = GetOptionalJwkBool(dict_value,
|
| - "extractable",
|
| - &jwk_extractable_value,
|
| - &has_jwk_extractable);
|
| + bool jwk_ext_value = false;
|
| + bool has_jwk_ext;
|
| + status =
|
| + GetOptionalJwkBool(dict_value, "ext", &jwk_ext_value, &has_jwk_ext);
|
| if (status.IsError())
|
| return status;
|
| - if (has_jwk_extractable && !jwk_extractable_value && extractable)
|
| - return Status::ErrorJwkExtractableInconsistent();
|
| + if (has_jwk_ext && !jwk_ext_value && extractable)
|
| + return Status::ErrorJwkExtInconsistent();
|
| }
|
|
|
| // JWK "alg" (optional) --> algorithm parameter
|
| @@ -460,6 +635,24 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| }
|
| DCHECK(!algorithm.isNull());
|
|
|
| + // JWK "key_ops" (optional) --> usage_mask parameter
|
| + base::ListValue* jwk_key_ops_value = NULL;
|
| + bool has_jwk_key_ops;
|
| + status = GetOptionalJwkList(
|
| + dict_value, "key_ops", &jwk_key_ops_value, &has_jwk_key_ops);
|
| + if (status.IsError())
|
| + return status;
|
| + blink::WebCryptoKeyUsageMask jwk_key_ops_mask = 0;
|
| + if (has_jwk_key_ops) {
|
| + status =
|
| + GetWebCryptoUsagesFromJwkKeyOps(jwk_key_ops_value, &jwk_key_ops_mask);
|
| + if (status.IsError())
|
| + return status;
|
| + // The input usage_mask must be a subset of jwk_key_ops_mask.
|
| + if (!ContainsKeyUsages(jwk_key_ops_mask, usage_mask))
|
| + return Status::ErrorJwkKeyopsInconsistent();
|
| + }
|
| +
|
| // JWK "use" (optional) --> usage_mask parameter
|
| std::string jwk_use_value;
|
| bool has_jwk_use;
|
| @@ -467,29 +660,26 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| GetOptionalJwkString(dict_value, "use", &jwk_use_value, &has_jwk_use);
|
| if (status.IsError())
|
| return status;
|
| + blink::WebCryptoKeyUsageMask jwk_use_mask = 0;
|
| if (has_jwk_use) {
|
| - blink::WebCryptoKeyUsageMask jwk_usage_mask = 0;
|
| - if (jwk_use_value == "enc") {
|
| - jwk_usage_mask =
|
| - blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt;
|
| - } else if (jwk_use_value == "sig") {
|
| - jwk_usage_mask =
|
| - blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify;
|
| - } else if (jwk_use_value == "wrap") {
|
| - jwk_usage_mask =
|
| - blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey;
|
| - } else {
|
| - return Status::ErrorJwkUnrecognizedUsage();
|
| - }
|
| - if ((jwk_usage_mask & usage_mask) != usage_mask) {
|
| - // A usage_mask must be a subset of jwk_usage_mask.
|
| - return Status::ErrorJwkUsageInconsistent();
|
| - }
|
| + if (jwk_use_value == "enc")
|
| + jwk_use_mask = kJwkEncUsage;
|
| + else if (jwk_use_value == "sig")
|
| + jwk_use_mask = kJwkSigUsage;
|
| + else
|
| + return Status::ErrorJwkUnrecognizedUse();
|
| + // The input usage_mask must be a subset of jwk_use_mask.
|
| + if (!ContainsKeyUsages(jwk_use_mask, usage_mask))
|
| + return Status::ErrorJwkUseInconsistent();
|
| }
|
|
|
| + // If both 'key_ops' and 'use' are present, ensure they are consistent.
|
| + if (has_jwk_key_ops && has_jwk_use &&
|
| + !ContainsKeyUsages(jwk_use_mask, jwk_key_ops_mask))
|
| + return Status::ErrorJwkUseAndKeyopsInconsistent();
|
| +
|
| // JWK keying material --> ImportKeyInternal()
|
| if (jwk_kty_value == "oct") {
|
| -
|
| std::string jwk_k_value;
|
| status = GetJwkBytes(dict_value, "k", &jwk_k_value);
|
| if (status.IsError())
|
| @@ -513,7 +703,6 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| usage_mask,
|
| key);
|
| } else if (jwk_kty_value == "RSA") {
|
| -
|
| // An RSA public key must have an "n" (modulus) and an "e" (exponent) entry
|
| // in the JWK, while an RSA private key must have those, plus at least a "d"
|
| // (private exponent) entry.
|
| @@ -549,6 +738,35 @@ Status ImportKeyJwk(const CryptoData& key_data,
|
| return Status::Success();
|
| }
|
|
|
| +Status ExportKeyJwk(const blink::WebCryptoKey& key,
|
| + blink::WebArrayBuffer* buffer) {
|
| + base::DictionaryValue jwk_dict;
|
| + Status status = Status::Error();
|
| + blink::WebArrayBuffer exported_key;
|
| +
|
| + if (key.type() == blink::WebCryptoKeyTypeSecret) {
|
| + status = ExportKey(blink::WebCryptoKeyFormatRaw, key, &exported_key);
|
| + if (status.IsError())
|
| + return status;
|
| + WriteSecretKey(exported_key, &jwk_dict);
|
| + } else {
|
| + // TODO(padolph): Handle asymmetric keys, at least the public key.
|
| + return Status::ErrorUnsupported();
|
| + }
|
| +
|
| + WriteKeyOps(key.usages(), &jwk_dict);
|
| + WriteExt(key.extractable(), &jwk_dict);
|
| + status = WriteAlg(key.algorithm(), exported_key.byteLength(), &jwk_dict);
|
| + if (status.IsError())
|
| + return status;
|
| +
|
| + std::string json;
|
| + base::JSONWriter::Write(&jwk_dict, &json);
|
| + *buffer = CreateArrayBuffer(reinterpret_cast<const uint8*>(json.data()),
|
| + json.size());
|
| + return Status::Success();
|
| +}
|
| +
|
| } // namespace webcrypto
|
|
|
| } // namespace content
|
|
|
Chromium Code Reviews
Issue 184043021:
[webcrypto] JWK: Updated import(ext, key_ops) and added export of symmetric keys (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@wcAesKw_nss1