| Index: content/renderer/webcrypto/jwk.cc
|
| diff --git a/content/renderer/webcrypto/jwk.cc b/content/renderer/webcrypto/jwk.cc
|
| deleted file mode 100644
|
| index 5d72f45288e0f7f8409154026733ae21dd94892d..0000000000000000000000000000000000000000
|
| --- a/content/renderer/webcrypto/jwk.cc
|
| +++ /dev/null
|
| @@ -1,554 +0,0 @@
|
| -// Copyright 2014 The Chromium Authors. All rights reserved.
|
| -// Use of this source code is governed by a BSD-style license that can be
|
| -// found in the LICENSE file.
|
| -
|
| -#include <algorithm>
|
| -#include <functional>
|
| -#include <map>
|
| -#include "base/json/json_reader.h"
|
| -#include "base/lazy_instance.h"
|
| -#include "base/logging.h"
|
| -#include "base/memory/scoped_ptr.h"
|
| -#include "base/strings/string_piece.h"
|
| -#include "base/values.h"
|
| -#include "content/renderer/webcrypto/crypto_data.h"
|
| -#include "content/renderer/webcrypto/platform_crypto.h"
|
| -#include "content/renderer/webcrypto/shared_crypto.h"
|
| -#include "content/renderer/webcrypto/webcrypto_util.h"
|
| -
|
| -namespace content {
|
| -
|
| -namespace webcrypto {
|
| -
|
| -namespace {
|
| -
|
| -typedef blink::WebCryptoAlgorithm (*AlgorithmCreationFunc)();
|
| -
|
| -class JwkAlgorithmInfo {
|
| - public:
|
| - JwkAlgorithmInfo()
|
| - : creation_func_(NULL),
|
| - required_key_length_bytes_(NO_KEY_SIZE_REQUIREMENT) {}
|
| -
|
| - explicit JwkAlgorithmInfo(AlgorithmCreationFunc algorithm_creation_func)
|
| - : creation_func_(algorithm_creation_func),
|
| - required_key_length_bytes_(NO_KEY_SIZE_REQUIREMENT) {}
|
| -
|
| - JwkAlgorithmInfo(AlgorithmCreationFunc algorithm_creation_func,
|
| - unsigned int required_key_length_bits)
|
| - : creation_func_(algorithm_creation_func),
|
| - required_key_length_bytes_(required_key_length_bits / 8) {
|
| - DCHECK((required_key_length_bits % 8) == 0);
|
| - }
|
| -
|
| - bool CreateImportAlgorithm(blink::WebCryptoAlgorithm* algorithm) const {
|
| - *algorithm = creation_func_();
|
| - return !algorithm->isNull();
|
| - }
|
| -
|
| - bool IsInvalidKeyByteLength(size_t byte_length) const {
|
| - if (required_key_length_bytes_ == NO_KEY_SIZE_REQUIREMENT)
|
| - return false;
|
| - return required_key_length_bytes_ != byte_length;
|
| - }
|
| -
|
| - private:
|
| - enum { NO_KEY_SIZE_REQUIREMENT = UINT_MAX };
|
| -
|
| - AlgorithmCreationFunc creation_func_;
|
| -
|
| - // The expected key size for the algorithm or NO_KEY_SIZE_REQUIREMENT.
|
| - unsigned int required_key_length_bytes_;
|
| -};
|
| -
|
| -typedef std::map<std::string, JwkAlgorithmInfo> JwkAlgorithmInfoMap;
|
| -
|
| -class JwkAlgorithmRegistry {
|
| - public:
|
| - JwkAlgorithmRegistry() {
|
| - // TODO(eroman):
|
| - // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-20
|
| - // says HMAC with SHA-2 should have a key size at least as large as the
|
| - // hash output.
|
| - alg_to_info_["HS256"] =
|
| - JwkAlgorithmInfo(&BindAlgorithmId<CreateHmacImportAlgorithm,
|
| - blink::WebCryptoAlgorithmIdSha256>);
|
| - alg_to_info_["HS384"] =
|
| - JwkAlgorithmInfo(&BindAlgorithmId<CreateHmacImportAlgorithm,
|
| - blink::WebCryptoAlgorithmIdSha384>);
|
| - alg_to_info_["HS512"] =
|
| - JwkAlgorithmInfo(&BindAlgorithmId<CreateHmacImportAlgorithm,
|
| - blink::WebCryptoAlgorithmIdSha512>);
|
| - alg_to_info_["RS256"] =
|
| - JwkAlgorithmInfo(&BindAlgorithmId<CreateRsaSsaImportAlgorithm,
|
| - blink::WebCryptoAlgorithmIdSha256>);
|
| - alg_to_info_["RS384"] =
|
| - JwkAlgorithmInfo(&BindAlgorithmId<CreateRsaSsaImportAlgorithm,
|
| - blink::WebCryptoAlgorithmIdSha384>);
|
| - alg_to_info_["RS512"] =
|
| - JwkAlgorithmInfo(&BindAlgorithmId<CreateRsaSsaImportAlgorithm,
|
| - blink::WebCryptoAlgorithmIdSha512>);
|
| - alg_to_info_["RSA1_5"] = JwkAlgorithmInfo(
|
| - &BindAlgorithmId<CreateAlgorithm,
|
| - blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5>);
|
| - alg_to_info_["RSA-OAEP"] =
|
| - JwkAlgorithmInfo(&BindAlgorithmId<CreateRsaOaepImportAlgorithm,
|
| - blink::WebCryptoAlgorithmIdSha1>);
|
| - // TODO(padolph): The Web Crypto spec does not enumerate AES-KW 128 yet
|
| - alg_to_info_["A128KW"] =
|
| - JwkAlgorithmInfo(&blink::WebCryptoAlgorithm::createNull, 128);
|
| - // TODO(padolph): The Web Crypto spec does not enumerate AES-KW 256 yet
|
| - alg_to_info_["A256KW"] =
|
| - JwkAlgorithmInfo(&blink::WebCryptoAlgorithm::createNull, 256);
|
| - alg_to_info_["A128GCM"] = JwkAlgorithmInfo(
|
| - &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesGcm>,
|
| - 128);
|
| - alg_to_info_["A256GCM"] = JwkAlgorithmInfo(
|
| - &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesGcm>,
|
| - 256);
|
| - alg_to_info_["A128CBC"] = JwkAlgorithmInfo(
|
| - &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesCbc>,
|
| - 128);
|
| - alg_to_info_["A192CBC"] = JwkAlgorithmInfo(
|
| - &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesCbc>,
|
| - 192);
|
| - alg_to_info_["A256CBC"] = JwkAlgorithmInfo(
|
| - &BindAlgorithmId<CreateAlgorithm, blink::WebCryptoAlgorithmIdAesCbc>,
|
| - 256);
|
| - }
|
| -
|
| - // Returns NULL if the algorithm name was not registered.
|
| - const JwkAlgorithmInfo* GetAlgorithmInfo(const std::string& jwk_alg) const {
|
| - const JwkAlgorithmInfoMap::const_iterator pos = alg_to_info_.find(jwk_alg);
|
| - if (pos == alg_to_info_.end())
|
| - return NULL;
|
| - return &pos->second;
|
| - }
|
| -
|
| - private:
|
| - // Binds a WebCryptoAlgorithmId value to a compatible factory function.
|
| - typedef blink::WebCryptoAlgorithm (*FuncWithWebCryptoAlgIdArg)(
|
| - blink::WebCryptoAlgorithmId);
|
| - template <FuncWithWebCryptoAlgIdArg func,
|
| - blink::WebCryptoAlgorithmId algorithm_id>
|
| - static blink::WebCryptoAlgorithm BindAlgorithmId() {
|
| - return func(algorithm_id);
|
| - }
|
| -
|
| - JwkAlgorithmInfoMap alg_to_info_;
|
| -};
|
| -
|
| -base::LazyInstance<JwkAlgorithmRegistry> jwk_alg_registry =
|
| - LAZY_INSTANCE_INITIALIZER;
|
| -
|
| -bool ImportAlgorithmsConsistent(const blink::WebCryptoAlgorithm& alg1,
|
| - const blink::WebCryptoAlgorithm& alg2) {
|
| - DCHECK(!alg1.isNull());
|
| - DCHECK(!alg2.isNull());
|
| - if (alg1.id() != alg2.id())
|
| - return false;
|
| - if (alg1.paramsType() != alg2.paramsType())
|
| - return false;
|
| - switch (alg1.paramsType()) {
|
| - case blink::WebCryptoAlgorithmParamsTypeNone:
|
| - return true;
|
| - case blink::WebCryptoAlgorithmParamsTypeRsaHashedImportParams:
|
| - return ImportAlgorithmsConsistent(alg1.rsaHashedImportParams()->hash(),
|
| - alg2.rsaHashedImportParams()->hash());
|
| - case blink::WebCryptoAlgorithmParamsTypeHmacImportParams:
|
| - return ImportAlgorithmsConsistent(alg1.hmacImportParams()->hash(),
|
| - alg2.hmacImportParams()->hash());
|
| - default:
|
| - return false;
|
| - }
|
| -}
|
| -
|
| -// Extracts the required string property with key |path| from |dict| and saves
|
| -// the result to |*result|. If the property does not exist or is not a string,
|
| -// returns an error.
|
| -Status GetJwkString(base::DictionaryValue* dict,
|
| - const std::string& path,
|
| - std::string* result) {
|
| - base::Value* value = NULL;
|
| - if (!dict->Get(path, &value))
|
| - return Status::ErrorJwkPropertyMissing(path);
|
| - if (!value->GetAsString(result))
|
| - return Status::ErrorJwkPropertyWrongType(path, "string");
|
| - return Status::Success();
|
| -}
|
| -
|
| -// Extracts the optional string property with key |path| from |dict| and saves
|
| -// the result to |*result| if it was found. If the property exists and is not a
|
| -// string, returns an error. Otherwise returns success, and sets
|
| -// |*property_exists| if it was found.
|
| -Status GetOptionalJwkString(base::DictionaryValue* dict,
|
| - const std::string& path,
|
| - std::string* result,
|
| - bool* property_exists) {
|
| - *property_exists = false;
|
| - base::Value* value = NULL;
|
| - if (!dict->Get(path, &value))
|
| - return Status::Success();
|
| -
|
| - if (!value->GetAsString(result))
|
| - return Status::ErrorJwkPropertyWrongType(path, "string");
|
| -
|
| - *property_exists = true;
|
| - return Status::Success();
|
| -}
|
| -
|
| -// Extracts the required string property with key |path| from |dict| and saves
|
| -// the base64-decoded bytes to |*result|. If the property does not exist or is
|
| -// not a string, or could not be base64-decoded, returns an error.
|
| -Status GetJwkBytes(base::DictionaryValue* dict,
|
| - const std::string& path,
|
| - std::string* result) {
|
| - std::string base64_string;
|
| - Status status = GetJwkString(dict, path, &base64_string);
|
| - if (status.IsError())
|
| - return status;
|
| -
|
| - if (!Base64DecodeUrlSafe(base64_string, result))
|
| - return Status::ErrorJwkBase64Decode(path);
|
| -
|
| - return Status::Success();
|
| -}
|
| -
|
| -// Extracts the optional boolean property with key |path| from |dict| and saves
|
| -// the result to |*result| if it was found. If the property exists and is not a
|
| -// boolean, returns an error. Otherwise returns success, and sets
|
| -// |*property_exists| if it was found.
|
| -Status GetOptionalJwkBool(base::DictionaryValue* dict,
|
| - const std::string& path,
|
| - bool* result,
|
| - bool* property_exists) {
|
| - *property_exists = false;
|
| - base::Value* value = NULL;
|
| - if (!dict->Get(path, &value))
|
| - return Status::Success();
|
| -
|
| - if (!value->GetAsBoolean(result))
|
| - return Status::ErrorJwkPropertyWrongType(path, "boolean");
|
| -
|
| - *property_exists = true;
|
| - return Status::Success();
|
| -}
|
| -
|
| -} // namespace
|
| -
|
| -Status ImportKeyJwk(const CryptoData& key_data,
|
| - const blink::WebCryptoAlgorithm& algorithm_or_null,
|
| - bool extractable,
|
| - blink::WebCryptoKeyUsageMask usage_mask,
|
| - blink::WebCryptoKey* key) {
|
| -
|
| - // The goal of this method is to extract key material and meta data from the
|
| - // incoming JWK, combine them with the input parameters, and ultimately import
|
| - // a Web Crypto Key.
|
| - //
|
| - // JSON Web Key Format (JWK)
|
| - // http://tools.ietf.org/html/draft-ietf-jose-json-web-key-16
|
| - // TODO(padolph): Not all possible values are handled by this code right now
|
| - //
|
| - // A JWK is a simple JSON dictionary with the following entries
|
| - // - "kty" (Key Type) Parameter, REQUIRED
|
| - // - <kty-specific parameters, see below>, REQUIRED
|
| - // - "use" (Key Use) Parameter, OPTIONAL
|
| - // - "alg" (Algorithm) Parameter, OPTIONAL
|
| - // - "extractable" (Key Exportability), OPTIONAL [NOTE: not yet part of JOSE,
|
| - // see https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796]
|
| - // (all other entries are ignored)
|
| - //
|
| - // OPTIONAL here means that this code does not require the entry to be present
|
| - // in the incoming JWK, because the method input parameters contain similar
|
| - // information. If the optional JWK entry is present, it will be validated
|
| - // against the corresponding input parameter for consistency and combined with
|
| - // it according to rules defined below. A special case is that the method
|
| - // input parameter 'algorithm' is also optional. If it is null, the JWK 'alg'
|
| - // value (if present) is used as a fallback.
|
| - //
|
| - // Input 'key_data' contains the JWK. To build a Web Crypto Key, the JWK
|
| - // values are parsed out and combined with the method input parameters to
|
| - // build a Web Crypto Key:
|
| - // Web Crypto Key type <-- (deduced)
|
| - // Web Crypto Key extractable <-- JWK extractable + input extractable
|
| - // Web Crypto Key algorithm <-- JWK alg + input algorithm
|
| - // Web Crypto Key keyUsage <-- JWK use + input usage_mask
|
| - // Web Crypto Key keying material <-- kty-specific parameters
|
| - //
|
| - // Values for each JWK entry are case-sensitive and defined in
|
| - // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16.
|
| - // Note that not all values specified by JOSE are handled by this code. Only
|
| - // handled values are listed.
|
| - // - kty (Key Type)
|
| - // +-------+--------------------------------------------------------------+
|
| - // | "RSA" | RSA [RFC3447] |
|
| - // | "oct" | Octet sequence (used to represent symmetric keys) |
|
| - // +-------+--------------------------------------------------------------+
|
| - // - use (Key Use)
|
| - // +-------+--------------------------------------------------------------+
|
| - // | "enc" | encrypt and decrypt operations |
|
| - // | "sig" | sign and verify (MAC) operations |
|
| - // | "wrap"| key wrap and unwrap [not yet part of JOSE] |
|
| - // +-------+--------------------------------------------------------------+
|
| - // - extractable (Key Exportability)
|
| - // +-------+--------------------------------------------------------------+
|
| - // | true | Key may be exported from the trusted environment |
|
| - // | false | Key cannot exit the trusted environment |
|
| - // +-------+--------------------------------------------------------------+
|
| - // - alg (Algorithm)
|
| - // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16
|
| - // +--------------+-------------------------------------------------------+
|
| - // | Digital Signature or MAC Algorithm |
|
| - // +--------------+-------------------------------------------------------+
|
| - // | "HS256" | HMAC using SHA-256 hash algorithm |
|
| - // | "HS384" | HMAC using SHA-384 hash algorithm |
|
| - // | "HS512" | HMAC using SHA-512 hash algorithm |
|
| - // | "RS256" | RSASSA using SHA-256 hash algorithm |
|
| - // | "RS384" | RSASSA using SHA-384 hash algorithm |
|
| - // | "RS512" | RSASSA using SHA-512 hash algorithm |
|
| - // +--------------+-------------------------------------------------------|
|
| - // | Key Management Algorithm |
|
| - // +--------------+-------------------------------------------------------+
|
| - // | "RSA1_5" | RSAES-PKCS1-V1_5 [RFC3447] |
|
| - // | "RSA-OAEP" | RSAES using Optimal Asymmetric Encryption Padding |
|
| - // | | (OAEP) [RFC3447], with the default parameters |
|
| - // | | specified by RFC3447 in Section A.2.1 |
|
| - // | "A128KW" | Advanced Encryption Standard (AES) Key Wrap Algorithm |
|
| - // | | [RFC3394] using 128 bit keys |
|
| - // | "A256KW" | AES Key Wrap Algorithm using 256 bit keys |
|
| - // | "A128GCM" | AES in Galois/Counter Mode (GCM) [NIST.800-38D] using |
|
| - // | | 128 bit keys |
|
| - // | "A256GCM" | AES GCM using 256 bit keys |
|
| - // | "A128CBC" | AES in Cipher Block Chaining Mode (CBC) with PKCS #5 |
|
| - // | | padding [NIST.800-38A] [not yet part of JOSE, see |
|
| - // | | https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796 |
|
| - // | "A192CBC" | AES CBC using 192 bit keys [not yet part of JOSE] |
|
| - // | "A256CBC" | AES CBC using 256 bit keys [not yet part of JOSE] |
|
| - // +--------------+-------------------------------------------------------+
|
| - //
|
| - // kty-specific parameters
|
| - // The value of kty determines the type and content of the keying material
|
| - // carried in the JWK to be imported. Currently only two possibilities are
|
| - // supported: a raw key or an RSA public key. RSA private keys are not
|
| - // supported because typical applications seldom need to import a private key,
|
| - // and the large number of JWK parameters required to describe one.
|
| - // - kty == "oct" (symmetric or other raw key)
|
| - // +-------+--------------------------------------------------------------+
|
| - // | "k" | Contains the value of the symmetric (or other single-valued) |
|
| - // | | key. It is represented as the base64url encoding of the |
|
| - // | | octet sequence containing the key value. |
|
| - // +-------+--------------------------------------------------------------+
|
| - // - kty == "RSA" (RSA public key)
|
| - // +-------+--------------------------------------------------------------+
|
| - // | "n" | Contains the modulus value for the RSA public key. It is |
|
| - // | | represented as the base64url encoding of the value's |
|
| - // | | unsigned big endian representation as an octet sequence. |
|
| - // +-------+--------------------------------------------------------------+
|
| - // | "e" | Contains the exponent value for the RSA public key. It is |
|
| - // | | represented as the base64url encoding of the value's |
|
| - // | | unsigned big endian representation as an octet sequence. |
|
| - // +-------+--------------------------------------------------------------+
|
| - //
|
| - // Consistency and conflict resolution
|
| - // The 'algorithm_or_null', 'extractable', and 'usage_mask' input parameters
|
| - // may be different than the corresponding values inside the JWK. The Web
|
| - // Crypto spec says that if a JWK value is present but is inconsistent with
|
| - // the input value, it is an error and the operation must fail. If no
|
| - // inconsistency is found, the input and JWK values are combined as follows:
|
| - //
|
| - // algorithm
|
| - // If an algorithm is provided by both the input parameter and the JWK,
|
| - // consistency between the two is based only on algorithm ID's (including an
|
| - // inner hash algorithm if present). In this case if the consistency
|
| - // check is passed, the input algorithm is used. If only one of either the
|
| - // input algorithm and JWK alg is provided, it is used as the final
|
| - // algorithm.
|
| - //
|
| - // extractable
|
| - // If the JWK extractable is true but the input parameter is false, make the
|
| - // Web Crypto Key non-extractable. Conversely, if the JWK extractable is
|
| - // false but the input parameter is true, it is an inconsistency. If both
|
| - // are true or both are false, use that value.
|
| - //
|
| - // usage_mask
|
| - // The input usage_mask must be a strict subset of the interpreted JWK use
|
| - // value, else it is judged inconsistent. In all cases the input usage_mask
|
| - // is used as the final usage_mask.
|
| - //
|
| -
|
| - if (!key_data.byte_length())
|
| - return Status::ErrorImportEmptyKeyData();
|
| - DCHECK(key);
|
| -
|
| - // Parse the incoming JWK JSON.
|
| - base::StringPiece json_string(reinterpret_cast<const char*>(key_data.bytes()),
|
| - key_data.byte_length());
|
| - scoped_ptr<base::Value> value(base::JSONReader::Read(json_string));
|
| - // Note, bare pointer dict_value is ok since it points into scoped value.
|
| - base::DictionaryValue* dict_value = NULL;
|
| - if (!value.get() || !value->GetAsDictionary(&dict_value) || !dict_value)
|
| - return Status::ErrorJwkNotDictionary();
|
| -
|
| - // JWK "kty". Exit early if this required JWK parameter is missing.
|
| - std::string jwk_kty_value;
|
| - Status status = GetJwkString(dict_value, "kty", &jwk_kty_value);
|
| - if (status.IsError())
|
| - return status;
|
| -
|
| - // JWK "extractable" (optional) --> extractable parameter
|
| - {
|
| - bool jwk_extractable_value = false;
|
| - bool has_jwk_extractable;
|
| - status = GetOptionalJwkBool(dict_value,
|
| - "extractable",
|
| - &jwk_extractable_value,
|
| - &has_jwk_extractable);
|
| - if (status.IsError())
|
| - return status;
|
| - if (has_jwk_extractable && !jwk_extractable_value && extractable)
|
| - return Status::ErrorJwkExtractableInconsistent();
|
| - }
|
| -
|
| - // JWK "alg" (optional) --> algorithm parameter
|
| - // Note: input algorithm is also optional, so we have six cases to handle.
|
| - // 1. JWK alg present but unrecognized: error
|
| - // 2. JWK alg valid AND input algorithm isNull: use JWK value
|
| - // 3. JWK alg valid AND input algorithm specified, but JWK value
|
| - // inconsistent with input: error
|
| - // 4. JWK alg valid AND input algorithm specified, both consistent: use
|
| - // input value (because it has potentially more details)
|
| - // 5. JWK alg missing AND input algorithm isNull: error
|
| - // 6. JWK alg missing AND input algorithm specified: use input value
|
| - blink::WebCryptoAlgorithm algorithm = blink::WebCryptoAlgorithm::createNull();
|
| - const JwkAlgorithmInfo* algorithm_info = NULL;
|
| - std::string jwk_alg_value;
|
| - bool has_jwk_alg;
|
| - status =
|
| - GetOptionalJwkString(dict_value, "alg", &jwk_alg_value, &has_jwk_alg);
|
| - if (status.IsError())
|
| - return status;
|
| -
|
| - if (has_jwk_alg) {
|
| - // JWK alg present
|
| -
|
| - // TODO(padolph): Validate alg vs kty. For example kty="RSA" implies alg can
|
| - // only be from the RSA family.
|
| -
|
| - blink::WebCryptoAlgorithm jwk_algorithm =
|
| - blink::WebCryptoAlgorithm::createNull();
|
| - algorithm_info = jwk_alg_registry.Get().GetAlgorithmInfo(jwk_alg_value);
|
| - if (!algorithm_info ||
|
| - !algorithm_info->CreateImportAlgorithm(&jwk_algorithm))
|
| - return Status::ErrorJwkUnrecognizedAlgorithm(); // case 1
|
| -
|
| - // JWK alg valid
|
| - if (algorithm_or_null.isNull()) {
|
| - // input algorithm not specified
|
| - algorithm = jwk_algorithm; // case 2
|
| - } else {
|
| - // input algorithm specified
|
| - if (!ImportAlgorithmsConsistent(jwk_algorithm, algorithm_or_null))
|
| - return Status::ErrorJwkAlgorithmInconsistent(); // case 3
|
| - algorithm = algorithm_or_null; // case 4
|
| - }
|
| - } else {
|
| - // JWK alg missing
|
| - if (algorithm_or_null.isNull())
|
| - return Status::ErrorJwkAlgorithmMissing(); // case 5
|
| - algorithm = algorithm_or_null; // case 6
|
| - }
|
| - DCHECK(!algorithm.isNull());
|
| -
|
| - // JWK "use" (optional) --> usage_mask parameter
|
| - std::string jwk_use_value;
|
| - bool has_jwk_use;
|
| - status =
|
| - GetOptionalJwkString(dict_value, "use", &jwk_use_value, &has_jwk_use);
|
| - if (status.IsError())
|
| - return status;
|
| - if (has_jwk_use) {
|
| - blink::WebCryptoKeyUsageMask jwk_usage_mask = 0;
|
| - if (jwk_use_value == "enc") {
|
| - jwk_usage_mask =
|
| - blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt;
|
| - } else if (jwk_use_value == "sig") {
|
| - jwk_usage_mask =
|
| - blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify;
|
| - } else if (jwk_use_value == "wrap") {
|
| - jwk_usage_mask =
|
| - blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey;
|
| - } else {
|
| - return Status::ErrorJwkUnrecognizedUsage();
|
| - }
|
| - if ((jwk_usage_mask & usage_mask) != usage_mask) {
|
| - // A usage_mask must be a subset of jwk_usage_mask.
|
| - return Status::ErrorJwkUsageInconsistent();
|
| - }
|
| - }
|
| -
|
| - // JWK keying material --> ImportKeyInternal()
|
| - if (jwk_kty_value == "oct") {
|
| -
|
| - std::string jwk_k_value;
|
| - status = GetJwkBytes(dict_value, "k", &jwk_k_value);
|
| - if (status.IsError())
|
| - return status;
|
| -
|
| - // Some JWK alg ID's embed information about the key length in the alg ID
|
| - // string. For example "A128CBC" implies the JWK carries 128 bits
|
| - // of key material. For such keys validate that enough bytes were provided.
|
| - // If this validation is not done, then it would be possible to select a
|
| - // different algorithm by passing a different lengthed key, since that is
|
| - // how WebCrypto interprets things.
|
| - if (algorithm_info &&
|
| - algorithm_info->IsInvalidKeyByteLength(jwk_k_value.size())) {
|
| - return Status::ErrorJwkIncorrectKeyLength();
|
| - }
|
| -
|
| - return ImportKey(blink::WebCryptoKeyFormatRaw,
|
| - CryptoData(jwk_k_value),
|
| - algorithm,
|
| - extractable,
|
| - usage_mask,
|
| - key);
|
| - } else if (jwk_kty_value == "RSA") {
|
| -
|
| - // An RSA public key must have an "n" (modulus) and an "e" (exponent) entry
|
| - // in the JWK, while an RSA private key must have those, plus at least a "d"
|
| - // (private exponent) entry.
|
| - // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18,
|
| - // section 6.3.
|
| -
|
| - // RSA private key import is not currently supported, so fail here if a "d"
|
| - // entry is found.
|
| - // TODO(padolph): Support RSA private key import.
|
| - if (dict_value->HasKey("d"))
|
| - return Status::ErrorJwkRsaPrivateKeyUnsupported();
|
| -
|
| - std::string jwk_n_value;
|
| - status = GetJwkBytes(dict_value, "n", &jwk_n_value);
|
| - if (status.IsError())
|
| - return status;
|
| - std::string jwk_e_value;
|
| - status = GetJwkBytes(dict_value, "e", &jwk_e_value);
|
| - if (status.IsError())
|
| - return status;
|
| -
|
| - return platform::ImportRsaPublicKey(algorithm,
|
| - extractable,
|
| - usage_mask,
|
| - CryptoData(jwk_n_value),
|
| - CryptoData(jwk_e_value),
|
| - key);
|
| -
|
| - } else {
|
| - return Status::ErrorJwkUnrecognizedKty();
|
| - }
|
| -
|
| - return Status::Success();
|
| -}
|
| -
|
| -} // namespace webcrypto
|
| -
|
| -} // namespace content
|
|
|
Chromium Code Reviews
Issue 188203003:
Move webcrypto to child/ and add support to worker_webkitplatformsupport. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src