OLD | NEW |
| (Empty) |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/quic/crypto/p256_key_exchange.h" | |
6 | |
7 #include "base/logging.h" | |
8 #include "base/numerics/safe_conversions.h" | |
9 #include "base/sys_byteorder.h" | |
10 | |
11 using base::StringPiece; | |
12 using std::string; | |
13 using std::vector; | |
14 | |
15 namespace net { | |
16 | |
17 namespace { | |
18 | |
19 // Password used by |NewPrivateKey| to encrypt exported EC private keys. | |
20 // This is not used to provide any security, but to workaround NSS being | |
21 // unwilling to export unencrypted EC keys. Note that SPDY and ChannelID | |
22 // use the same approach. | |
23 const char kExportPassword[] = ""; | |
24 | |
25 // Convert StringPiece to vector of uint8_t. | |
26 static vector<uint8_t> StringPieceToVector(StringPiece piece) { | |
27 return vector<uint8_t>(piece.data(), piece.data() + piece.length()); | |
28 } | |
29 | |
30 } // namespace | |
31 | |
32 P256KeyExchange::P256KeyExchange(crypto::ECPrivateKey* key_pair, | |
33 const uint8_t* public_key) | |
34 : key_pair_(key_pair) { | |
35 memcpy(public_key_, public_key, sizeof(public_key_)); | |
36 } | |
37 | |
38 P256KeyExchange::~P256KeyExchange() {} | |
39 | |
40 // static | |
41 P256KeyExchange* P256KeyExchange::New(StringPiece key) { | |
42 if (key.size() < 2) { | |
43 DVLOG(1) << "Key pair is too small."; | |
44 return nullptr; | |
45 } | |
46 | |
47 const uint8_t* data = reinterpret_cast<const uint8_t*>(key.data()); | |
48 size_t size = | |
49 static_cast<size_t>(data[0]) | (static_cast<size_t>(data[1]) << 8); | |
50 key.remove_prefix(2); | |
51 if (key.size() < size) { | |
52 DVLOG(1) << "Key pair does not contain key material."; | |
53 return nullptr; | |
54 } | |
55 | |
56 StringPiece private_piece(key.data(), size); | |
57 key.remove_prefix(size); | |
58 if (key.empty()) { | |
59 DVLOG(1) << "Key pair does not contain public key."; | |
60 return nullptr; | |
61 } | |
62 | |
63 StringPiece public_piece(key); | |
64 | |
65 std::unique_ptr<crypto::ECPrivateKey> key_pair( | |
66 crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( | |
67 kExportPassword, | |
68 // TODO(thaidn): fix this interface to avoid copying secrets. | |
69 StringPieceToVector(private_piece), | |
70 StringPieceToVector(public_piece))); | |
71 | |
72 if (!key_pair.get()) { | |
73 DVLOG(1) << "Can't decrypt private key."; | |
74 return nullptr; | |
75 } | |
76 | |
77 // Perform some sanity checks on the public key. | |
78 SECKEYPublicKey* public_key = key_pair->public_key(); | |
79 if (public_key->keyType != ecKey || | |
80 public_key->u.ec.publicValue.len != kUncompressedP256PointBytes || | |
81 !public_key->u.ec.publicValue.data || | |
82 public_key->u.ec.publicValue.data[0] != kUncompressedECPointForm) { | |
83 DVLOG(1) << "Key is invalid."; | |
84 return nullptr; | |
85 } | |
86 | |
87 // Ensure that the key is using the correct curve, i.e., NIST P-256. | |
88 const SECOidData* oid_data = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP256R1); | |
89 if (!oid_data) { | |
90 DVLOG(1) << "Can't get P-256's OID."; | |
91 return nullptr; | |
92 } | |
93 | |
94 if (public_key->u.ec.DEREncodedParams.len != oid_data->oid.len + 2 || | |
95 !public_key->u.ec.DEREncodedParams.data || | |
96 public_key->u.ec.DEREncodedParams.data[0] != SEC_ASN1_OBJECT_ID || | |
97 public_key->u.ec.DEREncodedParams.data[1] != oid_data->oid.len || | |
98 memcmp(public_key->u.ec.DEREncodedParams.data + 2, oid_data->oid.data, | |
99 oid_data->oid.len) != 0) { | |
100 DVLOG(1) << "Key is invalid."; | |
101 } | |
102 | |
103 return new P256KeyExchange(key_pair.release(), | |
104 public_key->u.ec.publicValue.data); | |
105 } | |
106 | |
107 // static | |
108 string P256KeyExchange::NewPrivateKey() { | |
109 std::unique_ptr<crypto::ECPrivateKey> key_pair( | |
110 crypto::ECPrivateKey::Create()); | |
111 | |
112 if (!key_pair.get()) { | |
113 DVLOG(1) << "Can't generate new key pair."; | |
114 return string(); | |
115 } | |
116 | |
117 vector<uint8_t> private_key; | |
118 if (!key_pair->ExportEncryptedPrivateKey(kExportPassword, 1 /* iteration */, | |
119 &private_key)) { | |
120 DVLOG(1) << "Can't export private key."; | |
121 return string(); | |
122 } | |
123 | |
124 // NSS lacks the ability to import an ECC private key without | |
125 // also importing the public key, so it is necessary to also | |
126 // store the public key. | |
127 vector<uint8_t> public_key; | |
128 if (!key_pair->ExportPublicKey(&public_key)) { | |
129 DVLOG(1) << "Can't export public key."; | |
130 return string(); | |
131 } | |
132 | |
133 // TODO(thaidn): determine how large encrypted private key can be | |
134 uint16_t private_key_size = base::checked_cast<uint16_t>(private_key.size()); | |
135 const size_t result_size = | |
136 sizeof(private_key_size) + private_key_size + public_key.size(); | |
137 vector<char> result(result_size); | |
138 char* resultp = &result[0]; | |
139 // Export the key string. | |
140 // The first two bytes are the private key's size in little endian. | |
141 private_key_size = base::ByteSwapToLE16(private_key_size); | |
142 memcpy(resultp, &private_key_size, sizeof(private_key_size)); | |
143 resultp += sizeof(private_key_size); | |
144 memcpy(resultp, &private_key[0], private_key.size()); | |
145 resultp += private_key.size(); | |
146 memcpy(resultp, &public_key[0], public_key.size()); | |
147 | |
148 return string(&result[0], result_size); | |
149 } | |
150 | |
151 KeyExchange* P256KeyExchange::NewKeyPair(QuicRandom* /*rand*/) const { | |
152 // TODO(agl): avoid the serialisation/deserialisation in this function. | |
153 const string private_value = NewPrivateKey(); | |
154 return P256KeyExchange::New(private_value); | |
155 } | |
156 | |
157 bool P256KeyExchange::CalculateSharedKey(StringPiece peer_public_value, | |
158 string* out_result) const { | |
159 if (peer_public_value.size() != kUncompressedP256PointBytes || | |
160 peer_public_value[0] != kUncompressedECPointForm) { | |
161 DVLOG(1) << "Peer public value is invalid."; | |
162 return false; | |
163 } | |
164 | |
165 DCHECK(key_pair_.get()); | |
166 DCHECK(key_pair_->public_key()); | |
167 | |
168 SECKEYPublicKey peer_public_key; | |
169 memset(&peer_public_key, 0, sizeof(peer_public_key)); | |
170 | |
171 peer_public_key.keyType = ecKey; | |
172 // Both sides of a ECDH key exchange need to use the same EC params. | |
173 peer_public_key.u.ec.DEREncodedParams.len = | |
174 key_pair_->public_key()->u.ec.DEREncodedParams.len; | |
175 peer_public_key.u.ec.DEREncodedParams.data = | |
176 key_pair_->public_key()->u.ec.DEREncodedParams.data; | |
177 | |
178 peer_public_key.u.ec.publicValue.type = siBuffer; | |
179 peer_public_key.u.ec.publicValue.data = | |
180 reinterpret_cast<uint8_t*>(const_cast<char*>(peer_public_value.data())); | |
181 peer_public_key.u.ec.publicValue.len = peer_public_value.size(); | |
182 | |
183 // The NSS function performing ECDH key exchange is PK11_PubDeriveWithKDF. | |
184 // As this function is used for SSL/TLS's ECDH key exchanges it has many | |
185 // arguments, most of which are not required in QUIC. | |
186 // Key derivation function CKD_NULL is used because the return value of | |
187 // |CalculateSharedKey| is the actual ECDH shared key, not any derived keys | |
188 // from it. | |
189 crypto::ScopedPK11SymKey premaster_secret( | |
190 PK11_PubDeriveWithKDF(key_pair_->key(), &peer_public_key, PR_FALSE, | |
191 nullptr, nullptr, CKM_ECDH1_DERIVE, /* mechanism */ | |
192 CKM_GENERIC_SECRET_KEY_GEN, /* target */ | |
193 CKA_DERIVE, 0, CKD_NULL, /* kdf */ | |
194 nullptr, nullptr)); | |
195 | |
196 if (!premaster_secret.get()) { | |
197 DVLOG(1) << "Can't derive ECDH shared key."; | |
198 return false; | |
199 } | |
200 | |
201 if (PK11_ExtractKeyValue(premaster_secret.get()) != SECSuccess) { | |
202 DVLOG(1) << "Can't extract raw ECDH shared key."; | |
203 return false; | |
204 } | |
205 | |
206 SECItem* key_data = PK11_GetKeyData(premaster_secret.get()); | |
207 if (!key_data || !key_data->data || key_data->len != kP256FieldBytes) { | |
208 DVLOG(1) << "ECDH shared key is invalid."; | |
209 return false; | |
210 } | |
211 | |
212 out_result->assign(reinterpret_cast<char*>(key_data->data), key_data->len); | |
213 return true; | |
214 } | |
215 | |
216 StringPiece P256KeyExchange::public_value() const { | |
217 return StringPiece(reinterpret_cast<const char*>(public_key_), | |
218 sizeof(public_key_)); | |
219 } | |
220 | |
221 QuicTag P256KeyExchange::tag() const { | |
222 return kP256; | |
223 } | |
224 | |
225 } // namespace net | |
OLD | NEW |