Chromium Code Reviews Chromium Code Reviews
Issue 195893034:
[webcrypto] Add JWK symmetric key RSAES-PKCS1-v1_5 wrap / unwrap for NSS. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: content/child/webcrypto/shared_crypto.cc |
| diff --git a/content/child/webcrypto/shared_crypto.cc b/content/child/webcrypto/shared_crypto.cc |
| index e20026f2b4cb01d94cf0d1b015c45b3feba16701..2b5e88fcf4b6fe465e1a07a9e8f8663605b242ec 100644 |
| --- a/content/child/webcrypto/shared_crypto.cc |
| +++ b/content/child/webcrypto/shared_crypto.cc |
| @@ -26,11 +26,6 @@ bool KeyUsageAllows(const blink::WebCryptoKey& key, |
| return ((key.usages() & usage) != 0); |
| } |
| -bool KeyUsageAllowsAnyOf(const blink::WebCryptoKey& key, |
|
eroman
2014/03/18 06:18:39
this probably needs to be rebased, these diffs sho
padolph
2014/03/18 17:52:19
'git cl rebase' does not work for me. I get the er
|
| - const blink::WebCryptoKeyUsageMask usage_mask) { |
| - return ((key.usages() & usage_mask) != 0); |
| -} |
| - |
| bool IsValidAesKeyLengthBits(unsigned int length_bits) { |
| return length_bits == 128 || length_bits == 192 || length_bits == 256; |
| } |
| @@ -296,6 +291,39 @@ Status UnwrapKeyRaw(const CryptoData& wrapped_key_data, |
| } |
| } |
| +Status WrapKeyRaw(const blink::WebCryptoKey& wrapping_key, |
| + const blink::WebCryptoKey& key_to_wrap, |
| + const blink::WebCryptoAlgorithm& wrapping_algorithm, |
| + blink::WebArrayBuffer* buffer) { |
| + // A raw key is always a symmetric key. |
| + platform::SymKey* platform_key; |
| + Status status = ToPlatformSymKey(key_to_wrap, &platform_key); |
| + if (status.IsError()) |
| + return status; |
| + |
| + // TODO(padolph): Handle other wrapping algorithms |
| + switch (wrapping_algorithm.id()) { |
| + case blink::WebCryptoAlgorithmIdAesKw: { |
| + platform::SymKey* platform_wrapping_key; |
| + status = ToPlatformSymKey(wrapping_key, &platform_wrapping_key); |
| + if (status.IsError()) |
| + return status; |
| + return platform::WrapSymKeyAesKw( |
| + platform_wrapping_key, platform_key, buffer); |
| + } |
| + case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5: { |
| + platform::PublicKey* platform_wrapping_key; |
| + status = ToPlatformPublicKey(wrapping_key, &platform_wrapping_key); |
| + if (status.IsError()) |
| + return status; |
| + return platform::WrapSymKeyRsaEs( |
| + platform_wrapping_key, platform_key, buffer); |
| + } |
| + default: |
| + return Status::ErrorUnsupported(); |
| + } |
| +} |
| + |
| Status DecryptAesKw(const blink::WebCryptoAlgorithm& algorithm, |
| const blink::WebCryptoKey& key, |
| const CryptoData& data, |
| @@ -330,6 +358,24 @@ Status DecryptDontCheckKeyUsage(const blink::WebCryptoAlgorithm& algorithm, |
| } |
| } |
| +Status EncryptDontCheckUsage(const blink::WebCryptoAlgorithm& algorithm, |
| + const blink::WebCryptoKey& key, |
| + const CryptoData& data, |
| + blink::WebArrayBuffer* buffer) { |
| + if (algorithm.id() != key.algorithm().id()) |
| + return Status::ErrorUnexpected(); |
| + switch (algorithm.id()) { |
| + case blink::WebCryptoAlgorithmIdAesCbc: |
| + return EncryptDecryptAesCbc(ENCRYPT, algorithm, key, data, buffer); |
| + case blink::WebCryptoAlgorithmIdAesGcm: |
| + return EncryptDecryptAesGcm(ENCRYPT, algorithm, key, data, buffer); |
| + case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5: |
| + return EncryptRsaEsPkcs1v1_5(algorithm, key, data, buffer); |
| + default: |
| + return Status::ErrorUnsupported(); |
| + } |
| +} |
| + |
| Status UnwrapKeyDecryptAndImport( |
| blink::WebCryptoKeyFormat format, |
| const CryptoData& wrapped_key_data, |
| @@ -339,8 +385,6 @@ Status UnwrapKeyDecryptAndImport( |
| bool extractable, |
| blink::WebCryptoKeyUsageMask usage_mask, |
| blink::WebCryptoKey* key) { |
| - if (!KeyUsageAllows(wrapping_key, blink::WebCryptoKeyUsageUnwrapKey)) |
| - return Status::ErrorUnexpected(); |
| blink::WebArrayBuffer buffer; |
| Status status = DecryptDontCheckKeyUsage( |
| wrapping_algorithm, wrapping_key, wrapped_key_data, &buffer); |
| @@ -358,6 +402,20 @@ Status UnwrapKeyDecryptAndImport( |
| return status.IsError() ? Status::Error() : Status::Success(); |
| } |
| +Status WrapKeyExportAndEncrypt( |
| + blink::WebCryptoKeyFormat format, |
| + const blink::WebCryptoKey& wrapping_key, |
| + const blink::WebCryptoKey& key_to_wrap, |
| + const blink::WebCryptoAlgorithm& wrapping_algorithm, |
| + blink::WebArrayBuffer* buffer) { |
| + blink::WebArrayBuffer exported_data; |
| + Status status = ExportKey(format, key_to_wrap, &exported_data); |
| + if (status.IsError()) |
| + return status; |
| + return EncryptDontCheckUsage( |
| + wrapping_algorithm, wrapping_key, CryptoData(exported_data), buffer); |
| +} |
| + |
| } // namespace |
| void Init() { platform::Init(); } |
| @@ -368,19 +426,7 @@ Status Encrypt(const blink::WebCryptoAlgorithm& algorithm, |
| blink::WebArrayBuffer* buffer) { |
| if (!KeyUsageAllows(key, blink::WebCryptoKeyUsageEncrypt)) |
| return Status::ErrorUnexpected(); |
| - if (algorithm.id() != key.algorithm().id()) |
| - return Status::ErrorUnexpected(); |
| - |
| - switch (algorithm.id()) { |
| - case blink::WebCryptoAlgorithmIdAesCbc: |
| - return EncryptDecryptAesCbc(ENCRYPT, algorithm, key, data, buffer); |
| - case blink::WebCryptoAlgorithmIdAesGcm: |
| - return EncryptDecryptAesGcm(ENCRYPT, algorithm, key, data, buffer); |
| - case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5: |
| - return EncryptRsaEsPkcs1v1_5(algorithm, key, data, buffer); |
| - default: |
| - return Status::ErrorUnsupported(); |
| - } |
| + return EncryptDontCheckUsage(algorithm, key, data, buffer); |
| } |
| Status Decrypt(const blink::WebCryptoAlgorithm& algorithm, |
| @@ -600,42 +646,22 @@ Status WrapKey(blink::WebCryptoKeyFormat format, |
| const blink::WebCryptoKey& key_to_wrap, |
| const blink::WebCryptoAlgorithm& wrapping_algorithm, |
| blink::WebArrayBuffer* buffer) { |
| - if (!KeyUsageAllows(wrapping_key, blink::WebCryptoKeyUsageUnwrapKey)) |
| + if (!KeyUsageAllows(wrapping_key, blink::WebCryptoKeyUsageWrapKey)) |
|
eroman
2014/03/18 06:18:39
hah! these checks are mainly a precaution, since t
padolph
2014/03/18 17:52:19
Was hoping I could sneak this fix in unnoticed ;-)
|
| return Status::ErrorUnexpected(); |
| if (wrapping_algorithm.id() != wrapping_key.algorithm().id()) |
| return Status::ErrorUnexpected(); |
| - // TODO (padolph): Handle formats other than raw |
| - if (format != blink::WebCryptoKeyFormatRaw) |
| - return Status::ErrorUnsupported(); |
| - // TODO (padolph): Handle key-to-wrap types other than secret/symmetric |
| - if (key_to_wrap.type() != blink::WebCryptoKeyTypeSecret) |
| - return Status::ErrorUnsupported(); |
| - |
| - platform::SymKey* platform_key; |
| - Status status = ToPlatformSymKey(key_to_wrap, &platform_key); |
| - if (status.IsError()) |
| - return status; |
| - |
| - // TODO(padolph): Handle other wrapping algorithms |
| - switch (wrapping_algorithm.id()) { |
| - case blink::WebCryptoAlgorithmIdAesKw: { |
| - platform::SymKey* platform_wrapping_key; |
| - status = ToPlatformSymKey(wrapping_key, &platform_wrapping_key); |
| - if (status.IsError()) |
| - return status; |
| - return platform::WrapSymKeyAesKw( |
| - platform_wrapping_key, platform_key, buffer); |
| - } |
| - case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5: { |
| - platform::PublicKey* platform_wrapping_key; |
| - status = ToPlatformPublicKey(wrapping_key, &platform_wrapping_key); |
| - if (status.IsError()) |
| - return status; |
| - return platform::WrapSymKeyRsaEs( |
| - platform_wrapping_key, platform_key, buffer); |
| - } |
| + switch (format) { |
| + case blink::WebCryptoKeyFormatRaw: |
| + return WrapKeyRaw(wrapping_key, key_to_wrap, wrapping_algorithm, buffer); |
| + case blink::WebCryptoKeyFormatJwk: |
| + return WrapKeyExportAndEncrypt( |
| + format, wrapping_key, key_to_wrap, wrapping_algorithm, buffer); |
| + case blink::WebCryptoKeyFormatSpki: |
| + case blink::WebCryptoKeyFormatPkcs8: |
| + return Status::ErrorUnsupported(); // TODO(padolph) |
| default: |
| + NOTREACHED(); |
| return Status::ErrorUnsupported(); |
| } |
| } |
