OLD | NEW |
---|---|
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/renderer/webcrypto_impl.h" | 5 #include "content/renderer/webcrypto_impl.h" |
6 | 6 |
7 #include <pk11pub.h> | |
7 #include <sechash.h> | 8 #include <sechash.h> |
8 | 9 |
9 #include "base/logging.h" | 10 #include "base/logging.h" |
10 #include "crypto/nss_util.h" | 11 #include "crypto/nss_util.h" |
12 #include "crypto/scoped_nss_types.h" | |
11 #include "third_party/WebKit/public/platform/WebArrayBuffer.h" | 13 #include "third_party/WebKit/public/platform/WebArrayBuffer.h" |
12 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h" | 14 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h" |
15 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" | |
13 | 16 |
14 namespace content { | 17 namespace content { |
15 | 18 |
19 namespace { | |
20 | |
21 class WebCryptoKeyHandleBase : public WebKit::WebCryptoKeyHandle { | |
22 public: | |
23 bool Initialize() { | |
24 slot_.reset(PK11_GetInternalSlot()); | |
25 return slot_.get() != NULL; | |
26 } | |
27 | |
28 WebKit::WebCryptoKeyUsageMask usage() { return usage_; } | |
eroman
2013/09/11 19:42:07
Note that this is a duplication from. What about c
Bryan Eyler
2013/09/11 21:59:16
Done.
| |
29 CK_MECHANISM_TYPE mechanism() const { return mechanism_; } | |
30 PK11SlotInfo* slot() { return slot_.get(); } | |
31 | |
32 protected: | |
33 WebCryptoKeyHandleBase(CK_MECHANISM_TYPE mechanism, | |
34 WebKit::WebCryptoKeyUsageMask usage) | |
35 : usage_(usage), | |
36 mechanism_(mechanism) { | |
37 } | |
38 | |
39 WebKit::WebCryptoKeyUsageMask usage_; | |
40 CK_MECHANISM_TYPE mechanism_; | |
41 crypto::ScopedPK11Slot slot_; | |
42 }; | |
43 | |
44 class WebCryptoSymKeyHandle : public WebCryptoKeyHandleBase { | |
eroman
2013/09/11 19:42:07
You can drop the "WebCrypto" prefix on these class
Bryan Eyler
2013/09/11 21:59:16
Done.
| |
45 public: | |
46 WebCryptoSymKeyHandle(CK_MECHANISM_TYPE mechanism, | |
47 WebKit::WebCryptoKeyUsageMask usage) | |
48 : WebCryptoKeyHandleBase(mechanism, usage) { | |
49 } | |
50 | |
51 void set_key(crypto::ScopedPK11SymKey key) { | |
52 DCHECK(!key_.get()); | |
53 key_ = key.Pass(); | |
54 } | |
55 | |
56 PK11SymKey* key() { return key_.get(); } | |
57 | |
58 private: | |
59 crypto::ScopedPK11SymKey key_; | |
60 | |
61 DISALLOW_COPY_AND_ASSIGN(WebCryptoSymKeyHandle); | |
62 }; | |
63 | |
64 CK_FLAGS WebCryptoKeyUsageMaskToNSSFlags( | |
65 WebKit::WebCryptoKeyUsageMask mask) { | |
66 return ((mask & WebKit::WebCryptoKeyUsageEncrypt) ? CKF_ENCRYPT : 0) | | |
67 ((mask & WebKit::WebCryptoKeyUsageDecrypt) ? CKF_DECRYPT : 0) | | |
68 ((mask & WebKit::WebCryptoKeyUsageSign) ? CKF_SIGN : 0) | | |
69 ((mask & WebKit::WebCryptoKeyUsageVerify) ? CKF_VERIFY : 0) | | |
70 ((mask & WebKit::WebCryptoKeyUsageDeriveKey) ? CKF_DERIVE : 0) | | |
71 ((mask & WebKit::WebCryptoKeyUsageWrapKey) ? CKF_WRAP : 0) | | |
72 ((mask & WebKit::WebCryptoKeyUsageUnwrapKey) ? CKF_UNWRAP : 0); | |
73 } | |
74 | |
75 HASH_HashType WebCryptoAlgorithmToNSSHashType( | |
76 const WebKit::WebCryptoAlgorithm& algorithm) { | |
77 switch (algorithm.id()) { | |
78 case WebKit::WebCryptoAlgorithmIdSha1: | |
79 return HASH_AlgSHA1; | |
80 case WebKit::WebCryptoAlgorithmIdSha224: | |
81 return HASH_AlgSHA224; | |
82 case WebKit::WebCryptoAlgorithmIdSha256: | |
83 return HASH_AlgSHA256; | |
84 case WebKit::WebCryptoAlgorithmIdSha384: | |
85 return HASH_AlgSHA384; | |
86 case WebKit::WebCryptoAlgorithmIdSha512: | |
87 return HASH_AlgSHA512; | |
88 default: | |
89 // Not a digest algorithm. | |
90 return HASH_AlgNULL; | |
91 } | |
92 } | |
93 | |
94 CK_MECHANISM_TYPE WebCryptoAlgorithmToHMACMechanism( | |
95 const WebKit::WebCryptoAlgorithm& algorithm) { | |
96 switch (algorithm.id()) { | |
97 case WebKit::WebCryptoAlgorithmIdSha1: | |
98 return CKM_SHA_1_HMAC; | |
99 case WebKit::WebCryptoAlgorithmIdSha256: | |
100 return CKM_SHA256_HMAC; | |
101 default: | |
102 // Not a supported algorithm. | |
103 return CKM_INVALID_MECHANISM; | |
104 } | |
105 } | |
106 | |
107 } // namespace | |
108 | |
16 bool WebCryptoImpl::DigestInternal( | 109 bool WebCryptoImpl::DigestInternal( |
17 const WebKit::WebCryptoAlgorithm& algorithm, | 110 const WebKit::WebCryptoAlgorithm& algorithm, |
18 const unsigned char* data, | 111 const unsigned char* data, |
19 unsigned data_size, | 112 unsigned data_size, |
20 WebKit::WebArrayBuffer* buffer) { | 113 WebKit::WebArrayBuffer* buffer) { |
21 HASH_HashType hash_type = HASH_AlgNULL; | 114 HASH_HashType hash_type = WebCryptoAlgorithmToNSSHashType(algorithm); |
22 | 115 if (hash_type == HASH_AlgNULL) { |
23 switch (algorithm.id()) { | 116 return false; |
24 case WebKit::WebCryptoAlgorithmIdSha1: | |
25 hash_type = HASH_AlgSHA1; | |
26 break; | |
27 case WebKit::WebCryptoAlgorithmIdSha224: | |
28 hash_type = HASH_AlgSHA224; | |
29 break; | |
30 case WebKit::WebCryptoAlgorithmIdSha256: | |
31 hash_type = HASH_AlgSHA256; | |
32 break; | |
33 case WebKit::WebCryptoAlgorithmIdSha384: | |
34 hash_type = HASH_AlgSHA384; | |
35 break; | |
36 case WebKit::WebCryptoAlgorithmIdSha512: | |
37 hash_type = HASH_AlgSHA512; | |
38 break; | |
39 default: | |
40 // Not a digest algorithm. | |
41 return false; | |
42 } | 117 } |
43 | 118 |
44 crypto::EnsureNSSInit(); | 119 crypto::EnsureNSSInit(); |
45 | 120 |
46 HASHContext* context = HASH_Create(hash_type); | 121 HASHContext* context = HASH_Create(hash_type); |
47 if (!context) { | 122 if (!context) { |
48 return false; | 123 return false; |
49 } | 124 } |
50 | 125 |
51 HASH_Begin(context); | 126 HASH_Begin(context); |
52 | 127 |
53 HASH_Update(context, data, data_size); | 128 HASH_Update(context, data, data_size); |
54 | 129 |
55 size_t hash_result_length = HASH_ResultLenContext(context); | 130 unsigned hash_result_length = HASH_ResultLenContext(context); |
56 DCHECK_LE(hash_result_length, static_cast<size_t>(HASH_LENGTH_MAX)); | 131 DCHECK_LE(hash_result_length, static_cast<size_t>(HASH_LENGTH_MAX)); |
57 | 132 |
58 *buffer = WebKit::WebArrayBuffer::create(hash_result_length, 1); | 133 *buffer = WebKit::WebArrayBuffer::create(hash_result_length, 1); |
59 | 134 |
60 unsigned char* digest = reinterpret_cast<unsigned char*>(buffer->data()); | 135 unsigned char* digest = reinterpret_cast<unsigned char*>(buffer->data()); |
61 | 136 |
62 uint32 result_length = 0; | 137 unsigned result_length = 0; |
63 HASH_End(context, digest, &result_length, hash_result_length); | 138 HASH_End(context, digest, &result_length, hash_result_length); |
64 | 139 |
65 HASH_Destroy(context); | 140 HASH_Destroy(context); |
66 | 141 |
67 return result_length == hash_result_length; | 142 return result_length == hash_result_length; |
68 } | 143 } |
69 | 144 |
145 bool WebCryptoImpl::ImportKeyInternal( | |
146 WebKit::WebCryptoKeyFormat format, | |
147 const unsigned char* key_data, | |
148 unsigned key_data_size, | |
149 const WebKit::WebCryptoAlgorithm& algorithm, | |
150 WebKit::WebCryptoKeyUsageMask usage_mask, | |
151 scoped_ptr<WebKit::WebCryptoKeyHandle>* handle, | |
152 WebKit::WebCryptoKeyType* type) { | |
153 switch (algorithm.id()) { | |
154 case WebKit::WebCryptoAlgorithmIdHmac: | |
155 *type = WebKit::WebCryptoKeyTypeSecret; | |
156 break; | |
157 // TODO(bryaneyler): Support more key types. | |
158 default: | |
159 return false; | |
160 } | |
161 | |
162 // TODO(bryaneyler): Need to split handling for symmetric and asymmetric keys. | |
163 // Currently only supporting symmetric. | |
164 scoped_ptr<WebCryptoSymKeyHandle> sym_key; | |
165 | |
166 crypto::EnsureNSSInit(); | |
167 | |
168 switch(algorithm.id()) { | |
169 case WebKit::WebCryptoAlgorithmIdHmac: { | |
170 const WebKit::WebCryptoHmacParams* params = algorithm.hmacParams(); | |
171 if (!params) { | |
172 return false; | |
173 } | |
174 | |
175 CK_MECHANISM_TYPE mechanism = | |
176 WebCryptoAlgorithmToHMACMechanism(params->hash()); | |
177 if (mechanism == CKM_INVALID_MECHANISM) { | |
178 return false; | |
179 } | |
180 | |
181 sym_key.reset(new WebCryptoSymKeyHandle(mechanism, usage_mask)); | |
182 | |
183 if (!sym_key->Initialize()) { | |
184 return false; | |
185 } | |
186 | |
187 break; | |
188 } | |
189 default: | |
190 return false; | |
191 } | |
192 | |
193 SECItem key_item = { siBuffer, NULL, 0 }; | |
194 | |
195 switch (format) { | |
196 case WebKit::WebCryptoKeyFormatRaw: | |
197 key_item.data = const_cast<unsigned char*>(key_data); | |
198 key_item.len = key_data_size; | |
199 break; | |
200 // TODO(bryaneyler): Handle additional formats. | |
201 default: | |
202 return false; | |
203 } | |
204 | |
205 crypto::ScopedPK11SymKey pk11_sym_key( | |
206 PK11_ImportSymKeyWithFlags(sym_key->slot(), | |
207 sym_key->mechanism(), | |
208 PK11_OriginUnwrap, | |
209 CKA_FLAGS_ONLY, | |
210 &key_item, | |
211 WebCryptoKeyUsageMaskToNSSFlags(usage_mask), | |
212 false, | |
213 NULL)); | |
214 sym_key->set_key(pk11_sym_key.Pass()); | |
215 if (!sym_key->key()) { | |
216 NOTREACHED(); | |
217 return false; | |
218 } | |
219 | |
220 *handle = sym_key.Pass(); | |
221 | |
222 return true; | |
223 } | |
224 | |
225 bool WebCryptoImpl::SignInternal( | |
226 const WebKit::WebCryptoAlgorithm& algorithm, | |
227 const WebKit::WebCryptoKeyHandle* key, | |
228 const unsigned char* data, | |
229 unsigned data_size, | |
230 WebKit::WebArrayBuffer* buffer) { | |
231 WebKit::WebArrayBuffer result; | |
232 | |
233 switch (algorithm.id()) { | |
234 case WebKit::WebCryptoAlgorithmIdHmac: { | |
235 const WebKit::WebCryptoHmacParams* params = algorithm.hmacParams(); | |
236 if (!params) { | |
237 return false; | |
238 } | |
239 | |
240 WebCryptoSymKeyHandle* sym_key = | |
241 const_cast<WebCryptoSymKeyHandle*>( | |
242 reinterpret_cast<const WebCryptoSymKeyHandle*>(key)); | |
243 | |
244 DCHECK_EQ(sym_key->mechanism(), | |
245 WebCryptoAlgorithmToHMACMechanism(params->hash())); | |
246 DCHECK_NE(0, sym_key->usage() & WebKit::WebCryptoKeyUsageSign); | |
247 | |
248 SECItem param_item = { siBuffer, NULL, 0 }; | |
249 SECItem data_item = { | |
250 siBuffer, | |
251 const_cast<unsigned char*>(data), | |
252 data_size | |
253 }; | |
254 // First call is to figure out the length. | |
255 SECItem signature_item = { siBuffer, NULL, 0 }; | |
256 | |
257 if (PK11_SignWithSymKey(sym_key->key(), | |
258 sym_key->mechanism(), | |
259 ¶m_item, | |
260 &signature_item, | |
261 &data_item) != SECSuccess) { | |
262 NOTREACHED(); | |
263 return false; | |
264 } | |
265 | |
266 DCHECK_LT(0u, signature_item.len); | |
267 | |
268 result = WebKit::WebArrayBuffer::create(signature_item.len, 1); | |
269 signature_item.data = reinterpret_cast<unsigned char*>(result.data()); | |
270 | |
271 if (PK11_SignWithSymKey(sym_key->key(), | |
272 sym_key->mechanism(), | |
273 ¶m_item, | |
274 &signature_item, | |
275 &data_item) != SECSuccess) { | |
276 NOTREACHED(); | |
277 return false; | |
278 } | |
279 | |
280 break; | |
281 } | |
282 default: | |
283 return false; | |
284 } | |
285 | |
286 *buffer = result; | |
287 return true; | |
288 } | |
289 | |
70 } // namespace content | 290 } // namespace content |
OLD | NEW |