OLD | NEW |
---|---|
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/renderer/webcrypto_impl.h" | 5 #include "content/renderer/webcrypto_impl.h" |
6 | 6 |
7 #include <sechash.h> | 7 #include <nss/sechash.h> |
8 #include <nss/pk11pub.h> | |
8 | 9 |
9 #include "base/logging.h" | 10 #include "base/logging.h" |
10 #include "crypto/nss_util.h" | 11 #include "crypto/nss_util.h" |
12 #include "crypto/scoped_nss_types.h" | |
11 #include "third_party/WebKit/public/platform/WebArrayBuffer.h" | 13 #include "third_party/WebKit/public/platform/WebArrayBuffer.h" |
12 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h" | 14 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h" |
15 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" | |
13 | 16 |
14 namespace content { | 17 namespace content { |
15 | 18 |
16 bool WebCryptoImpl::digestInternal( | 19 class WebCryptoSymKeyHandle : public WebKit::WebCryptoKeyHandle { |
20 public: | |
21 WebCryptoSymKeyHandle(CK_MECHANISM_TYPE mechanism) | |
eroman
2013/09/06 23:03:16
single-parameter ctors should be marked as "explic
Bryan Eyler
2013/09/09 22:32:10
Done.
| |
22 : mechanism_(mechanism), | |
23 slot_(PK11_GetInternalSlot()) { | |
24 DCHECK(slot_ != NULL); | |
eroman
2013/09/06 23:03:16
It is customary in chrome to omit the != NULL. jus
Bryan Eyler
2013/09/09 22:32:10
Not much documentation on this, but crypto/ seems
| |
25 } | |
26 | |
27 void set_key(crypto::ScopedPK11SymKey key) { | |
eroman
2013/09/06 23:03:16
Good.
I suggest adding a DCHECK(!key_) for good me
Bryan Eyler
2013/09/09 22:32:10
Done.
| |
28 key_ = key.Pass(); | |
29 } | |
30 | |
31 const CK_MECHANISM_TYPE mechanism() const { return mechanism_; } | |
32 PK11SlotInfo* slot() { return slot_.get(); } | |
33 const PK11SymKey* key() const { return key_.get(); } | |
34 | |
35 private: | |
eroman
2013/09/06 23:03:16
Please also add DISALLOW_COPY_AND_ASSIGN (or whate
Bryan Eyler
2013/09/09 22:32:10
Done.
| |
36 CK_MECHANISM_TYPE mechanism_; | |
37 crypto::ScopedPK11Slot slot_; | |
38 crypto::ScopedPK11SymKey key_; | |
39 }; | |
40 | |
41 static CK_FLAGS WebCryptoKeyUsageMaskToNSSFlags( | |
eroman
2013/09/06 23:03:16
I recommend moving all of this section into an unn
Bryan Eyler
2013/09/09 22:32:10
Done.
| |
42 WebKit::WebCryptoKeyUsageMask mask) { | |
43 return ((mask & WebKit::WebCryptoKeyUsageEncrypt) ? CKF_ENCRYPT : 0) | | |
44 ((mask & WebKit::WebCryptoKeyUsageDecrypt) ? CKF_DECRYPT : 0) | | |
45 ((mask & WebKit::WebCryptoKeyUsageSign) ? CKF_SIGN : 0) | | |
46 ((mask & WebKit::WebCryptoKeyUsageVerify) ? CKF_VERIFY : 0) | | |
47 ((mask & WebKit::WebCryptoKeyUsageDeriveKey) ? CKF_DERIVE : 0) | | |
48 ((mask & WebKit::WebCryptoKeyUsageWrapKey) ? CKF_WRAP : 0) | | |
49 ((mask & WebKit::WebCryptoKeyUsageUnwrapKey) ? CKF_UNWRAP : 0); | |
50 } | |
51 | |
52 static HASH_HashType WebCryptoAlgorithmToNSSHashType( | |
53 const WebKit::WebCryptoAlgorithm& algorithm) { | |
54 switch (algorithm.id()) { | |
55 case WebKit::WebCryptoAlgorithmIdSha1: | |
56 return HASH_AlgSHA1; | |
57 case WebKit::WebCryptoAlgorithmIdSha224: | |
58 return HASH_AlgSHA224; | |
59 case WebKit::WebCryptoAlgorithmIdSha256: | |
60 return HASH_AlgSHA256; | |
61 case WebKit::WebCryptoAlgorithmIdSha384: | |
62 return HASH_AlgSHA384; | |
63 case WebKit::WebCryptoAlgorithmIdSha512: | |
64 return HASH_AlgSHA512; | |
65 default: | |
66 // Not a digest algorithm. | |
67 return HASH_AlgNULL; | |
68 } | |
69 } | |
70 | |
71 static CK_MECHANISM_TYPE WebCryptoAlgorithmToNSSMechanism( | |
72 const WebKit::WebCryptoAlgorithm& algorithm) { | |
73 switch (algorithm.id()) { | |
74 case WebKit::WebCryptoAlgorithmIdSha1: | |
75 return CKM_SHA_1_HMAC; | |
76 case WebKit::WebCryptoAlgorithmIdSha256: | |
77 return CKM_SHA256_HMAC; | |
78 default: | |
79 // Not a supported algorithm. | |
80 return CKM_INVALID_MECHANISM; | |
81 } | |
82 } | |
83 | |
84 bool WebCryptoImpl::DigestInternal( | |
17 const WebKit::WebCryptoAlgorithm& algorithm, | 85 const WebKit::WebCryptoAlgorithm& algorithm, |
18 const unsigned char* data, | 86 const unsigned char* data, |
19 size_t data_size, | 87 size_t data_size, |
20 WebKit::WebArrayBuffer* buffer) { | 88 WebKit::WebArrayBuffer* buffer) { |
21 HASH_HashType hash_type = HASH_AlgNULL; | 89 HASH_HashType hash_type = WebCryptoAlgorithmToNSSHashType(algorithm); |
22 | 90 if (hash_type == HASH_AlgNULL) { |
23 switch (algorithm.id()) { | 91 return false; |
24 case WebKit::WebCryptoAlgorithmIdSha1: | |
25 hash_type = HASH_AlgSHA1; | |
26 break; | |
27 case WebKit::WebCryptoAlgorithmIdSha224: | |
28 hash_type = HASH_AlgSHA224; | |
29 break; | |
30 case WebKit::WebCryptoAlgorithmIdSha256: | |
31 hash_type = HASH_AlgSHA256; | |
32 break; | |
33 case WebKit::WebCryptoAlgorithmIdSha384: | |
34 hash_type = HASH_AlgSHA384; | |
35 break; | |
36 case WebKit::WebCryptoAlgorithmIdSha512: | |
37 hash_type = HASH_AlgSHA512; | |
38 break; | |
39 default: | |
40 // Not a digest algorithm. | |
41 return false; | |
42 } | 92 } |
43 | 93 |
44 crypto::EnsureNSSInit(); | 94 crypto::EnsureNSSInit(); |
45 | 95 |
46 HASHContext* context = HASH_Create(hash_type); | 96 HASHContext* context = HASH_Create(hash_type); |
47 if (!context) { | 97 if (!context) { |
48 return false; | 98 return false; |
49 } | 99 } |
50 | 100 |
51 HASH_Begin(context); | 101 HASH_Begin(context); |
52 | 102 |
53 HASH_Update(context, data, data_size); | 103 HASH_Update(context, data, data_size); |
54 | 104 |
55 size_t hash_result_length = HASH_ResultLenContext(context); | 105 size_t hash_result_length = HASH_ResultLenContext(context); |
56 DCHECK_LE(hash_result_length, static_cast<size_t>(HASH_LENGTH_MAX)); | 106 DCHECK_LE(hash_result_length, static_cast<size_t>(HASH_LENGTH_MAX)); |
57 | 107 |
58 *buffer = WebKit::WebArrayBuffer::create(hash_result_length, 1); | 108 *buffer = WebKit::WebArrayBuffer::create(hash_result_length, 1); |
59 | 109 |
60 unsigned char* digest = reinterpret_cast<unsigned char*>(buffer->data()); | 110 unsigned char* digest = reinterpret_cast<unsigned char*>(buffer->data()); |
61 | 111 |
62 uint32 result_length = 0; | 112 uint32 result_length = 0; |
63 HASH_End(context, digest, &result_length, hash_result_length); | 113 HASH_End(context, digest, &result_length, hash_result_length); |
64 | 114 |
65 HASH_Destroy(context); | 115 HASH_Destroy(context); |
66 | 116 |
67 return result_length == hash_result_length; | 117 return result_length == hash_result_length; |
68 } | 118 } |
69 | 119 |
120 bool WebCryptoImpl::ImportKeyInternal( | |
121 WebKit::WebCryptoKeyFormat format, | |
122 const unsigned char* key_data, | |
123 size_t key_data_size, | |
124 const WebKit::WebCryptoAlgorithm& algorithm, | |
125 WebKit::WebCryptoKeyUsageMask usage_mask, | |
126 scoped_ptr<WebKit::WebCryptoKeyHandle>* handle, | |
127 WebKit::WebCryptoKeyType* type) { | |
128 switch (algorithm.id()) { | |
129 case WebKit::WebCryptoAlgorithmIdHmac: | |
130 *type = WebKit::WebCryptoKeyTypeSecret; | |
131 break; | |
132 // TODO(bryaneyler): Support more key types. | |
133 default: | |
134 return false; | |
135 } | |
136 | |
137 // TODO(bryaneyler): Need to split handling for symmetric and asymmetric keys. | |
138 // Currently only supporting symmetric. | |
139 scoped_ptr<WebCryptoSymKeyHandle> sym_key; | |
140 | |
141 switch(algorithm.id()) { | |
142 case WebKit::WebCryptoAlgorithmIdHmac: { | |
143 const WebKit::WebCryptoHmacParams* params = algorithm.hmacParams(); | |
144 if (!params) { | |
145 return false; | |
146 } | |
147 | |
148 CK_MECHANISM_TYPE mechanism = | |
149 WebCryptoAlgorithmToNSSMechanism(params->hash()); | |
150 if (mechanism == CKM_INVALID_MECHANISM) { | |
151 return false; | |
152 } | |
153 | |
154 sym_key.reset(new WebCryptoSymKeyHandle(mechanism)); | |
155 break; | |
156 } | |
157 default: | |
158 return false; | |
159 } | |
160 | |
161 SECItem key_item = { | |
eroman
2013/09/06 23:03:16
nit: inconsistent style (later on you initialize a
Bryan Eyler
2013/09/09 22:32:10
Done.
| |
162 siBuffer, | |
163 NULL, | |
164 0 | |
165 }; | |
166 | |
167 switch (format) { | |
168 case WebKit::WebCryptoKeyFormatRaw: | |
169 key_item.data = const_cast<unsigned char*>(key_data); | |
170 key_item.len = key_data_size; | |
eroman
2013/09/06 23:03:16
Hmm.
NSS expects "unsigned int" for lengths, howe
Bryan Eyler
2013/09/09 22:32:10
Will re-based once https://codereview.chromium.org
| |
171 break; | |
172 // TODO(bryaneyler): Handle additional formats. | |
173 default: | |
174 return false; | |
175 } | |
176 | |
177 crypto::ScopedPK11SymKey pk11_sym_key( | |
178 PK11_ImportSymKeyWithFlags(sym_key->slot(), | |
179 sym_key->mechanism(), | |
180 PK11_OriginUnwrap, | |
181 CKA_FLAGS_ONLY, | |
182 &key_item, | |
183 WebCryptoKeyUsageMaskToNSSFlags(usage_mask), | |
184 false, | |
185 NULL)); | |
186 sym_key->set_key(pk11_sym_key.Pass()); | |
187 if (!sym_key->key()) { | |
188 NOTREACHED(); | |
189 return false; | |
190 } | |
191 | |
192 *handle = sym_key.Pass(); | |
193 | |
194 return true; | |
195 } | |
196 | |
197 bool WebCryptoImpl::SignInternal( | |
198 const WebKit::WebCryptoAlgorithm& algorithm, | |
199 const WebKit::WebCryptoKeyHandle* key, | |
200 const unsigned char* data, | |
201 size_t data_size, | |
202 WebKit::WebArrayBuffer* buffer) { | |
203 WebKit::WebArrayBuffer result; | |
204 | |
205 switch (algorithm.id()) { | |
206 case WebKit::WebCryptoAlgorithmIdHmac: { | |
207 const WebKit::WebCryptoHmacParams* params = algorithm.hmacParams(); | |
208 if (!params) { | |
209 return false; | |
210 } | |
211 | |
212 const WebCryptoSymKeyHandle* sym_key = | |
213 reinterpret_cast<const WebCryptoSymKeyHandle*>(key); | |
214 | |
215 HASH_HashType hash_type = WebCryptoAlgorithmToNSSHashType(params->hash()); | |
216 if (hash_type == HASH_AlgNULL) { | |
217 return false; | |
218 } | |
219 | |
220 size_t digest_length = HASH_ResultLen(hash_type); | |
eroman
2013/09/06 23:03:16
unsigned int for consistency
Bryan Eyler
2013/09/09 22:32:10
This is something James requested I change in my p
| |
221 | |
222 DCHECK_EQ(sym_key->mechanism(), | |
223 WebCryptoAlgorithmToNSSMechanism(params->hash())); | |
224 | |
225 result = WebKit::WebArrayBuffer::create(digest_length, 1); | |
226 | |
227 SECItem param_item = { siBuffer, NULL, 0 }; | |
228 SECItem data_item = { | |
229 siBuffer, | |
230 const_cast<unsigned char*>(data), | |
231 data_size | |
232 }; | |
233 SECItem signature_item = { | |
234 siBuffer, | |
235 reinterpret_cast<unsigned char*>(result.data()), | |
236 digest_length | |
eroman
2013/09/06 23:03:16
I think this is more readable as result.byteLength
Bryan Eyler
2013/09/09 22:32:10
Done.
| |
237 }; | |
238 | |
239 if (PK11_SignWithSymKey(const_cast<PK11SymKey*>(sym_key->key()), | |
eroman
2013/09/06 23:03:16
Commented on other patchset
| |
240 sym_key->mechanism(), | |
241 ¶m_item, | |
242 &signature_item, | |
243 &data_item) != SECSuccess) { | |
244 NOTREACHED(); | |
245 return false; | |
246 } | |
247 | |
248 break; | |
249 } | |
250 default: | |
251 return false; | |
252 } | |
253 | |
254 *buffer = result; | |
255 return true; | |
256 } | |
257 | |
70 } // namespace content | 258 } // namespace content |
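Review bot: In SignInternal the only check that the key matches the requested HMAC hash is `DCHECK_EQ(sym_key->mechanism(), WebCryptoAlgorithmToNSSMechanism(params->hash()))`, which compiles out of release builds, so a key imported for one hash can be used with a `digest_length` sized for another. If the algorithm parameters at import and at sign time both come from web content (likely, but the callers are not shown on this page), this should be a runtime rejection: `if (sym_key->mechanism() != WebCryptoAlgorithmToNSSMechanism(params->hash())) return false;`. Such a mismatch may also make the `PK11_SignWithSymKey` failure branch reachable, so `NOTREACHED()` there, and after `PK11_ImportSymKeyWithFlags` in ImportKeyInternal, looks wrong for an input-dependent error. Separately, ImportKeyInternal and SignInternal do not call `crypto::EnsureNSSInit()` the way DigestInternal does, and the `slot_` null check in the WebCryptoSymKeyHandle constructor is a DCHECK only, so it is worth confirming that NSS is initialised before `PK11_GetInternalSlot()` runs.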