OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "chrome/browser/chromeos/settings/token_encryptor.h" | |
6 | |
7 #include <vector> | |
8 | |
9 #include "base/logging.h" | |
10 #include "base/strings/string_number_conversions.h" | |
11 #include "base/strings/string_util.h" | |
12 #include "base/sys_info.h" | |
13 #include "chromeos/cryptohome/cryptohome_library.h" | |
14 #include "crypto/encryptor.h" | |
15 #include "crypto/nss_util.h" | |
16 #include "crypto/sha2.h" | |
17 #include "crypto/symmetric_key.h" | |
18 | |
19 namespace chromeos { | |
20 | |
21 namespace { | |
22 const size_t kNonceSize = 16; | |
23 } // namespace | |
24 | |
25 CryptohomeTokenEncryptor::CryptohomeTokenEncryptor() { | |
26 } | |
27 | |
28 CryptohomeTokenEncryptor::~CryptohomeTokenEncryptor() { | |
29 } | |
30 | |
31 std::string CryptohomeTokenEncryptor::EncryptWithSystemSalt( | |
32 const std::string& token) { | |
33 // Don't care about token encryption while debugging. | |
34 if (!base::SysInfo::IsRunningOnChromeOS()) | |
35 return token; | |
36 | |
37 if (!LoadSystemSaltKey()) { | |
38 LOG(WARNING) << "System salt key is not available for encrypt."; | |
39 return std::string(); | |
40 } | |
41 return EncryptTokenWithKey(system_salt_key_.get(), | |
42 system_salt_, | |
43 token); | |
44 } | |
45 | |
46 std::string CryptohomeTokenEncryptor::DecryptWithSystemSalt( | |
47 const std::string& encrypted_token_hex) { | |
48 // Don't care about token encryption while debugging. | |
49 if (!base::SysInfo::IsRunningOnChromeOS()) | |
50 return encrypted_token_hex; | |
51 | |
52 if (!LoadSystemSaltKey()) { | |
53 LOG(WARNING) << "System salt key is not available for decrypt."; | |
54 return std::string(); | |
55 } | |
56 return DecryptTokenWithKey(system_salt_key_.get(), | |
57 system_salt_, | |
58 encrypted_token_hex); | |
59 } | |
60 | |
61 // TODO: should this use the system salt for both the password and the salt | |
62 // value, or should this use a separate salt value? | |
63 bool CryptohomeTokenEncryptor::LoadSystemSaltKey() { | |
64 if (system_salt_.empty()) | |
65 system_salt_ = CryptohomeLibrary::Get()->GetSystemSalt(); | |
satorux1
2013/10/04 06:11:14
As mentioned in the patch description, the two lin
hashimoto
2013/10/04 06:22:28
I don't think we should add a new user of Cryptoho
satorux1
2013/10/04 06:44:01
That's a good point. In the original code, there w
| |
66 if (system_salt_.empty()) | |
67 return false; | |
68 if (!system_salt_key_.get()) | |
69 system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_)); | |
70 return system_salt_key_.get(); | |
71 } | |
72 | |
73 crypto::SymmetricKey* CryptohomeTokenEncryptor::PassphraseToKey( | |
74 const std::string& passphrase, | |
75 const std::string& salt) { | |
76 return crypto::SymmetricKey::DeriveKeyFromPassword( | |
77 crypto::SymmetricKey::AES, passphrase, salt, 1000, 256); | |
78 } | |
79 | |
80 | |
81 // Encrypts (AES) the token given |key| and |salt|. | |
82 std::string CryptohomeTokenEncryptor::EncryptTokenWithKey( | |
83 crypto::SymmetricKey* key, | |
84 const std::string& salt, | |
85 const std::string& token) { | |
86 crypto::Encryptor encryptor; | |
87 if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { | |
88 LOG(WARNING) << "Failed to initialize Encryptor."; | |
89 return std::string(); | |
90 } | |
91 std::string nonce = salt.substr(0, kNonceSize); | |
92 std::string encoded_token; | |
93 CHECK(encryptor.SetCounter(nonce)); | |
94 if (!encryptor.Encrypt(token, &encoded_token)) { | |
95 LOG(WARNING) << "Failed to encrypt token."; | |
96 return std::string(); | |
97 } | |
98 | |
99 return StringToLowerASCII(base::HexEncode( | |
100 reinterpret_cast<const void*>(encoded_token.data()), | |
101 encoded_token.size())); | |
102 } | |
103 | |
104 // Decrypts (AES) hex encoded encrypted token given |key| and |salt|. | |
105 std::string CryptohomeTokenEncryptor::DecryptTokenWithKey( | |
106 crypto::SymmetricKey* key, | |
107 const std::string& salt, | |
108 const std::string& encrypted_token_hex) { | |
109 std::vector<uint8> encrypted_token_bytes; | |
110 if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) { | |
111 LOG(WARNING) << "Corrupt encrypted token found."; | |
112 return std::string(); | |
113 } | |
114 | |
115 std::string encrypted_token( | |
116 reinterpret_cast<char*>(encrypted_token_bytes.data()), | |
117 encrypted_token_bytes.size()); | |
118 crypto::Encryptor encryptor; | |
119 if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { | |
120 LOG(WARNING) << "Failed to initialize Encryptor."; | |
121 return std::string(); | |
122 } | |
123 | |
124 std::string nonce = salt.substr(0, kNonceSize); | |
125 std::string token; | |
126 CHECK(encryptor.SetCounter(nonce)); | |
127 if (!encryptor.Decrypt(encrypted_token, &token)) { | |
128 LOG(WARNING) << "Failed to decrypt token."; | |
129 return std::string(); | |
130 } | |
131 return token; | |
132 } | |
133 | |
134 } // namespace chromeos | |
OLD | NEW |