OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "chrome/browser/chromeos/settings/token_encryptor.h" | |
6 | |
7 #include <vector> | |
8 | |
9 #include "base/logging.h" | |
10 #include "base/strings/string_number_conversions.h" | |
11 #include "base/strings/string_util.h" | |
12 #include "base/sys_info.h" | |
13 #include "chromeos/cryptohome/cryptohome_library.h" | |
14 #include "crypto/encryptor.h" | |
15 #include "crypto/nss_util.h" | |
16 #include "crypto/sha2.h" | |
17 #include "crypto/symmetric_key.h" | |
18 | |
19 namespace chromeos { | |
20 | |
21 namespace { | |
22 const size_t kNonceSize = 16; | |
23 } // namespace | |
24 | |
25 CryptohomeTokenEncryptor::CryptohomeTokenEncryptor() { | |
26 } | |
27 | |
28 CryptohomeTokenEncryptor::~CryptohomeTokenEncryptor() { | |
29 } | |
30 | |
31 std::string CryptohomeTokenEncryptor::EncryptWithSystemSalt( | |
32 const std::string& token) { | |
33 // Don't care about token encryption while debugging. | |
34 if (!base::SysInfo::IsRunningOnChromeOS()) | |
35 return token; | |
36 | |
37 if (!LoadSystemSaltKey()) { | |
38 LOG(WARNING) << "System salt key is not available for encrypt."; | |
39 return std::string(); | |
40 } | |
41 return EncryptTokenWithKey(system_salt_key_.get(), | |
42 system_salt_, | |
43 token); | |
44 } | |
45 | |
46 std::string CryptohomeTokenEncryptor::DecryptWithSystemSalt( | |
47 const std::string& encrypted_token_hex) { | |
48 // Don't care about token encryption while debugging. | |
49 if (!base::SysInfo::IsRunningOnChromeOS()) | |
50 return encrypted_token_hex; | |
51 | |
52 if (!LoadSystemSaltKey()) { | |
53 LOG(WARNING) << "System salt key is not available for decrypt."; | |
54 return std::string(); | |
55 } | |
56 return DecryptTokenWithKey(system_salt_key_.get(), | |
57 system_salt_, | |
58 encrypted_token_hex); | |
59 } | |
60 | |
61 // TODO: should this use the system salt for both the password and the salt | |
62 // value, or should this use a separate salt value? | |
63 bool CryptohomeTokenEncryptor::LoadSystemSaltKey() { | |
64 // Assume the system salt should be obtained beforehand at login time. | |
65 if (system_salt_.empty()) | |
66 system_salt_ = CryptohomeLibrary::Get()->GetCachedSystemSalt(); | |
67 if (system_salt_.empty()) | |
68 return false; | |
69 if (!system_salt_key_.get()) | |
70 system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_)); | |
71 return system_salt_key_.get(); | |
72 } | |
73 | |
74 crypto::SymmetricKey* CryptohomeTokenEncryptor::PassphraseToKey( | |
75 const std::string& passphrase, | |
76 const std::string& salt) { | |
77 return crypto::SymmetricKey::DeriveKeyFromPassword( | |
78 crypto::SymmetricKey::AES, passphrase, salt, 1000, 256); | |
79 } | |
80 | |
hashimoto
2013/10/04 08:38:56
nit: Remove this duplicated blank line.
satorux1
2013/10/07 02:19:14
Done.
| |
81 | |
82 // Encrypts (AES) the token given |key| and |salt|. | |
hashimoto
2013/10/04 08:38:56
nit: Do we need to have the same comment written i
satorux1
2013/10/07 02:19:14
Done.
| |
83 std::string CryptohomeTokenEncryptor::EncryptTokenWithKey( | |
84 crypto::SymmetricKey* key, | |
85 const std::string& salt, | |
86 const std::string& token) { | |
87 crypto::Encryptor encryptor; | |
88 if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { | |
89 LOG(WARNING) << "Failed to initialize Encryptor."; | |
90 return std::string(); | |
91 } | |
92 std::string nonce = salt.substr(0, kNonceSize); | |
93 std::string encoded_token; | |
94 CHECK(encryptor.SetCounter(nonce)); | |
95 if (!encryptor.Encrypt(token, &encoded_token)) { | |
96 LOG(WARNING) << "Failed to encrypt token."; | |
97 return std::string(); | |
98 } | |
99 | |
100 return StringToLowerASCII(base::HexEncode( | |
101 reinterpret_cast<const void*>(encoded_token.data()), | |
102 encoded_token.size())); | |
103 } | |
104 | |
105 // Decrypts (AES) hex encoded encrypted token given |key| and |salt|. | |
hashimoto
2013/10/04 08:38:56
ditto.
satorux1
2013/10/07 02:19:14
Done.
| |
106 std::string CryptohomeTokenEncryptor::DecryptTokenWithKey( | |
107 crypto::SymmetricKey* key, | |
108 const std::string& salt, | |
109 const std::string& encrypted_token_hex) { | |
110 std::vector<uint8> encrypted_token_bytes; | |
111 if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) { | |
112 LOG(WARNING) << "Corrupt encrypted token found."; | |
113 return std::string(); | |
114 } | |
115 | |
116 std::string encrypted_token( | |
117 reinterpret_cast<char*>(encrypted_token_bytes.data()), | |
118 encrypted_token_bytes.size()); | |
119 crypto::Encryptor encryptor; | |
120 if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { | |
121 LOG(WARNING) << "Failed to initialize Encryptor."; | |
122 return std::string(); | |
123 } | |
124 | |
125 std::string nonce = salt.substr(0, kNonceSize); | |
126 std::string token; | |
127 CHECK(encryptor.SetCounter(nonce)); | |
128 if (!encryptor.Decrypt(encrypted_token, &token)) { | |
129 LOG(WARNING) << "Failed to decrypt token."; | |
130 return std::string(); | |
131 } | |
132 return token; | |
133 } | |
134 | |
135 } // namespace chromeos | |
OLD | NEW |