Chromium Code Reviews Chromium Code Reviews
Issue 25975002:
cryptohome: Move Encrypt/DecryptWithSystemSalt() out of CryptohomeLibrary (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/chromeos/settings/token_encryptor.h" | |
| 6 | |
| 7 #include <vector> | |
| 8 | |
| 9 #include "base/logging.h" | |
| 10 #include "base/strings/string_number_conversions.h" | |
| 11 #include "base/strings/string_util.h" | |
| 12 #include "base/sys_info.h" | |
| 13 #include "chromeos/cryptohome/cryptohome_library.h" | |
| 14 #include "crypto/encryptor.h" | |
| 15 #include "crypto/nss_util.h" | |
| 16 #include "crypto/sha2.h" | |
| 17 #include "crypto/symmetric_key.h" | |
| 18 | |
| 19 namespace chromeos { | |
| 20 | |
| 21 namespace { | |
| 22 const size_t kNonceSize = 16; | |
| 23 } // namespace | |
| 24 | |
| 25 CryptohomeTokenEncryptor::CryptohomeTokenEncryptor() { | |
| 26 } | |
| 27 | |
| 28 CryptohomeTokenEncryptor::~CryptohomeTokenEncryptor() { | |
| 29 } | |
| 30 | |
| 31 std::string CryptohomeTokenEncryptor::EncryptWithSystemSalt( | |
| 32 const std::string& token) { | |
| 33 // Don't care about token encryption while debugging. | |
| 34 if (!base::SysInfo::IsRunningOnChromeOS()) | |
| 35 return token; | |
| 36 | |
| 37 if (!LoadSystemSaltKey()) { | |
| 38 LOG(WARNING) << "System salt key is not available for encrypt."; | |
| 39 return std::string(); | |
| 40 } | |
| 41 return EncryptTokenWithKey(system_salt_key_.get(), | |
| 42 system_salt_, | |
| 43 token); | |
| 44 } | |
| 45 | |
| 46 std::string CryptohomeTokenEncryptor::DecryptWithSystemSalt( | |
| 47 const std::string& encrypted_token_hex) { | |
| 48 // Don't care about token encryption while debugging. | |
| 49 if (!base::SysInfo::IsRunningOnChromeOS()) | |
| 50 return encrypted_token_hex; | |
| 51 | |
| 52 if (!LoadSystemSaltKey()) { | |
| 53 LOG(WARNING) << "System salt key is not available for decrypt."; | |
| 54 return std::string(); | |
| 55 } | |
| 56 return DecryptTokenWithKey(system_salt_key_.get(), | |
| 57 system_salt_, | |
| 58 encrypted_token_hex); | |
| 59 } | |
| 60 | |
| 61 // TODO: should this use the system salt for both the password and the salt | |
| 62 // value, or should this use a separate salt value? | |
| 63 bool CryptohomeTokenEncryptor::LoadSystemSaltKey() { | |
| 64 // Assume the system salt should be obtained beforehand at login time. | |
| 65 if (system_salt_.empty()) | |
| 66 system_salt_ = CryptohomeLibrary::Get()->GetCachedSystemSalt(); | |
| 67 if (system_salt_.empty()) | |
| 68 return false; | |
| 69 if (!system_salt_key_.get()) | |
| 70 system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_)); | |
| 71 return system_salt_key_.get(); | |
| 72 } | |
| 73 | |
| 74 crypto::SymmetricKey* CryptohomeTokenEncryptor::PassphraseToKey( | |
| 75 const std::string& passphrase, | |
| 76 const std::string& salt) { | |
| 77 return crypto::SymmetricKey::DeriveKeyFromPassword( | |
| 78 crypto::SymmetricKey::AES, passphrase, salt, 1000, 256); | |
| 79 } | |
| 80 | |
|
hashimoto
2013/10/04 08:38:56
nit: Remove this duplicated blank line.
satorux1
2013/10/07 02:19:14
Done.
| |
| 81 | |
| 82 // Encrypts (AES) the token given |key| and |salt|. | |
|
hashimoto
2013/10/04 08:38:56
nit: Do we need to have the same comment written i
satorux1
2013/10/07 02:19:14
Done.
| |
| 83 std::string CryptohomeTokenEncryptor::EncryptTokenWithKey( | |
| 84 crypto::SymmetricKey* key, | |
| 85 const std::string& salt, | |
| 86 const std::string& token) { | |
| 87 crypto::Encryptor encryptor; | |
| 88 if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { | |
| 89 LOG(WARNING) << "Failed to initialize Encryptor."; | |
| 90 return std::string(); | |
| 91 } | |
| 92 std::string nonce = salt.substr(0, kNonceSize); | |
| 93 std::string encoded_token; | |
| 94 CHECK(encryptor.SetCounter(nonce)); | |
| 95 if (!encryptor.Encrypt(token, &encoded_token)) { | |
| 96 LOG(WARNING) << "Failed to encrypt token."; | |
| 97 return std::string(); | |
| 98 } | |
| 99 | |
| 100 return StringToLowerASCII(base::HexEncode( | |
| 101 reinterpret_cast<const void*>(encoded_token.data()), | |
| 102 encoded_token.size())); | |
| 103 } | |
| 104 | |
| 105 // Decrypts (AES) hex encoded encrypted token given |key| and |salt|. | |
|
hashimoto
2013/10/04 08:38:56
ditto.
satorux1
2013/10/07 02:19:14
Done.
| |
| 106 std::string CryptohomeTokenEncryptor::DecryptTokenWithKey( | |
| 107 crypto::SymmetricKey* key, | |
| 108 const std::string& salt, | |
| 109 const std::string& encrypted_token_hex) { | |
| 110 std::vector<uint8> encrypted_token_bytes; | |
| 111 if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) { | |
| 112 LOG(WARNING) << "Corrupt encrypted token found."; | |
| 113 return std::string(); | |
| 114 } | |
| 115 | |
| 116 std::string encrypted_token( | |
| 117 reinterpret_cast<char*>(encrypted_token_bytes.data()), | |
| 118 encrypted_token_bytes.size()); | |
| 119 crypto::Encryptor encryptor; | |
| 120 if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { | |
| 121 LOG(WARNING) << "Failed to initialize Encryptor."; | |
| 122 return std::string(); | |
| 123 } | |
| 124 | |
| 125 std::string nonce = salt.substr(0, kNonceSize); | |
| 126 std::string token; | |
| 127 CHECK(encryptor.SetCounter(nonce)); | |
| 128 if (!encryptor.Decrypt(encrypted_token, &token)) { | |
| 129 LOG(WARNING) << "Failed to decrypt token."; | |
| 130 return std::string(); | |
| 131 } | |
| 132 return token; | |
| 133 } | |
| 134 | |
| 135 } // namespace chromeos | |
| OLD | NEW |
