OLD | NEW |
(Empty) | |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/chromeos/settings/token_encryptor.h" |
| 6 |
| 7 #include <vector> |
| 8 |
| 9 #include "base/logging.h" |
| 10 #include "base/strings/string_number_conversions.h" |
| 11 #include "base/strings/string_util.h" |
| 12 #include "base/sys_info.h" |
| 13 #include "chromeos/cryptohome/cryptohome_library.h" |
| 14 #include "crypto/encryptor.h" |
| 15 #include "crypto/nss_util.h" |
| 16 #include "crypto/sha2.h" |
| 17 #include "crypto/symmetric_key.h" |
| 18 |
| 19 namespace chromeos { |
| 20 |
| 21 namespace { |
| 22 const size_t kNonceSize = 16; |
| 23 } // namespace |
| 24 |
| 25 CryptohomeTokenEncryptor::CryptohomeTokenEncryptor() { |
| 26 } |
| 27 |
| 28 CryptohomeTokenEncryptor::~CryptohomeTokenEncryptor() { |
| 29 } |
| 30 |
| 31 std::string CryptohomeTokenEncryptor::EncryptWithSystemSalt( |
| 32 const std::string& token) { |
| 33 // Don't care about token encryption while debugging. |
| 34 if (!base::SysInfo::IsRunningOnChromeOS()) |
| 35 return token; |
| 36 |
| 37 if (!LoadSystemSaltKey()) { |
| 38 LOG(WARNING) << "System salt key is not available for encrypt."; |
| 39 return std::string(); |
| 40 } |
| 41 return EncryptTokenWithKey(system_salt_key_.get(), |
| 42 system_salt_, |
| 43 token); |
| 44 } |
| 45 |
| 46 std::string CryptohomeTokenEncryptor::DecryptWithSystemSalt( |
| 47 const std::string& encrypted_token_hex) { |
| 48 // Don't care about token encryption while debugging. |
| 49 if (!base::SysInfo::IsRunningOnChromeOS()) |
| 50 return encrypted_token_hex; |
| 51 |
| 52 if (!LoadSystemSaltKey()) { |
| 53 LOG(WARNING) << "System salt key is not available for decrypt."; |
| 54 return std::string(); |
| 55 } |
| 56 return DecryptTokenWithKey(system_salt_key_.get(), |
| 57 system_salt_, |
| 58 encrypted_token_hex); |
| 59 } |
| 60 |
| 61 // TODO: should this use the system salt for both the password and the salt |
| 62 // value, or should this use a separate salt value? |
| 63 bool CryptohomeTokenEncryptor::LoadSystemSaltKey() { |
| 64 // Assume the system salt should be obtained beforehand at login time. |
| 65 if (system_salt_.empty()) |
| 66 system_salt_ = CryptohomeLibrary::Get()->GetCachedSystemSalt(); |
| 67 if (system_salt_.empty()) |
| 68 return false; |
| 69 if (!system_salt_key_.get()) |
| 70 system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_)); |
| 71 return system_salt_key_.get(); |
| 72 } |
| 73 |
| 74 crypto::SymmetricKey* CryptohomeTokenEncryptor::PassphraseToKey( |
| 75 const std::string& passphrase, |
| 76 const std::string& salt) { |
| 77 return crypto::SymmetricKey::DeriveKeyFromPassword( |
| 78 crypto::SymmetricKey::AES, passphrase, salt, 1000, 256); |
| 79 } |
| 80 |
| 81 std::string CryptohomeTokenEncryptor::EncryptTokenWithKey( |
| 82 crypto::SymmetricKey* key, |
| 83 const std::string& salt, |
| 84 const std::string& token) { |
| 85 crypto::Encryptor encryptor; |
| 86 if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { |
| 87 LOG(WARNING) << "Failed to initialize Encryptor."; |
| 88 return std::string(); |
| 89 } |
| 90 std::string nonce = salt.substr(0, kNonceSize); |
| 91 std::string encoded_token; |
| 92 CHECK(encryptor.SetCounter(nonce)); |
| 93 if (!encryptor.Encrypt(token, &encoded_token)) { |
| 94 LOG(WARNING) << "Failed to encrypt token."; |
| 95 return std::string(); |
| 96 } |
| 97 |
| 98 return StringToLowerASCII(base::HexEncode( |
| 99 reinterpret_cast<const void*>(encoded_token.data()), |
| 100 encoded_token.size())); |
| 101 } |
| 102 |
| 103 std::string CryptohomeTokenEncryptor::DecryptTokenWithKey( |
| 104 crypto::SymmetricKey* key, |
| 105 const std::string& salt, |
| 106 const std::string& encrypted_token_hex) { |
| 107 std::vector<uint8> encrypted_token_bytes; |
| 108 if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) { |
| 109 LOG(WARNING) << "Corrupt encrypted token found."; |
| 110 return std::string(); |
| 111 } |
| 112 |
| 113 std::string encrypted_token( |
| 114 reinterpret_cast<char*>(encrypted_token_bytes.data()), |
| 115 encrypted_token_bytes.size()); |
| 116 crypto::Encryptor encryptor; |
| 117 if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { |
| 118 LOG(WARNING) << "Failed to initialize Encryptor."; |
| 119 return std::string(); |
| 120 } |
| 121 |
| 122 std::string nonce = salt.substr(0, kNonceSize); |
| 123 std::string token; |
| 124 CHECK(encryptor.SetCounter(nonce)); |
| 125 if (!encryptor.Decrypt(encrypted_token, &token)) { |
| 126 LOG(WARNING) << "Failed to decrypt token."; |
| 127 return std::string(); |
| 128 } |
| 129 return token; |
| 130 } |
| 131 |
| 132 } // namespace chromeos |
OLD | NEW |