| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/child/webcrypto/platform_crypto.h" | 5 #include "content/child/webcrypto/platform_crypto.h" |
| 6 | 6 |
| 7 #include <cryptohi.h> | 7 #include <cryptohi.h> |
| 8 #include <pk11pub.h> | 8 #include <pk11pub.h> |
| 9 #include <secerr.h> | 9 #include <secerr.h> |
| 10 #include <sechash.h> | 10 #include <sechash.h> |
| (...skipping 542 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 553 // The plaintext length is always 64 bits less than the data size. | 553 // The plaintext length is always 64 bits less than the data size. |
| 554 const unsigned int plaintext_length = wrapped_key_data.byte_length() - 8; | 554 const unsigned int plaintext_length = wrapped_key_data.byte_length() - 8; |
| 555 | 555 |
| 556 #if defined(USE_NSS) | 556 #if defined(USE_NSS) |
| 557 // Part of workaround for | 557 // Part of workaround for |
| 558 // https://bugzilla.mozilla.org/show_bug.cgi?id=981170. See the explanation | 558 // https://bugzilla.mozilla.org/show_bug.cgi?id=981170. See the explanation |
| 559 // later in this function. | 559 // later in this function. |
| 560 PORT_SetError(0); | 560 PORT_SetError(0); |
| 561 #endif | 561 #endif |
| 562 | 562 |
| 563 crypto::ScopedPK11SymKey new_key(PK11_UnwrapSymKey(wrapping_key->key(), | 563 crypto::ScopedPK11SymKey new_key( |
| 564 CKM_NSS_AES_KEY_WRAP, | 564 PK11_UnwrapSymKeyWithFlags(wrapping_key->key(), |
| 565 param_item.get(), | 565 CKM_NSS_AES_KEY_WRAP, |
| 566 &cipher_text, | 566 param_item.get(), |
| 567 mechanism, | 567 &cipher_text, |
| 568 flags, | 568 mechanism, |
| 569 plaintext_length)); | 569 CKA_FLAGS_ONLY, |
| 570 plaintext_length, |
| 571 flags)); |
| 572 |
| 570 // TODO(padolph): Use NSS PORT_GetError() and friends to report a more | 573 // TODO(padolph): Use NSS PORT_GetError() and friends to report a more |
| 571 // accurate error, providing if doesn't leak any information to web pages | 574 // accurate error, providing if doesn't leak any information to web pages |
| 572 // about other web crypto users, key details, etc. | 575 // about other web crypto users, key details, etc. |
| 573 if (!new_key) | 576 if (!new_key) |
| 574 return Status::OperationError(); | 577 return Status::OperationError(); |
| 575 | 578 |
| 576 #if defined(USE_NSS) | 579 #if defined(USE_NSS) |
| 577 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=981170 | 580 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=981170 |
| 578 // which was fixed in NSS 3.16.0. | 581 // which was fixed in NSS 3.16.0. |
| 579 // If unwrap fails, NSS nevertheless returns a valid-looking PK11SymKey, | 582 // If unwrap fails, NSS nevertheless returns a valid-looking PK11SymKey, |
| (...skipping 988 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1568 return Status::Success(); | 1571 return Status::Success(); |
| 1569 } | 1572 } |
| 1570 | 1573 |
| 1571 Status DecryptAesKw(SymKey* wrapping_key, | 1574 Status DecryptAesKw(SymKey* wrapping_key, |
| 1572 const CryptoData& data, | 1575 const CryptoData& data, |
| 1573 std::vector<uint8>* buffer) { | 1576 std::vector<uint8>* buffer) { |
| 1574 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must be | 1577 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must be |
| 1575 // temporarily viewed as a symmetric key to be unwrapped (decrypted). | 1578 // temporarily viewed as a symmetric key to be unwrapped (decrypted). |
| 1576 crypto::ScopedPK11SymKey decrypted; | 1579 crypto::ScopedPK11SymKey decrypted; |
| 1577 Status status = DoUnwrapSymKeyAesKw( | 1580 Status status = DoUnwrapSymKeyAesKw( |
| 1578 data, wrapping_key, CKK_GENERIC_SECRET, CKA_ENCRYPT, &decrypted); | 1581 data, wrapping_key, CKK_GENERIC_SECRET, 0, &decrypted); |
| 1579 if (status.IsError()) | 1582 if (status.IsError()) |
| 1580 return status; | 1583 return status; |
| 1581 | 1584 |
| 1582 // Once the decrypt is complete, extract the resultant raw bytes from NSS and | 1585 // Once the decrypt is complete, extract the resultant raw bytes from NSS and |
| 1583 // return them to the caller. | 1586 // return them to the caller. |
| 1584 if (PK11_ExtractKeyValue(decrypted.get()) != SECSuccess) | 1587 if (PK11_ExtractKeyValue(decrypted.get()) != SECSuccess) |
| 1585 return Status::OperationError(); | 1588 return Status::OperationError(); |
| 1586 const SECItem* const key_data = PK11_GetKeyData(decrypted.get()); | 1589 const SECItem* const key_data = PK11_GetKeyData(decrypted.get()); |
| 1587 if (!key_data) | 1590 if (!key_data) |
| 1588 return Status::OperationError(); | 1591 return Status::OperationError(); |
| (...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1672 key_algorithm, | 1675 key_algorithm, |
| 1673 usage_mask); | 1676 usage_mask); |
| 1674 return Status::Success(); | 1677 return Status::Success(); |
| 1675 } | 1678 } |
| 1676 | 1679 |
| 1677 } // namespace platform | 1680 } // namespace platform |
| 1678 | 1681 |
| 1679 } // namespace webcrypto | 1682 } // namespace webcrypto |
| 1680 | 1683 |
| 1681 } // namespace content | 1684 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 269313004:
[webcrypto] Fix AES-KW unwrapping for symmetric keys (NSS). (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src