Implement support for draft-ietf-webpush-encryption-08

components/gcm_driver/crypto/gcm_message_cryptographer.cc

Index: components/gcm_driver/crypto/gcm_message_cryptographer.cc
diff --git a/components/gcm_driver/crypto/gcm_message_cryptographer.cc b/components/gcm_driver/crypto/gcm_message_cryptographer.cc
index 662b9abec892a4c66bd96560758669a16fe0f1ae..deaaba33a50f9981729e08e219c3aec98434e3b9 100644
--- a/components/gcm_driver/crypto/gcm_message_cryptographer.cc
+++ b/components/gcm_driver/crypto/gcm_message_cryptographer.cc
@@ -51,12 +51,18 @@ class WebPushEncryptionDraft03
 
   // GCMMessageCryptographer::EncryptionScheme implementation.
   std::string DerivePseudoRandomKey(
+      const base::StringPiece& /* recipient_public_key */,
+      const base::StringPiece& /* sender_public_key */,
       const base::StringPiece& ecdh_shared_secret,
       const base::StringPiece& auth_secret) override {
-    std::stringstream info_stream;
-    info_stream << "Content-Encoding: auth" << '\x00';
+    const char kInfo[] = "Content-Encoding: auth";

[eroman, 2017/05/22 18:49:48]

What about adding \0 at the end of the literal? I think the array will still be
initialized properly.

[Peter Beverloo, 2017/05/23 18:17:11]

Updated this to use sizeof() here:
https://codereview.chromium.org/2901923002/

+
+    std::string info;
+    info.reserve(sizeof(kInfo) + 1);
+    info.append(kInfo);
+    info.append(1, '\0');
 
-    crypto::HKDF hkdf(ecdh_shared_secret, auth_secret, info_stream.str(),
+    crypto::HKDF hkdf(ecdh_shared_secret, auth_secret, info,
                       32, /* key_bytes_to_generate */
                       0,  /* iv_bytes_to_generate */
                       0 /* subkey_secret_bytes_to_generate */);
@@ -123,6 +129,19 @@ class WebPushEncryptionDraft03
     return record;
   }
 
+  // The |ciphertext| must be at least of size kAuthenticationTagBytes with two
+  // padding bytes, which is the case for an empty message with zero padding.
+  // The |record_size| must be large enough to use only one record.
+  // https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-03#section-2
+  bool ValidateCiphertextSize(size_t ciphertext_size,
+                              size_t record_size) override {
+    return ciphertext_size >=
+               sizeof(uint16_t) +
+                   GCMMessageCryptographer::kAuthenticationTagBytes &&
+           ciphertext_size <=
+               record_size + GCMMessageCryptographer::kAuthenticationTagBytes;
+  }
+
   // The record padding in draft-ietf-webpush-encryption-03 is included at the
   // beginning of the record. The first two bytes indicate the length of the
   // padding. All padding bytes immediately follow, and must be set to zero.
@@ -157,6 +176,118 @@ class WebPushEncryptionDraft03
   DISALLOW_COPY_AND_ASSIGN(WebPushEncryptionDraft03);
 };
 
+// Implementation of draft 08 of the Web Push Encryption standard:
+// https://tools.ietf.org/html/draft-ietf-webpush-encryption-08
+// https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-07
+class WebPushEncryptionDraft08
+    : public GCMMessageCryptographer::EncryptionScheme {
+ public:
+  WebPushEncryptionDraft08() = default;
+  ~WebPushEncryptionDraft08() override = default;
+
+  // GCMMessageCryptographer::EncryptionScheme implementation.
+  std::string DerivePseudoRandomKey(
+      const base::StringPiece& recipient_public_key,
+      const base::StringPiece& sender_public_key,
+      const base::StringPiece& ecdh_shared_secret,
+      const base::StringPiece& auth_secret) override {
+    DCHECK_EQ(recipient_public_key.size(), 65u);
+    DCHECK_EQ(sender_public_key.size(), 65u);
+
+    const char kInfo[] = "WebPush: info";

[eroman, 2017/05/22 18:49:48]

Same comment here, assuming it works.

+
+    std::string info;
+    info.reserve(sizeof(kInfo) + 1 + 65 + 65);
+    info.append(kInfo);
+    info.append(1, '\0');
+
+    recipient_public_key.AppendToString(&info);
+    sender_public_key.AppendToString(&info);
+
+    crypto::HKDF hkdf(ecdh_shared_secret, auth_secret, info,
+                      32, /* key_bytes_to_generate */
+                      0,  /* iv_bytes_to_generate */
+                      0 /* subkey_secret_bytes_to_generate */);
+
+    return hkdf.client_write_key().as_string();
+  }
+
+  // The info string used for generating the content encryption key and the
+  // nonce was simplified in draft-ietf-webpush-encryption-08, because the
+  // public keys of both the recipient and the sender are now in the PRK.
+  std::string GenerateInfoForContentEncoding(
+      EncodingType type,
+      const base::StringPiece& /* recipient_public_key */,
+      const base::StringPiece& /* sender_public_key */) override {
+    std::stringstream info_stream;
+    info_stream << "Content-Encoding: ";
+
+    switch (type) {
+      case EncodingType::CONTENT_ENCRYPTION_KEY:
+        info_stream << "aes128gcm";
+        break;
+      case EncodingType::NONCE:
+        info_stream << "nonce";
+        break;
+    }
+
+    info_stream << '\x00';
+    return info_stream.str();
+  }
+
+  // draft-ietf-webpush-encryption-08 defines that the padding follows the
+  // plaintext of a message. A delimiter byte (0x02 for the final record) will
+  // be added, and then zero or more bytes of padding.
+  //
+  // TODO(peter): Add support for message padding if the GCMMessageCryptographer
+  // starts encrypting payloads for reasons other than testing.
+  std::string CreateRecord(const base::StringPiece& plaintext) override {
+    std::string record;
+    record.reserve(plaintext.size() + sizeof(uint8_t));
+    plaintext.AppendToString(&record);
+
+    record.append(sizeof(uint8_t), '\x02');
+    return record;
+  }
+
+  // The |ciphertext| must be at least of size kAuthenticationTagBytes with one
+  // padding delimiter, which is the case for an empty message with minimal
+  // padding. The |record_size| must be large enough to use only one record.
+  // https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-08#section-2
+  bool ValidateCiphertextSize(size_t ciphertext_size,
+                              size_t record_size) override {
+    return ciphertext_size >=
+               sizeof(uint8_t) +
+                   GCMMessageCryptographer::kAuthenticationTagBytes &&
+           ciphertext_size <=
+               record_size + GCMMessageCryptographer::kAuthenticationTagBytes;
+  }
+
+  // The record padding in draft-ietf-webpush-encryption-08 is included at the
+  // end of the record. The length is not defined, but all padding bytes must be
+  // zero until the delimiter (0x02) is found.
+  bool ValidateAndRemovePadding(base::StringPiece& record) override {
+    DCHECK_GE(record.size(), 1u);
+
+    size_t padding_length = 1;
+    for (; padding_length <= record.size(); ++padding_length) {
+      size_t offset = record.size() - padding_length;
+
+      if (record[offset] == 0x02 /* padding delimiter octet */)
+        break;
+
+      if (record[offset] != 0x00 /* valid padding byte */)
+        return false;
+    }
+
+    record.remove_suffix(padding_length);
+    return true;
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(WebPushEncryptionDraft08);
+};
+
 }  // namespace
 
 const size_t GCMMessageCryptographer::kAuthenticationTagBytes = 16;
@@ -167,6 +298,9 @@ GCMMessageCryptographer::GCMMessageCryptographer(Version version) {
     case Version::DRAFT_03:
       encryption_scheme_ = base::MakeUnique<WebPushEncryptionDraft03>();
       return;
+    case Version::DRAFT_08:
+      encryption_scheme_ = base::MakeUnique<WebPushEncryptionDraft08>();
+      return;
   }
 
   NOTREACHED();
@@ -192,7 +326,7 @@ bool GCMMessageCryptographer::Encrypt(
   DCHECK(ciphertext);
 
   std::string prk = encryption_scheme_->DerivePseudoRandomKey(
-      ecdh_shared_secret, auth_secret);
+      recipient_public_key, sender_public_key, ecdh_shared_secret, auth_secret);
 
   std::string content_encryption_key = DeriveContentEncryptionKey(
       recipient_public_key, sender_public_key, prk, salt);
@@ -235,7 +369,7 @@ bool GCMMessageCryptographer::Decrypt(
     return false;
 
   std::string prk = encryption_scheme_->DerivePseudoRandomKey(
-      ecdh_shared_secret, auth_secret);
+      recipient_public_key, sender_public_key, ecdh_shared_secret, auth_secret);
 
   std::string content_encryption_key = DeriveContentEncryptionKey(
       recipient_public_key, sender_public_key, prk, salt);
@@ -243,12 +377,8 @@ bool GCMMessageCryptographer::Decrypt(
   std::string nonce =
       DeriveNonce(recipient_public_key, sender_public_key, prk, salt);
 
-  // The |ciphertext| must be at least of size kAuthenticationTagBytes, which
-  // is the case when an empty message with a zero padding length has been
-  // received. The |record_size| must be large enough to use only one record.
-  // https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-03#section-2
-  if (ciphertext.size() < sizeof(uint16_t) + kAuthenticationTagBytes ||
-      ciphertext.size() > record_size + kAuthenticationTagBytes) {
+  if (!encryption_scheme_->ValidateCiphertextSize(ciphertext.size(),
+                                                  record_size)) {
     return false;
   }