Add support for RSA-OAEP when using NSS 3.16.2 or later

content/child/webcrypto/platform_crypto_nss.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/child/webcrypto/platform_crypto.h"
 
 #include <cryptohi.h>
 #include <pk11pub.h>
 #include <secerr.h>
 #include <sechash.h>
@@ skipping 42 matching lines @@
 
 struct CK_GCM_PARAMS {
   CK_BYTE_PTR pIv;
   CK_ULONG ulIvLen;
   CK_BYTE_PTR pAAD;
   CK_ULONG ulAADLen;
   CK_ULONG ulTagBits;
 };
 #endif  // !defined(CKM_AES_GCM)
 
+namespace {
+
 // Signature for PK11_Encrypt and PK11_Decrypt.
 typedef SECStatus (*PK11_EncryptDecryptFunction)(PK11SymKey*,
                                                  CK_MECHANISM_TYPE,
                                                  SECItem*,
                                                  unsigned char*,
                                                  unsigned int*,
                                                  unsigned int,
                                                  const unsigned char*,
                                                  unsigned int);
 
+// Signature for PK11_PubEncrypt
+typedef SECStatus (*PK11_PubEncryptFunction)(SECKEYPublicKey*,
+                                             CK_MECHANISM_TYPE,
+                                             SECItem*,
+                                             unsigned char*,
+                                             unsigned int*,
+                                             unsigned int,
+                                             const unsigned char*,
+                                             unsigned int);
+
+// Signature for PK11_PubDecrypt
+typedef SECStatus (*PK11_PubDecryptFunction)(SECKEYPrivateKey*,
+                                             CK_MECHANISM_TYPE,
+                                             SECItem*,
+                                             unsigned char*,
+                                             unsigned int*,
+                                             unsigned int,
+                                             const unsigned char*,
+                                             unsigned int);
+
 // Singleton to abstract away dynamically loading libnss3.so
-class AesGcmSupport {
+class NssRuntimeSupport {
  public:
-  bool IsSupported() const { return pk11_encrypt_func_ && pk11_decrypt_func_; }
+  bool IsAesGcmSupported() const {
+    return pk11_encrypt_func_ && pk11_decrypt_func_;
+  }
+
+  bool IsRsaOaepSupported() const {
+    return pk11_pub_encrypt_func_ && pk11_pub_decrypt_func_;
+  }

[Ryan Sleevi, 2014/05/14 01:26:00]

Note: For both the AES-GCM case and the RSA-OAEP, the fact that NSS's pk11wrap
layer supports the functions is not an intrinsic guarantee that it will be
linked against a softoken that supports the CK_MECHANISM_TYPEs.

The distinction is that it will likely be treated as an OperationError, rather
than a ErrorUnsupported().

This only really matters for distros that do horrible things (read: FIPS), so
I'm not too worried - just FYI.

 
   // Returns NULL if unsupported.
   PK11_EncryptDecryptFunction pk11_encrypt_func() const {
     return pk11_encrypt_func_;
   }
 
   // Returns NULL if unsupported.
   PK11_EncryptDecryptFunction pk11_decrypt_func() const {
     return pk11_decrypt_func_;
   }
 
+  // Returns NULL if unsupported.
+  PK11_PubEncryptFunction pk11_pub_encrypt_func() const {
+    return pk11_pub_encrypt_func_;
+  }
+
+  // Returns NULL if unsupported.
+  PK11_PubDecryptFunction pk11_pub_decrypt_func() const {
+    return pk11_pub_decrypt_func_;
+  }
+
  private:
-  friend struct base::DefaultLazyInstanceTraits<AesGcmSupport>;
+  friend struct base::DefaultLazyInstanceTraits<NssRuntimeSupport>;
 
-  AesGcmSupport() {
+  NssRuntimeSupport() {
 #if !defined(USE_NSS)
     // Using a bundled version of NSS that is guaranteed to have this symbol.
     pk11_encrypt_func_ = PK11_Encrypt;
     pk11_decrypt_func_ = PK11_Decrypt;
+    pk11_pub_encrypt_func_ = PK11_PubEncrypt;
+    pk11_pub_decrypt_func_ = PK11_PubDecrypt;
 #else
     // Using system NSS libraries and PCKS #11 modules, which may not have the
     // necessary function (PK11_Encrypt) or mechanism support (CKM_AES_GCM).
 
     // If PK11_Encrypt() was successfully resolved, then NSS will support
     // AES-GCM directly. This was introduced in NSS 3.15.
     pk11_encrypt_func_ = reinterpret_cast<PK11_EncryptDecryptFunction>(
         dlsym(RTLD_DEFAULT, "PK11_Encrypt"));
     pk11_decrypt_func_ = reinterpret_cast<PK11_EncryptDecryptFunction>(
         dlsym(RTLD_DEFAULT, "PK11_Decrypt"));
+    pk11_pub_encrypt_func_ = reinterpret_cast<PK11_PubEncryptFunction>(
+        dlsym(RTLD_DEFAULT, "PK11_PubEncrypt"));
+    pk11_pub_decrypt_func_ = reinterpret_cast<PK11_PubDecryptFunction>(
+        dlsym(RTLD_DEFAULT, "PK11_PubDecrypt"));
 #endif
   }
 
   PK11_EncryptDecryptFunction pk11_encrypt_func_;
   PK11_EncryptDecryptFunction pk11_decrypt_func_;
+  PK11_PubEncryptFunction pk11_pub_encrypt_func_;
+  PK11_PubDecryptFunction pk11_pub_decrypt_func_;
 };
 
-base::LazyInstance<AesGcmSupport>::Leaky g_aes_gcm_support =
+base::LazyInstance<NssRuntimeSupport>::Leaky g_nss_runtime_support =
     LAZY_INSTANCE_INITIALIZER;
 
+}  // namespace
+
 namespace content {
 
 namespace webcrypto {
 
 namespace platform {
 
 // Each key maintains a copy of its serialized form
 // in either 'raw', 'pkcs8', or 'spki' format. This is to allow
 // structured cloning of keys synchronously from the target Blink
 // thread without having to lock access to the key.
@@ skipping 127 matching lines @@
     case blink::WebCryptoAlgorithmIdSha384:
       return CKM_SHA384_HMAC;
     case blink::WebCryptoAlgorithmIdSha512:
       return CKM_SHA512_HMAC;
     default:
       // Not a supported algorithm.
       return CKM_INVALID_MECHANISM;
   }
 }
 
+CK_MECHANISM_TYPE WebCryptoHashToDigestMechanism(
+    const blink::WebCryptoAlgorithm& algorithm) {
+  switch (algorithm.id()) {
+    case blink::WebCryptoAlgorithmIdSha1:
+      return CKM_SHA_1;
+    case blink::WebCryptoAlgorithmIdSha256:
+      return CKM_SHA256;
+    case blink::WebCryptoAlgorithmIdSha384:
+      return CKM_SHA384;
+    case blink::WebCryptoAlgorithmIdSha512:
+      return CKM_SHA512;
+    default:
+      // Not a supported algorithm.
+      return CKM_INVALID_MECHANISM;
+  }
+}
+
+CK_MECHANISM_TYPE WebCryptoHashToMGFMechanism(
+    const blink::WebCryptoAlgorithm& algorithm) {
+  switch (algorithm.id()) {
+    case blink::WebCryptoAlgorithmIdSha1:
+      return CKG_MGF1_SHA1;
+    case blink::WebCryptoAlgorithmIdSha256:
+      return CKG_MGF1_SHA256;
+    case blink::WebCryptoAlgorithmIdSha384:
+      return CKG_MGF1_SHA384;
+    case blink::WebCryptoAlgorithmIdSha512:
+      return CKG_MGF1_SHA512;
+    default:
+      return CKM_INVALID_MECHANISM;
+  }
+}
+
+void InitializeRsaOaepParams(const blink::WebCryptoAlgorithm& hash,
+                             const CryptoData& label,
+                             CK_RSA_PKCS_OAEP_PARAMS* oaep_params) {
+  oaep_params->source = CKZ_DATA_SPECIFIED;
+  oaep_params->pSourceData = const_cast<unsigned char*>(label.bytes());
+  oaep_params->ulSourceDataLen = label.byte_length();
+  oaep_params->mgf = WebCryptoHashToMGFMechanism(hash);

[eroman, 2014/05/14 01:50:47]

What is the consequence of failure for WebCryptoHashToMGFMechanism()? Does
passing CK_INVALID_MECHANISM do anything weird, should it be checked for and
return failure?

[Ryan Sleevi, 2014/05/14 06:09:57]

Officially: "It depends".
Practically: No

PKCS#11 is underspecified in this regard, but given that it's meant to be
extensible (in terms of CKG_MGF1 functions and CKM_* digest functions). A
"well-behaved" token is meant to handle these gracefully. Softoken is a
"well-behaved" token.

+  oaep_params->hashAlg = WebCryptoHashToDigestMechanism(hash);

[eroman, 2014/05/14 01:50:47]

Same question above, for the sake of future proofing.

+}
+
 Status AesCbcEncryptDecrypt(EncryptOrDecrypt mode,
                             SymKey* key,
                             const CryptoData& iv,
                             const CryptoData& data,
                             std::vector<uint8>* buffer) {
   CK_ATTRIBUTE_TYPE operation = (mode == ENCRYPT) ? CKA_ENCRYPT : CKA_DECRYPT;
 
   SECItem iv_item = MakeSECItemForBuffer(iv);
 
   crypto::ScopedSECItem param(PK11_ParamFromIV(CKM_AES_CBC_PAD, &iv_item));
@@ skipping 57 matching lines @@
 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is
 // the concatenation of the ciphertext and the authentication tag. Similarly,
 // this is the expectation for the input to decryption.
 Status AesGcmEncryptDecrypt(EncryptOrDecrypt mode,
                             SymKey* key,
                             const CryptoData& data,
                             const CryptoData& iv,
                             const CryptoData& additional_data,
                             unsigned int tag_length_bits,
                             std::vector<uint8>* buffer) {
-  if (!g_aes_gcm_support.Get().IsSupported())
+  if (!g_nss_runtime_support.Get().IsAesGcmSupported())
     return Status::ErrorUnsupported();
 
   unsigned int tag_length_bytes = tag_length_bits / 8;
 
   CK_GCM_PARAMS gcm_params = {0};
   gcm_params.pIv = const_cast<unsigned char*>(iv.bytes());
   gcm_params.ulIvLen = iv.byte_length();
 
   gcm_params.pAAD = const_cast<unsigned char*>(additional_data.bytes());
   gcm_params.ulAADLen = additional_data.byte_length();
@@ skipping 25 matching lines @@
     // From the analysis of that bug it looks like it might be safe to pass a
     // correctly sized buffer but lie about its size. Since resizing the
     // WebCryptoArrayBuffer is expensive that hack may be worth looking into.
     buffer_size = data.byte_length();
   }
 
   buffer->resize(buffer_size);
   unsigned char* buffer_data = Uint8VectorStart(buffer);
 
   PK11_EncryptDecryptFunction func =
-      (mode == ENCRYPT) ? g_aes_gcm_support.Get().pk11_encrypt_func()
-                        : g_aes_gcm_support.Get().pk11_decrypt_func();
+      (mode == ENCRYPT) ? g_nss_runtime_support.Get().pk11_encrypt_func()
+                        : g_nss_runtime_support.Get().pk11_decrypt_func();
 
   unsigned int output_len = 0;
   SECStatus result = func(key->key(),
                           CKM_AES_GCM,
                           &param,
                           buffer_data,
                           &output_len,
                           buffer->size(),
                           data.bytes(),
                           data.byte_length());
@@ skipping 117 matching lines @@
       *mechanism = CKM_AES_CBC;
       *flags = CKF_ENCRYPT | CKF_DECRYPT;
       break;
     }
     case blink::WebCryptoAlgorithmIdAesKw: {
       *mechanism = CKM_NSS_AES_KEY_WRAP;
       *flags = CKF_WRAP | CKF_WRAP;
       break;
     }
     case blink::WebCryptoAlgorithmIdAesGcm: {
-      if (!g_aes_gcm_support.Get().IsSupported())
+      if (!g_nss_runtime_support.Get().IsAesGcmSupported())
         return Status::ErrorUnsupported();
       *mechanism = CKM_AES_GCM;
       *flags = CKF_ENCRYPT | CKF_DECRYPT;
       break;
     }
     default:
       return Status::ErrorUnsupported();
   }
   return Status::Success();
 }
@@ skipping 633 matching lines @@
                             const_cast<unsigned char*>(data.bytes()),
                             data.byte_length()) != SECSuccess) {
     return Status::OperationError();
   }
   DCHECK_LE(output_length_bytes, max_output_length_bytes);
   buffer->resize(output_length_bytes);
   return Status::Success();
 }
 
 // -----------------------------------
+// RsaOaep
+// -----------------------------------
+Status EncryptRsaOaep(PublicKey* key,

[eroman, 2014/05/14 01:50:47]

nit: for consistency add a new line after ------------

+                      const blink::WebCryptoAlgorithm& hash,
+                      const CryptoData& label,
+                      const CryptoData& data,
+                      std::vector<uint8>* buffer) {
+  if (!g_nss_runtime_support.Get().IsRsaOaepSupported())
+    return Status::ErrorUnsupported();
+
+  CK_RSA_PKCS_OAEP_PARAMS oaep_params = {0};
+  InitializeRsaOaepParams(hash, label, &oaep_params);
+

[padolph, 2014/05/14 02:00:03]

Do we need to check the length of the input |data|? RSA-OAEP has a limit on the
length data is can encrypt, involving the modulus length and hash block size. Or
are you depending on NSS to do that check?

+  SECItem param;
+  param.type = siBuffer;
+  param.data = reinterpret_cast<unsigned char*>(&oaep_params);
+  param.len = sizeof(oaep_params);
+
+  buffer->resize(SECKEY_PublicKeyStrength(key->key()));
+  unsigned char* buffer_data = Uint8VectorStart(buffer);
+  unsigned int output_len;
+  if (g_nss_runtime_support.Get().pk11_pub_encrypt_func()(
+          key->key(),
+          CKM_RSA_PKCS_OAEP,
+          &param,
+          buffer_data,
+          &output_len,
+          buffer->size(),
+          data.bytes(),
+          data.byte_length() != SECSuccess)) {
+    return Status::OperationError();
+  }
+
+  DCHECK_LE(output_len, buffer->size());
+  buffer->resize(output_len);
+  return Status::Success();
+}
+
+Status DecryptRsaOaep(PrivateKey* key,
+                      const blink::WebCryptoAlgorithm& hash,
+                      const CryptoData& label,
+                      const CryptoData& data,
+                      std::vector<uint8>* buffer) {
+  if (!g_nss_runtime_support.Get().IsRsaOaepSupported())

[eroman, 2014/05/14 01:50:47]

We might consider failing with ErrorUnsupported during key creation as well.

[Ryan Sleevi, 2014/05/14 02:34:30]

Good point.

+    return Status::ErrorUnsupported();
+
+  CK_RSA_PKCS_OAEP_PARAMS oaep_params = {0};
+  InitializeRsaOaepParams(hash, label, &oaep_params);
+
+  SECItem param;
+  param.type = siBuffer;
+  param.data = reinterpret_cast<unsigned char*>(&oaep_params);
+  param.len = sizeof(oaep_params);
+
+  const int modulus_length_bytes = PK11_GetPrivateModulusLen(key->key());
+  if (modulus_length_bytes <= 0)
+    return Status::ErrorUnexpected();
+
+  buffer->resize(modulus_length_bytes);
+
+  unsigned char* buffer_data = Uint8VectorStart(buffer);
+  unsigned int output_len;
+  if (g_nss_runtime_support.Get().pk11_pub_decrypt_func()(
+          key->key(),
+          CKM_RSA_PKCS_OAEP,
+          &param,
+          buffer_data,
+          &output_len,
+          buffer->size(),
+          data.bytes(),
+          data.byte_length() != SECSuccess)) {
+    return Status::OperationError();
+  }
+
+  DCHECK_LE(output_len, buffer->size());
+  buffer->resize(output_len);
+  return Status::Success();
+}
+
+// -----------------------------------
 // RsaSsaPkcs1v1_5
 // -----------------------------------
 
 Status SignRsaSsaPkcs1v1_5(PrivateKey* key,
                            const blink::WebCryptoAlgorithm& hash,
                            const CryptoData& data,
                            std::vector<uint8>* buffer) {
   // Pick the NSS signing algorithm by combining RSA-SSA (RSA PKCS1) and the
   // inner hash of the input Web Crypto algorithm.
   SECOidTag sign_alg_tag;
@@ skipping 486 matching lines @@
                                      key_algorithm,
                                      usage_mask);
   return Status::Success();
 }
 
 }  // namespace platform
 
 }  // namespace webcrypto
 
 }  // namespace content