content/child/webcrypto/platform_crypto_nss.cc - Issue 308523003: [webcrypto] Fix a bug with JWK private key import.

Side by Side Diff: content/child/webcrypto/platform_crypto_nss.cc

Issue 308523003: [webcrypto] Fix a bug with JWK private key import. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Remove some whitespace Created 6 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/child/webcrypto/platform_crypto.h"	5 #include "content/child/webcrypto/platform_crypto.h"

6	6

7 #include <cryptohi.h>	7 #include <cryptohi.h>

8 #include <pk11pub.h>	8 #include <pk11pub.h>

9 #include <secerr.h>	9 #include <secerr.h>

10 #include <sechash.h>	10 #include <sechash.h>

11	11

12 #include <vector>	12 #include <vector>

13	13

14 #include "base/lazy_instance.h"	14 #include "base/lazy_instance.h"

15 #include "base/logging.h"	15 #include "base/logging.h"

16 #include "base/memory/scoped_ptr.h"	16 #include "base/memory/scoped_ptr.h"

17 #include "content/child/webcrypto/crypto_data.h"	17 #include "content/child/webcrypto/crypto_data.h"

18 #include "content/child/webcrypto/status.h"	18 #include "content/child/webcrypto/status.h"

19 #include "content/child/webcrypto/webcrypto_util.h"	19 #include "content/child/webcrypto/webcrypto_util.h"

20 #include "crypto/nss_util.h"	20 #include "crypto/nss_util.h"

	21 #include "crypto/random.h"

21 #include "crypto/scoped_nss_types.h"	22 #include "crypto/scoped_nss_types.h"

22 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"	23 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"

23 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"	24 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"

24 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"	25 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"

25	26

26 #if defined(USE_NSS)	27 #if defined(USE_NSS)

27 #include <dlfcn.h>	28 #include <dlfcn.h>

28 #include <secoid.h>	29 #include <secoid.h>

29 #endif	30 #endif

30	31

(...skipping 1679 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1710 AddAttribute(CKA_KEY_TYPE, &key_type, sizeof(key_type), &key_template);	1711 AddAttribute(CKA_KEY_TYPE, &key_type, sizeof(key_type), &key_template);

1711 AddAttribute(CKA_TOKEN, &ck_false, sizeof(ck_false), &key_template);	1712 AddAttribute(CKA_TOKEN, &ck_false, sizeof(ck_false), &key_template);

1712 AddAttribute(CKA_SENSITIVE, &ck_false, sizeof(ck_false), &key_template);	1713 AddAttribute(CKA_SENSITIVE, &ck_false, sizeof(ck_false), &key_template);

1713 AddAttribute(CKA_PRIVATE, &ck_false, sizeof(ck_false), &key_template);	1714 AddAttribute(CKA_PRIVATE, &ck_false, sizeof(ck_false), &key_template);

1714	1715

1715 // Required properties.	1716 // Required properties.

1716 AddOptionalAttribute(CKA_MODULUS, modulus, &key_template);	1717 AddOptionalAttribute(CKA_MODULUS, modulus, &key_template);

1717 AddOptionalAttribute(CKA_PUBLIC_EXPONENT, public_exponent, &key_template);	1718 AddOptionalAttribute(CKA_PUBLIC_EXPONENT, public_exponent, &key_template);

1718 AddOptionalAttribute(CKA_PRIVATE_EXPONENT, private_exponent, &key_template);	1719 AddOptionalAttribute(CKA_PRIVATE_EXPONENT, private_exponent, &key_template);

1719	1720

	1721 // Manufacture a CKA_ID so the created key can be retrieved later as a

	1722 // SECKEYPrivateKey using FindKeyByKeyID(). Unfortunately there isn't a more

	1723 // direct way to do this in NSS.

	1724 //

	1725 // A randomly generated value is used for the ID.

	1726 //

	1727 // NSS assigns the CKA_ID to PK11_MakeIDFromPubKey() for the other key

	1728 // creation paths. However it is incorrect to try and use that as the CKA_ID

	1729 // here because:

	1730 //

	1731 // (1) CreateGenericObject does not validate its parameters. It is therefore

	1732 // possible to construct a key using the known public modulus, and all

	1733 // the other parameters are bogus. FindKeyByKeyID() returns the first

	1734 // key matching the ID. So this would effectively allow an attacker to

	1735 // retrieve a private key of there choice.
	Ryan Sleevi 2014/06/02 22:57:05 1) Please update this comment, as of NSS 3.16.2 it 1) Please update this comment, as of NSS 3.16.2 it does. 2) there -> their 3) It's entirely possible to check this, so your problem as stated does not argue the necessity of your approach. You could just as well do checking yourself by retrieving (PRIME_1, PRIME_2, EXPONENT_1, EXPONENT_2, CKA_COEFF) and seeing that they all equal the supplied (input) values if they were present. Likewise, even if they're absent, you can see if the private exponent and public exponent match what was supplied. Note that we can detect this programatically on all versions of NSS. eroman 2014/06/02 23:40:18 Done. Show quoted text On 2014/06/02 22:57:05, Ryan Sleevi wrote: > 1) Please update this comment, as of NSS 3.16.2 it does. > 2) there -> their Done. Show quoted text > 3) It's entirely possible to check this, so your problem as stated does not > argue the necessity of your approach. > > You could just as well do checking yourself by retrieving (PRIME_1, PRIME_2, > EXPONENT_1, EXPONENT_2, CKA_COEFF) and seeing that they all equal the supplied > (input) values if they were present. Likewise, even if they're absent, you can > see if the private exponent and public exponent match what was supplied. > > Note that we can detect this programatically on all versions of NSS. Checking the parameters (without validating their meaning) has a different set of problems: - Person A could import a bogus key via JWK, with modulus X. We verified that the parameters of the created key are what was passed in. - Person B tries to import a valid key with modulus X, and gets back the one created by person A. They are prevented from being able to import their key. Ryan Sleevi 2014/06/02 23:55:57 This won't succeed on Windows/Mac/ChromeOS. And we Show quoted text On 2014/06/02 23:40:18, eroman wrote: > On 2014/06/02 22:57:05, Ryan Sleevi wrote: > > 1) Please update this comment, as of NSS 3.16.2 it does. > > 2) there -> their > > Done. > > > 3) It's entirely possible to check this, so your problem as stated does not > > argue the necessity of your approach. > > > > You could just as well do checking yourself by retrieving (PRIME_1, PRIME_2, > > EXPONENT_1, EXPONENT_2, CKA_COEFF) and seeing that they all equal the supplied > > (input) values if they were present. Likewise, even if they're absent, you can > > see if the private exponent and public exponent match what was supplied. > > > > Note that we can detect this programatically on all versions of NSS. > > Checking the parameters (without validating their meaning) has a different set > of problems: > > - Person A could import a bogus key via JWK, with modulus X. We verified that > the parameters of the created key are what was passed in. This won't succeed on Windows/Mac/ChromeOS. And we can ensure it won't succeed on Linux (mod NSS 3.16.2). Show quoted text > > - Person B tries to import a valid key with modulus X, and gets back the one > created by person A. They are prevented from being able to import their key. This also is with respect to multiple origins sharing the same renderer process, which is something we try to avoid as a matter of practice (on Desktop/CrOS). This would present as a DoS bug, and the temporary risk seems low.
	1736 //

	1737 // (2) The ID space is shared by different key types. So even if parameters

	1738 // were validated by NSS, FindKeyByKeyID() could still return the wrong

	1739 // key. For instance it might return a DH key that happens to have same

	1740 // values for its public data.
	Ryan Sleevi 2014/06/02 22:57:05 Please add a note that, as explained, this is not Please add a note that, as explained, this is not an issue in practice. eroman 2014/06/02 23:40:18 Added a comment. Show quoted text On 2014/06/02 22:57:05, Ryan Sleevi wrote: > Please add a note that, as explained, this is not an issue in practice. Added a comment.
	1741 //

	1742 // (3) Even if the above two problems were non-issues, there is no guarantee

	1743 // that FindKeyByKeyID() returns the object just created. If the same

	1744 // private key were imported multiple times, with different flags, using

	1745 // the wrong one could lead to problems.
	Ryan Sleevi 2014/06/02 22:57:05 I still fail to see why (3) is an issue at all. Th I still fail to see why (3) is an issue at all. The NSS flags should be irrelevant for our operation here. If they aren't, it's a bug in our implementation. eroman 2014/06/02 23:40:18 See https://codereview.chromium.org/213423007 and Show quoted text On 2014/06/02 22:57:05, Ryan Sleevi wrote: > I still fail to see why (3) is an issue at all. The NSS flags should be > irrelevant for our operation here. If they aren't, it's a bug in our > implementation. See https://codereview.chromium.org/213423007 and https://codereview.chromium.org/269313004 for examples of where this was an issue. Ryan Sleevi 2014/06/02 23:55:57 I'm still having trouble with this. All WebCrypto Show quoted text On 2014/06/02 23:40:18, eroman wrote: > On 2014/06/02 22:57:05, Ryan Sleevi wrote: > > I still fail to see why (3) is an issue at all. The NSS flags should be > > irrelevant for our operation here. If they aren't, it's a bug in our > > implementation. > > See https://codereview.chromium.org/213423007 and > https://codereview.chromium.org/269313004 for examples of where this was an > issue. I'm still having trouble with this. All WebCrypto keys within the renderer should have the same flags. Both of those bugs seem to be issues where we weren't setting the right NSS flags, but your description is where flags(key-a) != flags (key-b)
	1746 std::vector<uint8> cka_id(20);

	1747 crypto::RandBytes(&cka_id[0], cka_id.size());

	1748 AddOptionalAttribute(CKA_ID, CryptoData(cka_id), &key_template);

	1749 SECItem object_id = MakeSECItemForBuffer(CryptoData(cka_id));

	1750

1720 // Optional properties (all of these will have been specified or none).	1751 // Optional properties (all of these will have been specified or none).

1721 AddOptionalAttribute(CKA_PRIME_1, prime1, &key_template);	1752 AddOptionalAttribute(CKA_PRIME_1, prime1, &key_template);

1722 AddOptionalAttribute(CKA_PRIME_2, prime2, &key_template);	1753 AddOptionalAttribute(CKA_PRIME_2, prime2, &key_template);

1723 AddOptionalAttribute(CKA_EXPONENT_1, exponent1, &key_template);	1754 AddOptionalAttribute(CKA_EXPONENT_1, exponent1, &key_template);

1724 AddOptionalAttribute(CKA_EXPONENT_2, exponent2, &key_template);	1755 AddOptionalAttribute(CKA_EXPONENT_2, exponent2, &key_template);

1725 AddOptionalAttribute(CKA_COEFFICIENT, coefficient, &key_template);	1756 AddOptionalAttribute(CKA_COEFFICIENT, coefficient, &key_template);

1726	1757

1727 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());	1758 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());

1728	1759

1729 ScopedPK11GenericObject key_object(PK11_CreateGenericObject(	1760 ScopedPK11GenericObject key_object(PK11_CreateGenericObject(

1730 slot.get(), &key_template[0], key_template.size(), PR_FALSE));	1761 slot.get(), &key_template[0], key_template.size(), PR_FALSE));

1731	1762

1732 if (!key_object)	1763 if (!key_object)

1733 return Status::OperationError();	1764 return Status::OperationError();

1734	1765

1735 // The ID isn't guaranteed to be set by PKCS#11. However it is by softtoken so

1736 // this should work.

1737 SECItem object_id = {};

1738 if (PK11_ReadRawAttribute(

1739 PK11_TypeGeneric, key_object.get(), CKA_ID, &object_id) != SECSuccess)

1740 return Status::OperationError();

1741

1742 crypto::ScopedSECKEYPrivateKey private_key(	1766 crypto::ScopedSECKEYPrivateKey private_key(

1743 PK11_FindKeyByKeyID(slot.get(), &object_id, NULL));	1767 PK11_FindKeyByKeyID(slot.get(), &object_id, NULL));

1744	1768

1745 SECITEM_FreeItem(&object_id, PR_FALSE);

1746

1747 if (!private_key)	1769 if (!private_key)

1748 return Status::OperationError();	1770 return Status::OperationError();

1749	1771

1750 blink::WebCryptoKeyAlgorithm key_algorithm;	1772 blink::WebCryptoKeyAlgorithm key_algorithm;

1751 if (!CreatePrivateKeyAlgorithm(algorithm, private_key.get(), &key_algorithm))	1773 if (!CreatePrivateKeyAlgorithm(algorithm, private_key.get(), &key_algorithm))

1752 return Status::ErrorUnexpected();	1774 return Status::ErrorUnexpected();

1753	1775

1754 scoped_ptr<PrivateKey> key_handle;	1776 scoped_ptr<PrivateKey> key_handle;

1755 Status status =	1777 Status status =

1756 PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle);	1778 PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle);

(...skipping 106 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1863 buffer->assign(key_data->data, key_data->data + key_data->len);	1885 buffer->assign(key_data->data, key_data->data + key_data->len);

1864	1886

1865 return Status::Success();	1887 return Status::Success();

1866 }	1888 }

1867	1889

1868 } // namespace platform	1890 } // namespace platform

1869	1891

1870 } // namespace webcrypto	1892 } // namespace webcrypto

1871	1893

1872 } // namespace content	1894 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | content/child/webcrypto/shared_crypto_unittest.cc » ('j') | no next file with comments »