Index: content/child/webcrypto/platform_crypto_nss.cc |
diff --git a/content/child/webcrypto/platform_crypto_nss.cc b/content/child/webcrypto/platform_crypto_nss.cc |
index 11c84fc87bbf17018f9c7f58fb0e8646827a4798..7020410ac35d68052376a48cd5a15462c9e34059 100644 |
--- a/content/child/webcrypto/platform_crypto_nss.cc |
+++ b/content/child/webcrypto/platform_crypto_nss.cc |
@@ -277,6 +277,18 @@ class PrivateKey : public Key { |
namespace { |
+Status NssSupportsKeyImport(blink::WebCryptoAlgorithmId algorithm) { |
+ if (IsAlgorithmRsa(algorithm) && !NSS_VersionCheck("3.16.2")) { |
Ryan Sleevi
2014/06/17 19:40:07
Sadly, this isn't sufficient -_-
if (!IsAlgorithm
eroman
2014/06/17 20:00:16
Done.
|
+ // Prior to NSS 3.16.2 RSA key parameters were not validated. This is |
+ // a security problem for RSA private key import from JWK which uses a |
+ // CKA_ID based on the public modulus to retrieve the private key. |
+ return Status::ErrorUnsupported( |
+ "NSS version must be at least 3.16.2 for RSA key import. See " |
+ "http://crbug.com/380424"); |
+ } |
+ return Status::Success(); |
+} |
+ |
// Creates a SECItem for the data in |buffer|. This does NOT make a copy, so |
// |buffer| should outlive the SECItem. |
SECItem MakeSECItemForBuffer(const CryptoData& buffer) { |
@@ -970,6 +982,10 @@ Status ImportKeySpki(const blink::WebCryptoAlgorithm& algorithm, |
bool extractable, |
blink::WebCryptoKeyUsageMask usage_mask, |
blink::WebCryptoKey* key) { |
+ Status status = NssSupportsKeyImport(algorithm.id()); |
+ if (status.IsError()) |
+ return status; |
+ |
DCHECK(key); |
if (!key_data.byte_length()) |
@@ -999,7 +1015,7 @@ Status ImportKeySpki(const blink::WebCryptoAlgorithm& algorithm, |
return Status::ErrorUnexpected(); |
scoped_ptr<PublicKey> key_handle; |
- Status status = PublicKey::Create(sec_public_key.Pass(), &key_handle); |
+ status = PublicKey::Create(sec_public_key.Pass(), &key_handle); |
if (status.IsError()) |
return status; |
@@ -1139,6 +1155,10 @@ Status ImportKeyPkcs8(const blink::WebCryptoAlgorithm& algorithm, |
bool extractable, |
blink::WebCryptoKeyUsageMask usage_mask, |
blink::WebCryptoKey* key) { |
+ Status status = NssSupportsKeyImport(algorithm.id()); |
+ if (status.IsError()) |
+ return status; |
+ |
DCHECK(key); |
if (!key_data.byte_length()) |
@@ -1174,8 +1194,7 @@ Status ImportKeyPkcs8(const blink::WebCryptoAlgorithm& algorithm, |
return Status::ErrorUnexpected(); |
scoped_ptr<PrivateKey> key_handle; |
- Status status = |
- PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle); |
+ status = PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle); |
if (status.IsError()) |
return status; |
@@ -1669,6 +1688,10 @@ Status ImportRsaPrivateKey(const blink::WebCryptoAlgorithm& algorithm, |
const CryptoData& exponent2, |
const CryptoData& coefficient, |
blink::WebCryptoKey* key) { |
+ Status status = NssSupportsKeyImport(algorithm.id()); |
+ if (status.IsError()) |
+ return status; |
+ |
CK_OBJECT_CLASS obj_class = CKO_PRIVATE_KEY; |
CK_KEY_TYPE key_type = CKK_RSA; |
CK_BBOOL ck_false = CK_FALSE; |
@@ -1750,8 +1773,7 @@ Status ImportRsaPrivateKey(const blink::WebCryptoAlgorithm& algorithm, |
return Status::ErrorUnexpected(); |
scoped_ptr<PrivateKey> key_handle; |
- Status status = |
- PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle); |
+ status = PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle); |
if (status.IsError()) |
return status; |