Chromium Code Reviews| Index: content/child/webcrypto/platform_crypto_nss.cc |
| diff --git a/content/child/webcrypto/platform_crypto_nss.cc b/content/child/webcrypto/platform_crypto_nss.cc |
| index 11c84fc87bbf17018f9c7f58fb0e8646827a4798..7020410ac35d68052376a48cd5a15462c9e34059 100644 |
| --- a/content/child/webcrypto/platform_crypto_nss.cc |
| +++ b/content/child/webcrypto/platform_crypto_nss.cc |
| @@ -277,6 +277,18 @@ class PrivateKey : public Key { |
| namespace { |
| +Status NssSupportsKeyImport(blink::WebCryptoAlgorithmId algorithm) { |
| + if (IsAlgorithmRsa(algorithm) && !NSS_VersionCheck("3.16.2")) { |
|
Ryan Sleevi
2014/06/17 19:40:07
Sadly, this isn't sufficient -_-
if (!IsAlgorithm
eroman
2014/06/17 20:00:16
Done.
|
| + // Prior to NSS 3.16.2 RSA key parameters were not validated. This is |
| + // a security problem for RSA private key import from JWK which uses a |
| + // CKA_ID based on the public modulus to retrieve the private key. |
| + return Status::ErrorUnsupported( |
| + "NSS version must be at least 3.16.2 for RSA key import. See " |
| + "http://crbug.com/380424"); |
| + } |
| + return Status::Success(); |
| +} |
| + |
| // Creates a SECItem for the data in |buffer|. This does NOT make a copy, so |
| // |buffer| should outlive the SECItem. |
| SECItem MakeSECItemForBuffer(const CryptoData& buffer) { |
| @@ -970,6 +982,10 @@ Status ImportKeySpki(const blink::WebCryptoAlgorithm& algorithm, |
| bool extractable, |
| blink::WebCryptoKeyUsageMask usage_mask, |
| blink::WebCryptoKey* key) { |
| + Status status = NssSupportsKeyImport(algorithm.id()); |
| + if (status.IsError()) |
| + return status; |
| + |
| DCHECK(key); |
| if (!key_data.byte_length()) |
| @@ -999,7 +1015,7 @@ Status ImportKeySpki(const blink::WebCryptoAlgorithm& algorithm, |
| return Status::ErrorUnexpected(); |
| scoped_ptr<PublicKey> key_handle; |
| - Status status = PublicKey::Create(sec_public_key.Pass(), &key_handle); |
| + status = PublicKey::Create(sec_public_key.Pass(), &key_handle); |
| if (status.IsError()) |
| return status; |
| @@ -1139,6 +1155,10 @@ Status ImportKeyPkcs8(const blink::WebCryptoAlgorithm& algorithm, |
| bool extractable, |
| blink::WebCryptoKeyUsageMask usage_mask, |
| blink::WebCryptoKey* key) { |
| + Status status = NssSupportsKeyImport(algorithm.id()); |
| + if (status.IsError()) |
| + return status; |
| + |
| DCHECK(key); |
| if (!key_data.byte_length()) |
| @@ -1174,8 +1194,7 @@ Status ImportKeyPkcs8(const blink::WebCryptoAlgorithm& algorithm, |
| return Status::ErrorUnexpected(); |
| scoped_ptr<PrivateKey> key_handle; |
| - Status status = |
| - PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle); |
| + status = PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle); |
| if (status.IsError()) |
| return status; |
| @@ -1669,6 +1688,10 @@ Status ImportRsaPrivateKey(const blink::WebCryptoAlgorithm& algorithm, |
| const CryptoData& exponent2, |
| const CryptoData& coefficient, |
| blink::WebCryptoKey* key) { |
| + Status status = NssSupportsKeyImport(algorithm.id()); |
| + if (status.IsError()) |
| + return status; |
| + |
| CK_OBJECT_CLASS obj_class = CKO_PRIVATE_KEY; |
| CK_KEY_TYPE key_type = CKK_RSA; |
| CK_BBOOL ck_false = CK_FALSE; |
| @@ -1750,8 +1773,7 @@ Status ImportRsaPrivateKey(const blink::WebCryptoAlgorithm& algorithm, |
| return Status::ErrorUnexpected(); |
| scoped_ptr<PrivateKey> key_handle; |
| - Status status = |
| - PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle); |
| + status = PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle); |
| if (status.IsError()) |
| return status; |
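Review bot: The comment in NssSupportsKeyImport explains the 3.16.2 floor only for RSA private key import from JWK, but the guard is also called at the top of ImportKeySpki, which handles public keys, and of ImportKeyPkcs8, so the stated rationale does not cover two of the three call sites. If gating every RSA import is deliberate, say so next to the check, e.g. `// Applied to SPKI and PKCS#8 import as well, so that no RSA key reaches NSS with unvalidated parameters.`; if only the CKA_ID-based lookup is at risk, the SPKI call could be dropped so public key import keeps working on older NSS. Any RSA import entry point outside these hunks (none is visible here) would need the same treatment to keep the policy consistent. All three import functions continue outside their hunks.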