Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(146)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/child/webcrypto/nss/hmac_nss.cc

Issue 379383002: Refactor WebCrypto code (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Put JWK rsa parameters into a struct Created 6 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « content/child/webcrypto/nss/aes_kw_nss.cc ('k') | content/child/webcrypto/nss/key_nss.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cryptohi.h>
6 #include <pk11pub.h>
7 #include <secerr.h>
8 #include <sechash.h>
9
10 #include "base/logging.h"
11 #include "content/child/webcrypto/crypto_data.h"
12 #include "content/child/webcrypto/jwk.h"
13 #include "content/child/webcrypto/nss/key_nss.h"
14 #include "content/child/webcrypto/nss/sym_key_nss.h"
15 #include "content/child/webcrypto/nss/util_nss.h"
16 #include "content/child/webcrypto/status.h"
17 #include "content/child/webcrypto/webcrypto_util.h"
18 #include "crypto/secure_util.h"
19 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
20 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
21
22 namespace content {
23
24 namespace webcrypto {
25
26 namespace {
27
28 const blink::WebCryptoKeyUsageMask kAllKeyUsages =
29 blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify;
30
31 bool WebCryptoHashToHMACMechanism(const blink::WebCryptoAlgorithm& algorithm,
32 CK_MECHANISM_TYPE* mechanism) {
33 switch (algorithm.id()) {
34 case blink::WebCryptoAlgorithmIdSha1:
35 *mechanism = CKM_SHA_1_HMAC;
36 return true;
37 case blink::WebCryptoAlgorithmIdSha256:
38 *mechanism = CKM_SHA256_HMAC;
39 return true;
40 case blink::WebCryptoAlgorithmIdSha384:
41 *mechanism = CKM_SHA384_HMAC;
42 return true;
43 case blink::WebCryptoAlgorithmIdSha512:
44 *mechanism = CKM_SHA512_HMAC;
45 return true;
46 default:
47 return false;
48 }
49 }
50
51 const char* GetJwkHmacAlgorithmName(blink::WebCryptoAlgorithmId hash) {
52 switch (hash) {
53 case blink::WebCryptoAlgorithmIdSha1:
54 return "HS1";
55 case blink::WebCryptoAlgorithmIdSha256:
56 return "HS256";
57 case blink::WebCryptoAlgorithmIdSha384:
58 return "HS384";
59 case blink::WebCryptoAlgorithmIdSha512:
60 return "HS512";
61 default:
62 return NULL;
63 }
64 }
65
66 bool ShaBlockSizeBits(blink::WebCryptoAlgorithmId hash_id, unsigned int* bits) {
67 switch (hash_id) {
68 case blink::WebCryptoAlgorithmIdSha1:
69 case blink::WebCryptoAlgorithmIdSha256:
70 *bits = 512;
71 return true;
72 case blink::WebCryptoAlgorithmIdSha384:
73 case blink::WebCryptoAlgorithmIdSha512:
74 *bits = 1024;
75 return true;
76 default:
77 return false;
78 }
79 }
80
81 class HmacImplementation : public AlgorithmImplementation {
82 public:
83 HmacImplementation() {}
84
85 virtual Status GenerateSecretKey(const blink::WebCryptoAlgorithm& algorithm,
86 bool extractable,
87 blink::WebCryptoKeyUsageMask usage_mask,
88 blink::WebCryptoKey* key) const OVERRIDE {
89 const blink::WebCryptoHmacKeyGenParams* params =
90 algorithm.hmacKeyGenParams();
91
92 const blink::WebCryptoAlgorithm& hash = params->hash();
93 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
94 if (!WebCryptoHashToHMACMechanism(hash, &mechanism))
95 return Status::ErrorUnsupported();
96
97 unsigned int keylen_bits = 0;
98
99 if (params->hasLengthBits()) {
100 if (params->optionalLengthBits() % 8)
101 return Status::ErrorGenerateKeyLength();
102 keylen_bits = params->optionalLengthBits();
103 } else if (!ShaBlockSizeBits(params->hash().id(), &keylen_bits)) {
104 return Status::ErrorUnsupported();
105 }
106
107 // TODO(eroman): NSS fails when generating a zero-length secret key.
108 if (keylen_bits == 0)
109 return Status::ErrorGenerateKeyLength();
110
111 return GenerateSecretKeyNss(
112 blink::WebCryptoKeyAlgorithm::createHmac(hash.id(), keylen_bits),
113 extractable,
114 usage_mask,
115 keylen_bits / 8,
116 mechanism,
117 key);
118 }
119
120 virtual Status VerifyKeyUsagesBeforeImportKey(
121 blink::WebCryptoKeyFormat format,
122 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE {
123 if (format != blink::WebCryptoKeyFormatRaw &&
124 format != blink::WebCryptoKeyFormatJwk)
125 return Status::ErrorUnsupportedImportKeyFormat();
126
127 if (!ContainsKeyUsages(kAllKeyUsages, usage_mask))
128 return Status::ErrorCreateKeyBadUsages();
129
130 return Status::Success();
131 }
132
133 virtual Status VerifyKeyUsagesBeforeGenerateKey(
134 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE {
135 if (!ContainsKeyUsages(kAllKeyUsages, usage_mask))
136 return Status::ErrorCreateKeyBadUsages();
137
138 return Status::Success();
139 }
140
141 virtual Status ImportKeyRaw(const CryptoData& key_data,
142 const blink::WebCryptoAlgorithm& algorithm,
143 bool extractable,
144 blink::WebCryptoKeyUsageMask usage_mask,
145 blink::WebCryptoKey* key) const OVERRIDE {
146 const blink::WebCryptoAlgorithm& hash =
147 algorithm.hmacImportParams()->hash();
148
149 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
150 if (!WebCryptoHashToHMACMechanism(hash, &mechanism))
151 return Status::ErrorUnsupported();
152
153 // TODO(eroman): check for overflow.
154 unsigned int keylen_bits = key_data.byte_length() * 8;
155 return ImportKeyRawNss(
156 key_data,
157 blink::WebCryptoKeyAlgorithm::createHmac(hash.id(), keylen_bits),
158 extractable,
159 usage_mask,
160 mechanism,
161 CKF_SIGN | CKF_VERIFY,
162 key);
163 }
164
165 virtual Status ImportKeyJwk(const CryptoData& key_data,
166 const blink::WebCryptoAlgorithm& algorithm,
167 bool extractable,
168 blink::WebCryptoKeyUsageMask usage_mask,
169 blink::WebCryptoKey* key) const OVERRIDE {
170 const char* algorithm_name =
171 GetJwkHmacAlgorithmName(algorithm.hmacImportParams()->hash().id());
172 if (!algorithm_name)
173 return Status::ErrorUnexpected();
174
175 std::vector<uint8> raw_data;
176 Status status = ReadSecretKeyJwk(
177 key_data, algorithm_name, extractable, usage_mask, &raw_data, NULL);
178 if (status.IsError())
179 return status;
180
181 return ImportKeyRaw(
182 CryptoData(raw_data), algorithm, extractable, usage_mask, key);
183 }
184
185 virtual Status ExportKeyRaw(const blink::WebCryptoKey& key,
186 std::vector<uint8>* buffer) const OVERRIDE {
187 *buffer = SymKeyNss::Cast(key)->raw_key_data();
188 return Status::Success();
189 }
190
191 virtual Status ExportKeyJwk(const blink::WebCryptoKey& key,
192 std::vector<uint8>* buffer) const OVERRIDE {
193 SymKeyNss* sym_key = SymKeyNss::Cast(key);
194 const std::vector<uint8>& raw_data = sym_key->raw_key_data();
195
196 const char* algorithm_name =
197 GetJwkHmacAlgorithmName(key.algorithm().hmacParams()->hash().id());
198 if (!algorithm_name)
199 return Status::ErrorUnexpected();
200
201 WriteSecretKeyJwk(CryptoData(raw_data),
202 algorithm_name,
203 key.extractable(),
204 key.usages(),
205 buffer);
206
207 return Status::Success();
208 }
209
210 virtual Status Sign(const blink::WebCryptoAlgorithm& algorithm,
211 const blink::WebCryptoKey& key,
212 const CryptoData& data,
213 std::vector<uint8>* buffer) const OVERRIDE {
214 const blink::WebCryptoAlgorithm& hash =
215 key.algorithm().hmacParams()->hash();
216 PK11SymKey* sym_key = SymKeyNss::Cast(key)->key();
217
218 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
219 if (!WebCryptoHashToHMACMechanism(hash, &mechanism))
220 return Status::ErrorUnexpected();
221
222 SECItem param_item = {siBuffer, NULL, 0};
223 SECItem data_item = MakeSECItemForBuffer(data);
224 // First call is to figure out the length.
225 SECItem signature_item = {siBuffer, NULL, 0};
226
227 if (PK11_SignWithSymKey(
228 sym_key, mechanism, &param_item, &signature_item, &data_item) !=
229 SECSuccess) {
230 return Status::OperationError();
231 }
232
233 DCHECK_NE(0u, signature_item.len);
234
235 buffer->resize(signature_item.len);
236 signature_item.data = Uint8VectorStart(buffer);
237
238 if (PK11_SignWithSymKey(
239 sym_key, mechanism, &param_item, &signature_item, &data_item) !=
240 SECSuccess) {
241 return Status::OperationError();
242 }
243
244 DCHECK_EQ(buffer->size(), signature_item.len);
245 return Status::Success();
246 }
247
248 virtual Status Verify(const blink::WebCryptoAlgorithm& algorithm,
249 const blink::WebCryptoKey& key,
250 const CryptoData& signature,
251 const CryptoData& data,
252 bool* signature_match) const OVERRIDE {
253 std::vector<uint8> result;
254 Status status = Sign(algorithm, key, data, &result);
255
256 if (status.IsError())
257 return status;
258
259 // Do not allow verification of truncated MACs.
260 *signature_match = result.size() == signature.byte_length() &&
261 crypto::SecureMemEqual(Uint8VectorStart(result),
262 signature.bytes(),
263 signature.byte_length());
264
265 return Status::Success();
266 }
267 };
268
269 } // namespace
270
271 AlgorithmImplementation* CreatePlatformHmacImplementation() {
272 return new HmacImplementation;
273 }
274
275 } // namespace webcrypto
276
277 } // namespace content
OLDNEW
« no previous file with comments | « content/child/webcrypto/nss/aes_kw_nss.cc ('k') | content/child/webcrypto/nss/key_nss.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698