| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include <secerr.h> |
| 6 |
| 7 #include "content/child/webcrypto/crypto_data.h" |
| 8 #include "content/child/webcrypto/nss/aes_key_nss.h" |
| 9 #include "content/child/webcrypto/nss/key_nss.h" |
| 10 #include "content/child/webcrypto/nss/sym_key_nss.h" |
| 11 #include "content/child/webcrypto/nss/util_nss.h" |
| 12 #include "content/child/webcrypto/status.h" |
| 13 #include "content/child/webcrypto/webcrypto_util.h" |
| 14 #include "crypto/scoped_nss_types.h" |
| 15 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" |
| 16 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h" |
| 17 |
| 18 namespace content { |
| 19 |
| 20 namespace webcrypto { |
| 21 |
| 22 namespace { |
| 23 |
| 24 // The Default IV for AES-KW. See http://www.ietf.org/rfc/rfc3394.txt |
| 25 // Section 2.2.3.1. |
| 26 const unsigned char kAesIv[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}; |
| 27 |
| 28 // The result of unwrapping is a SymKey rather than a buffer. This is a |
| 29 // consequence of how NSS exposes AES-KW. Subsequent code can extract the value |
| 30 // of the sym key to interpret it as key bytes in another format. |
| 31 Status DoUnwrapSymKeyAesKw(const CryptoData& wrapped_key_data, |
| 32 PK11SymKey* wrapping_key, |
| 33 CK_MECHANISM_TYPE mechanism, |
| 34 CK_FLAGS flags, |
| 35 crypto::ScopedPK11SymKey* unwrapped_key) { |
| 36 DCHECK_GE(wrapped_key_data.byte_length(), 24u); |
| 37 DCHECK_EQ(wrapped_key_data.byte_length() % 8, 0u); |
| 38 |
| 39 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv))); |
| 40 crypto::ScopedSECItem param_item( |
| 41 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item)); |
| 42 if (!param_item) |
| 43 return Status::ErrorUnexpected(); |
| 44 |
| 45 SECItem cipher_text = MakeSECItemForBuffer(wrapped_key_data); |
| 46 |
| 47 // The plaintext length is always 64 bits less than the data size. |
| 48 const unsigned int plaintext_length = wrapped_key_data.byte_length() - 8; |
| 49 |
| 50 #if defined(USE_NSS) |
| 51 // Part of workaround for |
| 52 // https://bugzilla.mozilla.org/show_bug.cgi?id=981170. See the explanation |
| 53 // later in this function. |
| 54 PORT_SetError(0); |
| 55 #endif |
| 56 |
| 57 crypto::ScopedPK11SymKey new_key( |
| 58 PK11_UnwrapSymKeyWithFlags(wrapping_key, |
| 59 CKM_NSS_AES_KEY_WRAP, |
| 60 param_item.get(), |
| 61 &cipher_text, |
| 62 mechanism, |
| 63 CKA_FLAGS_ONLY, |
| 64 plaintext_length, |
| 65 flags)); |
| 66 |
| 67 // TODO(padolph): Use NSS PORT_GetError() and friends to report a more |
| 68 // accurate error, providing if doesn't leak any information to web pages |
| 69 // about other web crypto users, key details, etc. |
| 70 if (!new_key) |
| 71 return Status::OperationError(); |
| 72 |
| 73 #if defined(USE_NSS) |
| 74 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=981170 |
| 75 // which was fixed in NSS 3.16.0. |
| 76 // If unwrap fails, NSS nevertheless returns a valid-looking PK11SymKey, |
| 77 // with a reasonable length but with key data pointing to uninitialized |
| 78 // memory. |
| 79 // To understand this workaround see the fix for 981170: |
| 80 // https://hg.mozilla.org/projects/nss/rev/753bb69e543c |
| 81 if (!NSS_VersionCheck("3.16") && PORT_GetError() == SEC_ERROR_BAD_DATA) |
| 82 return Status::OperationError(); |
| 83 #endif |
| 84 |
| 85 *unwrapped_key = new_key.Pass(); |
| 86 return Status::Success(); |
| 87 } |
| 88 |
| 89 Status WrapSymKeyAesKw(PK11SymKey* key, |
| 90 PK11SymKey* wrapping_key, |
| 91 std::vector<uint8>* buffer) { |
| 92 // The data size must be at least 16 bytes and a multiple of 8 bytes. |
| 93 // RFC 3394 does not specify a maximum allowed data length, but since only |
| 94 // keys are being wrapped in this application (which are small), a reasonable |
| 95 // max limit is whatever will fit into an unsigned. For the max size test, |
| 96 // note that AES Key Wrap always adds 8 bytes to the input data size. |
| 97 const unsigned int input_length = PK11_GetKeyLength(key); |
| 98 DCHECK_GE(input_length, 16u); |
| 99 DCHECK((input_length % 8) == 0); |
| 100 if (input_length > UINT_MAX - 8) |
| 101 return Status::ErrorDataTooLarge(); |
| 102 |
| 103 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv))); |
| 104 crypto::ScopedSECItem param_item( |
| 105 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item)); |
| 106 if (!param_item) |
| 107 return Status::ErrorUnexpected(); |
| 108 |
| 109 const unsigned int output_length = input_length + 8; |
| 110 buffer->resize(output_length); |
| 111 SECItem wrapped_key_item = MakeSECItemForBuffer(CryptoData(*buffer)); |
| 112 |
| 113 if (SECSuccess != PK11_WrapSymKey(CKM_NSS_AES_KEY_WRAP, |
| 114 param_item.get(), |
| 115 wrapping_key, |
| 116 key, |
| 117 &wrapped_key_item)) { |
| 118 return Status::OperationError(); |
| 119 } |
| 120 if (output_length != wrapped_key_item.len) |
| 121 return Status::ErrorUnexpected(); |
| 122 |
| 123 return Status::Success(); |
| 124 } |
| 125 |
| 126 class AesKwCryptoAlgorithmNss : public AesAlgorithm { |
| 127 public: |
| 128 AesKwCryptoAlgorithmNss() |
| 129 : AesAlgorithm( |
| 130 CKM_NSS_AES_KEY_WRAP, |
| 131 CKF_WRAP | CKF_WRAP, |
| 132 blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey, |
| 133 "KW") {} |
| 134 |
| 135 virtual Status Encrypt(const blink::WebCryptoAlgorithm& algorithm, |
| 136 const blink::WebCryptoKey& wrapping_key, |
| 137 const CryptoData& data, |
| 138 std::vector<uint8>* buffer) const OVERRIDE { |
| 139 if (data.byte_length() < 16) |
| 140 return Status::ErrorDataTooSmall(); |
| 141 if (data.byte_length() % 8) |
| 142 return Status::ErrorInvalidAesKwDataLength(); |
| 143 |
| 144 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must |
| 145 // be temporarily viewed as a symmetric key to be wrapped (encrypted). |
| 146 SECItem data_item = MakeSECItemForBuffer(data); |
| 147 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); |
| 148 crypto::ScopedPK11SymKey data_as_sym_key( |
| 149 PK11_ImportSymKey(slot.get(), |
| 150 CKK_GENERIC_SECRET, |
| 151 PK11_OriginUnwrap, |
| 152 CKA_SIGN, |
| 153 &data_item, |
| 154 NULL)); |
| 155 if (!data_as_sym_key) |
| 156 return Status::OperationError(); |
| 157 |
| 158 return WrapSymKeyAesKw( |
| 159 data_as_sym_key.get(), SymKeyNss::Cast(wrapping_key)->key(), buffer); |
| 160 } |
| 161 |
| 162 virtual Status Decrypt(const blink::WebCryptoAlgorithm& algorithm, |
| 163 const blink::WebCryptoKey& wrapping_key, |
| 164 const CryptoData& data, |
| 165 std::vector<uint8>* buffer) const OVERRIDE { |
| 166 if (data.byte_length() < 24) |
| 167 return Status::ErrorDataTooSmall(); |
| 168 if (data.byte_length() % 8) |
| 169 return Status::ErrorInvalidAesKwDataLength(); |
| 170 |
| 171 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must |
| 172 // be temporarily viewed as a symmetric key to be unwrapped (decrypted). |
| 173 crypto::ScopedPK11SymKey decrypted; |
| 174 Status status = DoUnwrapSymKeyAesKw(data, |
| 175 SymKeyNss::Cast(wrapping_key)->key(), |
| 176 CKK_GENERIC_SECRET, |
| 177 0, |
| 178 &decrypted); |
| 179 if (status.IsError()) |
| 180 return status; |
| 181 |
| 182 // Once the decrypt is complete, extract the resultant raw bytes from NSS |
| 183 // and return them to the caller. |
| 184 if (PK11_ExtractKeyValue(decrypted.get()) != SECSuccess) |
| 185 return Status::OperationError(); |
| 186 const SECItem* const key_data = PK11_GetKeyData(decrypted.get()); |
| 187 if (!key_data) |
| 188 return Status::OperationError(); |
| 189 buffer->assign(key_data->data, key_data->data + key_data->len); |
| 190 |
| 191 return Status::Success(); |
| 192 } |
| 193 }; |
| 194 |
| 195 } // namespace |
| 196 |
| 197 AlgorithmImplementation* CreatePlatformAesKwImplementation() { |
| 198 return new AesKwCryptoAlgorithmNss; |
| 199 } |
| 200 |
| 201 } // namespace webcrypto |
| 202 |
| 203 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
