| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include <cryptohi.h> |
| 6 #include <pk11pub.h> |
| 7 #include <secerr.h> |
| 8 #include <sechash.h> |
| 9 |
| 10 #include "base/logging.h" |
| 11 #include "content/child/webcrypto/crypto_data.h" |
| 12 #include "content/child/webcrypto/jwk.h" |
| 13 #include "content/child/webcrypto/nss/key_nss.h" |
| 14 #include "content/child/webcrypto/nss/sym_key_nss.h" |
| 15 #include "content/child/webcrypto/nss/util_nss.h" |
| 16 #include "content/child/webcrypto/status.h" |
| 17 #include "content/child/webcrypto/webcrypto_util.h" |
| 18 #include "crypto/secure_util.h" |
| 19 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" |
| 20 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h" |
| 21 |
| 22 namespace content { |
| 23 |
| 24 namespace webcrypto { |
| 25 |
| 26 namespace { |
| 27 |
| 28 const blink::WebCryptoKeyUsageMask kAllKeyUsages = |
| 29 blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify; |
| 30 |
| 31 bool WebCryptoHashToHMACMechanism(const blink::WebCryptoAlgorithm& algorithm, |
| 32 CK_MECHANISM_TYPE* mechanism) { |
| 33 switch (algorithm.id()) { |
| 34 case blink::WebCryptoAlgorithmIdSha1: |
| 35 *mechanism = CKM_SHA_1_HMAC; |
| 36 return true; |
| 37 case blink::WebCryptoAlgorithmIdSha256: |
| 38 *mechanism = CKM_SHA256_HMAC; |
| 39 return true; |
| 40 case blink::WebCryptoAlgorithmIdSha384: |
| 41 *mechanism = CKM_SHA384_HMAC; |
| 42 return true; |
| 43 case blink::WebCryptoAlgorithmIdSha512: |
| 44 *mechanism = CKM_SHA512_HMAC; |
| 45 return true; |
| 46 default: |
| 47 return false; |
| 48 } |
| 49 } |
| 50 |
| 51 class HmacImplementation : public AlgorithmImplementation { |
| 52 public: |
| 53 HmacImplementation() {} |
| 54 |
| 55 virtual Status GenerateSecretKey(const blink::WebCryptoAlgorithm& algorithm, |
| 56 bool extractable, |
| 57 blink::WebCryptoKeyUsageMask usage_mask, |
| 58 blink::WebCryptoKey* key) const OVERRIDE { |
| 59 const blink::WebCryptoHmacKeyGenParams* params = |
| 60 algorithm.hmacKeyGenParams(); |
| 61 |
| 62 const blink::WebCryptoAlgorithm& hash = params->hash(); |
| 63 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM; |
| 64 if (!WebCryptoHashToHMACMechanism(hash, &mechanism)) |
| 65 return Status::ErrorUnsupported(); |
| 66 |
| 67 unsigned int keylen_bits = 0; |
| 68 Status status = GetHmacKeyGenLengthInBits(params, &keylen_bits); |
| 69 if (status.IsError()) |
| 70 return status; |
| 71 |
| 72 return GenerateSecretKeyNss( |
| 73 blink::WebCryptoKeyAlgorithm::createHmac(hash.id(), keylen_bits), |
| 74 extractable, |
| 75 usage_mask, |
| 76 keylen_bits / 8, |
| 77 mechanism, |
| 78 key); |
| 79 } |
| 80 |
| 81 virtual Status VerifyKeyUsagesBeforeImportKey( |
| 82 blink::WebCryptoKeyFormat format, |
| 83 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { |
| 84 switch (format) { |
| 85 case blink::WebCryptoKeyFormatRaw: |
| 86 case blink::WebCryptoKeyFormatJwk: |
| 87 return CheckKeyCreationUsages(kAllKeyUsages, usage_mask); |
| 88 default: |
| 89 return Status::ErrorUnsupportedImportKeyFormat(); |
| 90 } |
| 91 } |
| 92 |
| 93 virtual Status VerifyKeyUsagesBeforeGenerateKey( |
| 94 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { |
| 95 return CheckKeyCreationUsages(kAllKeyUsages, usage_mask); |
| 96 } |
| 97 |
| 98 virtual Status ImportKeyRaw(const CryptoData& key_data, |
| 99 const blink::WebCryptoAlgorithm& algorithm, |
| 100 bool extractable, |
| 101 blink::WebCryptoKeyUsageMask usage_mask, |
| 102 blink::WebCryptoKey* key) const OVERRIDE { |
| 103 const blink::WebCryptoAlgorithm& hash = |
| 104 algorithm.hmacImportParams()->hash(); |
| 105 |
| 106 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM; |
| 107 if (!WebCryptoHashToHMACMechanism(hash, &mechanism)) |
| 108 return Status::ErrorUnsupported(); |
| 109 |
| 110 // TODO(eroman): check for overflow. |
| 111 unsigned int keylen_bits = key_data.byte_length() * 8; |
| 112 return ImportKeyRawNss( |
| 113 key_data, |
| 114 blink::WebCryptoKeyAlgorithm::createHmac(hash.id(), keylen_bits), |
| 115 extractable, |
| 116 usage_mask, |
| 117 mechanism, |
| 118 CKF_SIGN | CKF_VERIFY, |
| 119 key); |
| 120 } |
| 121 |
| 122 virtual Status ImportKeyJwk(const CryptoData& key_data, |
| 123 const blink::WebCryptoAlgorithm& algorithm, |
| 124 bool extractable, |
| 125 blink::WebCryptoKeyUsageMask usage_mask, |
| 126 blink::WebCryptoKey* key) const OVERRIDE { |
| 127 const char* algorithm_name = |
| 128 GetJwkHmacAlgorithmName(algorithm.hmacImportParams()->hash().id()); |
| 129 if (!algorithm_name) |
| 130 return Status::ErrorUnexpected(); |
| 131 |
| 132 std::vector<uint8> raw_data; |
| 133 Status status = ReadSecretKeyJwk( |
| 134 key_data, algorithm_name, extractable, usage_mask, &raw_data); |
| 135 if (status.IsError()) |
| 136 return status; |
| 137 |
| 138 return ImportKeyRaw( |
| 139 CryptoData(raw_data), algorithm, extractable, usage_mask, key); |
| 140 } |
| 141 |
| 142 virtual Status ExportKeyRaw(const blink::WebCryptoKey& key, |
| 143 std::vector<uint8>* buffer) const OVERRIDE { |
| 144 *buffer = SymKeyNss::Cast(key)->raw_key_data(); |
| 145 return Status::Success(); |
| 146 } |
| 147 |
| 148 virtual Status ExportKeyJwk(const blink::WebCryptoKey& key, |
| 149 std::vector<uint8>* buffer) const OVERRIDE { |
| 150 SymKeyNss* sym_key = SymKeyNss::Cast(key); |
| 151 const std::vector<uint8>& raw_data = sym_key->raw_key_data(); |
| 152 |
| 153 const char* algorithm_name = |
| 154 GetJwkHmacAlgorithmName(key.algorithm().hmacParams()->hash().id()); |
| 155 if (!algorithm_name) |
| 156 return Status::ErrorUnexpected(); |
| 157 |
| 158 WriteSecretKeyJwk(CryptoData(raw_data), |
| 159 algorithm_name, |
| 160 key.extractable(), |
| 161 key.usages(), |
| 162 buffer); |
| 163 |
| 164 return Status::Success(); |
| 165 } |
| 166 |
| 167 virtual Status Sign(const blink::WebCryptoAlgorithm& algorithm, |
| 168 const blink::WebCryptoKey& key, |
| 169 const CryptoData& data, |
| 170 std::vector<uint8>* buffer) const OVERRIDE { |
| 171 const blink::WebCryptoAlgorithm& hash = |
| 172 key.algorithm().hmacParams()->hash(); |
| 173 PK11SymKey* sym_key = SymKeyNss::Cast(key)->key(); |
| 174 |
| 175 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM; |
| 176 if (!WebCryptoHashToHMACMechanism(hash, &mechanism)) |
| 177 return Status::ErrorUnexpected(); |
| 178 |
| 179 SECItem param_item = {siBuffer, NULL, 0}; |
| 180 SECItem data_item = MakeSECItemForBuffer(data); |
| 181 // First call is to figure out the length. |
| 182 SECItem signature_item = {siBuffer, NULL, 0}; |
| 183 |
| 184 if (PK11_SignWithSymKey( |
| 185 sym_key, mechanism, ¶m_item, &signature_item, &data_item) != |
| 186 SECSuccess) { |
| 187 return Status::OperationError(); |
| 188 } |
| 189 |
| 190 DCHECK_NE(0u, signature_item.len); |
| 191 |
| 192 buffer->resize(signature_item.len); |
| 193 signature_item.data = Uint8VectorStart(buffer); |
| 194 |
| 195 if (PK11_SignWithSymKey( |
| 196 sym_key, mechanism, ¶m_item, &signature_item, &data_item) != |
| 197 SECSuccess) { |
| 198 return Status::OperationError(); |
| 199 } |
| 200 |
| 201 CHECK_EQ(buffer->size(), signature_item.len); |
| 202 return Status::Success(); |
| 203 } |
| 204 |
| 205 virtual Status Verify(const blink::WebCryptoAlgorithm& algorithm, |
| 206 const blink::WebCryptoKey& key, |
| 207 const CryptoData& signature, |
| 208 const CryptoData& data, |
| 209 bool* signature_match) const OVERRIDE { |
| 210 std::vector<uint8> result; |
| 211 Status status = Sign(algorithm, key, data, &result); |
| 212 |
| 213 if (status.IsError()) |
| 214 return status; |
| 215 |
| 216 // Do not allow verification of truncated MACs. |
| 217 *signature_match = result.size() == signature.byte_length() && |
| 218 crypto::SecureMemEqual(Uint8VectorStart(result), |
| 219 signature.bytes(), |
| 220 signature.byte_length()); |
| 221 |
| 222 return Status::Success(); |
| 223 } |
| 224 }; |
| 225 |
| 226 } // namespace |
| 227 |
| 228 AlgorithmImplementation* CreatePlatformHmacImplementation() { |
| 229 return new HmacImplementation; |
| 230 } |
| 231 |
| 232 } // namespace webcrypto |
| 233 |
| 234 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
