Chromium Code Reviews Chromium Code Reviews| Index: content/child/webcrypto/openssl/hmac_openssl.cc |
| diff --git a/content/child/webcrypto/openssl/hmac_openssl.cc b/content/child/webcrypto/openssl/hmac_openssl.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..c8fe44bb0fc8db7fdb582f018b022b7e9ec1bca8 |
| --- /dev/null |
| +++ b/content/child/webcrypto/openssl/hmac_openssl.cc |
| @@ -0,0 +1,211 @@ |
| +// Copyright 2014 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include <openssl/hmac.h> |
| + |
| +#include "base/logging.h" |
| +#include "content/child/webcrypto/crypto_data.h" |
| +#include "content/child/webcrypto/jwk.h" |
| +#include "content/child/webcrypto/openssl/key_openssl.h" |
| +#include "content/child/webcrypto/openssl/sym_key_openssl.h" |
| +#include "content/child/webcrypto/openssl/util_openssl.h" |
| +#include "content/child/webcrypto/status.h" |
| +#include "content/child/webcrypto/webcrypto_util.h" |
| +#include "crypto/openssl_util.h" |
| +#include "crypto/secure_util.h" |
| +#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" |
| +#include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h" |
| + |
| +namespace content { |
| + |
| +namespace webcrypto { |
| + |
| +namespace { |
| + |
| +const blink::WebCryptoKeyUsageMask kAllKeyUsages = |
| + blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify; |
| + |
| +Status SignHmac(const std::vector<uint8>& raw_key, |
| + const blink::WebCryptoAlgorithm& hash, |
| + const CryptoData& data, |
| + std::vector<uint8>* buffer) { |
| + crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| + |
| + const EVP_MD* digest_algorithm = GetDigest(hash.id()); |
| + if (!digest_algorithm) |
| + return Status::ErrorUnsupported(); |
| + unsigned int hmac_expected_length = EVP_MD_size(digest_algorithm); |
| + |
| + // OpenSSL wierdness here. |
| + // First, HMAC() needs a void* for the key data, so make one up front as a |
| + // cosmetic to avoid a cast. Second, OpenSSL does not like a NULL key, |
| + // which will result if the raw_key vector is empty; an entirely valid |
| + // case. Handle this specific case by pointing to an empty array. |
|
Ryan Sleevi
2014/07/17 00:06:54
Fixed by BoringSSL?
eroman
2014/07/17 20:37:26
Not sure. Will add it as an action item to investi
|
| + const unsigned char null_key[] = {}; |
| + const void* const raw_key_voidp = raw_key.size() ? &raw_key[0] : null_key; |
| + |
| + buffer->resize(hmac_expected_length); |
| + crypto::ScopedOpenSSLSafeSizeBuffer<EVP_MAX_MD_SIZE> hmac_result( |
| + Uint8VectorStart(buffer), hmac_expected_length); |
| + |
| + unsigned int hmac_actual_length; |
| + unsigned char* const success = HMAC(digest_algorithm, |
| + raw_key_voidp, |
| + raw_key.size(), |
| + data.bytes(), |
| + data.byte_length(), |
| + hmac_result.safe_buffer(), |
| + &hmac_actual_length); |
| + if (!success || hmac_actual_length != hmac_expected_length) |
| + return Status::OperationError(); |
| + |
| + return Status::Success(); |
| +} |
| + |
| +class HmacImplementation : public AlgorithmImplementation { |
| + public: |
| + HmacImplementation() {} |
| + |
| + virtual Status GenerateSecretKey(const blink::WebCryptoAlgorithm& algorithm, |
| + bool extractable, |
| + blink::WebCryptoKeyUsageMask usage_mask, |
| + blink::WebCryptoKey* key) const OVERRIDE { |
| + const blink::WebCryptoHmacKeyGenParams* params = |
| + algorithm.hmacKeyGenParams(); |
| + |
| + unsigned int keylen_bits = 0; |
| + Status status = GetHmacKeyGenLength(params, &keylen_bits); |
| + if (status.IsError()) |
| + return status; |
| + |
| + return GenerateSecretKeyOpenSsl(blink::WebCryptoKeyAlgorithm::createHmac( |
| + params->hash().id(), keylen_bits), |
| + extractable, |
| + usage_mask, |
| + keylen_bits / 8, |
| + key); |
| + } |
| + |
| + virtual Status VerifyKeyUsagesBeforeImportKey( |
| + blink::WebCryptoKeyFormat format, |
| + blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { |
| + switch (format) { |
| + case blink::WebCryptoKeyFormatRaw: |
| + case blink::WebCryptoKeyFormatJwk: |
| + return CheckKeyCreationUsages(kAllKeyUsages, usage_mask); |
| + default: |
| + return Status::ErrorUnsupportedImportKeyFormat(); |
| + } |
| + } |
| + |
| + virtual Status VerifyKeyUsagesBeforeGenerateKey( |
| + blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { |
| + return CheckKeyCreationUsages(kAllKeyUsages, usage_mask); |
| + } |
| + |
| + virtual Status ImportKeyRaw(const CryptoData& key_data, |
| + const blink::WebCryptoAlgorithm& algorithm, |
| + bool extractable, |
| + blink::WebCryptoKeyUsageMask usage_mask, |
| + blink::WebCryptoKey* key) const OVERRIDE { |
| + const blink::WebCryptoAlgorithm& hash = |
| + algorithm.hmacImportParams()->hash(); |
| + |
| + // TODO(eroman): check for overflow. |
| + unsigned int keylen_bits = key_data.byte_length() * 8; |
| + |
| + return ImportKeyRawOpenSsl( |
| + key_data, |
| + blink::WebCryptoKeyAlgorithm::createHmac(hash.id(), keylen_bits), |
| + extractable, |
| + usage_mask, |
| + key); |
| + } |
| + |
| + virtual Status ImportKeyJwk(const CryptoData& key_data, |
| + const blink::WebCryptoAlgorithm& algorithm, |
| + bool extractable, |
| + blink::WebCryptoKeyUsageMask usage_mask, |
| + blink::WebCryptoKey* key) const OVERRIDE { |
| + const char* algorithm_name = |
| + GetJwkHmacAlgorithmName(algorithm.hmacImportParams()->hash().id()); |
| + if (!algorithm_name) |
| + return Status::ErrorUnexpected(); |
| + |
| + std::vector<uint8> raw_data; |
| + Status status = ReadSecretKeyJwk( |
| + key_data, algorithm_name, extractable, usage_mask, &raw_data); |
| + if (status.IsError()) |
| + return status; |
| + |
| + return ImportKeyRaw( |
| + CryptoData(raw_data), algorithm, extractable, usage_mask, key); |
| + } |
| + |
| + virtual Status ExportKeyRaw(const blink::WebCryptoKey& key, |
| + std::vector<uint8>* buffer) const OVERRIDE { |
| + *buffer = SymKeyOpenSsl::Cast(key)->raw_key_data(); |
| + return Status::Success(); |
| + } |
| + |
| + virtual Status ExportKeyJwk(const blink::WebCryptoKey& key, |
| + std::vector<uint8>* buffer) const OVERRIDE { |
| + SymKeyOpenSsl* sym_key = SymKeyOpenSsl::Cast(key); |
| + const std::vector<uint8>& raw_data = sym_key->raw_key_data(); |
| + |
| + const char* algorithm_name = |
| + GetJwkHmacAlgorithmName(key.algorithm().hmacParams()->hash().id()); |
| + if (!algorithm_name) |
| + return Status::ErrorUnexpected(); |
| + |
| + WriteSecretKeyJwk(CryptoData(raw_data), |
| + algorithm_name, |
| + key.extractable(), |
| + key.usages(), |
| + buffer); |
| + |
| + return Status::Success(); |
| + } |
| + |
| + virtual Status Sign(const blink::WebCryptoAlgorithm& algorithm, |
| + const blink::WebCryptoKey& key, |
| + const CryptoData& data, |
| + std::vector<uint8>* buffer) const OVERRIDE { |
| + const blink::WebCryptoAlgorithm& hash = |
| + key.algorithm().hmacParams()->hash(); |
| + |
| + return SignHmac( |
| + SymKeyOpenSsl::Cast(key)->raw_key_data(), hash, data, buffer); |
| + } |
| + |
| + virtual Status Verify(const blink::WebCryptoAlgorithm& algorithm, |
| + const blink::WebCryptoKey& key, |
| + const CryptoData& signature, |
| + const CryptoData& data, |
| + bool* signature_match) const OVERRIDE { |
| + std::vector<uint8> result; |
| + Status status = Sign(algorithm, key, data, &result); |
| + |
| + if (status.IsError()) |
| + return status; |
| + |
| + // Do not allow verification of truncated MACs. |
| + *signature_match = result.size() == signature.byte_length() && |
| + crypto::SecureMemEqual(Uint8VectorStart(result), |
| + signature.bytes(), |
| + signature.byte_length()); |
| + |
| + return Status::Success(); |
| + } |
| +}; |
| + |
| +} // namespace |
| + |
| +AlgorithmImplementation* CreatePlatformHmacImplementation() { |
| + return new HmacImplementation; |
| +} |
| + |
| +} // namespace webcrypto |
| + |
| +} // namespace content |
