| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include <secerr.h> | |
| 6 | |
| 7 #include "content/child/webcrypto/crypto_data.h" | |
| 8 #include "content/child/webcrypto/nss/aes_key_nss.h" | |
| 9 #include "content/child/webcrypto/nss/key_nss.h" | |
| 10 #include "content/child/webcrypto/nss/sym_key_nss.h" | |
| 11 #include "content/child/webcrypto/nss/util_nss.h" | |
| 12 #include "content/child/webcrypto/status.h" | |
| 13 #include "content/child/webcrypto/webcrypto_util.h" | |
| 14 #include "crypto/scoped_nss_types.h" | |
| 15 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" | |
| 16 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h" | |
| 17 | |
| 18 namespace content { | |
| 19 | |
| 20 namespace webcrypto { | |
| 21 | |
| 22 namespace { | |
| 23 | |
| 24 // The Default IV for AES-KW. See http://www.ietf.org/rfc/rfc3394.txt | |
| 25 // Section 2.2.3.1. | |
| 26 const unsigned char kAesIv[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}; | |
| 27 | |
| 28 // The result of unwrapping is a SymKey rather than a buffer. This is a | |
| 29 // consequence of how NSS exposes AES-KW. Subsequent code can extract the value | |
| 30 // of the sym key to interpret it as key bytes in another format. | |
| 31 Status DoUnwrapSymKeyAesKw(const CryptoData& wrapped_key_data, | |
| 32 PK11SymKey* wrapping_key, | |
| 33 CK_MECHANISM_TYPE mechanism, | |
| 34 CK_FLAGS flags, | |
| 35 crypto::ScopedPK11SymKey* unwrapped_key) { | |
| 36 DCHECK_GE(wrapped_key_data.byte_length(), 24u); | |
| 37 DCHECK_EQ(wrapped_key_data.byte_length() % 8, 0u); | |
| 38 | |
| 39 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv))); | |
| 40 crypto::ScopedSECItem param_item( | |
| 41 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item)); | |
| 42 if (!param_item) | |
| 43 return Status::ErrorUnexpected(); | |
| 44 | |
| 45 SECItem cipher_text = MakeSECItemForBuffer(wrapped_key_data); | |
| 46 | |
| 47 // The plaintext length is always 64 bits less than the data size. | |
| 48 const unsigned int plaintext_length = wrapped_key_data.byte_length() - 8; | |
| 49 | |
| 50 #if defined(USE_NSS) | |
| 51 // Part of workaround for | |
| 52 // https://bugzilla.mozilla.org/show_bug.cgi?id=981170. See the explanation | |
| 53 // later in this function. | |
| 54 PORT_SetError(0); | |
| 55 #endif | |
| 56 | |
| 57 crypto::ScopedPK11SymKey new_key( | |
| 58 PK11_UnwrapSymKeyWithFlags(wrapping_key, | |
| 59 CKM_NSS_AES_KEY_WRAP, | |
| 60 param_item.get(), | |
| 61 &cipher_text, | |
| 62 mechanism, | |
| 63 CKA_FLAGS_ONLY, | |
| 64 plaintext_length, | |
| 65 flags)); | |
| 66 | |
| 67 // TODO(padolph): Use NSS PORT_GetError() and friends to report a more | |
| 68 // accurate error, providing if doesn't leak any information to web pages | |
| 69 // about other web crypto users, key details, etc. | |
| 70 if (!new_key) | |
| 71 return Status::OperationError(); | |
| 72 | |
| 73 #if defined(USE_NSS) | |
| 74 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=981170 | |
| 75 // which was fixed in NSS 3.16.0. | |
| 76 // If unwrap fails, NSS nevertheless returns a valid-looking PK11SymKey, | |
| 77 // with a reasonable length but with key data pointing to uninitialized | |
| 78 // memory. | |
| 79 // To understand this workaround see the fix for 981170: | |
| 80 // https://hg.mozilla.org/projects/nss/rev/753bb69e543c | |
| 81 if (!NSS_VersionCheck("3.16") && PORT_GetError() == SEC_ERROR_BAD_DATA) | |
| 82 return Status::OperationError(); | |
| 83 #endif | |
| 84 | |
| 85 *unwrapped_key = new_key.Pass(); | |
| 86 return Status::Success(); | |
| 87 } | |
| 88 | |
| 89 Status WrapSymKeyAesKw(PK11SymKey* key, | |
| 90 PK11SymKey* wrapping_key, | |
| 91 std::vector<uint8>* buffer) { | |
| 92 // The data size must be at least 16 bytes and a multiple of 8 bytes. | |
| 93 // RFC 3394 does not specify a maximum allowed data length, but since only | |
| 94 // keys are being wrapped in this application (which are small), a reasonable | |
| 95 // max limit is whatever will fit into an unsigned. For the max size test, | |
| 96 // note that AES Key Wrap always adds 8 bytes to the input data size. | |
| 97 const unsigned int input_length = PK11_GetKeyLength(key); | |
| 98 DCHECK_GE(input_length, 16u); | |
| 99 DCHECK((input_length % 8) == 0); | |
| 100 if (input_length > UINT_MAX - 8) | |
| 101 return Status::ErrorDataTooLarge(); | |
| 102 | |
| 103 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv))); | |
| 104 crypto::ScopedSECItem param_item( | |
| 105 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item)); | |
| 106 if (!param_item) | |
| 107 return Status::ErrorUnexpected(); | |
| 108 | |
| 109 const unsigned int output_length = input_length + 8; | |
| 110 buffer->resize(output_length); | |
| 111 SECItem wrapped_key_item = MakeSECItemForBuffer(CryptoData(*buffer)); | |
| 112 | |
| 113 if (SECSuccess != PK11_WrapSymKey(CKM_NSS_AES_KEY_WRAP, | |
| 114 param_item.get(), | |
| 115 wrapping_key, | |
| 116 key, | |
| 117 &wrapped_key_item)) { | |
| 118 return Status::OperationError(); | |
| 119 } | |
| 120 if (output_length != wrapped_key_item.len) | |
| 121 return Status::ErrorUnexpected(); | |
| 122 | |
| 123 return Status::Success(); | |
| 124 } | |
| 125 | |
| 126 class AesKwCryptoAlgorithmNss : public AesAlgorithm { | |
| 127 public: | |
| 128 AesKwCryptoAlgorithmNss() | |
| 129 : AesAlgorithm( | |
| 130 CKM_NSS_AES_KEY_WRAP, | |
| 131 CKF_WRAP | CKF_WRAP, | |
| 132 blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey, | |
| 133 "KW") {} | |
| 134 | |
| 135 virtual Status Encrypt(const blink::WebCryptoAlgorithm& algorithm, | |
| 136 const blink::WebCryptoKey& wrapping_key, | |
| 137 const CryptoData& data, | |
| 138 std::vector<uint8>* buffer) const OVERRIDE { | |
| 139 if (data.byte_length() < 16) | |
| 140 return Status::ErrorDataTooSmall(); | |
| 141 if (data.byte_length() % 8) | |
| 142 return Status::ErrorInvalidAesKwDataLength(); | |
| 143 | |
| 144 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must | |
| 145 // be temporarily viewed as a symmetric key to be wrapped (encrypted). | |
| 146 SECItem data_item = MakeSECItemForBuffer(data); | |
| 147 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); | |
| 148 crypto::ScopedPK11SymKey data_as_sym_key( | |
| 149 PK11_ImportSymKey(slot.get(), | |
| 150 CKK_GENERIC_SECRET, | |
| 151 PK11_OriginUnwrap, | |
| 152 CKA_SIGN, | |
| 153 &data_item, | |
| 154 NULL)); | |
| 155 if (!data_as_sym_key) | |
| 156 return Status::OperationError(); | |
| 157 | |
| 158 return WrapSymKeyAesKw( | |
| 159 data_as_sym_key.get(), SymKeyNss::Cast(wrapping_key)->key(), buffer); | |
| 160 } | |
| 161 | |
| 162 virtual Status Decrypt(const blink::WebCryptoAlgorithm& algorithm, | |
| 163 const blink::WebCryptoKey& wrapping_key, | |
| 164 const CryptoData& data, | |
| 165 std::vector<uint8>* buffer) const OVERRIDE { | |
| 166 if (data.byte_length() < 24) | |
| 167 return Status::ErrorDataTooSmall(); | |
| 168 if (data.byte_length() % 8) | |
| 169 return Status::ErrorInvalidAesKwDataLength(); | |
| 170 | |
| 171 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must | |
| 172 // be temporarily viewed as a symmetric key to be unwrapped (decrypted). | |
| 173 crypto::ScopedPK11SymKey decrypted; | |
| 174 Status status = DoUnwrapSymKeyAesKw(data, | |
| 175 SymKeyNss::Cast(wrapping_key)->key(), | |
| 176 CKK_GENERIC_SECRET, | |
| 177 0, | |
| 178 &decrypted); | |
| 179 if (status.IsError()) | |
| 180 return status; | |
| 181 | |
| 182 // Once the decrypt is complete, extract the resultant raw bytes from NSS | |
| 183 // and return them to the caller. | |
| 184 if (PK11_ExtractKeyValue(decrypted.get()) != SECSuccess) | |
| 185 return Status::OperationError(); | |
| 186 const SECItem* const key_data = PK11_GetKeyData(decrypted.get()); | |
| 187 if (!key_data) | |
| 188 return Status::OperationError(); | |
| 189 buffer->assign(key_data->data, key_data->data + key_data->len); | |
| 190 | |
| 191 return Status::Success(); | |
| 192 } | |
| 193 }; | |
| 194 | |
| 195 } // namespace | |
| 196 | |
| 197 AlgorithmImplementation* CreatePlatformAesKwImplementation() { | |
| 198 return new AesKwCryptoAlgorithmNss; | |
| 199 } | |
| 200 | |
| 201 } // namespace webcrypto | |
| 202 | |
| 203 } // namespace content | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 401983002:
Revert 284192 due to a failing test. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src