[webcrypto] Implement RSA-OAEP using BoringSSL.

content/child/webcrypto/openssl/rsa_oaep_openssl.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <openssl/evp.h>
+
+#include "base/stl_util.h"
+#include "content/child/webcrypto/crypto_data.h"
+#include "content/child/webcrypto/openssl/key_openssl.h"
+#include "content/child/webcrypto/openssl/rsa_key_openssl.h"
+#include "content/child/webcrypto/openssl/util_openssl.h"
+#include "content/child/webcrypto/status.h"
+#include "crypto/openssl_util.h"
+#include "crypto/scoped_openssl_types.h"
+#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
+#include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
+
+namespace content {
+
+namespace webcrypto {
+
+namespace {
+
+typedef int (*InitFunc)(EVP_PKEY_CTX* ctx);
+typedef int (*EncryptDecryptFunc)(EVP_PKEY_CTX* ctx,
+                                  unsigned char* out,
+                                  size_t* outlen,
+                                  const unsigned char* in,
+                                  size_t inlen);
+
+// Helper for doing either RSA-OAEP encryption or decryption.
+//
+// To encrypt call with:
+//   init_func=EVP_PKEY_encrypt_init, encrypt_decrypt_func=EVP_PKEY_encrypt
+//
+// To decrypt call with:
+//   init_func=EVP_PKEY_decrypt_init, encrypt_decrypt_func=EVP_PKEY_decrypt
+Status CommonEncryptDecrypt(InitFunc init_func,
+                            EncryptDecryptFunc encrypt_decrypt_func,
+                            const blink::WebCryptoAlgorithm& algorithm,
+                            const blink::WebCryptoKey& key,
+                            const CryptoData& data,
+                            std::vector<uint8_t>* buffer) {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  EVP_PKEY* pkey = pkey = AsymKeyOpenSsl::Cast(key)->key();

[davidben, 2014/07/30 16:08:48]

I'm not very familiar with the WebCrypto code; do you also need to check that
this is an RSA key, or is it taken care of for you? (I suppose there actually
isn't any other EVP_PKEY implementation in BoringSSL right now that provides
encrypt and decrypt, and the EVP_PKEY_CTX_set_rsa* ctrls will fail.)

[eroman, 2014/07/30 16:27:59]

tl;dr: It should be safe. 

Here is how it works:

WebCrypto keys are passed back and forth blink <--> chromium. To hide any
NSS/BoringSSL internals, the WebCryptoKey stores an opaque pointer
(WebCryptoKeyHandle) which can be cast and accessed by the chromium side, and
whose lifetime is tied to the WebCryptoKey.

There are two fields on the WebCryptoKey which imply what the concrete handle
type was:
   * algorithm.id()
    * keyType()

A particular "AlgorithmImplementation" is registered for each
WebCryptoAlgorithmId, and only keys with a matching id are dispatched to it. We
can therefore be guaranteed that the key here was in fact created by
RsaOaepImplementation. We then further assume that RsaOeapImplementation only
ever creates AsymKeyOpenSssl handles. So the only question is whether it
represents a public or private key.

That said, I agree the casting is scary and non-obvious. As a safety-net I use
the function AsymKeyOpenSsl::Cast() which tries to do safer casting (rather than
just re-interpret casting, it uses a common base class + virtual method, which
predictably return NULL if the types don't match). So if something does break in
the future, it should just result in a NULL pointer crash rather than something
exploitable.

+  const EVP_MD* digest =
+      GetDigest(key.algorithm().rsaHashedParams()->hash().id());
+  if (!digest)
+    return Status::ErrorUnsupported();
+
+  crypto::ScopedEVP_PKEY_CTX ctx(EVP_PKEY_CTX_new(pkey, NULL));
+
+  if (1 != init_func(ctx.get()) ||
+      1 != EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_PKCS1_OAEP_PADDING) ||
+      1 != EVP_PKEY_CTX_set_rsa_oaep_md(ctx.get(), digest) ||
+      1 != EVP_PKEY_CTX_set_rsa_mgf1_md(ctx.get(), digest)) {
+    return Status::OperationError();
+  }
+
+  const blink::WebVector<uint8_t>& label =
+      algorithm.rsaOaepParams()->optionalLabel();
+
+  if (label.size()) {
+    // Make a copy of the label, since the ctx takes ownership of it when
+    // calling set0_rsa_oaep_label().

[davidben, 2014/07/30 16:08:47]

This is a quirk we inherited from upstream. We should probably add a set1
variant later because this is just obnoxious. :-)

[eroman, 2014/07/30 16:27:59]

I will file a bug, and can investigate as a follow-up.

Would the set1 variant be expected to make a copy itself to save in the ctx, or
simply have the ctx reference unowned bytes? The latter could be confusing since
if the ctx is re-used later the memory could well be gone.

[davidben, 2014/07/30 16:44:13]

I was thinking it could just make a copy. That seems easiest for the caller.

I suppose this version (set0) is actually more consistent with
EVP_PKEY_CTX_set_rsa_keygen_pubexp which also takes ownership from the caller.
Doesn't seem to be anything else that takes a pointer type as parameter.

+    crypto::ScopedOpenSSLBytes label_copy;
+    label_copy.reset(static_cast<uint8_t*>(OPENSSL_malloc(label.size())));
+    memcpy(label_copy.get(), label.data(), label.size());
+
+    if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(
+                 ctx.get(), label_copy.release(), label.size())) {
+      return Status::OperationError();
+    }
+  }
+
+  // Determine the maximum length of the output.
+  size_t outlen = 0;
+  if (1 != encrypt_decrypt_func(
+               ctx.get(), NULL, &outlen, data.bytes(), data.byte_length())) {
+    return Status::OperationError();
+  }
+  buffer->resize(outlen);
+
+  // Do the actual encryption/decryption.
+  if (1 != encrypt_decrypt_func(ctx.get(),
+                                vector_as_array(buffer),
+                                &outlen,
+                                data.bytes(),
+                                data.byte_length())) {
+    return Status::OperationError();
+  }
+  buffer->resize(outlen);
+
+  return Status::Success();
+}
+
+class RsaOaepImplementation : public RsaHashedAlgorithm {
+ public:
+  RsaOaepImplementation()
+      : RsaHashedAlgorithm(
+            blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageWrapKey,
+            blink::WebCryptoKeyUsageDecrypt |
+                blink::WebCryptoKeyUsageUnwrapKey) {}
+
+  virtual const char* GetJwkAlgorithm(
+      const blink::WebCryptoAlgorithmId hash) const OVERRIDE {
+    switch (hash) {
+      case blink::WebCryptoAlgorithmIdSha1:
+        return "RSA-OAEP";
+      case blink::WebCryptoAlgorithmIdSha256:
+        return "RSA-OAEP-256";
+      case blink::WebCryptoAlgorithmIdSha384:
+        return "RSA-OAEP-384";
+      case blink::WebCryptoAlgorithmIdSha512:
+        return "RSA-OAEP-512";
+      default:
+        return NULL;
+    }
+  }
+
+  virtual Status Encrypt(const blink::WebCryptoAlgorithm& algorithm,
+                         const blink::WebCryptoKey& key,
+                         const CryptoData& data,
+                         std::vector<uint8_t>* buffer) const OVERRIDE {
+    if (key.type() != blink::WebCryptoKeyTypePublic)
+      return Status::ErrorUnexpectedKeyType();
+
+    return CommonEncryptDecrypt(
+        EVP_PKEY_encrypt_init, EVP_PKEY_encrypt, algorithm, key, data, buffer);
+  }
+
+  virtual Status Decrypt(const blink::WebCryptoAlgorithm& algorithm,
+                         const blink::WebCryptoKey& key,
+                         const CryptoData& data,
+                         std::vector<uint8_t>* buffer) const OVERRIDE {
+    if (key.type() != blink::WebCryptoKeyTypePrivate)
+      return Status::ErrorUnexpectedKeyType();
+
+    return CommonEncryptDecrypt(
+        EVP_PKEY_decrypt_init, EVP_PKEY_decrypt, algorithm, key, data, buffer);
+  }
+};
+
+}  // namespace
+
+AlgorithmImplementation* CreatePlatformRsaOaepImplementation() {
+  return new RsaOaepImplementation;
+}
+
+}  // namespace webcrypto
+
+}  // namespace content