
Side by Side Diff: net/cert/jwk_serializer_openssl.cc

Issue 431453003: Implement JwkSerializer for OpenSSL. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: agl comments Created 6 years, 4 months ago
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/jwk_serializer.h" 5 #include "net/cert/jwk_serializer.h"
6 6
7 #include <openssl/bn.h>
8 #include <openssl/ec.h>
9 #include <openssl/ec_key.h>
10 #include <openssl/evp.h>
11 #include <openssl/x509.h>
12
13 #include "base/base64.h"
7 #include "base/logging.h" 14 #include "base/logging.h"
15 #include "base/strings/string_util.h"
16 #include "base/values.h"
17 #include "crypto/openssl_util.h"
18 #include "crypto/scoped_openssl_types.h"
8 19
9 namespace net { 20 namespace net {
10 21
11 namespace JwkSerializer { 22 namespace JwkSerializer {
12 23
24 namespace {
25
26 bool ConvertEcKeyToJwk(EVP_PKEY* pkey,
27 base::DictionaryValue* public_key_jwk,
28 const crypto::OpenSSLErrStackTracer& err_tracer) {
29 crypto::ScopedEC_KEY ec_key(EVP_PKEY_get1_EC_KEY(pkey));
30 if (!ec_key)
31 return false;
32 const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key.get());
33 if (!ec_group)
34 return false;
35
36 std::string curve_name;
37 int nid = EC_GROUP_get_curve_name(ec_group);
38 if (nid == NID_X9_62_prime256v1) {
39 curve_name = "P-256";
40 } else if (nid == NID_secp384r1) {
41 curve_name = "P-384";
42 } else if (nid == NID_secp521r1) {
43 curve_name = "P-521";
44 } else {
45 return false;
46 }
47
48 int degree_bytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
49
50 const EC_POINT* ec_point = EC_KEY_get0_public_key(ec_key.get());
51 if (!ec_point)
52 return false;
53
54 crypto::ScopedBIGNUM x(BN_new());
55 crypto::ScopedBIGNUM y(BN_new());
56 if (!EC_POINT_get_affine_coordinates_GFp(ec_group, ec_point,
57 x.get(), y.get(), NULL)) {
58 return false;
59 }
60
61 // The coordinates are encoded with leading zeros included.
Ryan Sleevi 2014/07/30 00:18:10 This is a violation of JWK, FWIW. Are you matchin
davidben 2014/07/30 00:23:22 Hrm. Are you sure? This guy says: http://tools.iet
Ryan Sleevi 2014/07/30 00:36:59 Right, ok. JWK's gotten sloppy again. The issue wi
62 std::string x_bytes;
63 std::string y_bytes;
64 if (!BN_bn2bin_padded(reinterpret_cast<uint8_t*>(
65 WriteInto(&x_bytes, degree_bytes + 1)), degree_bytes, x.get()) ||
66 !BN_bn2bin_padded(reinterpret_cast<uint8_t*>(
67 WriteInto(&y_bytes, degree_bytes + 1)), degree_bytes, y.get())) {
68 return false;
69 }
70
71 public_key_jwk->SetString("kty", "EC");
72 public_key_jwk->SetString("crv", curve_name);
73
74 std::string x_b64;
75 base::Base64Encode(x_bytes, &x_b64);
eroman 2014/11/07 01:04:49 Note that JWK uses base64url not vanilla base64 en
juanlang (chromium.org) 2014/11/07 01:08:18 Yes, this was logged as bug 364749. I'm sorry I ha
76 public_key_jwk->SetString("x", x_b64);
77
78 std::string y_b64;
79 base::Base64Encode(y_bytes, &y_b64);
80 public_key_jwk->SetString("y", y_b64);
81
82 return true;
83 }
84
85 } // namespace
86
13 bool ConvertSpkiFromDerToJwk( 87 bool ConvertSpkiFromDerToJwk(
14 const base::StringPiece& spki_der, 88 const base::StringPiece& spki_der,
15 base::DictionaryValue* public_key_jwk) { 89 base::DictionaryValue* public_key_jwk) {
16 // TODO(juanlang): implement 90 public_key_jwk->Clear();
17 NOTIMPLEMENTED(); 91
18 return false; 92 crypto::EnsureOpenSSLInit();
93 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
94
95 const uint8_t *data = reinterpret_cast<const uint8_t*>(spki_der.data());
96 const uint8_t *ptr = data;
97 crypto::ScopedEVP_PKEY pubkey(d2i_PUBKEY(NULL, &ptr, spki_der.size()));
98 if (!pubkey || ptr != data + spki_der.size())
99 return false;
100
101 if (pubkey->type == EVP_PKEY_EC) {
102 return ConvertEcKeyToJwk(pubkey.get(), public_key_jwk, err_tracer);
103 } else {
104 // TODO(juanlang): other algorithms
105 return false;
106 }
19 } 107 }
20 108
21 } // namespace JwkSerializer 109 } // namespace JwkSerializer
22 110
23 } // namespace net 111 } // namespace net
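Review bot: In ConvertEcKeyToJwk the two `BN_new()` results are passed to `EC_POINT_get_affine_coordinates_GFp` and then to `BN_bn2bin_padded` without a null check, although `ec_key`, `ec_group` and `ec_point` just above are all checked. If either allocation fails, a NULL BIGNUM may reach the padded conversion; whether the coordinate call rejects NULL outputs first is not visible on this page. Adding `if (!x || !y) return false;` directly after the two `BN_new()` lines would keep the failure handling uniform. Separately, the `err_tracer` parameter is not referenced anywhere in the helper's visible body, so either drop it or add a one-line comment saying why it is threaded through.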