| Index: content/child/webcrypto/jwk.h
|
| diff --git a/content/child/webcrypto/jwk.h b/content/child/webcrypto/jwk.h
|
| index a5872090cb7410409038a3b8b1b1fd6d315c5a8d..cb6866df178a126535b748ff91127a6f23817d38 100644
|
| --- a/content/child/webcrypto/jwk.h
|
| +++ b/content/child/webcrypto/jwk.h
|
| @@ -11,9 +11,7 @@
|
| #include "base/strings/string_piece.h"
|
| #include "base/values.h"
|
| #include "content/common/content_export.h"
|
| -#include "third_party/WebKit/public/platform/WebArrayBuffer.h"
|
| #include "third_party/WebKit/public/platform/WebCrypto.h"
|
| -#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
|
|
|
| namespace content {
|
|
|
| @@ -22,6 +20,113 @@ namespace webcrypto {
|
| class CryptoData;
|
| class Status;
|
|
|
| +// Helper class for parsing a JWK from JSON.
|
| +//
|
| +// This primarily exists to ensure strict enforcement of the JWK schema, as the
|
| +// type and presence of particular members is security relevant. For example,
|
| +// GetString() will ensure a given JSON member is present and is a string type,
|
| +// and will fail if these conditions aren't met.
|
| +//
|
| +// Users of JwkReader must call Init() successfully before any other method can
|
| +// be called.
|
| +class JwkReader {
|
| + public:
|
| + JwkReader();
|
| + ~JwkReader();
|
| +
|
| + // Initializes a JWK reader by parsing the JSON |bytes|. To succeed, the JWK
|
| + // must:
|
| + // * Have "kty" matching |expected_kty|
|
| + // * Have "ext" compatible with |expected_extractable|
|
| + // * Have usages ("use", "key_ops") compatible with |expected_usages|
|
| + // * Have an "alg" matching |expected_alg|
|
| + //
|
| + // NOTE: If |expected_alg| is empty, then the test on "alg" is skipped.
|
| + Status Init(const CryptoData& bytes,
|
| + bool expected_extractable,
|
| + blink::WebCryptoKeyUsageMask expected_usages,
|
| + const std::string& expected_kty,
|
| + const std::string& expected_alg);
|
| +
|
| + // Returns true if the member |member_name| is present.
|
| + bool HasMember(const std::string& member_name) const;
|
| +
|
| + // Extracts the required string member |member_name| and saves the result to
|
| + // |*result|. If the member does not exist or is not a string, returns an
|
| + // error.
|
| + Status GetString(const std::string& member_name, std::string* result) const;
|
| +
|
| + // Extracts the optional string member |member_name| and saves the result to
|
| + // |*result| if it was found. If the member exists and is not a string,
|
| + // returns an error. Otherwise returns success, and sets |*member_exists| if
|
| + // it was found.
|
| + Status GetOptionalString(const std::string& member_name,
|
| + std::string* result,
|
| + bool* member_exists) const;
|
| +
|
| + // Extracts the optional array member |member_name| and saves the result to
|
| + // |*result| if it was found. If the member exists and is not an array,
|
| + // returns an error. Otherwise returns success, and sets |*member_exists| if
|
| + // it was found.
|
| + //
|
| + // NOTE: |*result| is owned by the JwkReader.
|
| + Status GetOptionalList(const std::string& member_name,
|
| + base::ListValue** result,
|
| + bool* member_exists) const;
|
| +
|
| + // Extracts the required string member |member_name| and saves the
|
| + // base64url-decoded bytes to |*result|. If the member does not exist or is
|
| + // not a string, or could not be base64url-decoded, returns an error.
|
| + Status GetBytes(const std::string& member_name, std::string* result) const;
|
| +
|
| + // Extracts the required base64url member, which is interpreted as being a
|
| + // big-endian unsigned integer.
|
| + //
|
| + // Sequences that contain leading zeros will be rejected.
|
| + Status GetBigInteger(const std::string& member_name,
|
| + std::string* result) const;
|
| +
|
| + // Extracts the optional boolean member |member_name| and saves the result to
|
| + // |*result| if it was found. If the member exists and is not a boolean,
|
| + // returns an error. Otherwise returns success, and sets |*member_exists| if
|
| + // it was found.
|
| + Status GetOptionalBool(const std::string& member_name,
|
| + bool* result,
|
| + bool* member_exists) const;
|
| +
|
| + // Gets the optional algorithm ("alg") string.
|
| + Status GetAlg(std::string* alg, bool* has_alg) const;
|
| +
|
| + // Checks if the "alg" member matches |expected_alg|.
|
| + Status VerifyAlg(const std::string& expected_alg) const;
|
| +
|
| + private:
|
| + scoped_ptr<base::DictionaryValue> dict_;
|
| +};
|
| +
|
| +// Helper class for building the JSON for a JWK.
|
| +class JwkWriter {
|
| + public:
|
| + // Initializes a writer, and sets the standard JWK members as indicated.
|
| + JwkWriter(const std::string& algorithm,
|
| + bool extractable,
|
| + blink::WebCryptoKeyUsageMask usages,
|
| + const std::string& kty);
|
| +
|
| + // Sets a string member |member_name| to |value|.
|
| + void SetString(const std::string& member_name, const std::string& value);
|
| +
|
| + // Sets a bytes member |value| to |value| by base64 url-safe encoding it.
|
| + void SetBytes(const std::string& member_name, const CryptoData& value);
|
| +
|
| + // Flattens the JWK to JSON (UTF-8 encoded if necessary, however in practice
|
| + // it will be ASCII).
|
| + void ToJson(std::vector<uint8_t>* utf8_bytes) const;
|
| +
|
| + private:
|
| + base::DictionaryValue dict_;
|
| +};
|
| +
|
| // Writes a JWK-formatted symmetric key to |jwk_key_data|.
|
| // * raw_key_data: The actual key data
|
| // * algorithm: The JWK algorithm name (i.e. "alg")
|
| @@ -36,12 +141,12 @@ void WriteSecretKeyJwk(const CryptoData& raw_key_data,
|
| // Parses a UTF-8 encoded JWK (key_data), and extracts the key material to
|
| // |*raw_key_data|. Returns Status::Success() on success, otherwise an error.
|
| // In order for this to succeed:
|
| -// * expected_algorithm must match the JWK's "alg", if present.
|
| +// * expected_alg must match the JWK's "alg", if present.
|
| // * expected_extractable must be consistent with the JWK's "ext", if
|
| // present.
|
| // * expected_usages must be a subset of the JWK's "key_ops" if present.
|
| Status ReadSecretKeyJwk(const CryptoData& key_data,
|
| - const std::string& expected_algorithm,
|
| + const std::string& expected_alg,
|
| bool expected_extractable,
|
| blink::WebCryptoKeyUsageMask expected_usages,
|
| std::vector<uint8_t>* raw_key_data);
|
| @@ -52,7 +157,7 @@ std::string MakeJwkAesAlgorithmName(const std::string& suffix,
|
| unsigned int keylen_bytes);
|
|
|
| // This is very similar to ReadSecretKeyJwk(), except instead of specifying an
|
| -// absolut "expected_algorithm", the suffix for an AES algorithm name is given
|
| +// absolute "expected_alg", the suffix for an AES algorithm name is given
|
| // (See MakeJwkAesAlgorithmName() for an explanation of what the suffix is).
|
| //
|
| // This is because the algorithm name for AES keys is dependent on the length
|
| @@ -110,12 +215,12 @@ struct JwkRsaInfo {
|
| // Parses a UTF-8 encoded JWK (key_data), and extracts the RSA components to
|
| // |*result|. Returns Status::Success() on success, otherwise an error.
|
| // In order for this to succeed:
|
| -// * expected_algorithm must match the JWK's "alg", if present.
|
| +// * expected_alg must match the JWK's "alg", if present.
|
| // * expected_extractable must be consistent with the JWK's "ext", if
|
| // present.
|
| // * expected_usages must be a subset of the JWK's "key_ops" if present.
|
| Status ReadRsaKeyJwk(const CryptoData& key_data,
|
| - const std::string& expected_algorithm,
|
| + const std::string& expected_alg,
|
| bool expected_extractable,
|
| blink::WebCryptoKeyUsageMask expected_usages,
|
| JwkRsaInfo* result);
|
|
|
Chromium Code Reviews
Issue 687063002:
Refactor: Expose JwkReader/JwkWriter helper classes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master