Chromium Code Reviews| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include <openssl/ec.h> | |
| 6 #include <openssl/ec_key.h> | |
| 7 #include <openssl/evp.h> | |
| 8 | |
| 9 #include "base/logging.h" | |
| 10 #include "content/child/webcrypto/algorithm_implementation.h" | |
| 11 #include "content/child/webcrypto/crypto_data.h" | |
| 12 #include "content/child/webcrypto/generate_key_result.h" | |
| 13 #include "content/child/webcrypto/openssl/ec_key_openssl.h" | |
| 14 #include "content/child/webcrypto/openssl/key_openssl.h" | |
| 15 #include "content/child/webcrypto/openssl/util_openssl.h" | |
| 16 #include "content/child/webcrypto/status.h" | |
| 17 #include "content/child/webcrypto/webcrypto_util.h" | |
| 18 #include "crypto/openssl_util.h" | |
| 19 #include "crypto/scoped_openssl_types.h" | |
| 20 #include "crypto/secure_util.h" | |
| 21 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" | |
| 22 #include "third_party/WebKit/public/platform/WebCryptoKey.h" | |
| 23 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h" | |
| 24 | |
| 25 namespace content { | |
| 26 | |
| 27 namespace webcrypto { | |
| 28 | |
| 29 namespace { | |
| 30 | |
| 31 // Extracts the OpenSSL key and digest from a WebCrypto key + algorithm. The | |
| 32 // returned pkey pointer will remain valid as long as |key| is alive. | |
| 33 Status GetPKeyAndDigest(const blink::WebCryptoAlgorithm& algorithm, | |
| 34 const blink::WebCryptoKey& key, | |
| 35 EVP_PKEY** pkey, | |
| 36 const EVP_MD** digest) { | |
| 37 *pkey = AsymKeyOpenSsl::Cast(key)->key(); | |
| 38 *digest = GetDigest(algorithm.ecdsaParams()->hash().id()); | |
| 39 if (!*digest) | |
| 40 return Status::ErrorUnsupported(); | |
| 41 return Status::Success(); | |
| 42 } | |
| 43 | |
| 44 // Gets the EC key's group degree in bytes. | |
| 45 Status GetEcGroupDegreeInBytes(EVP_PKEY* pkey, size_t* degree_bytes) { | |
| 46 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
| 47 | |
| 48 crypto::ScopedEC_KEY ec(EVP_PKEY_get1_EC_KEY(pkey)); | |
| 49 if (!ec.get()) | |
| 50 return Status::ErrorUnexpected(); | |
| 51 | |
| 52 const EC_GROUP* group = EC_KEY_get0_group(ec.get()); | |
| 53 *degree_bytes = (EC_GROUP_get_degree(group) + 7) / 8; | |
| 54 return Status::Success(); | |
| 55 } | |
| 56 | |
| 57 // Formats a DER-encoded signature (ECDSA-Sig-Value as specified in RFC 3279) to | |
| 58 // the signature format expected by WebCrypto (raw concatenated "r" and "s"). | |
| 59 // | |
| 60 // TODO(eroman): Where is the specification for WebCrypto's signature format? | |
| 61 Status ConvertDerSignatureToWebCryptoSignature( | |
| 62 EVP_PKEY* key, | |
| 63 std::vector<uint8_t>* signature) { | |
| 64 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
| 65 | |
| 66 const unsigned char* der_data = &signature->front(); | |
| 67 crypto::ScopedECDSA_SIG ecdsa_sig( | |
| 68 d2i_ECDSA_SIG(NULL, &der_data, static_cast<long>(signature->size()))); | |
| 69 if (!ecdsa_sig.get()) | |
| 70 return Status::OperationError(); | |
| 71 | |
| 72 // Note that |der_data| is updated to point to past the end of the DER | |
| 73 // structure. It is possible there are unconsumed bytes at the end, and | |
| 74 // this is OK. (Since the ECDSA signature appears to be padded up to | |
| 75 // ECDSA_size()). | |
| 76 | |
| 77 // Determine the maximum length of r and s. | |
| 78 size_t degree_bytes; | |
| 79 Status status = GetEcGroupDegreeInBytes(key, °ree_bytes); | |
|
davidben
2014/11/10 20:24:00
I don't think these are quiiiite the same, are the
eroman
2014/11/10 20:55:52
Thanks David. I thought it was the size of the ord
davidben
2014/11/10 21:00:58
Joy. We get that code from OpenSSL, so I will wave
agl
2014/11/10 21:42:27
Right, r and s are both scalars. So it's the group
eroman
2014/11/10 22:02:59
Done -- using the order size.
| |
| 80 if (status.IsError()) | |
| 81 return status; | |
| 82 | |
| 83 signature->resize(degree_bytes * 2); | |
| 84 | |
| 85 if (!BN_bn2bin_padded(&signature->front(), degree_bytes, ecdsa_sig.get()->r)) | |
| 86 return Status::ErrorUnexpected(); | |
| 87 | |
| 88 if (!BN_bn2bin_padded(&(*signature)[degree_bytes], degree_bytes, | |
| 89 ecdsa_sig.get()->s)) | |
| 90 return Status::ErrorUnexpected(); | |
|
davidben
2014/11/10 20:24:00
Nit: I think if the condition stretched over two l
eroman
2014/11/10 22:02:59
Done.
| |
| 91 | |
| 92 return Status::Success(); | |
| 93 } | |
| 94 | |
| 95 // Formats a WebCrypto ECDSA signature to a DER-encoded signature | |
| 96 // (ECDSA-Sig-Value as specified in RFC 3279). | |
| 97 // | |
| 98 // TODO(eroman): What is the specification for WebCrypto's signature format? | |
| 99 // | |
| 100 // If the signature length is incorrect (not 2 * degree), then | |
| 101 // Status::Success() is returned and |*incorrect_length| is set to true; | |
| 102 // | |
| 103 // Otherwise on success, der_signature is filled with a ASN.1 encoded | |
| 104 // ECDSA-Sig-Value. | |
| 105 Status ConvertWebCryptoSignatureToDerSignature( | |
| 106 EVP_PKEY* key, | |
| 107 const CryptoData& signature, | |
| 108 std::vector<uint8_t>* der_signature, | |
| 109 bool* incorrect_length) { | |
| 110 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
| 111 | |
| 112 // Determine the length of r and s. | |
| 113 size_t degree_bytes; | |
| 114 Status status = GetEcGroupDegreeInBytes(key, °ree_bytes); | |
| 115 if (status.IsError()) | |
| 116 return status; | |
| 117 | |
| 118 // If the size of the signature is incorrect, verification must fail. Success | |
| 119 // is returned here rather than an error, so that the caller can fail | |
| 120 // verification with a boolean, rather than reject the promise with an | |
| 121 // exception. | |
| 122 if (signature.byte_length() != 2 * degree_bytes) { | |
| 123 *incorrect_length = true; | |
| 124 return Status::Success(); | |
| 125 } | |
| 126 | |
| 127 *incorrect_length = false; | |
| 128 | |
| 129 // Construct an ECDSA_SIG from |signature|. | |
| 130 crypto::ScopedECDSA_SIG ecdsa_sig(ECDSA_SIG_new()); | |
| 131 if (!ecdsa_sig) | |
| 132 return Status::OperationError(); | |
| 133 | |
| 134 ecdsa_sig->r = BN_bin2bn(signature.bytes(), degree_bytes, NULL); | |
| 135 ecdsa_sig->s = | |
| 136 BN_bin2bn(signature.bytes() + degree_bytes, degree_bytes, NULL); | |
| 137 | |
| 138 if (!ecdsa_sig->r || !ecdsa_sig->s) | |
| 139 return Status::ErrorUnexpected(); | |
| 140 | |
| 141 // Determine the size of the DER-encoded signature. | |
| 142 int der_encoding_size = i2d_ECDSA_SIG(ecdsa_sig.get(), NULL); | |
| 143 if (der_encoding_size < 0) | |
| 144 return Status::OperationError(); | |
| 145 | |
| 146 // DER-encode the signature. | |
| 147 der_signature->resize(der_encoding_size); | |
| 148 uint8_t* result = &der_signature->front(); | |
| 149 if (0 > i2d_ECDSA_SIG(ecdsa_sig.get(), &result)) | |
| 150 return Status::OperationError(); | |
| 151 | |
| 152 return Status::Success(); | |
| 153 } | |
| 154 | |
| 155 class EcdsaImplementation : public EcAlgorithm { | |
| 156 public: | |
| 157 EcdsaImplementation() | |
| 158 : EcAlgorithm(blink::WebCryptoKeyUsageVerify, | |
| 159 blink::WebCryptoKeyUsageSign) {} | |
| 160 | |
| 161 const char* GetJwkAlgorithm( | |
| 162 const blink::WebCryptoNamedCurve curve) const override { | |
| 163 switch (curve) { | |
| 164 case blink::WebCryptoNamedCurveP256: | |
| 165 return "ES256"; | |
| 166 case blink::WebCryptoNamedCurveP384: | |
| 167 return "ES384"; | |
| 168 case blink::WebCryptoNamedCurveP521: | |
| 169 // This is not a typo! ES512 means P-521 with SHA-512. | |
| 170 return "ES512"; | |
| 171 default: | |
| 172 return NULL; | |
| 173 } | |
| 174 } | |
| 175 | |
| 176 Status Sign(const blink::WebCryptoAlgorithm& algorithm, | |
| 177 const blink::WebCryptoKey& key, | |
| 178 const CryptoData& data, | |
| 179 std::vector<uint8_t>* buffer) const override { | |
| 180 if (key.type() != blink::WebCryptoKeyTypePrivate) | |
| 181 return Status::ErrorUnexpectedKeyType(); | |
| 182 | |
| 183 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
| 184 crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create()); | |
| 185 | |
| 186 EVP_PKEY* private_key = NULL; | |
| 187 const EVP_MD* digest = NULL; | |
| 188 Status status = GetPKeyAndDigest(algorithm, key, &private_key, &digest); | |
| 189 if (status.IsError()) | |
| 190 return status; | |
| 191 | |
| 192 // NOTE: A call to EVP_DigestSignFinal() with a NULL second parameter | |
| 193 // returns a maximum allocation size, while the call without a NULL returns | |
| 194 // the real one, which may be smaller. | |
| 195 size_t sig_len = 0; | |
| 196 if (!ctx.get() || | |
| 197 !EVP_DigestSignInit(ctx.get(), NULL, digest, NULL, private_key) || | |
| 198 !EVP_DigestSignUpdate(ctx.get(), data.bytes(), data.byte_length()) || | |
| 199 !EVP_DigestSignFinal(ctx.get(), NULL, &sig_len)) { | |
| 200 return Status::OperationError(); | |
| 201 } | |
| 202 | |
| 203 buffer->resize(sig_len); | |
| 204 if (!EVP_DigestSignFinal(ctx.get(), &buffer->front(), &sig_len)) | |
| 205 return Status::OperationError(); | |
| 206 buffer->resize(sig_len); | |
| 207 | |
| 208 // ECDSA signing in BoringSSL outputs a DER-encoded (r,s). WebCrypto however | |
| 209 // expects a padded bitstring that is r concatenated to s. Convert to the | |
| 210 // expected format. | |
| 211 return ConvertDerSignatureToWebCryptoSignature(private_key, buffer); | |
| 212 } | |
| 213 | |
| 214 Status Verify(const blink::WebCryptoAlgorithm& algorithm, | |
| 215 const blink::WebCryptoKey& key, | |
| 216 const CryptoData& signature, | |
| 217 const CryptoData& data, | |
| 218 bool* signature_match) const override { | |
| 219 if (key.type() != blink::WebCryptoKeyTypePublic) | |
| 220 return Status::ErrorUnexpectedKeyType(); | |
| 221 | |
| 222 *signature_match = false; | |
|
davidben
2014/11/10 20:24:00
Nit: If this is getting set on errors too, may as
eroman
2014/11/10 22:02:59
I moved this to the end, for consistent style with
| |
| 223 | |
| 224 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
| 225 crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create()); | |
| 226 | |
| 227 EVP_PKEY* public_key = NULL; | |
| 228 const EVP_MD* digest = NULL; | |
| 229 Status status = GetPKeyAndDigest(algorithm, key, &public_key, &digest); | |
| 230 if (status.IsError()) | |
| 231 return status; | |
| 232 | |
| 233 std::vector<uint8_t> der_signature; | |
| 234 bool incorrect_length_signature; | |
| 235 status = ConvertWebCryptoSignatureToDerSignature( | |
| 236 public_key, signature, &der_signature, &incorrect_length_signature); | |
| 237 if (status.IsError()) | |
| 238 return status; | |
| 239 | |
| 240 if (incorrect_length_signature) { | |
| 241 *signature_match = false; | |
| 242 return Status::Success(); | |
| 243 } | |
| 244 | |
| 245 if (!EVP_DigestVerifyInit(ctx.get(), NULL, digest, NULL, public_key) || | |
| 246 !EVP_DigestVerifyUpdate(ctx.get(), data.bytes(), data.byte_length())) { | |
| 247 return Status::OperationError(); | |
| 248 } | |
| 249 | |
| 250 if (EVP_DigestVerifyFinal(ctx.get(), &der_signature.front(), | |
| 251 der_signature.size())) { | |
| 252 *signature_match = true; | |
| 253 } | |
| 254 | |
| 255 return Status::Success(); | |
| 256 } | |
| 257 }; | |
| 258 | |
| 259 } // namespace | |
| 260 | |
| 261 AlgorithmImplementation* CreatePlatformEcdsaImplementation() { | |
| 262 return new EcdsaImplementation; | |
| 263 } | |
| 264 | |
| 265 } // namespace webcrypto | |
| 266 | |
| 267 } // namespace content | |
| OLD | NEW |