content/child/webcrypto/openssl/hkdf_openssl.cc - Issue 803173010: Implement HKDF for webcrypto

Side by Side Diff: content/child/webcrypto/openssl/hkdf_openssl.cc

Issue 803173010: Implement HKDF for webcrypto (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 12 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2014 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include <openssl/err.h>

	6 #include <openssl/hkdf.h>

	7

	8 // TODO: figure out which headers belong here and remove ones that were
	eroman 2014/12/23 23:13:36 (1) TODO(nharper) (2) Address the TODO now :) (1) TODO(nharper) (2) Address the TODO now :) nharper 2015/01/06 22:53:42 Done. Show quoted text On 2014/12/23 23:13:36, eroman wrote: > (1) TODO(nharper) > (2) Address the TODO now :) Done.
	9 // just copied over from hmac

	10 #include "base/logging.h"

	11 #include "base/stl_util.h"

	12 #include "content/child/webcrypto/algorithm_implementation.h"

	13 #include "content/child/webcrypto/crypto_data.h"

	14 #include "content/child/webcrypto/jwk.h"

	15 #include "content/child/webcrypto/openssl/key_openssl.h"

	16 #include "content/child/webcrypto/openssl/sym_key_openssl.h"

	17 #include "content/child/webcrypto/openssl/util_openssl.h"

	18 #include "content/child/webcrypto/status.h"

	19 #include "content/child/webcrypto/webcrypto_util.h"

	20 #include "crypto/openssl_util.h"

	21 #include "crypto/secure_util.h"

	22 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"

	23 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"

	24

	25 namespace content {

	26

	27 namespace webcrypto {

	28

	29 namespace {

	30

	31 const blink::WebCryptoKeyUsageMask kValidUsages =

	32 blink::WebCryptoKeyUsageDeriveKey \| blink::WebCryptoKeyUsageDeriveBits;

	33

	34 class HkdfImplementation : public AlgorithmImplementation {

	35 public:

	36 HkdfImplementation() {}

	37

	38 // This is doing a check that is only valid for raw format, but since

	39 // ImportKeyRaw is the the only ImportKey implemented here, there's no

	40 // need to check the format here.
	eroman 2014/12/23 23:13:36 You should do the check, otherwise this is inconsi You should do the check, otherwise this is inconsistent with how other algorithms are implemented. In particular consider the case of unwrapping a key with a format other than raw. The errors will differ. nharper 2015/01/06 22:53:42 I added a check here for this. It turns out in bot Show quoted text On 2014/12/23 23:13:36, eroman wrote: > You should do the check, otherwise this is inconsistent with how other > algorithms are implemented. > > In particular consider the case of unwrapping a key with a format other than > raw. The errors will differ. I added a check here for this. It turns out in both cases, the correct thing to do is throw a NotSupportedError, so there's no difference in the errors.
	41 Status VerifyKeyUsagesBeforeImportKey(

	42 blink::WebCryptoKeyFormat format,

	43 blink::WebCryptoKeyUsageMask usages) const override {

	44 return CheckKeyCreationUsages(kValidUsages, usages, false);

	45 }

	46
	eroman 2014/12/23 23:13:36 This also needs support for cloning/de-cloning. This also needs support for cloning/de-cloning. nharper 2015/01/06 22:53:42 Done. Show quoted text On 2014/12/23 23:13:36, eroman wrote: > This also needs support for cloning/de-cloning. Done.
	47 Status ImportKeyRaw(const CryptoData& key_data,

	48 const blink::WebCryptoAlgorithm& algorithm,

	49 bool extractable,

	50 blink::WebCryptoKeyUsageMask usages,

	51 blink::WebCryptoKey* key) const override {

	52 *key = blink::WebCryptoKey::create(

	53 new SymKeyOpenSsl(key_data), blink::WebCryptoKeyTypeSecret, extractable,

	54 blink::WebCryptoKeyAlgorithm::createHkdf(), usages);

	55 return Status::Success();

	56 }

	57

	58 Status DeriveBits(const blink::WebCryptoAlgorithm& algorithm,

	59 const blink::WebCryptoKey& base_key,

	60 bool has_optional_length_bits,

	61 unsigned int optional_length_bits,

	62 std::vector<uint8_t>* derived_bytes) const override {

	63 // When called by crypto.subtle.deriveBits(), length will already be present

	64 // and converted to a number. It won't be called as part of deriveKey,
	eroman 2014/12/23 23:13:36 I don't understand this comment. HKDF does support I don't understand this comment. HKDF does support deriveKey(). Seems like this is reachable by calling deriveKey() for HDKF, and specifying the derivedKeyType as also HKDF, right? The spec says to throw a TypeError in this case. nharper 2015/01/06 22:53:42 Done. Show quoted text On 2014/12/23 23:13:36, eroman wrote: > I don't understand this comment. HKDF does support deriveKey(). > > Seems like this is reachable by calling deriveKey() for HDKF, and specifying the > derivedKeyType as also HKDF, right? > > The spec says to throw a TypeError in this case. Done.
	65 // because that's not supported for this algorithm. Therefore, it's

	66 // unexpected for this method to ever be called without a length.

	67 if (!has_optional_length_bits)

	68 return Status::ErrorUnexpected();

	69

	70 // "If the hash member of normalizedAlgorithm does not describe a recognized

	71 // algorithm that supports the digest operation, then throw a

	72 // NotSupportedError"

	73 const EVP_MD* digest_algorithm =

	74 GetDigest(algorithm.hkdfParams()->hash().id());
	eroman 2014/12/23 23:13:36 It is guaranteed to already be a digest, since the It is guaranteed to already be a digest, since the Blink Layer ensures it is a HashAlgorithmIdentifier when parsing. nharper 2015/01/06 22:53:42 This same check is done in the HMAC code - any obj Show quoted text On 2014/12/23 23:13:36, eroman wrote: > It is guaranteed to already be a digest, since the Blink Layer ensures it is a > HashAlgorithmIdentifier when parsing. This same check is done in the HMAC code - any objection to leaving it here? eroman 2015/01/07 00:23:42 Nope. Although we should be consistent about when Show quoted text On 2015/01/06 22:53:42, nharper wrote: > On 2014/12/23 23:13:36, eroman wrote: > > It is guaranteed to already be a digest, since the Blink Layer ensures it is a > > HashAlgorithmIdentifier when parsing. > > This same check is done in the HMAC code - any objection to leaving it here? Nope. Although we should be consistent about when it is Unexpected vs NotSupported. We should change the others to be NotSupported as well. nharper 2015/01/08 01:31:23 It looks like sha_openssl.cc is the only one (code Show quoted text On 2015/01/07 00:23:42, eroman wrote: > On 2015/01/06 22:53:42, nharper wrote: > > On 2014/12/23 23:13:36, eroman wrote: > > > It is guaranteed to already be a digest, since the Blink Layer ensures it is > a > > > HashAlgorithmIdentifier when parsing. > > > > This same check is done in the HMAC code - any objection to leaving it here? > > Nope. Although we should be consistent about when it is Unexpected vs > NotSupported. We should change the others to be NotSupported as well. It looks like sha_openssl.cc is the only one (code that calls GetDigest() in src/content/child/webcrypto/openssl) that returns Status::ErrorUnexpected() instead of Status::ErrorUnsupported(). I'll change that in a separate cl.
	75 if (!digest_algorithm)

	76 return Status::ErrorUnsupported();

	77

	78 // Size output to fit length

	79 unsigned int derived_bytes_len = (optional_length_bits + 7) / 8;
	eroman 2014/12/23 23:13:36 Use NumBitsToBytes() instead. It is more readable Use NumBitsToBytes() instead. It is more readable, but more importantly the input is user controlled and we should not allow integer overflowing. nharper 2015/01/06 22:53:42 Done. Show quoted text On 2014/12/23 23:13:36, eroman wrote: > Use NumBitsToBytes() instead. > > It is more readable, but more importantly the input is user controlled and we > should not allow integer overflowing. Done.
	80 derived_bytes->resize(derived_bytes_len);

	81

	82 // Algorithm dispatch checks that the algorithm in \|base_key\| matches

	83 // \|algorithm\|.

	84 std::vector<uint8_t> raw_key =
	eroman 2014/12/23 23:13:36 Don't make a copy of the key material. Don't make a copy of the key material. nharper 2015/01/06 22:53:42 Done. Show quoted text On 2014/12/23 23:13:36, eroman wrote: > Don't make a copy of the key material. Done.
	85 SymKeyOpenSsl::Cast(base_key)->raw_key_data();

	86 blink::WebVector<unsigned char> salt = algorithm.hkdfParams()->salt();
	eroman 2014/12/23 23:13:36 Don't make copies here. Don't make copies here. nharper 2015/01/06 22:53:42 Done. Show quoted text On 2014/12/23 23:13:36, eroman wrote: > Don't make copies here. Done.
	87 blink::WebVector<unsigned char> info = algorithm.hkdfParams()->info();

	88 if (!HKDF(derived_bytes->data(), derived_bytes_len, digest_algorithm,

	89 raw_key.data(), raw_key.size(), salt.data(), salt.size(),

	90 info.data(), info.size())) {

	91 uint32_t error = ERR_get_error();

	92 if (ERR_GET_LIB(error) == ERR_LIB_HKDF &&

	93 ERR_GET_REASON(error) == HKDF_R_OUTPUT_TOO_LARGE) {

	94 return Status::ErrorHkdfLengthTooLong();

	95 } else {
	eroman 2014/12/23 23:13:36 nit: omit "else" when short-circuiting. nit: omit "else" when short-circuiting. nharper 2015/01/06 22:53:42 Done. Also removed the curly braces from the one-l Show quoted text On 2014/12/23 23:13:36, eroman wrote: > nit: omit "else" when short-circuiting. Done. Also removed the curly braces from the one-line if statement, even though I disagree with that style.
	96 return Status::OperationError();

	97 }

	98 }

	99 return Status::Success();

	100 }

	101 };

	102

	103 } // namespace

	104

	105 AlgorithmImplementation* CreatePlatformHkdfImplementation() {

	106 return new HkdfImplementation;

	107 }

	108

	109 } // namespace webcrypto

	110

	111 } // namespace content

OLD	NEW

« no previous file with comments | « content/child/webcrypto/nss/util_nss.cc ('k') | content/child/webcrypto/platform_crypto.h » ('j') | no next file with comments »