Implement HKDF for webcrypto

content/child/webcrypto/openssl/hkdf_openssl.cc

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <openssl/err.h>
+#include <openssl/hkdf.h>
+
+#include "base/logging.h"
+#include "base/stl_util.h"
+#include "content/child/webcrypto/algorithm_implementation.h"
+#include "content/child/webcrypto/crypto_data.h"
+#include "content/child/webcrypto/openssl/key_openssl.h"
+#include "content/child/webcrypto/openssl/util_openssl.h"
+#include "content/child/webcrypto/status.h"
+#include "content/child/webcrypto/webcrypto_util.h"
+#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
+#include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
+
+namespace content {
+
+namespace webcrypto {
+
+namespace {
+
+const blink::WebCryptoKeyUsageMask kValidUsages =
+    blink::WebCryptoKeyUsageDeriveKey | blink::WebCryptoKeyUsageDeriveBits;
+
+class HkdfImplementation : public AlgorithmImplementation {
+ public:
+  HkdfImplementation() {}
+
+  Status VerifyKeyUsagesBeforeImportKey(
+      blink::WebCryptoKeyFormat format,
+      blink::WebCryptoKeyUsageMask usages) const override {
+    if (format != blink::WebCryptoKeyFormatRaw)
+      return Status::ErrorUnsupportedImportKeyFormat();
+    return CheckKeyCreationUsages(kValidUsages, usages, false);
+  }
+
+  Status ImportKeyRaw(const CryptoData& key_data,
+                      const blink::WebCryptoAlgorithm& algorithm,
+                      bool extractable,
+                      blink::WebCryptoKeyUsageMask usages,
+                      blink::WebCryptoKey* key) const override {
+    return CreateWebCryptoSecretKey(key_data,
+                                    blink::WebCryptoKeyAlgorithm::createKdf(
+                                        blink::WebCryptoAlgorithmIdHkdf),
+                                    extractable, usages, key);
+  }
+
+  Status DeriveBits(const blink::WebCryptoAlgorithm& algorithm,
+                    const blink::WebCryptoKey& base_key,
+                    bool has_optional_length_bits,
+                    unsigned int optional_length_bits,
+                    std::vector<uint8_t>* derived_bytes) const override {
+    if (!has_optional_length_bits)
+      return Status::ErrorHkdfDeriveBitsLengthNotSpecified();
+
+    const blink::WebCryptoHkdfParams* params = algorithm.hkdfParams();
+
+    const EVP_MD* digest_algorithm = GetDigest(params->hash().id());
+    if (!digest_algorithm)
+      return Status::ErrorUnsupported();
+
+    // Size output to fit length
+    unsigned int derived_bytes_len = NumBitsToBytes(optional_length_bits);
+    derived_bytes->resize(derived_bytes_len);
+
+    // Algorithm dispatch checks that the algorithm in |base_key| matches
+    // |algorithm|.
+    const std::vector<uint8_t>& raw_key =
+        SymKeyOpenSsl::Cast(base_key)->raw_key_data();
+    const uint8_t* raw_key_voidp = raw_key.size() ? &raw_key[0] : nullptr;

[eroman, 2015/01/08 02:39:43]

(1) This is called "voidp" however it is not a void pointer
(2) raw_key.size() --> !raw_key.empty() is clearer I think
(3) other code in webcrypto is using NULL not nullptr, can you match that style?
(switching everything to nullptr should be a separate refactor)

[nharper, 2015/01/09 18:35:55]

1) it's now raw_key_p
2) I used raw_key.empty() and switched the 2nd and 3rd args to the ternary to
make it clearer
3) switched to NULL. (After enough time in google3, I finally got trained to use
nullptr instead of NULL, and now I have to unlearn that.)

+    if (!HKDF(&(*derived_bytes)[0], derived_bytes_len, digest_algorithm,

[eroman, 2015/01/08 02:39:43]

derived_bytes might be empty, so dereferncing element 0 is not correct
(certainly was on advantage of using .data().

  (1) Add a test deriving 0 bits
  (2) Maybe things have changed and .data() is supported on all platforms now?
Try sending some jobs to trybots, would certainly be cleaner using .data() in
these places.

[nharper, 2015/01/09 18:35:55]

Good catch on derived_bytes possibly being empty. I changed it to use the same
trick as raw_key_p (I copied that trick from the hmac code). I'd like to leave
it using this trick for now, and later I can refactor this (and hmac, and
possibly other places if there are others) to use .data() if it's supported.

+              raw_key_voidp, raw_key.size(), params->salt().data(),
+              params->salt().size(), params->info().data(),
+              params->info().size())) {
+      uint32_t error = ERR_get_error();
+      if (ERR_GET_LIB(error) == ERR_LIB_HKDF &&
+          ERR_GET_REASON(error) == HKDF_R_OUTPUT_TOO_LARGE)
+        return Status::ErrorHkdfLengthTooLong();
+      return Status::OperationError();
+    }
+
+    TruncateToBitLength(optional_length_bits, derived_bytes);
+    return Status::Success();
+  }
+
+  Status SerializeKeyForClone(
+      const blink::WebCryptoKey& key,
+      blink::WebVector<uint8_t>* key_data) const override {
+    key_data->assign(SymKeyOpenSsl::Cast(key)->serialized_key_data());
+    return Status::Success();
+  }
+
+  Status DeserializeKeyForClone(const blink::WebCryptoKeyAlgorithm& algorithm,
+                                blink::WebCryptoKeyType type,
+                                bool extractable,
+                                blink::WebCryptoKeyUsageMask usages,
+                                const CryptoData& key_data,
+                                blink::WebCryptoKey* key) const override {
+    return CreateWebCryptoSecretKey(key_data, algorithm, extractable, usages,
+                                    key);
+  }
+};
+
+}  // namespace
+
+AlgorithmImplementation* CreatePlatformHkdfImplementation() {
+  return new HkdfImplementation;
+}
+
+}  // namespace webcrypto
+
+}  // namespace content