content/child/webcrypto/nss/rsa_ssa_nss.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include <cryptohi.h>
   6
   7 #include "content/child/webcrypto/crypto_data.h"
   8 #include "content/child/webcrypto/nss/key_nss.h"
   9 #include "content/child/webcrypto/nss/rsa_key_nss.h"
  10 #include "content/child/webcrypto/nss/util_nss.h"
  11 #include "content/child/webcrypto/status.h"
  12 #include "crypto/scoped_nss_types.h"
  13 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
  14
  15 namespace content {
  16
  17 namespace webcrypto {
  18
  19 namespace {
  20
  21 class RsaSsaImplementation : public RsaHashedAlgorithm {
  22  public:
  23   RsaSsaImplementation()
  24       : RsaHashedAlgorithm(CKF_SIGN | CKF_VERIFY,
  25                            blink::WebCryptoKeyUsageVerify,
  26                            blink::WebCryptoKeyUsageSign) {}
  27
  28   virtual const char* GetJwkAlgorithm(
  29       const blink::WebCryptoAlgorithmId hash) const OVERRIDE {
  30     switch (hash) {
  31       case blink::WebCryptoAlgorithmIdSha1:
  32         return "RS1";
  33       case blink::WebCryptoAlgorithmIdSha256:
  34         return "RS256";
  35       case blink::WebCryptoAlgorithmIdSha384:
  36         return "RS384";
  37       case blink::WebCryptoAlgorithmIdSha512:
  38         return "RS512";
  39       default:
  40         return NULL;
  41     }
  42   }
  43
  44   virtual Status Sign(const blink::WebCryptoAlgorithm& algorithm,
  45                       const blink::WebCryptoKey& key,
  46                       const CryptoData& data,
  47                       std::vector<uint8_t>* buffer) const OVERRIDE {
  48     if (key.type() != blink::WebCryptoKeyTypePrivate)
  49       return Status::ErrorUnexpectedKeyType();
  50
  51     SECKEYPrivateKey* private_key = PrivateKeyNss::Cast(key)->key();
  52
  53     const blink::WebCryptoAlgorithm& hash =
  54         key.algorithm().rsaHashedParams()->hash();
  55
  56     // Pick the NSS signing algorithm by combining RSA-SSA (RSA PKCS1) and the
  57     // inner hash of the input Web Crypto algorithm.
  58     SECOidTag sign_alg_tag;
  59     switch (hash.id()) {
  60       case blink::WebCryptoAlgorithmIdSha1:
  61         sign_alg_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
  62         break;
  63       case blink::WebCryptoAlgorithmIdSha256:
  64         sign_alg_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
  65         break;
  66       case blink::WebCryptoAlgorithmIdSha384:
  67         sign_alg_tag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
  68         break;
  69       case blink::WebCryptoAlgorithmIdSha512:
  70         sign_alg_tag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
  71         break;
  72       default:
  73         return Status::ErrorUnsupported();
  74     }
  75
  76     crypto::ScopedSECItem signature_item(SECITEM_AllocItem(NULL, NULL, 0));
  77     if (SEC_SignData(signature_item.get(),
  78                      data.bytes(),
  79                      data.byte_length(),
  80                      private_key,
  81                      sign_alg_tag) != SECSuccess) {
  82       return Status::OperationError();
  83     }
  84
  85     buffer->assign(signature_item->data,
  86                    signature_item->data + signature_item->len);
  87     return Status::Success();
  88   }
  89
  90   virtual Status Verify(const blink::WebCryptoAlgorithm& algorithm,
  91                         const blink::WebCryptoKey& key,
  92                         const CryptoData& signature,
  93                         const CryptoData& data,
  94                         bool* signature_match) const OVERRIDE {
  95     if (key.type() != blink::WebCryptoKeyTypePublic)
  96       return Status::ErrorUnexpectedKeyType();
  97
  98     SECKEYPublicKey* public_key = PublicKeyNss::Cast(key)->key();
  99
 100     const blink::WebCryptoAlgorithm& hash =
 101         key.algorithm().rsaHashedParams()->hash();
 102
 103     const SECItem signature_item = MakeSECItemForBuffer(signature);
 104
 105     SECOidTag hash_alg_tag;
 106     switch (hash.id()) {
 107       case blink::WebCryptoAlgorithmIdSha1:
 108         hash_alg_tag = SEC_OID_SHA1;
 109         break;
 110       case blink::WebCryptoAlgorithmIdSha256:
 111         hash_alg_tag = SEC_OID_SHA256;
 112         break;
 113       case blink::WebCryptoAlgorithmIdSha384:
 114         hash_alg_tag = SEC_OID_SHA384;
 115         break;
 116       case blink::WebCryptoAlgorithmIdSha512:
 117         hash_alg_tag = SEC_OID_SHA512;
 118         break;
 119       default:
 120         return Status::ErrorUnsupported();
 121     }
 122
 123     *signature_match =
 124         SECSuccess == VFY_VerifyDataDirect(data.bytes(),
 125                                            data.byte_length(),
 126                                            public_key,
 127                                            &signature_item,
 128                                            SEC_OID_PKCS1_RSA_ENCRYPTION,
 129                                            hash_alg_tag,
 130                                            NULL,
 131                                            NULL);
 132     return Status::Success();
 133   }
 134 };
 135
 136 }  // namespace
 137
 138 AlgorithmImplementation* CreatePlatformRsaSsaImplementation() {
 139   return new RsaSsaImplementation;
 140 }
 141
 142 }  // namespace webcrypto
 143
 144 }  // namespace content