search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added unit test for DevTools' ephemeral port support.
[chromium-blink-merge.git] / content / child / webcrypto / platform_crypto_nss.cc
blobdab8582753cf2329dedec349bba9e40e92c160f3
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/child/webcrypto/platform_crypto.h"
6
7 #include <cryptohi.h>
8 #include <pk11pub.h>
9 #include <secerr.h>
10 #include <sechash.h>
11
12 #include <vector>
13
14 #include "base/lazy_instance.h"
15 #include "base/logging.h"
16 #include "base/memory/scoped_ptr.h"
17 #include "content/child/webcrypto/crypto_data.h"
18 #include "content/child/webcrypto/status.h"
19 #include "content/child/webcrypto/webcrypto_util.h"
20 #include "crypto/nss_util.h"
21 #include "crypto/scoped_nss_types.h"
22 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
23 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
24 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
25
26 #if defined(USE_NSS)
27 #include <dlfcn.h>
28 #include <secoid.h>
29 #endif
30
31 // At the time of this writing:
32 // * Windows and Mac builds ship with their own copy of NSS (3.15+)
33 // * Linux builds use the system's libnss, which is 3.14 on Debian (but 3.15+
34 // on other distros).
35 //
36 // Since NSS provides AES-GCM support starting in version 3.15, it may be
37 // unavailable for Linux Chrome users.
38 //
39 // * !defined(CKM_AES_GCM)
40 //
41 // This means that at build time, the NSS header pkcs11t.h is older than
42 // 3.15. However at runtime support may be present.
43 //
44 // * !defined(USE_NSS)
45 //
46 // This means that Chrome is being built with an embedded copy of NSS,
47 // which can be assumed to be >= 3.15. On the other hand if USE_NSS is
48 // defined, it also implies running on Linux.
49 //
50 // TODO(eroman): Simplify this once 3.15+ is required by Linux builds.
51 #if !defined(CKM_AES_GCM)
52 #define CKM_AES_GCM 0x00001087
53
54 struct CK_GCM_PARAMS {
55 CK_BYTE_PTR pIv;
56 CK_ULONG ulIvLen;
57 CK_BYTE_PTR pAAD;
58 CK_ULONG ulAADLen;
59 CK_ULONG ulTagBits;
60 };
61 #endif // !defined(CKM_AES_GCM)
62
63 namespace {
64
65 // Signature for PK11_Encrypt and PK11_Decrypt.
66 typedef SECStatus (*PK11_EncryptDecryptFunction)(PK11SymKey*,
67 CK_MECHANISM_TYPE,
68 SECItem*,
69 unsigned char*,
70 unsigned int*,
71 unsigned int,
72 const unsigned char*,
73 unsigned int);
74
75 // Signature for PK11_PubEncrypt
76 typedef SECStatus (*PK11_PubEncryptFunction)(SECKEYPublicKey*,
77 CK_MECHANISM_TYPE,
78 SECItem*,
79 unsigned char*,
80 unsigned int*,
81 unsigned int,
82 const unsigned char*,
83 unsigned int,
84 void*);
85
86 // Signature for PK11_PrivDecrypt
87 typedef SECStatus (*PK11_PrivDecryptFunction)(SECKEYPrivateKey*,
88 CK_MECHANISM_TYPE,
89 SECItem*,
90 unsigned char*,
91 unsigned int*,
92 unsigned int,
93 const unsigned char*,
94 unsigned int);
95
96 // Singleton to abstract away dynamically loading libnss3.so
97 class NssRuntimeSupport {
98 public:
99 bool IsAesGcmSupported() const {
100 return pk11_encrypt_func_ && pk11_decrypt_func_;
101 }
102
103 bool IsRsaOaepSupported() const {
104 return pk11_pub_encrypt_func_ && pk11_priv_decrypt_func_ &&
105 internal_slot_does_oaep_;
106 }
107
108 // Returns NULL if unsupported.
109 PK11_EncryptDecryptFunction pk11_encrypt_func() const {
110 return pk11_encrypt_func_;
111 }
112
113 // Returns NULL if unsupported.
114 PK11_EncryptDecryptFunction pk11_decrypt_func() const {
115 return pk11_decrypt_func_;
116 }
117
118 // Returns NULL if unsupported.
119 PK11_PubEncryptFunction pk11_pub_encrypt_func() const {
120 return pk11_pub_encrypt_func_;
121 }
122
123 // Returns NULL if unsupported.
124 PK11_PrivDecryptFunction pk11_priv_decrypt_func() const {
125 return pk11_priv_decrypt_func_;
126 }
127
128 private:
129 friend struct base::DefaultLazyInstanceTraits<NssRuntimeSupport>;
130
131 NssRuntimeSupport() : internal_slot_does_oaep_(false) {
132 #if !defined(USE_NSS)
133 // Using a bundled version of NSS that is guaranteed to have this symbol.
134 pk11_encrypt_func_ = PK11_Encrypt;
135 pk11_decrypt_func_ = PK11_Decrypt;
136 pk11_pub_encrypt_func_ = PK11_PubEncrypt;
137 pk11_priv_decrypt_func_ = PK11_PrivDecrypt;
138 internal_slot_does_oaep_ = true;
139 #else
140 // Using system NSS libraries and PCKS #11 modules, which may not have the
141 // necessary function (PK11_Encrypt) or mechanism support (CKM_AES_GCM).
142
143 // If PK11_Encrypt() was successfully resolved, then NSS will support
144 // AES-GCM directly. This was introduced in NSS 3.15.
145 pk11_encrypt_func_ = reinterpret_cast<PK11_EncryptDecryptFunction>(
146 dlsym(RTLD_DEFAULT, "PK11_Encrypt"));
147 pk11_decrypt_func_ = reinterpret_cast<PK11_EncryptDecryptFunction>(
148 dlsym(RTLD_DEFAULT, "PK11_Decrypt"));
149
150 // Even though NSS's pk11wrap layer may support
151 // PK11_PubEncrypt/PK11_PubDecrypt (introduced in NSS 3.16.2), it may have
152 // loaded a softoken that does not include OAEP support.
153 pk11_pub_encrypt_func_ = reinterpret_cast<PK11_PubEncryptFunction>(
154 dlsym(RTLD_DEFAULT, "PK11_PubEncrypt"));
155 pk11_priv_decrypt_func_ = reinterpret_cast<PK11_PrivDecryptFunction>(
156 dlsym(RTLD_DEFAULT, "PK11_PrivDecrypt"));
157 if (pk11_priv_decrypt_func_ && pk11_pub_encrypt_func_) {
158 crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
159 internal_slot_does_oaep_ =
160 !!PK11_DoesMechanism(slot.get(), CKM_RSA_PKCS_OAEP);
161 }
162 #endif
163 }
164
165 PK11_EncryptDecryptFunction pk11_encrypt_func_;
166 PK11_EncryptDecryptFunction pk11_decrypt_func_;
167 PK11_PubEncryptFunction pk11_pub_encrypt_func_;
168 PK11_PrivDecryptFunction pk11_priv_decrypt_func_;
169 bool internal_slot_does_oaep_;
170 };
171
172 base::LazyInstance<NssRuntimeSupport>::Leaky g_nss_runtime_support =
173 LAZY_INSTANCE_INITIALIZER;
174
175 } // namespace
176
177 namespace content {
178
179 namespace webcrypto {
180
181 namespace platform {
182
183 // Each key maintains a copy of its serialized form
184 // in either 'raw', 'pkcs8', or 'spki' format. This is to allow
185 // structured cloning of keys synchronously from the target Blink
186 // thread without having to lock access to the key.
187 //
188 // TODO(eroman): Take advantage of this for implementing exportKey(): no need
189 // to call into NSS if the serialized form already exists.
190 // http://crubg.com/366836
191 class SymKey : public Key {
192 public:
193 static Status Create(crypto::ScopedPK11SymKey key, scoped_ptr<SymKey>* out) {
194 out->reset(new SymKey(key.Pass()));
195 return ExportKeyRaw(out->get(), &(*out)->serialized_key_);
196 }
197
198 PK11SymKey* key() { return key_.get(); }
199
200 virtual SymKey* AsSymKey() OVERRIDE { return this; }
201 virtual PublicKey* AsPublicKey() OVERRIDE { return NULL; }
202 virtual PrivateKey* AsPrivateKey() OVERRIDE { return NULL; }
203
204 virtual bool ThreadSafeSerializeForClone(
205 blink::WebVector<uint8>* key_data) OVERRIDE {
206 key_data->assign(Uint8VectorStart(serialized_key_), serialized_key_.size());
207 return true;
208 }
209
210 private:
211 explicit SymKey(crypto::ScopedPK11SymKey key) : key_(key.Pass()) {}
212
213 crypto::ScopedPK11SymKey key_;
214 std::vector<uint8> serialized_key_;
215
216 DISALLOW_COPY_AND_ASSIGN(SymKey);
217 };
218
219 class PublicKey : public Key {
220 public:
221 static Status Create(crypto::ScopedSECKEYPublicKey key,
222 scoped_ptr<PublicKey>* out) {
223 out->reset(new PublicKey(key.Pass()));
224 return ExportKeySpki(out->get(), &(*out)->serialized_key_);
225 }
226
227 SECKEYPublicKey* key() { return key_.get(); }
228
229 virtual SymKey* AsSymKey() OVERRIDE { return NULL; }
230 virtual PublicKey* AsPublicKey() OVERRIDE { return this; }
231 virtual PrivateKey* AsPrivateKey() OVERRIDE { return NULL; }
232
233 virtual bool ThreadSafeSerializeForClone(
234 blink::WebVector<uint8>* key_data) OVERRIDE {
235 key_data->assign(Uint8VectorStart(serialized_key_), serialized_key_.size());
236 return true;
237 }
238
239 private:
240 explicit PublicKey(crypto::ScopedSECKEYPublicKey key) : key_(key.Pass()) {}
241
242 crypto::ScopedSECKEYPublicKey key_;
243 std::vector<uint8> serialized_key_;
244
245 DISALLOW_COPY_AND_ASSIGN(PublicKey);
246 };
247
248 class PrivateKey : public Key {
249 public:
250 static Status Create(crypto::ScopedSECKEYPrivateKey key,
251 const blink::WebCryptoKeyAlgorithm& algorithm,
252 scoped_ptr<PrivateKey>* out) {
253 out->reset(new PrivateKey(key.Pass()));
254 return ExportKeyPkcs8(out->get(), algorithm, &(*out)->serialized_key_);
255 }
256
257 SECKEYPrivateKey* key() { return key_.get(); }
258
259 virtual SymKey* AsSymKey() OVERRIDE { return NULL; }
260 virtual PublicKey* AsPublicKey() OVERRIDE { return NULL; }
261 virtual PrivateKey* AsPrivateKey() OVERRIDE { return this; }
262
263 virtual bool ThreadSafeSerializeForClone(
264 blink::WebVector<uint8>* key_data) OVERRIDE {
265 key_data->assign(Uint8VectorStart(serialized_key_), serialized_key_.size());
266 return true;
267 }
268
269 private:
270 explicit PrivateKey(crypto::ScopedSECKEYPrivateKey key) : key_(key.Pass()) {}
271
272 crypto::ScopedSECKEYPrivateKey key_;
273 std::vector<uint8> serialized_key_;
274
275 DISALLOW_COPY_AND_ASSIGN(PrivateKey);
276 };
277
278 namespace {
279
280 // Creates a SECItem for the data in |buffer|. This does NOT make a copy, so
281 // |buffer| should outlive the SECItem.
282 SECItem MakeSECItemForBuffer(const CryptoData& buffer) {
283 SECItem item = {
284 siBuffer,
285 // NSS requires non-const data even though it is just for input.
286 const_cast<unsigned char*>(buffer.bytes()), buffer.byte_length()};
287 return item;
288 }
289
290 HASH_HashType WebCryptoAlgorithmToNSSHashType(
291 blink::WebCryptoAlgorithmId algorithm) {
292 switch (algorithm) {
293 case blink::WebCryptoAlgorithmIdSha1:
294 return HASH_AlgSHA1;
295 case blink::WebCryptoAlgorithmIdSha256:
296 return HASH_AlgSHA256;
297 case blink::WebCryptoAlgorithmIdSha384:
298 return HASH_AlgSHA384;
299 case blink::WebCryptoAlgorithmIdSha512:
300 return HASH_AlgSHA512;
301 default:
302 // Not a digest algorithm.
303 return HASH_AlgNULL;
304 }
305 }
306
307 CK_MECHANISM_TYPE WebCryptoHashToHMACMechanism(
308 const blink::WebCryptoAlgorithm& algorithm) {
309 switch (algorithm.id()) {
310 case blink::WebCryptoAlgorithmIdSha1:
311 return CKM_SHA_1_HMAC;
312 case blink::WebCryptoAlgorithmIdSha256:
313 return CKM_SHA256_HMAC;
314 case blink::WebCryptoAlgorithmIdSha384:
315 return CKM_SHA384_HMAC;
316 case blink::WebCryptoAlgorithmIdSha512:
317 return CKM_SHA512_HMAC;
318 default:
319 // Not a supported algorithm.
320 return CKM_INVALID_MECHANISM;
321 }
322 }
323
324 CK_MECHANISM_TYPE WebCryptoHashToDigestMechanism(
325 const blink::WebCryptoAlgorithm& algorithm) {
326 switch (algorithm.id()) {
327 case blink::WebCryptoAlgorithmIdSha1:
328 return CKM_SHA_1;
329 case blink::WebCryptoAlgorithmIdSha256:
330 return CKM_SHA256;
331 case blink::WebCryptoAlgorithmIdSha384:
332 return CKM_SHA384;
333 case blink::WebCryptoAlgorithmIdSha512:
334 return CKM_SHA512;
335 default:
336 // Not a supported algorithm.
337 return CKM_INVALID_MECHANISM;
338 }
339 }
340
341 CK_MECHANISM_TYPE WebCryptoHashToMGFMechanism(
342 const blink::WebCryptoAlgorithm& algorithm) {
343 switch (algorithm.id()) {
344 case blink::WebCryptoAlgorithmIdSha1:
345 return CKG_MGF1_SHA1;
346 case blink::WebCryptoAlgorithmIdSha256:
347 return CKG_MGF1_SHA256;
348 case blink::WebCryptoAlgorithmIdSha384:
349 return CKG_MGF1_SHA384;
350 case blink::WebCryptoAlgorithmIdSha512:
351 return CKG_MGF1_SHA512;
352 default:
353 return CKM_INVALID_MECHANISM;
354 }
355 }
356
357 bool InitializeRsaOaepParams(const blink::WebCryptoAlgorithm& hash,
358 const CryptoData& label,
359 CK_RSA_PKCS_OAEP_PARAMS* oaep_params) {
360 oaep_params->source = CKZ_DATA_SPECIFIED;
361 oaep_params->pSourceData = const_cast<unsigned char*>(label.bytes());
362 oaep_params->ulSourceDataLen = label.byte_length();
363 oaep_params->mgf = WebCryptoHashToMGFMechanism(hash);
364 oaep_params->hashAlg = WebCryptoHashToDigestMechanism(hash);
365
366 if (oaep_params->mgf == CKM_INVALID_MECHANISM ||
367 oaep_params->hashAlg == CKM_INVALID_MECHANISM) {
368 return false;
369 }
370
371 return true;
372 }
373
374 Status AesCbcEncryptDecrypt(EncryptOrDecrypt mode,
375 SymKey* key,
376 const CryptoData& iv,
377 const CryptoData& data,
378 std::vector<uint8>* buffer) {
379 CK_ATTRIBUTE_TYPE operation = (mode == ENCRYPT) ? CKA_ENCRYPT : CKA_DECRYPT;
380
381 SECItem iv_item = MakeSECItemForBuffer(iv);
382
383 crypto::ScopedSECItem param(PK11_ParamFromIV(CKM_AES_CBC_PAD, &iv_item));
384 if (!param)
385 return Status::OperationError();
386
387 crypto::ScopedPK11Context context(PK11_CreateContextBySymKey(
388 CKM_AES_CBC_PAD, operation, key->key(), param.get()));
389
390 if (!context.get())
391 return Status::OperationError();
392
393 // Oddly PK11_CipherOp takes input and output lengths as "int" rather than
394 // "unsigned int". Do some checks now to avoid integer overflowing.
395 if (data.byte_length() >= INT_MAX - AES_BLOCK_SIZE) {
396 // TODO(eroman): Handle this by chunking the input fed into NSS. Right now
397 // it doesn't make much difference since the one-shot API would end up
398 // blowing out the memory and crashing anyway.
399 return Status::ErrorDataTooLarge();
400 }
401
402 // PK11_CipherOp does an invalid memory access when given empty decryption
403 // input, or input which is not a multiple of the block size. See also
404 // https://bugzilla.mozilla.com/show_bug.cgi?id=921687.
405 if (operation == CKA_DECRYPT &&
406 (data.byte_length() == 0 || (data.byte_length() % AES_BLOCK_SIZE != 0))) {
407 return Status::OperationError();
408 }
409
410 // TODO(eroman): Refine the output buffer size. It can be computed exactly for
411 // encryption, and can be smaller for decryption.
412 unsigned int output_max_len = data.byte_length() + AES_BLOCK_SIZE;
413 CHECK_GT(output_max_len, data.byte_length());
414
415 buffer->resize(output_max_len);
416
417 unsigned char* buffer_data = Uint8VectorStart(buffer);
418
419 int output_len;
420 if (SECSuccess != PK11_CipherOp(context.get(),
421 buffer_data,
422 &output_len,
423 buffer->size(),
424 data.bytes(),
425 data.byte_length())) {
426 return Status::OperationError();
427 }
428
429 unsigned int final_output_chunk_len;
430 if (SECSuccess != PK11_DigestFinal(context.get(),
431 buffer_data + output_len,
432 &final_output_chunk_len,
433 output_max_len - output_len)) {
434 return Status::OperationError();
435 }
436
437 buffer->resize(final_output_chunk_len + output_len);
438 return Status::Success();
439 }
440
441 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is
442 // the concatenation of the ciphertext and the authentication tag. Similarly,
443 // this is the expectation for the input to decryption.
444 Status AesGcmEncryptDecrypt(EncryptOrDecrypt mode,
445 SymKey* key,
446 const CryptoData& data,
447 const CryptoData& iv,
448 const CryptoData& additional_data,
449 unsigned int tag_length_bits,
450 std::vector<uint8>* buffer) {
451 if (!g_nss_runtime_support.Get().IsAesGcmSupported())
452 return Status::ErrorUnsupported();
453
454 unsigned int tag_length_bytes = tag_length_bits / 8;
455
456 CK_GCM_PARAMS gcm_params = {0};
457 gcm_params.pIv = const_cast<unsigned char*>(iv.bytes());
458 gcm_params.ulIvLen = iv.byte_length();
459
460 gcm_params.pAAD = const_cast<unsigned char*>(additional_data.bytes());
461 gcm_params.ulAADLen = additional_data.byte_length();
462
463 gcm_params.ulTagBits = tag_length_bits;
464
465 SECItem param;
466 param.type = siBuffer;
467 param.data = reinterpret_cast<unsigned char*>(&gcm_params);
468 param.len = sizeof(gcm_params);
469
470 unsigned int buffer_size = 0;
471
472 // Calculate the output buffer size.
473 if (mode == ENCRYPT) {
474 // TODO(eroman): This is ugly, abstract away the safe integer arithmetic.
475 if (data.byte_length() > (UINT_MAX - tag_length_bytes))
476 return Status::ErrorDataTooLarge();
477 buffer_size = data.byte_length() + tag_length_bytes;
478 } else {
479 // TODO(eroman): In theory the buffer allocated for the plain text should be
480 // sized as |data.byte_length() - tag_length_bytes|.
481 //
482 // However NSS has a bug whereby it will fail if the output buffer size is
483 // not at least as large as the ciphertext:
484 //
485 // https://bugzilla.mozilla.org/show_bug.cgi?id=%20853674
486 //
487 // From the analysis of that bug it looks like it might be safe to pass a
488 // correctly sized buffer but lie about its size. Since resizing the
489 // WebCryptoArrayBuffer is expensive that hack may be worth looking into.
490 buffer_size = data.byte_length();
491 }
492
493 buffer->resize(buffer_size);
494 unsigned char* buffer_data = Uint8VectorStart(buffer);
495
496 PK11_EncryptDecryptFunction func =
497 (mode == ENCRYPT) ? g_nss_runtime_support.Get().pk11_encrypt_func()
498 : g_nss_runtime_support.Get().pk11_decrypt_func();
499
500 unsigned int output_len = 0;
501 SECStatus result = func(key->key(),
502 CKM_AES_GCM,
503 &param,
504 buffer_data,
505 &output_len,
506 buffer->size(),
507 data.bytes(),
508 data.byte_length());
509
510 if (result != SECSuccess)
511 return Status::OperationError();
512
513 // Unfortunately the buffer needs to be shrunk for decryption (see the NSS bug
514 // above).
515 buffer->resize(output_len);
516
517 return Status::Success();
518 }
519
520 CK_MECHANISM_TYPE WebCryptoAlgorithmToGenMechanism(
521 const blink::WebCryptoAlgorithm& algorithm) {
522 switch (algorithm.id()) {
523 case blink::WebCryptoAlgorithmIdAesCbc:
524 case blink::WebCryptoAlgorithmIdAesGcm:
525 case blink::WebCryptoAlgorithmIdAesKw:
526 return CKM_AES_KEY_GEN;
527 case blink::WebCryptoAlgorithmIdHmac:
528 return WebCryptoHashToHMACMechanism(algorithm.hmacKeyGenParams()->hash());
529 default:
530 return CKM_INVALID_MECHANISM;
531 }
532 }
533
534 // Converts a (big-endian) WebCrypto BigInteger, with or without leading zeros,
535 // to unsigned long.
536 bool BigIntegerToLong(const uint8* data,
537 unsigned int data_size,
538 unsigned long* result) {
539 // TODO(padolph): Is it correct to say that empty data is an error, or does it
540 // mean value 0? See https://www.w3.org/Bugs/Public/show_bug.cgi?id=23655
541 if (data_size == 0)
542 return false;
543
544 *result = 0;
545 for (size_t i = 0; i < data_size; ++i) {
546 size_t reverse_i = data_size - i - 1;
547
548 if (reverse_i >= sizeof(unsigned long) && data[i])
549 return false; // Too large for a long.
550
551 *result |= data[i] << 8 * reverse_i;
552 }
553 return true;
554 }
555
556 bool CreatePublicKeyAlgorithm(const blink::WebCryptoAlgorithm& algorithm,
557 SECKEYPublicKey* key,
558 blink::WebCryptoKeyAlgorithm* key_algorithm) {
559 // TODO(eroman): What about other key types rsaPss, rsaOaep.
560 if (!key || key->keyType != rsaKey)
561 return false;
562
563 unsigned int modulus_length_bits = SECKEY_PublicKeyStrength(key) * 8;
564 CryptoData public_exponent(key->u.rsa.publicExponent.data,
565 key->u.rsa.publicExponent.len);
566
567 switch (algorithm.paramsType()) {
568 case blink::WebCryptoAlgorithmParamsTypeRsaHashedImportParams:
569 case blink::WebCryptoAlgorithmParamsTypeRsaHashedKeyGenParams:
570 *key_algorithm = blink::WebCryptoKeyAlgorithm::createRsaHashed(
571 algorithm.id(),
572 modulus_length_bits,
573 public_exponent.bytes(),
574 public_exponent.byte_length(),
575 GetInnerHashAlgorithm(algorithm).id());
576 return true;
577 default:
578 return false;
579 }
580 }
581
582 bool CreatePrivateKeyAlgorithm(const blink::WebCryptoAlgorithm& algorithm,
583 SECKEYPrivateKey* key,
584 blink::WebCryptoKeyAlgorithm* key_algorithm) {
585 crypto::ScopedSECKEYPublicKey public_key(SECKEY_ConvertToPublicKey(key));
586 return CreatePublicKeyAlgorithm(algorithm, public_key.get(), key_algorithm);
587 }
588
589 // The Default IV for AES-KW. See http://www.ietf.org/rfc/rfc3394.txt
590 // Section 2.2.3.1.
591 // TODO(padolph): Move to common place to be shared with OpenSSL implementation.
592 const unsigned char kAesIv[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
593
594 // Sets NSS CK_MECHANISM_TYPE and CK_FLAGS corresponding to the input Web Crypto
595 // algorithm ID.
596 Status WebCryptoAlgorithmToNssMechFlags(
597 const blink::WebCryptoAlgorithm& algorithm,
598 CK_MECHANISM_TYPE* mechanism,
599 CK_FLAGS* flags) {
600 // Flags are verified at the Blink layer; here the flags are set to all
601 // possible operations of a key for the input algorithm type.
602 switch (algorithm.id()) {
603 case blink::WebCryptoAlgorithmIdHmac: {
604 const blink::WebCryptoAlgorithm hash = GetInnerHashAlgorithm(algorithm);
605 *mechanism = WebCryptoHashToHMACMechanism(hash);
606 if (*mechanism == CKM_INVALID_MECHANISM)
607 return Status::ErrorUnsupported();
608 *flags = CKF_SIGN | CKF_VERIFY;
609 break;
610 }
611 case blink::WebCryptoAlgorithmIdAesCbc: {
612 *mechanism = CKM_AES_CBC;
613 *flags = CKF_ENCRYPT | CKF_DECRYPT;
614 break;
615 }
616 case blink::WebCryptoAlgorithmIdAesKw: {
617 *mechanism = CKM_NSS_AES_KEY_WRAP;
618 *flags = CKF_WRAP | CKF_WRAP;
619 break;
620 }
621 case blink::WebCryptoAlgorithmIdAesGcm: {
622 if (!g_nss_runtime_support.Get().IsAesGcmSupported())
623 return Status::ErrorUnsupported();
624 *mechanism = CKM_AES_GCM;
625 *flags = CKF_ENCRYPT | CKF_DECRYPT;
626 break;
627 }
628 default:
629 return Status::ErrorUnsupported();
630 }
631 return Status::Success();
632 }
633
634 Status DoUnwrapSymKeyAesKw(const CryptoData& wrapped_key_data,
635 SymKey* wrapping_key,
636 CK_MECHANISM_TYPE mechanism,
637 CK_FLAGS flags,
638 crypto::ScopedPK11SymKey* unwrapped_key) {
639 DCHECK_GE(wrapped_key_data.byte_length(), 24u);
640 DCHECK_EQ(wrapped_key_data.byte_length() % 8, 0u);
641
642 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv)));
643 crypto::ScopedSECItem param_item(
644 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item));
645 if (!param_item)
646 return Status::ErrorUnexpected();
647
648 SECItem cipher_text = MakeSECItemForBuffer(wrapped_key_data);
649
650 // The plaintext length is always 64 bits less than the data size.
651 const unsigned int plaintext_length = wrapped_key_data.byte_length() - 8;
652
653 #if defined(USE_NSS)
654 // Part of workaround for
655 // https://bugzilla.mozilla.org/show_bug.cgi?id=981170. See the explanation
656 // later in this function.
657 PORT_SetError(0);
658 #endif
659
660 crypto::ScopedPK11SymKey new_key(
661 PK11_UnwrapSymKeyWithFlags(wrapping_key->key(),
662 CKM_NSS_AES_KEY_WRAP,
663 param_item.get(),
664 &cipher_text,
665 mechanism,
666 CKA_FLAGS_ONLY,
667 plaintext_length,
668 flags));
669
670 // TODO(padolph): Use NSS PORT_GetError() and friends to report a more
671 // accurate error, providing if doesn't leak any information to web pages
672 // about other web crypto users, key details, etc.
673 if (!new_key)
674 return Status::OperationError();
675
676 #if defined(USE_NSS)
677 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=981170
678 // which was fixed in NSS 3.16.0.
679 // If unwrap fails, NSS nevertheless returns a valid-looking PK11SymKey,
680 // with a reasonable length but with key data pointing to uninitialized
681 // memory.
682 // To understand this workaround see the fix for 981170:
683 // https://hg.mozilla.org/projects/nss/rev/753bb69e543c
684 if (!NSS_VersionCheck("3.16") && PORT_GetError() == SEC_ERROR_BAD_DATA)
685 return Status::OperationError();
686 #endif
687
688 *unwrapped_key = new_key.Pass();
689 return Status::Success();
690 }
691
692 void CopySECItemToVector(const SECItem& item, std::vector<uint8>* out) {
693 out->assign(item.data, item.data + item.len);
694 }
695
696 // From PKCS#1 [http://tools.ietf.org/html/rfc3447]:
697 //
698 // RSAPrivateKey ::= SEQUENCE {
699 // version Version,
700 // modulus INTEGER, -- n
701 // publicExponent INTEGER, -- e
702 // privateExponent INTEGER, -- d
703 // prime1 INTEGER, -- p
704 // prime2 INTEGER, -- q
705 // exponent1 INTEGER, -- d mod (p-1)
706 // exponent2 INTEGER, -- d mod (q-1)
707 // coefficient INTEGER, -- (inverse of q) mod p
708 // otherPrimeInfos OtherPrimeInfos OPTIONAL
709 // }
710 //
711 // Note that otherPrimeInfos is only applicable for version=1. Since NSS
712 // doesn't use multi-prime can safely use version=0.
713 struct RSAPrivateKey {
714 SECItem version;
715 SECItem modulus;
716 SECItem public_exponent;
717 SECItem private_exponent;
718 SECItem prime1;
719 SECItem prime2;
720 SECItem exponent1;
721 SECItem exponent2;
722 SECItem coefficient;
723 };
724
725 // The system NSS library doesn't have the new PK11_ExportDERPrivateKeyInfo
726 // function yet (https://bugzilla.mozilla.org/show_bug.cgi?id=519255). So we
727 // provide a fallback implementation.
728 #if defined(USE_NSS)
729 const SEC_ASN1Template RSAPrivateKeyTemplate[] = {
730 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(RSAPrivateKey)},
731 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, version)},
732 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, modulus)},
733 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, public_exponent)},
734 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, private_exponent)},
735 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, prime1)},
736 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, prime2)},
737 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, exponent1)},
738 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, exponent2)},
739 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, coefficient)},
740 {0}};
741 #endif // defined(USE_NSS)
742
743 // On success |value| will be filled with data which must be freed by
744 // SECITEM_FreeItem(value, PR_FALSE);
745 bool ReadUint(SECKEYPrivateKey* key,
746 CK_ATTRIBUTE_TYPE attribute,
747 SECItem* value) {
748 SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, attribute, value);
749
750 // PK11_ReadRawAttribute() returns items of type siBuffer. However in order
751 // for the ASN.1 encoding to be correct, the items must be of type
752 // siUnsignedInteger.
753 value->type = siUnsignedInteger;
754
755 return rv == SECSuccess;
756 }
757
758 // Fills |out| with the RSA private key properties. Returns true on success.
759 // Regardless of the return value, the caller must invoke FreeRSAPrivateKey()
760 // to free up any allocated memory.
761 //
762 // The passed in RSAPrivateKey must be zero-initialized.
763 bool InitRSAPrivateKey(SECKEYPrivateKey* key, RSAPrivateKey* out) {
764 if (key->keyType != rsaKey)
765 return false;
766
767 // Everything should be zero-ed out. These are just some spot checks.
768 DCHECK(!out->version.data);
769 DCHECK(!out->version.len);
770 DCHECK(!out->modulus.data);
771 DCHECK(!out->modulus.len);
772
773 // Always use version=0 since not using multi-prime.
774 if (!SEC_ASN1EncodeInteger(NULL, &out->version, 0))
775 return false;
776
777 if (!ReadUint(key, CKA_MODULUS, &out->modulus))
778 return false;
779 if (!ReadUint(key, CKA_PUBLIC_EXPONENT, &out->public_exponent))
780 return false;
781 if (!ReadUint(key, CKA_PRIVATE_EXPONENT, &out->private_exponent))
782 return false;
783 if (!ReadUint(key, CKA_PRIME_1, &out->prime1))
784 return false;
785 if (!ReadUint(key, CKA_PRIME_2, &out->prime2))
786 return false;
787 if (!ReadUint(key, CKA_EXPONENT_1, &out->exponent1))
788 return false;
789 if (!ReadUint(key, CKA_EXPONENT_2, &out->exponent2))
790 return false;
791 if (!ReadUint(key, CKA_COEFFICIENT, &out->coefficient))
792 return false;
793
794 return true;
795 }
796
797 struct FreeRsaPrivateKey {
798 void operator()(RSAPrivateKey* out) {
799 SECITEM_FreeItem(&out->version, PR_FALSE);
800 SECITEM_FreeItem(&out->modulus, PR_FALSE);
801 SECITEM_FreeItem(&out->public_exponent, PR_FALSE);
802 SECITEM_FreeItem(&out->private_exponent, PR_FALSE);
803 SECITEM_FreeItem(&out->prime1, PR_FALSE);
804 SECITEM_FreeItem(&out->prime2, PR_FALSE);
805 SECITEM_FreeItem(&out->exponent1, PR_FALSE);
806 SECITEM_FreeItem(&out->exponent2, PR_FALSE);
807 SECITEM_FreeItem(&out->coefficient, PR_FALSE);
808 }
809 };
810
811 } // namespace
812
813 class DigestorNSS : public blink::WebCryptoDigestor {
814 public:
815 explicit DigestorNSS(blink::WebCryptoAlgorithmId algorithm_id)
816 : hash_context_(NULL), algorithm_id_(algorithm_id) {}
817
818 virtual ~DigestorNSS() {
819 if (!hash_context_)
820 return;
821
822 HASH_Destroy(hash_context_);
823 hash_context_ = NULL;
824 }
825
826 virtual bool consume(const unsigned char* data, unsigned int size) {
827 return ConsumeWithStatus(data, size).IsSuccess();
828 }
829
830 Status ConsumeWithStatus(const unsigned char* data, unsigned int size) {
831 // Initialize everything if the object hasn't been initialized yet.
832 if (!hash_context_) {
833 Status error = Init();
834 if (!error.IsSuccess())
835 return error;
836 }
837
838 HASH_Update(hash_context_, data, size);
839
840 return Status::Success();
841 }
842
843 virtual bool finish(unsigned char*& result_data,
844 unsigned int& result_data_size) {
845 Status error = FinishInternal(result_, &result_data_size);
846 if (!error.IsSuccess())
847 return false;
848 result_data = result_;
849 return true;
850 }
851
852 Status FinishWithVectorAndStatus(std::vector<uint8>* result) {
853 if (!hash_context_)
854 return Status::ErrorUnexpected();
855
856 unsigned int result_length = HASH_ResultLenContext(hash_context_);
857 result->resize(result_length);
858 unsigned char* digest = Uint8VectorStart(result);
859 unsigned int digest_size; // ignored
860 return FinishInternal(digest, &digest_size);
861 }
862
863 private:
864 Status Init() {
865 HASH_HashType hash_type = WebCryptoAlgorithmToNSSHashType(algorithm_id_);
866
867 if (hash_type == HASH_AlgNULL)
868 return Status::ErrorUnsupported();
869
870 hash_context_ = HASH_Create(hash_type);
871 if (!hash_context_)
872 return Status::OperationError();
873
874 HASH_Begin(hash_context_);
875
876 return Status::Success();
877 }
878
879 Status FinishInternal(unsigned char* result, unsigned int* result_size) {
880 if (!hash_context_) {
881 Status error = Init();
882 if (!error.IsSuccess())
883 return error;
884 }
885
886 unsigned int hash_result_length = HASH_ResultLenContext(hash_context_);
887 DCHECK_LE(hash_result_length, static_cast<size_t>(HASH_LENGTH_MAX));
888
889 HASH_End(hash_context_, result, result_size, hash_result_length);
890
891 if (*result_size != hash_result_length)
892 return Status::ErrorUnexpected();
893 return Status::Success();
894 }
895
896 HASHContext* hash_context_;
897 blink::WebCryptoAlgorithmId algorithm_id_;
898 unsigned char result_[HASH_LENGTH_MAX];
899 };
900
901 Status ImportKeyRaw(const blink::WebCryptoAlgorithm& algorithm,
902 const CryptoData& key_data,
903 bool extractable,
904 blink::WebCryptoKeyUsageMask usage_mask,
905 blink::WebCryptoKey* key) {
906 DCHECK(!algorithm.isNull());
907
908 CK_MECHANISM_TYPE mechanism;
909 CK_FLAGS flags;
910 Status status =
911 WebCryptoAlgorithmToNssMechFlags(algorithm, &mechanism, &flags);
912 if (status.IsError())
913 return status;
914
915 SECItem key_item = MakeSECItemForBuffer(key_data);
916
917 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
918 crypto::ScopedPK11SymKey pk11_sym_key(
919 PK11_ImportSymKeyWithFlags(slot.get(),
920 mechanism,
921 PK11_OriginUnwrap,
922 CKA_FLAGS_ONLY,
923 &key_item,
924 flags,
925 false,
926 NULL));
927 if (!pk11_sym_key.get())
928 return Status::OperationError();
929
930 blink::WebCryptoKeyAlgorithm key_algorithm;
931 if (!CreateSecretKeyAlgorithm(
932 algorithm, key_data.byte_length(), &key_algorithm))
933 return Status::ErrorUnexpected();
934
935 scoped_ptr<SymKey> key_handle;
936 status = SymKey::Create(pk11_sym_key.Pass(), &key_handle);
937 if (status.IsError())
938 return status;
939
940 *key = blink::WebCryptoKey::create(key_handle.release(),
941 blink::WebCryptoKeyTypeSecret,
942 extractable,
943 key_algorithm,
944 usage_mask);
945 return Status::Success();
946 }
947
948 Status ExportKeyRaw(SymKey* key, std::vector<uint8>* buffer) {
949 if (PK11_ExtractKeyValue(key->key()) != SECSuccess)
950 return Status::OperationError();
951
952 // http://crbug.com/366427: the spec does not define any other failures for
953 // exporting, so none of the subsequent errors are spec compliant.
954 const SECItem* key_data = PK11_GetKeyData(key->key());
955 if (!key_data)
956 return Status::OperationError();
957
958 buffer->assign(key_data->data, key_data->data + key_data->len);
959
960 return Status::Success();
961 }
962
963 namespace {
964
965 typedef scoped_ptr<CERTSubjectPublicKeyInfo,
966 crypto::NSSDestroyer<CERTSubjectPublicKeyInfo,
967 SECKEY_DestroySubjectPublicKeyInfo> >
968 ScopedCERTSubjectPublicKeyInfo;
969
970 // Validates an NSS KeyType against a WebCrypto import algorithm.
971 bool ValidateNssKeyTypeAgainstInputAlgorithm(
972 KeyType key_type,
973 const blink::WebCryptoAlgorithm& algorithm) {
974 switch (key_type) {
975 case rsaKey:
976 return IsAlgorithmRsa(algorithm.id());
977 case dsaKey:
978 case ecKey:
979 case rsaPssKey:
980 case rsaOaepKey:
981 // TODO(padolph): Handle other key types.
982 break;
983 default:
984 break;
985 }
986 return false;
987 }
988
989 } // namespace
990
991 Status ImportKeySpki(const blink::WebCryptoAlgorithm& algorithm,
992 const CryptoData& key_data,
993 bool extractable,
994 blink::WebCryptoKeyUsageMask usage_mask,
995 blink::WebCryptoKey* key) {
996 DCHECK(key);
997
998 if (!key_data.byte_length())
999 return Status::ErrorImportEmptyKeyData();
1000 DCHECK(key_data.bytes());
1001
1002 // The binary blob 'key_data' is expected to be a DER-encoded ASN.1 Subject
1003 // Public Key Info. Decode this to a CERTSubjectPublicKeyInfo.
1004 SECItem spki_item = MakeSECItemForBuffer(key_data);
1005 const ScopedCERTSubjectPublicKeyInfo spki(
1006 SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
1007 if (!spki)
1008 return Status::DataError();
1009
1010 crypto::ScopedSECKEYPublicKey sec_public_key(
1011 SECKEY_ExtractPublicKey(spki.get()));
1012 if (!sec_public_key)
1013 return Status::DataError();
1014
1015 const KeyType sec_key_type = SECKEY_GetPublicKeyType(sec_public_key.get());
1016 if (!ValidateNssKeyTypeAgainstInputAlgorithm(sec_key_type, algorithm))
1017 return Status::DataError();
1018
1019 blink::WebCryptoKeyAlgorithm key_algorithm;
1020 if (!CreatePublicKeyAlgorithm(
1021 algorithm, sec_public_key.get(), &key_algorithm))
1022 return Status::ErrorUnexpected();
1023
1024 scoped_ptr<PublicKey> key_handle;
1025 Status status = PublicKey::Create(sec_public_key.Pass(), &key_handle);
1026 if (status.IsError())
1027 return status;
1028
1029 *key = blink::WebCryptoKey::create(key_handle.release(),
1030 blink::WebCryptoKeyTypePublic,
1031 extractable,
1032 key_algorithm,
1033 usage_mask);
1034
1035 return Status::Success();
1036 }
1037
1038 Status ExportKeySpki(PublicKey* key, std::vector<uint8>* buffer) {
1039 const crypto::ScopedSECItem spki_der(
1040 SECKEY_EncodeDERSubjectPublicKeyInfo(key->key()));
1041 // http://crbug.com/366427: the spec does not define any other failures for
1042 // exporting, so none of the subsequent errors are spec compliant.
1043 if (!spki_der)
1044 return Status::OperationError();
1045
1046 DCHECK(spki_der->data);
1047 DCHECK(spki_der->len);
1048
1049 buffer->assign(spki_der->data, spki_der->data + spki_der->len);
1050
1051 return Status::Success();
1052 }
1053
1054 Status ExportRsaPublicKey(PublicKey* key,
1055 std::vector<uint8>* modulus,
1056 std::vector<uint8>* public_exponent) {
1057 DCHECK(key);
1058 DCHECK(key->key());
1059 if (key->key()->keyType != rsaKey)
1060 return Status::ErrorUnsupported();
1061 CopySECItemToVector(key->key()->u.rsa.modulus, modulus);
1062 CopySECItemToVector(key->key()->u.rsa.publicExponent, public_exponent);
1063 if (modulus->empty() || public_exponent->empty())
1064 return Status::ErrorUnexpected();
1065 return Status::Success();
1066 }
1067
1068 void AssignVectorFromSecItem(const SECItem& item, std::vector<uint8>* output) {
1069 output->assign(item.data, item.data + item.len);
1070 }
1071
1072 Status ExportRsaPrivateKey(PrivateKey* key,
1073 std::vector<uint8>* modulus,
1074 std::vector<uint8>* public_exponent,
1075 std::vector<uint8>* private_exponent,
1076 std::vector<uint8>* prime1,
1077 std::vector<uint8>* prime2,
1078 std::vector<uint8>* exponent1,
1079 std::vector<uint8>* exponent2,
1080 std::vector<uint8>* coefficient) {
1081 RSAPrivateKey key_props = {};
1082 scoped_ptr<RSAPrivateKey, FreeRsaPrivateKey> free_private_key(&key_props);
1083
1084 if (!InitRSAPrivateKey(key->key(), &key_props))
1085 return Status::OperationError();
1086
1087 AssignVectorFromSecItem(key_props.modulus, modulus);
1088 AssignVectorFromSecItem(key_props.public_exponent, public_exponent);
1089 AssignVectorFromSecItem(key_props.private_exponent, private_exponent);
1090 AssignVectorFromSecItem(key_props.prime1, prime1);
1091 AssignVectorFromSecItem(key_props.prime2, prime2);
1092 AssignVectorFromSecItem(key_props.exponent1, exponent1);
1093 AssignVectorFromSecItem(key_props.exponent2, exponent2);
1094 AssignVectorFromSecItem(key_props.coefficient, coefficient);
1095
1096 return Status::Success();
1097 }
1098
1099 Status ExportKeyPkcs8(PrivateKey* key,
1100 const blink::WebCryptoKeyAlgorithm& key_algorithm,
1101 std::vector<uint8>* buffer) {
1102 // TODO(eroman): Support other RSA key types as they are added to Blink.
1103 if (key_algorithm.id() != blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 &&
1104 key_algorithm.id() != blink::WebCryptoAlgorithmIdRsaOaep)
1105 return Status::ErrorUnsupported();
1106
1107 // TODO(rsleevi): Implement OAEP support according to the spec.
1108
1109 #if defined(USE_NSS)
1110 // PK11_ExportDERPrivateKeyInfo isn't available. Use our fallback code.
1111 const SECOidTag algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
1112 const int kPrivateKeyInfoVersion = 0;
1113
1114 SECKEYPrivateKeyInfo private_key_info = {};
1115 RSAPrivateKey rsa_private_key = {};
1116 scoped_ptr<RSAPrivateKey, FreeRsaPrivateKey> free_private_key(
1117 &rsa_private_key);
1118
1119 // http://crbug.com/366427: the spec does not define any other failures for
1120 // exporting, so none of the subsequent errors are spec compliant.
1121 if (!InitRSAPrivateKey(key->key(), &rsa_private_key))
1122 return Status::OperationError();
1123
1124 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
1125 if (!arena.get())
1126 return Status::OperationError();
1127
1128 if (!SEC_ASN1EncodeItem(arena.get(),
1129 &private_key_info.privateKey,
1130 &rsa_private_key,
1131 RSAPrivateKeyTemplate))
1132 return Status::OperationError();
1133
1134 if (SECSuccess !=
1135 SECOID_SetAlgorithmID(
1136 arena.get(), &private_key_info.algorithm, algorithm, NULL))
1137 return Status::OperationError();
1138
1139 if (!SEC_ASN1EncodeInteger(
1140 arena.get(), &private_key_info.version, kPrivateKeyInfoVersion))
1141 return Status::OperationError();
1142
1143 crypto::ScopedSECItem encoded_key(
1144 SEC_ASN1EncodeItem(NULL,
1145 NULL,
1146 &private_key_info,
1147 SEC_ASN1_GET(SECKEY_PrivateKeyInfoTemplate)));
1148 #else // defined(USE_NSS)
1149 crypto::ScopedSECItem encoded_key(
1150 PK11_ExportDERPrivateKeyInfo(key->key(), NULL));
1151 #endif // defined(USE_NSS)
1152
1153 if (!encoded_key.get())
1154 return Status::OperationError();
1155
1156 buffer->assign(encoded_key->data, encoded_key->data + encoded_key->len);
1157 return Status::Success();
1158 }
1159
1160 Status ImportKeyPkcs8(const blink::WebCryptoAlgorithm& algorithm,
1161 const CryptoData& key_data,
1162 bool extractable,
1163 blink::WebCryptoKeyUsageMask usage_mask,
1164 blink::WebCryptoKey* key) {
1165 DCHECK(key);
1166
1167 if (!key_data.byte_length())
1168 return Status::ErrorImportEmptyKeyData();
1169 DCHECK(key_data.bytes());
1170
1171 // The binary blob 'key_data' is expected to be a DER-encoded ASN.1 PKCS#8
1172 // private key info object.
1173 SECItem pki_der = MakeSECItemForBuffer(key_data);
1174
1175 SECKEYPrivateKey* seckey_private_key = NULL;
1176 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
1177 if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot.get(),
1178 &pki_der,
1179 NULL, // nickname
1180 NULL, // publicValue
1181 false, // isPerm
1182 false, // isPrivate
1183 KU_ALL, // usage
1184 &seckey_private_key,
1185 NULL) != SECSuccess) {
1186 return Status::DataError();
1187 }
1188 DCHECK(seckey_private_key);
1189 crypto::ScopedSECKEYPrivateKey private_key(seckey_private_key);
1190
1191 const KeyType sec_key_type = SECKEY_GetPrivateKeyType(private_key.get());
1192 if (!ValidateNssKeyTypeAgainstInputAlgorithm(sec_key_type, algorithm))
1193 return Status::DataError();
1194
1195 blink::WebCryptoKeyAlgorithm key_algorithm;
1196 if (!CreatePrivateKeyAlgorithm(algorithm, private_key.get(), &key_algorithm))
1197 return Status::ErrorUnexpected();
1198
1199 scoped_ptr<PrivateKey> key_handle;
1200 Status status =
1201 PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle);
1202 if (status.IsError())
1203 return status;
1204
1205 *key = blink::WebCryptoKey::create(key_handle.release(),
1206 blink::WebCryptoKeyTypePrivate,
1207 extractable,
1208 key_algorithm,
1209 usage_mask);
1210
1211 return Status::Success();
1212 }
1213
1214 // -----------------------------------
1215 // Hmac
1216 // -----------------------------------
1217
1218 Status SignHmac(SymKey* key,
1219 const blink::WebCryptoAlgorithm& hash,
1220 const CryptoData& data,
1221 std::vector<uint8>* buffer) {
1222 DCHECK_EQ(PK11_GetMechanism(key->key()), WebCryptoHashToHMACMechanism(hash));
1223
1224 SECItem param_item = {siBuffer, NULL, 0};
1225 SECItem data_item = MakeSECItemForBuffer(data);
1226 // First call is to figure out the length.
1227 SECItem signature_item = {siBuffer, NULL, 0};
1228
1229 if (PK11_SignWithSymKey(key->key(),
1230 PK11_GetMechanism(key->key()),
1231 &param_item,
1232 &signature_item,
1233 &data_item) != SECSuccess) {
1234 return Status::OperationError();
1235 }
1236
1237 DCHECK_NE(0u, signature_item.len);
1238
1239 buffer->resize(signature_item.len);
1240 signature_item.data = Uint8VectorStart(buffer);
1241
1242 if (PK11_SignWithSymKey(key->key(),
1243 PK11_GetMechanism(key->key()),
1244 &param_item,
1245 &signature_item,
1246 &data_item) != SECSuccess) {
1247 return Status::OperationError();
1248 }
1249
1250 DCHECK_EQ(buffer->size(), signature_item.len);
1251 return Status::Success();
1252 }
1253
1254 // -----------------------------------
1255 // RsaOaep
1256 // -----------------------------------
1257
1258 Status EncryptRsaOaep(PublicKey* key,
1259 const blink::WebCryptoAlgorithm& hash,
1260 const CryptoData& label,
1261 const CryptoData& data,
1262 std::vector<uint8>* buffer) {
1263 if (!g_nss_runtime_support.Get().IsRsaOaepSupported())
1264 return Status::ErrorUnsupported();
1265
1266 CK_RSA_PKCS_OAEP_PARAMS oaep_params = {0};
1267 if (!InitializeRsaOaepParams(hash, label, &oaep_params))
1268 return Status::ErrorUnsupported();
1269
1270 SECItem param;
1271 param.type = siBuffer;
1272 param.data = reinterpret_cast<unsigned char*>(&oaep_params);
1273 param.len = sizeof(oaep_params);
1274
1275 buffer->resize(SECKEY_PublicKeyStrength(key->key()));
1276 unsigned char* buffer_data = Uint8VectorStart(buffer);
1277 unsigned int output_len;
1278 if (g_nss_runtime_support.Get().pk11_pub_encrypt_func()(key->key(),
1279 CKM_RSA_PKCS_OAEP,
1280 &param,
1281 buffer_data,
1282 &output_len,
1283 buffer->size(),
1284 data.bytes(),
1285 data.byte_length(),
1286 NULL) != SECSuccess) {
1287 return Status::OperationError();
1288 }
1289
1290 DCHECK_LE(output_len, buffer->size());
1291 buffer->resize(output_len);
1292 return Status::Success();
1293 }
1294
1295 Status DecryptRsaOaep(PrivateKey* key,
1296 const blink::WebCryptoAlgorithm& hash,
1297 const CryptoData& label,
1298 const CryptoData& data,
1299 std::vector<uint8>* buffer) {
1300 if (!g_nss_runtime_support.Get().IsRsaOaepSupported())
1301 return Status::ErrorUnsupported();
1302
1303 CK_RSA_PKCS_OAEP_PARAMS oaep_params = {0};
1304 if (!InitializeRsaOaepParams(hash, label, &oaep_params))
1305 return Status::ErrorUnsupported();
1306
1307 SECItem param;
1308 param.type = siBuffer;
1309 param.data = reinterpret_cast<unsigned char*>(&oaep_params);
1310 param.len = sizeof(oaep_params);
1311
1312 const int modulus_length_bytes = PK11_GetPrivateModulusLen(key->key());
1313 if (modulus_length_bytes <= 0)
1314 return Status::ErrorUnexpected();
1315
1316 buffer->resize(modulus_length_bytes);
1317
1318 unsigned char* buffer_data = Uint8VectorStart(buffer);
1319 unsigned int output_len;
1320 if (g_nss_runtime_support.Get().pk11_priv_decrypt_func()(
1321 key->key(),
1322 CKM_RSA_PKCS_OAEP,
1323 &param,
1324 buffer_data,
1325 &output_len,
1326 buffer->size(),
1327 data.bytes(),
1328 data.byte_length()) != SECSuccess) {
1329 return Status::OperationError();
1330 }
1331
1332 DCHECK_LE(output_len, buffer->size());
1333 buffer->resize(output_len);
1334 return Status::Success();
1335 }
1336
1337 // -----------------------------------
1338 // RsaSsaPkcs1v1_5
1339 // -----------------------------------
1340
1341 Status SignRsaSsaPkcs1v1_5(PrivateKey* key,
1342 const blink::WebCryptoAlgorithm& hash,
1343 const CryptoData& data,
1344 std::vector<uint8>* buffer) {
1345 // Pick the NSS signing algorithm by combining RSA-SSA (RSA PKCS1) and the
1346 // inner hash of the input Web Crypto algorithm.
1347 SECOidTag sign_alg_tag;
1348 switch (hash.id()) {
1349 case blink::WebCryptoAlgorithmIdSha1:
1350 sign_alg_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
1351 break;
1352 case blink::WebCryptoAlgorithmIdSha256:
1353 sign_alg_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
1354 break;
1355 case blink::WebCryptoAlgorithmIdSha384:
1356 sign_alg_tag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
1357 break;
1358 case blink::WebCryptoAlgorithmIdSha512:
1359 sign_alg_tag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
1360 break;
1361 default:
1362 return Status::ErrorUnsupported();
1363 }
1364
1365 crypto::ScopedSECItem signature_item(SECITEM_AllocItem(NULL, NULL, 0));
1366 if (SEC_SignData(signature_item.get(),
1367 data.bytes(),
1368 data.byte_length(),
1369 key->key(),
1370 sign_alg_tag) != SECSuccess) {
1371 return Status::OperationError();
1372 }
1373
1374 buffer->assign(signature_item->data,
1375 signature_item->data + signature_item->len);
1376 return Status::Success();
1377 }
1378
1379 Status VerifyRsaSsaPkcs1v1_5(PublicKey* key,
1380 const blink::WebCryptoAlgorithm& hash,
1381 const CryptoData& signature,
1382 const CryptoData& data,
1383 bool* signature_match) {
1384 const SECItem signature_item = MakeSECItemForBuffer(signature);
1385
1386 SECOidTag hash_alg_tag;
1387 switch (hash.id()) {
1388 case blink::WebCryptoAlgorithmIdSha1:
1389 hash_alg_tag = SEC_OID_SHA1;
1390 break;
1391 case blink::WebCryptoAlgorithmIdSha256:
1392 hash_alg_tag = SEC_OID_SHA256;
1393 break;
1394 case blink::WebCryptoAlgorithmIdSha384:
1395 hash_alg_tag = SEC_OID_SHA384;
1396 break;
1397 case blink::WebCryptoAlgorithmIdSha512:
1398 hash_alg_tag = SEC_OID_SHA512;
1399 break;
1400 default:
1401 return Status::ErrorUnsupported();
1402 }
1403
1404 *signature_match =
1405 SECSuccess == VFY_VerifyDataDirect(data.bytes(),
1406 data.byte_length(),
1407 key->key(),
1408 &signature_item,
1409 SEC_OID_PKCS1_RSA_ENCRYPTION,
1410 hash_alg_tag,
1411 NULL,
1412 NULL);
1413 return Status::Success();
1414 }
1415
1416 Status EncryptDecryptAesCbc(EncryptOrDecrypt mode,
1417 SymKey* key,
1418 const CryptoData& data,
1419 const CryptoData& iv,
1420 std::vector<uint8>* buffer) {
1421 // TODO(eroman): Inline.
1422 return AesCbcEncryptDecrypt(mode, key, iv, data, buffer);
1423 }
1424
1425 Status EncryptDecryptAesGcm(EncryptOrDecrypt mode,
1426 SymKey* key,
1427 const CryptoData& data,
1428 const CryptoData& iv,
1429 const CryptoData& additional_data,
1430 unsigned int tag_length_bits,
1431 std::vector<uint8>* buffer) {
1432 // TODO(eroman): Inline.
1433 return AesGcmEncryptDecrypt(
1434 mode, key, data, iv, additional_data, tag_length_bits, buffer);
1435 }
1436
1437 // -----------------------------------
1438 // Key generation
1439 // -----------------------------------
1440
1441 Status GenerateRsaKeyPair(const blink::WebCryptoAlgorithm& algorithm,
1442 bool extractable,
1443 blink::WebCryptoKeyUsageMask public_key_usage_mask,
1444 blink::WebCryptoKeyUsageMask private_key_usage_mask,
1445 unsigned int modulus_length_bits,
1446 const CryptoData& public_exponent,
1447 blink::WebCryptoKey* public_key,
1448 blink::WebCryptoKey* private_key) {
1449 if (algorithm.id() == blink::WebCryptoAlgorithmIdRsaOaep &&
1450 !g_nss_runtime_support.Get().IsRsaOaepSupported()) {
1451 return Status::ErrorUnsupported();
1452 }
1453
1454 crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
1455 if (!slot)
1456 return Status::OperationError();
1457
1458 unsigned long public_exponent_long;
1459 if (!BigIntegerToLong(public_exponent.bytes(),
1460 public_exponent.byte_length(),
1461 &public_exponent_long) ||
1462 !public_exponent_long) {
1463 return Status::ErrorGenerateKeyPublicExponent();
1464 }
1465
1466 PK11RSAGenParams rsa_gen_params;
1467 rsa_gen_params.keySizeInBits = modulus_length_bits;
1468 rsa_gen_params.pe = public_exponent_long;
1469
1470 // Flags are verified at the Blink layer; here the flags are set to all
1471 // possible operations for the given key type.
1472 CK_FLAGS operation_flags;
1473 switch (algorithm.id()) {
1474 case blink::WebCryptoAlgorithmIdRsaOaep:
1475 operation_flags = CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP;
1476 break;
1477 case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5:
1478 operation_flags = CKF_SIGN | CKF_VERIFY;
1479 break;
1480 default:
1481 NOTREACHED();
1482 return Status::ErrorUnexpected();
1483 }
1484 const CK_FLAGS operation_flags_mask =
1485 CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_WRAP | CKF_UNWRAP;
1486
1487 // The private key must be marked as insensitive and extractable, otherwise it
1488 // cannot later be exported in unencrypted form or structured-cloned.
1489 const PK11AttrFlags attribute_flags =
1490 PK11_ATTR_INSENSITIVE | PK11_ATTR_EXTRACTABLE;
1491
1492 // Note: NSS does not generate an sec_public_key if the call below fails,
1493 // so there is no danger of a leaked sec_public_key.
1494 SECKEYPublicKey* sec_public_key;
1495 crypto::ScopedSECKEYPrivateKey scoped_sec_private_key(
1496 PK11_GenerateKeyPairWithOpFlags(slot.get(),
1497 CKM_RSA_PKCS_KEY_PAIR_GEN,
1498 &rsa_gen_params,
1499 &sec_public_key,
1500 attribute_flags,
1501 operation_flags,
1502 operation_flags_mask,
1503 NULL));
1504 if (!private_key)
1505 return Status::OperationError();
1506
1507 blink::WebCryptoKeyAlgorithm key_algorithm;
1508 if (!CreatePublicKeyAlgorithm(algorithm, sec_public_key, &key_algorithm))
1509 return Status::ErrorUnexpected();
1510
1511 scoped_ptr<PublicKey> public_key_handle;
1512 Status status = PublicKey::Create(
1513 crypto::ScopedSECKEYPublicKey(sec_public_key), &public_key_handle);
1514 if (status.IsError())
1515 return status;
1516
1517 scoped_ptr<PrivateKey> private_key_handle;
1518 status = PrivateKey::Create(
1519 scoped_sec_private_key.Pass(), key_algorithm, &private_key_handle);
1520 if (status.IsError())
1521 return status;
1522
1523 *public_key = blink::WebCryptoKey::create(public_key_handle.release(),
1524 blink::WebCryptoKeyTypePublic,
1525 true,
1526 key_algorithm,
1527 public_key_usage_mask);
1528 *private_key = blink::WebCryptoKey::create(private_key_handle.release(),
1529 blink::WebCryptoKeyTypePrivate,
1530 extractable,
1531 key_algorithm,
1532 private_key_usage_mask);
1533
1534 return Status::Success();
1535 }
1536
1537 void Init() {
1538 crypto::EnsureNSSInit();
1539 }
1540
1541 Status DigestSha(blink::WebCryptoAlgorithmId algorithm,
1542 const CryptoData& data,
1543 std::vector<uint8>* buffer) {
1544 DigestorNSS digestor(algorithm);
1545 Status error = digestor.ConsumeWithStatus(data.bytes(), data.byte_length());
1546 // http://crbug.com/366427: the spec does not define any other failures for
1547 // digest, so none of the subsequent errors are spec compliant.
1548 if (!error.IsSuccess())
1549 return error;
1550 return digestor.FinishWithVectorAndStatus(buffer);
1551 }
1552
1553 scoped_ptr<blink::WebCryptoDigestor> CreateDigestor(
1554 blink::WebCryptoAlgorithmId algorithm_id) {
1555 return scoped_ptr<blink::WebCryptoDigestor>(new DigestorNSS(algorithm_id));
1556 }
1557
1558 Status GenerateSecretKey(const blink::WebCryptoAlgorithm& algorithm,
1559 bool extractable,
1560 blink::WebCryptoKeyUsageMask usage_mask,
1561 unsigned keylen_bytes,
1562 blink::WebCryptoKey* key) {
1563 CK_MECHANISM_TYPE mech = WebCryptoAlgorithmToGenMechanism(algorithm);
1564 blink::WebCryptoKeyType key_type = blink::WebCryptoKeyTypeSecret;
1565
1566 if (mech == CKM_INVALID_MECHANISM)
1567 return Status::ErrorUnsupported();
1568
1569 crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
1570 if (!slot)
1571 return Status::OperationError();
1572
1573 crypto::ScopedPK11SymKey pk11_key(
1574 PK11_KeyGen(slot.get(), mech, NULL, keylen_bytes, NULL));
1575
1576 if (!pk11_key)
1577 return Status::OperationError();
1578
1579 blink::WebCryptoKeyAlgorithm key_algorithm;
1580 if (!CreateSecretKeyAlgorithm(algorithm, keylen_bytes, &key_algorithm))
1581 return Status::ErrorUnexpected();
1582
1583 scoped_ptr<SymKey> key_handle;
1584 Status status = SymKey::Create(pk11_key.Pass(), &key_handle);
1585 if (status.IsError())
1586 return status;
1587
1588 *key = blink::WebCryptoKey::create(
1589 key_handle.release(), key_type, extractable, key_algorithm, usage_mask);
1590 return Status::Success();
1591 }
1592
1593 Status ImportRsaPublicKey(const blink::WebCryptoAlgorithm& algorithm,
1594 bool extractable,
1595 blink::WebCryptoKeyUsageMask usage_mask,
1596 const CryptoData& modulus_data,
1597 const CryptoData& exponent_data,
1598 blink::WebCryptoKey* key) {
1599 if (!modulus_data.byte_length())
1600 return Status::ErrorImportRsaEmptyModulus();
1601
1602 if (!exponent_data.byte_length())
1603 return Status::ErrorImportRsaEmptyExponent();
1604
1605 DCHECK(modulus_data.bytes());
1606 DCHECK(exponent_data.bytes());
1607
1608 // NSS does not provide a way to create an RSA public key directly from the
1609 // modulus and exponent values, but it can import an DER-encoded ASN.1 blob
1610 // with these values and create the public key from that. The code below
1611 // follows the recommendation described in
1612 // https://developer.mozilla.org/en-US/docs/NSS/NSS_Tech_Notes/nss_tech_note7
1613
1614 // Pack the input values into a struct compatible with NSS ASN.1 encoding, and
1615 // set up an ASN.1 encoder template for it.
1616 struct RsaPublicKeyData {
1617 SECItem modulus;
1618 SECItem exponent;
1619 };
1620 const RsaPublicKeyData pubkey_in = {
1621 {siUnsignedInteger, const_cast<unsigned char*>(modulus_data.bytes()),
1622 modulus_data.byte_length()},
1623 {siUnsignedInteger, const_cast<unsigned char*>(exponent_data.bytes()),
1624 exponent_data.byte_length()}};
1625 const SEC_ASN1Template rsa_public_key_template[] = {
1626 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(RsaPublicKeyData)},
1627 {SEC_ASN1_INTEGER, offsetof(RsaPublicKeyData, modulus), },
1628 {SEC_ASN1_INTEGER, offsetof(RsaPublicKeyData, exponent), },
1629 {0, }};
1630
1631 // DER-encode the public key.
1632 crypto::ScopedSECItem pubkey_der(
1633 SEC_ASN1EncodeItem(NULL, NULL, &pubkey_in, rsa_public_key_template));
1634 if (!pubkey_der)
1635 return Status::OperationError();
1636
1637 // Import the DER-encoded public key to create an RSA SECKEYPublicKey.
1638 crypto::ScopedSECKEYPublicKey pubkey(
1639 SECKEY_ImportDERPublicKey(pubkey_der.get(), CKK_RSA));
1640 if (!pubkey)
1641 return Status::OperationError();
1642
1643 blink::WebCryptoKeyAlgorithm key_algorithm;
1644 if (!CreatePublicKeyAlgorithm(algorithm, pubkey.get(), &key_algorithm))
1645 return Status::ErrorUnexpected();
1646
1647 scoped_ptr<PublicKey> key_handle;
1648 Status status = PublicKey::Create(pubkey.Pass(), &key_handle);
1649 if (status.IsError())
1650 return status;
1651
1652 *key = blink::WebCryptoKey::create(key_handle.release(),
1653 blink::WebCryptoKeyTypePublic,
1654 extractable,
1655 key_algorithm,
1656 usage_mask);
1657 return Status::Success();
1658 }
1659
1660 struct DestroyGenericObject {
1661 void operator()(PK11GenericObject* o) const {
1662 if (o)
1663 PK11_DestroyGenericObject(o);
1664 }
1665 };
1666
1667 typedef scoped_ptr<PK11GenericObject, DestroyGenericObject>
1668 ScopedPK11GenericObject;
1669
1670 // Helper to add an attribute to a template.
1671 void AddAttribute(CK_ATTRIBUTE_TYPE type,
1672 void* value,
1673 unsigned long length,
1674 std::vector<CK_ATTRIBUTE>* templ) {
1675 CK_ATTRIBUTE attribute = {type, value, length};
1676 templ->push_back(attribute);
1677 }
1678
1679 // Helper to optionally add an attribute to a template, if the provided data is
1680 // non-empty.
1681 void AddOptionalAttribute(CK_ATTRIBUTE_TYPE type,
1682 const CryptoData& data,
1683 std::vector<CK_ATTRIBUTE>* templ) {
1684 if (!data.byte_length())
1685 return;
1686 CK_ATTRIBUTE attribute = {type, const_cast<unsigned char*>(data.bytes()),
1687 data.byte_length()};
1688 templ->push_back(attribute);
1689 }
1690
1691 Status ImportRsaPrivateKey(const blink::WebCryptoAlgorithm& algorithm,
1692 bool extractable,
1693 blink::WebCryptoKeyUsageMask usage_mask,
1694 const CryptoData& modulus,
1695 const CryptoData& public_exponent,
1696 const CryptoData& private_exponent,
1697 const CryptoData& prime1,
1698 const CryptoData& prime2,
1699 const CryptoData& exponent1,
1700 const CryptoData& exponent2,
1701 const CryptoData& coefficient,
1702 blink::WebCryptoKey* key) {
1703 CK_OBJECT_CLASS obj_class = CKO_PRIVATE_KEY;
1704 CK_KEY_TYPE key_type = CKK_RSA;
1705 CK_BBOOL ck_false = CK_FALSE;
1706
1707 std::vector<CK_ATTRIBUTE> key_template;
1708
1709 AddAttribute(CKA_CLASS, &obj_class, sizeof(obj_class), &key_template);
1710 AddAttribute(CKA_KEY_TYPE, &key_type, sizeof(key_type), &key_template);
1711 AddAttribute(CKA_TOKEN, &ck_false, sizeof(ck_false), &key_template);
1712 AddAttribute(CKA_SENSITIVE, &ck_false, sizeof(ck_false), &key_template);
1713 AddAttribute(CKA_PRIVATE, &ck_false, sizeof(ck_false), &key_template);
1714
1715 // Required properties.
1716 AddOptionalAttribute(CKA_MODULUS, modulus, &key_template);
1717 AddOptionalAttribute(CKA_PUBLIC_EXPONENT, public_exponent, &key_template);
1718 AddOptionalAttribute(CKA_PRIVATE_EXPONENT, private_exponent, &key_template);
1719
1720 // Manufacture a CKA_ID so the created key can be retrieved later as a
1721 // SECKEYPrivateKey using FindKeyByKeyID(). Unfortunately there isn't a more
1722 // direct way to do this in NSS.
1723 //
1724 // For consistency with other NSS key creation methods, set the CKA_ID to
1725 // PK11_MakeIDFromPubKey(). There are some problems with
1726 // this approach:
1727 //
1728 // (1) Prior to NSS 3.16.2, there is no parameter validation when creating
1729 // private keys. It is therefore possible to construct a key using the
1730 // known public modulus, and where all the other parameters are bogus.
1731 // FindKeyByKeyID() returns the first key matching the ID. So this would
1732 // effectively allow an attacker to retrieve a private key of their
1733 // choice.
1734 // TODO(eroman): Once NSS rolls and this is fixed, disallow RSA key
1735 // import on older versions of NSS.
1736 // http://crbug.com/378315
1737 //
1738 // (2) The ID space is shared by different key types. So theoretically
1739 // possible to retrieve a key of the wrong type which has a matching
1740 // CKA_ID. In practice I am told this is not likely except for small key
1741 // sizes, since would require constructing keys with the same public
1742 // data.
1743 //
1744 // (3) FindKeyByKeyID() doesn't necessarily return the object that was just
1745 // created by CreateGenericObject. If the pre-existing key was
1746 // provisioned with flags incompatible with WebCrypto (for instance
1747 // marked sensitive) then this will break things.
1748 SECItem modulus_item = MakeSECItemForBuffer(CryptoData(modulus));
1749 crypto::ScopedSECItem object_id(PK11_MakeIDFromPubKey(&modulus_item));
1750 AddOptionalAttribute(
1751 CKA_ID, CryptoData(object_id->data, object_id->len), &key_template);
1752
1753 // Optional properties (all of these will have been specified or none).
1754 AddOptionalAttribute(CKA_PRIME_1, prime1, &key_template);
1755 AddOptionalAttribute(CKA_PRIME_2, prime2, &key_template);
1756 AddOptionalAttribute(CKA_EXPONENT_1, exponent1, &key_template);
1757 AddOptionalAttribute(CKA_EXPONENT_2, exponent2, &key_template);
1758 AddOptionalAttribute(CKA_COEFFICIENT, coefficient, &key_template);
1759
1760 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
1761
1762 ScopedPK11GenericObject key_object(PK11_CreateGenericObject(
1763 slot.get(), &key_template[0], key_template.size(), PR_FALSE));
1764
1765 if (!key_object)
1766 return Status::OperationError();
1767
1768 crypto::ScopedSECKEYPrivateKey private_key_tmp(
1769 PK11_FindKeyByKeyID(slot.get(), object_id.get(), NULL));
1770
1771 // PK11_FindKeyByKeyID() may return a handle to an existing key, rather than
1772 // the object created by PK11_CreateGenericObject().
1773 crypto::ScopedSECKEYPrivateKey private_key(
1774 SECKEY_CopyPrivateKey(private_key_tmp.get()));
1775
1776 if (!private_key)
1777 return Status::OperationError();
1778
1779 blink::WebCryptoKeyAlgorithm key_algorithm;
1780 if (!CreatePrivateKeyAlgorithm(algorithm, private_key.get(), &key_algorithm))
1781 return Status::ErrorUnexpected();
1782
1783 scoped_ptr<PrivateKey> key_handle;
1784 Status status =
1785 PrivateKey::Create(private_key.Pass(), key_algorithm, &key_handle);
1786 if (status.IsError())
1787 return status;
1788
1789 *key = blink::WebCryptoKey::create(key_handle.release(),
1790 blink::WebCryptoKeyTypePrivate,
1791 extractable,
1792 key_algorithm,
1793 usage_mask);
1794 return Status::Success();
1795 }
1796
1797 Status WrapSymKeyAesKw(SymKey* key,
1798 SymKey* wrapping_key,
1799 std::vector<uint8>* buffer) {
1800 // The data size must be at least 16 bytes and a multiple of 8 bytes.
1801 // RFC 3394 does not specify a maximum allowed data length, but since only
1802 // keys are being wrapped in this application (which are small), a reasonable
1803 // max limit is whatever will fit into an unsigned. For the max size test,
1804 // note that AES Key Wrap always adds 8 bytes to the input data size.
1805 const unsigned int input_length = PK11_GetKeyLength(key->key());
1806 if (input_length < 16)
1807 return Status::ErrorDataTooSmall();
1808 if (input_length > UINT_MAX - 8)
1809 return Status::ErrorDataTooLarge();
1810 if (input_length % 8)
1811 return Status::ErrorInvalidAesKwDataLength();
1812
1813 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv)));
1814 crypto::ScopedSECItem param_item(
1815 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item));
1816 if (!param_item)
1817 return Status::ErrorUnexpected();
1818
1819 const unsigned int output_length = input_length + 8;
1820 buffer->resize(output_length);
1821 SECItem wrapped_key_item = MakeSECItemForBuffer(CryptoData(*buffer));
1822
1823 if (SECSuccess != PK11_WrapSymKey(CKM_NSS_AES_KEY_WRAP,
1824 param_item.get(),
1825 wrapping_key->key(),
1826 key->key(),
1827 &wrapped_key_item)) {
1828 return Status::OperationError();
1829 }
1830 if (output_length != wrapped_key_item.len)
1831 return Status::ErrorUnexpected();
1832
1833 return Status::Success();
1834 }
1835
1836 Status UnwrapSymKeyAesKw(const CryptoData& wrapped_key_data,
1837 SymKey* wrapping_key,
1838 const blink::WebCryptoAlgorithm& algorithm,
1839 bool extractable,
1840 blink::WebCryptoKeyUsageMask usage_mask,
1841 blink::WebCryptoKey* key) {
1842 // Determine the proper NSS key properties from the input algorithm.
1843 CK_MECHANISM_TYPE mechanism;
1844 CK_FLAGS flags;
1845 Status status =
1846 WebCryptoAlgorithmToNssMechFlags(algorithm, &mechanism, &flags);
1847 if (status.IsError())
1848 return status;
1849
1850 crypto::ScopedPK11SymKey unwrapped_key;
1851 status = DoUnwrapSymKeyAesKw(
1852 wrapped_key_data, wrapping_key, mechanism, flags, &unwrapped_key);
1853 if (status.IsError())
1854 return status;
1855
1856 blink::WebCryptoKeyAlgorithm key_algorithm;
1857 if (!CreateSecretKeyAlgorithm(
1858 algorithm, PK11_GetKeyLength(unwrapped_key.get()), &key_algorithm))
1859 return Status::ErrorUnexpected();
1860
1861 scoped_ptr<SymKey> key_handle;
1862 status = SymKey::Create(unwrapped_key.Pass(), &key_handle);
1863 if (status.IsError())
1864 return status;
1865
1866 *key = blink::WebCryptoKey::create(key_handle.release(),
1867 blink::WebCryptoKeyTypeSecret,
1868 extractable,
1869 key_algorithm,
1870 usage_mask);
1871 return Status::Success();
1872 }
1873
1874 Status DecryptAesKw(SymKey* wrapping_key,
1875 const CryptoData& data,
1876 std::vector<uint8>* buffer) {
1877 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must be
1878 // temporarily viewed as a symmetric key to be unwrapped (decrypted).
1879 crypto::ScopedPK11SymKey decrypted;
1880 Status status = DoUnwrapSymKeyAesKw(
1881 data, wrapping_key, CKK_GENERIC_SECRET, 0, &decrypted);
1882 if (status.IsError())
1883 return status;
1884
1885 // Once the decrypt is complete, extract the resultant raw bytes from NSS and
1886 // return them to the caller.
1887 if (PK11_ExtractKeyValue(decrypted.get()) != SECSuccess)
1888 return Status::OperationError();
1889 const SECItem* const key_data = PK11_GetKeyData(decrypted.get());
1890 if (!key_data)
1891 return Status::OperationError();
1892 buffer->assign(key_data->data, key_data->data + key_data->len);
1893
1894 return Status::Success();
1895 }
1896
1897 } // namespace platform
1898
1899 } // namespace webcrypto
1900
1901 } // namespace content