| blob | 5d5a1415bb13cf28d5255cd384496e166831419d |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <algorithm>
8 #include <functional>
9 #include <map>
26 // TODO(padolph): include all other asymmetric algorithms once they are
27 // defined, e.g. EC and DH.
31 }
33 // Binds a specific key length value to a compatible factory function.
39 }
41 // Binds a WebCryptoAlgorithmId value to a compatible factory function.
48 }
50 // Defines a map between a JWK 'alg' string ID and a corresponding Web Crypto
51 // factory function.
82 // TODO(padolph): The Web Crypto spec does not enumerate AES-KW 128 yet
84 // TODO(padolph): The Web Crypto spec does not enumerate AES-KW 256 yet
101 }
109 }
112 JwkAlgFactoryMap map_;
113 };
116 LAZY_INSTANCE_INITIALIZER;
132 }
147 }
149 }
160 }
162 }
168 }
182 }
183 }
197 }
198 }
211 }
212 }
236 }
247 }
248 }
249 }
262 key_data_size,
263 algorithm_or_null,
264 extractable,
265 usage_mask,
269 }
272 key_data,
273 key_data_size,
274 algorithm_or_null,
275 extractable,
276 usage_mask,
280 }
281 }
286 }
296 }
298 }
312 }
313 }
326 key,
327 signature,
328 signature_size,
329 data,
330 data_size,
335 }
336 }
346 // The goal of this method is to extract key material and meta data from the
347 // incoming JWK, combine them with the input parameters, and ultimately import
348 // a Web Crypto Key.
349 //
350 // JSON Web Key Format (JWK)
351 // http://tools.ietf.org/html/draft-ietf-jose-json-web-key-16
352 // TODO(padolph): Not all possible values are handled by this code right now
353 //
354 // A JWK is a simple JSON dictionary with the following entries
355 // - "kty" (Key Type) Parameter, REQUIRED
356 // - <kty-specific parameters, see below>, REQUIRED
357 // - "use" (Key Use) Parameter, OPTIONAL
358 // - "alg" (Algorithm) Parameter, OPTIONAL
359 // - "extractable" (Key Exportability), OPTIONAL [NOTE: not yet part of JOSE,
360 // see https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796]
361 // (all other entries are ignored)
362 //
363 // OPTIONAL here means that this code does not require the entry to be present
364 // in the incoming JWK, because the method input parameters contain similar
365 // information. If the optional JWK entry is present, it will be validated
366 // against the corresponding input parameter for consistency and combined with
367 // it according to rules defined below. A special case is that the method
368 // input parameter 'algorithm' is also optional. If it is null, the JWK 'alg'
369 // value (if present) is used as a fallback.
370 //
371 // Input 'key_data' contains the JWK. To build a Web Crypto Key, the JWK
372 // values are parsed out and combined with the method input parameters to
373 // build a Web Crypto Key:
374 // Web Crypto Key type <-- (deduced)
375 // Web Crypto Key extractable <-- JWK extractable + input extractable
376 // Web Crypto Key algorithm <-- JWK alg + input algorithm
377 // Web Crypto Key keyUsage <-- JWK use + input usage_mask
378 // Web Crypto Key keying material <-- kty-specific parameters
379 //
380 // Values for each JWK entry are case-sensitive and defined in
381 // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16.
382 // Note that not all values specified by JOSE are handled by this code. Only
383 // handled values are listed.
384 // - kty (Key Type)
385 // +-------+--------------------------------------------------------------+
386 // | "RSA" | RSA [RFC3447] |
387 // | "oct" | Octet sequence (used to represent symmetric keys) |
388 // +-------+--------------------------------------------------------------+
389 // - use (Key Use)
390 // +-------+--------------------------------------------------------------+
391 // | "enc" | encrypt and decrypt operations |
392 // | "sig" | sign and verify (MAC) operations |
393 // | "wrap"| key wrap and unwrap [not yet part of JOSE] |
394 // +-------+--------------------------------------------------------------+
395 // - extractable (Key Exportability)
396 // +-------+--------------------------------------------------------------+
397 // | true | Key may be exported from the trusted environment |
398 // | false | Key cannot exit the trusted environment |
399 // +-------+--------------------------------------------------------------+
400 // - alg (Algorithm)
401 // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16
402 // +--------------+-------------------------------------------------------+
403 // | Digital Signature or MAC Algorithm |
404 // +--------------+-------------------------------------------------------+
405 // | "HS256" | HMAC using SHA-256 hash algorithm |
406 // | "HS384" | HMAC using SHA-384 hash algorithm |
407 // | "HS512" | HMAC using SHA-512 hash algorithm |
408 // | "RS256" | RSASSA using SHA-256 hash algorithm |
409 // | "RS384" | RSASSA using SHA-384 hash algorithm |
410 // | "RS512" | RSASSA using SHA-512 hash algorithm |
411 // +--------------+-------------------------------------------------------|
412 // | Key Management Algorithm |
413 // +--------------+-------------------------------------------------------+
414 // | "RSA1_5" | RSAES-PKCS1-V1_5 [RFC3447] |
415 // | "RSA-OAEP" | RSAES using Optimal Asymmetric Encryption Padding |
416 // | | (OAEP) [RFC3447], with the default parameters |
417 // | | specified by RFC3447 in Section A.2.1 |
418 // | "A128KW" | Advanced Encryption Standard (AES) Key Wrap Algorithm |
419 // | | [RFC3394] using 128 bit keys |
420 // | "A256KW" | AES Key Wrap Algorithm using 256 bit keys |
421 // | "A128GCM" | AES in Galois/Counter Mode (GCM) [NIST.800-38D] using |
422 // | | 128 bit keys |
423 // | "A256GCM" | AES GCM using 256 bit keys |
424 // | "A128CBC" | AES in Cipher Block Chaining Mode (CBC) with PKCS #5 |
425 // | | padding [NIST.800-38A] [not yet part of JOSE, see |
426 // | | https://www.w3.org/Bugs/Public/show_bug.cgi?id=23796 |
427 // | "A192CBC" | AES CBC using 192 bit keys [not yet part of JOSE] |
428 // | "A256CBC" | AES CBC using 256 bit keys [not yet part of JOSE] |
429 // +--------------+-------------------------------------------------------+
430 //
431 // kty-specific parameters
432 // The value of kty determines the type and content of the keying material
433 // carried in the JWK to be imported. Currently only two possibilities are
434 // supported: a raw key or an RSA public key. RSA private keys are not
435 // supported because typical applications seldom need to import a private key,
436 // and the large number of JWK parameters required to describe one.
437 // - kty == "oct" (symmetric or other raw key)
438 // +-------+--------------------------------------------------------------+
439 // | "k" | Contains the value of the symmetric (or other single-valued) |
440 // | | key. It is represented as the base64url encoding of the |
441 // | | octet sequence containing the key value. |
442 // +-------+--------------------------------------------------------------+
443 // - kty == "RSA" (RSA public key)
444 // +-------+--------------------------------------------------------------+
445 // | "n" | Contains the modulus value for the RSA public key. It is |
446 // | | represented as the base64url encoding of the value's |
447 // | | unsigned big endian representation as an octet sequence. |
448 // +-------+--------------------------------------------------------------+
449 // | "e" | Contains the exponent value for the RSA public key. It is |
450 // | | represented as the base64url encoding of the value's |
451 // | | unsigned big endian representation as an octet sequence. |
452 // +-------+--------------------------------------------------------------+
453 //
454 // Consistency and conflict resolution
455 // The 'algorithm_or_null', 'extractable', and 'usage_mask' input parameters
456 // may be different than the corresponding values inside the JWK. The Web
457 // Crypto spec says that if a JWK value is present but is inconsistent with
458 // the input value, it is an error and the operation must fail. If no
459 // inconsistency is found, the input and JWK values are combined as follows:
460 //
461 // algorithm
462 // If an algorithm is provided by both the input parameter and the JWK,
463 // consistency between the two is based only on algorithm ID's (including an
464 // inner hash algorithm if present). In this case if the consistency
465 // check is passed, the input algorithm is used. If only one of either the
466 // input algorithm and JWK alg is provided, it is used as the final
467 // algorithm.
468 //
469 // extractable
470 // If the JWK extractable is true but the input parameter is false, make the
471 // Web Crypto Key non-extractable. Conversely, if the JWK extractable is
472 // false but the input parameter is true, it is an inconsistency. If both
473 // are true or both are false, use that value.
474 //
475 // usage_mask
476 // The input usage_mask must be a strict subset of the interpreted JWK use
477 // value, else it is judged inconsistent. In all cases the input usage_mask
478 // is used as the final usage_mask.
479 //
485 // Parse the incoming JWK JSON.
487 key_data_size);
489 // Note, bare pointer dict_value is ok since it points into scoped value.
494 // JWK "kty". Exit early if this required JWK parameter is missing.
499 // JWK "extractable" (optional) --> extractable parameter
500 {
506 }
507 }
509 // JWK "alg" (optional) --> algorithm parameter
510 // Note: input algorithm is also optional, so we have six cases to handle.
511 // 1. JWK alg present but unrecognized: error
512 // 2. JWK alg valid AND input algorithm isNull: use JWK value
513 // 3. JWK alg valid AND input algorithm specified, but JWK value
514 // inconsistent with input: error
515 // 4. JWK alg valid AND input algorithm specified, both consistent: use
516 // input value (because it has potentially more details)
517 // 5. JWK alg missing AND input algorithm isNull: error
518 // 6. JWK alg missing AND input algorithm specified: use input value
522 // JWK alg present
524 // TODO(padolph): Validate alg vs kty. For example kty="RSA" implies alg can
525 // only be from the RSA family.
530 // JWK alg unrecognized
532 }
533 // JWK alg valid
535 // input algorithm not specified
538 // input algorithm specified
542 }
544 // JWK alg missing
548 }
551 // JWK "use" (optional) --> usage_mask parameter
556 jwk_usage_mask =
559 jwk_usage_mask =
562 jwk_usage_mask =
566 }
568 // A usage_mask must be a subset of jwk_usage_mask.
570 }
571 }
573 // JWK keying material --> ImportKeyInternal()
580 // TODO(padolph): Some JWK alg ID's embed information about the key length
581 // in the alg ID string. For example "A128" implies the JWK carries 128 bits
582 // of key material, and "HS512" implies the JWK carries _at least_ 512 bits
583 // of key material. For such keys validate the actual key length against the
584 // value in the ID.
589 algorithm,
590 extractable,
591 usage_mask,
592 key);
595 // An RSA public key must have an "n" (modulus) and an "e" (exponent) entry
596 // in the JWK, while an RSA private key must have those, plus at least a "d"
597 // (private exponent) entry.
598 // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18,
599 // section 6.3.
601 // RSA private key import is not currently supported, so fail here if a "d"
602 // entry is found.
603 // TODO(padolph): Support RSA private key import.
619 algorithm,
620 extractable,
621 usage_mask,
622 key);
626 }
629 }