components/webcrypto/webcrypto_util.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "components/webcrypto/webcrypto_util.h"
   6
   7 #include "base/logging.h"
   8 #include "base/numerics/safe_math.h"
   9 #include "components/webcrypto/status.h"
  10 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
  11 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
  12 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
  13
  14 namespace webcrypto {
  15
  16 namespace {
  17
  18 // Converts a (big-endian) WebCrypto BigInteger, with or without leading zeros,
  19 // to unsigned int.
  20 bool BigIntegerToUint(const uint8_t* data,
  21                       size_t data_size,
  22                       unsigned int* result) {
  23   if (data_size == 0)
  24     return false;
  25
  26   *result = 0;
  27   for (size_t i = 0; i < data_size; ++i) {
  28     size_t reverse_i = data_size - i - 1;
  29
  30     if (reverse_i >= sizeof(*result) && data[i])
  31       return false;  // Too large for a uint.
  32
  33     *result |= data[i] << 8 * reverse_i;
  34   }
  35   return true;
  36 }
  37
  38 Status GetShaBlockSizeBits(const blink::WebCryptoAlgorithm& algorithm,
  39                            unsigned int* block_size_bits) {
  40   switch (algorithm.id()) {
  41     case blink::WebCryptoAlgorithmIdSha1:
  42     case blink::WebCryptoAlgorithmIdSha256:
  43       *block_size_bits = 512;
  44       return Status::Success();
  45     case blink::WebCryptoAlgorithmIdSha384:
  46     case blink::WebCryptoAlgorithmIdSha512:
  47       *block_size_bits = 1024;
  48       return Status::Success();
  49     default:
  50       return Status::ErrorUnsupported();
  51   }
  52 }
  53
  54 }  // namespace
  55
  56 blink::WebCryptoAlgorithm CreateAlgorithm(blink::WebCryptoAlgorithmId id) {
  57   return blink::WebCryptoAlgorithm::adoptParamsAndCreate(id, NULL);
  58 }
  59
  60 blink::WebCryptoAlgorithm CreateHmacImportAlgorithm(
  61     blink::WebCryptoAlgorithmId hash_id,
  62     unsigned int length_bits) {
  63   DCHECK(blink::WebCryptoAlgorithm::isHash(hash_id));
  64   return blink::WebCryptoAlgorithm::adoptParamsAndCreate(
  65       blink::WebCryptoAlgorithmIdHmac,
  66       new blink::WebCryptoHmacImportParams(CreateAlgorithm(hash_id), true,
  67                                            length_bits));
  68 }
  69
  70 blink::WebCryptoAlgorithm CreateHmacImportAlgorithmNoLength(
  71     blink::WebCryptoAlgorithmId hash_id) {
  72   DCHECK(blink::WebCryptoAlgorithm::isHash(hash_id));
  73   return blink::WebCryptoAlgorithm::adoptParamsAndCreate(
  74       blink::WebCryptoAlgorithmIdHmac,
  75       new blink::WebCryptoHmacImportParams(CreateAlgorithm(hash_id), false, 0));
  76 }
  77
  78 blink::WebCryptoAlgorithm CreateRsaHashedImportAlgorithm(
  79     blink::WebCryptoAlgorithmId id,
  80     blink::WebCryptoAlgorithmId hash_id) {
  81   DCHECK(blink::WebCryptoAlgorithm::isHash(hash_id));
  82   return blink::WebCryptoAlgorithm::adoptParamsAndCreate(
  83       id, new blink::WebCryptoRsaHashedImportParams(CreateAlgorithm(hash_id)));
  84 }
  85
  86 blink::WebCryptoAlgorithm CreateEcImportAlgorithm(
  87     blink::WebCryptoAlgorithmId id,
  88     blink::WebCryptoNamedCurve named_curve) {
  89   return blink::WebCryptoAlgorithm::adoptParamsAndCreate(
  90       id, new blink::WebCryptoEcKeyImportParams(named_curve));
  91 }
  92
  93 bool ContainsKeyUsages(blink::WebCryptoKeyUsageMask a,
  94                        blink::WebCryptoKeyUsageMask b) {
  95   return (a & b) == b;
  96 }
  97
  98 // The WebCrypto spec defines the default value for the tag length, as well as
  99 // the allowed values for tag length.
 100 Status GetAesGcmTagLengthInBits(const blink::WebCryptoAesGcmParams* params,
 101                                 unsigned int* tag_length_bits) {
 102   *tag_length_bits = 128;
 103   if (params->hasTagLengthBits())
 104     *tag_length_bits = params->optionalTagLengthBits();
 105
 106   if (*tag_length_bits != 32 && *tag_length_bits != 64 &&
 107       *tag_length_bits != 96 && *tag_length_bits != 104 &&
 108       *tag_length_bits != 112 && *tag_length_bits != 120 &&
 109       *tag_length_bits != 128)
 110     return Status::ErrorInvalidAesGcmTagLength();
 111
 112   return Status::Success();
 113 }
 114
 115 Status GetAesKeyGenLengthInBits(const blink::WebCryptoAesKeyGenParams* params,
 116                                 unsigned int* keylen_bits) {
 117   *keylen_bits = params->lengthBits();
 118
 119   if (*keylen_bits == 128 || *keylen_bits == 256)
 120     return Status::Success();
 121
 122   // BoringSSL does not support 192-bit AES.
 123   if (*keylen_bits == 192)
 124     return Status::ErrorAes192BitUnsupported();
 125
 126   return Status::ErrorGenerateAesKeyLength();
 127 }
 128
 129 Status GetHmacKeyGenLengthInBits(const blink::WebCryptoHmacKeyGenParams* params,
 130                                  unsigned int* keylen_bits) {
 131   if (!params->hasLengthBits())
 132     return GetShaBlockSizeBits(params->hash(), keylen_bits);
 133
 134   *keylen_bits = params->optionalLengthBits();
 135
 136   // Zero-length HMAC keys are disallowed by the spec.
 137   if (*keylen_bits == 0)
 138     return Status::ErrorGenerateHmacKeyLengthZero();
 139
 140   return Status::Success();
 141 }
 142
 143 Status GetHmacImportKeyLengthBits(
 144     const blink::WebCryptoHmacImportParams* params,
 145     unsigned int key_data_byte_length,
 146     unsigned int* keylen_bits) {
 147   if (key_data_byte_length == 0)
 148     return Status::ErrorHmacImportEmptyKey();
 149
 150   // Make sure that the key data's length can be represented in bits without
 151   // overflow.
 152   base::CheckedNumeric<unsigned int> checked_keylen_bits(key_data_byte_length);
 153   checked_keylen_bits *= 8;
 154
 155   if (!checked_keylen_bits.IsValid())
 156     return Status::ErrorDataTooLarge();
 157
 158   unsigned int data_keylen_bits = checked_keylen_bits.ValueOrDie();
 159
 160   // Determine how many bits of the input to use.
 161   *keylen_bits = data_keylen_bits;
 162   if (params->hasLengthBits()) {
 163     // The requested bit length must be:
 164     //   * No longer than the input data length
 165     //   * At most 7 bits shorter.
 166     if (NumBitsToBytes(params->optionalLengthBits()) != key_data_byte_length)
 167       return Status::ErrorHmacImportBadLength();
 168     *keylen_bits = params->optionalLengthBits();
 169   }
 170
 171   return Status::Success();
 172 }
 173
 174 Status VerifyAesKeyLengthForImport(unsigned int keylen_bytes) {
 175   if (keylen_bytes == 16 || keylen_bytes == 32)
 176     return Status::Success();
 177
 178   // BoringSSL does not support 192-bit AES.
 179   if (keylen_bytes == 24)
 180     return Status::ErrorAes192BitUnsupported();
 181
 182   return Status::ErrorImportAesKeyLength();
 183 }
 184
 185 Status CheckKeyCreationUsages(blink::WebCryptoKeyUsageMask all_possible_usages,
 186                               blink::WebCryptoKeyUsageMask actual_usages,
 187                               bool allow_empty_usages) {
 188   if (!allow_empty_usages && actual_usages == 0)
 189     return Status::ErrorCreateKeyEmptyUsages();
 190
 191   if (!ContainsKeyUsages(all_possible_usages, actual_usages))
 192     return Status::ErrorCreateKeyBadUsages();
 193   return Status::Success();
 194 }
 195
 196 Status GetRsaKeyGenParameters(
 197     const blink::WebCryptoRsaHashedKeyGenParams* params,
 198     unsigned int* public_exponent,
 199     unsigned int* modulus_length_bits) {
 200   *modulus_length_bits = params->modulusLengthBits();
 201
 202   // Limit key sizes to those supported by NSS:
 203   //   * Multiple of 8 bits
 204   //   * 256 bits to 16K bits
 205   if (*modulus_length_bits < 256 || *modulus_length_bits > 16384 ||
 206       (*modulus_length_bits % 8) != 0) {
 207     return Status::ErrorGenerateRsaUnsupportedModulus();
 208   }
 209
 210   if (!BigIntegerToUint(params->publicExponent().data(),
 211                         params->publicExponent().size(), public_exponent)) {
 212     return Status::ErrorGenerateKeyPublicExponent();
 213   }
 214
 215   // OpenSSL hangs when given bad public exponents, whereas NSS simply fails. To
 216   // avoid feeding OpenSSL data that will hang use a whitelist.
 217   if (*public_exponent != 3 && *public_exponent != 65537)
 218     return Status::ErrorGenerateKeyPublicExponent();
 219
 220   return Status::Success();
 221 }
 222
 223 Status VerifyUsagesBeforeImportAsymmetricKey(
 224     blink::WebCryptoKeyFormat format,
 225     blink::WebCryptoKeyUsageMask all_public_key_usages,
 226     blink::WebCryptoKeyUsageMask all_private_key_usages,
 227     blink::WebCryptoKeyUsageMask usages) {
 228   switch (format) {
 229     case blink::WebCryptoKeyFormatSpki:
 230       return CheckKeyCreationUsages(all_public_key_usages, usages, true);
 231     case blink::WebCryptoKeyFormatPkcs8:
 232       return CheckKeyCreationUsages(all_private_key_usages, usages, false);
 233     case blink::WebCryptoKeyFormatJwk: {
 234       // The JWK could represent either a public key or private key. The usages
 235       // must make sense for one of the two. The usages will be checked again by
 236       // ImportKeyJwk() once the key type has been determined.
 237       if (CheckKeyCreationUsages(all_public_key_usages, usages, true)
 238               .IsError() &&
 239           CheckKeyCreationUsages(all_private_key_usages, usages, false)
 240               .IsError()) {
 241         return Status::ErrorCreateKeyBadUsages();
 242       }
 243       return Status::Success();
 244     }
 245     default:
 246       return Status::ErrorUnsupportedImportKeyFormat();
 247   }
 248 }
 249
 250 void TruncateToBitLength(size_t length_bits, std::vector<uint8_t>* bytes) {
 251   size_t length_bytes = NumBitsToBytes(length_bits);
 252
 253   if (bytes->size() != length_bytes) {
 254     CHECK_LT(length_bytes, bytes->size());
 255     bytes->resize(length_bytes);
 256   }
 257
 258   size_t remainder_bits = length_bits % 8;
 259
 260   // Zero any "unused bits" in the final byte
 261   if (remainder_bits)
 262     (*bytes)[bytes->size() - 1] &= ~((0xFF) >> remainder_bits);
 263 }
 264
 265 Status GetAesKeyLength(const blink::WebCryptoAlgorithm& key_length_algorithm,
 266                        bool* has_length_bits,
 267                        unsigned int* length_bits) {
 268   const blink::WebCryptoAesDerivedKeyParams* params =
 269       key_length_algorithm.aesDerivedKeyParams();
 270
 271   *has_length_bits = true;
 272   *length_bits = params->lengthBits();
 273
 274   if (*length_bits == 128 || *length_bits == 256)
 275     return Status::Success();
 276
 277   // BoringSSL does not support 192-bit AES.
 278   if (*length_bits == 192)
 279     return Status::ErrorAes192BitUnsupported();
 280
 281   return Status::ErrorGetAesKeyLength();
 282 }
 283
 284 Status GetHmacKeyLength(const blink::WebCryptoAlgorithm& key_length_algorithm,
 285                         bool* has_length_bits,
 286                         unsigned int* length_bits) {
 287   const blink::WebCryptoHmacImportParams* params =
 288       key_length_algorithm.hmacImportParams();
 289
 290   if (params->hasLengthBits()) {
 291     *has_length_bits = true;
 292     *length_bits = params->optionalLengthBits();
 293     if (*length_bits == 0)
 294       return Status::ErrorGetHmacKeyLengthZero();
 295     return Status::Success();
 296   }
 297
 298   *has_length_bits = true;
 299   return GetShaBlockSizeBits(params->hash(), length_bits);
 300 }
 301
 302 Status GetUsagesForGenerateAsymmetricKey(
 303     blink::WebCryptoKeyUsageMask combined_usages,
 304     blink::WebCryptoKeyUsageMask all_public_usages,
 305     blink::WebCryptoKeyUsageMask all_private_usages,
 306     blink::WebCryptoKeyUsageMask* public_usages,
 307     blink::WebCryptoKeyUsageMask* private_usages) {
 308   Status status = CheckKeyCreationUsages(all_public_usages | all_private_usages,
 309                                          combined_usages, true);
 310   if (status.IsError())
 311     return status;
 312
 313   *public_usages = combined_usages & all_public_usages;
 314   *private_usages = combined_usages & all_private_usages;
 315
 316   if (*private_usages == 0)
 317     return Status::ErrorCreateKeyEmptyUsages();
 318
 319   return Status::Success();
 320 }
 321
 322 }  // namespace webcrypto