| blob | 5ab62feef1d7c28ac2cb79c12b97a44af7950424 |
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef COMPONENTS_WEBCRYPTO_JWK_H_
6 #define COMPONENTS_WEBCRYPTO_JWK_H_
8 #include <stdint.h>
9 #include <vector>
20 // Helper class for parsing a JWK from JSON.
21 //
22 // This primarily exists to ensure strict enforcement of the JWK schema, as the
23 // type and presence of particular members is security relevant. For example,
24 // GetString() will ensure a given JSON member is present and is a string type,
25 // and will fail if these conditions aren't met.
26 //
27 // Users of JwkReader must call Init() successfully before any other method can
28 // be called.
34 // Initializes a JWK reader by parsing the JSON |bytes|. To succeed, the JWK
35 // must:
36 // * Have "kty" matching |expected_kty|
37 // * Have "ext" compatible with |expected_extractable|
38 // * Have usages ("use", "key_ops") compatible with |expected_usages|
39 // * Have an "alg" matching |expected_alg|
40 //
41 // NOTE: If |expected_alg| is empty, then the test on "alg" is skipped.
48 // Returns true if the member |member_name| is present.
51 // Extracts the required string member |member_name| and saves the result to
52 // |*result|. If the member does not exist or is not a string, returns an
53 // error.
56 // Extracts the optional string member |member_name| and saves the result to
57 // |*result| if it was found. If the member exists and is not a string,
58 // returns an error. Otherwise returns success, and sets |*member_exists| if
59 // it was found.
64 // Extracts the optional array member |member_name| and saves the result to
65 // |*result| if it was found. If the member exists and is not an array,
66 // returns an error. Otherwise returns success, and sets |*member_exists| if
67 // it was found.
68 //
69 // NOTE: |*result| is owned by the JwkReader.
74 // Extracts the required string member |member_name| and saves the
75 // base64url-decoded bytes to |*result|. If the member does not exist or is
76 // not a string, or could not be base64url-decoded, returns an error.
79 // Extracts the required base64url member, which is interpreted as being a
80 // big-endian unsigned integer.
81 //
82 // Sequences that contain leading zeros will be rejected.
86 // Extracts the optional boolean member |member_name| and saves the result to
87 // |*result| if it was found. If the member exists and is not a boolean,
88 // returns an error. Otherwise returns success, and sets |*member_exists| if
89 // it was found.
94 // Gets the optional algorithm ("alg") string.
97 // Checks if the "alg" member matches |expected_alg|.
102 };
104 // Helper class for building the JSON for a JWK.
107 // Initializes a writer, and sets the standard JWK members as indicated.
108 // |algorithm| is optional, and is only written if the provided |algorithm| is
109 // non-empty.
115 // Sets a string member |member_name| to |value|.
118 // Sets a bytes member |value| to |value| by base64 url-safe encoding it.
121 // Flattens the JWK to JSON (UTF-8 encoded if necessary, however in practice
122 // it will be ASCII).
127 };
129 // Writes a JWK-formatted symmetric key to |jwk_key_data|.
130 // * raw_key_data: The actual key data
131 // * algorithm: The JWK algorithm name (i.e. "alg")
132 // * extractable: The JWK extractability (i.e. "ext")
133 // * usages: The JWK usages (i.e. "key_ops")
140 // Parses a UTF-8 encoded JWK (key_data), and extracts the key material to
141 // |*raw_key_data|. Returns Status::Success() on success, otherwise an error.
142 // In order for this to succeed:
143 // * expected_alg must match the JWK's "alg", if present.
144 // * expected_extractable must be consistent with the JWK's "ext", if
145 // present.
146 // * expected_usages must be a subset of the JWK's "key_ops" if present.
153 // Creates an AES algorithm name for the given key size (in bytes). For
154 // instance "A128CBC" is the result of suffix="CBC", keylen_bytes=16.
158 // This is very similar to ReadSecretKeyJwk(), except instead of specifying an
159 // absolute "expected_alg", the suffix for an AES algorithm name is given
160 // (See MakeJwkAesAlgorithmName() for an explanation of what the suffix is).
161 //
162 // This is because the algorithm name for AES keys is dependent on the length
163 // of the key. This function expects key lengths to be either 128, 192, or 256
164 // bits.
171 // Writes a JWK-formated RSA public key and saves the result to
172 // |*jwk_key_data|.
180 // Writes a JWK-formated RSA private key and saves the result to
181 // |*jwk_key_data|.
195 // Describes the RSA components for a parsed key. The names of the properties
196 // correspond with those from the JWK spec. Note that Chromium's WebCrypto
197 // implementation does not support multi-primes, so there is no parsed field
198 // for othinfo.
212 };
214 // Parses a UTF-8 encoded JWK (key_data), and extracts the RSA components to
215 // |*result|. Returns Status::Success() on success, otherwise an error.
216 // In order for this to succeed:
217 // * expected_alg must match the JWK's "alg", if present.
218 // * expected_extractable must be consistent with the JWK's "ext", if
219 // present.
220 // * expected_usages must be a subset of the JWK's "key_ops" if present.
229 // This decodes JWK's flavor of base64 encoding, as described by:
230 // https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-36#section-2
231 //
232 // In essence it is RFC 4648 'base64url' encoding where padding is omitted.
235 // Encodes |input| using JWK's flavor of base64 encoding. See the description
236 // above for details.
240 // Converts a JWK "key_ops" array to the corresponding WebCrypto usages. Used by
241 // testing.