components/webcrypto/openssl/ecdh_openssl.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include <openssl/ec.h>
   6 #include <openssl/ecdh.h>
   7 #include <openssl/evp.h>
   8
   9 #include "base/logging.h"
  10 #include "base/stl_util.h"
  11 #include "components/webcrypto/algorithm_implementation.h"
  12 #include "components/webcrypto/crypto_data.h"
  13 #include "components/webcrypto/generate_key_result.h"
  14 #include "components/webcrypto/openssl/ec_algorithm_openssl.h"
  15 #include "components/webcrypto/openssl/key_openssl.h"
  16 #include "components/webcrypto/openssl/util_openssl.h"
  17 #include "components/webcrypto/status.h"
  18 #include "components/webcrypto/webcrypto_util.h"
  19 #include "crypto/openssl_util.h"
  20 #include "crypto/scoped_openssl_types.h"
  21 #include "crypto/secure_util.h"
  22 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
  23 #include "third_party/WebKit/public/platform/WebCryptoKey.h"
  24 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
  25
  26 namespace webcrypto {
  27
  28 namespace {
  29
  30 // TODO(eroman): Support the "raw" format for ECDH key import + export, as
  31 // specified by WebCrypto spec.
  32
  33 // TODO(eroman): Allow id-ecDH in SPKI and PKCS#8 import
  34 // (http://crbug.com/389400)
  35
  36 class EcdhImplementation : public EcAlgorithm {
  37  public:
  38   EcdhImplementation()
  39       : EcAlgorithm(0,
  40                     blink::WebCryptoKeyUsageDeriveKey |
  41                         blink::WebCryptoKeyUsageDeriveBits) {}
  42
  43   const char* GetJwkAlgorithm(
  44       const blink::WebCryptoNamedCurve curve) const override {
  45     // JWK import for ECDH does not enforce any required value for "alg".
  46     return "";
  47   }
  48
  49   Status DeriveBits(const blink::WebCryptoAlgorithm& algorithm,
  50                     const blink::WebCryptoKey& base_key,
  51                     bool has_optional_length_bits,
  52                     unsigned int optional_length_bits,
  53                     std::vector<uint8_t>* derived_bytes) const override {
  54     if (base_key.type() != blink::WebCryptoKeyTypePrivate)
  55       return Status::ErrorUnexpectedKeyType();
  56
  57     // Verify the "publicKey" parameter. The only guarantee from Blink is that
  58     // it is a valid WebCryptoKey, but it could be any type.
  59     const blink::WebCryptoKey& public_key =
  60         algorithm.ecdhKeyDeriveParams()->publicKey();
  61
  62     if (public_key.type() != blink::WebCryptoKeyTypePublic)
  63       return Status::ErrorEcdhPublicKeyWrongType();
  64
  65     // Make sure it is an EC key.
  66     if (!public_key.algorithm().ecParams())
  67       return Status::ErrorEcdhPublicKeyWrongType();
  68
  69     // TODO(eroman): This is not described by the spec:
  70     // https://www.w3.org/Bugs/Public/show_bug.cgi?id=27404
  71     if (public_key.algorithm().id() != blink::WebCryptoAlgorithmIdEcdh)
  72       return Status::ErrorEcdhPublicKeyWrongAlgorithm();
  73
  74     // The public and private keys come from different key pairs, however their
  75     // curves must match.
  76     if (public_key.algorithm().ecParams()->namedCurve() !=
  77         base_key.algorithm().ecParams()->namedCurve()) {
  78       return Status::ErrorEcdhCurveMismatch();
  79     }
  80
  81     crypto::ScopedEC_KEY public_key_ec(
  82         EVP_PKEY_get1_EC_KEY(AsymKeyOpenSsl::Cast(public_key)->key()));
  83
  84     const EC_POINT* public_key_point =
  85         EC_KEY_get0_public_key(public_key_ec.get());
  86
  87     crypto::ScopedEC_KEY private_key_ec(
  88         EVP_PKEY_get1_EC_KEY(AsymKeyOpenSsl::Cast(base_key)->key()));
  89
  90     // The size of the shared secret is the field size in bytes (rounded up).
  91     // Note that, if rounding was required, the most significant bits of the
  92     // secret are zero. So for P-521, the maximum length is 528 bits, not 521.
  93     int field_size_bytes = NumBitsToBytes(
  94         EC_GROUP_get_degree(EC_KEY_get0_group(private_key_ec.get())));
  95
  96     // If a desired key length was not specified, default to the field size
  97     // (rounded up to nearest byte).
  98     unsigned int length_bits =
  99         has_optional_length_bits ? optional_length_bits : field_size_bytes * 8;
 100
 101     // Short-circuit when deriving an empty key.
 102     // TODO(eroman): ECDH_compute_key() is not happy when given a NULL output.
 103     //               http://crbug.com/464194.
 104     if (length_bits == 0) {
 105       derived_bytes->clear();
 106       return Status::Success();
 107     }
 108
 109     if (length_bits > static_cast<unsigned int>(field_size_bytes * 8))
 110       return Status::ErrorEcdhLengthTooBig(field_size_bytes * 8);
 111
 112     // Resize to target length in bytes (BoringSSL can operate on a shorter
 113     // buffer than field_size_bytes).
 114     derived_bytes->resize(NumBitsToBytes(length_bits));
 115
 116     int result =
 117         ECDH_compute_key(vector_as_array(derived_bytes), derived_bytes->size(),
 118                          public_key_point, private_key_ec.get(), 0);
 119     if (result < 0 || static_cast<size_t>(result) != derived_bytes->size())
 120       return Status::OperationError();
 121
 122     TruncateToBitLength(length_bits, derived_bytes);
 123     return Status::Success();
 124   }
 125 };
 126
 127 }  // namespace
 128
 129 AlgorithmImplementation* CreatePlatformEcdhImplementation() {
 130   return new EcdhImplementation;
 131 }
 132
 133 }  // namespace webcrypto