mandoline: Reland "Sandbox mojo:browser and mojo:omnibox."
[chromium-blink-merge.git] / components / webcrypto / nss / util_nss.cc
blob784a98016caca92a2bbc68e4f8ad4a0c0659b857
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "components/webcrypto/nss/util_nss.h"
7 #include "base/lazy_instance.h"
8 #include "components/webcrypto/crypto_data.h"
9 #include "components/webcrypto/platform_crypto.h"
10 #include "crypto/nss_util.h"
11 #include "crypto/scoped_nss_types.h"
13 #if defined(USE_NSS_CERTS)
14 #include <dlfcn.h>
15 #include <secoid.h>
16 #endif
18 namespace webcrypto {
20 namespace {
21 base::LazyInstance<NssRuntimeSupport>::Leaky g_nss_runtime_support =
22 LAZY_INSTANCE_INITIALIZER;
23 } // namespace
25 // Creates a SECItem for the data in |buffer|. This does NOT make a copy, so
26 // |buffer| should outlive the SECItem.
27 SECItem MakeSECItemForBuffer(const CryptoData& buffer) {
28 SECItem item = {
29 siBuffer,
30 // NSS requires non-const data even though it is just for input.
31 const_cast<unsigned char*>(buffer.bytes()),
32 buffer.byte_length()};
33 return item;
36 CryptoData SECItemToCryptoData(const SECItem& item) {
37 return CryptoData(item.data, item.len);
40 NssRuntimeSupport* NssRuntimeSupport::Get() {
41 return &g_nss_runtime_support.Get();
44 NssRuntimeSupport::NssRuntimeSupport() : internal_slot_does_oaep_(false) {
45 #if !defined(USE_NSS_CERTS)
46 // Using a bundled version of NSS that is guaranteed to have this symbol.
47 pk11_encrypt_func_ = PK11_Encrypt;
48 pk11_decrypt_func_ = PK11_Decrypt;
49 pk11_pub_encrypt_func_ = PK11_PubEncrypt;
50 pk11_priv_decrypt_func_ = PK11_PrivDecrypt;
51 internal_slot_does_oaep_ = true;
52 #else
53 // Using system NSS libraries and PCKS #11 modules, which may not have the
54 // necessary function (PK11_Encrypt) or mechanism support (CKM_AES_GCM).
56 // If PK11_Encrypt() was successfully resolved, then NSS will support
57 // AES-GCM directly. This was introduced in NSS 3.15.
58 pk11_encrypt_func_ = reinterpret_cast<PK11_EncryptDecryptFunction>(
59 dlsym(RTLD_DEFAULT, "PK11_Encrypt"));
60 pk11_decrypt_func_ = reinterpret_cast<PK11_EncryptDecryptFunction>(
61 dlsym(RTLD_DEFAULT, "PK11_Decrypt"));
63 // Even though NSS's pk11wrap layer may support
64 // PK11_PubEncrypt/PK11_PubDecrypt (introduced in NSS 3.16.2), it may have
65 // loaded a softoken that does not include OAEP support.
66 pk11_pub_encrypt_func_ = reinterpret_cast<PK11_PubEncryptFunction>(
67 dlsym(RTLD_DEFAULT, "PK11_PubEncrypt"));
68 pk11_priv_decrypt_func_ = reinterpret_cast<PK11_PrivDecryptFunction>(
69 dlsym(RTLD_DEFAULT, "PK11_PrivDecrypt"));
70 if (pk11_priv_decrypt_func_ && pk11_pub_encrypt_func_) {
71 crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
72 internal_slot_does_oaep_ =
73 !!PK11_DoesMechanism(slot.get(), CKM_RSA_PKCS_OAEP);
75 #endif
78 void PlatformInit() {
79 crypto::EnsureNSSInit();
82 AlgorithmImplementation* CreatePlatformAesCtrImplementation() {
83 // TODO(eroman): http://crbug.com/399084
84 return NULL;
87 AlgorithmImplementation* CreatePlatformRsaPssImplementation() {
88 // TODO(eroman): http://crbug.com/399090
89 return NULL;
92 AlgorithmImplementation* CreatePlatformEcdsaImplementation() {
93 // TODO(eroman): http://crbug.com/399094
94 return NULL;
97 AlgorithmImplementation* CreatePlatformEcdhImplementation() {
98 // TODO(eroman): http://crbug.com/399093
99 return NULL;
102 AlgorithmImplementation* CreatePlatformHkdfImplementation() {
103 // HKDF is only being imlemented for BoringSSL.
104 return NULL;
107 AlgorithmImplementation* CreatePlatformPbkdf2Implementation() {
108 // PBKDF2 will only be implemented for BoringSSL, since the NSS
109 // implementation is being deprecated.
110 return NULL;
113 } // namespace webcrypto