| blob | 4bc15e2b788aa898ee618bbf31cb0bfba7cf3230 |
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <algorithm>
8 #include <functional>
9 #include <map>
18 // TODO(eroman): The algorithm-specific logic in this file for AES and RSA
19 // should be moved into the corresponding AlgorithmImplementation file. It
20 // exists in this file to avoid duplication between OpenSSL and NSS
21 // implementations.
23 // JSON Web Key Format (JWK)
24 // http://tools.ietf.org/html/draft-ietf-jose-json-web-key-21
25 //
26 // A JWK is a simple JSON dictionary with the following entries
27 // - "kty" (Key Type) Parameter, REQUIRED
28 // - <kty-specific parameters, see below>, REQUIRED
29 // - "use" (Key Use) Parameter, OPTIONAL
30 // - "key_ops" (Key Operations) Parameter, OPTIONAL
31 // - "alg" (Algorithm) Parameter, OPTIONAL
32 // - "ext" (Key Exportability), OPTIONAL
33 // (all other entries are ignored)
34 //
35 // OPTIONAL here means that this code does not require the entry to be present
36 // in the incoming JWK, because the method input parameters contain similar
37 // information. If the optional JWK entry is present, it will be validated
38 // against the corresponding input parameter for consistency and combined with
39 // it according to rules defined below.
40 //
41 // Input 'key_data' contains the JWK. To build a Web Crypto Key, the JWK
42 // values are parsed out and combined with the method input parameters to
43 // build a Web Crypto Key:
44 // Web Crypto Key type <-- (deduced)
45 // Web Crypto Key extractable <-- JWK ext + input extractable
46 // Web Crypto Key algorithm <-- JWK alg + input algorithm
47 // Web Crypto Key keyUsage <-- JWK use, key_ops + input usage_mask
48 // Web Crypto Key keying material <-- kty-specific parameters
49 //
50 // Values for each JWK entry are case-sensitive and defined in
51 // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18.
52 // Note that not all values specified by JOSE are handled by this code. Only
53 // handled values are listed.
54 // - kty (Key Type)
55 // +-------+--------------------------------------------------------------+
56 // | "RSA" | RSA [RFC3447] |
57 // | "oct" | Octet sequence (used to represent symmetric keys) |
58 // +-------+--------------------------------------------------------------+
59 //
60 // - key_ops (Key Use Details)
61 // The key_ops field is an array that contains one or more strings from
62 // the table below, and describes the operations for which this key may be
63 // used.
64 // +-------+--------------------------------------------------------------+
65 // | "encrypt" | encrypt operations |
66 // | "decrypt" | decrypt operations |
67 // | "sign" | sign (MAC) operations |
68 // | "verify" | verify (MAC) operations |
69 // | "wrapKey" | key wrap |
70 // | "unwrapKey" | key unwrap |
71 // | "deriveKey" | key derivation |
72 // | "deriveBits" | key derivation |
73 // +-------+--------------------------------------------------------------+
74 //
75 // - use (Key Use)
76 // The use field contains a single entry from the table below.
77 // +-------+--------------------------------------------------------------+
78 // | "sig" | equivalent to key_ops of [sign, verify] |
79 // | "enc" | equivalent to key_ops of [encrypt, decrypt, wrapKey, |
80 // | | unwrapKey, deriveKey, deriveBits] |
81 // +-------+--------------------------------------------------------------+
82 //
83 // NOTE: If both "use" and "key_ops" JWK members are present, the usages
84 // specified by them MUST be consistent. In particular, the "use" value
85 // "sig" corresponds to "sign" and/or "verify". The "use" value "enc"
86 // corresponds to all other values defined above. If "key_ops" values
87 // corresponding to both "sig" and "enc" "use" values are present, the "use"
88 // member SHOULD NOT be present, and if present, its value MUST NOT be
89 // either "sig" or "enc".
90 //
91 // - ext (Key Exportability)
92 // +-------+--------------------------------------------------------------+
93 // | true | Key may be exported from the trusted environment |
94 // | false | Key cannot exit the trusted environment |
95 // +-------+--------------------------------------------------------------+
96 //
97 // - alg (Algorithm)
98 // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18
99 // +--------------+-------------------------------------------------------+
100 // | Digital Signature or MAC Algorithm |
101 // +--------------+-------------------------------------------------------+
102 // | "HS1" | HMAC using SHA-1 hash algorithm |
103 // | "HS256" | HMAC using SHA-256 hash algorithm |
104 // | "HS384" | HMAC using SHA-384 hash algorithm |
105 // | "HS512" | HMAC using SHA-512 hash algorithm |
106 // | "RS1" | RSASSA using SHA-1 hash algorithm
107 // | "RS256" | RSASSA using SHA-256 hash algorithm |
108 // | "RS384" | RSASSA using SHA-384 hash algorithm |
109 // | "RS512" | RSASSA using SHA-512 hash algorithm |
110 // +--------------+-------------------------------------------------------|
111 // | Key Management Algorithm |
112 // +--------------+-------------------------------------------------------+
113 // | "RSA-OAEP" | RSAES using Optimal Asymmetric Encryption Padding |
114 // | | (OAEP) [RFC3447], with the default parameters |
115 // | | specified by RFC3447 in Section A.2.1 |
116 // | "A128KW" | Advanced Encryption Standard (AES) Key Wrap Algorithm |
117 // | | [RFC3394] using 128 bit keys |
118 // | "A192KW" | AES Key Wrap Algorithm using 192 bit keys |
119 // | "A256KW" | AES Key Wrap Algorithm using 256 bit keys |
120 // | "A128GCM" | AES in Galois/Counter Mode (GCM) [NIST.800-38D] using |
121 // | | 128 bit keys |
122 // | "A192GCM" | AES GCM using 192 bit keys |
123 // | "A256GCM" | AES GCM using 256 bit keys |
124 // | "A128CBC" | AES in Cipher Block Chaining Mode (CBC) with PKCS #5 |
125 // | | padding [NIST.800-38A] |
126 // | "A192CBC" | AES CBC using 192 bit keys |
127 // | "A256CBC" | AES CBC using 256 bit keys |
128 // +--------------+-------------------------------------------------------+
129 //
130 // kty-specific parameters
131 // The value of kty determines the type and content of the keying material
132 // carried in the JWK to be imported.
133 // // - kty == "oct" (symmetric or other raw key)
134 // +-------+--------------------------------------------------------------+
135 // | "k" | Contains the value of the symmetric (or other single-valued) |
136 // | | key. It is represented as the base64url encoding of the |
137 // | | octet sequence containing the key value. |
138 // +-------+--------------------------------------------------------------+
139 // - kty == "RSA" (RSA public key)
140 // +-------+--------------------------------------------------------------+
141 // | "n" | Contains the modulus value for the RSA public key. It is |
142 // | | represented as the base64url encoding of the value's |
143 // | | unsigned big endian representation as an octet sequence. |
144 // +-------+--------------------------------------------------------------+
145 // | "e" | Contains the exponent value for the RSA public key. It is |
146 // | | represented as the base64url encoding of the value's |
147 // | | unsigned big endian representation as an octet sequence. |
148 // +-------+--------------------------------------------------------------+
149 // - If key == "RSA" and the "d" parameter is present then it is a private key.
150 // All the parameters above for public keys apply, as well as the following.
151 // (Note that except for "d", all of these are optional):
152 // +-------+--------------------------------------------------------------+
153 // | "d" | Contains the private exponent value for the RSA private key. |
154 // | | It is represented as the base64url encoding of the value's |
155 // | | unsigned big endian representation as an octet sequence. |
156 // +-------+--------------------------------------------------------------+
157 // | "p" | Contains the first prime factor value for the RSA private |
158 // | | key. It is represented as the base64url encoding of the |
159 // | | value's |
160 // | | unsigned big endian representation as an octet sequence. |
161 // +-------+--------------------------------------------------------------+
162 // | "q" | Contains the second prime factor value for the RSA private |
163 // | | key. It is represented as the base64url encoding of the |
164 // | | value's unsigned big endian representation as an octet |
165 // | | sequence. |
166 // +-------+--------------------------------------------------------------+
167 // | "dp" | Contains the first factor CRT exponent value for the RSA |
168 // | | private key. It is represented as the base64url encoding of |
169 // | | the value's unsigned big endian representation as an octet |
170 // | | sequence. |
171 // +-------+--------------------------------------------------------------+
172 // | "dq" | Contains the second factor CRT exponent value for the RSA |
173 // | | private key. It is represented as the base64url encoding of |
174 // | | the value's unsigned big endian representation as an octet |
175 // | | sequence. |
176 // +-------+--------------------------------------------------------------+
177 // | "dq" | Contains the first CRT coefficient value for the RSA private |
178 // | | key. It is represented as the base64url encoding of the |
179 // | | value's unsigned big endian representation as an octet |
180 // | | sequence. |
181 // +-------+--------------------------------------------------------------+
182 //
183 // Consistency and conflict resolution
184 // The 'algorithm', 'extractable', and 'usage_mask' input parameters
185 // may be different than the corresponding values inside the JWK. The Web
186 // Crypto spec says that if a JWK value is present but is inconsistent with
187 // the input value, it is an error and the operation must fail. If no
188 // inconsistency is found then the input parameters are used.
189 //
190 // algorithm
191 // If the JWK algorithm is provided, it must match the web crypto input
192 // algorithm (both the algorithm ID and inner hash if applicable).
193 //
194 // extractable
195 // If the JWK ext field is true but the input parameter is false, make the
196 // Web Crypto Key non-extractable. Conversely, if the JWK ext field is
197 // false but the input parameter is true, it is an inconsistency. If both
198 // are true or both are false, use that value.
199 //
200 // usage_mask
201 // The input usage_mask must be a strict subset of the interpreted JWK use
202 // value, else it is judged inconsistent. In all cases the input usage_mask
203 // is used as the final usage_mask.
204 //
212 // Web Crypto equivalent usage mask for JWK 'use' = 'enc'.
217 // Web Crypto equivalent usage mask for JWK 'use' = 'sig'.
231 }
235 }
242 }
248 }
252 };
254 // Extracts the required string property with key |path| from |dict| and saves
255 // the result to |*result|. If the property does not exist or is not a string,
256 // returns an error.
266 }
268 // Extracts the optional string property with key |path| from |dict| and saves
269 // the result to |*result| if it was found. If the property exists and is not a
270 // string, returns an error. Otherwise returns success, and sets
271 // |*property_exists| if it was found.
286 }
288 // Extracts the optional array property with key |path| from |dict| and saves
289 // the result to |*result| if it was found. If the property exists and is not an
290 // array, returns an error. Otherwise returns success, and sets
291 // |*property_exists| if it was found. Note that |*result| is owned by |dict|.
306 }
308 // Extracts the required string property with key |path| from |dict| and saves
309 // the base64url-decoded bytes to |*result|. If the property does not exist or
310 // is not a string, or could not be base64url-decoded, returns an error.
323 }
325 // Extracts the required base64url property, which is interpreted as being a
326 // big-endian unsigned integer.
337 // The JWA spec says that "The octet sequence MUST utilize the minimum number
338 // of octets to represent the value." This means there shouldn't be any
339 // leading zeros.
344 }
346 // Extracts the optional boolean property with key |path| from |dict| and saves
347 // the result to |*result| if it was found. If the property exists and is not a
348 // boolean, returns an error. Otherwise returns success, and sets
349 // |*property_exists| if it was found.
364 }
367 // JWK "ext" (optional) --> extractable parameter
376 }
380 // JWK "key_ops" (optional) --> usage_mask parameter
383 Status status =
389 status =
393 // The input usage_mask must be a subset of jwk_key_ops_mask.
396 }
398 // JWK "use" (optional) --> usage_mask parameter
410 else
412 // The input usage_mask must be a subset of jwk_use_mask.
415 }
417 // If both 'key_ops' and 'use' are present, ensure they are consistent.
423 }
427 // JWK "alg" --> algorithm parameter
430 Status status =
439 }
446 // Parse the incoming JWK JSON.
456 // Release |value|, as ownership will be transferred to |dict| via
457 // |dict_value|, which points to the same object as |value|.
461 // JWK "kty". Exit early if this required JWK parameter is missing.
475 }
502 }
514 }
527 }
538 }
562 // Give a different error message if the key length was wrong.
567 }
569 }
570 }
573 }
575 // Writes an RSA public key to a JWK dictionary
586 }
588 // Writes an RSA private key to a JWK dictionary
606 // Although these are "optional" in the JWA, WebCrypto spec requires them to
607 // be emitted.
614 }
617 }
620 }
644 // An RSA public key must have an "n" (modulus) and an "e" (exponent) entry
645 // in the JWK, while an RSA private key must have those, plus at least a "d"
646 // (private exponent) entry.
647 // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18,
648 // section 6.3.
664 // The "p", "q", "dp", "dq", and "qi" properties are optional in the JWA
665 // spec. However they are required by Chromium's WebCrypto implementation.
688 }
702 }
703 }