content/child/webcrypto/openssl/ecdh_openssl.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include <openssl/ec.h>
   6 #include <openssl/ecdh.h>
   7 #include <openssl/evp.h>
   8
   9 #include "base/logging.h"
  10 #include "base/stl_util.h"
  11 #include "content/child/webcrypto/algorithm_implementation.h"
  12 #include "content/child/webcrypto/crypto_data.h"
  13 #include "content/child/webcrypto/generate_key_result.h"
  14 #include "content/child/webcrypto/openssl/ec_algorithm_openssl.h"
  15 #include "content/child/webcrypto/openssl/key_openssl.h"
  16 #include "content/child/webcrypto/openssl/util_openssl.h"
  17 #include "content/child/webcrypto/status.h"
  18 #include "content/child/webcrypto/webcrypto_util.h"
  19 #include "crypto/openssl_util.h"
  20 #include "crypto/scoped_openssl_types.h"
  21 #include "crypto/secure_util.h"
  22 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
  23 #include "third_party/WebKit/public/platform/WebCryptoKey.h"
  24 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
  25
  26 namespace content {
  27
  28 namespace webcrypto {
  29
  30 namespace {
  31
  32 // TODO(eroman): Support the "raw" format for ECDH key import + export, as
  33 // specified by WebCrypto spec.
  34
  35 // TODO(eroman): Allow id-ecDH in SPKI and PKCS#8 import
  36 // (http://crbug.com/389400)
  37
  38 class EcdhImplementation : public EcAlgorithm {
  39  public:
  40   EcdhImplementation()
  41       : EcAlgorithm(0,
  42                     blink::WebCryptoKeyUsageDeriveKey |
  43                         blink::WebCryptoKeyUsageDeriveBits) {}
  44
  45   const char* GetJwkAlgorithm(
  46       const blink::WebCryptoNamedCurve curve) const override {
  47     // JWK import for ECDH does not enforce any required value for "alg".
  48     return "";
  49   }
  50
  51   Status DeriveBits(const blink::WebCryptoAlgorithm& algorithm,
  52                     const blink::WebCryptoKey& base_key,
  53                     bool has_optional_length_bits,
  54                     unsigned int optional_length_bits,
  55                     std::vector<uint8_t>* derived_bytes) const override {
  56     if (base_key.type() != blink::WebCryptoKeyTypePrivate)
  57       return Status::ErrorUnexpectedKeyType();
  58
  59     // Verify the "publicKey" parameter. The only guarantee from Blink is that
  60     // it is a valid WebCryptoKey, but it could be any type.
  61     const blink::WebCryptoKey& public_key =
  62         algorithm.ecdhKeyDeriveParams()->publicKey();
  63
  64     if (public_key.type() != blink::WebCryptoKeyTypePublic)
  65       return Status::ErrorEcdhPublicKeyWrongType();
  66
  67     // Make sure it is an EC key.
  68     if (!public_key.algorithm().ecParams())
  69       return Status::ErrorEcdhPublicKeyWrongType();
  70
  71     // TODO(eroman): This is not described by the spec:
  72     // https://www.w3.org/Bugs/Public/show_bug.cgi?id=27404
  73     if (public_key.algorithm().id() != blink::WebCryptoAlgorithmIdEcdh)
  74       return Status::ErrorEcdhPublicKeyWrongAlgorithm();
  75
  76     // The public and private keys come from different key pairs, however their
  77     // curves must match.
  78     if (public_key.algorithm().ecParams()->namedCurve() !=
  79         base_key.algorithm().ecParams()->namedCurve()) {
  80       return Status::ErrorEcdhCurveMismatch();
  81     }
  82
  83     crypto::ScopedEC_KEY public_key_ec(
  84         EVP_PKEY_get1_EC_KEY(AsymKeyOpenSsl::Cast(public_key)->key()));
  85
  86     const EC_POINT* public_key_point =
  87         EC_KEY_get0_public_key(public_key_ec.get());
  88
  89     crypto::ScopedEC_KEY private_key_ec(
  90         EVP_PKEY_get1_EC_KEY(AsymKeyOpenSsl::Cast(base_key)->key()));
  91
  92     // The size of the shared secret is the field size in bytes (rounded up).
  93     // Note that, if rounding was required, the most significant bits of the
  94     // secret are zero. So for P-521, the maximum length is 528 bits, not 521.
  95     int field_size_bytes = NumBitsToBytes(
  96         EC_GROUP_get_degree(EC_KEY_get0_group(private_key_ec.get())));
  97
  98     // If a desired key length was not specified, default to the field size
  99     // (rounded up to nearest byte).
 100     unsigned int length_bits =
 101         has_optional_length_bits ? optional_length_bits : field_size_bytes * 8;
 102
 103     // Short-circuit when deriving an empty key.
 104     // TODO(eroman): ECDH_compute_key() is not happy when given a NULL output.
 105     //               http://crbug.com/464194.
 106     if (length_bits == 0) {
 107       derived_bytes->clear();
 108       return Status::Success();
 109     }
 110
 111     if (length_bits > static_cast<unsigned int>(field_size_bytes * 8))
 112       return Status::ErrorEcdhLengthTooBig(field_size_bytes * 8);
 113
 114     // Resize to target length in bytes (BoringSSL can operate on a shorter
 115     // buffer than field_size_bytes).
 116     derived_bytes->resize(NumBitsToBytes(length_bits));
 117
 118     int result =
 119         ECDH_compute_key(vector_as_array(derived_bytes), derived_bytes->size(),
 120                          public_key_point, private_key_ec.get(), 0);
 121     if (result < 0 || static_cast<size_t>(result) != derived_bytes->size())
 122       return Status::OperationError();
 123
 124     TruncateToBitLength(length_bits, derived_bytes);
 125     return Status::Success();
 126   }
 127 };
 128
 129 }  // namespace
 130
 131 AlgorithmImplementation* CreatePlatformEcdhImplementation() {
 132   return new EcdhImplementation;
 133 }
 134
 135 }  // namespace webcrypto
 136
 137 }  // namespace content