content/child/webcrypto/openssl/ecdh_openssl.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include <openssl/ec.h>
   6 #include <openssl/ecdh.h>
   7 #include <openssl/evp.h>
   8
   9 #include "base/logging.h"
  10 #include "content/child/webcrypto/algorithm_implementation.h"
  11 #include "content/child/webcrypto/crypto_data.h"
  12 #include "content/child/webcrypto/generate_key_result.h"
  13 #include "content/child/webcrypto/openssl/ec_algorithm_openssl.h"
  14 #include "content/child/webcrypto/openssl/key_openssl.h"
  15 #include "content/child/webcrypto/openssl/util_openssl.h"
  16 #include "content/child/webcrypto/status.h"
  17 #include "content/child/webcrypto/webcrypto_util.h"
  18 #include "crypto/openssl_util.h"
  19 #include "crypto/scoped_openssl_types.h"
  20 #include "crypto/secure_util.h"
  21 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
  22 #include "third_party/WebKit/public/platform/WebCryptoKey.h"
  23 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
  24
  25 namespace content {
  26
  27 namespace webcrypto {
  28
  29 namespace {
  30
  31 // TODO(eroman): Support the "raw" format for ECDH key import + export, as
  32 // specified by WebCrypto spec.
  33
  34 // TODO(eroman): Allow id-ecDH in SPKI and PKCS#8 import
  35 // (http://crbug.com/389400)
  36
  37 class EcdhImplementation : public EcAlgorithm {
  38  public:
  39   EcdhImplementation()
  40       : EcAlgorithm(0,
  41                     blink::WebCryptoKeyUsageDeriveKey |
  42                         blink::WebCryptoKeyUsageDeriveBits) {}
  43
  44   const char* GetJwkAlgorithm(
  45       const blink::WebCryptoNamedCurve curve) const override {
  46     // JWK import for ECDH does not enforce any required value for "alg".
  47     return "";
  48   }
  49
  50   Status DeriveBits(const blink::WebCryptoAlgorithm& algorithm,
  51                     const blink::WebCryptoKey& base_key,
  52                     bool has_optional_length_bits,
  53                     unsigned int optional_length_bits,
  54                     std::vector<uint8_t>* derived_bytes) const override {
  55     if (base_key.type() != blink::WebCryptoKeyTypePrivate)
  56       return Status::ErrorUnexpectedKeyType();
  57
  58     // Verify the "publicKey" parameter. The only guarantee from Blink is that
  59     // it is a valid WebCryptoKey, but it could be any type.
  60     const blink::WebCryptoKey& public_key =
  61         algorithm.ecdhKeyDeriveParams()->publicKey();
  62
  63     if (public_key.type() != blink::WebCryptoKeyTypePublic)
  64       return Status::ErrorEcdhPublicKeyWrongType();
  65
  66     // Make sure it is an EC key.
  67     if (!public_key.algorithm().ecParams())
  68       return Status::ErrorEcdhPublicKeyWrongType();
  69
  70     // TODO(eroman): This is not described by the spec:
  71     // https://www.w3.org/Bugs/Public/show_bug.cgi?id=27404
  72     if (public_key.algorithm().id() != blink::WebCryptoAlgorithmIdEcdh)
  73       return Status::ErrorEcdhPublicKeyWrongAlgorithm();
  74
  75     // The public and private keys come from different key pairs, however their
  76     // curves must match.
  77     if (public_key.algorithm().ecParams()->namedCurve() !=
  78         base_key.algorithm().ecParams()->namedCurve()) {
  79       return Status::ErrorEcdhCurveMismatch();
  80     }
  81
  82     crypto::ScopedEC_KEY public_key_ec(
  83         EVP_PKEY_get1_EC_KEY(AsymKeyOpenSsl::Cast(public_key)->key()));
  84
  85     const EC_POINT* public_key_point =
  86         EC_KEY_get0_public_key(public_key_ec.get());
  87
  88     crypto::ScopedEC_KEY private_key_ec(
  89         EVP_PKEY_get1_EC_KEY(AsymKeyOpenSsl::Cast(base_key)->key()));
  90
  91     // The size of the shared secret is the field size in bytes (rounded up).
  92     // Note that, if rounding was required, the most significant bits of the
  93     // secret are zero. So for P-521, the maximum length is 528 bits, not 521.
  94     int field_size_bytes = NumBitsToBytes(
  95         EC_GROUP_get_degree(EC_KEY_get0_group(private_key_ec.get())));
  96
  97     // If a desired key length was not specified, default to the field size
  98     // (rounded up to nearest byte).
  99     unsigned int length_bits =
 100         has_optional_length_bits ? optional_length_bits : field_size_bytes * 8;
 101
 102     // Handle the empty length case now to avoid calling an undefined
 103     // |&derived_bytes->front()| later.
 104     if (length_bits == 0) {
 105       derived_bytes->clear();
 106       return Status::Success();
 107     }
 108
 109     if (length_bits > static_cast<unsigned int>(field_size_bytes * 8))
 110       return Status::ErrorEcdhLengthTooBig(field_size_bytes * 8);
 111
 112     // Resize to target length in bytes (BoringSSL can operate on a shorter
 113     // buffer than field_size_bytes).
 114     derived_bytes->resize(NumBitsToBytes(length_bits));
 115
 116     int result =
 117         ECDH_compute_key(&derived_bytes->front(), derived_bytes->size(),
 118                          public_key_point, private_key_ec.get(), 0);
 119     if (result < 0 || static_cast<size_t>(result) != derived_bytes->size())
 120       return Status::OperationError();
 121
 122     TruncateToBitLength(length_bits, derived_bytes);
 123     return Status::Success();
 124   }
 125 };
 126
 127 }  // namespace
 128
 129 AlgorithmImplementation* CreatePlatformEcdhImplementation() {
 130   return new EcdhImplementation;
 131 }
 132
 133 }  // namespace webcrypto
 134
 135 }  // namespace content