| blob | 7cd603cfb6fb8acff70fc34d91b49e7860ff4648 |
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CONTENT_CHILD_WEBCRYPTO_JWK_H_
6 #define CONTENT_CHILD_WEBCRYPTO_JWK_H_
8 #include <stdint.h>
9 #include <vector>
23 // Helper class for parsing a JWK from JSON.
24 //
25 // This primarily exists to ensure strict enforcement of the JWK schema, as the
26 // type and presence of particular members is security relevant. For example,
27 // GetString() will ensure a given JSON member is present and is a string type,
28 // and will fail if these conditions aren't met.
29 //
30 // Users of JwkReader must call Init() successfully before any other method can
31 // be called.
37 // Initializes a JWK reader by parsing the JSON |bytes|. To succeed, the JWK
38 // must:
39 // * Have "kty" matching |expected_kty|
40 // * Have "ext" compatible with |expected_extractable|
41 // * Have usages ("use", "key_ops") compatible with |expected_usages|
42 // * Have an "alg" matching |expected_alg|
43 //
44 // NOTE: If |expected_alg| is empty, then the test on "alg" is skipped.
51 // Returns true if the member |member_name| is present.
54 // Extracts the required string member |member_name| and saves the result to
55 // |*result|. If the member does not exist or is not a string, returns an
56 // error.
59 // Extracts the optional string member |member_name| and saves the result to
60 // |*result| if it was found. If the member exists and is not a string,
61 // returns an error. Otherwise returns success, and sets |*member_exists| if
62 // it was found.
67 // Extracts the optional array member |member_name| and saves the result to
68 // |*result| if it was found. If the member exists and is not an array,
69 // returns an error. Otherwise returns success, and sets |*member_exists| if
70 // it was found.
71 //
72 // NOTE: |*result| is owned by the JwkReader.
77 // Extracts the required string member |member_name| and saves the
78 // base64url-decoded bytes to |*result|. If the member does not exist or is
79 // not a string, or could not be base64url-decoded, returns an error.
82 // Extracts the required base64url member, which is interpreted as being a
83 // big-endian unsigned integer.
84 //
85 // Sequences that contain leading zeros will be rejected.
89 // Extracts the optional boolean member |member_name| and saves the result to
90 // |*result| if it was found. If the member exists and is not a boolean,
91 // returns an error. Otherwise returns success, and sets |*member_exists| if
92 // it was found.
97 // Gets the optional algorithm ("alg") string.
100 // Checks if the "alg" member matches |expected_alg|.
105 };
107 // Helper class for building the JSON for a JWK.
110 // Initializes a writer, and sets the standard JWK members as indicated.
111 // |algorithm| is optional, and is only written if the provided |algorithm| is
112 // non-empty.
118 // Sets a string member |member_name| to |value|.
121 // Sets a bytes member |value| to |value| by base64 url-safe encoding it.
124 // Flattens the JWK to JSON (UTF-8 encoded if necessary, however in practice
125 // it will be ASCII).
130 };
132 // Writes a JWK-formatted symmetric key to |jwk_key_data|.
133 // * raw_key_data: The actual key data
134 // * algorithm: The JWK algorithm name (i.e. "alg")
135 // * extractable: The JWK extractability (i.e. "ext")
136 // * usages: The JWK usages (i.e. "key_ops")
143 // Parses a UTF-8 encoded JWK (key_data), and extracts the key material to
144 // |*raw_key_data|. Returns Status::Success() on success, otherwise an error.
145 // In order for this to succeed:
146 // * expected_alg must match the JWK's "alg", if present.
147 // * expected_extractable must be consistent with the JWK's "ext", if
148 // present.
149 // * expected_usages must be a subset of the JWK's "key_ops" if present.
156 // Creates an AES algorithm name for the given key size (in bytes). For
157 // instance "A128CBC" is the result of suffix="CBC", keylen_bytes=16.
161 // This is very similar to ReadSecretKeyJwk(), except instead of specifying an
162 // absolute "expected_alg", the suffix for an AES algorithm name is given
163 // (See MakeJwkAesAlgorithmName() for an explanation of what the suffix is).
164 //
165 // This is because the algorithm name for AES keys is dependent on the length
166 // of the key. This function expects key lengths to be either 128, 192, or 256
167 // bits.
174 // Writes a JWK-formated RSA public key and saves the result to
175 // |*jwk_key_data|.
183 // Writes a JWK-formated RSA private key and saves the result to
184 // |*jwk_key_data|.
198 // Describes the RSA components for a parsed key. The names of the properties
199 // correspond with those from the JWK spec. Note that Chromium's WebCrypto
200 // implementation does not support multi-primes, so there is no parsed field
201 // for othinfo.
215 };
217 // Parses a UTF-8 encoded JWK (key_data), and extracts the RSA components to
218 // |*result|. Returns Status::Success() on success, otherwise an error.
219 // In order for this to succeed:
220 // * expected_alg must match the JWK's "alg", if present.
221 // * expected_extractable must be consistent with the JWK's "ext", if
222 // present.
223 // * expected_usages must be a subset of the JWK's "key_ops" if present.
232 // This decodes JWK's flavor of base64 encoding, as described by:
233 // https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-36#section-2
234 //
235 // In essence it is RFC 4648 'base64url' encoding where padding is omitted.
239 // Encodes |input| using JWK's flavor of base64 encoding. See the description
240 // above for details.
245 // Converts a JWK "key_ops" array to the corresponding WebCrypto usages. Used by
246 // testing.
247 CONTENT_EXPORT Status