search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll src/third_party/WebKit f36d5e0:68b67cd (svn 193299:193303)
[chromium-blink-merge.git] / content / child / webcrypto / openssl / ecdsa_openssl.cc
blob49585ee09494a8162121e2106c9d4c12b8fc0a6b
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <openssl/ec.h>
6 #include <openssl/ec_key.h>
7 #include <openssl/evp.h>
8
9 #include "base/logging.h"
10 #include "base/stl_util.h"
11 #include "content/child/webcrypto/algorithm_implementation.h"
12 #include "content/child/webcrypto/crypto_data.h"
13 #include "content/child/webcrypto/generate_key_result.h"
14 #include "content/child/webcrypto/openssl/ec_algorithm_openssl.h"
15 #include "content/child/webcrypto/openssl/key_openssl.h"
16 #include "content/child/webcrypto/openssl/util_openssl.h"
17 #include "content/child/webcrypto/status.h"
18 #include "content/child/webcrypto/webcrypto_util.h"
19 #include "crypto/openssl_util.h"
20 #include "crypto/scoped_openssl_types.h"
21 #include "crypto/secure_util.h"
22 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
23 #include "third_party/WebKit/public/platform/WebCryptoKey.h"
24 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
25
26 namespace content {
27
28 namespace webcrypto {
29
30 namespace {
31
32 // Extracts the OpenSSL key and digest from a WebCrypto key + algorithm. The
33 // returned pkey pointer will remain valid as long as |key| is alive.
34 Status GetPKeyAndDigest(const blink::WebCryptoAlgorithm& algorithm,
35 const blink::WebCryptoKey& key,
36 EVP_PKEY** pkey,
37 const EVP_MD** digest) {
38 *pkey = AsymKeyOpenSsl::Cast(key)->key();
39 *digest = GetDigest(algorithm.ecdsaParams()->hash().id());
40 if (!*digest)
41 return Status::ErrorUnsupported();
42 return Status::Success();
43 }
44
45 // Gets the EC key's order size in bytes.
46 Status GetEcGroupOrderSize(EVP_PKEY* pkey, size_t* order_size_bytes) {
47 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
48
49 crypto::ScopedEC_KEY ec(EVP_PKEY_get1_EC_KEY(pkey));
50 if (!ec.get())
51 return Status::ErrorUnexpected();
52
53 const EC_GROUP* group = EC_KEY_get0_group(ec.get());
54
55 crypto::ScopedBIGNUM order(BN_new());
56 if (!EC_GROUP_get_order(group, order.get(), NULL))
57 return Status::OperationError();
58
59 *order_size_bytes = BN_num_bytes(order.get());
60 return Status::Success();
61 }
62
63 // Formats a DER-encoded signature (ECDSA-Sig-Value as specified in RFC 3279) to
64 // the signature format expected by WebCrypto (raw concatenated "r" and "s").
65 //
66 // TODO(eroman): Where is the specification for WebCrypto's signature format?
67 Status ConvertDerSignatureToWebCryptoSignature(
68 EVP_PKEY* key,
69 std::vector<uint8_t>* signature) {
70 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
71
72 const unsigned char* der_data = vector_as_array(signature);
73 crypto::ScopedECDSA_SIG ecdsa_sig(
74 d2i_ECDSA_SIG(NULL, &der_data, static_cast<long>(signature->size())));
75 if (!ecdsa_sig.get())
76 return Status::ErrorUnexpected();
77
78 // |der_data| is updated to point to past the end of the DER structure.
79 if (der_data != vector_as_array(signature) + signature->size())
80 return Status::ErrorUnexpected();
81
82 // Determine the maximum length of r and s.
83 size_t order_size_bytes;
84 Status status = GetEcGroupOrderSize(key, &order_size_bytes);
85 if (status.IsError())
86 return status;
87
88 signature->resize(order_size_bytes * 2);
89
90 if (!BN_bn2bin_padded(vector_as_array(signature), order_size_bytes,
91 ecdsa_sig.get()->r)) {
92 return Status::ErrorUnexpected();
93 }
94
95 if (!BN_bn2bin_padded(&(*signature)[order_size_bytes], order_size_bytes,
96 ecdsa_sig.get()->s)) {
97 return Status::ErrorUnexpected();
98 }
99
100 return Status::Success();
101 }
102
103 // Formats a WebCrypto ECDSA signature to a DER-encoded signature
104 // (ECDSA-Sig-Value as specified in RFC 3279).
105 //
106 // TODO(eroman): What is the specification for WebCrypto's signature format?
107 //
108 // If the signature length is incorrect (not 2 * order_size), then
109 // Status::Success() is returned and |*incorrect_length| is set to true;
110 //
111 // Otherwise on success, der_signature is filled with a ASN.1 encoded
112 // ECDSA-Sig-Value.
113 Status ConvertWebCryptoSignatureToDerSignature(
114 EVP_PKEY* key,
115 const CryptoData& signature,
116 std::vector<uint8_t>* der_signature,
117 bool* incorrect_length) {
118 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
119
120 // Determine the length of r and s.
121 size_t order_size_bytes;
122 Status status = GetEcGroupOrderSize(key, &order_size_bytes);
123 if (status.IsError())
124 return status;
125
126 // If the size of the signature is incorrect, verification must fail. Success
127 // is returned here rather than an error, so that the caller can fail
128 // verification with a boolean, rather than reject the promise with an
129 // exception.
130 if (signature.byte_length() != 2 * order_size_bytes) {
131 *incorrect_length = true;
132 return Status::Success();
133 }
134
135 *incorrect_length = false;
136
137 // Construct an ECDSA_SIG from |signature|.
138 crypto::ScopedECDSA_SIG ecdsa_sig(ECDSA_SIG_new());
139 if (!ecdsa_sig)
140 return Status::OperationError();
141
142 if (!BN_bin2bn(signature.bytes(), order_size_bytes, ecdsa_sig->r) ||
143 !BN_bin2bn(signature.bytes() + order_size_bytes, order_size_bytes,
144 ecdsa_sig->s)) {
145 return Status::ErrorUnexpected();
146 }
147
148 // Determine the size of the DER-encoded signature.
149 int der_encoding_size = i2d_ECDSA_SIG(ecdsa_sig.get(), NULL);
150 if (der_encoding_size < 0)
151 return Status::OperationError();
152
153 // DER-encode the signature.
154 der_signature->resize(der_encoding_size);
155 uint8_t* result = vector_as_array(der_signature);
156 if (0 > i2d_ECDSA_SIG(ecdsa_sig.get(), &result))
157 return Status::OperationError();
158
159 return Status::Success();
160 }
161
162 class EcdsaImplementation : public EcAlgorithm {
163 public:
164 EcdsaImplementation()
165 : EcAlgorithm(blink::WebCryptoKeyUsageVerify,
166 blink::WebCryptoKeyUsageSign) {}
167
168 const char* GetJwkAlgorithm(
169 const blink::WebCryptoNamedCurve curve) const override {
170 switch (curve) {
171 case blink::WebCryptoNamedCurveP256:
172 return "ES256";
173 case blink::WebCryptoNamedCurveP384:
174 return "ES384";
175 case blink::WebCryptoNamedCurveP521:
176 // This is not a typo! ES512 means P-521 with SHA-512.
177 return "ES512";
178 default:
179 return NULL;
180 }
181 }
182
183 Status Sign(const blink::WebCryptoAlgorithm& algorithm,
184 const blink::WebCryptoKey& key,
185 const CryptoData& data,
186 std::vector<uint8_t>* buffer) const override {
187 if (key.type() != blink::WebCryptoKeyTypePrivate)
188 return Status::ErrorUnexpectedKeyType();
189
190 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
191 crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
192
193 EVP_PKEY* private_key = NULL;
194 const EVP_MD* digest = NULL;
195 Status status = GetPKeyAndDigest(algorithm, key, &private_key, &digest);
196 if (status.IsError())
197 return status;
198
199 // NOTE: A call to EVP_DigestSignFinal() with a NULL second parameter
200 // returns a maximum allocation size, while the call without a NULL returns
201 // the real one, which may be smaller.
202 size_t sig_len = 0;
203 if (!ctx.get() ||
204 !EVP_DigestSignInit(ctx.get(), NULL, digest, NULL, private_key) ||
205 !EVP_DigestSignUpdate(ctx.get(), data.bytes(), data.byte_length()) ||
206 !EVP_DigestSignFinal(ctx.get(), NULL, &sig_len)) {
207 return Status::OperationError();
208 }
209
210 buffer->resize(sig_len);
211 if (!EVP_DigestSignFinal(ctx.get(), vector_as_array(buffer), &sig_len))
212 return Status::OperationError();
213 buffer->resize(sig_len);
214
215 // ECDSA signing in BoringSSL outputs a DER-encoded (r,s). WebCrypto however
216 // expects a padded bitstring that is r concatenated to s. Convert to the
217 // expected format.
218 return ConvertDerSignatureToWebCryptoSignature(private_key, buffer);
219 }
220
221 Status Verify(const blink::WebCryptoAlgorithm& algorithm,
222 const blink::WebCryptoKey& key,
223 const CryptoData& signature,
224 const CryptoData& data,
225 bool* signature_match) const override {
226 if (key.type() != blink::WebCryptoKeyTypePublic)
227 return Status::ErrorUnexpectedKeyType();
228
229 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
230 crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
231
232 EVP_PKEY* public_key = NULL;
233 const EVP_MD* digest = NULL;
234 Status status = GetPKeyAndDigest(algorithm, key, &public_key, &digest);
235 if (status.IsError())
236 return status;
237
238 std::vector<uint8_t> der_signature;
239 bool incorrect_length_signature = false;
240 status = ConvertWebCryptoSignatureToDerSignature(
241 public_key, signature, &der_signature, &incorrect_length_signature);
242 if (status.IsError())
243 return status;
244
245 if (incorrect_length_signature) {
246 *signature_match = false;
247 return Status::Success();
248 }
249
250 if (!EVP_DigestVerifyInit(ctx.get(), NULL, digest, NULL, public_key) ||
251 !EVP_DigestVerifyUpdate(ctx.get(), data.bytes(), data.byte_length())) {
252 return Status::OperationError();
253 }
254
255 *signature_match =
256 1 == EVP_DigestVerifyFinal(ctx.get(), vector_as_array(&der_signature),
257 der_signature.size());
258 return Status::Success();
259 }
260 };
261
262 } // namespace
263
264 AlgorithmImplementation* CreatePlatformEcdsaImplementation() {
265 return new EcdsaImplementation;
266 }
267
268 } // namespace webcrypto
269
270 } // namespace content