search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Give names to all utility processes.
[chromium-blink-merge.git] / content / child / webcrypto / nss / aes_kw_nss.cc
blobe65e62fe844053ed63caf1226c94608657e1cbf1
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <secerr.h>
6
7 #include "base/numerics/safe_math.h"
8 #include "content/child/webcrypto/crypto_data.h"
9 #include "content/child/webcrypto/nss/aes_algorithm_nss.h"
10 #include "content/child/webcrypto/nss/key_nss.h"
11 #include "content/child/webcrypto/nss/sym_key_nss.h"
12 #include "content/child/webcrypto/nss/util_nss.h"
13 #include "content/child/webcrypto/status.h"
14 #include "content/child/webcrypto/webcrypto_util.h"
15 #include "crypto/scoped_nss_types.h"
16 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
17 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
18
19 namespace content {
20
21 namespace webcrypto {
22
23 namespace {
24
25 // The Default IV for AES-KW. See http://www.ietf.org/rfc/rfc3394.txt
26 // Section 2.2.3.1.
27 const unsigned char kAesIv[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
28
29 // The result of unwrapping is a SymKey rather than a buffer. This is a
30 // consequence of how NSS exposes AES-KW. Subsequent code can extract the value
31 // of the sym key to interpret it as key bytes in another format.
32 Status DoUnwrapSymKeyAesKw(const CryptoData& wrapped_key_data,
33 PK11SymKey* wrapping_key,
34 CK_MECHANISM_TYPE mechanism,
35 CK_FLAGS flags,
36 crypto::ScopedPK11SymKey* unwrapped_key) {
37 DCHECK_GE(wrapped_key_data.byte_length(), 24u);
38 DCHECK_EQ(wrapped_key_data.byte_length() % 8, 0u);
39
40 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv)));
41 crypto::ScopedSECItem param_item(
42 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item));
43 if (!param_item)
44 return Status::ErrorUnexpected();
45
46 SECItem cipher_text = MakeSECItemForBuffer(wrapped_key_data);
47
48 // The plaintext length is always 64 bits less than the data size.
49 const unsigned int plaintext_length = wrapped_key_data.byte_length() - 8;
50
51 #if defined(USE_NSS)
52 // Part of workaround for
53 // https://bugzilla.mozilla.org/show_bug.cgi?id=981170. See the explanation
54 // later in this function.
55 PORT_SetError(0);
56 #endif
57
58 crypto::ScopedPK11SymKey new_key(PK11_UnwrapSymKeyWithFlags(
59 wrapping_key, CKM_NSS_AES_KEY_WRAP, param_item.get(), &cipher_text,
60 mechanism, CKA_FLAGS_ONLY, plaintext_length, flags));
61
62 // TODO(padolph): Use NSS PORT_GetError() and friends to report a more
63 // accurate error, providing if doesn't leak any information to web pages
64 // about other web crypto users, key details, etc.
65 if (!new_key)
66 return Status::OperationError();
67
68 #if defined(USE_NSS)
69 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=981170
70 // which was fixed in NSS 3.16.0.
71 // If unwrap fails, NSS nevertheless returns a valid-looking PK11SymKey,
72 // with a reasonable length but with key data pointing to uninitialized
73 // memory.
74 // To understand this workaround see the fix for 981170:
75 // https://hg.mozilla.org/projects/nss/rev/753bb69e543c
76 if (!NSS_VersionCheck("3.16") && PORT_GetError() == SEC_ERROR_BAD_DATA)
77 return Status::OperationError();
78 #endif
79
80 *unwrapped_key = new_key.Pass();
81 return Status::Success();
82 }
83
84 Status WrapSymKeyAesKw(PK11SymKey* key,
85 PK11SymKey* wrapping_key,
86 std::vector<uint8_t>* buffer) {
87 // The data size must be at least 16 bytes and a multiple of 8 bytes.
88 // RFC 3394 does not specify a maximum allowed data length, but since only
89 // keys are being wrapped in this application (which are small), a reasonable
90 // max limit is whatever will fit into an unsigned. For the max size test,
91 // note that AES Key Wrap always adds 8 bytes to the input data size.
92 const unsigned int input_length = PK11_GetKeyLength(key);
93 DCHECK_GE(input_length, 16u);
94 DCHECK((input_length % 8) == 0);
95
96 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv)));
97 crypto::ScopedSECItem param_item(
98 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item));
99 if (!param_item)
100 return Status::ErrorUnexpected();
101
102 base::CheckedNumeric<unsigned int> output_length = input_length;
103 output_length += 8;
104 if (!output_length.IsValid())
105 return Status::ErrorDataTooLarge();
106
107 buffer->resize(output_length.ValueOrDie());
108 SECItem wrapped_key_item = MakeSECItemForBuffer(CryptoData(*buffer));
109
110 if (SECSuccess != PK11_WrapSymKey(CKM_NSS_AES_KEY_WRAP, param_item.get(),
111 wrapping_key, key, &wrapped_key_item)) {
112 return Status::OperationError();
113 }
114 if (output_length.ValueOrDie() != wrapped_key_item.len)
115 return Status::ErrorUnexpected();
116
117 return Status::Success();
118 }
119
120 class AesKwCryptoAlgorithmNss : public AesAlgorithm {
121 public:
122 AesKwCryptoAlgorithmNss()
123 : AesAlgorithm(
124 CKM_NSS_AES_KEY_WRAP,
125 blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey,
126 "KW") {}
127
128 Status Encrypt(const blink::WebCryptoAlgorithm& algorithm,
129 const blink::WebCryptoKey& wrapping_key,
130 const CryptoData& data,
131 std::vector<uint8_t>* buffer) const override {
132 if (data.byte_length() < 16)
133 return Status::ErrorDataTooSmall();
134 if (data.byte_length() % 8)
135 return Status::ErrorInvalidAesKwDataLength();
136
137 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must
138 // be temporarily viewed as a symmetric key to be wrapped (encrypted).
139 SECItem data_item = MakeSECItemForBuffer(data);
140 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
141 crypto::ScopedPK11SymKey data_as_sym_key(
142 PK11_ImportSymKey(slot.get(), CKK_GENERIC_SECRET, PK11_OriginUnwrap,
143 CKA_SIGN, &data_item, NULL));
144 if (!data_as_sym_key)
145 return Status::OperationError();
146
147 return WrapSymKeyAesKw(data_as_sym_key.get(),
148 SymKeyNss::Cast(wrapping_key)->key(), buffer);
149 }
150
151 Status Decrypt(const blink::WebCryptoAlgorithm& algorithm,
152 const blink::WebCryptoKey& wrapping_key,
153 const CryptoData& data,
154 std::vector<uint8_t>* buffer) const override {
155 if (data.byte_length() < 24)
156 return Status::ErrorDataTooSmall();
157 if (data.byte_length() % 8)
158 return Status::ErrorInvalidAesKwDataLength();
159
160 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must
161 // be temporarily viewed as a symmetric key to be unwrapped (decrypted).
162 crypto::ScopedPK11SymKey decrypted;
163 Status status =
164 DoUnwrapSymKeyAesKw(data, SymKeyNss::Cast(wrapping_key)->key(),
165 CKK_GENERIC_SECRET, 0, &decrypted);
166 if (status.IsError())
167 return status;
168
169 // Once the decrypt is complete, extract the resultant raw bytes from NSS
170 // and return them to the caller.
171 if (PK11_ExtractKeyValue(decrypted.get()) != SECSuccess)
172 return Status::OperationError();
173 const SECItem* const key_data = PK11_GetKeyData(decrypted.get());
174 if (!key_data)
175 return Status::OperationError();
176 buffer->assign(key_data->data, key_data->data + key_data->len);
177
178 return Status::Success();
179 }
180 };
181
182 } // namespace
183
184 AlgorithmImplementation* CreatePlatformAesKwImplementation() {
185 return new AesKwCryptoAlgorithmNss;
186 }
187
188 } // namespace webcrypto
189
190 } // namespace content