1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/child/webcrypto/platform_crypto.h"
14 #include "base/lazy_instance.h"
15 #include "base/logging.h"
16 #include "content/child/webcrypto/crypto_data.h"
17 #include "content/child/webcrypto/status.h"
18 #include "content/child/webcrypto/webcrypto_util.h"
19 #include "crypto/nss_util.h"
20 #include "crypto/scoped_nss_types.h"
21 #include "third_party/WebKit/public/platform/WebArrayBuffer.h"
22 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
23 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
24 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
31 // At the time of this writing:
32 // * Windows and Mac builds ship with their own copy of NSS (3.15+)
33 // * Linux builds use the system's libnss, which is 3.14 on Debian (but 3.15+
36 // Since NSS provides AES-GCM support starting in version 3.15, it may be
37 // unavailable for Linux Chrome users.
39 // * !defined(CKM_AES_GCM)
41 // This means that at build time, the NSS header pkcs11t.h is older than
42 // 3.15. However at runtime support may be present.
44 // * !defined(USE_NSS)
46 // This means that Chrome is being built with an embedded copy of NSS,
47 // which can be assumed to be >= 3.15. On the other hand if USE_NSS is
48 // defined, it also implies running on Linux.
50 // TODO(eroman): Simplify this once 3.15+ is required by Linux builds.
51 #if !defined(CKM_AES_GCM)
52 #define CKM_AES_GCM 0x00001087
54 struct CK_GCM_PARAMS {
61 #endif // !defined(CKM_AES_GCM)
63 // Signature for PK11_Encrypt and PK11_Decrypt.
64 typedef SECStatus (*PK11_EncryptDecryptFunction)(PK11SymKey*,
73 // Singleton to abstract away dynamically loading libnss3.so
76 bool IsSupported() const { return pk11_encrypt_func_ && pk11_decrypt_func_; }
78 // Returns NULL if unsupported.
79 PK11_EncryptDecryptFunction pk11_encrypt_func() const {
80 return pk11_encrypt_func_;
83 // Returns NULL if unsupported.
84 PK11_EncryptDecryptFunction pk11_decrypt_func() const {
85 return pk11_decrypt_func_;
89 friend struct base::DefaultLazyInstanceTraits<AesGcmSupport>;
93 // Using a bundled version of NSS that is guaranteed to have this symbol.
94 pk11_encrypt_func_ = PK11_Encrypt;
95 pk11_decrypt_func_ = PK11_Decrypt;
97 // Using system NSS libraries and PCKS #11 modules, which may not have the
98 // necessary function (PK11_Encrypt) or mechanism support (CKM_AES_GCM).
100 // If PK11_Encrypt() was successfully resolved, then NSS will support
101 // AES-GCM directly. This was introduced in NSS 3.15.
102 pk11_encrypt_func_ = reinterpret_cast<PK11_EncryptDecryptFunction>(
103 dlsym(RTLD_DEFAULT, "PK11_Encrypt"));
104 pk11_decrypt_func_ = reinterpret_cast<PK11_EncryptDecryptFunction>(
105 dlsym(RTLD_DEFAULT, "PK11_Decrypt"));
109 PK11_EncryptDecryptFunction pk11_encrypt_func_;
110 PK11_EncryptDecryptFunction pk11_decrypt_func_;
113 base::LazyInstance<AesGcmSupport>::Leaky g_aes_gcm_support =
114 LAZY_INSTANCE_INITIALIZER;
118 namespace webcrypto {
122 class SymKey : public Key {
124 explicit SymKey(crypto::ScopedPK11SymKey key) : key_(key.Pass()) {}
126 PK11SymKey* key() { return key_.get(); }
128 virtual SymKey* AsSymKey() OVERRIDE { return this; }
129 virtual PublicKey* AsPublicKey() OVERRIDE { return NULL; }
130 virtual PrivateKey* AsPrivateKey() OVERRIDE { return NULL; }
133 crypto::ScopedPK11SymKey key_;
135 DISALLOW_COPY_AND_ASSIGN(SymKey);
138 class PublicKey : public Key {
140 explicit PublicKey(crypto::ScopedSECKEYPublicKey key) : key_(key.Pass()) {}
142 SECKEYPublicKey* key() { return key_.get(); }
144 virtual SymKey* AsSymKey() OVERRIDE { return NULL; }
145 virtual PublicKey* AsPublicKey() OVERRIDE { return this; }
146 virtual PrivateKey* AsPrivateKey() OVERRIDE { return NULL; }
149 crypto::ScopedSECKEYPublicKey key_;
151 DISALLOW_COPY_AND_ASSIGN(PublicKey);
154 class PrivateKey : public Key {
156 explicit PrivateKey(crypto::ScopedSECKEYPrivateKey key) : key_(key.Pass()) {}
158 SECKEYPrivateKey* key() { return key_.get(); }
160 virtual SymKey* AsSymKey() OVERRIDE { return NULL; }
161 virtual PublicKey* AsPublicKey() OVERRIDE { return NULL; }
162 virtual PrivateKey* AsPrivateKey() OVERRIDE { return this; }
165 crypto::ScopedSECKEYPrivateKey key_;
167 DISALLOW_COPY_AND_ASSIGN(PrivateKey);
172 // Creates a SECItem for the data in |buffer|. This does NOT make a copy, so
173 // |buffer| should outlive the SECItem.
174 SECItem MakeSECItemForBuffer(const CryptoData& buffer) {
177 // NSS requires non-const data even though it is just for input.
178 const_cast<unsigned char*>(buffer.bytes()), buffer.byte_length()};
182 HASH_HashType WebCryptoAlgorithmToNSSHashType(
183 blink::WebCryptoAlgorithmId algorithm) {
185 case blink::WebCryptoAlgorithmIdSha1:
187 case blink::WebCryptoAlgorithmIdSha256:
188 return HASH_AlgSHA256;
189 case blink::WebCryptoAlgorithmIdSha384:
190 return HASH_AlgSHA384;
191 case blink::WebCryptoAlgorithmIdSha512:
192 return HASH_AlgSHA512;
194 // Not a digest algorithm.
199 CK_MECHANISM_TYPE WebCryptoHashToHMACMechanism(
200 const blink::WebCryptoAlgorithm& algorithm) {
201 switch (algorithm.id()) {
202 case blink::WebCryptoAlgorithmIdSha1:
203 return CKM_SHA_1_HMAC;
204 case blink::WebCryptoAlgorithmIdSha256:
205 return CKM_SHA256_HMAC;
206 case blink::WebCryptoAlgorithmIdSha384:
207 return CKM_SHA384_HMAC;
208 case blink::WebCryptoAlgorithmIdSha512:
209 return CKM_SHA512_HMAC;
211 // Not a supported algorithm.
212 return CKM_INVALID_MECHANISM;
216 Status AesCbcEncryptDecrypt(EncryptOrDecrypt mode,
218 const CryptoData& iv,
219 const CryptoData& data,
220 blink::WebArrayBuffer* buffer) {
221 CK_ATTRIBUTE_TYPE operation = (mode == ENCRYPT) ? CKA_ENCRYPT : CKA_DECRYPT;
223 SECItem iv_item = MakeSECItemForBuffer(iv);
225 crypto::ScopedSECItem param(PK11_ParamFromIV(CKM_AES_CBC_PAD, &iv_item));
227 return Status::Error();
229 crypto::ScopedPK11Context context(PK11_CreateContextBySymKey(
230 CKM_AES_CBC_PAD, operation, key->key(), param.get()));
233 return Status::Error();
235 // Oddly PK11_CipherOp takes input and output lengths as "int" rather than
236 // "unsigned int". Do some checks now to avoid integer overflowing.
237 if (data.byte_length() >= INT_MAX - AES_BLOCK_SIZE) {
238 // TODO(eroman): Handle this by chunking the input fed into NSS. Right now
239 // it doesn't make much difference since the one-shot API would end up
240 // blowing out the memory and crashing anyway.
241 return Status::ErrorDataTooLarge();
244 // PK11_CipherOp does an invalid memory access when given empty decryption
245 // input, or input which is not a multiple of the block size. See also
246 // https://bugzilla.mozilla.com/show_bug.cgi?id=921687.
247 if (operation == CKA_DECRYPT &&
248 (data.byte_length() == 0 || (data.byte_length() % AES_BLOCK_SIZE != 0))) {
249 return Status::Error();
252 // TODO(eroman): Refine the output buffer size. It can be computed exactly for
253 // encryption, and can be smaller for decryption.
254 unsigned int output_max_len = data.byte_length() + AES_BLOCK_SIZE;
255 CHECK_GT(output_max_len, data.byte_length());
257 *buffer = blink::WebArrayBuffer::create(output_max_len, 1);
259 unsigned char* buffer_data = reinterpret_cast<unsigned char*>(buffer->data());
262 if (SECSuccess != PK11_CipherOp(context.get(),
265 buffer->byteLength(),
267 data.byte_length())) {
268 return Status::Error();
271 unsigned int final_output_chunk_len;
272 if (SECSuccess != PK11_DigestFinal(context.get(),
273 buffer_data + output_len,
274 &final_output_chunk_len,
275 output_max_len - output_len)) {
276 return Status::Error();
279 ShrinkBuffer(buffer, final_output_chunk_len + output_len);
280 return Status::Success();
283 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is
284 // the concatenation of the ciphertext and the authentication tag. Similarly,
285 // this is the expectation for the input to decryption.
286 Status AesGcmEncryptDecrypt(EncryptOrDecrypt mode,
288 const CryptoData& data,
289 const CryptoData& iv,
290 const CryptoData& additional_data,
291 unsigned int tag_length_bits,
292 blink::WebArrayBuffer* buffer) {
293 if (!g_aes_gcm_support.Get().IsSupported())
294 return Status::ErrorUnsupported();
296 unsigned int tag_length_bytes = tag_length_bits / 8;
298 CK_GCM_PARAMS gcm_params = {0};
299 gcm_params.pIv = const_cast<unsigned char*>(iv.bytes());
300 gcm_params.ulIvLen = iv.byte_length();
302 gcm_params.pAAD = const_cast<unsigned char*>(additional_data.bytes());
303 gcm_params.ulAADLen = additional_data.byte_length();
305 gcm_params.ulTagBits = tag_length_bits;
308 param.type = siBuffer;
309 param.data = reinterpret_cast<unsigned char*>(&gcm_params);
310 param.len = sizeof(gcm_params);
312 unsigned int buffer_size = 0;
314 // Calculate the output buffer size.
315 if (mode == ENCRYPT) {
316 // TODO(eroman): This is ugly, abstract away the safe integer arithmetic.
317 if (data.byte_length() > (UINT_MAX - tag_length_bytes))
318 return Status::ErrorDataTooLarge();
319 buffer_size = data.byte_length() + tag_length_bytes;
321 // TODO(eroman): In theory the buffer allocated for the plain text should be
322 // sized as |data.byte_length() - tag_length_bytes|.
324 // However NSS has a bug whereby it will fail if the output buffer size is
325 // not at least as large as the ciphertext:
327 // https://bugzilla.mozilla.org/show_bug.cgi?id=%20853674
329 // From the analysis of that bug it looks like it might be safe to pass a
330 // correctly sized buffer but lie about its size. Since resizing the
331 // WebCryptoArrayBuffer is expensive that hack may be worth looking into.
332 buffer_size = data.byte_length();
335 *buffer = blink::WebArrayBuffer::create(buffer_size, 1);
336 unsigned char* buffer_data = reinterpret_cast<unsigned char*>(buffer->data());
338 PK11_EncryptDecryptFunction func =
339 (mode == ENCRYPT) ? g_aes_gcm_support.Get().pk11_encrypt_func()
340 : g_aes_gcm_support.Get().pk11_decrypt_func();
342 unsigned int output_len = 0;
343 SECStatus result = func(key->key(),
348 buffer->byteLength(),
352 if (result != SECSuccess)
353 return Status::Error();
355 // Unfortunately the buffer needs to be shrunk for decryption (see the NSS bug
357 ShrinkBuffer(buffer, output_len);
359 return Status::Success();
362 CK_MECHANISM_TYPE WebCryptoAlgorithmToGenMechanism(
363 const blink::WebCryptoAlgorithm& algorithm) {
364 switch (algorithm.id()) {
365 case blink::WebCryptoAlgorithmIdAesCbc:
366 case blink::WebCryptoAlgorithmIdAesGcm:
367 case blink::WebCryptoAlgorithmIdAesKw:
368 return CKM_AES_KEY_GEN;
369 case blink::WebCryptoAlgorithmIdHmac:
370 return WebCryptoHashToHMACMechanism(algorithm.hmacKeyGenParams()->hash());
372 return CKM_INVALID_MECHANISM;
376 // Converts a (big-endian) WebCrypto BigInteger, with or without leading zeros,
378 bool BigIntegerToLong(const uint8* data,
379 unsigned int data_size,
380 unsigned long* result) {
381 // TODO(padolph): Is it correct to say that empty data is an error, or does it
382 // mean value 0? See https://www.w3.org/Bugs/Public/show_bug.cgi?id=23655
387 for (size_t i = 0; i < data_size; ++i) {
388 size_t reverse_i = data_size - i - 1;
390 if (reverse_i >= sizeof(unsigned long) && data[i])
391 return false; // Too large for a long.
393 *result |= data[i] << 8 * reverse_i;
398 bool IsAlgorithmRsa(const blink::WebCryptoAlgorithm& algorithm) {
399 return algorithm.id() == blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5 ||
400 algorithm.id() == blink::WebCryptoAlgorithmIdRsaOaep ||
401 algorithm.id() == blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5;
404 bool CreatePublicKeyAlgorithm(const blink::WebCryptoAlgorithm& algorithm,
405 SECKEYPublicKey* key,
406 blink::WebCryptoKeyAlgorithm* key_algorithm) {
407 // TODO(eroman): What about other key types rsaPss, rsaOaep.
408 if (!key || key->keyType != rsaKey)
411 unsigned int modulus_length_bits = SECKEY_PublicKeyStrength(key) * 8;
412 CryptoData public_exponent(key->u.rsa.publicExponent.data,
413 key->u.rsa.publicExponent.len);
415 switch (algorithm.paramsType()) {
416 case blink::WebCryptoAlgorithmParamsTypeRsaHashedImportParams:
417 case blink::WebCryptoAlgorithmParamsTypeRsaHashedKeyGenParams:
418 *key_algorithm = blink::WebCryptoKeyAlgorithm::createRsaHashed(
421 public_exponent.bytes(),
422 public_exponent.byte_length(),
423 GetInnerHashAlgorithm(algorithm).id());
425 case blink::WebCryptoAlgorithmParamsTypeRsaKeyGenParams:
426 case blink::WebCryptoAlgorithmParamsTypeNone:
427 *key_algorithm = blink::WebCryptoKeyAlgorithm::createRsa(
430 public_exponent.bytes(),
431 public_exponent.byte_length());
438 bool CreatePrivateKeyAlgorithm(const blink::WebCryptoAlgorithm& algorithm,
439 SECKEYPrivateKey* key,
440 blink::WebCryptoKeyAlgorithm* key_algorithm) {
441 crypto::ScopedSECKEYPublicKey public_key(SECKEY_ConvertToPublicKey(key));
442 return CreatePublicKeyAlgorithm(algorithm, public_key.get(), key_algorithm);
445 // The Default IV for AES-KW. See http://www.ietf.org/rfc/rfc3394.txt
447 // TODO(padolph): Move to common place to be shared with OpenSSL implementation.
448 const unsigned char kAesIv[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
450 // Sets NSS CK_MECHANISM_TYPE and CK_FLAGS corresponding to the input Web Crypto
452 Status WebCryptoAlgorithmToNssMechFlags(
453 const blink::WebCryptoAlgorithm& algorithm,
454 CK_MECHANISM_TYPE* mechanism,
456 // Flags are verified at the Blink layer; here the flags are set to all
457 // possible operations of a key for the input algorithm type.
458 switch (algorithm.id()) {
459 case blink::WebCryptoAlgorithmIdHmac: {
460 const blink::WebCryptoAlgorithm hash = GetInnerHashAlgorithm(algorithm);
461 *mechanism = WebCryptoHashToHMACMechanism(hash);
462 if (*mechanism == CKM_INVALID_MECHANISM)
463 return Status::ErrorUnsupported();
464 *flags = CKF_SIGN | CKF_VERIFY;
467 case blink::WebCryptoAlgorithmIdAesCbc: {
468 *mechanism = CKM_AES_CBC;
469 *flags = CKF_ENCRYPT | CKF_DECRYPT;
472 case blink::WebCryptoAlgorithmIdAesKw: {
473 *mechanism = CKM_NSS_AES_KEY_WRAP;
474 *flags = CKF_WRAP | CKF_WRAP;
477 case blink::WebCryptoAlgorithmIdAesGcm: {
478 if (!g_aes_gcm_support.Get().IsSupported())
479 return Status::ErrorUnsupported();
480 *mechanism = CKM_AES_GCM;
481 *flags = CKF_ENCRYPT | CKF_DECRYPT;
485 return Status::ErrorUnsupported();
487 return Status::Success();
490 Status DoUnwrapSymKeyAesKw(const CryptoData& wrapped_key_data,
491 SymKey* wrapping_key,
492 CK_MECHANISM_TYPE mechanism,
494 crypto::ScopedPK11SymKey* unwrapped_key) {
495 DCHECK_GE(wrapped_key_data.byte_length(), 24u);
496 DCHECK_EQ(wrapped_key_data.byte_length() % 8, 0u);
498 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv)));
499 crypto::ScopedSECItem param_item(
500 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item));
502 return Status::ErrorUnexpected();
504 SECItem cipher_text = MakeSECItemForBuffer(wrapped_key_data);
506 // The plaintext length is always 64 bits less than the data size.
507 const unsigned int plaintext_length = wrapped_key_data.byte_length() - 8;
510 // Part of workaround for
511 // https://bugzilla.mozilla.org/show_bug.cgi?id=981170. See the explanation
512 // later in this function.
516 crypto::ScopedPK11SymKey new_key(PK11_UnwrapSymKey(wrapping_key->key(),
517 CKM_NSS_AES_KEY_WRAP,
523 // TODO(padolph): Use NSS PORT_GetError() and friends to report a more
524 // accurate error, providing if doesn't leak any information to web pages
525 // about other web crypto users, key details, etc.
527 return Status::Error();
530 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=981170
531 // which was fixed in NSS 3.16.0.
532 // If unwrap fails, NSS nevertheless returns a valid-looking PK11SymKey,
533 // with a reasonable length but with key data pointing to uninitialized
535 // To understand this workaround see the fix for 981170:
536 // https://hg.mozilla.org/projects/nss/rev/753bb69e543c
537 if (!NSS_VersionCheck("3.16") && PORT_GetError() == SEC_ERROR_BAD_DATA)
538 return Status::Error();
541 *unwrapped_key = new_key.Pass();
542 return Status::Success();
545 void CopySECItemToVector(const SECItem& item, std::vector<uint8>* out) {
546 out->assign(item.data, item.data + item.len);
549 // The system NSS library doesn't have the new PK11_ExportDERPrivateKeyInfo
550 // function yet (https://bugzilla.mozilla.org/show_bug.cgi?id=519255). So we
551 // provide a fallback implementation.
553 // From PKCS#1 [http://tools.ietf.org/html/rfc3447]:
555 // RSAPrivateKey ::= SEQUENCE {
557 // modulus INTEGER, -- n
558 // publicExponent INTEGER, -- e
559 // privateExponent INTEGER, -- d
560 // prime1 INTEGER, -- p
561 // prime2 INTEGER, -- q
562 // exponent1 INTEGER, -- d mod (p-1)
563 // exponent2 INTEGER, -- d mod (q-1)
564 // coefficient INTEGER, -- (inverse of q) mod p
565 // otherPrimeInfos OtherPrimeInfos OPTIONAL
568 // Note that otherPrimeInfos is only applicable for version=1. Since NSS
569 // doesn't use multi-prime can safely use version=0.
570 struct RSAPrivateKey {
573 SECItem public_exponent;
574 SECItem private_exponent;
582 const SEC_ASN1Template RSAPrivateKeyTemplate[] = {
583 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(RSAPrivateKey)},
584 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, version)},
585 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, modulus)},
586 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, public_exponent)},
587 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, private_exponent)},
588 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, prime1)},
589 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, prime2)},
590 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, exponent1)},
591 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, exponent2)},
592 {SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, coefficient)},
595 // On success |value| will be filled with data which must be freed by
596 // SECITEM_FreeItem(value, PR_FALSE);
597 bool ReadUint(SECKEYPrivateKey* key,
598 CK_ATTRIBUTE_TYPE attribute,
600 SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, attribute, value);
602 // PK11_ReadRawAttribute() returns items of type siBuffer. However in order
603 // for the ASN.1 encoding to be correct, the items must be of type
604 // siUnsignedInteger.
605 value->type = siUnsignedInteger;
607 return rv == SECSuccess;
610 // Fills |out| with the RSA private key properties. Returns true on success.
611 // Regardless of the return value, the caller must invoke FreeRSAPrivateKey()
612 // to free up any allocated memory.
614 // The passed in RSAPrivateKey must be zero-initialized.
615 bool InitRSAPrivateKey(SECKEYPrivateKey* key, RSAPrivateKey* out) {
616 if (key->keyType != rsaKey)
619 // Everything should be zero-ed out. These are just some spot checks.
620 DCHECK(!out->version.data);
621 DCHECK(!out->version.len);
622 DCHECK(!out->modulus.data);
623 DCHECK(!out->modulus.len);
625 // Always use version=0 since not using multi-prime.
626 if (!SEC_ASN1EncodeInteger(NULL, &out->version, 0))
629 if (!ReadUint(key, CKA_MODULUS, &out->modulus))
631 if (!ReadUint(key, CKA_PUBLIC_EXPONENT, &out->public_exponent))
633 if (!ReadUint(key, CKA_PRIVATE_EXPONENT, &out->private_exponent))
635 if (!ReadUint(key, CKA_PRIME_1, &out->prime1))
637 if (!ReadUint(key, CKA_PRIME_2, &out->prime2))
639 if (!ReadUint(key, CKA_EXPONENT_1, &out->exponent1))
641 if (!ReadUint(key, CKA_EXPONENT_2, &out->exponent2))
643 if (!ReadUint(key, CKA_COEFFICIENT, &out->coefficient))
649 struct FreeRsaPrivateKey {
650 void operator()(RSAPrivateKey* out) {
651 SECITEM_FreeItem(&out->version, PR_FALSE);
652 SECITEM_FreeItem(&out->modulus, PR_FALSE);
653 SECITEM_FreeItem(&out->public_exponent, PR_FALSE);
654 SECITEM_FreeItem(&out->private_exponent, PR_FALSE);
655 SECITEM_FreeItem(&out->prime1, PR_FALSE);
656 SECITEM_FreeItem(&out->prime2, PR_FALSE);
657 SECITEM_FreeItem(&out->exponent1, PR_FALSE);
658 SECITEM_FreeItem(&out->exponent2, PR_FALSE);
659 SECITEM_FreeItem(&out->coefficient, PR_FALSE);
662 #endif // defined(USE_NSS)
666 Status ImportKeyRaw(const blink::WebCryptoAlgorithm& algorithm,
667 const CryptoData& key_data,
669 blink::WebCryptoKeyUsageMask usage_mask,
670 blink::WebCryptoKey* key) {
672 DCHECK(!algorithm.isNull());
674 CK_MECHANISM_TYPE mechanism;
677 WebCryptoAlgorithmToNssMechFlags(algorithm, &mechanism, &flags);
678 if (status.IsError())
681 SECItem key_item = MakeSECItemForBuffer(key_data);
683 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
684 crypto::ScopedPK11SymKey pk11_sym_key(
685 PK11_ImportSymKeyWithFlags(slot.get(),
693 if (!pk11_sym_key.get())
694 return Status::Error();
696 blink::WebCryptoKeyAlgorithm key_algorithm;
697 if (!CreateSecretKeyAlgorithm(
698 algorithm, key_data.byte_length(), &key_algorithm))
699 return Status::ErrorUnexpected();
701 *key = blink::WebCryptoKey::create(new SymKey(pk11_sym_key.Pass()),
702 blink::WebCryptoKeyTypeSecret,
706 return Status::Success();
709 Status ExportKeyRaw(SymKey* key, blink::WebArrayBuffer* buffer) {
710 if (PK11_ExtractKeyValue(key->key()) != SECSuccess)
711 return Status::Error();
713 const SECItem* key_data = PK11_GetKeyData(key->key());
715 return Status::Error();
717 *buffer = CreateArrayBuffer(key_data->data, key_data->len);
719 return Status::Success();
724 typedef scoped_ptr<CERTSubjectPublicKeyInfo,
725 crypto::NSSDestroyer<CERTSubjectPublicKeyInfo,
726 SECKEY_DestroySubjectPublicKeyInfo> >
727 ScopedCERTSubjectPublicKeyInfo;
729 // Validates an NSS KeyType against a WebCrypto import algorithm.
730 bool ValidateNssKeyTypeAgainstInputAlgorithm(
732 const blink::WebCryptoAlgorithm& algorithm) {
735 return IsAlgorithmRsa(algorithm);
740 // TODO(padolph): Handle other key types.
750 Status ImportKeySpki(const blink::WebCryptoAlgorithm& algorithm,
751 const CryptoData& key_data,
753 blink::WebCryptoKeyUsageMask usage_mask,
754 blink::WebCryptoKey* key) {
758 if (!key_data.byte_length())
759 return Status::ErrorImportEmptyKeyData();
760 DCHECK(key_data.bytes());
762 // The binary blob 'key_data' is expected to be a DER-encoded ASN.1 Subject
763 // Public Key Info. Decode this to a CERTSubjectPublicKeyInfo.
764 SECItem spki_item = MakeSECItemForBuffer(key_data);
765 const ScopedCERTSubjectPublicKeyInfo spki(
766 SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
768 return Status::Error();
770 crypto::ScopedSECKEYPublicKey sec_public_key(
771 SECKEY_ExtractPublicKey(spki.get()));
773 return Status::Error();
775 const KeyType sec_key_type = SECKEY_GetPublicKeyType(sec_public_key.get());
776 if (!ValidateNssKeyTypeAgainstInputAlgorithm(sec_key_type, algorithm))
777 return Status::Error();
779 blink::WebCryptoKeyAlgorithm key_algorithm;
780 if (!CreatePublicKeyAlgorithm(
781 algorithm, sec_public_key.get(), &key_algorithm))
782 return Status::ErrorUnexpected();
784 *key = blink::WebCryptoKey::create(new PublicKey(sec_public_key.Pass()),
785 blink::WebCryptoKeyTypePublic,
790 return Status::Success();
793 Status ExportKeySpki(PublicKey* key, blink::WebArrayBuffer* buffer) {
794 const crypto::ScopedSECItem spki_der(
795 SECKEY_EncodeDERSubjectPublicKeyInfo(key->key()));
797 return Status::Error();
799 DCHECK(spki_der->data);
800 DCHECK(spki_der->len);
802 *buffer = CreateArrayBuffer(spki_der->data, spki_der->len);
804 return Status::Success();
807 Status ExportRsaPublicKey(PublicKey* key,
808 std::vector<uint8>* modulus,
809 std::vector<uint8>* public_exponent) {
812 if (key->key()->keyType != rsaKey)
813 return Status::ErrorUnsupported();
814 CopySECItemToVector(key->key()->u.rsa.modulus, modulus);
815 CopySECItemToVector(key->key()->u.rsa.publicExponent, public_exponent);
816 if (modulus->empty() || public_exponent->empty())
817 return Status::ErrorUnexpected();
818 return Status::Success();
821 Status ExportKeyPkcs8(PrivateKey* key,
822 const blink::WebCryptoKeyAlgorithm& key_algorithm,
823 blink::WebArrayBuffer* buffer) {
824 // TODO(eroman): Support other RSA key types as they are added to Blink.
825 if (key_algorithm.id() != blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5 &&
826 key_algorithm.id() != blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5)
827 return Status::ErrorUnsupported();
830 // PK11_ExportDERPrivateKeyInfo isn't available. Use our fallback code.
831 const SECOidTag algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
832 const int kPrivateKeyInfoVersion = 0;
834 SECKEYPrivateKeyInfo private_key_info = {};
835 RSAPrivateKey rsa_private_key = {};
836 scoped_ptr<RSAPrivateKey, FreeRsaPrivateKey> free_private_key(
839 if (!InitRSAPrivateKey(key->key(), &rsa_private_key))
840 return Status::Error();
842 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
844 return Status::Error();
846 if (!SEC_ASN1EncodeItem(arena.get(),
847 &private_key_info.privateKey,
849 RSAPrivateKeyTemplate))
850 return Status::Error();
853 SECOID_SetAlgorithmID(
854 arena.get(), &private_key_info.algorithm, algorithm, NULL))
855 return Status::Error();
857 if (!SEC_ASN1EncodeInteger(
858 arena.get(), &private_key_info.version, kPrivateKeyInfoVersion))
859 return Status::Error();
861 crypto::ScopedSECItem encoded_key(
862 SEC_ASN1EncodeItem(NULL,
865 SEC_ASN1_GET(SECKEY_PrivateKeyInfoTemplate)));
866 #else // defined(USE_NSS)
867 crypto::ScopedSECItem encoded_key(
868 PK11_ExportDERPrivateKeyInfo(key->key(), NULL));
869 #endif // defined(USE_NSS)
871 if (!encoded_key.get())
872 return Status::Error();
874 *buffer = CreateArrayBuffer(encoded_key->data, encoded_key->len);
875 return Status::Success();
878 Status ImportKeyPkcs8(const blink::WebCryptoAlgorithm& algorithm,
879 const CryptoData& key_data,
881 blink::WebCryptoKeyUsageMask usage_mask,
882 blink::WebCryptoKey* key) {
886 if (!key_data.byte_length())
887 return Status::ErrorImportEmptyKeyData();
888 DCHECK(key_data.bytes());
890 // The binary blob 'key_data' is expected to be a DER-encoded ASN.1 PKCS#8
891 // private key info object.
892 SECItem pki_der = MakeSECItemForBuffer(key_data);
894 SECKEYPrivateKey* seckey_private_key = NULL;
895 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
896 if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot.get(),
904 NULL) != SECSuccess) {
905 return Status::Error();
907 DCHECK(seckey_private_key);
908 crypto::ScopedSECKEYPrivateKey private_key(seckey_private_key);
910 const KeyType sec_key_type = SECKEY_GetPrivateKeyType(private_key.get());
911 if (!ValidateNssKeyTypeAgainstInputAlgorithm(sec_key_type, algorithm))
912 return Status::Error();
914 blink::WebCryptoKeyAlgorithm key_algorithm;
915 if (!CreatePrivateKeyAlgorithm(algorithm, private_key.get(), &key_algorithm))
916 return Status::ErrorUnexpected();
918 *key = blink::WebCryptoKey::create(new PrivateKey(private_key.Pass()),
919 blink::WebCryptoKeyTypePrivate,
924 return Status::Success();
927 // -----------------------------------
929 // -----------------------------------
931 Status SignHmac(SymKey* key,
932 const blink::WebCryptoAlgorithm& hash,
933 const CryptoData& data,
934 blink::WebArrayBuffer* buffer) {
935 DCHECK_EQ(PK11_GetMechanism(key->key()), WebCryptoHashToHMACMechanism(hash));
937 SECItem param_item = {siBuffer, NULL, 0};
938 SECItem data_item = MakeSECItemForBuffer(data);
939 // First call is to figure out the length.
940 SECItem signature_item = {siBuffer, NULL, 0};
942 if (PK11_SignWithSymKey(key->key(),
943 PK11_GetMechanism(key->key()),
946 &data_item) != SECSuccess) {
947 return Status::Error();
950 DCHECK_NE(0u, signature_item.len);
952 *buffer = blink::WebArrayBuffer::create(signature_item.len, 1);
953 signature_item.data = reinterpret_cast<unsigned char*>(buffer->data());
955 if (PK11_SignWithSymKey(key->key(),
956 PK11_GetMechanism(key->key()),
959 &data_item) != SECSuccess) {
960 return Status::Error();
963 DCHECK_EQ(buffer->byteLength(), signature_item.len);
964 return Status::Success();
967 // -----------------------------------
969 // -----------------------------------
971 Status EncryptRsaEsPkcs1v1_5(PublicKey* key,
972 const CryptoData& data,
973 blink::WebArrayBuffer* buffer) {
974 const unsigned int encrypted_length_bytes =
975 SECKEY_PublicKeyStrength(key->key());
977 // RSAES can operate on messages up to a length of k - 11, where k is the
978 // octet length of the RSA modulus.
979 if (encrypted_length_bytes < 11 ||
980 encrypted_length_bytes - 11 < data.byte_length())
981 return Status::ErrorDataTooLarge();
983 *buffer = blink::WebArrayBuffer::create(encrypted_length_bytes, 1);
984 unsigned char* const buffer_data =
985 reinterpret_cast<unsigned char*>(buffer->data());
987 if (PK11_PubEncryptPKCS1(key->key(),
989 const_cast<unsigned char*>(data.bytes()),
991 NULL) != SECSuccess) {
992 return Status::Error();
994 return Status::Success();
997 Status DecryptRsaEsPkcs1v1_5(PrivateKey* key,
998 const CryptoData& data,
999 blink::WebArrayBuffer* buffer) {
1000 const int modulus_length_bytes = PK11_GetPrivateModulusLen(key->key());
1001 if (modulus_length_bytes <= 0)
1002 return Status::ErrorUnexpected();
1003 const unsigned int max_output_length_bytes = modulus_length_bytes;
1005 *buffer = blink::WebArrayBuffer::create(max_output_length_bytes, 1);
1006 unsigned char* const buffer_data =
1007 reinterpret_cast<unsigned char*>(buffer->data());
1009 unsigned int output_length_bytes = 0;
1010 if (PK11_PrivDecryptPKCS1(key->key(),
1012 &output_length_bytes,
1013 max_output_length_bytes,
1014 const_cast<unsigned char*>(data.bytes()),
1015 data.byte_length()) != SECSuccess) {
1016 return Status::Error();
1018 DCHECK_LE(output_length_bytes, max_output_length_bytes);
1019 ShrinkBuffer(buffer, output_length_bytes);
1020 return Status::Success();
1023 // -----------------------------------
1025 // -----------------------------------
1027 Status SignRsaSsaPkcs1v1_5(PrivateKey* key,
1028 const blink::WebCryptoAlgorithm& hash,
1029 const CryptoData& data,
1030 blink::WebArrayBuffer* buffer) {
1031 // Pick the NSS signing algorithm by combining RSA-SSA (RSA PKCS1) and the
1032 // inner hash of the input Web Crypto algorithm.
1033 SECOidTag sign_alg_tag;
1034 switch (hash.id()) {
1035 case blink::WebCryptoAlgorithmIdSha1:
1036 sign_alg_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
1038 case blink::WebCryptoAlgorithmIdSha256:
1039 sign_alg_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
1041 case blink::WebCryptoAlgorithmIdSha384:
1042 sign_alg_tag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
1044 case blink::WebCryptoAlgorithmIdSha512:
1045 sign_alg_tag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
1048 return Status::ErrorUnsupported();
1051 crypto::ScopedSECItem signature_item(SECITEM_AllocItem(NULL, NULL, 0));
1052 if (SEC_SignData(signature_item.get(),
1056 sign_alg_tag) != SECSuccess) {
1057 return Status::Error();
1060 *buffer = CreateArrayBuffer(signature_item->data, signature_item->len);
1061 return Status::Success();
1064 Status VerifyRsaSsaPkcs1v1_5(PublicKey* key,
1065 const blink::WebCryptoAlgorithm& hash,
1066 const CryptoData& signature,
1067 const CryptoData& data,
1068 bool* signature_match) {
1069 const SECItem signature_item = MakeSECItemForBuffer(signature);
1071 SECOidTag hash_alg_tag;
1072 switch (hash.id()) {
1073 case blink::WebCryptoAlgorithmIdSha1:
1074 hash_alg_tag = SEC_OID_SHA1;
1076 case blink::WebCryptoAlgorithmIdSha256:
1077 hash_alg_tag = SEC_OID_SHA256;
1079 case blink::WebCryptoAlgorithmIdSha384:
1080 hash_alg_tag = SEC_OID_SHA384;
1082 case blink::WebCryptoAlgorithmIdSha512:
1083 hash_alg_tag = SEC_OID_SHA512;
1086 return Status::ErrorUnsupported();
1090 SECSuccess == VFY_VerifyDataDirect(data.bytes(),
1094 SEC_OID_PKCS1_RSA_ENCRYPTION,
1098 return Status::Success();
1101 Status EncryptDecryptAesCbc(EncryptOrDecrypt mode,
1103 const CryptoData& data,
1104 const CryptoData& iv,
1105 blink::WebArrayBuffer* buffer) {
1106 // TODO(eroman): Inline.
1107 return AesCbcEncryptDecrypt(mode, key, iv, data, buffer);
1110 Status EncryptDecryptAesGcm(EncryptOrDecrypt mode,
1112 const CryptoData& data,
1113 const CryptoData& iv,
1114 const CryptoData& additional_data,
1115 unsigned int tag_length_bits,
1116 blink::WebArrayBuffer* buffer) {
1117 // TODO(eroman): Inline.
1118 return AesGcmEncryptDecrypt(
1119 mode, key, data, iv, additional_data, tag_length_bits, buffer);
1122 // -----------------------------------
1124 // -----------------------------------
1126 Status GenerateRsaKeyPair(const blink::WebCryptoAlgorithm& algorithm,
1128 blink::WebCryptoKeyUsageMask usage_mask,
1129 unsigned int modulus_length_bits,
1130 const CryptoData& public_exponent,
1131 const blink::WebCryptoAlgorithm& hash_or_null,
1132 blink::WebCryptoKey* public_key,
1133 blink::WebCryptoKey* private_key) {
1134 crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
1136 return Status::Error();
1138 unsigned long public_exponent_long;
1139 if (!BigIntegerToLong(public_exponent.bytes(),
1140 public_exponent.byte_length(),
1141 &public_exponent_long) ||
1142 !public_exponent_long) {
1143 return Status::ErrorGenerateKeyPublicExponent();
1146 PK11RSAGenParams rsa_gen_params;
1147 rsa_gen_params.keySizeInBits = modulus_length_bits;
1148 rsa_gen_params.pe = public_exponent_long;
1150 // Flags are verified at the Blink layer; here the flags are set to all
1151 // possible operations for the given key type.
1152 CK_FLAGS operation_flags;
1153 switch (algorithm.id()) {
1154 case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
1155 case blink::WebCryptoAlgorithmIdRsaOaep:
1156 operation_flags = CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP;
1158 case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5:
1159 operation_flags = CKF_SIGN | CKF_VERIFY;
1163 return Status::ErrorUnexpected();
1165 const CK_FLAGS operation_flags_mask =
1166 CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_WRAP | CKF_UNWRAP;
1168 // The private key must be marked as insensitive and extractable, otherwise it
1169 // cannot later be exported in unencrypted form or structured-cloned.
1170 const PK11AttrFlags attribute_flags =
1171 PK11_ATTR_INSENSITIVE | PK11_ATTR_EXTRACTABLE;
1173 // Note: NSS does not generate an sec_public_key if the call below fails,
1174 // so there is no danger of a leaked sec_public_key.
1175 SECKEYPublicKey* sec_public_key;
1176 crypto::ScopedSECKEYPrivateKey scoped_sec_private_key(
1177 PK11_GenerateKeyPairWithOpFlags(slot.get(),
1178 CKM_RSA_PKCS_KEY_PAIR_GEN,
1183 operation_flags_mask,
1186 return Status::Error();
1188 blink::WebCryptoKeyAlgorithm key_algorithm;
1189 if (!CreatePublicKeyAlgorithm(algorithm, sec_public_key, &key_algorithm))
1190 return Status::ErrorUnexpected();
1192 *public_key = blink::WebCryptoKey::create(
1193 new PublicKey(crypto::ScopedSECKEYPublicKey(sec_public_key)),
1194 blink::WebCryptoKeyTypePublic,
1199 blink::WebCryptoKey::create(new PrivateKey(scoped_sec_private_key.Pass()),
1200 blink::WebCryptoKeyTypePrivate,
1205 return Status::Success();
1208 void Init() { crypto::EnsureNSSInit(); }
1210 Status DigestSha(blink::WebCryptoAlgorithmId algorithm,
1211 const CryptoData& data,
1212 blink::WebArrayBuffer* buffer) {
1213 HASH_HashType hash_type = WebCryptoAlgorithmToNSSHashType(algorithm);
1214 if (hash_type == HASH_AlgNULL)
1215 return Status::ErrorUnsupported();
1217 HASHContext* context = HASH_Create(hash_type);
1219 return Status::Error();
1221 HASH_Begin(context);
1223 HASH_Update(context, data.bytes(), data.byte_length());
1225 unsigned int hash_result_length = HASH_ResultLenContext(context);
1226 DCHECK_LE(hash_result_length, static_cast<size_t>(HASH_LENGTH_MAX));
1228 *buffer = blink::WebArrayBuffer::create(hash_result_length, 1);
1230 unsigned char* digest = reinterpret_cast<unsigned char*>(buffer->data());
1232 unsigned int result_length = 0;
1233 HASH_End(context, digest, &result_length, hash_result_length);
1235 HASH_Destroy(context);
1237 if (result_length != hash_result_length)
1238 return Status::ErrorUnexpected();
1239 return Status::Success();
1242 Status GenerateSecretKey(const blink::WebCryptoAlgorithm& algorithm,
1244 blink::WebCryptoKeyUsageMask usage_mask,
1245 unsigned keylen_bytes,
1246 blink::WebCryptoKey* key) {
1247 CK_MECHANISM_TYPE mech = WebCryptoAlgorithmToGenMechanism(algorithm);
1248 blink::WebCryptoKeyType key_type = blink::WebCryptoKeyTypeSecret;
1250 if (mech == CKM_INVALID_MECHANISM)
1251 return Status::ErrorUnsupported();
1253 crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
1255 return Status::Error();
1257 crypto::ScopedPK11SymKey pk11_key(
1258 PK11_KeyGen(slot.get(), mech, NULL, keylen_bytes, NULL));
1261 return Status::Error();
1263 blink::WebCryptoKeyAlgorithm key_algorithm;
1264 if (!CreateSecretKeyAlgorithm(algorithm, keylen_bytes, &key_algorithm))
1265 return Status::ErrorUnexpected();
1267 *key = blink::WebCryptoKey::create(new SymKey(pk11_key.Pass()),
1272 return Status::Success();
1275 Status ImportRsaPublicKey(const blink::WebCryptoAlgorithm& algorithm,
1277 blink::WebCryptoKeyUsageMask usage_mask,
1278 const CryptoData& modulus_data,
1279 const CryptoData& exponent_data,
1280 blink::WebCryptoKey* key) {
1282 if (!modulus_data.byte_length())
1283 return Status::ErrorImportRsaEmptyModulus();
1285 if (!exponent_data.byte_length())
1286 return Status::ErrorImportRsaEmptyExponent();
1288 DCHECK(modulus_data.bytes());
1289 DCHECK(exponent_data.bytes());
1291 // NSS does not provide a way to create an RSA public key directly from the
1292 // modulus and exponent values, but it can import an DER-encoded ASN.1 blob
1293 // with these values and create the public key from that. The code below
1294 // follows the recommendation described in
1295 // https://developer.mozilla.org/en-US/docs/NSS/NSS_Tech_Notes/nss_tech_note7
1297 // Pack the input values into a struct compatible with NSS ASN.1 encoding, and
1298 // set up an ASN.1 encoder template for it.
1299 struct RsaPublicKeyData {
1303 const RsaPublicKeyData pubkey_in = {
1304 {siUnsignedInteger, const_cast<unsigned char*>(modulus_data.bytes()),
1305 modulus_data.byte_length()},
1306 {siUnsignedInteger, const_cast<unsigned char*>(exponent_data.bytes()),
1307 exponent_data.byte_length()}};
1308 const SEC_ASN1Template rsa_public_key_template[] = {
1309 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(RsaPublicKeyData)},
1310 {SEC_ASN1_INTEGER, offsetof(RsaPublicKeyData, modulus), },
1311 {SEC_ASN1_INTEGER, offsetof(RsaPublicKeyData, exponent), },
1314 // DER-encode the public key.
1315 crypto::ScopedSECItem pubkey_der(
1316 SEC_ASN1EncodeItem(NULL, NULL, &pubkey_in, rsa_public_key_template));
1318 return Status::Error();
1320 // Import the DER-encoded public key to create an RSA SECKEYPublicKey.
1321 crypto::ScopedSECKEYPublicKey pubkey(
1322 SECKEY_ImportDERPublicKey(pubkey_der.get(), CKK_RSA));
1324 return Status::Error();
1326 blink::WebCryptoKeyAlgorithm key_algorithm;
1327 if (!CreatePublicKeyAlgorithm(algorithm, pubkey.get(), &key_algorithm))
1328 return Status::ErrorUnexpected();
1330 *key = blink::WebCryptoKey::create(new PublicKey(pubkey.Pass()),
1331 blink::WebCryptoKeyTypePublic,
1335 return Status::Success();
1338 Status WrapSymKeyAesKw(SymKey* wrapping_key,
1340 blink::WebArrayBuffer* buffer) {
1341 // The data size must be at least 16 bytes and a multiple of 8 bytes.
1342 // RFC 3394 does not specify a maximum allowed data length, but since only
1343 // keys are being wrapped in this application (which are small), a reasonable
1344 // max limit is whatever will fit into an unsigned. For the max size test,
1345 // note that AES Key Wrap always adds 8 bytes to the input data size.
1346 const unsigned int input_length = PK11_GetKeyLength(key->key());
1347 if (input_length < 16)
1348 return Status::ErrorDataTooSmall();
1349 if (input_length > UINT_MAX - 8)
1350 return Status::ErrorDataTooLarge();
1351 if (input_length % 8)
1352 return Status::ErrorInvalidAesKwDataLength();
1354 SECItem iv_item = MakeSECItemForBuffer(CryptoData(kAesIv, sizeof(kAesIv)));
1355 crypto::ScopedSECItem param_item(
1356 PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP, &iv_item));
1358 return Status::ErrorUnexpected();
1360 const unsigned int output_length = input_length + 8;
1361 *buffer = blink::WebArrayBuffer::create(output_length, 1);
1362 SECItem wrapped_key_item = MakeSECItemForBuffer(CryptoData(*buffer));
1364 if (SECSuccess != PK11_WrapSymKey(CKM_NSS_AES_KEY_WRAP,
1366 wrapping_key->key(),
1368 &wrapped_key_item)) {
1369 return Status::Error();
1371 if (output_length != wrapped_key_item.len)
1372 return Status::ErrorUnexpected();
1374 return Status::Success();
1377 Status UnwrapSymKeyAesKw(const CryptoData& wrapped_key_data,
1378 SymKey* wrapping_key,
1379 const blink::WebCryptoAlgorithm& algorithm,
1381 blink::WebCryptoKeyUsageMask usage_mask,
1382 blink::WebCryptoKey* key) {
1383 // Determine the proper NSS key properties from the input algorithm.
1384 CK_MECHANISM_TYPE mechanism;
1387 WebCryptoAlgorithmToNssMechFlags(algorithm, &mechanism, &flags);
1388 if (status.IsError())
1391 crypto::ScopedPK11SymKey unwrapped_key;
1392 status = DoUnwrapSymKeyAesKw(
1393 wrapped_key_data, wrapping_key, mechanism, flags, &unwrapped_key);
1394 if (status.IsError())
1397 blink::WebCryptoKeyAlgorithm key_algorithm;
1398 if (!CreateSecretKeyAlgorithm(
1399 algorithm, PK11_GetKeyLength(unwrapped_key.get()), &key_algorithm))
1400 return Status::ErrorUnexpected();
1402 *key = blink::WebCryptoKey::create(new SymKey(unwrapped_key.Pass()),
1403 blink::WebCryptoKeyTypeSecret,
1407 return Status::Success();
1410 Status DecryptAesKw(SymKey* wrapping_key,
1411 const CryptoData& data,
1412 blink::WebArrayBuffer* buffer) {
1413 // Due to limitations in the NSS API for the AES-KW algorithm, |data| must be
1414 // temporarily viewed as a symmetric key to be unwrapped (decrypted).
1415 crypto::ScopedPK11SymKey decrypted;
1416 Status status = DoUnwrapSymKeyAesKw(
1417 data, wrapping_key, CKK_GENERIC_SECRET, CKA_ENCRYPT, &decrypted);
1418 if (status.IsError())
1421 // Once the decrypt is complete, extract the resultant raw bytes from NSS and
1422 // return them to the caller.
1423 if (PK11_ExtractKeyValue(decrypted.get()) != SECSuccess)
1424 return Status::Error();
1425 const SECItem* const key_data = PK11_GetKeyData(decrypted.get());
1427 return Status::Error();
1428 *buffer = webcrypto::CreateArrayBuffer(key_data->data, key_data->len);
1430 return Status::Success();
1433 Status WrapSymKeyRsaEs(PublicKey* wrapping_key,
1435 blink::WebArrayBuffer* buffer) {
1436 // Check the raw length of the key to be wrapped against the max size allowed
1437 // by the RSA wrapping key. With PKCS#1 v1.5 padding used in this function,
1438 // the maximum data length that can be encrypted is the wrapping_key's modulus
1439 // byte length minus eleven bytes.
1440 const unsigned int input_length_bytes = PK11_GetKeyLength(key->key());
1441 const unsigned int modulus_length_bytes =
1442 SECKEY_PublicKeyStrength(wrapping_key->key());
1443 if (modulus_length_bytes < 11 ||
1444 modulus_length_bytes - 11 < input_length_bytes)
1445 return Status::ErrorDataTooLarge();
1447 *buffer = blink::WebArrayBuffer::create(modulus_length_bytes, 1);
1448 SECItem wrapped_key_item = MakeSECItemForBuffer(CryptoData(*buffer));
1452 CKM_RSA_PKCS, wrapping_key->key(), key->key(), &wrapped_key_item)) {
1453 return Status::Error();
1455 if (wrapped_key_item.len != modulus_length_bytes)
1456 return Status::ErrorUnexpected();
1458 return Status::Success();
1461 Status UnwrapSymKeyRsaEs(const CryptoData& wrapped_key_data,
1462 PrivateKey* wrapping_key,
1463 const blink::WebCryptoAlgorithm& algorithm,
1465 blink::WebCryptoKeyUsageMask usage_mask,
1466 blink::WebCryptoKey* key) {
1468 // Verify wrapped_key_data size does not exceed the modulus of the RSA key.
1469 const int modulus_length_bytes =
1470 PK11_GetPrivateModulusLen(wrapping_key->key());
1471 if (modulus_length_bytes <= 0)
1472 return Status::ErrorUnexpected();
1473 if (wrapped_key_data.byte_length() >
1474 static_cast<unsigned int>(modulus_length_bytes))
1475 return Status::ErrorDataTooLarge();
1477 // Determine the proper NSS key properties from the input algorithm.
1478 CK_MECHANISM_TYPE mechanism;
1481 WebCryptoAlgorithmToNssMechFlags(algorithm, &mechanism, &flags);
1482 if (status.IsError())
1485 SECItem wrapped_key_item = MakeSECItemForBuffer(wrapped_key_data);
1487 crypto::ScopedPK11SymKey unwrapped_key(
1488 PK11_PubUnwrapSymKeyWithFlagsPerm(wrapping_key->key(),
1496 return Status::Error();
1498 const unsigned int key_length = PK11_GetKeyLength(unwrapped_key.get());
1500 blink::WebCryptoKeyAlgorithm key_algorithm;
1501 if (!CreateSecretKeyAlgorithm(algorithm, key_length, &key_algorithm))
1502 return Status::ErrorUnexpected();
1504 *key = blink::WebCryptoKey::create(new SymKey(unwrapped_key.Pass()),
1505 blink::WebCryptoKeyTypeSecret,
1509 return Status::Success();
1512 } // namespace platform
1514 } // namespace webcrypto
1516 } // namespace content