#include "base/strings/string_piece.h"
#include "base/values.h"
#include "content/common/content_export.h"
-#include "third_party/WebKit/public/platform/WebArrayBuffer.h"
#include "third_party/WebKit/public/platform/WebCrypto.h"
-#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
namespace content {
class CryptoData;
class Status;
+// Helper class for parsing a JWK from JSON.
+//
+// This primarily exists to ensure strict enforcement of the JWK schema, as the
+// type and presence of particular members is security relevant. For example,
+// GetString() will ensure a given JSON member is present and is a string type,
+// and will fail if these conditions aren't met.
+//
+// Users of JwkReader must call Init() successfully before any other method can
+// be called.
+class JwkReader {
+ public:
+ JwkReader();
+ ~JwkReader();
+
+ // Initializes a JWK reader by parsing the JSON |bytes|. To succeed, the JWK
+ // must:
+ // * Have "kty" matching |expected_kty|
+ // * Have "ext" compatible with |expected_extractable|
+ // * Have usages ("use", "key_ops") compatible with |expected_usages|
+ // * Have an "alg" matching |expected_alg|
+ //
+ // NOTE: If |expected_alg| is empty, then the test on "alg" is skipped.
+ Status Init(const CryptoData& bytes,
+ bool expected_extractable,
+ blink::WebCryptoKeyUsageMask expected_usages,
+ const std::string& expected_kty,
+ const std::string& expected_alg);
+
+ // Returns true if the member |member_name| is present.
+ bool HasMember(const std::string& member_name) const;
+
+ // Extracts the required string member |member_name| and saves the result to
+ // |*result|. If the member does not exist or is not a string, returns an
+ // error.
+ Status GetString(const std::string& member_name, std::string* result) const;
+
+ // Extracts the optional string member |member_name| and saves the result to
+ // |*result| if it was found. If the member exists and is not a string,
+ // returns an error. Otherwise returns success, and sets |*member_exists| if
+ // it was found.
+ Status GetOptionalString(const std::string& member_name,
+ std::string* result,
+ bool* member_exists) const;
+
+ // Extracts the optional array member |member_name| and saves the result to
+ // |*result| if it was found. If the member exists and is not an array,
+ // returns an error. Otherwise returns success, and sets |*member_exists| if
+ // it was found.
+ //
+ // NOTE: |*result| is owned by the JwkReader.
+ Status GetOptionalList(const std::string& member_name,
+ base::ListValue** result,
+ bool* member_exists) const;
+
+ // Extracts the required string member |member_name| and saves the
+ // base64url-decoded bytes to |*result|. If the member does not exist or is
+ // not a string, or could not be base64url-decoded, returns an error.
+ Status GetBytes(const std::string& member_name, std::string* result) const;
+
+ // Extracts the required base64url member, which is interpreted as being a
+ // big-endian unsigned integer.
+ //
+ // Sequences that contain leading zeros will be rejected.
+ Status GetBigInteger(const std::string& member_name,
+ std::string* result) const;
+
+ // Extracts the optional boolean member |member_name| and saves the result to
+ // |*result| if it was found. If the member exists and is not a boolean,
+ // returns an error. Otherwise returns success, and sets |*member_exists| if
+ // it was found.
+ Status GetOptionalBool(const std::string& member_name,
+ bool* result,
+ bool* member_exists) const;
+
+ // Gets the optional algorithm ("alg") string.
+ Status GetAlg(std::string* alg, bool* has_alg) const;
+
+ // Checks if the "alg" member matches |expected_alg|.
+ Status VerifyAlg(const std::string& expected_alg) const;
+
+ private:
+ scoped_ptr<base::DictionaryValue> dict_;
+};
+
+// Helper class for building the JSON for a JWK.
+class JwkWriter {
+ public:
+ // Initializes a writer, and sets the standard JWK members as indicated.
+ JwkWriter(const std::string& algorithm,
+ bool extractable,
+ blink::WebCryptoKeyUsageMask usages,
+ const std::string& kty);
+
+ // Sets a string member |member_name| to |value|.
+ void SetString(const std::string& member_name, const std::string& value);
+
+ // Sets a bytes member |value| to |value| by base64 url-safe encoding it.
+ void SetBytes(const std::string& member_name, const CryptoData& value);
+
+ // Flattens the JWK to JSON (UTF-8 encoded if necessary, however in practice
+ // it will be ASCII).
+ void ToJson(std::vector<uint8_t>* utf8_bytes) const;
+
+ private:
+ base::DictionaryValue dict_;
+};
+
// Writes a JWK-formatted symmetric key to |jwk_key_data|.
// * raw_key_data: The actual key data
// * algorithm: The JWK algorithm name (i.e. "alg")
// * extractable: The JWK extractability (i.e. "ext")
-// * usage_mask: The JWK usages (i.e. "key_ops")
+// * usages: The JWK usages (i.e. "key_ops")
void WriteSecretKeyJwk(const CryptoData& raw_key_data,
const std::string& algorithm,
bool extractable,
- blink::WebCryptoKeyUsageMask usage_mask,
+ blink::WebCryptoKeyUsageMask usages,
std::vector<uint8_t>* jwk_key_data);
// Parses a UTF-8 encoded JWK (key_data), and extracts the key material to
// |*raw_key_data|. Returns Status::Success() on success, otherwise an error.
// In order for this to succeed:
-// * expected_algorithm must match the JWK's "alg", if present.
+// * expected_alg must match the JWK's "alg", if present.
// * expected_extractable must be consistent with the JWK's "ext", if
// present.
-// * expected_usage_mask must be a subset of the JWK's "key_ops" if present.
+// * expected_usages must be a subset of the JWK's "key_ops" if present.
Status ReadSecretKeyJwk(const CryptoData& key_data,
- const std::string& expected_algorithm,
+ const std::string& expected_alg,
bool expected_extractable,
- blink::WebCryptoKeyUsageMask expected_usage_mask,
+ blink::WebCryptoKeyUsageMask expected_usages,
std::vector<uint8_t>* raw_key_data);
// Creates an AES algorithm name for the given key size (in bytes). For
unsigned int keylen_bytes);
// This is very similar to ReadSecretKeyJwk(), except instead of specifying an
-// absolut "expected_algorithm", the suffix for an AES algorithm name is given
+// absolute "expected_alg", the suffix for an AES algorithm name is given
// (See MakeJwkAesAlgorithmName() for an explanation of what the suffix is).
//
// This is because the algorithm name for AES keys is dependent on the length
Status ReadAesSecretKeyJwk(const CryptoData& key_data,
const std::string& algorithm_name_suffix,
bool expected_extractable,
- blink::WebCryptoKeyUsageMask expected_usage_mask,
+ blink::WebCryptoKeyUsageMask expected_usages,
std::vector<uint8_t>* raw_key_data);
// Writes a JWK-formated RSA public key and saves the result to
const CryptoData& e,
const std::string& algorithm,
bool extractable,
- blink::WebCryptoKeyUsageMask usage_mask,
+ blink::WebCryptoKeyUsageMask usages,
std::vector<uint8_t>* jwk_key_data);
// Writes a JWK-formated RSA private key and saves the result to
const CryptoData& qi,
const std::string& algorithm,
bool extractable,
- blink::WebCryptoKeyUsageMask usage_mask,
+ blink::WebCryptoKeyUsageMask usages,
std::vector<uint8_t>* jwk_key_data);
// Describes the RSA components for a parsed key. The names of the properties
// Parses a UTF-8 encoded JWK (key_data), and extracts the RSA components to
// |*result|. Returns Status::Success() on success, otherwise an error.
// In order for this to succeed:
-// * expected_algorithm must match the JWK's "alg", if present.
+// * expected_alg must match the JWK's "alg", if present.
// * expected_extractable must be consistent with the JWK's "ext", if
// present.
-// * expected_usage_mask must be a subset of the JWK's "key_ops" if present.
+// * expected_usages must be a subset of the JWK's "key_ops" if present.
Status ReadRsaKeyJwk(const CryptoData& key_data,
- const std::string& expected_algorithm,
+ const std::string& expected_alg,
bool expected_extractable,
- blink::WebCryptoKeyUsageMask expected_usage_mask,
+ blink::WebCryptoKeyUsageMask expected_usages,
JwkRsaInfo* result);
const char* GetJwkHmacAlgorithmName(blink::WebCryptoAlgorithmId hash);