1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CONTENT_CHILD_WEBCRYPTO_JWK_H_ 6 #define CONTENT_CHILD_WEBCRYPTO_JWK_H_ 7 8 #include <stdint.h> 9 #include <vector> 10 11 #include "base/strings/string_piece.h" 12 #include "base/values.h" 13 #include "content/common/content_export.h" 14 #include "third_party/WebKit/public/platform/WebArrayBuffer.h" 15 #include "third_party/WebKit/public/platform/WebCrypto.h" 16 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" 17 18 namespace content { 19 20 namespace webcrypto { 21 22 class CryptoData; 23 class Status; 24 25 // Writes a JWK-formatted symmetric key to |jwk_key_data|. 26 // * raw_key_data: The actual key data 27 // * algorithm: The JWK algorithm name (i.e. "alg") 28 // * extractable: The JWK extractability (i.e. "ext") 29 // * usage_mask: The JWK usages (i.e. "key_ops") 30 void WriteSecretKeyJwk(const CryptoData& raw_key_data, 31 const std::string& algorithm, 32 bool extractable, 33 blink::WebCryptoKeyUsageMask usage_mask, 34 std::vector<uint8_t>* jwk_key_data); 35 36 // Parses a UTF-8 encoded JWK (key_data), and extracts the key material to 37 // |*raw_key_data|. Returns Status::Success() on success, otherwise an error. 38 // In order for this to succeed: 39 // * expected_algorithm must match the JWK's "alg", if present. 40 // * expected_extractable must be consistent with the JWK's "ext", if 41 // present. 42 // * expected_usage_mask must be a subset of the JWK's "key_ops" if present. 43 Status ReadSecretKeyJwk(const CryptoData& key_data, 44 const std::string& expected_algorithm, 45 bool expected_extractable, 46 blink::WebCryptoKeyUsageMask expected_usage_mask, 47 std::vector<uint8_t>* raw_key_data); 48 49 // Creates an AES algorithm name for the given key size (in bytes). For 50 // instance "A128CBC" is the result of suffix="CBC", keylen_bytes=16. 51 std::string MakeJwkAesAlgorithmName(const std::string& suffix, 52 unsigned int keylen_bytes); 53 54 // This is very similar to ReadSecretKeyJwk(), except instead of specifying an 55 // absolut "expected_algorithm", the suffix for an AES algorithm name is given 56 // (See MakeJwkAesAlgorithmName() for an explanation of what the suffix is). 57 // 58 // This is because the algorithm name for AES keys is dependent on the length 59 // of the key. This function expects key lengths to be either 128, 192, or 256 60 // bits. 61 Status ReadAesSecretKeyJwk(const CryptoData& key_data, 62 const std::string& algorithm_name_suffix, 63 bool expected_extractable, 64 blink::WebCryptoKeyUsageMask expected_usage_mask, 65 std::vector<uint8_t>* raw_key_data); 66 67 // Writes a JWK-formated RSA public key and saves the result to 68 // |*jwk_key_data|. 69 void WriteRsaPublicKeyJwk(const CryptoData& n, 70 const CryptoData& e, 71 const std::string& algorithm, 72 bool extractable, 73 blink::WebCryptoKeyUsageMask usage_mask, 74 std::vector<uint8_t>* jwk_key_data); 75 76 // Writes a JWK-formated RSA private key and saves the result to 77 // |*jwk_key_data|. 78 void WriteRsaPrivateKeyJwk(const CryptoData& n, 79 const CryptoData& e, 80 const CryptoData& d, 81 const CryptoData& p, 82 const CryptoData& q, 83 const CryptoData& dp, 84 const CryptoData& dq, 85 const CryptoData& qi, 86 const std::string& algorithm, 87 bool extractable, 88 blink::WebCryptoKeyUsageMask usage_mask, 89 std::vector<uint8_t>* jwk_key_data); 90 91 // Describes the RSA components for a parsed key. The names of the properties 92 // correspond with those from the JWK spec. Note that Chromium's WebCrypto 93 // implementation does not support multi-primes, so there is no parsed field 94 // for othinfo. 95 struct JwkRsaInfo { 96 JwkRsaInfo(); 97 ~JwkRsaInfo(); 98 99 bool is_private_key; 100 std::string n; 101 std::string e; 102 std::string d; 103 std::string p; 104 std::string q; 105 std::string dp; 106 std::string dq; 107 std::string qi; 108 }; 109 110 // Parses a UTF-8 encoded JWK (key_data), and extracts the RSA components to 111 // |*result|. Returns Status::Success() on success, otherwise an error. 112 // In order for this to succeed: 113 // * expected_algorithm must match the JWK's "alg", if present. 114 // * expected_extractable must be consistent with the JWK's "ext", if 115 // present. 116 // * expected_usage_mask must be a subset of the JWK's "key_ops" if present. 117 Status ReadRsaKeyJwk(const CryptoData& key_data, 118 const std::string& expected_algorithm, 119 bool expected_extractable, 120 blink::WebCryptoKeyUsageMask expected_usage_mask, 121 JwkRsaInfo* result); 122 123 const char* GetJwkHmacAlgorithmName(blink::WebCryptoAlgorithmId hash); 124 125 // This function decodes unpadded 'base64url' encoded data, as described in 126 // RFC4648 (http://www.ietf.org/rfc/rfc4648.txt) Section 5. 127 CONTENT_EXPORT bool Base64DecodeUrlSafe(const std::string& input, 128 std::string* output); 129 130 // Returns an unpadded 'base64url' encoding of the input data, the opposite of 131 // Base64DecodeUrlSafe() above. 132 CONTENT_EXPORT std::string Base64EncodeUrlSafe(const base::StringPiece& input); 133 CONTENT_EXPORT std::string Base64EncodeUrlSafe( 134 const std::vector<uint8_t>& input); 135 136 } // namespace webcrypto 137 138 } // namespace content 139 140 #endif // CONTENT_CHILD_WEBCRYPTO_JWK_H_ 141