1/*
2 * Copyright (C) 2014 Igalia S.L. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
14 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
15 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
17 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
18 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
19 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
21 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
22 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
23 * THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "config.h"
27#include "CryptoAlgorithmRSA_OAEP.h"
28
29#if ENABLE(WEB_CRYPTO)
30
31#include "CryptoAlgorithmRsaOaepParams.h"
32#include "CryptoKeyRSA.h"
33#include "GCryptUtilities.h"
34#include "NotImplemented.h"
35
36namespace WebCore {
37
38static Optional<Vector<uint8_t>> gcryptEncrypt(CryptoAlgorithmIdentifier hashAlgorithmIdentifier, gcry_sexp_t keySexp, const Vector<uint8_t>& labelVector, const Vector<uint8_t>& plainText, size_t keySizeInBytes)
39{
40 // Embed the plain-text data in a data s-expression using OAEP padding.
41 // Empty label data is properly handled by gcry_sexp_build().
42 PAL::GCrypt::Handle<gcry_sexp_t> dataSexp;
43 {
44 auto shaAlgorithm = hashAlgorithmName(hashAlgorithmIdentifier);
45 if (!shaAlgorithm)
46 return WTF::nullopt;
47
48 gcry_error_t error = gcry_sexp_build(&dataSexp, nullptr, "(data(flags oaep)(hash-algo %s)(label %b)(value %b))",
49 *shaAlgorithm, labelVector.size(), labelVector.data(), plainText.size(), plainText.data());
50 if (error != GPG_ERR_NO_ERROR) {
51 PAL::GCrypt::logError(error);
52 return WTF::nullopt;
53 }
54 }
55
56 // Encrypt data with the provided key. The returned s-expression is of this form:
57 // (enc-val
58 // (flags oaep)
59 // (rsa
60 // (a a-mpi)))
61 PAL::GCrypt::Handle<gcry_sexp_t> cipherSexp;
62 gcry_error_t error = gcry_pk_encrypt(&cipherSexp, dataSexp, keySexp);
63 if (error != GPG_ERR_NO_ERROR) {
64 PAL::GCrypt::logError(error);
65 return WTF::nullopt;
66 }
67
68 // Return MPI data of the embedded a integer.
69 PAL::GCrypt::Handle<gcry_sexp_t> aSexp(gcry_sexp_find_token(cipherSexp, "a", 0));
70 if (!aSexp)
71 return WTF::nullopt;
72
73 return mpiZeroPrefixedData(aSexp, keySizeInBytes);
74}
75
76static Optional<Vector<uint8_t>> gcryptDecrypt(CryptoAlgorithmIdentifier hashAlgorithmIdentifier, gcry_sexp_t keySexp, const Vector<uint8_t>& labelVector, const Vector<uint8_t>& cipherText)
77{
78 // Embed the cipher-text data in an enc-val s-expression using OAEP padding.
79 // Empty label data is properly handled by gcry_sexp_build().
80 PAL::GCrypt::Handle<gcry_sexp_t> encValSexp;
81 {
82 auto shaAlgorithm = hashAlgorithmName(hashAlgorithmIdentifier);
83 if (!shaAlgorithm)
84 return WTF::nullopt;
85
86 gcry_error_t error = gcry_sexp_build(&encValSexp, nullptr, "(enc-val(flags oaep)(hash-algo %s)(label %b)(rsa(a %b)))",
87 *shaAlgorithm, labelVector.size(), labelVector.data(), cipherText.size(), cipherText.data());
88 if (error != GPG_ERR_NO_ERROR) {
89 PAL::GCrypt::logError(error);
90 return WTF::nullopt;
91 }
92 }
93
94 // Decrypt data with the provided key. The returned s-expression is of this form:
95 // (data
96 // (flags oaep)
97 // (value block))
98 PAL::GCrypt::Handle<gcry_sexp_t> plainSexp;
99 gcry_error_t error = gcry_pk_decrypt(&plainSexp, encValSexp, keySexp);
100 if (error != GPG_ERR_NO_ERROR) {
101 PAL::GCrypt::logError(error);
102 return WTF::nullopt;
103 }
104
105 // Return MPI data of the embedded value integer.
106 PAL::GCrypt::Handle<gcry_sexp_t> valueSexp(gcry_sexp_find_token(plainSexp, "value", 0));
107 if (!valueSexp)
108 return WTF::nullopt;
109
110 return mpiData(valueSexp);
111}
112
113ExceptionOr<Vector<uint8_t>> CryptoAlgorithmRSA_OAEP::platformEncrypt(const CryptoAlgorithmRsaOaepParams& parameters, const CryptoKeyRSA& key, const Vector<uint8_t>& plainText)
114{
115 RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!(key.keySizeInBits() % 8));
116 auto output = gcryptEncrypt(key.hashAlgorithmIdentifier(), key.platformKey(), parameters.labelVector(), plainText, key.keySizeInBits() / 8);
117 if (!output)
118 return Exception { OperationError };
119 return WTFMove(*output);
120}
121
122ExceptionOr<Vector<uint8_t>> CryptoAlgorithmRSA_OAEP::platformDecrypt(const CryptoAlgorithmRsaOaepParams& parameters, const CryptoKeyRSA& key, const Vector<uint8_t>& cipherText)
123{
124 auto output = gcryptDecrypt(key.hashAlgorithmIdentifier(), key.platformKey(), parameters.labelVector(), cipherText);
125 if (!output)
126 return Exception { OperationError };
127 return WTFMove(*output);
128}
129
130} // namespace WebCore
131
132#endif // ENABLE(WEB_CRYPTO)
133