/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ use std::num::NonZero; use std::ptr; use std::rc::Rc; use aes::cipher::block_padding::Pkcs7; use aes::cipher::generic_array::GenericArray; use aes::cipher::{BlockDecryptMut, BlockEncryptMut, KeyIvInit, StreamCipher}; use aes::{Aes128, Aes192, Aes256}; use base64::prelude::*; use dom_struct::dom_struct; use js::conversions::ConversionResult; use js::jsapi::{JSObject, JS_NewObject}; use js::jsval::ObjectValue; use js::rust::MutableHandleObject; use js::typedarray::ArrayBufferU8; use ring::{digest, hkdf, hmac, pbkdf2}; use servo_rand::{RngCore, ServoRng}; use crate::dom::bindings::buffer_source::create_buffer_source; use crate::dom::bindings::cell::DomRefCell; use crate::dom::bindings::codegen::Bindings::CryptoKeyBinding::{ CryptoKeyMethods, KeyType, KeyUsage, }; use crate::dom::bindings::codegen::Bindings::SubtleCryptoBinding::{ AesCbcParams, AesCtrParams, AesDerivedKeyParams, AesKeyAlgorithm, AesKeyGenParams, Algorithm, AlgorithmIdentifier, HkdfParams, HmacImportParams, HmacKeyAlgorithm, HmacKeyGenParams, JsonWebKey, KeyAlgorithm, KeyFormat, Pbkdf2Params, SubtleCryptoMethods, }; use crate::dom::bindings::codegen::UnionTypes::{ ArrayBufferViewOrArrayBuffer, ArrayBufferViewOrArrayBufferOrJsonWebKey, }; use crate::dom::bindings::error::{Error, Fallible}; use crate::dom::bindings::import::module::SafeJSContext; use crate::dom::bindings::inheritance::Castable; use crate::dom::bindings::refcounted::{Trusted, TrustedPromise}; use crate::dom::bindings::reflector::{reflect_dom_object, DomObject, Reflector}; use crate::dom::bindings::root::DomRoot; use crate::dom::bindings::str::DOMString; use crate::dom::bindings::trace::RootedTraceableBox; use crate::dom::cryptokey::{CryptoKey, Handle}; use crate::dom::globalscope::GlobalScope; use crate::dom::promise::Promise; use crate::dom::window::Window; use crate::dom::workerglobalscope::WorkerGlobalScope; use crate::realms::InRealm; use crate::script_runtime::{CanGc, JSContext}; use crate::task::TaskCanceller; use crate::task_source::dom_manipulation::DOMManipulationTaskSource; use crate::task_source::TaskSource; // String constants for algorithms/curves const ALG_AES_CBC: &str = "AES-CBC"; const ALG_AES_CTR: &str = "AES-CTR"; const ALG_AES_GCM: &str = "AES-GCM"; const ALG_AES_KW: &str = "AES-KW"; const ALG_SHA1: &str = "SHA-1"; const ALG_SHA256: &str = "SHA-256"; const ALG_SHA384: &str = "SHA-384"; const ALG_SHA512: &str = "SHA-512"; const ALG_HMAC: &str = "HMAC"; const ALG_HKDF: &str = "HKDF"; const ALG_PBKDF2: &str = "PBKDF2"; const ALG_RSASSA_PKCS1: &str = "RSASSA-PKCS1-v1_5"; const ALG_RSA_OAEP: &str = "RSA-OAEP"; const ALG_RSA_PSS: &str = "RSA-PSS"; const ALG_ECDH: &str = "ECDH"; const ALG_ECDSA: &str = "ECDSA"; #[allow(dead_code)] static SUPPORTED_ALGORITHMS: &[&str] = &[ ALG_AES_CBC, ALG_AES_CTR, ALG_AES_GCM, ALG_AES_KW, ALG_SHA1, ALG_SHA256, ALG_SHA384, ALG_SHA512, ALG_HMAC, ALG_HKDF, ALG_PBKDF2, ALG_RSASSA_PKCS1, ALG_RSA_OAEP, ALG_RSA_PSS, ALG_ECDH, ALG_ECDSA, ]; const NAMED_CURVE_P256: &str = "P-256"; const NAMED_CURVE_P384: &str = "P-384"; const NAMED_CURVE_P521: &str = "P-521"; #[allow(dead_code)] static SUPPORTED_CURVES: &[&str] = &[NAMED_CURVE_P256, NAMED_CURVE_P384, NAMED_CURVE_P521]; type Aes128CbcEnc = cbc::Encryptor; type Aes128CbcDec = cbc::Decryptor; type Aes192CbcEnc = cbc::Encryptor; type Aes192CbcDec = cbc::Decryptor; type Aes256CbcEnc = cbc::Encryptor; type Aes256CbcDec = cbc::Decryptor; type Aes128Ctr = ctr::Ctr64BE; type Aes192Ctr = ctr::Ctr64BE; type Aes256Ctr = ctr::Ctr64BE; #[dom_struct] pub struct SubtleCrypto { reflector_: Reflector, #[no_trace] rng: DomRefCell, } impl SubtleCrypto { fn new_inherited() -> SubtleCrypto { SubtleCrypto { reflector_: Reflector::new(), rng: DomRefCell::new(ServoRng::default()), } } pub(crate) fn new(global: &GlobalScope) -> DomRoot { reflect_dom_object(Box::new(SubtleCrypto::new_inherited()), global) } fn task_source_with_canceller(&self) -> (DOMManipulationTaskSource, TaskCanceller) { if let Some(window) = self.global().downcast::() { window .task_manager() .dom_manipulation_task_source_with_canceller() } else if let Some(worker_global) = self.global().downcast::() { let task_source = worker_global.dom_manipulation_task_source(); let canceller = worker_global.task_canceller(); (task_source, canceller) } else { unreachable!("Couldn't downcast to Window or WorkerGlobalScope!"); } } } impl SubtleCryptoMethods for SubtleCrypto { /// fn Encrypt( &self, cx: JSContext, algorithm: AlgorithmIdentifier, key: &CryptoKey, data: ArrayBufferViewOrArrayBuffer, comp: InRealm, can_gc: CanGc, ) -> Rc { let promise = Promise::new_in_current_realm(comp, can_gc); let normalized_algorithm = match normalize_algorithm_for_encrypt_or_decrypt(cx, &algorithm) { Ok(algorithm) => algorithm, Err(e) => { promise.reject_error(e); return promise; }, }; let data = match data { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; let (task_source, canceller) = self.task_source_with_canceller(); let this = Trusted::new(self); let trusted_promise = TrustedPromise::new(promise.clone()); let trusted_key = Trusted::new(key); let key_alg = key.algorithm(); let valid_usage = key.usages().contains(&KeyUsage::Encrypt); let _ = task_source.queue_with_canceller( task!(encrypt: move || { let subtle = this.root(); let promise = trusted_promise.root(); let key = trusted_key.root(); if !valid_usage || normalized_algorithm.name() != key_alg { promise.reject_error(Error::InvalidAccess); return; } let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut array_buffer_ptr = ptr::null_mut::()); if let Err(e) = normalized_algorithm.encrypt(&subtle, &key, &data, cx, array_buffer_ptr.handle_mut()) { promise.reject_error(e); return; } promise.resolve_native(&*array_buffer_ptr.handle()); }), &canceller, ); promise } /// fn Decrypt( &self, cx: JSContext, algorithm: AlgorithmIdentifier, key: &CryptoKey, data: ArrayBufferViewOrArrayBuffer, comp: InRealm, can_gc: CanGc, ) -> Rc { let promise = Promise::new_in_current_realm(comp, can_gc); let normalized_algorithm = match normalize_algorithm_for_encrypt_or_decrypt(cx, &algorithm) { Ok(algorithm) => algorithm, Err(e) => { promise.reject_error(e); return promise; }, }; let data = match data { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; let (task_source, canceller) = self.task_source_with_canceller(); let this = Trusted::new(self); let trusted_promise = TrustedPromise::new(promise.clone()); let trusted_key = Trusted::new(key); let key_alg = key.algorithm(); let valid_usage = key.usages().contains(&KeyUsage::Decrypt); let _ = task_source.queue_with_canceller( task!(decrypt: move || { let subtle = this.root(); let promise = trusted_promise.root(); let key = trusted_key.root(); let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut array_buffer_ptr = ptr::null_mut::()); if !valid_usage || normalized_algorithm.name() != key_alg { promise.reject_error(Error::InvalidAccess); return; } if let Err(e) = normalized_algorithm.decrypt(&subtle, &key, &data, cx, array_buffer_ptr.handle_mut()) { promise.reject_error(e); return; } promise.resolve_native(&*array_buffer_ptr.handle()); }), &canceller, ); promise } /// fn Sign( &self, cx: SafeJSContext, algorithm: AlgorithmIdentifier, key: &CryptoKey, data: ArrayBufferViewOrArrayBuffer, comp: InRealm, can_gc: CanGc, ) -> Rc { // Step 1. Let algorithm and key be the algorithm and key parameters passed to the sign() method, respectively. // Step 2. Let data be the result of getting a copy of the bytes held by the data parameter passed to // the sign() method. let data = match &data { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; // Step 3. Let normalizedAlgorithm be the result of normalizing an algorithm, with alg set to algorithm and // op set to "sign". let promise = Promise::new_in_current_realm(comp, can_gc); let normalized_algorithm = match normalize_algorithm_for_sign_or_verify(cx, &algorithm) { Ok(algorithm) => algorithm, Err(e) => { // Step 4. If an error occurred, return a Promise rejected with normalizedAlgorithm. promise.reject_error(e); return promise; }, }; // Step 5. Let promise be a new Promise. // NOTE: We did that in preparation of Step 4. // Step 6. Return promise and perform the remaining steps in parallel. let (task_source, canceller) = self.task_source_with_canceller(); let trusted_promise = TrustedPromise::new(promise.clone()); let trusted_key = Trusted::new(key); let _ = task_source.queue_with_canceller( task!(sign: move || { // Step 7. If the following steps or referenced procedures say to throw an error, reject promise // with the returned error and then terminate the algorithm. let promise = trusted_promise.root(); let key = trusted_key.root(); // Step 8. If the name member of normalizedAlgorithm is not equal to the name attribute of the // [[algorithm]] internal slot of key then throw an InvalidAccessError. if normalized_algorithm.name() != key.algorithm() { promise.reject_error(Error::InvalidAccess); return; } // Step 9. If the [[usages]] internal slot of key does not contain an entry that is "sign", // then throw an InvalidAccessError. if !key.usages().contains(&KeyUsage::Sign) { promise.reject_error(Error::InvalidAccess); return; } // Step 10. Let result be the result of performing the sign operation specified by normalizedAlgorithm // using key and algorithm and with data as message. let cx = GlobalScope::get_cx(); let result = match normalized_algorithm.sign(cx, &key, &data) { Ok(signature) => signature, Err(e) => { promise.reject_error(e); return; } }; rooted!(in(*cx) let mut array_buffer_ptr = ptr::null_mut::()); create_buffer_source::(cx, &result, array_buffer_ptr.handle_mut()) .expect("failed to create buffer source for exported key."); // Step 9. Resolve promise with result. promise.resolve_native(&*array_buffer_ptr); }), &canceller, ); promise } /// fn Verify( &self, cx: SafeJSContext, algorithm: AlgorithmIdentifier, key: &CryptoKey, signature: ArrayBufferViewOrArrayBuffer, data: ArrayBufferViewOrArrayBuffer, comp: InRealm, can_gc: CanGc, ) -> Rc { // Step 1. Let algorithm and key be the algorithm and key parameters passed to the verify() method, // respectively. // Step 2. Let signature be the result of getting a copy of the bytes held by the signature parameter passed // to the verify() method. let signature = match &signature { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; // Step 3. Let data be the result of getting a copy of the bytes held by the data parameter passed to the // verify() method. let data = match &data { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; // Step 4. Let normalizedAlgorithm be the result of normalizing an algorithm, with alg set to // algorithm and op set to "verify". let promise = Promise::new_in_current_realm(comp, can_gc); let normalized_algorithm = match normalize_algorithm_for_sign_or_verify(cx, &algorithm) { Ok(algorithm) => algorithm, Err(e) => { // Step 5. If an error occurred, return a Promise rejected with normalizedAlgorithm. promise.reject_error(e); return promise; }, }; // Step 6. Let promise be a new Promise. // NOTE: We did that in preparation of Step 6. // Step 7. Return promise and perform the remaining steps in parallel. let (task_source, canceller) = self.task_source_with_canceller(); let trusted_promise = TrustedPromise::new(promise.clone()); let trusted_key = Trusted::new(key); let _ = task_source.queue_with_canceller( task!(sign: move || { // Step 8. If the following steps or referenced procedures say to throw an error, reject promise // with the returned error and then terminate the algorithm. let promise = trusted_promise.root(); let key = trusted_key.root(); // Step 9. If the name member of normalizedAlgorithm is not equal to the name attribute of the // [[algorithm]] internal slot of key then throw an InvalidAccessError. if normalized_algorithm.name() != key.algorithm() { promise.reject_error(Error::InvalidAccess); return; } // Step 10. If the [[usages]] internal slot of key does not contain an entry that is "verify", // then throw an InvalidAccessError. if !key.usages().contains(&KeyUsage::Verify) { promise.reject_error(Error::InvalidAccess); return; } // Step 1. Let result be the result of performing the verify operation specified by normalizedAlgorithm // using key, algorithm and signature and with data as message. let cx = GlobalScope::get_cx(); let result = match normalized_algorithm.verify(cx, &key, &data, &signature) { Ok(result) => result, Err(e) => { promise.reject_error(e); return; } }; // Step 9. Resolve promise with result. promise.resolve_native(&result); }), &canceller, ); promise } /// fn Digest( &self, cx: SafeJSContext, algorithm: AlgorithmIdentifier, data: ArrayBufferViewOrArrayBuffer, comp: InRealm, can_gc: CanGc, ) -> Rc { // Step 1. Let algorithm be the algorithm parameter passed to the digest() method. // Step 2. Let data be the result of getting a copy of the bytes held by the // data parameter passed to the digest() method. let data = match data { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; // Step 3. Let normalizedAlgorithm be the result of normalizing an algorithm, // with alg set to algorithm and op set to "digest". let promise = Promise::new_in_current_realm(comp, can_gc); let normalized_algorithm = match normalize_algorithm_for_digest(cx, &algorithm) { Ok(normalized_algorithm) => normalized_algorithm, Err(e) => { // Step 4. If an error occurred, return a Promise rejected with normalizedAlgorithm. promise.reject_error(e); return promise; }, }; // Step 5. Let promise be a new Promise. // NOTE: We did that in preparation of Step 4. // Step 6. Return promise and perform the remaining steps in parallel. let (task_source, canceller) = self.task_source_with_canceller(); let trusted_promise = TrustedPromise::new(promise.clone()); let _ = task_source.queue_with_canceller( task!(generate_key: move || { // Step 7. If the following steps or referenced procedures say to throw an error, reject promise // with the returned error and then terminate the algorithm. let promise = trusted_promise.root(); // Step 8. Let result be the result of performing the digest operation specified by // normalizedAlgorithm using algorithm, with data as message. let digest = match normalized_algorithm.digest(&data) { Ok(digest) => digest, Err(e) => { promise.reject_error(e); return; } }; let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut array_buffer_ptr = ptr::null_mut::()); create_buffer_source::(cx, digest.as_ref(), array_buffer_ptr.handle_mut()) .expect("failed to create buffer source for exported key."); // Step 9. Resolve promise with result. promise.resolve_native(&*array_buffer_ptr); }), &canceller, ); promise } /// fn GenerateKey( &self, cx: JSContext, algorithm: AlgorithmIdentifier, extractable: bool, key_usages: Vec, comp: InRealm, can_gc: CanGc, ) -> Rc { let promise = Promise::new_in_current_realm(comp, can_gc); let normalized_algorithm = match normalize_algorithm_for_generate_key(cx, &algorithm) { Ok(algorithm) => algorithm, Err(e) => { promise.reject_error(e); return promise; }, }; let (task_source, canceller) = self.task_source_with_canceller(); let this = Trusted::new(self); let trusted_promise = TrustedPromise::new(promise.clone()); let _ = task_source.queue_with_canceller( task!(generate_key: move || { let subtle = this.root(); let promise = trusted_promise.root(); let key = normalized_algorithm.generate_key(&subtle, key_usages, extractable); match key { Ok(key) => promise.resolve_native(&key), Err(e) => promise.reject_error(e), } }), &canceller, ); promise } /// fn DeriveKey( &self, cx: SafeJSContext, algorithm: AlgorithmIdentifier, base_key: &CryptoKey, derived_key_type: AlgorithmIdentifier, extractable: bool, key_usages: Vec, comp: InRealm, can_gc: CanGc, ) -> Rc { // Step 1. Let algorithm, baseKey, derivedKeyType, extractable and usages be the algorithm, baseKey, // derivedKeyType, extractable and keyUsages parameters passed to the deriveKey() method, respectively. // Step 2. Let normalizedAlgorithm be the result of normalizing an algorithm, with alg set to algorithm // and op set to "deriveBits". let promise = Promise::new_in_current_realm(comp, can_gc); let normalized_algorithm = match normalize_algorithm_for_derive_bits(cx, &algorithm) { Ok(algorithm) => algorithm, Err(e) => { // Step 3. If an error occurred, return a Promise rejected with normalizedAlgorithm. promise.reject_error(e); return promise; }, }; // Step 4. Let normalizedDerivedKeyAlgorithmImport be the result of normalizing an algorithm, // with alg set to derivedKeyType and op set to "importKey". let normalized_derived_key_algorithm_import = match normalize_algorithm_for_import_key(cx, &derived_key_type) { Ok(algorithm) => algorithm, Err(e) => { // Step 5. If an error occurred, return a Promise rejected with normalizedDerivedKeyAlgorithmImport. promise.reject_error(e); return promise; }, }; // Step 6. Let normalizedDerivedKeyAlgorithmLength be the result of normalizing an algorithm, with alg set // to derivedKeyType and op set to "get key length". let normalized_derived_key_algorithm_length = match normalize_algorithm_for_get_key_length(cx, &derived_key_type) { Ok(algorithm) => algorithm, Err(e) => { // Step 7. If an error occurred, return a Promise rejected with normalizedDerivedKeyAlgorithmLength. promise.reject_error(e); return promise; }, }; // Step 8. Let promise be a new Promise. // NOTE: We created the promise earlier, after Step 1. // Step 9. Return promise and perform the remaining steps in parallel. let (task_source, canceller) = self.task_source_with_canceller(); let trusted_promise = TrustedPromise::new(promise.clone()); let trusted_base_key = Trusted::new(base_key); let this = Trusted::new(self); let _ = task_source.queue_with_canceller( task!(derive_key: move || { // Step 10. If the following steps or referenced procedures say to throw an error, reject promise // with the returned error and then terminate the algorithm. // TODO Step 11. If the name member of normalizedAlgorithm is not equal to the name attribute of the # // [[algorithm]] internal slot of baseKey then throw an InvalidAccessError. let promise = trusted_promise.root(); let base_key = trusted_base_key.root(); let subtle = this.root(); // Step 12. If the [[usages]] internal slot of baseKey does not contain an entry that is // "deriveKey", then throw an InvalidAccessError. if !base_key.usages().contains(&KeyUsage::DeriveKey) { promise.reject_error(Error::InvalidAccess); return; } // Step 13. Let length be the result of performing the get key length algorithm specified by // normalizedDerivedKeyAlgorithmLength using derivedKeyType. let length = match normalized_derived_key_algorithm_length.get_key_length() { Ok(length) => length, Err(e) => { promise.reject_error(e); return; } }; // Step 14. Let secret be the result of performing the derive bits operation specified by // normalizedAlgorithm using key, algorithm and length. let secret = match normalized_algorithm.derive_bits(&base_key, Some(length)){ Ok(secret) => secret, Err(e) => { promise.reject_error(e); return; } }; // Step 15. Let result be the result of performing the import key operation specified by // normalizedDerivedKeyAlgorithmImport using "raw" as format, secret as keyData, derivedKeyType as // algorithm and using extractable and usages. let result = normalized_derived_key_algorithm_import.import_key( &subtle, KeyFormat::Raw, &secret, extractable, key_usages ); let result = match result { Ok(key) => key, Err(e) => { promise.reject_error(e); return; } }; // Step 17. If the [[type]] internal slot of result is "secret" or "private" and usages // is empty, then throw a SyntaxError. if matches!(result.Type(), KeyType::Secret | KeyType::Private) && result.usages().is_empty() { promise.reject_error(Error::Syntax); return; } // Step 17. Resolve promise with result. promise.resolve_native(&*result); }), &canceller, ); promise } /// fn DeriveBits( &self, cx: SafeJSContext, algorithm: AlgorithmIdentifier, base_key: &CryptoKey, length: Option, comp: InRealm, can_gc: CanGc, ) -> Rc { // Step 1. Let algorithm, baseKey and length, be the algorithm, baseKey and // length parameters passed to the deriveBits() method, respectively. // Step 2. Let normalizedAlgorithm be the result of normalizing an algorithm, // with alg set to algorithm and op set to "deriveBits". let promise = Promise::new_in_current_realm(comp, can_gc); let normalized_algorithm = match normalize_algorithm_for_derive_bits(cx, &algorithm) { Ok(algorithm) => algorithm, Err(e) => { // Step 3. If an error occurred, return a Promise rejected with normalizedAlgorithm. promise.reject_error(e); return promise; }, }; // Step 4. Let promise be a new Promise object. // NOTE: We did that in preparation of Step 3. // Step 5. Return promise and perform the remaining steps in parallel. let (task_source, canceller) = self.task_source_with_canceller(); let trusted_promise = TrustedPromise::new(promise.clone()); let trusted_base_key = Trusted::new(base_key); let _ = task_source.queue_with_canceller( task!(import_key: move || { // Step 6. If the following steps or referenced procedures say to throw an error, // reject promise with the returned error and then terminate the algorithm. // TODO Step 7. If the name member of normalizedAlgorithm is not equal to the name attribute // of the [[algorithm]] internal slot of baseKey then throw an InvalidAccessError. let promise = trusted_promise.root(); let base_key = trusted_base_key.root(); // Step 8. If the [[usages]] internal slot of baseKey does not contain an entry that // is "deriveBits", then throw an InvalidAccessError. if !base_key.usages().contains(&KeyUsage::DeriveBits) { promise.reject_error(Error::InvalidAccess); return; } // Step 9. Let result be the result of creating an ArrayBuffer containing the result of performing the // derive bits operation specified by normalizedAlgorithm using baseKey, algorithm and length. let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut array_buffer_ptr = ptr::null_mut::()); let result = match normalized_algorithm.derive_bits(&base_key, length) { Ok(derived_bits) => derived_bits, Err(e) => { promise.reject_error(e); return; } }; create_buffer_source::(cx, &result, array_buffer_ptr.handle_mut()) .expect("failed to create buffer source for derived bits."); // Step 10. Resolve promise with result. promise.resolve_native(&*array_buffer_ptr); }), &canceller, ); promise } /// fn ImportKey( &self, cx: JSContext, format: KeyFormat, key_data: ArrayBufferViewOrArrayBufferOrJsonWebKey, algorithm: AlgorithmIdentifier, extractable: bool, key_usages: Vec, comp: InRealm, can_gc: CanGc, ) -> Rc { let promise = Promise::new_in_current_realm(comp, can_gc); let normalized_algorithm = match normalize_algorithm_for_import_key(cx, &algorithm) { Ok(algorithm) => algorithm, Err(e) => { promise.reject_error(e); return promise; }, }; // TODO: Figure out a way to Send this data so per-algorithm JWK checks can happen let data = match key_data { ArrayBufferViewOrArrayBufferOrJsonWebKey::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBufferOrJsonWebKey::JsonWebKey(json_web_key) => { if let Some(mut data_string) = json_web_key.k { while data_string.len() % 4 != 0 { data_string.push_str("="); } match BASE64_STANDARD.decode(data_string.to_string()) { Ok(data) => data, Err(_) => { promise.reject_error(Error::Syntax); return promise; }, } } else { promise.reject_error(Error::Syntax); return promise; } }, ArrayBufferViewOrArrayBufferOrJsonWebKey::ArrayBuffer(array_buffer) => { array_buffer.to_vec() }, }; let (task_source, canceller) = self.task_source_with_canceller(); let this = Trusted::new(self); let trusted_promise = TrustedPromise::new(promise.clone()); let _ = task_source.queue_with_canceller( task!(import_key: move || { let subtle = this.root(); let promise = trusted_promise.root(); let imported_key = normalized_algorithm.import_key(&subtle, format, &data, extractable, key_usages); match imported_key { Ok(k) => promise.resolve_native(&k), Err(e) => promise.reject_error(e), }; }), &canceller, ); promise } /// fn ExportKey( &self, format: KeyFormat, key: &CryptoKey, comp: InRealm, can_gc: CanGc, ) -> Rc { let promise = Promise::new_in_current_realm(comp, can_gc); let (task_source, canceller) = self.task_source_with_canceller(); let this = Trusted::new(self); let trusted_key = Trusted::new(key); let trusted_promise = TrustedPromise::new(promise.clone()); let _ = task_source.queue_with_canceller( task!(export_key: move || { let subtle = this.root(); let promise = trusted_promise.root(); let key = trusted_key.root(); let alg_name = key.algorithm(); if matches!( alg_name.as_str(), ALG_SHA1 | ALG_SHA256 | ALG_SHA384 | ALG_SHA512 | ALG_HKDF | ALG_PBKDF2 ) { promise.reject_error(Error::NotSupported); return; } if !key.Extractable() { promise.reject_error(Error::InvalidAccess); return; } let exported_key = match alg_name.as_str() { ALG_AES_CBC | ALG_AES_CTR => subtle.export_key_aes(format, &key), _ => Err(Error::NotSupported), }; match exported_key { Ok(k) => { match k { AesExportedKey::Raw(k) => { let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut array_buffer_ptr = ptr::null_mut::()); create_buffer_source::(cx, &k, array_buffer_ptr.handle_mut()) .expect("failed to create buffer source for exported key."); promise.resolve_native(&array_buffer_ptr.get()) }, AesExportedKey::Jwk(k) => { promise.resolve_native(&k) }, } }, Err(e) => promise.reject_error(e), } }), &canceller, ); promise } } // These "subtle" structs are proxies for the codegen'd dicts which don't hold a DOMString // so they can be sent safely when running steps in parallel. #[derive(Clone, Debug)] pub struct SubtleAlgorithm { #[allow(dead_code)] pub name: String, } impl From for SubtleAlgorithm { fn from(name: DOMString) -> Self { SubtleAlgorithm { name: name.to_string(), } } } #[derive(Clone, Debug)] pub struct SubtleAesCbcParams { #[allow(dead_code)] pub name: String, pub iv: Vec, } impl From> for SubtleAesCbcParams { fn from(params: RootedTraceableBox) -> Self { let iv = match ¶ms.iv { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; SubtleAesCbcParams { name: params.parent.name.to_string(), iv, } } } #[derive(Clone, Debug)] pub struct SubtleAesCtrParams { pub name: String, pub counter: Vec, pub length: u8, } impl From> for SubtleAesCtrParams { fn from(params: RootedTraceableBox) -> Self { let counter = match ¶ms.counter { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; SubtleAesCtrParams { name: params.parent.name.to_string(), counter, length: params.length, } } } #[derive(Clone, Debug)] pub struct SubtleAesKeyGenParams { pub name: String, pub length: u16, } impl From for SubtleAesKeyGenParams { fn from(params: AesKeyGenParams) -> Self { SubtleAesKeyGenParams { name: params.parent.name.to_string().to_uppercase(), length: params.length, } } } /// struct SubtleHmacImportParams { /// hash: DigestAlgorithm, /// length: Option, } impl SubtleHmacImportParams { fn new(cx: JSContext, params: RootedTraceableBox) -> Fallible { let hash = normalize_algorithm_for_digest(cx, ¶ms.hash)?; let params = Self { hash, length: params.length, }; Ok(params) } /// fn get_key_length(&self) -> Result { // Step 1. let length = match self.length { // If the length member of normalizedDerivedKeyAlgorithm is not present: None => { // Let length be the block size in bits of the hash function identified by the hash member of // normalizedDerivedKeyAlgorithm. match self.hash { DigestAlgorithm::Sha1 => 160, DigestAlgorithm::Sha256 => 256, DigestAlgorithm::Sha384 => 384, DigestAlgorithm::Sha512 => 512, } }, // Otherwise, if the length member of normalizedDerivedKeyAlgorithm is non-zero: Some(length) if length != 0 => { // Let length be equal to the length member of normalizedDerivedKeyAlgorithm. length }, // Otherwise: _ => { // throw a TypeError. return Err(Error::Type("[[length]] must not be zero".to_string())); }, }; // Step 2. Return length. Ok(length) } } struct SubtleHmacKeyGenParams { /// hash: DigestAlgorithm, /// length: Option, } impl SubtleHmacKeyGenParams { fn new(cx: JSContext, params: RootedTraceableBox) -> Fallible { let hash = normalize_algorithm_for_digest(cx, ¶ms.hash)?; let params = Self { hash, length: params.length, }; Ok(params) } } /// #[derive(Clone, Debug)] pub struct SubtleHkdfParams { /// hash: DigestAlgorithm, /// salt: Vec, /// info: Vec, } impl SubtleHkdfParams { fn new(cx: JSContext, params: RootedTraceableBox) -> Fallible { let hash = normalize_algorithm_for_digest(cx, ¶ms.hash)?; let salt = match ¶ms.salt { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; let info = match ¶ms.info { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; let params = Self { hash, salt, info }; Ok(params) } } /// #[derive(Clone, Debug)] pub struct SubtlePbkdf2Params { /// salt: Vec, /// iterations: u32, /// hash: DigestAlgorithm, } impl SubtlePbkdf2Params { fn new(cx: JSContext, params: RootedTraceableBox) -> Fallible { let salt = match ¶ms.salt { ArrayBufferViewOrArrayBuffer::ArrayBufferView(view) => view.to_vec(), ArrayBufferViewOrArrayBuffer::ArrayBuffer(buffer) => buffer.to_vec(), }; let params = Self { salt, iterations: params.iterations, hash: normalize_algorithm_for_digest(cx, ¶ms.hash)?, }; Ok(params) } } enum GetKeyLengthAlgorithm { Aes(u16), Hmac(SubtleHmacImportParams), } #[derive(Clone, Copy, Debug)] enum DigestAlgorithm { /// Sha1, /// Sha256, /// Sha384, /// Sha512, } /// A normalized algorithm returned by [`normalize_algorithm`] with operation `"importKey"` /// /// [`normalize_algorithm`]: https://w3c.github.io/webcrypto/#algorithm-normalization-normalize-an-algorithm enum ImportKeyAlgorithm { AesCbc, AesCtr, Hmac(SubtleHmacImportParams), Pbkdf2, Hkdf, } /// A normalized algorithm returned by [`normalize_algorithm`] with operation `"deriveBits"` /// /// [`normalize_algorithm`]: https://w3c.github.io/webcrypto/#algorithm-normalization-normalize-an-algorithm enum DeriveBitsAlgorithm { Pbkdf2(SubtlePbkdf2Params), Hkdf(SubtleHkdfParams), } /// A normalized algorithm returned by [`normalize_algorithm`] with operation `"encrypt"` or `"decrypt"` /// /// [`normalize_algorithm`]: https://w3c.github.io/webcrypto/#algorithm-normalization-normalize-an-algorithm enum EncryptionAlgorithm { AesCbc(SubtleAesCbcParams), AesCtr(SubtleAesCtrParams), } /// A normalized algorithm returned by [`normalize_algorithm`] with operation `"sign"` or `"verify"` /// /// [`normalize_algorithm`]: https://w3c.github.io/webcrypto/#algorithm-normalization-normalize-an-algorithm enum SignatureAlgorithm { Hmac, } /// A normalized algorithm returned by [`normalize_algorithm`] with operation `"generateKey"` /// /// [`normalize_algorithm`]: https://w3c.github.io/webcrypto/#algorithm-normalization-normalize-an-algorithm enum KeyGenerationAlgorithm { Aes(SubtleAesKeyGenParams), Hmac(SubtleHmacKeyGenParams), } macro_rules! value_from_js_object { ($t: ty, $cx: ident, $value: ident) => {{ let params_result = <$t>::new($cx, $value.handle()).map_err(|_| Error::JSFailed)?; let ConversionResult::Success(params) = params_result else { return Err(Error::Syntax); }; params }}; } /// with operation `"get key length"` fn normalize_algorithm_for_get_key_length( cx: JSContext, algorithm: &AlgorithmIdentifier, ) -> Result { match algorithm { AlgorithmIdentifier::Object(obj) => { rooted!(in(*cx) let value = ObjectValue(obj.get())); let algorithm = value_from_js_object!(Algorithm, cx, value); let name = algorithm.name.str(); let normalized_algorithm = if name.eq_ignore_ascii_case(ALG_AES_CBC) || name.eq_ignore_ascii_case(ALG_AES_CTR) { let params = value_from_js_object!(AesDerivedKeyParams, cx, value); GetKeyLengthAlgorithm::Aes(params.length) } else if name.eq_ignore_ascii_case(ALG_HMAC) { let params = value_from_js_object!(HmacImportParams, cx, value); let subtle_params = SubtleHmacImportParams::new(cx, params)?; return Ok(GetKeyLengthAlgorithm::Hmac(subtle_params)); } else { return Err(Error::NotSupported); }; Ok(normalized_algorithm) }, AlgorithmIdentifier::String(_) => { // All algorithms that support "get key length" require additional parameters Err(Error::NotSupported) }, } } /// with operation `"digest"` fn normalize_algorithm_for_digest( cx: JSContext, algorithm: &AlgorithmIdentifier, ) -> Result { let name = match algorithm { AlgorithmIdentifier::Object(obj) => { rooted!(in(*cx) let value = ObjectValue(obj.get())); let algorithm = value_from_js_object!(Algorithm, cx, value); algorithm.name.str().to_uppercase() }, AlgorithmIdentifier::String(name) => name.str().to_uppercase(), }; let normalized_algorithm = match name.as_str() { ALG_SHA1 => DigestAlgorithm::Sha1, ALG_SHA256 => DigestAlgorithm::Sha256, ALG_SHA384 => DigestAlgorithm::Sha384, ALG_SHA512 => DigestAlgorithm::Sha512, _ => return Err(Error::NotSupported), }; Ok(normalized_algorithm) } /// with operation `"importKey"` fn normalize_algorithm_for_import_key( cx: JSContext, algorithm: &AlgorithmIdentifier, ) -> Result { let name = match algorithm { AlgorithmIdentifier::Object(obj) => { rooted!(in(*cx) let value = ObjectValue(obj.get())); let algorithm = value_from_js_object!(Algorithm, cx, value); let name = algorithm.name.str().to_uppercase(); if name == ALG_HMAC { let params = value_from_js_object!(HmacImportParams, cx, value); let subtle_params = SubtleHmacImportParams::new(cx, params)?; return Ok(ImportKeyAlgorithm::Hmac(subtle_params)); } name }, AlgorithmIdentifier::String(name) => name.str().to_uppercase(), }; let normalized_algorithm = match name.as_str() { ALG_AES_CBC => ImportKeyAlgorithm::AesCbc, ALG_AES_CTR => ImportKeyAlgorithm::AesCtr, ALG_PBKDF2 => ImportKeyAlgorithm::Pbkdf2, ALG_HKDF => ImportKeyAlgorithm::Hkdf, _ => return Err(Error::NotSupported), }; Ok(normalized_algorithm) } /// with operation `"deriveBits"` fn normalize_algorithm_for_derive_bits( cx: JSContext, algorithm: &AlgorithmIdentifier, ) -> Result { let AlgorithmIdentifier::Object(obj) = algorithm else { // All algorithms that support "deriveBits" require additional parameters return Err(Error::NotSupported); }; rooted!(in(*cx) let value = ObjectValue(obj.get())); let algorithm = value_from_js_object!(Algorithm, cx, value); let normalized_algorithm = if algorithm.name.str().eq_ignore_ascii_case(ALG_PBKDF2) { let params = value_from_js_object!(Pbkdf2Params, cx, value); let subtle_params = SubtlePbkdf2Params::new(cx, params)?; DeriveBitsAlgorithm::Pbkdf2(subtle_params) } else if algorithm.name.str().eq_ignore_ascii_case(ALG_HKDF) { let params = value_from_js_object!(HkdfParams, cx, value); let subtle_params = SubtleHkdfParams::new(cx, params)?; DeriveBitsAlgorithm::Hkdf(subtle_params) } else { return Err(Error::NotSupported); }; Ok(normalized_algorithm) } /// with operation `"deriveBits"` fn normalize_algorithm_for_encrypt_or_decrypt( cx: JSContext, algorithm: &AlgorithmIdentifier, ) -> Result { let AlgorithmIdentifier::Object(obj) = algorithm else { // All algorithms that support "encrypt" or "decrypt" require additional parameters return Err(Error::NotSupported); }; rooted!(in(*cx) let value = ObjectValue(obj.get())); let algorithm = value_from_js_object!(Algorithm, cx, value); let name = algorithm.name.str(); let normalized_algorithm = if name.eq_ignore_ascii_case(ALG_AES_CBC) { let params = value_from_js_object!(AesCbcParams, cx, value); EncryptionAlgorithm::AesCbc(params.into()) } else if name.eq_ignore_ascii_case(ALG_AES_CTR) { let params = value_from_js_object!(AesCtrParams, cx, value); EncryptionAlgorithm::AesCtr(params.into()) } else { return Err(Error::NotSupported); }; Ok(normalized_algorithm) } /// with operation `"sign"` /// or `"verify"` fn normalize_algorithm_for_sign_or_verify( cx: JSContext, algorithm: &AlgorithmIdentifier, ) -> Result { let name = match algorithm { AlgorithmIdentifier::Object(obj) => { rooted!(in(*cx) let value = ObjectValue(obj.get())); let algorithm = value_from_js_object!(Algorithm, cx, value); algorithm.name.str().to_uppercase() }, AlgorithmIdentifier::String(name) => name.str().to_uppercase(), }; let normalized_algorithm = match name.as_str() { ALG_HMAC => SignatureAlgorithm::Hmac, _ => return Err(Error::NotSupported), }; Ok(normalized_algorithm) } /// with operation `"generateKey"` fn normalize_algorithm_for_generate_key( cx: JSContext, algorithm: &AlgorithmIdentifier, ) -> Result { let AlgorithmIdentifier::Object(obj) = algorithm else { // All algorithms that support "generateKey" require additional parameters return Err(Error::NotSupported); }; rooted!(in(*cx) let value = ObjectValue(obj.get())); let algorithm = value_from_js_object!(Algorithm, cx, value); let name = algorithm.name.str(); let normalized_algorithm = if name.eq_ignore_ascii_case(ALG_AES_CBC) || name.eq_ignore_ascii_case(ALG_AES_CTR) { let params = value_from_js_object!(AesKeyGenParams, cx, value); KeyGenerationAlgorithm::Aes(params.into()) } else if name.eq_ignore_ascii_case(ALG_HMAC) { let params = value_from_js_object!(HmacKeyGenParams, cx, value); let subtle_params = SubtleHmacKeyGenParams::new(cx, params)?; KeyGenerationAlgorithm::Hmac(subtle_params) } else { return Err(Error::NotSupported); }; Ok(normalized_algorithm) } impl SubtleCrypto { /// fn encrypt_aes_cbc( &self, params: &SubtleAesCbcParams, key: &CryptoKey, data: &[u8], cx: JSContext, handle: MutableHandleObject, ) -> Result<(), Error> { if params.iv.len() != 16 { return Err(Error::Operation); } let plaintext = Vec::from(data); let iv = GenericArray::from_slice(¶ms.iv); let ct = match key.handle() { Handle::Aes128(data) => { let key_data = GenericArray::from_slice(data); Aes128CbcEnc::new(key_data, iv).encrypt_padded_vec_mut::(&plaintext) }, Handle::Aes192(data) => { let key_data = GenericArray::from_slice(data); Aes192CbcEnc::new(key_data, iv).encrypt_padded_vec_mut::(&plaintext) }, Handle::Aes256(data) => { let key_data = GenericArray::from_slice(data); Aes256CbcEnc::new(key_data, iv).encrypt_padded_vec_mut::(&plaintext) }, _ => return Err(Error::Data), }; create_buffer_source::(cx, &ct, handle) .expect("failed to create buffer source for exported key."); Ok(()) } /// fn decrypt_aes_cbc( &self, params: &SubtleAesCbcParams, key: &CryptoKey, data: &[u8], cx: JSContext, handle: MutableHandleObject, ) -> Result<(), Error> { if params.iv.len() != 16 { return Err(Error::Operation); } let mut ciphertext = Vec::from(data); let iv = GenericArray::from_slice(¶ms.iv); let plaintext = match key.handle() { Handle::Aes128(data) => { let key_data = GenericArray::from_slice(data); Aes128CbcDec::new(key_data, iv) .decrypt_padded_mut::(ciphertext.as_mut_slice()) .map_err(|_| Error::Operation)? }, Handle::Aes192(data) => { let key_data = GenericArray::from_slice(data); Aes192CbcDec::new(key_data, iv) .decrypt_padded_mut::(ciphertext.as_mut_slice()) .map_err(|_| Error::Operation)? }, Handle::Aes256(data) => { let key_data = GenericArray::from_slice(data); Aes256CbcDec::new(key_data, iv) .decrypt_padded_mut::(ciphertext.as_mut_slice()) .map_err(|_| Error::Operation)? }, _ => return Err(Error::Data), }; create_buffer_source::(cx, plaintext, handle) .expect("failed to create buffer source for exported key."); Ok(()) } /// fn encrypt_decrypt_aes_ctr( &self, params: &SubtleAesCtrParams, key: &CryptoKey, data: &[u8], cx: JSContext, handle: MutableHandleObject, ) -> Result<(), Error> { if params.counter.len() != 16 || params.length == 0 || params.length > 128 { return Err(Error::Operation); } let mut ciphertext = Vec::from(data); let counter = GenericArray::from_slice(¶ms.counter); match key.handle() { Handle::Aes128(data) => { let key_data = GenericArray::from_slice(data); Aes128Ctr::new(key_data, counter).apply_keystream(&mut ciphertext) }, Handle::Aes192(data) => { let key_data = GenericArray::from_slice(data); Aes192Ctr::new(key_data, counter).apply_keystream(&mut ciphertext) }, Handle::Aes256(data) => { let key_data = GenericArray::from_slice(data); Aes256Ctr::new(key_data, counter).apply_keystream(&mut ciphertext) }, _ => return Err(Error::Data), }; create_buffer_source::(cx, &ciphertext, handle) .expect("failed to create buffer source for exported key."); Ok(()) } /// /// #[allow(unsafe_code)] fn generate_key_aes( &self, usages: Vec, key_gen_params: &SubtleAesKeyGenParams, extractable: bool, ) -> Result, Error> { let mut rand = vec![0; key_gen_params.length as usize]; self.rng.borrow_mut().fill_bytes(&mut rand); let handle = match key_gen_params.length { 128 => Handle::Aes128(rand), 192 => Handle::Aes192(rand), 256 => Handle::Aes256(rand), _ => return Err(Error::Operation), }; if usages.iter().any(|usage| { !matches!( usage, KeyUsage::Encrypt | KeyUsage::Decrypt | KeyUsage::WrapKey | KeyUsage::UnwrapKey ) }) || usages.is_empty() { return Err(Error::Syntax); } let name = match key_gen_params.name.as_str() { ALG_AES_CBC => DOMString::from(ALG_AES_CBC), ALG_AES_CTR => DOMString::from(ALG_AES_CTR), _ => return Err(Error::NotSupported), }; let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut algorithm_object = unsafe {JS_NewObject(*cx, ptr::null()) }); assert!(!algorithm_object.is_null()); AesKeyAlgorithm::from_name_and_size( name.clone(), key_gen_params.length, algorithm_object.handle_mut(), cx, ); let crypto_key = CryptoKey::new( &self.global(), KeyType::Secret, extractable, name, algorithm_object.handle(), usages, handle, ); Ok(crypto_key) } /// #[allow(unsafe_code)] fn generate_key_hmac( &self, usages: Vec, params: &SubtleHmacKeyGenParams, extractable: bool, ) -> Result, Error> { // Step 1. If usages contains any entry which is not "sign" or "verify", then throw a SyntaxError. if usages .iter() .any(|usage| !matches!(usage, KeyUsage::Sign | KeyUsage::Verify)) { return Err(Error::Syntax); } // Step 2. let length = match params.length { // If the length member of normalizedAlgorithm is not present: None => { // Let length be the block size in bits of the hash function identified by the // hash member of normalizedAlgorithm. params.hash.block_size_in_bits() as u32 }, // Otherwise, if the length member of normalizedAlgorithm is non-zero: Some(length) if length != 0 => { // Let length be equal to the length member of normalizedAlgorithm. length }, // Otherwise: _ => { // throw an OperationError. return Err(Error::Operation); }, }; // Step 3. Generate a key of length length bits. let mut key_data = vec![0; length as usize]; self.rng.borrow_mut().fill_bytes(&mut key_data); // Step 4. If the key generation step fails, then throw an OperationError. // NOTE: Our key generation is infallible. // Step 5. Let key be a new CryptoKey object representing the generated key. // Step 6. Let algorithm be a new HmacKeyAlgorithm. // Step 7. Set the name attribute of algorithm to "HMAC". // Step 8. Let hash be a new KeyAlgorithm. // Step 9. Set the name attribute of hash to equal the name member of the hash member of normalizedAlgorithm. // Step 10. Set the hash attribute of algorithm to hash. // Step 11. Set the [[type]] internal slot of key to "secret". // Step 12. Set the [[algorithm]] internal slot of key to algorithm. // Step 13. Set the [[extractable]] internal slot of key to be extractable. // Step 14. Set the [[usages]] internal slot of key to be usages. let name = DOMString::from(ALG_HMAC); let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut algorithm_object = unsafe {JS_NewObject(*cx, ptr::null()) }); assert!(!algorithm_object.is_null()); HmacKeyAlgorithm::from_length_and_hash( length, params.hash, algorithm_object.handle_mut(), cx, ); let key = CryptoKey::new( &self.global(), KeyType::Secret, extractable, name, algorithm_object.handle(), usages, Handle::Hmac(key_data), ); // Step 15. Return key. Ok(key) } /// /// #[allow(unsafe_code)] fn import_key_aes( &self, format: KeyFormat, data: &[u8], extractable: bool, usages: Vec, alg_name: &str, ) -> Result, Error> { if usages.iter().any(|usage| { !matches!( usage, KeyUsage::Encrypt | KeyUsage::Decrypt | KeyUsage::WrapKey | KeyUsage::UnwrapKey ) }) || usages.is_empty() { return Err(Error::Syntax); } if !matches!(format, KeyFormat::Raw | KeyFormat::Jwk) { return Err(Error::NotSupported); } let handle = match data.len() * 8 { 128 => Handle::Aes128(data.to_vec()), 192 => Handle::Aes192(data.to_vec()), 256 => Handle::Aes256(data.to_vec()), _ => return Err(Error::Data), }; let name = DOMString::from(alg_name.to_string()); let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut algorithm_object = unsafe {JS_NewObject(*cx, ptr::null()) }); assert!(!algorithm_object.is_null()); AesKeyAlgorithm::from_name_and_size( name.clone(), (data.len() * 8) as u16, algorithm_object.handle_mut(), cx, ); let crypto_key = CryptoKey::new( &self.global(), KeyType::Secret, extractable, name, algorithm_object.handle(), usages, handle, ); Ok(crypto_key) } /// /// fn export_key_aes(&self, format: KeyFormat, key: &CryptoKey) -> Result { match format { KeyFormat::Raw => match key.handle() { Handle::Aes128(key_data) => Ok(AesExportedKey::Raw(key_data.as_slice().to_vec())), Handle::Aes192(key_data) => Ok(AesExportedKey::Raw(key_data.as_slice().to_vec())), Handle::Aes256(key_data) => Ok(AesExportedKey::Raw(key_data.as_slice().to_vec())), _ => Err(Error::Data), }, KeyFormat::Jwk => { let (alg, k) = match key.handle() { Handle::Aes128(key_data) => { data_to_jwk_params(key.algorithm().as_str(), "128", key_data.as_slice()) }, Handle::Aes192(key_data) => { data_to_jwk_params(key.algorithm().as_str(), "192", key_data.as_slice()) }, Handle::Aes256(key_data) => { data_to_jwk_params(key.algorithm().as_str(), "256", key_data.as_slice()) }, _ => return Err(Error::Data), }; let jwk = JsonWebKey { alg: Some(alg), crv: None, d: None, dp: None, dq: None, e: None, ext: Some(key.Extractable()), k: Some(k), key_ops: None, kty: Some(DOMString::from("oct")), n: None, oth: None, p: None, q: None, qi: None, use_: None, x: None, y: None, }; Ok(AesExportedKey::Jwk(Box::new(jwk))) }, _ => Err(Error::NotSupported), } } /// #[allow(unsafe_code)] fn import_key_hkdf( &self, format: KeyFormat, data: &[u8], extractable: bool, usages: Vec, ) -> Result, Error> { // Step 1. Let keyData be the key data to be imported. // Step 2. If format is "raw": if format == KeyFormat::Raw { // Step 1. If usages contains a value that is not "deriveKey" or "deriveBits", then throw a SyntaxError. if usages .iter() .any(|usage| !matches!(usage, KeyUsage::DeriveKey | KeyUsage::DeriveBits)) { return Err(Error::Syntax); } // Step 2. If extractable is not false, then throw a SyntaxError. if extractable { return Err(Error::Syntax); } // Step 3. Let key be a new CryptoKey representing the key data provided in keyData. // Step 4. Set the [[type]] internal slot of key to "secret". // Step 5. Let algorithm be a new KeyAlgorithm object. // Step 6. Set the name attribute of algorithm to "HKDF". // Step 7. Set the [[algorithm]] internal slot of key to algorithm. let name = DOMString::from(ALG_HKDF); let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut algorithm_object = unsafe {JS_NewObject(*cx, ptr::null()) }); assert!(!algorithm_object.is_null()); KeyAlgorithm::from_name(name.clone(), algorithm_object.handle_mut(), cx); let key = CryptoKey::new( &self.global(), KeyType::Secret, extractable, name, algorithm_object.handle(), usages, Handle::Hkdf(data.to_vec()), ); // Step 8. Return key. Ok(key) } else { // throw a NotSupportedError. Err(Error::NotSupported) } } /// #[allow(unsafe_code)] fn import_key_hmac( &self, normalized_algorithm: &SubtleHmacImportParams, format: KeyFormat, key_data: &[u8], extractable: bool, usages: Vec, ) -> Result, Error> { // Step 1. Let keyData be the key data to be imported. // Step 2. If usages contains an entry which is not "sign" or "verify", then throw a SyntaxError. if usages .iter() .any(|usage| !matches!(usage, KeyUsage::Sign | KeyUsage::Verify)) { return Err(Error::Syntax); } // Step 3. Let hash be a new KeyAlgorithm. let hash; // Step 4. let data; match format { // If format is "raw": KeyFormat::Raw => { // Step 4.1 Let data be the octet string contained in keyData. data = key_data; // Step 4.2 Set hash to equal the hash member of normalizedAlgorithm. hash = normalized_algorithm.hash; }, // If format is "jwk": KeyFormat::Jwk => { // TODO: This seems to require having key_data be more than just &[u8] return Err(Error::NotSupported); }, // Otherwise: _ => { // throw a NotSupportedError. return Err(Error::NotSupported); }, } // Step 5. Let length be equivalent to the length, in octets, of data, multiplied by 8. let mut length = data.len() as u32 * 8; // Step 6. If length is zero then throw a DataError. if length == 0 { return Err(Error::Data); } // Step 7. If the length member of normalizedAlgorithm is present: if let Some(given_length) = normalized_algorithm.length { // If the length member of normalizedAlgorithm is greater than length: if given_length > length { // throw a DataError. return Err(Error::Data); } // Otherwise: else { // Set length equal to the length member of normalizedAlgorithm. length = given_length; } } // Step 8. Let key be a new CryptoKey object representing an HMAC key with the first length bits of data. // Step 9. Set the [[type]] internal slot of key to "secret". // Step 10. Let algorithm be a new HmacKeyAlgorithm. // Step 11. Set the name attribute of algorithm to "HMAC". // Step 12. Set the length attribute of algorithm to length. // Step 13. Set the hash attribute of algorithm to hash. // Step 14. Set the [[algorithm]] internal slot of key to algorithm. let truncated_data = data[..length as usize / 8].to_vec(); let name = DOMString::from(ALG_HMAC); let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut algorithm_object = unsafe {JS_NewObject(*cx, ptr::null()) }); assert!(!algorithm_object.is_null()); HmacKeyAlgorithm::from_length_and_hash(length, hash, algorithm_object.handle_mut(), cx); let key = CryptoKey::new( &self.global(), KeyType::Secret, extractable, name, algorithm_object.handle(), usages, Handle::Hmac(truncated_data), ); // Step 15. Return key. Ok(key) } /// #[allow(unsafe_code)] fn import_key_pbkdf2( &self, format: KeyFormat, data: &[u8], extractable: bool, usages: Vec, ) -> Result, Error> { // Step 1. If format is not "raw", throw a NotSupportedError if format != KeyFormat::Raw { return Err(Error::NotSupported); } // Step 2. If usages contains a value that is not "deriveKey" or "deriveBits", then throw a SyntaxError. if usages .iter() .any(|usage| !matches!(usage, KeyUsage::DeriveKey | KeyUsage::DeriveBits)) { return Err(Error::Syntax); } // Step 3. If extractable is not false, then throw a SyntaxError. if extractable { return Err(Error::Syntax); } // Step 4. Let key be a new CryptoKey representing keyData. // Step 5. Set the [[type]] internal slot of key to "secret". // Step 6. Let algorithm be a new KeyAlgorithm object. // Step 7. Set the name attribute of algorithm to "PBKDF2". // Step 8. Set the [[algorithm]] internal slot of key to algorithm. let name = DOMString::from(ALG_PBKDF2); let cx = GlobalScope::get_cx(); rooted!(in(*cx) let mut algorithm_object = unsafe {JS_NewObject(*cx, ptr::null()) }); assert!(!algorithm_object.is_null()); KeyAlgorithm::from_name(name.clone(), algorithm_object.handle_mut(), cx); let key = CryptoKey::new( &self.global(), KeyType::Secret, extractable, name, algorithm_object.handle(), usages, Handle::Pbkdf2(data.to_vec()), ); // Step 9. Return key. Ok(key) } } pub enum AesExportedKey { Raw(Vec), Jwk(Box), } fn data_to_jwk_params(alg: &str, size: &str, key: &[u8]) -> (DOMString, DOMString) { let jwk_alg = match alg { ALG_AES_CBC => DOMString::from(format!("A{}CBC", size)), ALG_AES_CTR => DOMString::from(format!("A{}CTR", size)), _ => unreachable!(), }; let mut data = BASE64_STANDARD.encode(key); data.retain(|c| c != '='); (jwk_alg, DOMString::from(data)) } impl KeyAlgorithm { /// Fill the object referenced by `out` with an [KeyAlgorithm] /// of the specified name and size. #[allow(unsafe_code)] fn from_name(name: DOMString, out: MutableHandleObject, cx: JSContext) { let key_algorithm = Self { name }; unsafe { key_algorithm.to_jsobject(*cx, out); } } } impl HmacKeyAlgorithm { #[allow(unsafe_code)] fn from_length_and_hash( length: u32, hash: DigestAlgorithm, out: MutableHandleObject, cx: JSContext, ) { let hmac_key_algorithm = Self { parent: KeyAlgorithm { name: ALG_HMAC.into(), }, length, hash: KeyAlgorithm { name: hash.name() }, }; unsafe { hmac_key_algorithm.to_jsobject(*cx, out); } } } impl AesKeyAlgorithm { /// Fill the object referenced by `out` with an [AesKeyAlgorithm] /// of the specified name and size. #[allow(unsafe_code)] fn from_name_and_size(name: DOMString, size: u16, out: MutableHandleObject, cx: JSContext) { let key_algorithm = Self { parent: KeyAlgorithm { name }, length: size, }; unsafe { key_algorithm.to_jsobject(*cx, out); } } } impl SubtleHkdfParams { /// fn derive_bits(&self, key: &CryptoKey, length: Option) -> Result, Error> { // Step 1. If length is null or zero, or is not a multiple of 8, then throw an OperationError. let Some(length) = length else { return Err(Error::Operation); }; if length == 0 || length % 8 != 0 { return Err(Error::Operation); }; // Step 3. Let keyDerivationKey be the secret represented by [[handle]] internal slot of key. let key_derivation_key = key.handle().as_bytes(); // Step 4. Let result be the result of performing the HKDF extract and then the HKDF expand step described // in Section 2 of [RFC5869] using: // * the hash member of normalizedAlgorithm as Hash, // * keyDerivationKey as the input keying material, IKM, // * the contents of the salt member of normalizedAlgorithm as salt, // * the contents of the info member of normalizedAlgorithm as info, // * length divided by 8 as the value of L, let mut result = vec![0; length as usize / 8]; let algorithm = match self.hash { DigestAlgorithm::Sha1 => hkdf::HKDF_SHA1_FOR_LEGACY_USE_ONLY, DigestAlgorithm::Sha256 => hkdf::HKDF_SHA256, DigestAlgorithm::Sha384 => hkdf::HKDF_SHA384, DigestAlgorithm::Sha512 => hkdf::HKDF_SHA512, }; let salt = hkdf::Salt::new(algorithm, &self.salt); let info = self.info.as_slice(); let pseudo_random_key = salt.extract(key_derivation_key); let Ok(output_key_material) = pseudo_random_key.expand(std::slice::from_ref(&info), algorithm) else { // Step 5. If the key derivation operation fails, then throw an OperationError. return Err(Error::Operation); }; if output_key_material.fill(&mut result).is_err() { return Err(Error::Operation); }; // Step 6. Return the result of creating an ArrayBuffer containing result. // NOTE: The ArrayBuffer is created by the caller Ok(result) } } impl SubtlePbkdf2Params { /// fn derive_bits(&self, key: &CryptoKey, length: Option) -> Result, Error> { // Step 1. If length is null or zero, or is not a multiple of 8, then throw an OperationError. let Some(length) = length else { return Err(Error::Operation); }; if length == 0 || length % 8 != 0 { return Err(Error::Operation); }; // Step 2. If the iterations member of normalizedAlgorithm is zero, then throw an OperationError. let Ok(iterations) = NonZero::::try_from(self.iterations) else { return Err(Error::Operation); }; // Step 3. Let prf be the MAC Generation function described in Section 4 of [FIPS-198-1] // using the hash function described by the hash member of normalizedAlgorithm. let prf = match self.hash { DigestAlgorithm::Sha1 => pbkdf2::PBKDF2_HMAC_SHA1, DigestAlgorithm::Sha256 => pbkdf2::PBKDF2_HMAC_SHA256, DigestAlgorithm::Sha384 => pbkdf2::PBKDF2_HMAC_SHA384, DigestAlgorithm::Sha512 => pbkdf2::PBKDF2_HMAC_SHA512, }; // Step 4. Let result be the result of performing the PBKDF2 operation defined in Section 5.2 of [RFC8018] using // prf as the pseudo-random function, PRF, the password represented by [[handle]] internal slot of key as // the password, P, the contents of the salt attribute of normalizedAlgorithm as the salt, S, the value of // the iterations attribute of normalizedAlgorithm as the iteration count, c, and length divided by 8 as the // intended key length, dkLen. let mut result = vec![0; length as usize / 8]; pbkdf2::derive( prf, iterations, &self.salt, key.handle().as_bytes(), &mut result, ); // Step 5. If the key derivation operation fails, then throw an OperationError. // TODO: Investigate when key derivation can fail and how ring handles that case // (pbkdf2::derive does not return a Result type) // Step 6. Return result Ok(result) } } /// fn get_key_length_for_aes(length: u16) -> Result { // Step 1. If the length member of normalizedDerivedKeyAlgorithm is not 128, 192 or 256, // then throw an OperationError. if !matches!(length, 128 | 192 | 256) { return Err(Error::Operation); } // Step 2. Return the length member of normalizedDerivedKeyAlgorithm. Ok(length as u32) } impl GetKeyLengthAlgorithm { fn get_key_length(&self) -> Result { match self { Self::Aes(length) => get_key_length_for_aes(*length), Self::Hmac(params) => params.get_key_length(), } } } impl DigestAlgorithm { /// fn name(&self) -> DOMString { match self { Self::Sha1 => ALG_SHA1, Self::Sha256 => ALG_SHA256, Self::Sha384 => ALG_SHA384, Self::Sha512 => ALG_SHA512, } .into() } fn digest(&self, data: &[u8]) -> Result, Error> { let algorithm = match self { Self::Sha1 => &digest::SHA1_FOR_LEGACY_USE_ONLY, Self::Sha256 => &digest::SHA256, Self::Sha384 => &digest::SHA384, Self::Sha512 => &digest::SHA512, }; Ok(digest::digest(algorithm, data)) } fn block_size_in_bits(&self) -> usize { match self { Self::Sha1 => 160, Self::Sha256 => 256, Self::Sha384 => 384, Self::Sha512 => 512, } } } impl ImportKeyAlgorithm { fn import_key( &self, subtle: &SubtleCrypto, format: KeyFormat, secret: &[u8], extractable: bool, key_usages: Vec, ) -> Result, Error> { match self { Self::AesCbc => { subtle.import_key_aes(format, secret, extractable, key_usages, ALG_AES_CBC) }, Self::AesCtr => { subtle.import_key_aes(format, secret, extractable, key_usages, ALG_AES_CTR) }, Self::Hmac(params) => { subtle.import_key_hmac(params, format, secret, extractable, key_usages) }, Self::Pbkdf2 => subtle.import_key_pbkdf2(format, secret, extractable, key_usages), Self::Hkdf => subtle.import_key_hkdf(format, secret, extractable, key_usages), } } } impl DeriveBitsAlgorithm { fn derive_bits(&self, key: &CryptoKey, length: Option) -> Result, Error> { match self { Self::Pbkdf2(pbkdf2_params) => pbkdf2_params.derive_bits(key, length), Self::Hkdf(hkdf_params) => hkdf_params.derive_bits(key, length), } } } impl EncryptionAlgorithm { /// fn name(&self) -> &str { match self { Self::AesCbc(key_gen_params) => &key_gen_params.name, Self::AesCtr(key_gen_params) => &key_gen_params.name, } } // FIXME: This doesn't really need the "SubtleCrypto" argument fn encrypt( &self, subtle: &SubtleCrypto, key: &CryptoKey, data: &[u8], cx: JSContext, result: MutableHandleObject, ) -> Result<(), Error> { match self { Self::AesCbc(key_gen_params) => { subtle.encrypt_aes_cbc(key_gen_params, key, data, cx, result) }, Self::AesCtr(key_gen_params) => { subtle.encrypt_decrypt_aes_ctr(key_gen_params, key, data, cx, result) }, } } // FIXME: This doesn't really need the "SubtleCrypto" argument fn decrypt( &self, subtle: &SubtleCrypto, key: &CryptoKey, data: &[u8], cx: JSContext, result: MutableHandleObject, ) -> Result<(), Error> { match self { Self::AesCbc(key_gen_params) => { subtle.decrypt_aes_cbc(key_gen_params, key, data, cx, result) }, Self::AesCtr(key_gen_params) => { subtle.encrypt_decrypt_aes_ctr(key_gen_params, key, data, cx, result) }, } } } impl SignatureAlgorithm { fn name(&self) -> &str { match self { Self::Hmac => ALG_HMAC, } } fn sign(&self, cx: JSContext, key: &CryptoKey, data: &[u8]) -> Result, Error> { match self { Self::Hmac => sign_hmac(cx, key, data).map(|s| s.as_ref().to_vec()), } } fn verify( &self, cx: JSContext, key: &CryptoKey, data: &[u8], signature: &[u8], ) -> Result { match self { Self::Hmac => verify_hmac(cx, key, data, signature), } } } impl KeyGenerationAlgorithm { // FIXME: This doesn't really need the "SubtleCrypto" argument fn generate_key( &self, subtle: &SubtleCrypto, usages: Vec, extractable: bool, ) -> Result, Error> { match self { Self::Aes(params) => subtle.generate_key_aes(usages, params, extractable), Self::Hmac(params) => subtle.generate_key_hmac(usages, params, extractable), } } } /// fn sign_hmac(cx: JSContext, key: &CryptoKey, data: &[u8]) -> Result, Error> { // Step 1. Let mac be the result of performing the MAC Generation operation described in Section 4 of [FIPS-198-1] // using the key represented by [[handle]] internal slot of key, the hash function identified by the hash attribute // of the [[algorithm]] internal slot of key and message as the input data text. rooted!(in(*cx) let mut algorithm_slot = ObjectValue(key.Algorithm(cx).as_ptr())); let params = value_from_js_object!(HmacKeyAlgorithm, cx, algorithm_slot); let hash_algorithm = match params.hash.name.str() { ALG_SHA1 => hmac::HMAC_SHA1_FOR_LEGACY_USE_ONLY, ALG_SHA256 => hmac::HMAC_SHA256, ALG_SHA384 => hmac::HMAC_SHA384, ALG_SHA512 => hmac::HMAC_SHA512, _ => return Err(Error::NotSupported), }; let sign_key = hmac::Key::new(hash_algorithm, key.handle().as_bytes()); let mac = hmac::sign(&sign_key, data); // Step 2. Return the result of creating an ArrayBuffer containing mac. // NOTE: This is done by the caller Ok(mac) } /// fn verify_hmac( cx: JSContext, key: &CryptoKey, data: &[u8], signature: &[u8], ) -> Result { // Step 1. Let mac be the result of performing the MAC Generation operation described in Section 4 of [FIPS-198-1] // using the key represented by [[handle]] internal slot of key, the hash function identified by the hash attribute // of the [[algorithm]] internal slot of key and message as the input data text. let mac = sign_hmac(cx, key, data)?; // Step 2. Return true if mac is equal to signature and false otherwise. let is_valid = mac.as_ref() == signature; Ok(is_valid) }