1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/chromeos/settings/token_encryptor.h"
#include <vector>
#include "base/logging.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_util.h"
#include "base/sys_info.h"
#include "chromeos/cryptohome/system_salt_getter.h"
#include "crypto/encryptor.h"
#include "crypto/nss_util.h"
#include "crypto/sha2.h"
#include "crypto/symmetric_key.h"
namespace chromeos {
namespace {
const size_t kNonceSize = 16;
} // namespace
CryptohomeTokenEncryptor::CryptohomeTokenEncryptor(
const std::string& system_salt)
: system_salt_(system_salt) {
DCHECK(!system_salt.empty());
// TODO(davidroche): should this use the system salt for both the password
// and the salt value, or should this use a separate salt value?
system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_));
}
CryptohomeTokenEncryptor::~CryptohomeTokenEncryptor() {
}
std::string CryptohomeTokenEncryptor::EncryptWithSystemSalt(
const std::string& token) {
// Don't care about token encryption while debugging.
if (!base::SysInfo::IsRunningOnChromeOS())
return token;
if (!system_salt_key_) {
LOG(WARNING) << "System salt key is not available for encrypt.";
return std::string();
}
return EncryptTokenWithKey(system_salt_key_.get(),
system_salt_,
token);
}
std::string CryptohomeTokenEncryptor::DecryptWithSystemSalt(
const std::string& encrypted_token_hex) {
// Don't care about token encryption while debugging.
if (!base::SysInfo::IsRunningOnChromeOS())
return encrypted_token_hex;
if (!system_salt_key_) {
LOG(WARNING) << "System salt key is not available for decrypt.";
return std::string();
}
return DecryptTokenWithKey(system_salt_key_.get(),
system_salt_,
encrypted_token_hex);
}
crypto::SymmetricKey* CryptohomeTokenEncryptor::PassphraseToKey(
const std::string& passphrase,
const std::string& salt) {
return crypto::SymmetricKey::DeriveKeyFromPassword(
crypto::SymmetricKey::AES, passphrase, salt, 1000, 256);
}
std::string CryptohomeTokenEncryptor::EncryptTokenWithKey(
crypto::SymmetricKey* key,
const std::string& salt,
const std::string& token) {
crypto::Encryptor encryptor;
if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) {
LOG(WARNING) << "Failed to initialize Encryptor.";
return std::string();
}
std::string nonce = salt.substr(0, kNonceSize);
std::string encoded_token;
CHECK(encryptor.SetCounter(nonce));
if (!encryptor.Encrypt(token, &encoded_token)) {
LOG(WARNING) << "Failed to encrypt token.";
return std::string();
}
return StringToLowerASCII(base::HexEncode(
reinterpret_cast<const void*>(encoded_token.data()),
encoded_token.size()));
}
std::string CryptohomeTokenEncryptor::DecryptTokenWithKey(
crypto::SymmetricKey* key,
const std::string& salt,
const std::string& encrypted_token_hex) {
std::vector<uint8> encrypted_token_bytes;
if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) {
LOG(WARNING) << "Corrupt encrypted token found.";
return std::string();
}
std::string encrypted_token(
reinterpret_cast<char*>(encrypted_token_bytes.data()),
encrypted_token_bytes.size());
crypto::Encryptor encryptor;
if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) {
LOG(WARNING) << "Failed to initialize Encryptor.";
return std::string();
}
std::string nonce = salt.substr(0, kNonceSize);
std::string token;
CHECK(encryptor.SetCounter(nonce));
if (!encryptor.Decrypt(encrypted_token, &token)) {
LOG(WARNING) << "Failed to decrypt token.";
return std::string();
}
return token;
}
} // namespace chromeos
|
