diff --git a/chrome/browser/chromeos/login/easy_unlock/easy_unlock_create_keys_operation.cc b/chrome/browser/chromeos/login/easy_unlock/easy_unlock_create_keys_operation.cc index 2a2aee9a9b9486..abbe1be72f5996 100644 --- a/chrome/browser/chromeos/login/easy_unlock/easy_unlock_create_keys_operation.cc +++ b/chrome/browser/chromeos/login/easy_unlock/easy_unlock_create_keys_operation.cc @@ -291,17 +291,10 @@ void EasyUnlockCreateKeysOperation::CreateKeyForDeviceAtIndex(size_t index) { return; } - std::string raw_session_key; - session_key->GetRawKey(&raw_session_key); - challenge_creator_.reset(new ChallengeCreator( - user_key, - raw_session_key, - tpm_public_key_, - device, + user_key, session_key->key(), tpm_public_key_, device, base::Bind(&EasyUnlockCreateKeysOperation::OnChallengeCreated, - weak_ptr_factory_.GetWeakPtr(), - index))); + weak_ptr_factory_.GetWeakPtr(), index))); challenge_creator_->Start(); } diff --git a/chrome/browser/chromeos/login/supervised/supervised_user_authentication.cc b/chrome/browser/chromeos/login/supervised/supervised_user_authentication.cc index aa69f57a1fffe3..28446d16fdb190 100644 --- a/chrome/browser/chromeos/login/supervised/supervised_user_authentication.cc +++ b/chrome/browser/chromeos/login/supervised/supervised_user_authentication.cc @@ -47,9 +47,8 @@ std::string BuildRawHMACKey() { std::unique_ptr key( crypto::SymmetricKey::GenerateRandomKey(crypto::SymmetricKey::AES, kHMACKeySizeInBits)); - std::string raw_result, result; - key->GetRawKey(&raw_result); - base::Base64Encode(raw_result, &result); + std::string result; + base::Base64Encode(key->key(), &result); return result; } diff --git a/chrome/browser/signin/local_auth.cc b/chrome/browser/signin/local_auth.cc index 9cf1e08ccc6fed..5ce69c4add6962 100644 --- a/chrome/browser/signin/local_auth.cc +++ b/chrome/browser/signin/local_auth.cc @@ -108,9 +108,7 @@ std::string CreateSecurePasswordHash(const std::string& salt, crypto::SymmetricKey::DeriveKeyFromPassword( crypto::SymmetricKey::AES, password, salt, encoding.iteration_count, encoding.hash_bits)); - std::string password_hash; - const bool success = password_key->GetRawKey(&password_hash); - DCHECK(success); + std::string password_hash = password_key->key(); DCHECK_EQ(encoding.hash_bytes, password_hash.length()); UMA_HISTOGRAM_TIMES("PasswordHash.CreateTime", diff --git a/chromecast/media/base/decrypt_context_impl_clearkey.cc b/chromecast/media/base/decrypt_context_impl_clearkey.cc index e3c8cc737c364b..29c9b24a6d97f0 100644 --- a/chromecast/media/base/decrypt_context_impl_clearkey.cc +++ b/chromecast/media/base/decrypt_context_impl_clearkey.cc @@ -51,11 +51,7 @@ bool DecryptContextImplClearKey::DoDecrypt(CastDecoderBuffer* buffer, output += data_offset; // Get the key. - std::string raw_key; - if (!key_->GetRawKey(&raw_key)) { - LOG(ERROR) << "Failed to get the underlying AES key"; - return false; - } + const std::string& raw_key = key_->key(); DCHECK_EQ(static_cast(raw_key.length()), AES_BLOCK_SIZE); const uint8_t* key_u8 = reinterpret_cast(raw_key.data()); AES_KEY aes_key; diff --git a/chromeos/login/auth/key.cc b/chromeos/login/auth/key.cc index e9dada20f0af13..101806454f5eb6 100644 --- a/chromeos/login/auth/key.cc +++ b/chromeos/login/auth/key.cc @@ -94,9 +94,7 @@ void Key::Transform(KeyType target_key_type, const std::string& salt) { crypto::SymmetricKey::DeriveKeyFromPassword( crypto::SymmetricKey::AES, secret_, salt, kNumIterations, kKeySizeInBits)); - std::string raw_secret; - key->GetRawKey(&raw_secret); - base::Base64Encode(raw_secret, &secret_); + base::Base64Encode(key->key(), &secret_); break; } case KEY_TYPE_SALTED_SHA256: diff --git a/components/sync/base/cryptographer.cc b/components/sync/base/cryptographer.cc index c585965969ffff..30790ea71b5b6c 100644 --- a/components/sync/base/cryptographer.cc +++ b/components/sync/base/cryptographer.cc @@ -348,10 +348,8 @@ std::string Cryptographer::GetDefaultNigoriKeyData() const { if (iter == nigoris_.end()) return std::string(); sync_pb::NigoriKey key; - if (!iter->second->ExportKeys(key.mutable_user_key(), - key.mutable_encryption_key(), - key.mutable_mac_key())) - return std::string(); + iter->second->ExportKeys(key.mutable_user_key(), key.mutable_encryption_key(), + key.mutable_mac_key()); return key.SerializeAsString(); } diff --git a/components/sync/base/nigori.cc b/components/sync/base/nigori.cc index e3067cc6c4cbb0..5204521e36ba8b 100644 --- a/components/sync/base/nigori.cc +++ b/components/sync/base/nigori.cc @@ -75,25 +75,21 @@ bool Nigori::InitByDerivation(const std::string& hostname, kSaltKeySizeInBits)); DCHECK(user_salt); - std::string raw_user_salt; - if (!user_salt->GetRawKey(&raw_user_salt)) - return false; - // Kuser = PBKDF2(P, Suser, Nuser, 16) user_key_ = SymmetricKey::DeriveKeyFromPassword( - SymmetricKey::AES, password, raw_user_salt, kUserIterations, + SymmetricKey::AES, password, user_salt->key(), kUserIterations, kDerivedKeySizeInBits); DCHECK(user_key_); // Kenc = PBKDF2(P, Suser, Nenc, 16) encryption_key_ = SymmetricKey::DeriveKeyFromPassword( - SymmetricKey::AES, password, raw_user_salt, kEncryptionIterations, + SymmetricKey::AES, password, user_salt->key(), kEncryptionIterations, kDerivedKeySizeInBits); DCHECK(encryption_key_); // Kmac = PBKDF2(P, Suser, Nmac, 16) mac_key_ = SymmetricKey::DeriveKeyFromPassword( - SymmetricKey::HMAC_SHA1, password, raw_user_salt, kSigningIterations, + SymmetricKey::HMAC_SHA1, password, user_salt->key(), kSigningIterations, kDerivedKeySizeInBits); DCHECK(mac_key_); @@ -132,12 +128,8 @@ bool Nigori::Permute(Type type, if (!encryptor.Encrypt(plaintext.str(), &ciphertext)) return false; - std::string raw_mac_key; - if (!mac_key_->GetRawKey(&raw_mac_key)) - return false; - HMAC hmac(HMAC::SHA256); - if (!hmac.Init(raw_mac_key)) + if (!hmac.Init(mac_key_->key())) return false; std::vector hash(kHashSize); @@ -168,12 +160,8 @@ bool Nigori::Encrypt(const std::string& value, std::string* encrypted) const { if (!encryptor.Encrypt(value, &ciphertext)) return false; - std::string raw_mac_key; - if (!mac_key_->GetRawKey(&raw_mac_key)) - return false; - HMAC hmac(HMAC::SHA256); - if (!hmac.Init(raw_mac_key)) + if (!hmac.Init(mac_key_->key())) return false; std::vector hash(kHashSize); @@ -206,12 +194,8 @@ bool Nigori::Decrypt(const std::string& encrypted, std::string* value) const { input.substr(kIvSize, input.size() - (kIvSize + kHashSize))); std::string hash(input.substr(input.size() - kHashSize, kHashSize)); - std::string raw_mac_key; - if (!mac_key_->GetRawKey(&raw_mac_key)) - return false; - HMAC hmac(HMAC::SHA256); - if (!hmac.Init(raw_mac_key)) + if (!hmac.Init(mac_key_->key())) return false; std::vector expected(kHashSize); @@ -232,7 +216,7 @@ bool Nigori::Decrypt(const std::string& encrypted, std::string* value) const { return true; } -bool Nigori::ExportKeys(std::string* user_key, +void Nigori::ExportKeys(std::string* user_key, std::string* encryption_key, std::string* mac_key) const { DCHECK(encryption_key); @@ -240,12 +224,12 @@ bool Nigori::ExportKeys(std::string* user_key, DCHECK(user_key); if (user_key_) - user_key_->GetRawKey(user_key); + *user_key = user_key_->key(); else user_key->clear(); - return encryption_key_->GetRawKey(encryption_key) && - mac_key_->GetRawKey(mac_key); + *encryption_key = encryption_key_->key(); + *mac_key = mac_key_->key(); } } // namespace syncer diff --git a/components/sync/base/nigori.h b/components/sync/base/nigori.h index 92c77b4079e07b..72b351ee3b357a 100644 --- a/components/sync/base/nigori.h +++ b/components/sync/base/nigori.h @@ -60,7 +60,7 @@ class Nigori { bool Decrypt(const std::string& value, std::string* decrypted) const; // Exports the raw derived keys. - bool ExportKeys(std::string* user_key, + void ExportKeys(std::string* user_key, std::string* encryption_key, std::string* mac_key) const; diff --git a/components/sync/base/nigori_unittest.cc b/components/sync/base/nigori_unittest.cc index 3dfdb6407d08fd..567237e279ef21 100644 --- a/components/sync/base/nigori_unittest.cc +++ b/components/sync/base/nigori_unittest.cc @@ -129,7 +129,7 @@ TEST(SyncNigoriTest, ExportImport) { std::string user_key; std::string encryption_key; std::string mac_key; - EXPECT_TRUE(nigori1.ExportKeys(&user_key, &encryption_key, &mac_key)); + nigori1.ExportKeys(&user_key, &encryption_key, &mac_key); Nigori nigori2; EXPECT_TRUE(nigori2.InitByImport(user_key, encryption_key, mac_key)); @@ -159,7 +159,7 @@ TEST(SyncNigoriTest, InitByDerivationSetsUserKey) { std::string user_key = ""; std::string encryption_key; std::string mac_key; - EXPECT_TRUE(nigori.ExportKeys(&user_key, &encryption_key, &mac_key)); + nigori.ExportKeys(&user_key, &encryption_key, &mac_key); EXPECT_NE(user_key, ""); } @@ -171,7 +171,7 @@ TEST(SyncNigoriTest, ToleratesEmptyUserKey) { std::string user_key; std::string encryption_key; std::string mac_key; - EXPECT_TRUE(nigori1.ExportKeys(&user_key, &encryption_key, &mac_key)); + nigori1.ExportKeys(&user_key, &encryption_key, &mac_key); EXPECT_FALSE(user_key.empty()); EXPECT_FALSE(encryption_key.empty()); EXPECT_FALSE(mac_key.empty()); @@ -180,7 +180,7 @@ TEST(SyncNigoriTest, ToleratesEmptyUserKey) { EXPECT_TRUE(nigori2.InitByImport("", encryption_key, mac_key)); user_key = "non-empty-value"; - EXPECT_TRUE(nigori2.ExportKeys(&user_key, &encryption_key, &mac_key)); + nigori2.ExportKeys(&user_key, &encryption_key, &mac_key); EXPECT_TRUE(user_key.empty()); EXPECT_FALSE(encryption_key.empty()); EXPECT_FALSE(mac_key.empty()); diff --git a/crypto/hmac.cc b/crypto/hmac.cc index 0480099e9cbebc..4db1f6e1bf0133 100644 --- a/crypto/hmac.cc +++ b/crypto/hmac.cc @@ -50,12 +50,7 @@ bool HMAC::Init(const unsigned char* key, size_t key_length) { } bool HMAC::Init(const SymmetricKey* key) { - std::string raw_key; - bool result = key->GetRawKey(&raw_key) && Init(raw_key); - // Zero out key copy. This might get optimized away, but one can hope. - // Using std::string to store key info at all is a larger problem. - std::fill(raw_key.begin(), raw_key.end(), 0); - return result; + return Init(key->key()); } bool HMAC::Sign(const base::StringPiece& data, diff --git a/crypto/symmetric_key.cc b/crypto/symmetric_key.cc index b75080aab5db04..55ffb72fb855e8 100644 --- a/crypto/symmetric_key.cc +++ b/crypto/symmetric_key.cc @@ -100,11 +100,6 @@ std::unique_ptr SymmetricKey::Import(Algorithm algorithm, return key; } -bool SymmetricKey::GetRawKey(std::string* raw_key) const { - *raw_key = key_; - return true; -} - SymmetricKey::SymmetricKey() = default; } // namespace crypto diff --git a/crypto/symmetric_key.h b/crypto/symmetric_key.h index e762555a2c6933..9803cdcf2498ed 100644 --- a/crypto/symmetric_key.h +++ b/crypto/symmetric_key.h @@ -50,18 +50,14 @@ class CRYPTO_EXPORT SymmetricKey { // Imports an array of key bytes in |raw_key|. This key may have been // generated by GenerateRandomKey or DeriveKeyFromPassword and exported with - // GetRawKey, or via another compatible method. The key must be of suitable - // size for use with |algorithm|. The caller owns the returned SymmetricKey. + // key(). The key must be of suitable size for use with |algorithm|. + // The caller owns the returned SymmetricKey. static std::unique_ptr Import(Algorithm algorithm, const std::string& raw_key); + // Returns the raw platform specific key data. const std::string& key() const { return key_; } - // Extracts the raw key from the platform specific data. - // Warning: |raw_key| holds the raw key as bytes and thus must be handled - // carefully. - bool GetRawKey(std::string* raw_key) const; - private: SymmetricKey(); diff --git a/crypto/symmetric_key_unittest.cc b/crypto/symmetric_key_unittest.cc index d954761d75a561..02f12e5defa73a 100644 --- a/crypto/symmetric_key_unittest.cc +++ b/crypto/symmetric_key_unittest.cc @@ -15,36 +15,27 @@ TEST(SymmetricKeyTest, GenerateRandomKey) { std::unique_ptr key( crypto::SymmetricKey::GenerateRandomKey(crypto::SymmetricKey::AES, 256)); ASSERT_TRUE(key); - std::string raw_key; - EXPECT_TRUE(key->GetRawKey(&raw_key)); - EXPECT_EQ(32U, raw_key.size()); + EXPECT_EQ(32U, key->key().size()); // Do it again and check that the keys are different. // (Note: this has a one-in-10^77 chance of failure!) std::unique_ptr key2( crypto::SymmetricKey::GenerateRandomKey(crypto::SymmetricKey::AES, 256)); ASSERT_TRUE(key2); - std::string raw_key2; - EXPECT_TRUE(key2->GetRawKey(&raw_key2)); - EXPECT_EQ(32U, raw_key2.size()); - EXPECT_NE(raw_key, raw_key2); + EXPECT_EQ(32U, key2->key().size()); + EXPECT_NE(key->key(), key2->key()); } TEST(SymmetricKeyTest, ImportGeneratedKey) { std::unique_ptr key1( crypto::SymmetricKey::GenerateRandomKey(crypto::SymmetricKey::AES, 256)); ASSERT_TRUE(key1); - std::string raw_key1; - EXPECT_TRUE(key1->GetRawKey(&raw_key1)); std::unique_ptr key2( - crypto::SymmetricKey::Import(crypto::SymmetricKey::AES, raw_key1)); + crypto::SymmetricKey::Import(crypto::SymmetricKey::AES, key1->key())); ASSERT_TRUE(key2); - std::string raw_key2; - EXPECT_TRUE(key2->GetRawKey(&raw_key2)); - - EXPECT_EQ(raw_key1, raw_key2); + EXPECT_EQ(key1->key(), key2->key()); } TEST(SymmetricKeyTest, ImportDerivedKey) { @@ -52,17 +43,12 @@ TEST(SymmetricKeyTest, ImportDerivedKey) { crypto::SymmetricKey::DeriveKeyFromPassword( crypto::SymmetricKey::HMAC_SHA1, "password", "somesalt", 1024, 160)); ASSERT_TRUE(key1); - std::string raw_key1; - EXPECT_TRUE(key1->GetRawKey(&raw_key1)); - std::unique_ptr key2( - crypto::SymmetricKey::Import(crypto::SymmetricKey::HMAC_SHA1, raw_key1)); + std::unique_ptr key2(crypto::SymmetricKey::Import( + crypto::SymmetricKey::HMAC_SHA1, key1->key())); ASSERT_TRUE(key2); - std::string raw_key2; - EXPECT_TRUE(key2->GetRawKey(&raw_key2)); - - EXPECT_EQ(raw_key1, raw_key2); + EXPECT_EQ(key1->key(), key2->key()); } struct PBKDF2TestVector { @@ -86,8 +72,7 @@ TEST_P(SymmetricKeyDeriveKeyFromPasswordTest, DeriveKeyFromPassword) { test_data.rounds, test_data.key_size_in_bits)); ASSERT_TRUE(key); - std::string raw_key; - key->GetRawKey(&raw_key); + const std::string& raw_key = key->key(); EXPECT_EQ(test_data.key_size_in_bits / 8, raw_key.size()); EXPECT_EQ(test_data.expected, base::ToLowerASCII(base::HexEncode(raw_key.data(),