Diff
Modified: trunk/Source/WebCore/ChangeLog (164180 => 164181)
--- trunk/Source/WebCore/ChangeLog 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebCore/ChangeLog 2014-02-15 23:26:21 UTC (rev 164181)
@@ -1,3 +1,26 @@
+2014-02-15 Alexey Proskuryakov <[email protected]>
+
+ [Mac] All WebKit clients should encrypt WebCrypto keys automatically
+ https://bugs.webkit.org/show_bug.cgi?id=128852
+
+ Reviewed by Oliver Hunt.
+
+ Install a persistent master key in Keychain on first use of WebCrypto key serialization.
+ The key is per application, protected with ACL.
+
+ * English.lproj/Localizable.strings:
+ * WebCore.exp.in:
+ * crypto/SerializedCryptoKeyWrap.h:
+ * crypto/mac/SerializedCryptoKeyWrapMac.mm:
+ (WebCore::masterKeyAccountNameForCurrentApplication):
+ (WebCore::getDefaultWebCryptoMasterKey):
+ (WebCore::createAndStoreMasterKey):
+ (WebCore::findMasterKey):
+ * platform/LocalizedStrings.cpp:
+ (WebCore::webCryptoMasterKeyKeychainLabel):
+ (WebCore::webCryptoMasterKeyKeychainComment):
+ * platform/LocalizedStrings.h:
+
2014-02-15 Ryosuke Niwa <[email protected]>
computeSelectionStart and computeSelectionEnd shouldn't trigger synchronous layout
Modified: trunk/Source/WebCore/English.lproj/Localizable.strings (164180 => 164181)
--- trunk/Source/WebCore/English.lproj/Localizable.strings 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebCore/English.lproj/Localizable.strings 2014-02-15 23:26:21 UTC (rev 164181)
@@ -40,6 +40,9 @@
/* Visible name of the web process. The argument is the application name. */
"%@ Web Content" = "%@ Web Content";
+/* Name of application's single WebCrypto master key in Keychain */
+"%@ WebCrypto Master Key" = "%@ WebCrypto Master Key";
+
/* Label to describe the number of files selected in a file upload control that allows multiple files */
"%d files" = "%d files";
@@ -595,6 +598,9 @@
/* Undo action name */
"Use Standard Ligatures (Undo action name)" = "Use Standard Ligatures";
+/* Description of WebCrypto master keys in Keychain */
+"Used to encrypt WebCrypto keys in persistent storage, such as IndexedDB" = "Used to encrypt WebCrypto keys in persistent storage, such as IndexedDB";
+
/* Web Inspector window title */
"Web Inspector — %@" = "Web Inspector — %@";
Modified: trunk/Source/WebCore/WebCore.exp.in (164180 => 164181)
--- trunk/Source/WebCore/WebCore.exp.in 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebCore/WebCore.exp.in 2014-02-15 23:26:21 UTC (rev 164181)
@@ -2625,6 +2625,7 @@
_wkCTFontTransformGlyphs
__ZN7WebCore23wrapSerializedCryptoKeyERKN3WTF6VectorIhLm0ENS0_15CrashOnOverflowEEES5_RS3_
__ZN7WebCore25unwrapSerializedCryptoKeyERKN3WTF6VectorIhLm0ENS0_15CrashOnOverflowEEES5_RS3_
+__ZN7WebCore28getDefaultWebCryptoMasterKeyERN3WTF6VectorIhLm0ENS0_15CrashOnOverflowEEE
#endif
#if ENABLE(3D_RENDERING)
Modified: trunk/Source/WebCore/crypto/SerializedCryptoKeyWrap.h (164180 => 164181)
--- trunk/Source/WebCore/crypto/SerializedCryptoKeyWrap.h 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebCore/crypto/SerializedCryptoKeyWrap.h 2014-02-15 23:26:21 UTC (rev 164181)
@@ -33,6 +33,8 @@
namespace WebCore {
+bool getDefaultWebCryptoMasterKey(Vector<uint8_t>&);
+
bool wrapSerializedCryptoKey(const Vector<uint8_t>& masterKey, const Vector<uint8_t>& key, Vector<uint8_t>& result);
bool unwrapSerializedCryptoKey(const Vector<uint8_t>& masterKey, const Vector<uint8_t>& wrappedKey, Vector<uint8_t>& key);
Modified: trunk/Source/WebCore/crypto/mac/SerializedCryptoKeyWrapMac.mm (164180 => 164181)
--- trunk/Source/WebCore/crypto/mac/SerializedCryptoKeyWrapMac.mm 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebCore/crypto/mac/SerializedCryptoKeyWrapMac.mm 2014-02-15 23:26:21 UTC (rev 164181)
@@ -29,9 +29,12 @@
#if ENABLE(SUBTLE_CRYPTO)
#include "CommonCryptoUtilities.h"
+#include "LocalizedStrings.h"
#include <CommonCrypto/CommonSymmetricKeywrap.h>
+#include <wtf/text/Base64.h>
#include <wtf/text/CString.h>
#include <wtf/CryptographicUtilities.h>
+#include <wtf/RetainPtr.h>
namespace WebCore {
@@ -42,6 +45,8 @@
const NSString* encryptedKeyKey = @"encryptedKey";
const NSString* tagKey = @"tag";
+const size_t masterKeySizeInBytes = 16;
+
inline Vector<uint8_t> vectorFromNSData(NSData* data)
{
Vector<uint8_t> result;
@@ -49,6 +54,109 @@
return result;
}
+#if PLATFORM(IOS)
+
+bool getDefaultWebCryptoMasterKey(Vector<uint8_t>& masterKey)
+{
+ // FIXME: Implement.
+ masterKey.resize(masterKeySizeInBytes);
+ memset(masterKey.data(), 0, masterKey.size());
+ return true;
+}
+
+#else
+
+static NSString* masterKeyAccountNameForCurrentApplication()
+{
+ return [NSString stringWithFormat:@"com.apple.WebKit.WebCrypto.master+%@", [[NSRunningApplication currentApplication] bundleIdentifier]];
+}
+
+static bool createAndStoreMasterKey(Vector<uint8_t>& masterKeyData)
+{
+ masterKeyData.resize(masterKeySizeInBytes);
+ CCRandomCopyBytes(kCCRandomDefault, masterKeyData.data(), masterKeyData.size());
+
+ NSString *localizedItemName = webCryptoMasterKeyKeychainLabel([[NSRunningApplication currentApplication] localizedName]);
+
+ SecAccessRef accessRef;
+ OSStatus status = SecAccessCreate((CFStringRef)localizedItemName, nullptr, &accessRef);
+ if (status) {
+ WTFLogAlways("Cannot create a security access object for storing WebCrypto master key, error %d", (int)status);
+ return nullptr;
+ }
+ RetainPtr<SecAccessRef> access = adoptCF(accessRef);
+
+ RetainPtr<CFArrayRef> acls = adoptCF(SecAccessCopyMatchingACLList(accessRef, kSecACLAuthorizationExportClear));
+ SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(acls.get(), 0);
+
+ SecTrustedApplicationRef trustedAppRef;
+ status = SecTrustedApplicationCreateFromPath(0, &trustedAppRef);
+ if (status) {
+ WTFLogAlways("Cannot create a trusted application object for storing WebCrypto master key, error %d", (int)status);
+ return nullptr;
+ }
+ RetainPtr<SecTrustedApplicationRef> trustedApp = adoptCF(trustedAppRef);
+
+ status = SecACLSetContents(acl, (CFArrayRef)@[ (id)trustedApp.get() ], (CFStringRef)localizedItemName, kSecKeychainPromptRequirePassphase);
+ if (status) {
+ WTFLogAlways("Cannot set ACL for WebCrypto master key, error %d", (int)status);
+ return nullptr;
+ }
+
+ Vector<char> base64EncodedMasterKeyData;
+ base64Encode(masterKeyData, base64EncodedMasterKeyData);
+
+ // Cannot use kSecClassKey because of <rdar://problem/16068207>.
+ NSDictionary *attributes = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrSynchronizable : @NO,
+ (id)kSecAttrIsPermanent : @YES,
+ (id)kSecAttrAccess : (id)access.get(),
+ (id)kSecAttrComment : webCryptoMasterKeyKeychainComment(),
+ (id)kSecAttrLabel : localizedItemName,
+ (id)kSecAttrAccount : masterKeyAccountNameForCurrentApplication(),
+ (id)kSecValueData : [NSData dataWithBytes:base64EncodedMasterKeyData.data() length:base64EncodedMasterKeyData.size()],
+ };
+
+ status = SecItemAdd((CFDictionaryRef)attributes, nullptr);
+ if (status) {
+ WTFLogAlways("Cannot store WebCrypto master key, error %d", (int)status);
+ return nullptr;
+ }
+ return true;
+}
+
+static bool findMasterKey(Vector<uint8_t>& masterKeyData)
+{
+ NSDictionary *query = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrAccount : masterKeyAccountNameForCurrentApplication(),
+ (id)kSecReturnData : @YES,
+ };
+
+ CFDataRef keyDataRef;
+ OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef*)&keyDataRef);
+ if (status) {
+ if (status != errSecItemNotFound && status != errSecUserCanceled)
+ WTFLogAlways("Could not find WebCrypto master key in Keychain, error %d", (int)status);
+ return false;
+ }
+ RetainPtr<CFDataRef> keyData = adoptCF(keyDataRef);
+
+ Vector<uint8_t> base64EncodedMasterKeyData = vectorFromNSData((NSData *)keyData.get());
+ return base64Decode((const char*)base64EncodedMasterKeyData.data(), base64EncodedMasterKeyData.size(), masterKeyData);
+}
+
+bool getDefaultWebCryptoMasterKey(Vector<uint8_t>& masterKey)
+{
+ if (!findMasterKey(masterKey) && !createAndStoreMasterKey(masterKey))
+ return false;
+ RELEASE_ASSERT(masterKey.size() == masterKeySizeInBytes);
+ return true;
+}
+
+#endif
+
bool wrapSerializedCryptoKey(const Vector<uint8_t>& masterKey, const Vector<uint8_t>& key, Vector<uint8_t>& result)
{
Vector<uint8_t> kek(16);
Modified: trunk/Source/WebCore/platform/LocalizedStrings.cpp (164180 => 164181)
--- trunk/Source/WebCore/platform/LocalizedStrings.cpp 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebCore/platform/LocalizedStrings.cpp 2014-02-15 23:26:21 UTC (rev 164181)
@@ -1118,4 +1118,16 @@
return formatLocalizedString(WEB_UI_STRING("Show in blocked plug-in", "Title of the context menu item to show when PDFPlugin was used instead of a blocked plugin"));
}
+#if ENABLE(SUBTLE_CRYPTO)
+String webCryptoMasterKeyKeychainLabel(const String& localizedApplicationName)
+{
+ return formatLocalizedString(WEB_UI_STRING("%@ WebCrypto Master Key", "Name of application's single WebCrypto master key in Keychain"), localizedApplicationName.createCFString().get());
+}
+
+String webCryptoMasterKeyKeychainComment()
+{
+ return WEB_UI_STRING("Used to encrypt WebCrypto keys in persistent storage, such as IndexedDB", "Description of WebCrypto master keys in Keychain");
+}
+#endif
+
} // namespace WebCore
Modified: trunk/Source/WebCore/platform/LocalizedStrings.h (164180 => 164181)
--- trunk/Source/WebCore/platform/LocalizedStrings.h 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebCore/platform/LocalizedStrings.h 2014-02-15 23:26:21 UTC (rev 164181)
@@ -263,6 +263,11 @@
String useBlockedPlugInContextMenuTitle();
+#if ENABLE(SUBTLE_CRYPTO)
+ String webCryptoMasterKeyKeychainLabel(const String& localizedApplicationName);
+ String webCryptoMasterKeyKeychainComment();
+#endif
+
#define WEB_UI_STRING(string, description) WebCore::localizedString(string)
#define WEB_UI_STRING_KEY(string, key, description) WebCore::localizedString(key)
Modified: trunk/Source/WebKit/mac/ChangeLog (164180 => 164181)
--- trunk/Source/WebKit/mac/ChangeLog 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebKit/mac/ChangeLog 2014-02-15 23:26:21 UTC (rev 164181)
@@ -1,3 +1,15 @@
+2014-02-15 Alexey Proskuryakov <[email protected]>
+
+ [Mac] All WebKit clients should encrypt WebCrypto keys automatically
+ https://bugs.webkit.org/show_bug.cgi?id=128852
+
+ Reviewed by Oliver Hunt.
+
+ * WebCoreSupport/WebChromeClient.mm:
+ (WebChromeClient::wrapCryptoKey):
+ (WebChromeClient::unwrapCryptoKey):
+ Call the default implementation if key is not provided by a client.
+
2014-02-14 Anders Carlsson <[email protected]>
Control tints don't update inside WebViews
Modified: trunk/Source/WebKit/mac/WebCoreSupport/WebChromeClient.mm (164180 => 164181)
--- trunk/Source/WebKit/mac/WebCoreSupport/WebChromeClient.mm 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebKit/mac/WebCoreSupport/WebChromeClient.mm 2014-02-15 23:26:21 UTC (rev 164181)
@@ -1002,27 +1002,27 @@
#if ENABLE(SUBTLE_CRYPTO)
bool WebChromeClient::wrapCryptoKey(const Vector<uint8_t>& key, Vector<uint8_t>& wrappedKey) const
{
+ Vector<uint8_t> masterKey;
SEL selector = @selector(webCryptoMasterKeyForWebView:);
- if (![[m_webView UIDelegate] respondsToSelector:selector])
+ if ([[m_webView UIDelegate] respondsToSelector:selector]) {
+ NSData *keyData = CallUIDelegate(m_webView, selector);
+ masterKey.append((uint8_t*)[keyData bytes], [keyData length]);
+ } else if (!getDefaultWebCryptoMasterKey(masterKey))
return false;
- NSData* keyData = CallUIDelegate(m_webView, selector);
-
- Vector<uint8_t> masterKey;
- masterKey.append((uint8_t*)[keyData bytes], [keyData length]);
return wrapSerializedCryptoKey(masterKey, key, wrappedKey);
}
bool WebChromeClient::unwrapCryptoKey(const Vector<uint8_t>& wrappedKey, Vector<uint8_t>& key) const
{
+ Vector<uint8_t> masterKey;
SEL selector = @selector(webCryptoMasterKeyForWebView:);
- if (![[m_webView UIDelegate] respondsToSelector:selector])
+ if ([[m_webView UIDelegate] respondsToSelector:selector]) {
+ NSData *keyData = CallUIDelegate(m_webView, selector);
+ masterKey.append((uint8_t*)[keyData bytes], [keyData length]);
+ } else if (!getDefaultWebCryptoMasterKey(masterKey))
return false;
- NSData *keyData = CallUIDelegate(m_webView, selector);
-
- Vector<uint8_t> masterKey;
- masterKey.append((uint8_t*)[keyData bytes], [keyData length]);
return unwrapSerializedCryptoKey(masterKey, wrappedKey, key);
}
#endif
Modified: trunk/Source/WebKit2/ChangeLog (164180 => 164181)
--- trunk/Source/WebKit2/ChangeLog 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebKit2/ChangeLog 2014-02-15 23:26:21 UTC (rev 164181)
@@ -1,3 +1,15 @@
+2014-02-15 Alexey Proskuryakov <[email protected]>
+
+ [Mac] All WebKit clients should encrypt WebCrypto keys automatically
+ https://bugs.webkit.org/show_bug.cgi?id=128852
+
+ Reviewed by Oliver Hunt.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::wrapCryptoKey):
+ (WebKit::WebPageProxy::unwrapCryptoKey):
+ Call the default implementation if key is not provided by a client.
+
2014-02-15 Raphael Kubo da Costa <[email protected]>
[EFL][WK2] Stop calling mktemp(3).
Modified: trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp (164180 => 164181)
--- trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp 2014-02-15 22:32:05 UTC (rev 164180)
+++ trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp 2014-02-15 23:26:21 UTC (rev 164181)
@@ -4483,25 +4483,29 @@
#if ENABLE(SUBTLE_CRYPTO)
void WebPageProxy::wrapCryptoKey(const Vector<uint8_t>& key, bool& succeeded, Vector<uint8_t>& wrappedKey)
{
+ Vector<uint8_t> masterKey;
RefPtr<API::Data> keyData = m_process->context().client().copyWebCryptoMasterKey(&m_process->context());
- if (!keyData) {
+ if (keyData)
+ masterKey = keyData->dataReference().vector();
+ else if (!getDefaultWebCryptoMasterKey(masterKey)) {
succeeded = false;
return;
}
- Vector<uint8_t> masterKey = keyData->dataReference().vector();
succeeded = wrapSerializedCryptoKey(masterKey, key, wrappedKey);
}
void WebPageProxy::unwrapCryptoKey(const Vector<uint8_t>& wrappedKey, bool& succeeded, Vector<uint8_t>& key)
{
+ Vector<uint8_t> masterKey;
RefPtr<API::Data> keyData = m_process->context().client().copyWebCryptoMasterKey(&m_process->context());
- if (!keyData) {
+ if (keyData)
+ masterKey = keyData->dataReference().vector();
+ else if (!getDefaultWebCryptoMasterKey(masterKey)) {
succeeded = false;
return;
}
- Vector<uint8_t> masterKey = keyData->dataReference().vector();
succeeded = unwrapSerializedCryptoKey(masterKey, wrappedKey, key);
}
#endif
