1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
|
---
breadcrumbs:
- - /blink
- Blink (Rendering Engine)
page_name: webcrypto
title: WebCrypto
---
[TOC]
## Accessing it
* The WebCrypto API was enabled by default starting in **Chrome 37**
(August 26, 2014)
* Access to the WebCrypto API is restricted to [secure
origins](http://www.chromium.org/Home/chromium-security/security-faq#TOC-Which-origins-are-secure-)
(which is to say https:// pages).
* Note: [In the spec](https://github.com/w3c/webcrypto/issues/28),
crypto.subtle is supposed to be undefined in insecure contexts,
whereas in Chrome it is defined however any operation on it
fails with NotSupportedError. (This will be updated in the
future).
## Standards compliance
Chromium's implementation follows the [Web Cryptography API Editor's
Draft](https://w3c.github.io/webcrypto/Overview.html).
Be sure to refer to the copy of the spec on github **NOT the one hosted on
w3c.org**.
The version on w3c.org is horribly out of date (as of October 3 2016).
## Reporting bugs
* Issues with the implementation should be filed on [Chromium's bug
tracker](https://code.google.com/p/chromium/issues/list), and given
the component
[Blink>WebCrypto](https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebCrypto).
* Issues with the [Web Cryptography
specification](https://w3c.github.io/webcrypto/Overview.html) should
be filed on the [github](https://github.com/w3c/webcrypto/issues).
## Supported algorithms (as of Chrome 53)
The WebCrypto specification does not mandate any particular algorithms.
At this time Chromium implements all of the algorithms described by the main
specification:
> <table>
> <tr>
> <td><b> Algorithm</b></td>
> <td><b> Supported</b></td>
> <td><b> Notes</b></td>
> </tr>
> <tr>
> <td> RSASSA-PKCS1-v1_5</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> RSA-PSS </td>
> <td> YES</td>
> </tr>
> <tr>
> <td> RSA-OAEP</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> ECDSA</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> ECDH</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> AES-CTR</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> AES-CBC</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> AES-GCM</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> AES-KW</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> HMAC</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> SHA-1</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> SHA-256</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> SHA-384</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> SHA-512</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> HKDF</td>
> <td> YES</td>
> </tr>
> <tr>
> <td> PBKDF2</td>
> <td> YES</td>
> </tr>
> </table>
**Abandoned algorithms**
Earlier drafts of the specification contained additional algorithms, which have
since been pulled from both the spec and from Chromium's implementation:
> <table>
> <tr>
> <td><b> Algorithm</b></td>
> <td><b> Supported</b></td>
> <td><b> Notes</b></td>
> </tr>
> <tr>
> <td> AES-CMAC</td>
> <td> NO</td>
> * <td>No longer part of the spec</td>
> * <td>Was never implemented by Chrome</td>
> </tr>
> <tr>
> <td> AES-CFB</td>
> <td> NO</td>
> * <td>No longer part of the spec</td>
> * <td>Was never implemented by Chrome</td>
> </tr>
> <tr>
> <td> Diffie-Hellman</td>
> <td> NO</td>
> * <td>No longer part of the spec</td>
> * <td>Was never implemented by Chrome</td>
> </tr>
> <tr>
> <td> Concat KDF</td>
> <td> NO</td>
> * <td>No longer part of the spec</td>
> * <td>Was never implemented by Chrome</td>
> </tr>
> <tr>
> <td> HKDF-CTR</td>
> <td> NO</td>
> * <td>No longer part of the spec</td>
> * <td>Was never implemented by Chrome</td>
> * <td>The spec has redefined this as <a
href="https://github.com/w3c/webcrypto/issues/27">redefined this
as HKDF</a></td>
> </tr>
> <tr>
> <td> RSAES-PKCS1-v1_5</td>
> <td> NO</td>
> * <td>No longer part of the spec.</td>
> * <td>Chrome supported this in early days before Web Crypto was
enabled by default, but has since dropped support.</td>
> </tr>
> </table>
> ### RSA support
* The modulus length must be a multiple of 8 bits
* The modulus length must be >= 256 and <= 16384 bits
* When *generating* RSA keys the public exponent must be 3 or
65537. This limitation does not apply when importing keys.
> ### AES support
* The supported key sizes are:
* 128 bits
* 256 bits
* 192 bit AES keys are not supported
> ### EC support
* The supported
[namedCurves](https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#dfn-NamedCurve)
are:
* P-256
* P-384
* P-521
## Supported key formats
Chromium's WebCrypto implementation supports all of the key formats - "raw",
"spki", "pkcs8", "jwk", with the following caveats:
* There are differences in DER key format handling between Web Crypto
implementations. Where possible for compatibility prefer using "raw"
keys or "jwk" which have better interoperability.
* When importing/exporting "spki" and "pkcs8" formats, the only OIDs
supported by Chromiumare those recognized by OpenSSL/BoringSSL.
* Importing ECDH keys [does not accept
id-ecDH](https://bugs.chromium.org/p/chromium/issues/detail?id=532728).
The OID must instead be id-ecPublicKey (This can cause problems
importing keys generated by Firefox; use "raw" EC keys as a
workaround; Chromium in this case is not spec compliant)
* Importing RSA-PSS keys does not accept id-RSASSA-PSS. The OID
must instead be rsaEncryption
* Importing RSA-OAEP keys does not accept id-RSAES-OAEP. The OID
must instead be rsaEncryption.
* Exporting ECDH keys uses OID id-ecPublicKey, whereas the
WebCrypto spec says to use id-ecDH.
* Exporting RSA-PSS keys uses OID rsaEncryption, whereas the
WebCrypto spec says to use RSA-PSS.
* Exporting RSA-OAEP keys uses OID rsaEncryption, whereas the
WebCrypto spec says to use id-RSAES-OAEP.
## Examples of how to use WebCrypto
Some examples of using WebCrypto can be found in the [Blink
LayoutTests](https://chromium.googlesource.com/chromium/blink/+/HEAD/LayoutTests/crypto/).
(These can't be run directly in the browser because they access functionality
from the test harness, however it gives an idea of how to call the various
operations)
## Usage data for WebCrypto
Google Chrome measures how commonly WebCrypto algorithms and methods are across
web pages.
To explore the data use the [Chromium feature stack rank
dashboard](https://www.chromestatus.com/metrics/feature/popularity). This counts
the number of pageloads that made use of the given feature (internal users can
navigate an equivalent histogram using "WebCore.FeatureObserver").
For details on how the metrics are measured read the comment block in
[CryptoHistograms.h](https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/modules/crypto/CryptoHistograms.h).
Here is the correspondence between the feature names found on the [Chromium
feature stack rank
dashboard](https://www.chromestatus.com/metrics/feature/popularity) and
WebCrypto's operations/algorithms:
<table>
<tr>
<td> <b>Feature</b></td>
<td> <b>WebCrypto method</b></td>
</tr>
<tr>
<td> `CryptoGetRandomValues` </td>
<td> crypto.getRandomValues()</td>
</tr>
<tr>
<td> `SubtleCryptoEncrypt`</td>
<td> crypto.subtle.encrypt()</td>
</tr>
<tr>
<td> `SubtleCryptoDecrypt`</td>
<td> crypto.subtle.decrypt() </td>
</tr>
<tr>
<td> `SubtleCryptoSign`</td>
<td> crypto.subtle.sign() </td>
</tr>
<tr>
<td> `SubtleCryptoVerify`</td>
<td> crypto.subtle.verify() </td>
</tr>
<tr>
<td> `SubtleCryptoDigest`</td>
<td> crypto.subtle.digest()</td>
</tr>
<tr>
<td> `SubtleCryptoGenerateKey`</td>
<td> crypto.subtle.generateKey() </td>
</tr>
<tr>
<td> `SubtleCryptoImportKey`</td>
<td> crypto.subtle.importKey() </td>
</tr>
<tr>
<td> `SubtleCryptoExportKey`</td>
<td> crypto.subtle.exportKey() </td>
</tr>
<tr>
<td> `SubtleCryptoDeriveBits`</td>
<td> crypto.subtle.deriveBits()</td>
</tr>
<tr>
<td> `SubtleCryptoDeriveKey`</td>
<td> crypto.subtle.deriveKey() </td>
</tr>
<tr>
<td> `SubtleCryptoWrapKey`</td>
<td> crypto.subtle.wrapKey() </td>
</tr>
<tr>
<td> `SubtleCryptoUnwrapKey`</td>
<td> crypto.subtle.unwrapKey() </td>
</tr>
</table>
<table>
<tr>
<td> <b>Feature</b></td>
<td><b>WebCrypto algorithm</b></td>
</tr>
<tr>
<td> CryptoAlgorithmAesCbc `</td>
<td> AES-CBC</td>
</tr>
<tr>
<td> `CryptoAlgorithmHmac`</td>
<td> HMAC</td>
</tr>
<tr>
<td> `CryptoAlgorithmRsaSsaPkcs1v1_5`</td>
<td> RSASSA-PKCS1-v1_5</td>
</tr>
<tr>
<td> `CryptoAlgorithmSha1`</td>
<td> SHA-1</td>
</tr>
<tr>
<td> `CryptoAlgorithmSha256`</td>
<td> SHA-256</td>
</tr>
<tr>
<td> `CryptoAlgorithmSha384`</td>
<td> SHA-384 </td>
</tr>
<tr>
<td> `CryptoAlgorithmSha512`</td>
<td> SHA-512</td>
</tr>
<tr>
<td> `CryptoAlgorithmAesGcm`</td>
<td> AES-GCM</td>
</tr>
<tr>
<td> `CryptoAlgorithmRsaOaep`</td>
<td> RSA-OAEP</td>
</tr>
<tr>
<td> `CryptoAlgorithmAesCtr`</td>
<td> AES-CTR</td>
</tr>
<tr>
<td> `CryptoAlgorithmAesKw`</td>
<td> AES-KW</td>
</tr>
<tr>
<td> `CryptoAlgorithmRsaPss`</td>
<td> RSA-PSS</td>
</tr>
<tr>
<td> `CryptoAlgorithmEcdsa`</td>
<td> ECDSA</td>
</tr>
<tr>
<td> `CryptoAlgorithmEcdh`</td>
<td> ECDH</td>
</tr>
<tr>
<td> `CryptoAlgorithmHkdf`</td>
<td> HKDF</td>
</tr>
<tr>
<td> `CryptoAlgorithmPbkdf2`</td>
<td> PBKDF2</td>
</tr>
</table>
## Chromium developer's guide
This section is intended for Chromium developers writing patches to address
WebCrypto bugs/features.
### Code location reference
* [src/components/webcrypto](https://chromium.googlesource.com/chromium/src/+/HEAD/components/webcrypto)
Contains the actual crypto algorithm implementations (HMAC, ECDH, RSA-PSS,
etc.).
* [src/components/test/data/webcrypto](https://chromium.googlesource.com/chromium/src/+/HEAD/components/test/data/webcrypto)
Test data used by
[src/components/webcrypto](https://chromium.googlesource.com/chromium/src/+/HEAD/components/webcrypto).
Note that more extensive tests live in LayoutTests, and these will
eventually be transitioned there too.
* [src/third_party/WebKit/LayoutTests/crypto](https://chromium.googlesource.com/chromium/blink/+/HEAD/LayoutTests/crypto)
The end-to-end Javascript tests that exercise WebCrypto's crypto.subtle.\*
methods.
* [src/third_party/WebKit/public/platform/WebCrypto.h](https://chromium.googlesource.com/chromium/blink/+/HEAD/public/platform/WebCrypto.h)
Public interface that defines the Blink <--> Chromium layer
* [src/third_party/WebKit/Source/modules/crypto](https://chromium.googlesource.com/chromium/blink/+/HEAD/Source/modules/crypto)
The Blink layer (responsible for interacting with the Javascript), and then
calling into Chromium side using the WebCrypto interface.
* [src/third_party/WebKit/Source/bindings/modules/v8/ScriptValueSerializerForModules.cpp](https://chromium.googlesource.com/chromium/blink/+/HEAD/Source/bindings/modules/v8/ScriptValueSerializerForModules.cpp)
Implements the structured clone for CryptoKey
### Running the Chromium unit-tests
> `cd src`
> `ninja -C out/Debug components_unittests`
> `./out/Debug/components_unittests --gtest_filter="WebCrypto*"`
### Running the Blink LayoutTests
> ### `cd src/third_party/WebKit`
> ### `ninja -C out/Debug blink_tests`
> ### `./Tools/Scripts/run-webkit-tests --debug crypto`
### Getting "XOpenDisplay failed" when running unittests
Unfortunately `components_unittests` requires a display to run, even though
WebCrypto itself has no such dependency. If you are running from a terminal and
get this error the easiest fix is to use Xvfb to create a mock display server
(on port 4 in my example)
> `#Run this in the background....`
> Xvfb :4 -screen 0 1024x768x24
> # And once it is up, re-run the unit-tests with its display port
> DISPLAY:4 ./out/Debug/components_unittests --gtest_filter="WebCrypto\*"
|
