Use crypto.subtle for AES on Browser WASM

src/libraries/Common/src/Interop/Browser/System.Security.Cryptography.Native.Browser/Interop.SimpleDigestHash.cs → src/libraries/Common/src/Interop/Browser/System.Security.Cryptography.Native.Browser/Interop.SubtleCrypto.cs

@@ -18,8 +18,10 @@ internal enum SimpleDigest
             Sha512,
         };
 
+        internal static readonly bool CanUseSubtleCrypto = CanUseSubtleCryptoImpl() == 1;
+
         [LibraryImport(Libraries.CryptoNative, EntryPoint = "SystemCryptoNativeBrowser_CanUseSubtleCryptoImpl")]
-        internal static partial int CanUseSubtleCryptoImpl();
+        private static partial int CanUseSubtleCryptoImpl();
 
         [LibraryImport(Libraries.CryptoNative, EntryPoint = "SystemCryptoNativeBrowser_SimpleDigestHash")]
         internal static unsafe partial int SimpleDigestHash(
@@ -28,5 +30,27 @@ internal static unsafe partial int SimpleDigestHash(
             int input_len,
             byte* output_buffer,
             int output_len);
+
+        [LibraryImport(Libraries.CryptoNative, EntryPoint = "SystemCryptoNativeBrowser_Sign")]
+        internal static unsafe partial int Sign(
+            SimpleDigest hashAlgorithm,
+            byte* key_buffer,
+            int key_len,
+            byte* input_buffer,
+            int input_len,
+            byte* output_buffer,
+            int output_len);
+
+        [LibraryImport(Libraries.CryptoNative, EntryPoint = "SystemCryptoNativeBrowser_EncryptDecrypt")]
+        internal static unsafe partial int EncryptDecrypt(
+            int encrypting,
+            byte* key_buffer,
+            int key_len,
+            byte* iv_buffer,
+            int iv_len,
+            byte* input_buffer,
+            int input_len,
+            byte* output_buffer,
+            int output_len);
     }
 }

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/AES/AesCipherTests.cs

@@ -34,6 +34,7 @@ public static void RandomKeyRoundtrip_128()
         }
 
         [Fact]
+        [SkipOnPlatform(TestPlatforms.Browser, "AES-192 is not supported on Browser")]
         public static void RandomKeyRoundtrip_192()
         {
             using (Aes aes = AesFactory.Create())
@@ -485,6 +486,7 @@ public static void VerifyKnownTransform_CFB128_128_NoPadding_3()
         }
 
         [Fact]
+        [SkipOnPlatform(TestPlatforms.Browser, "AES-192 is not supported on Browser")]
         public static void VerifyKnownTransform_CBC192_NoPadding()
         {
             TestAesTransformDirectKey(
@@ -525,6 +527,7 @@ public static void VerifyKnownTransform_CFB8_192_NoPadding()
         }
 
         [Fact]
+        [SkipOnPlatform(TestPlatforms.Browser, "AES-192 is not supported on Browser")]
         public static void VerifyKnownTransform_CBC192_NoPadding_2()
         {
             TestAesTransformDirectKey(

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/AES/AesContractTests.cs

@@ -55,7 +55,10 @@ public static void LegalKeySizes()
 
                 Assert.Equal(128, keySizeLimits.MinSize);
                 Assert.Equal(256, keySizeLimits.MaxSize);
-                Assert.Equal(64, keySizeLimits.SkipSize);
+
+                // Browser's SubtleCrypto doesn't support AES-192
+                int expectedKeySkipSize = PlatformDetection.IsBrowser ? 128 : 64;
+                Assert.Equal(expectedKeySkipSize, keySizeLimits.SkipSize);
             }
         }
 
@@ -214,6 +217,7 @@ public static void VerifyKeyGeneration_128()
         }
 
         [Fact]
+        [SkipOnPlatform(TestPlatforms.Browser, "AES-192 is not supported on Browser")]
         public static void VerifyKeyGeneration_192()
         {
             using (Aes aes = AesFactory.Create())

src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj

@@ -541,14 +541,13 @@
              Link="Common\Interop\Browser\Interop.Libraries.cs" />
     <Compile Include="$(CommonPath)System\Sha1ForNonSecretPurposes.cs"
              Link="Common\System\Sha1ForNonSecretPurposes.cs" />
-    <Compile Include="$(CommonPath)Interop\Browser\System.Security.Cryptography.Native.Browser\Interop.SimpleDigestHash.cs"
-             Link="Common\Interop\Browser\System.Security.Cryptography.Native.Browser\Interop.SimpleDigestHash.cs" /> 
-    <Compile Include="$(CommonPath)Interop\Browser\System.Security.Cryptography.Native.Browser\Interop.Sign.cs"
-             Link="Common\Interop\Browser\System.Security.Cryptography.Native.Browser\Interop.Sign.cs" /> 
+    <Compile Include="$(CommonPath)Interop\Browser\System.Security.Cryptography.Native.Browser\Interop.SubtleCrypto.cs"
+             Link="Common\Interop\Browser\System.Security.Cryptography.Native.Browser\Interop.SubtleCrypto.cs" /> 
     <Compile Include="System\Security\Cryptography\AesCcm.NotSupported.cs" />
     <Compile Include="System\Security\Cryptography\AesGcm.NotSupported.cs" />
     <Compile Include="System\Security\Cryptography\AesImplementation.Browser.cs" />
     <Compile Include="System\Security\Cryptography\AesManagedTransform.Browser.cs" />
+    <Compile Include="System\Security\Cryptography\AesSubtleCryptoTransform.Browser.cs" />
     <Compile Include="System\Security\Cryptography\AsnFormatter.Managed.cs" />
     <Compile Include="System\Security\Cryptography\CapiHelper.Browser.cs" />
     <Compile Include="System\Security\Cryptography\ChaCha20Poly1305.NotSupported.cs" />
@@ -583,6 +582,9 @@
     <Compile Include="System\Security\Cryptography\X509Certificates\StorePal.NotSupported.cs" />
     <Compile Include="System\Security\Cryptography\X509Certificates\X509Pal.NotSupported.cs" />
   </ItemGroup>
+  <ItemGroup Condition="'$(TargetPlatformIdentifier)' != 'Browser'">
+    <Compile Include="System\Security\Cryptography\AesImplementation.NonBrowser.cs" />
+  </ItemGroup>
   <ItemGroup Condition="'$(NeedOpenSslInitializer)' == 'true'">
     <Compile Include="$(CommonPath)Interop\Unix\Interop.Libraries.cs"
              Link="Common\Interop\Unix\Interop.Libraries.cs" />

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/Aes.cs

@@ -11,7 +11,7 @@ public abstract class Aes : SymmetricAlgorithm
         protected Aes()
         {
             LegalBlockSizesValue = s_legalBlockSizes.CloneKeySizesArray();
-            LegalKeySizesValue = s_legalKeySizes.CloneKeySizesArray();
+            LegalKeySizesValue = AesImplementation.s_legalKeySizes.CloneKeySizesArray();
 
             BlockSizeValue = 128;
             FeedbackSizeValue = 8;
@@ -31,6 +31,5 @@ protected Aes()
         }
 
         private static readonly KeySizes[] s_legalBlockSizes = { new KeySizes(128, 128, 0) };
-        private static readonly KeySizes[] s_legalKeySizes = { new KeySizes(128, 256, 64) };
     }
 }

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/AesImplementation.Browser.cs

@@ -2,12 +2,16 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Diagnostics;
-using Internal.Cryptography;
 
 namespace System.Security.Cryptography
 {
     internal sealed partial class AesImplementation
     {
+        internal const int BlockSizeBytes = 16; // 128 bits
+
+        // SubtleCrypto doesn't support AES-192. http://crbug.com/533699
+        internal static readonly KeySizes[] s_legalKeySizes = { new KeySizes(128, 256, 128) };
+
         private static UniversalCryptoTransform CreateTransformCore(
             CipherMode cipherMode,
             PaddingMode paddingMode,
@@ -19,11 +23,17 @@ private static UniversalCryptoTransform CreateTransformCore(
             bool encrypting)
         {
             ValidateCipherMode(cipherMode);
+            if (iv is null)
+                throw new CryptographicException(SR.Cryptography_MissingIV);
 
-            Debug.Assert(blockSize == AesManagedTransform.BlockSizeBytes);
+            Debug.Assert(blockSize == BlockSizeBytes);
             Debug.Assert(paddingSize == blockSize);
 
-            return UniversalCryptoTransform.Create(paddingMode, new AesManagedTransform(key, iv, encrypting), encrypting);
+            BasicSymmetricCipher cipher = Interop.BrowserCrypto.CanUseSubtleCrypto ?
+                new AesSubtleCryptoTransform(key, iv, encrypting) :
+                new AesManagedTransform(key, iv, encrypting);
+
+            return UniversalCryptoTransform.Create(paddingMode, cipher, encrypting);
         }
 
         private static ILiteSymmetricCipher CreateLiteCipher(
@@ -37,10 +47,12 @@ private static ILiteSymmetricCipher CreateLiteCipher(
         {
             ValidateCipherMode(cipherMode);
 
-            Debug.Assert(blockSize == AesManagedTransform.BlockSizeBytes);
+            Debug.Assert(blockSize == BlockSizeBytes);
             Debug.Assert(paddingSize == blockSize);
 
-            return new AesManagedTransform(key, iv, encrypting);
+            return Interop.BrowserCrypto.CanUseSubtleCrypto ?
+                new AesSubtleCryptoTransform(key, iv, encrypting) :
+                new AesManagedTransform(key, iv, encrypting);
         }
 
         private static void ValidateCipherMode(CipherMode cipherMode)

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/AesImplementation.NonBrowser.cs

@@ -0,0 +1,10 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace System.Security.Cryptography
+{
+    internal sealed partial class AesImplementation
+    {
+        internal static readonly KeySizes[] s_legalKeySizes = { new KeySizes(128, 256, 64) };
+    }
+}

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/AesManagedTransform.Browser.cs

@@ -9,7 +9,7 @@ namespace System.Security.Cryptography
 {
     internal sealed class AesManagedTransform : BasicSymmetricCipher, ILiteSymmetricCipher
     {
-        public const int BlockSizeBytes = 16; // 128 bits
+        private const int BlockSizeBytes = AesImplementation.BlockSizeBytes;
         private const int BlockSizeInts = BlockSizeBytes / 4;
 
         private readonly bool _encrypting;
@@ -30,13 +30,7 @@ public AesManagedTransform(ReadOnlySpan<byte> key,
             : base(iv: null, BlockSizeBytes, BlockSizeBytes)
         {
             Debug.Assert(BitConverter.IsLittleEndian, "The logic of casting Span<int> to Span<byte> below assumes little endian");
-
-            if (iv.IsEmpty)
-                throw new CryptographicException(SR.Cryptography_MissingIV);
-
-            // we only support the standard AES block size
-            if (iv.Length != BlockSizeBytes)
-                throw new CryptographicException(SR.Cryptography_InvalidIVSize);
+            Debug.Assert(iv.Length == BlockSizeBytes);
 
             _encrypting = encrypting;
             _Nr = GetNumberOfRounds(key);
@@ -331,7 +325,7 @@ private static int GetNumberOfRounds(ReadOnlySpan<byte> key)
             return (BlockSizeBytes > key.Length ? BlockSizeBytes : key.Length) switch
             {
                 16 => 10, // 128 bits
-                24 => 12, // 192 bits
+                // 24 => 12, // 192 bits is not supported by SubtleCrypto, so the managed implementation doesn't support it either
                 32 => 14, // 256 bits
                 _ => throw new CryptographicException(SR.Cryptography_InvalidKeySize)
             };