github.com/dotnet/runtime.git
author Eric Erhardt <eric.erhardt@microsoft.com> 2022-07-06 03:46:09 +0300
committer GitHub <noreply@github.com> 2022-07-06 03:46:09 +0300
commit 4222e699371ed72ac1fe702e5cfb44a01f3847d8
tree f3a14cf07b502644b8559606a246f2b8018d2fb1 /src/native
parent 0e5fcea02506b4f4526aa5e3aaec13d81a181b2d
Use crypto.subtle for AES on Browser WASM (#71501)
* Use crypto.subtle for AES on Browser WASM

Implement the browser "native" portion for AES on Browser WASM.

There are two issues to solve .NET's Aes API on crypto.subtle:

1. The .NET API supports streaming while crypto.subtle only supports "one shot" APIs.
2. The .NET API supports multiple padding modes while crypto.subtle only supports PKCS7.

To solve these issues, we use the following approach:

1. We only invoke crypto.subtle with complete AES "blocks" of data. This allows us to make assumptions about the padding behavior.
2. To implement streaming, remember the last block of the previous cipher text to use as the IV for the next stream of data.
3. When encrypting, since we have a complete block of data and crypto.subtle uses PKCS7 padding, strip off the last block of cipher text which will always be a full block of padding.
4. When decrypting do the inverse of encrypting - append an encrypted block of padding to the cipher text so crypto.subtle will return the full message as plain text.

Other changes:

- Make a few refactoring / simplifications where necessary.
- SubtleCrypto doesn't support 192 bit AES keys, so no longer support AES-192 on Browser.

Contributes to #40074

* Use an empty array to create encrypted padding block.
Diffstat (limited to 'src/native')
-rw-r--r-- src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.c | 25
-rw-r--r-- src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.h | 11
2 files changed, 36 insertions, 0 deletions
diff --git a/src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.c b/src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.c
index 60b665dced1..0c78013ac34 100644
--- a/src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.c
+++ b/src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.c
@@ -21,6 +21,17 @@ extern int32_t dotnet_browser_sign(
uint8_t* output_buffer,
int32_t output_len);
+extern int32_t dotnet_browser_encrypt_decrypt(
+ int32_t encrypting,
+ uint8_t* key_buffer,
+ int32_t key_len,
+ uint8_t* iv_buffer,
+ int32_t iv_len,
+ uint8_t* input_buffer,
+ int32_t input_len,
+ uint8_t* output_buffer,
+ int32_t output_len);
+
extern int32_t dotnet_browser_can_use_subtle_crypto_impl(void);
int32_t SystemCryptoNativeBrowser_SimpleDigestHash(
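Review bot: In the new extern declaration of dotnet_browser_encrypt_decrypt, key_buffer, iv_buffer and input_buffer are plain uint8_t* even though, by their names, they are inputs and only output_buffer is a destination. Declaring the three inputs as const uint8_t* would let the compiler reject accidental writes to key and IV material and would make the data direction readable from the signature alone.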
@@ -45,6 +56,20 @@ int32_t SystemCryptoNativeBrowser_Sign(
return dotnet_browser_sign(hashAlgorithm, key_buffer, key_len, input_buffer, input_len, output_buffer, output_len);
}
+int32_t SystemCryptoNativeBrowser_EncryptDecrypt(
+ int32_t encrypting,
+ uint8_t* key_buffer,
+ int32_t key_len,
+ uint8_t* iv_buffer,
+ int32_t iv_len,
+ uint8_t* input_buffer,
+ int32_t input_len,
+ uint8_t* output_buffer,
+ int32_t output_len)
+{
+ return dotnet_browser_encrypt_decrypt(encrypting, key_buffer, key_len, iv_buffer, iv_len, input_buffer, input_len, output_buffer, output_len);
+}
+
int32_t SystemCryptoNativeBrowser_CanUseSubtleCryptoImpl(void)
{
return dotnet_browser_can_use_subtle_crypto_impl();
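Review bot: SystemCryptoNativeBrowser_EncryptDecrypt forwards all nine arguments to dotnet_browser_encrypt_decrypt unchecked, so a NULL buffer, a negative length, or a key_len the backend cannot handle (the commit message drops AES-192) is only noticed, if at all, inside the imported function. If the caller is guaranteed to validate these, a short comment saying so would help; otherwise reject bad arguments here before crossing the boundary, for example when key_buffer, iv_buffer or output_buffer is NULL or any of the length parameters is negative. The encrypting parameter is an int32_t with no stated values; say whether any non-zero value selects encryption.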
diff --git a/src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.h b/src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.h
index c0b598edb0d..2166a4a2177 100644
--- a/src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.h
+++ b/src/native/libs/System.Security.Cryptography.Native.Browser/pal_crypto_webworker.h
@@ -31,4 +31,15 @@ PALEXPORT int32_t SystemCryptoNativeBrowser_Sign(
uint8_t* output_buffer,
int32_t output_len);
+PALEXPORT int32_t SystemCryptoNativeBrowser_EncryptDecrypt(
+ int32_t encrypting,
+ uint8_t* key_buffer,
+ int32_t key_len,
+ uint8_t* iv_buffer,
+ int32_t iv_len,
+ uint8_t* input_buffer,
+ int32_t input_len,
+ uint8_t* output_buffer,
+ int32_t output_len);
+
PALEXPORT int32_t SystemCryptoNativeBrowser_CanUseSubtleCryptoImpl(void);
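Review bot: The exported SystemCryptoNativeBrowser_EncryptDecrypt prototype has no comment describing its contract: what the int32_t return value means (bytes written or a status code) and how large output_len must be relative to input_len. The commit message says a padding block is stripped on encrypt and appended on decrypt, so the required output size is not obvious from the signature; a doc comment above the declaration stating the return convention and the buffer size requirement would make the export safer to call.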