[webcrypto] Add symmetric key export for NSS and OpenSSL.

content/renderer/webcrypto/webcrypto_impl_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 80 matching lines @@
          algorithm_id == blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 ||
          algorithm_id == blink::WebCryptoAlgorithmIdRsaOaep);
   return blink::WebCryptoAlgorithm::adoptParamsAndCreate(
       algorithm_id,
       new blink::WebCryptoRsaKeyGenParams(
           modulus_length, Start(public_exponent), public_exponent.size()));
 }
 
 #endif  // #if !defined(USE_OPENSSL)
 
+// MIT HAKMEM Bit Count for 8-bit Unsigned Char
+int BitCount8(unsigned char b) {
+  b = (b & 0x55u) + ((b >> 1) & 0x55u);
+  b = (b & 0x33u) + ((b >> 2) & 0x33u);
+  b = (b & 0x0fu) + ((b >> 4) & 0x0fu);
+  return (b);
+}
+
+// Use a binary entropy calculation to check whether the input data appears
+// random. See http://en.wikipedia.org/wiki/Binary_entropy.
+void ExpectDataAppearsRandom(const blink::WebArrayBuffer& key_bytes) {
+  DCHECK(key_bytes.data());
+  DCHECK(key_bytes.byteLength());
+  int n_set_bits = 0;
+  unsigned char* data_ptr = static_cast<unsigned char*>(key_bytes.data());
+  unsigned char* const data_ptr_end = data_ptr + key_bytes.byteLength();
+  while (data_ptr < data_ptr_end) {
+    n_set_bits += BitCount8(*data_ptr++);
+  }
+  // Binary entropy is calculated as -p * log2(p) - (1 - p) * log2(1 - p), where
+  // p is the percentage of set bits in the input data. This function has a
+  // maximum of 1.0 at p = 0.5. Arbitrarily say the input data is random if the
+  // calculated entropy is > 0.75, which solves to 0.2145 ~< p ~< 0.7855.

[eroman, 2013/12/04 19:04:00]

Doesn't this mean that truly random buffers will fail the heuristic 25% of the
time?

That would be an unacceptably high failure rate for unittests, which are
expected to pass 100% of the time.

The existing tests for crypto.getRandomValues() take the approach of generating
multiple random buffers, and then seeing if they match exactly (the probability
of two randomly selected 128-bit values being the same is extremely low). This
does mean that a sequence of incrementing numbers would be classified as
"random", but at least it isn't flaky.

My recommendation is to use some form of iteration to improve the odds. If there
is a 25% probability to fail with 1 pass, then iterating that 10 times would
drop the chance to 0.0001%.

[padolph, 2013/12/04 22:22:13]

No, the math does not work that way. However, I realize I did not
apply the correct technique here.

Binary entropy measures the 'randomness' of a given bit sequence.
The sequence with the most entropy is one that has an equal number
of 1's and 0's. A bit sequence with all 0's for example is not very
'random'.

However, what I am testing here is a single output of the PRNG. A
sample size of 1 can't say much about the quality of the PRNG, and
also as you note, we are interested in the variation of output to
output, not the variation in the bits in a single output. And it
is possible that the PRNG will occasionally produce a 'low binary
entropy' output of mostly 1's or mostly 0's too.

I apologize I did not think this through further.

What we really need is to compute the Shannon Entropy on a large sample set of
outputs from the PRNG. But I don't think that level
of diligence is required here. I think your approach of taking a
small sample set and just comparing each value will be sufficient
and is easy to do. I'll code that up and re-upload.

Thanks for your help!

+  double p = static_cast<double>(n_set_bits) / (key_bytes.byteLength() * 8);
+  EXPECT_GT(p, 0.2145);
+  EXPECT_LT(p, 0.7855);
+}
+
 }  // namespace
 
 namespace content {
 
 class WebCryptoImplTest : public testing::Test {
  protected:
   blink::WebCryptoKey ImportSecretKeyFromRawHexString(
       const std::string& key_hex,
       const blink::WebCryptoAlgorithm& algorithm,
       blink::WebCryptoKeyUsageMask usage) {
@@ skipping 303 matching lines @@
   for (size_t test_index = 0; test_index < ARRAYSIZE_UNSAFE(kTests);
        ++test_index) {
     SCOPED_TRACE(test_index);
     const TestCase& test = kTests[test_index];
 
     blink::WebCryptoAlgorithm algorithm = CreateHmacAlgorithm(test.algorithm);
 
     blink::WebCryptoKey key = ImportSecretKeyFromRawHexString(
         test.key, algorithm, blink::WebCryptoKeyUsageSign);
 
+    // Verify exported raw key is identical to the imported data
+    blink::WebArrayBuffer raw_key;
+    EXPECT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &raw_key));
+    ExpectArrayBufferMatchesHex(test.key, raw_key);
+
     std::vector<uint8> message_raw = HexStringToBytes(test.message);
 
     blink::WebArrayBuffer output;
 
     ASSERT_TRUE(SignInternal(algorithm, key, message_raw, &output));
 
     ExpectArrayBufferMatchesHex(test.mac, output);
 
     bool signature_match = false;
     EXPECT_TRUE(VerifySignatureInternal(
@@ skipping 22 matching lines @@
         key,
         kLongSignature,
         sizeof(kLongSignature),
         message_raw,
         &signature_match));
     EXPECT_FALSE(signature_match);
   }
 }
 
 TEST_F(WebCryptoImplTest, AesCbcFailures) {
+  const std::string key_hex = "2b7e151628aed2a6abf7158809cf4f3c";
   blink::WebCryptoKey key = ImportSecretKeyFromRawHexString(
-      "2b7e151628aed2a6abf7158809cf4f3c",
+      key_hex,
       CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
       blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
 
+  // Verify exported raw key is identical to the imported data
+  blink::WebArrayBuffer raw_key;
+  EXPECT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &raw_key));
+  ExpectArrayBufferMatchesHex(key_hex, raw_key);
+
   blink::WebArrayBuffer output;
 
   // Use an invalid |iv| (fewer than 16 bytes)
   {
     std::vector<uint8> input(32);
     std::vector<uint8> iv;
     EXPECT_FALSE(
         EncryptInternal(CreateAesCbcAlgorithm(iv), key, input, &output));
     EXPECT_FALSE(
         DecryptInternal(CreateAesCbcAlgorithm(iv), key, input, &output));
@@ skipping 33 matching lines @@
 
     blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
     EXPECT_FALSE(ImportKeyInternal(blink::WebCryptoKeyFormatRaw,
                                    key_raw,
                                    CreateAesCbcAlgorithm(iv),
                                    true,
                                    blink::WebCryptoKeyUsageEncrypt,
                                    &key));
   }
 
-  // Fail exporting the key in SPKI format (SPKI export not allowed for secret
-  // keys)
+  // Fail exporting the key in SPKI and PKCS#8 formats (not allowed for secret
+  // keys).
   EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatSpki, key, &output));
+  EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatPkcs8, key, &output));
 }
 
 TEST_F(WebCryptoImplTest, AesCbcSampleSets) {
   struct TestCase {
     const char* key;
     const char* iv;
     const char* plain_text;
     const char* cipher_text;
   };
 
@@ skipping 69 matching lines @@
 
   for (size_t index = 0; index < ARRAYSIZE_UNSAFE(kTests); index++) {
     SCOPED_TRACE(index);
     const TestCase& test = kTests[index];
 
     blink::WebCryptoKey key = ImportSecretKeyFromRawHexString(
         test.key,
         CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
         blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
 
+    // Verify exported raw key is identical to the imported data
+    blink::WebArrayBuffer raw_key;
+    EXPECT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &raw_key));
+    ExpectArrayBufferMatchesHex(test.key, raw_key);
+
     std::vector<uint8> plain_text = HexStringToBytes(test.plain_text);
     std::vector<uint8> iv = HexStringToBytes(test.iv);
 
     blink::WebArrayBuffer output;
 
     // Test encryption.
     EXPECT_TRUE(EncryptInternal(CreateAesCbcAlgorithm(iv),
                                 key,
                                 plain_text,
                                 &output));
@@ skipping 24 matching lines @@
     if (cipher_text.size() > 3) {
       EXPECT_FALSE(DecryptInternal(CreateAesCbcAlgorithm(iv),
                                    key,
                                    &cipher_text[0],
                                    cipher_text.size() - 3,
                                    &output));
     }
   }
 }
 
-// TODO(padolph): Add test to verify generated symmetric keys appear random.
-
 TEST_F(WebCryptoImplTest, GenerateKeyAes) {
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   ASSERT_TRUE(GenerateKeyInternal(CreateAesCbcAlgorithm(128), &key));
   EXPECT_TRUE(key.handle());
   EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
+  blink::WebArrayBuffer key_bytes;
+  ASSERT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &key_bytes));
+  ExpectDataAppearsRandom(key_bytes);
 }
 
 TEST_F(WebCryptoImplTest, GenerateKeyAesBadLength) {
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   EXPECT_FALSE(GenerateKeyInternal(CreateAesCbcAlgorithm(0), &key));
   EXPECT_FALSE(GenerateKeyInternal(CreateAesCbcAlgorithm(129), &key));
 }
 
 TEST_F(WebCryptoImplTest, GenerateKeyHmac) {
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   blink::WebCryptoAlgorithm algorithm =
       CreateHmacKeyAlgorithm(blink::WebCryptoAlgorithmIdSha1, 128);
   ASSERT_TRUE(GenerateKeyInternal(algorithm, &key));
   EXPECT_FALSE(key.isNull());
   EXPECT_TRUE(key.handle());
   EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
+  blink::WebArrayBuffer key_bytes;
+  ASSERT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &key_bytes));
+  ExpectDataAppearsRandom(key_bytes);
 }
 
 TEST_F(WebCryptoImplTest, GenerateKeyHmacNoLength) {
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   blink::WebCryptoAlgorithm algorithm =
       CreateHmacKeyAlgorithm(blink::WebCryptoAlgorithmIdSha1, 0);
   ASSERT_TRUE(GenerateKeyInternal(algorithm, &key));
   EXPECT_TRUE(key.handle());
   EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
 }
@@ skipping 80 matching lines @@
       true,
       blink::WebCryptoKeyUsageEncrypt,
       &key));
 
   // Passing case: Export a previously imported RSA public key in SPKI format
   // and compare to original data.
   blink::WebArrayBuffer output;
   ASSERT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatSpki, key, &output));
   ExpectArrayBufferMatchesHex(hex_rsa_spki_der, output);
 
+  // Failing case: Try to export a previously imported RSA public key in raw
+  // format (not allowed for a public key).
+  EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &output));
+
   // Failing case: Try to export a non-extractable key
   ASSERT_TRUE(ImportKeyInternal(
       blink::WebCryptoKeyFormatSpki,
       HexStringToBytes(hex_rsa_spki_der),
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5),
       false,
       blink::WebCryptoKeyUsageEncrypt,
       &key));
   EXPECT_TRUE(key.handle());
   EXPECT_FALSE(key.extractable());
@@ skipping 445 matching lines @@
       private_key,
       reinterpret_cast<const unsigned char*>(encrypted_data.data()),
       encrypted_data.byteLength(),
       &decrypted_data));
   ExpectArrayBufferMatchesHex(message_hex_str, decrypted_data);
 }
 
 #endif  // #if !defined(USE_OPENSSL)
 
 }  // namespace content