[webcrypto] Add symmetric key export for NSS and OpenSSL.

content/renderer/webcrypto/webcrypto_impl_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 76 matching lines @@
   return blink::WebCryptoAlgorithm::adoptParamsAndCreate(
       algorithm_id,
       new blink::WebCryptoRsaKeyGenParams(
           modulus_length,
           webcrypto::Uint8VectorStart(public_exponent),
           public_exponent.size()));
 }
 
 #endif  // #if !defined(USE_OPENSSL)
 
+// Determines if two ArrayBuffers have identical content.
+bool ArrayBuffersEqual(
+    const blink::WebArrayBuffer& a,
+    const blink::WebArrayBuffer& b) {
+  if (a.byteLength() != b.byteLength())
+    return false;
+  const uint8* a_begin = static_cast<uint8*>(a.data());
+  const uint8* const a_end = a_begin + a.byteLength();
+  const uint8* b_begin = static_cast<uint8*>(b.data());
+  return std::equal(a_begin, a_end, b_begin);

[eroman, 2013/12/05 01:47:53]

[no change necessary] My inclination would have been to write a 1 liner:

return a.byteLength() == b.byteLength() && memcmp(a.data(), b.data(),
a.byteLength() == 0);

Not sure how the boolean specialization of std::equal gets optimized, but
memcmp() is always pretty good.

[padolph, 2013/12/05 02:45:57]

I'm sure std::equal optimizes down to memcmp in this case. But I like your
1-liner better.

Done.

+}
+
+// Adapts ArrayBufferEqual() into a unary predicate for use with std::count_if
+// in CopiesExist().
+class ArrayBufferEqualTo {
+ public:
+  ArrayBufferEqualTo(const blink::WebArrayBuffer& b) : b_(b) {}
+  bool operator()(const blink::WebArrayBuffer& a) const {
+    return ArrayBuffersEqual(a, b_);
+  }
+
+ private:
+  const blink::WebArrayBuffer& b_;
+};
+
+// Given a vector of WebArrayBuffers, determines if there are any copies. Not
+// the most efficient implementation, but the vector is expected to be small.
+bool CopiesExist(std::vector<blink::WebArrayBuffer> bufs) {
+  for (std::vector<blink::WebArrayBuffer>::const_iterator it = bufs.begin();

[eroman, 2013/12/05 01:47:53]

I much prefer the old-fashioned double-for-loop here:

for (size_t i = 0; i < bufs.size(); ++i) {
  for (size_t j = i + 1; j < bufs.size(); ++j) {
    if (ArrayBuffersEqual(bufs[i], bufs[j])
      return false;
  }
}

Which has the advantage of doing half as many arraybuffer comparisons, doesn't
require the ArrayBufferEqualTo helper class, and in my humble opinion is more
readable :)

[padolph, 2013/12/05 02:45:57]

I can't argue with that. 1/3 the lines and faster. Hard to shake my STL habit.
Done.

+       it != bufs.end();
+       ++it) {
+    if (std::count_if(bufs.begin(), bufs.end(), ArrayBufferEqualTo(*it)) != 1)
+      return true;
+  }
+  return false;
+}
+
 }  // namespace
 
 class WebCryptoImplTest : public testing::Test {
  protected:
   blink::WebCryptoKey ImportSecretKeyFromRawHexString(
       const std::string& key_hex,
       const blink::WebCryptoAlgorithm& algorithm,
       blink::WebCryptoKeyUsageMask usage) {
     std::vector<uint8> key_raw = HexStringToBytes(key_hex);
 
@@ skipping 318 matching lines @@
        ++test_index) {
     SCOPED_TRACE(test_index);
     const TestCase& test = kTests[test_index];
 
     blink::WebCryptoAlgorithm algorithm =
         webcrypto::CreateHmacAlgorithmByHashId(test.algorithm);
 
     blink::WebCryptoKey key = ImportSecretKeyFromRawHexString(
         test.key, algorithm, blink::WebCryptoKeyUsageSign);
 
+    // Verify exported raw key is identical to the imported data
+    blink::WebArrayBuffer raw_key;
+    EXPECT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &raw_key));
+    ExpectArrayBufferMatchesHex(test.key, raw_key);
+
     std::vector<uint8> message_raw = HexStringToBytes(test.message);
 
     blink::WebArrayBuffer output;
 
     ASSERT_TRUE(SignInternal(algorithm, key, message_raw, &output));
 
     ExpectArrayBufferMatchesHex(test.mac, output);
 
     bool signature_match = false;
     EXPECT_TRUE(VerifySignatureInternal(
@@ skipping 24 matching lines @@
         sizeof(kLongSignature),
         message_raw,
         &signature_match));
     EXPECT_FALSE(signature_match);
   }
 }
 
 #if !defined(USE_OPENSSL)
 
 TEST_F(WebCryptoImplTest, AesCbcFailures) {
+  const std::string key_hex = "2b7e151628aed2a6abf7158809cf4f3c";
   blink::WebCryptoKey key = ImportSecretKeyFromRawHexString(
-      "2b7e151628aed2a6abf7158809cf4f3c",
+      key_hex,
       webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
       blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
 
+  // Verify exported raw key is identical to the imported data
+  blink::WebArrayBuffer raw_key;
+  EXPECT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &raw_key));
+  ExpectArrayBufferMatchesHex(key_hex, raw_key);
+
   blink::WebArrayBuffer output;
 
   // Use an invalid |iv| (fewer than 16 bytes)
   {
     std::vector<uint8> input(32);
     std::vector<uint8> iv;
     EXPECT_FALSE(EncryptInternal(
         webcrypto::CreateAesCbcAlgorithm(iv), key, input, &output));
     EXPECT_FALSE(DecryptInternal(
         webcrypto::CreateAesCbcAlgorithm(iv), key, input, &output));
@@ skipping 33 matching lines @@
 
     blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
     EXPECT_FALSE(ImportKeyInternal(blink::WebCryptoKeyFormatRaw,
                                    key_raw,
                                    webcrypto::CreateAesCbcAlgorithm(iv),
                                    true,
                                    blink::WebCryptoKeyUsageEncrypt,
                                    &key));
   }
 
-  // Fail exporting the key in SPKI format (SPKI export not allowed for secret
-  // keys)
+  // Fail exporting the key in SPKI and PKCS#8 formats (not allowed for secret
+  // keys).
   EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatSpki, key, &output));
+  EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatPkcs8, key, &output));
 }
 
 TEST_F(WebCryptoImplTest, AesCbcSampleSets) {
   struct TestCase {
     const char* key;
     const char* iv;
     const char* plain_text;
     const char* cipher_text;
   };
 
@@ skipping 69 matching lines @@
 
   for (size_t index = 0; index < ARRAYSIZE_UNSAFE(kTests); index++) {
     SCOPED_TRACE(index);
     const TestCase& test = kTests[index];
 
     blink::WebCryptoKey key = ImportSecretKeyFromRawHexString(
         test.key,
         webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
         blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
 
+    // Verify exported raw key is identical to the imported data
+    blink::WebArrayBuffer raw_key;
+    EXPECT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &raw_key));
+    ExpectArrayBufferMatchesHex(test.key, raw_key);
+
     std::vector<uint8> plain_text = HexStringToBytes(test.plain_text);
     std::vector<uint8> iv = HexStringToBytes(test.iv);
 
     blink::WebArrayBuffer output;
 
     // Test encryption.
     EXPECT_TRUE(EncryptInternal(webcrypto::CreateAesCbcAlgorithm(iv),
                                 key,
                                 plain_text,
                                 &output));
@@ skipping 24 matching lines @@
     if (cipher_text.size() > 3) {
       EXPECT_FALSE(DecryptInternal(webcrypto::CreateAesCbcAlgorithm(iv),
                                    key,
                                    &cipher_text[0],
                                    cipher_text.size() - 3,
                                    &output));
     }
   }
 }
 
-// TODO(padolph): Add test to verify generated symmetric keys appear random.
-
 TEST_F(WebCryptoImplTest, GenerateKeyAes) {
-  blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
-  ASSERT_TRUE(
-      GenerateKeyInternal(webcrypto::CreateAesCbcKeyGenAlgorithm(128), &key));
-  EXPECT_TRUE(key.handle());
-  EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
+  // Generate a small sample of AES keys.
+  std::vector<blink::WebArrayBuffer> keys;
+  blink::WebArrayBuffer key_bytes;
+  for (int i = 0; i < 16; ++i) {
+    blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
+    ASSERT_TRUE(
+        GenerateKeyInternal(webcrypto::CreateAesCbcKeyGenAlgorithm(128), &key));
+    EXPECT_TRUE(key.handle());
+    EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
+    ASSERT_TRUE(
+        ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &key_bytes));
+    keys.push_back(key_bytes);
+  }
+  // Ensure all entries in the key sample set are unique. This is a simplistic
+  // estimate of whether the generated keys appear random.
+  EXPECT_FALSE(CopiesExist(keys));
 }
 
 TEST_F(WebCryptoImplTest, GenerateKeyAesBadLength) {
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   EXPECT_FALSE(
       GenerateKeyInternal(webcrypto::CreateAesCbcKeyGenAlgorithm(0), &key));
   EXPECT_FALSE(
       GenerateKeyInternal(webcrypto::CreateAesCbcKeyGenAlgorithm(0), &key));
   EXPECT_FALSE(
       GenerateKeyInternal(webcrypto::CreateAesCbcKeyGenAlgorithm(129), &key));
 }
 
 TEST_F(WebCryptoImplTest, GenerateKeyHmac) {
-  blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
-  blink::WebCryptoAlgorithm algorithm = webcrypto::CreateHmacKeyGenAlgorithm(
-      blink::WebCryptoAlgorithmIdSha1, 128);
-  ASSERT_TRUE(GenerateKeyInternal(algorithm, &key));
-  EXPECT_FALSE(key.isNull());
-  EXPECT_TRUE(key.handle());
-  EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
+  // Generate a small sample of HMAC keys.
+  std::vector<blink::WebArrayBuffer> keys;
+  for (int i = 0; i < 16; ++i) {
+    blink::WebArrayBuffer key_bytes;
+    blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
+    blink::WebCryptoAlgorithm algorithm = webcrypto::CreateHmacKeyGenAlgorithm(
+        blink::WebCryptoAlgorithmIdSha1, 128);
+    ASSERT_TRUE(GenerateKeyInternal(algorithm, &key));
+    EXPECT_FALSE(key.isNull());
+    EXPECT_TRUE(key.handle());
+    EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
+  }
+  // Ensure all entries in the key sample set are unique. This is a simplistic
+  // estimate of whether the generated keys appear random.
+  EXPECT_FALSE(CopiesExist(keys));
 }
 
 TEST_F(WebCryptoImplTest, GenerateKeyHmacNoLength) {
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   blink::WebCryptoAlgorithm algorithm =
       webcrypto::CreateHmacKeyGenAlgorithm(blink::WebCryptoAlgorithmIdSha1, 0);
   ASSERT_TRUE(GenerateKeyInternal(algorithm, &key));
   EXPECT_TRUE(key.handle());
   EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
 }
@@ skipping 401 matching lines @@
       true,
       blink::WebCryptoKeyUsageEncrypt,
       &key));
 
   // Passing case: Export a previously imported RSA public key in SPKI format
   // and compare to original data.
   blink::WebArrayBuffer output;
   ASSERT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatSpki, key, &output));
   ExpectArrayBufferMatchesHex(hex_rsa_spki_der, output);
 
+  // Failing case: Try to export a previously imported RSA public key in raw
+  // format (not allowed for a public key).
+  EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &output));
+
   // Failing case: Try to export a non-extractable key
   ASSERT_TRUE(ImportKeyInternal(
       blink::WebCryptoKeyFormatSpki,
       HexStringToBytes(hex_rsa_spki_der),
       webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5),
       false,
       blink::WebCryptoKeyUsageEncrypt,
       &key));
   EXPECT_TRUE(key.handle());
   EXPECT_FALSE(key.extractable());
@@ skipping 443 matching lines @@
       private_key,
       reinterpret_cast<const unsigned char*>(encrypted_data.data()),
       encrypted_data.byteLength(),
       &decrypted_data));
   ExpectArrayBufferMatchesHex(message_hex_str, decrypted_data);
 }
 
 #endif  // #if !defined(USE_OPENSSL)
 
 }  // namespace content