[webcrypto] Add raw symmetric key AES-KW wrap/unwrap for NSS.

content/renderer/webcrypto/shared_crypto_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/shared_crypto.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 120 matching lines @@
   corrupted_data[corrupted_data.size() / 2] ^= 0x01;
   return corrupted_data;
 }
 
 std::vector<uint8> HexStringToBytes(const std::string& hex) {
   std::vector<uint8> bytes;
   base::HexStringToBytes(hex, &bytes);
   return bytes;
 }
 
-void ExpectArrayBufferMatches(const std::vector<uint8>& expected,
-                              const blink::WebArrayBuffer& actual) {
-  EXPECT_EQ(
-      base::HexEncode(webcrypto::Uint8VectorStart(expected), expected.size()),
-      base::HexEncode(actual.data(), actual.byteLength()));
+::testing::AssertionResult ArrayBufferMatches(
+    const std::vector<uint8>& expected,
+    const blink::WebArrayBuffer& actual) {
+  if (base::HexEncode(webcrypto::Uint8VectorStart(expected), expected.size()) ==
+      base::HexEncode(actual.data(), actual.byteLength()))
+    return ::testing::AssertionSuccess();
+  return ::testing::AssertionFailure();
 }
 
 void ExpectCryptoDataMatchesHex(const std::string& expected_hex,
                                 const CryptoData& actual) {
   EXPECT_STRCASEEQ(
       expected_hex.c_str(),
       base::HexEncode(actual.bytes(), actual.byte_length()).c_str());
 }
 
 void ExpectArrayBufferMatchesHex(const std::string& expected_hex,
@@ skipping 403 matching lines @@
     ASSERT_TRUE(tests->GetDictionary(test_index, &test));
 
     blink::WebCryptoAlgorithm test_algorithm =
         GetDigestAlgorithm(test, "algorithm");
     std::vector<uint8> test_input = GetBytesFromHexString(test, "input");
     std::vector<uint8> test_output = GetBytesFromHexString(test, "output");
 
     blink::WebArrayBuffer output;
     ASSERT_STATUS_SUCCESS(
         Digest(test_algorithm, CryptoData(test_input), &output));
-    ExpectArrayBufferMatches(test_output, output);
+    EXPECT_TRUE(ArrayBufferMatches(test_output, output));
   }
 }
 
 TEST_F(SharedCryptoTest, HMACSampleSets) {
   scoped_ptr<base::ListValue> tests;
   ASSERT_TRUE(ReadJsonTestFileToList("hmac.json", &tests));
 
   for (size_t test_index = 0; test_index < tests->GetSize(); ++test_index) {
     SCOPED_TRACE(test_index);
     base::DictionaryValue* test;
@@ skipping 15 matching lines @@
         test_key,
         importAlgorithm,
         blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify);
 
     EXPECT_EQ(test_hash.id(), key.algorithm().hmacParams()->hash().id());
 
     // Verify exported raw key is identical to the imported data
     blink::WebArrayBuffer raw_key;
     EXPECT_STATUS_SUCCESS(
         ExportKey(blink::WebCryptoKeyFormatRaw, key, &raw_key));
-    ExpectArrayBufferMatches(test_key, raw_key);
+    EXPECT_TRUE(ArrayBufferMatches(test_key, raw_key));
 
     blink::WebArrayBuffer output;
 
     ASSERT_STATUS_SUCCESS(
         Sign(algorithm, key, CryptoData(test_message), &output));
 
-    ExpectArrayBufferMatches(test_mac, output);
+    EXPECT_TRUE(ArrayBufferMatches(test_mac, output));
 
     bool signature_match = false;
     EXPECT_STATUS_SUCCESS(VerifySignature(algorithm,
                                           key,
                                           CryptoData(output),
                                           CryptoData(test_message),
                                           &signature_match));
     EXPECT_TRUE(signature_match);
 
     // Ensure truncated signature does not verify by passing one less byte.
@@ skipping 131 matching lines @@
         test_key,
         CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
         blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
 
     EXPECT_EQ(test_key.size() * 8, key.algorithm().aesParams()->lengthBits());
 
     // Verify exported raw key is identical to the imported data
     blink::WebArrayBuffer raw_key;
     EXPECT_STATUS_SUCCESS(
         ExportKey(blink::WebCryptoKeyFormatRaw, key, &raw_key));
-    ExpectArrayBufferMatches(test_key, raw_key);
+    EXPECT_TRUE(ArrayBufferMatches(test_key, raw_key));
 
     blink::WebArrayBuffer output;
 
     // Test encryption.
     EXPECT_STATUS(Status::Success(),
                   Encrypt(webcrypto::CreateAesCbcAlgorithm(test_iv),
                           key,
                           CryptoData(test_plain_text),
                           &output));
-    ExpectArrayBufferMatches(test_cipher_text, output);
+    EXPECT_TRUE(ArrayBufferMatches(test_cipher_text, output));
 
     // Test decryption.
     EXPECT_STATUS(Status::Success(),
                   Decrypt(webcrypto::CreateAesCbcAlgorithm(test_iv),
                           key,
                           CryptoData(test_cipher_text),
                           &output));
-    ExpectArrayBufferMatches(test_plain_text, output);
+    EXPECT_TRUE(ArrayBufferMatches(test_plain_text, output));
 
     const unsigned int kAesCbcBlockSize = 16;
 
     // Decrypt with a padding error by stripping the last block. This also ends
     // up testing decryption over empty cipher text.
     if (test_cipher_text.size() >= kAesCbcBlockSize) {
       EXPECT_STATUS(
           Status::Error(),
           Decrypt(CreateAesCbcAlgorithm(test_iv),
                   key,
@@ skipping 860 matching lines @@
       blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt,
       &public_key,
       &private_key);
 
   // Decrypt the known-good ciphertext with the private key. As a check we must
   // get the known original cleartext.
   blink::WebArrayBuffer decrypted_data;
   ASSERT_STATUS_SUCCESS(
       Decrypt(algorithm, private_key, CryptoData(ciphertext), &decrypted_data));
   EXPECT_FALSE(decrypted_data.isNull());
-  ExpectArrayBufferMatches(cleartext, decrypted_data);
+  EXPECT_TRUE(ArrayBufferMatches(cleartext, decrypted_data));
 
   // Encrypt this decrypted data with the public key.
   blink::WebArrayBuffer encrypted_data;
   ASSERT_STATUS_SUCCESS(Encrypt(
       algorithm, public_key, CryptoData(decrypted_data), &encrypted_data));
   EXPECT_EQ(128u, encrypted_data.byteLength());
 
   // Finally, decrypt the newly encrypted result with the private key, and
   // compare to the known original cleartext.
   decrypted_data.reset();
   ASSERT_STATUS_SUCCESS(Decrypt(
       algorithm, private_key, CryptoData(encrypted_data), &decrypted_data));
   EXPECT_FALSE(decrypted_data.isNull());
-  ExpectArrayBufferMatches(cleartext, decrypted_data);
+  EXPECT_TRUE(ArrayBufferMatches(cleartext, decrypted_data));
 }
 
 TEST_F(SharedCryptoTest, MAYBE(RsaEsFailures)) {
   // Import a key pair.
   blink::WebCryptoAlgorithm algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
   ImportRsaKeyPair(
       HexStringToBytes(kPublicKeySpkiDerHex),
@@ skipping 229 matching lines @@
     ASSERT_TRUE(tests->GetDictionary(test_index, &test));
 
     std::vector<uint8> test_message =
         GetBytesFromHexString(test, "message_hex");
     std::vector<uint8> test_signature =
         GetBytesFromHexString(test, "signature_hex");
 
     signature.reset();
     ASSERT_STATUS_SUCCESS(
         Sign(algorithm, private_key, CryptoData(test_message), &signature));
-    ExpectArrayBufferMatches(test_signature, signature);
+    EXPECT_TRUE(ArrayBufferMatches(test_signature, signature));
 
     bool is_match = false;
     ASSERT_STATUS_SUCCESS(VerifySignature(algorithm,
                                           public_key,
                                           CryptoData(test_signature),
                                           CryptoData(test_message),
                                           &is_match));
     EXPECT_TRUE(is_match);
   }
 }
@@ skipping 75 matching lines @@
       "72d4e475ff34215416c9ad9c8281247a4d730c5f275ac23f376e73e3bce8d7d5a";
   EXPECT_STATUS(Status::Error(),
                 ImportKey(blink::WebCryptoKeyFormatRaw,
                           CryptoData(HexStringToBytes(key_raw_hex_in)),
                           algorithm,
                           true,
                           blink::WebCryptoKeyUsageWrapKey,
                           &key));
 }
 
+TEST_F(SharedCryptoTest, MAYBE(AesKwRawSymkeyWrapUnwrapKnownAnswer)) {
+  scoped_ptr<base::ListValue> tests;
+  ASSERT_TRUE(ReadJsonTestFileToList("aes_kw.json", &tests));
+
+  for (size_t test_index = 0; test_index < tests->GetSize(); ++test_index) {
+    SCOPED_TRACE(test_index);
+    base::DictionaryValue* test;
+    ASSERT_TRUE(tests->GetDictionary(test_index, &test));
+    const std::vector<uint8> test_kek = GetBytesFromHexString(test, "kek");
+    const std::vector<uint8> test_key = GetBytesFromHexString(test, "key");
+    const std::vector<uint8> test_ciphertext =
+        GetBytesFromHexString(test, "ciphertext");
+    const blink::WebCryptoAlgorithm wrapping_algorithm =
+        webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesKw);
+
+    // Import the wrapping key.
+    blink::WebCryptoKey wrapping_key = ImportSecretKeyFromRaw(
+        test_kek,
+        wrapping_algorithm,
+        blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey);
+
+    // Import the key to be wrapped.
+    blink::WebCryptoKey key = ImportSecretKeyFromRaw(
+        test_key,
+        webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
+        blink::WebCryptoKeyUsageEncrypt);
+
+    // Wrap the key and verify the ciphertext result against the known answer.
+    blink::WebArrayBuffer wrapped_key;
+    ASSERT_STATUS_SUCCESS(WrapKey(blink::WebCryptoKeyFormatRaw,
+                                  wrapping_key,
+                                  key,
+                                  wrapping_algorithm,
+                                  &wrapped_key));
+    EXPECT_TRUE(ArrayBufferMatches(test_ciphertext, wrapped_key));
+
+    // Unwrap the known ciphertext to get a new test_key.
+    blink::WebCryptoKey unwrapped_key = blink::WebCryptoKey::createNull();
+    ASSERT_STATUS_SUCCESS(
+        UnwrapKey(blink::WebCryptoKeyFormatRaw,
+                  CryptoData(test_ciphertext),
+                  wrapping_key,
+                  wrapping_algorithm,
+                  webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
+                  true,
+                  blink::WebCryptoKeyUsageEncrypt,
+                  &unwrapped_key));
+    EXPECT_FALSE(key.isNull());
+    EXPECT_TRUE(key.handle());
+    EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
+    EXPECT_EQ(
+        webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc).id(),
+        key.algorithm().id());
+    EXPECT_EQ(true, key.extractable());
+    EXPECT_EQ(blink::WebCryptoKeyUsageEncrypt, key.usages());
+
+    // Export the new key and compare its raw bytes with the original known key.
+    blink::WebArrayBuffer raw_key;
+    EXPECT_STATUS_SUCCESS(
+        ExportKey(blink::WebCryptoKeyFormatRaw, unwrapped_key, &raw_key));
+    EXPECT_TRUE(ArrayBufferMatches(test_key, raw_key));
+  }
+}
+
+TEST_F(SharedCryptoTest, MAYBE(AesKwRawSymkeyWrapUnwrapErrors)) {
+  scoped_ptr<base::ListValue> tests;
+  ASSERT_TRUE(ReadJsonTestFileToList("aes_kw.json", &tests));
+  base::DictionaryValue* test;
+  // Use 256 bits of data with a 256-bit KEK
+  ASSERT_TRUE(tests->GetDictionary(5, &test));
+  const std::vector<uint8> test_kek = GetBytesFromHexString(test, "kek");
+  const std::vector<uint8> test_key = GetBytesFromHexString(test, "key");
+  const std::vector<uint8> test_ciphertext =
+      GetBytesFromHexString(test, "ciphertext");
+  const blink::WebCryptoAlgorithm wrapping_algorithm =
+      webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesKw);
+  const blink::WebCryptoAlgorithm key_algorithm =
+      webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc);
+  // Import the wrapping key.
+  blink::WebCryptoKey wrapping_key = ImportSecretKeyFromRaw(
+      test_kek,
+      wrapping_algorithm,
+      blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey);
+  // Import the key to be wrapped.
+  blink::WebCryptoKey key = ImportSecretKeyFromRaw(
+      test_key,
+      webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
+      blink::WebCryptoKeyUsageEncrypt);
+
+  // Unwrap with null algorithm must fail.
+  blink::WebCryptoKey unwrapped_key = blink::WebCryptoKey::createNull();
+  EXPECT_STATUS(Status::ErrorMissingAlgorithmUnwrapRawKey(),
+                UnwrapKey(blink::WebCryptoKeyFormatRaw,
+                          CryptoData(test_ciphertext),
+                          wrapping_key,
+                          wrapping_algorithm,
+                          blink::WebCryptoAlgorithm::createNull(),
+                          true,
+                          blink::WebCryptoKeyUsageEncrypt,
+                          &unwrapped_key));
+
+  // Unwrap with wrapped data too small must fail.
+  const std::vector<uint8> small_data(test_ciphertext.begin(),
+                                      test_ciphertext.begin() + 23);
+  EXPECT_STATUS(Status::ErrorDataTooSmall(),
+                UnwrapKey(blink::WebCryptoKeyFormatRaw,
+                          CryptoData(small_data),
+                          wrapping_key,
+                          wrapping_algorithm,
+                          key_algorithm,
+                          true,
+                          blink::WebCryptoKeyUsageEncrypt,
+                          &unwrapped_key));
+
+  // Unwrap with wrapped data size not a multiple of 8 bytes must fail.
+  const std::vector<uint8> unaligned_data(test_ciphertext.begin(),
+                                          test_ciphertext.end() - 2);
+  EXPECT_STATUS(Status::ErrorInvalidAesKwDataLength(),
+                UnwrapKey(blink::WebCryptoKeyFormatRaw,
+                          CryptoData(unaligned_data),
+                          wrapping_key,
+                          wrapping_algorithm,
+                          key_algorithm,
+                          true,
+                          blink::WebCryptoKeyUsageEncrypt,
+                          &unwrapped_key));
+}
+
+TEST_F(SharedCryptoTest, MAYBE(AesKwRawSymkeyUnwrapCorruptData)) {
+  scoped_ptr<base::ListValue> tests;
+  ASSERT_TRUE(ReadJsonTestFileToList("aes_kw.json", &tests));
+  base::DictionaryValue* test;
+  // Use 256 bits of data with a 256-bit KEK
+  ASSERT_TRUE(tests->GetDictionary(5, &test));
+  const std::vector<uint8> test_kek = GetBytesFromHexString(test, "kek");
+  const std::vector<uint8> test_key = GetBytesFromHexString(test, "key");
+  const std::vector<uint8> test_ciphertext =
+      GetBytesFromHexString(test, "ciphertext");
+  const blink::WebCryptoAlgorithm wrapping_algorithm =
+      webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesKw);
+
+  // Import the wrapping key.
+  blink::WebCryptoKey wrapping_key = ImportSecretKeyFromRaw(
+      test_kek,
+      wrapping_algorithm,
+      blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey);
+
+  // Unwrap a corrupted version of the known ciphertext. Unwrap should pass but
+  // will produce a key that is different than the known original.
+  blink::WebCryptoKey unwrapped_key = blink::WebCryptoKey::createNull();
+  ASSERT_STATUS_SUCCESS(
+      UnwrapKey(blink::WebCryptoKeyFormatRaw,
+                CryptoData(Corrupted(test_ciphertext)),
+                wrapping_key,
+                wrapping_algorithm,
+                webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
+                true,
+                blink::WebCryptoKeyUsageEncrypt,
+                &unwrapped_key));
+
+  // Export the new key and compare its raw bytes with the original known key.
+  // The comparison should fail.
+  blink::WebArrayBuffer raw_key;
+  EXPECT_STATUS_SUCCESS(
+      ExportKey(blink::WebCryptoKeyFormatRaw, unwrapped_key, &raw_key));
+  EXPECT_FALSE(ArrayBufferMatches(test_key, raw_key));
+}
+
 // TODO(eroman):
 //   * Test decryption when the tag length exceeds input size
 //   * Test decryption with empty input
 //   * Test decryption with tag length of 0.
 TEST_F(SharedCryptoTest, MAYBE(AesGcmSampleSets)) {
   // Some Linux test runners may not have a new enough version of NSS.
   if (!SupportsAesGcm()) {
     LOG(WARNING) << "AES GCM not supported, skipping tests";
     return;
   }
@@ skipping 22 matching lines @@
     blink::WebCryptoKey key = ImportSecretKeyFromRaw(
         test_key,
         CreateAlgorithm(blink::WebCryptoAlgorithmIdAesGcm),
         blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
 
     // Verify exported raw key is identical to the imported data
     blink::WebArrayBuffer raw_key;
     EXPECT_STATUS_SUCCESS(
         ExportKey(blink::WebCryptoKeyFormatRaw, key, &raw_key));
 
-    ExpectArrayBufferMatches(test_key, raw_key);
+    EXPECT_TRUE(ArrayBufferMatches(test_key, raw_key));
 
     // Test encryption.
     std::vector<uint8> cipher_text;
     std::vector<uint8> authentication_tag;
     EXPECT_STATUS_SUCCESS(AesGcmEncrypt(key,
                                         test_iv,
                                         test_additional_data,
                                         test_tag_size_bits,
                                         test_plain_text,
                                         &cipher_text,
                                         &authentication_tag));
 
     ExpectVectorMatches(test_cipher_text, cipher_text);
     ExpectVectorMatches(test_authentication_tag, authentication_tag);
 
     // Test decryption.
     blink::WebArrayBuffer plain_text;
     EXPECT_STATUS_SUCCESS(AesGcmDecrypt(key,
                                         test_iv,
                                         test_additional_data,
                                         test_tag_size_bits,
                                         test_cipher_text,
                                         test_authentication_tag,
                                         &plain_text));
-    ExpectArrayBufferMatches(test_plain_text, plain_text);
+    EXPECT_TRUE(ArrayBufferMatches(test_plain_text, plain_text));
 
     // Decryption should fail if any of the inputs are tampered with.
     EXPECT_STATUS(Status::Error(),
                   AesGcmDecrypt(key,
                                 Corrupted(test_iv),
                                 test_additional_data,
                                 test_tag_size_bits,
                                 test_cipher_text,
                                 test_authentication_tag,
                                 &plain_text));
@@ skipping 35 matching lines @@
                                         test_cipher_text,
                                         test_authentication_tag,
                                         &plain_text));
     }
   }
 }
 
 }  // namespace webcrypto
 
 }  // namespace content