[webcrypto] JWK: Updated import(ext, key_ops) and added export of symmetric keys

content/child/webcrypto/shared_crypto_unittest.cc

Index: content/child/webcrypto/shared_crypto_unittest.cc
diff --git a/content/child/webcrypto/shared_crypto_unittest.cc b/content/child/webcrypto/shared_crypto_unittest.cc
index 48db1a6da8d72e5a49c27bc39cc298fb41fc6402..a63260ff953e89cc9a7397dcf4473e0f3b28c042 100644
--- a/content/child/webcrypto/shared_crypto_unittest.cc
+++ b/content/child/webcrypto/shared_crypto_unittest.cc
@@ -51,6 +51,25 @@ namespace webcrypto {
 
 namespace {
 
+// TODO(eroman): For Linux builds using system NSS, AES-GCM support is a
+// runtime dependency. Test it by trying to import a key.
+// TODO(padolph): Consider caching the result of the import key test.
+bool SupportsAesGcm() {
+  std::vector<uint8> key_raw(16, 0);
+
+  blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
+  Status status = ImportKey(blink::WebCryptoKeyFormatRaw,
+                            CryptoData(key_raw),
+                            CreateAlgorithm(blink::WebCryptoAlgorithmIdAesGcm),
+                            true,
+                            blink::WebCryptoKeyUsageEncrypt,
+                            &key);
+
+  if (status.IsError())
+    EXPECT_EQ(Status::ErrorUnsupported().ToString(), status.ToString());

[eroman, 2014/03/13 22:31:13]

[optional] update this to use EXPECT_STATUS()

[padolph, 2014/03/13 22:39:34]

Done.

+  return status.IsSuccess();
+}
+
 blink::WebCryptoAlgorithm CreateRsaKeyGenAlgorithm(
     blink::WebCryptoAlgorithmId algorithm_id,
     unsigned int modulus_length,
@@ -93,6 +112,7 @@ blink::WebCryptoAlgorithm CreateAesGcmAlgorithm(
     const std::vector<uint8>& iv,
     const std::vector<uint8>& additional_data,
     unsigned int tag_length_bits) {
+  DCHECK(SupportsAesGcm());

[eroman, 2014/03/13 22:31:13]

Instead of DCHECK() please use EXPECT_TRUE(). DCHECK() is only run for debug
builds, whereas EXPECT_TRUE() will give useful log messages for all builds.

[padolph, 2014/03/13 22:39:34]

Done.

   return blink::WebCryptoAlgorithm::adoptParamsAndCreate(
       blink::WebCryptoAlgorithmIdAesGcm,
       new blink::WebCryptoAesGcmParams(Uint8VectorStart(iv),
@@ -343,6 +363,7 @@ blink::WebCryptoAlgorithm CreateAesCbcKeyGenAlgorithm(
 
 blink::WebCryptoAlgorithm CreateAesGcmKeyGenAlgorithm(
     unsigned short key_length_bits) {
+  DCHECK(SupportsAesGcm());

[eroman, 2014/03/13 22:31:13]

ditto

[padolph, 2014/03/13 22:39:34]

Done.

   return CreateAesKeyGenAlgorithm(blink::WebCryptoAlgorithmIdAesGcm,
                                   key_length_bits);
 }
@@ -450,24 +471,6 @@ void ImportRsaKeyPair(const std::vector<uint8>& spki_der,
   EXPECT_EQ(usage_mask, private_key->usages());
 }
 
-// TODO(eroman): For Linux builds using system NSS, AES-GCM support is a
-// runtime dependency. Test it by trying to import a key.
-bool SupportsAesGcm() {
-  std::vector<uint8> key_raw(16, 0);
-
-  blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
-  Status status = ImportKey(blink::WebCryptoKeyFormatRaw,
-                            CryptoData(key_raw),
-                            CreateAlgorithm(blink::WebCryptoAlgorithmIdAesGcm),
-                            true,
-                            blink::WebCryptoKeyUsageEncrypt,
-                            &key);
-
-  if (status.IsError())
-    EXPECT_EQ(Status::ErrorUnsupported().ToString(), status.ToString());
-  return status.IsSuccess();
-}
-
 Status AesGcmEncrypt(const blink::WebCryptoKey& key,
                      const std::vector<uint8>& iv,
                      const std::vector<uint8>& additional_data,
@@ -475,6 +478,7 @@ Status AesGcmEncrypt(const blink::WebCryptoKey& key,
                      const std::vector<uint8>& plain_text,
                      std::vector<uint8>* cipher_text,
                      std::vector<uint8>* authentication_tag) {
+  DCHECK(SupportsAesGcm());
   blink::WebCryptoAlgorithm algorithm =
       CreateAesGcmAlgorithm(iv, additional_data, tag_length_bits);
 
@@ -506,6 +510,7 @@ Status AesGcmDecrypt(const blink::WebCryptoKey& key,
                      const std::vector<uint8>& cipher_text,
                      const std::vector<uint8>& authentication_tag,
                      blink::WebArrayBuffer* plain_text) {
+  DCHECK(SupportsAesGcm());
   blink::WebCryptoAlgorithm algorithm =
       CreateAesGcmAlgorithm(iv, additional_data, tag_length_bits);
 
@@ -535,6 +540,14 @@ Status ImportKeyJwkFromDict(const base::DictionaryValue& dict,
 
 }  // namespace
 
+TEST_F(SharedCryptoTest, CheckAesGcm) {
+    if (!SupportsAesGcm()) {
+      LOG(WARNING) << "AES GCM not supported on this platform, so some tests "
+          "will be skipped. Consider upgrading local NSS libraries";
+      return;
+    }
+}
+
 TEST_F(SharedCryptoTest, StatusToString) {
   EXPECT_EQ("Success", Status::Success().ToString());
   EXPECT_EQ("", Status::Error().ToString());
@@ -814,8 +827,9 @@ TEST_F(SharedCryptoTest, MAYBE(GenerateKeyAes)) {
   const unsigned short kKeyLength[] = {128, 192, 256};
   for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kKeyLength); ++i) {
     algorithm.push_back(CreateAesCbcKeyGenAlgorithm(kKeyLength[i]));
-    algorithm.push_back(CreateAesGcmKeyGenAlgorithm(kKeyLength[i]));
     algorithm.push_back(CreateAesKwKeyGenAlgorithm(kKeyLength[i]));
+    if (SupportsAesGcm())

[eroman, 2014/03/13 22:31:13]

Interesting. So generating AES-GCM key works without GCM support, however import
doesn't.

Yuck! I look forward to when Chromium has moved off NSS alltogether and we can
rely on a particular version of OpenSSL :(

[padolph, 2014/03/13 22:39:34]

Yes, appears so. Strange.
Hmm. Something tells me I might be working on project for a long time. :-)

+      algorithm.push_back(CreateAesGcmKeyGenAlgorithm(kKeyLength[i]));
   }
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   std::vector<blink::WebArrayBuffer> keys;
@@ -850,10 +864,12 @@ TEST_F(SharedCryptoTest, MAYBE(GenerateKeyAesBadLength)) {
                       CreateAesCbcKeyGenAlgorithm(kKeyLen[i]), true, 0, &key));
     EXPECT_STATUS(Status::ErrorGenerateKeyLength(),
                   GenerateSecretKey(
-                      CreateAesGcmKeyGenAlgorithm(kKeyLen[i]), true, 0, &key));
-    EXPECT_STATUS(Status::ErrorGenerateKeyLength(),
-                  GenerateSecretKey(
                       CreateAesKwKeyGenAlgorithm(kKeyLen[i]), true, 0, &key));
+    if (SupportsAesGcm()) {
+      EXPECT_STATUS(Status::ErrorGenerateKeyLength(),
+          GenerateSecretKey(
+              CreateAesGcmKeyGenAlgorithm(kKeyLen[i]), true, 0, &key));
+    }
   }
 }
 
@@ -919,7 +935,6 @@ TEST_F(SharedCryptoTest, MAYBE(ImportSecretKeyNoAlgorithm)) {
 }
 
 TEST_F(SharedCryptoTest, ImportJwkFailures) {
-
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   blink::WebCryptoAlgorithm algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc);
@@ -1005,7 +1020,6 @@ TEST_F(SharedCryptoTest, ImportJwkFailures) {
 }
 
 TEST_F(SharedCryptoTest, ImportJwkOctFailures) {
-
   base::DictionaryValue dict;
   RestoreJwkOctDictionary(&dict);
   blink::WebCryptoAlgorithm algorithm =
@@ -1057,7 +1071,6 @@ TEST_F(SharedCryptoTest, ImportJwkOctFailures) {
 }
 
 TEST_F(SharedCryptoTest, MAYBE(ImportJwkRsaFailures)) {
-
   base::DictionaryValue dict;
   RestoreJwkRsaDictionary(&dict);
   blink::WebCryptoAlgorithm algorithm =
@@ -1084,7 +1097,6 @@ TEST_F(SharedCryptoTest, MAYBE(ImportJwkRsaFailures)) {
   // Fail if either "n" or "e" is not present or malformed.
   const std::string kKtyParmName[] = {"n", "e"};
   for (size_t idx = 0; idx < ARRAYSIZE_UNSAFE(kKtyParmName); ++idx) {
-
     // Fail on missing parameter.
     dict.Remove(kKtyParmName[idx], NULL);
     EXPECT_STATUS_ERROR(
@@ -1233,7 +1245,6 @@ TEST_F(SharedCryptoTest, MAYBE(ImportJwkInputConsistency)) {
 }
 
 TEST_F(SharedCryptoTest, MAYBE(ImportJwkHappy)) {
-
   // This test verifies the happy path of JWK import, including the application
   // of the imported key material.