Add a utility method to convert SPKI from DER to JWK, so far implemented only for EC P256v1 (which …

net/cert/jwk_serializer_nss.cc

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/jwk_serializer.h"
+
+#include <cert.h>
+#include <keyhi.h>
+#include <nss.h>
+
+#include "base/base64.h"
+#include "base/values.h"
+
+namespace net {
+
+namespace JwkSerializer {
+
+namespace {
+
+bool ConvertEcPrime256v1PublicKeyInfoToJwk(
+    CERTSubjectPublicKeyInfo* spki,
+    base::DictionaryValue* public_key_jwk) {
+  static const int kPrime256v1EncodingType = 4;
+  static const int kPrime256v1PublicKeyLength = 64;
+  // The public key value is encoded as 0x04 + 64 bytes of public key.
+  // NSS gives the length as the bit length.
+  //

[Ryan Sleevi, 2013/08/06 19:50:38]

nit: extraneous //

[juanlang, 2013/08/06 21:32:59]

Done.

+  if (spki->subjectPublicKey.len != (kPrime256v1PublicKeyLength + 1) * 8 ||
+      spki->subjectPublicKey.data[0] != kPrime256v1EncodingType)
+    return false;
+
+  public_key_jwk->SetString("alg", "EC");
+  public_key_jwk->SetString("crv", "P-256");
+
+  base::StringPiece x(
+      reinterpret_cast<char*>(spki->subjectPublicKey.data + 1),
+      kPrime256v1PublicKeyLength / 2);
+  std::string x_b64;
+  base::Base64Encode(x, &x_b64);
+  public_key_jwk->SetString("x", x_b64);
+
+  base::StringPiece y(
+      reinterpret_cast<char*>(spki->subjectPublicKey.data + 1 +
+                              kPrime256v1PublicKeyLength / 2),
+      kPrime256v1PublicKeyLength / 2);
+  std::string y_b64;
+  base::Base64Encode(y, &y_b64);
+  public_key_jwk->SetString("y", y_b64);
+  return true;
+}
+
+bool ConvertEcPublicKeyInfoToJwk(
+    CERTSubjectPublicKeyInfo* spki,
+    base::DictionaryValue* public_key_jwk) {
+  // 1.2.840.10045.3.1.7
+  // (iso.member-body.us.ansi-x9-62.ellipticCurve.primeCurve.prime256v1)
+  // (This includes the DER-encoded type (OID) and length: parameters can be
+  // anything, so the DER type isn't implied, and NSS includes it.)
+  static const uint8_t kPrime256v1[] = {
+    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
+  };
+  if (spki->algorithm.parameters.len == sizeof(kPrime256v1) &&
+      !memcmp(spki->algorithm.parameters.data, kPrime256v1,
+              sizeof(kPrime256v1))) {
+    return ConvertEcPrime256v1PublicKeyInfoToJwk(spki, public_key_jwk);
+  }
+  // TODO(juanlang): other curves
+  return false;
+}
+
+}  // namespace
+
+bool ConvertSPKIFromDERToJWK(
+    const base::StringPiece& spki_der,
+    base::DictionaryValue* public_key_jwk) {
+  public_key_jwk->Clear();
+
+  SECItem sec_item;
+  sec_item.data = const_cast<unsigned char*>(
+      reinterpret_cast<const unsigned char*>(spki_der.data()));
+  sec_item.len = spki_der.size();
+  CERTSubjectPublicKeyInfo* spki =
+      SECKEY_DecodeDERSubjectPublicKeyInfo(&sec_item);
+  if (!spki)
+    return false;
+
+  // 1.2.840.10045.2
+  // (iso.member-body.us.ansi-x9-62.id-ecPublicKey)
+  // (This omits the ASN.1 encoding of the type (OID) and length: the fact that
+  // this is an OID is already clear, and NSS omits it here.)
+  static const uint8 kIdEcPublicKey[] = {
+    0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01
+  };
+  bool rv = false;
+  if (spki->algorithm.algorithm.len == sizeof(kIdEcPublicKey) &&
+      !memcmp(spki->algorithm.algorithm.data, kIdEcPublicKey,
+              sizeof(kIdEcPublicKey))) {
+    rv = ConvertEcPublicKeyInfoToJwk(spki, public_key_jwk);
+  }
+  // TODO(juanlang): other algorithms
+  SECKEY_DestroySubjectPublicKeyInfo(spki);

[Ryan Sleevi, 2013/08/06 19:50:38]

If you want added RAII safety,
https://code.google.com/p/chromium/codesearch#chromium/src/google_apis/cup/cl...

[juanlang, 2013/08/06 21:32:59]

Nifty. Done.

+  return rv;
+}
+
+}  // namespace JwkSerializer
+
+}  // namespace net