Transfer WebCrypto databuffers across the Blink API using blink::WebVector.

third_party/WebKit/public/platform/WebCrypto.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 154 matching lines @@
     //     Blink thread.
     //
     //   * WebCryptoKey and WebCryptoAlgorithm ARE threadsafe. They can be
     //     safely copied between threads and accessed. Copying is cheap because
     //     they are internally reference counted.
     //
     // -----------------------
     // Inputs
     // -----------------------
     //
-    //   * Data buffers are passed as (basePointer, byteLength) pairs.
-    //     These buffers are only valid during the call itself. Asynchronous
-    //     implementations wishing to access it after the function returns
-    //     should make a copy.
+    //   * Data buffers are transfered as WebVectors. Implementations are free
+    //     to re-use or transfer their storage.
     //
     //   * All WebCryptoKeys are guaranteeed to be !isNull().
     //
     //   * All WebCryptoAlgorithms are guaranteed to be !isNull()
     //
     //   * Look to the Web Crypto spec for an explanation of the parameter. The
     //     method names here have a 1:1 correspondence with those of
     //     crypto.subtle, with the exception of "verify" which is here called
     //     "verifySignature".
     //
     // -----------------------
     // Guarantees on input validity
     // -----------------------
     //
     // Implementations MUST carefully sanitize algorithm inputs before using
     // them, as they come directly from the user. Few checks have been done on
     // algorithm parameters prior to passing to the embedder.
     //
     // Only the following checks can be assumed as having already passed:
     //
     //  * The key is extractable when calling into exportKey/wrapKey.
     //  * The key usages permit the operation being requested.
     //  * The key's algorithm matches that of the requested operation.
     //
-    virtual void encrypt(const WebCryptoAlgorithm&, const WebCryptoKey&, const unsigned char* data, unsigned dataSize, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
-    virtual void decrypt(const WebCryptoAlgorithm&, const WebCryptoKey&, const unsigned char* data, unsigned dataSize, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
-    virtual void sign(const WebCryptoAlgorithm&, const WebCryptoKey&, const unsigned char* data, unsigned dataSize, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
-    virtual void verifySignature(const WebCryptoAlgorithm&, const WebCryptoKey&, const unsigned char* signature, unsigned signatureSize, const unsigned char* data, unsigned dataSize, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
-    virtual void digest(const WebCryptoAlgorithm&, const unsigned char* data, unsigned dataSize, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
+    virtual void encrypt(const WebCryptoAlgorithm&, const WebCryptoKey&, WebVector<unsigned char> data, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }

[jochen (gone - plz use gerrit), 2016/07/19 12:27:40]

why not WebVector<unsigned char>&

[eroman, 2016/07/19 16:17:41]

My preference for pass-by-value is:
  * Makes it clear that it is an input parameter (and not an out or in/out
parameter)
  * Self-describes the "pass ownership" semantics
  * [weaker argument] Harder to mis-use, as the implementation cannot
accidentally save a reference to variable owned by caller.

For the other direction, the main advantage I can think of for pass-by-reference
approach, is it makes it harder to accidentally create a copy of vectors when
Blink calls into this interface. This is a consequence of WebVector having
implicit single-parameter constructors that make *copies* of things :(

For instance, in an earlier patchset I was passing in std::move(x) as expected,
and it looked correct. However, "x" was of type "Vector" rather than WeVector.
What this meant is that in reality it was calling into the WebVector(const
Vector& x) constructor, and hence making a copy instead of transferring.

I think the best fix for the problem above is to mark the constructors as
explicit as per the Chromium style guide. In the meantime though, making the
databuffer parameters be of type WebVector& would also catch such bugs since you
cannot take references of temporaries so that would have been a compile failure
I believe.

WDYT?

+    virtual void decrypt(const WebCryptoAlgorithm&, const WebCryptoKey&, WebVector<unsigned char> data, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
+    virtual void sign(const WebCryptoAlgorithm&, const WebCryptoKey&, WebVector<unsigned char> data, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
+    virtual void verifySignature(const WebCryptoAlgorithm&, const WebCryptoKey&, WebVector<unsigned char> signature, WebVector<unsigned char> data, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
+    virtual void digest(const WebCryptoAlgorithm&, WebVector<unsigned char> data, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
     virtual void generateKey(const WebCryptoAlgorithm&, bool extractable, WebCryptoKeyUsageMask, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
-    virtual void importKey(WebCryptoKeyFormat, const unsigned char* keyData, unsigned keyDataSize, const WebCryptoAlgorithm&, bool extractable, WebCryptoKeyUsageMask, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
+    virtual void importKey(WebCryptoKeyFormat, WebVector<unsigned char> keyData, const WebCryptoAlgorithm&, bool extractable, WebCryptoKeyUsageMask, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
     virtual void exportKey(WebCryptoKeyFormat, const WebCryptoKey&, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
     virtual void wrapKey(WebCryptoKeyFormat, const WebCryptoKey& key, const WebCryptoKey& wrappingKey, const WebCryptoAlgorithm&, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
-    virtual void unwrapKey(WebCryptoKeyFormat, const unsigned char* wrappedKey, unsigned wrappedKeySize, const WebCryptoKey&, const WebCryptoAlgorithm& unwrapAlgorithm, const WebCryptoAlgorithm& unwrappedKeyAlgorithm, bool extractable, WebCryptoKeyUsageMask, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
+    virtual void unwrapKey(WebCryptoKeyFormat, WebVector<unsigned char> wrappedKey, const WebCryptoKey&, const WebCryptoAlgorithm& unwrapAlgorithm, const WebCryptoAlgorithm& unwrappedKeyAlgorithm, bool extractable, WebCryptoKeyUsageMask, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
     virtual void deriveBits(const WebCryptoAlgorithm&, const WebCryptoKey&, unsigned length, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
     virtual void deriveKey(const WebCryptoAlgorithm& algorithm, const WebCryptoKey& baseKey, const WebCryptoAlgorithm& importAlgorithm, const WebCryptoAlgorithm& keyLengthAlgorithm, bool extractable, WebCryptoKeyUsageMask, WebCryptoResult result) { result.completeWithError(WebCryptoErrorTypeNotSupported, ""); }
 
     // This is the exception to the "Completing the request" guarantees
     // outlined above. This is useful for Blink internal crypto and is not part
     // of the WebCrypto standard. createDigestor must provide the result via
     // the WebCryptoDigestor object synchronously. This will never return null.
     virtual std::unique_ptr<WebCryptoDigestor> createDigestor(WebCryptoAlgorithmId algorithmId) { return nullptr; }
 
     // -----------------------
@@ skipping 44 matching lines @@
     // Returns true on success.
     virtual bool serializeKeyForClone(const WebCryptoKey&, WebVector<unsigned char>&) { return false; }
 
 protected:
     virtual ~WebCrypto() { }
 };
 
 } // namespace blink
 
 #endif // WebCrypto_h