[webcrypto] Add JWK import for HMAC and AES-CBC key.

content/renderer/webcrypto/webcrypto_impl_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "webcrypto_impl.h"
 
 #include "base/basictypes.h"
+#include "base/json/json_writer.h"
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "base/strings/string_number_conversions.h"
 #include "content/public/renderer/content_renderer_client.h"
 #include "content/renderer/renderer_webkitplatformsupport_impl.h"
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/WebKit/public/platform/WebArrayBuffer.h"
 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
@@ skipping 34 matching lines @@
   return &data[0];
 }
 
 WebKit::WebCryptoAlgorithm CreateAesCbcAlgorithm(
     const std::vector<uint8>& iv) {
   return WebKit::WebCryptoAlgorithm::adoptParamsAndCreate(
       WebKit::WebCryptoAlgorithmIdAesCbc,
       new WebKit::WebCryptoAesCbcParams(Start(iv), iv.size()));
 }
 
+std::vector<uint8> MakeJsonVector(const std::string& json_string) {
+  return std::vector<uint8>(json_string.begin(), json_string.end());
+}
+
+std::vector<uint8> MakeJsonVector(const base::DictionaryValue& dict) {
+  std::string json;
+  base::JSONWriter::Write(&dict, &json);
+  return MakeJsonVector(json);
+}
+
 }  // namespace
 
 namespace content {
 
 class WebCryptoImplTest : public testing::Test {
  protected:
   WebKit::WebCryptoKey ImportSecretKeyFromRawHexString(
       const std::string& key_hex,
       const WebKit::WebCryptoAlgorithm& algorithm,
       WebKit::WebCryptoKeyUsageMask usage) {
@@ skipping 104 matching lines @@
 
   bool DecryptInternal(
       const WebKit::WebCryptoAlgorithm& algorithm,
       const WebKit::WebCryptoKey& key,
       const std::vector<uint8>& data,
       WebKit::WebArrayBuffer* buffer) {
     return crypto_.DecryptInternal(
         algorithm, key, Start(data), data.size(), buffer);
   }
 
+  bool ImportKeyJwk(
+      const std::vector<uint8>& key_data,
+      bool extractable,
+      const WebKit::WebCryptoAlgorithm& algorithm,
+      WebKit::WebCryptoKeyUsageMask usage_mask,
+      scoped_ptr<WebKit::WebCryptoKeyHandle>* handle,
+      WebKit::WebCryptoKeyType* type) {
+    return crypto_.ImportKeyJwk(Start(key_data),
+                                key_data.size(),
+                                extractable,
+                                algorithm,
+                                usage_mask,
+                                handle,
+                                type);
+  }
+
  private:
   WebCryptoImpl crypto_;
 };
 
 TEST_F(WebCryptoImplTest, DigestSampleSets) {
   // The results are stored here in hex format for readability.
   //
   // TODO(bryaneyler): Eventually, all these sample test sets should be replaced
   // with the sets here: http://csrc.nist.gov/groups/STM/cavp/index.html#03
   //
@@ skipping 65 matching lines @@
 
     WebKit::WebCryptoAlgorithm algorithm = CreateAlgorithm(test.algorithm);
     std::vector<uint8> input = HexStringToBytes(test.hex_input);
 
     WebKit::WebArrayBuffer output;
     ASSERT_TRUE(DigestInternal(algorithm, input, &output));
     ExpectArrayBufferMatchesHex(test.hex_result, output);
   }
 }
 
-// TODO(padolph) Enable these tests for OpenSSL once matching impl is available
-#if !defined(USE_OPENSSL)
 
 TEST_F(WebCryptoImplTest, HMACSampleSets) {
   struct TestCase {
     WebKit::WebCryptoAlgorithmId algorithm;
     const char* key;
     const char* message;
     const char* mac;
   };
 
   const TestCase kTests[] = {
@@ skipping 120 matching lines @@
         algorithm,
         key,
         kLongSignature,
         sizeof(kLongSignature),
         message_raw,
         &signature_match));
     EXPECT_FALSE(signature_match);
   }
 }
 
+#if !defined(USE_OPENSSL)
+
 TEST_F(WebCryptoImplTest, AesCbcFailures) {
   WebKit::WebCryptoKey key = ImportSecretKeyFromRawHexString(
       "2b7e151628aed2a6abf7158809cf4f3c",
       CreateAlgorithm(WebKit::WebCryptoAlgorithmIdAesCbc),
       WebKit::WebCryptoKeyUsageEncrypt | WebKit::WebCryptoKeyUsageDecrypt);
 
   WebKit::WebArrayBuffer output;
 
   // Use an invalid |iv| (fewer than 16 bytes)
   {
@@ skipping 173 matching lines @@
     if (cipher_text.size() > 3) {
       EXPECT_FALSE(DecryptInternal(CreateAesCbcAlgorithm(iv),
                                    key,
                                    &cipher_text[0],
                                    cipher_text.size() - 3,
                                    &output));
     }
   }
 }
 
-#endif // !defined(USE_OPENSSL)
 
-#if !defined(USE_OPENSSL)
 TEST_F(WebCryptoImplTest, GenerateKeyAes) {
   scoped_ptr<WebKit::WebCryptoAesKeyGenParams> params(
       new WebKit::WebCryptoAesKeyGenParams(128));
   WebKit::WebCryptoAlgorithm algorithm(
       WebKit::WebCryptoAlgorithm::adoptParamsAndCreate(
           WebKit::WebCryptoAlgorithmIdAesCbc, params.release()));
 
   scoped_ptr<WebKit::WebCryptoKeyHandle> result;
   WebKit::WebCryptoKeyType type = WebKit::WebCryptoKeyTypePublic;
 
@@ skipping 11 matching lines @@
 
   WebCryptoImpl crypto;
   scoped_ptr<WebKit::WebCryptoKeyHandle> result;
   WebKit::WebCryptoKeyType type = WebKit::WebCryptoKeyTypePublic;
 
   EXPECT_FALSE(GenerateKeyInternal(algorithm, &result, &type));
   EXPECT_FALSE(bool(result));
   EXPECT_EQ(type, WebKit::WebCryptoKeyTypePublic);
 }
 
+
 TEST_F(WebCryptoImplTest, GenerateKeyHmac) {
   WebKit::WebCryptoAlgorithm sha1_alg(
       WebKit::WebCryptoAlgorithm::adoptParamsAndCreate(
           WebKit::WebCryptoAlgorithmIdSha1, NULL));
   scoped_ptr<WebKit::WebCryptoHmacKeyParams> params(
       new WebKit::WebCryptoHmacKeyParams(sha1_alg, true, 128));
   WebKit::WebCryptoAlgorithm algorithm(
       WebKit::WebCryptoAlgorithm::adoptParamsAndCreate(
           WebKit::WebCryptoAlgorithmIdHmac, params.release()));
 
@@ skipping 15 matching lines @@
       WebKit::WebCryptoAlgorithm::adoptParamsAndCreate(
           WebKit::WebCryptoAlgorithmIdHmac, params.release()));
 
   scoped_ptr<WebKit::WebCryptoKeyHandle> result;
   WebKit::WebCryptoKeyType type = WebKit::WebCryptoKeyTypePublic;
 
   ASSERT_TRUE(GenerateKeyInternal(algorithm, &result, &type));
   EXPECT_TRUE(bool(result));
   EXPECT_EQ(type, WebKit::WebCryptoKeyTypeSecret);
 }
-#endif /* !defined(USE_OPENSSL) */
+
+#endif //#if !defined(USE_OPENSSL)
+
+TEST_F(WebCryptoImplTest, ImportJwkBadJwk) {
+
+  WebKit::WebCryptoKeyType type;
+  scoped_ptr<WebKit::WebCryptoKeyHandle> handle;
+  std::vector<uint8> iv(16);
+  WebKit::WebCryptoAlgorithm algorithm = CreateAesCbcAlgorithm(iv);
+  bool extractable = false;
+  WebKit::WebCryptoKeyUsageMask usage_mask = WebKit::WebCryptoKeyUsageSign;
+
+  // Empty JSON
+  std::vector<uint8> json_vec = MakeJsonVector("");
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+
+  // Invalid JSON
+  json_vec = MakeJsonVector(
+      "{"
+        "\"kty\"         : \"oct\","
+        "\"alg\"         : \"HS256\","
+        "\"use\"         : "
+  );
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+
+  // Note, each subtest below resets the dictionary so there is less chance of
+  // failure if they happen to be reordered.
+
+  // Invalid kty
+  base::DictionaryValue dict;
+  dict.SetString("kty", "foo");
+  dict.SetString("alg", "HS256");
+  dict.SetString("use", "sig");
+  dict.SetBoolean("extractable", true);
+  dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3rGB8qwjhdY8vOkbIvh4lxTuMao9Y_--hdg");
+  json_vec = MakeJsonVector(dict);
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  dict.SetString("kty", "oct");
+
+  // Missing kty
+  dict.Remove("kty", NULL);
+  json_vec = MakeJsonVector(dict);
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  dict.SetString("kty", "oct");
+
+  // Invalid alg
+  dict.SetString("alg", "foo");
+  json_vec = MakeJsonVector(dict);
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  dict.SetString("alg", "HS256");
+
+  // Invalid use
+  dict.SetString("use", "foo");
+  json_vec = MakeJsonVector(dict);
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  dict.SetString("use", "sig");
+
+  // Missing k when kty = "oct"
+  dict.Remove("k", NULL);
+  json_vec = MakeJsonVector(dict);
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3rGB8qwjhdY8vOkbIvh4lxTuMao9Y_--hdg");
+
+  // Bad b64 encoding for k
+  dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3r #$% jhdY8vOkbIvh4lxTuMao9Y_--hdg");
+  json_vec = MakeJsonVector(dict);
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3rGB8qwjhdY8vOkbIvh4lxTuMao9Y_--hdg");
+
+  // TODO(padolph) RSA public key bad data:
+  // Missing n or e when kty = "RSA"
+  // Bad encoding for n or e
+  // Size check on n??
+  // Value check on e??
+}
+
+TEST_F(WebCryptoImplTest, ImportJwkCollision) {
+  // The Web Crypto spec says that if a JWK value is present, but is
+  // inconsistent with the input value, the operation must fail.
+
+  // Collision rules when JWK value is not present: Inputs should be unmodified.
+  scoped_ptr<WebKit::WebCryptoKeyHandle> handle;
+  WebKit::WebCryptoKeyType type = WebKit::WebCryptoKeyTypeSecret;
+  bool extractable = true;
+  WebKit::WebCryptoAlgorithm algorithm =
+      CreateHmacAlgorithm(WebKit::WebCryptoAlgorithmIdSha256);
+  WebKit::WebCryptoKeyUsageMask usage_mask = WebKit::WebCryptoKeyUsageVerify;
+  base::DictionaryValue dict;
+  dict.SetString("kty", "oct");
+  dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3rGB8qwjhdY8vOkbIvh4lxTuMao9Y_--hdg");
+  std::vector<uint8> json_vec = MakeJsonVector(dict);
+  EXPECT_TRUE(ImportKeyJwk(json_vec,
+                           extractable,
+                           algorithm,
+                           usage_mask,
+                           &handle,
+                           &type));
+  EXPECT_TRUE(handle.get() != NULL);
+  EXPECT_EQ(WebKit::WebCryptoKeyTypeSecret, type);
+  EXPECT_TRUE(extractable);
+  EXPECT_EQ(WebKit::WebCryptoAlgorithmIdHmac, algorithm.id());
+  EXPECT_EQ(WebKit::WebCryptoAlgorithmIdSha256,
+            algorithm.hmacParams()->hash().id());
+  EXPECT_EQ(WebKit::WebCryptoKeyUsageVerify, usage_mask);
+  handle.reset();
+
+  // Collision rules when JWK value exists: Fail if inconsistency is found.
+  // Happy path: all input values are consistent with the JWK values
+  dict.Clear();
+  dict.SetString("kty", "oct");
+  dict.SetString("alg", "HS256");
+  dict.SetString("use", "sig");
+  dict.SetBoolean("extractable", true);
+  dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3rGB8qwjhdY8vOkbIvh4lxTuMao9Y_--hdg");
+  json_vec = MakeJsonVector(dict);
+  EXPECT_TRUE(ImportKeyJwk(json_vec,
+                           extractable,
+                           algorithm,
+                           usage_mask,
+                           &handle,
+                           &type));
+
+  // Fail: Input type (public) is inconsistent with JWK value (secret).
+  type = WebKit::WebCryptoKeyTypePublic;
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  type = WebKit::WebCryptoKeyTypeSecret;
+
+  // Fail: Input extractable (false) is inconsistent with JWK value (true).
+  extractable = false;
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  extractable = true;
+
+  // Fail: Input algorithm (HMAC SHA1) is inconsistent with JWK value
+  // (HMAC SHA256).
+  algorithm = CreateHmacAlgorithm(WebKit::WebCryptoAlgorithmIdSha1);
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  algorithm = CreateHmacAlgorithm(WebKit::WebCryptoAlgorithmIdSha256);
+
+  // Fail: Input usage_mask (sign) is inconsistent with JWK value (sign|verify)
+  usage_mask = WebKit::WebCryptoKeyUsageEncrypt;
+  EXPECT_FALSE(ImportKeyJwk(json_vec,
+                            extractable,
+                            algorithm,
+                            usage_mask,
+                            &handle,
+                            &type));
+  usage_mask = WebKit::WebCryptoKeyUsageSign | WebKit::WebCryptoKeyUsageVerify;
+}
+
+TEST_F(WebCryptoImplTest, ImportJwkHappy) {
+
+  // This test verifies the happy path of JWK import, including the application
+  // of the imported key material.
+
+  scoped_ptr<WebKit::WebCryptoKeyHandle> handle;
+  WebKit::WebCryptoKeyType type = WebKit::WebCryptoKeyTypeSecret;
+  bool extractable = false;
+  WebKit::WebCryptoAlgorithm algorithm =
+      CreateHmacAlgorithm(WebKit::WebCryptoAlgorithmIdSha256);;
+  WebKit::WebCryptoKeyUsageMask usage_mask = WebKit::WebCryptoKeyUsageSign;
+
+  // Import a symmetric key JWK and HMAC-SHA256 sign()
+  // Uses the first SHA256 test vector from the HMAC sample set above.
+
+  base::DictionaryValue dict;
+  dict.SetString("kty", "oct");
+  dict.SetString("alg", "HS256");
+  dict.SetString("use", "sig");
+  dict.SetBoolean("extractable", false);
+  dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3rGB8qwjhdY8vOkbIvh4lxTuMao9Y_--hdg");
+  std::vector<uint8> json_vec = MakeJsonVector(dict);
+
+  ASSERT_TRUE(ImportKeyJwk(json_vec,
+                           extractable,
+                           algorithm,
+                           usage_mask,
+                           &handle,
+                           &type));
+
+  WebKit::WebCryptoKey key = WebKit::WebCryptoKey::create(handle.release(),
+      type, extractable, algorithm, usage_mask);
+
+  const std::vector<uint8> message_raw = HexStringToBytes(
+      "b1689c2591eaf3c9e66070f8a77954ffb81749f1b00346f9dfe0b2ee905dcc288baf4a"
+      "92de3f4001dd9f44c468c3d07d6c6ee82faceafc97c2fc0fc0601719d2dcd0aa2aec92"
+      "d1b0ae933c65eb06a03c9c935c2bad0459810241347ab87e9f11adb30415424c6c7f5f"
+      "22a003b8ab8de54f6ded0e3ab9245fa79568451dfa258e");
+
+  WebKit::WebArrayBuffer output;
+
+  ASSERT_TRUE(SignInternal(algorithm, key, message_raw, &output));
+
+  const std::string mac_raw =
+      "769f00d3e6a6cc1fb426a14a4f76c6462e6149726e0dee0ec0cf97a16605ac8b";
+
+  ExpectArrayBufferMatchesHex(mac_raw, output);
+
+  // TODO(padolph)
+  // Import an RSA public key JWK and use it
+}
 
 }  // namespace content