[webcrypto] Add JWK import for HMAC and AES-CBC key.

content/renderer/webcrypto/webcrypto_impl.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
+#include <algorithm>
+#include <functional>
+#include <map>
+#include "base/json/json_reader.h"
+#include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
-#include "third_party/WebKit/public/platform/WebArrayBuffer.h"
+#include "base/strings/string_piece.h"
+#include "base/values.h"
+#include "content/renderer/webcrypto/webcrypto_util.h"
 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
+#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
 #include "third_party/WebKit/public/platform/WebCryptoKey.h"
 
 namespace content {
 
+namespace {
+
+// Binds a specific key length value to a compatible factory function.
+typedef WebKit::WebCryptoAlgorithm (*AlgFactoryFuncWithOneShortArg)(
+    unsigned short key_length);
+template <AlgFactoryFuncWithOneShortArg func, unsigned short key_length>
+WebKit::WebCryptoAlgorithm BindAlgFactoryWithKeyLen() {
+  return func(key_length);
+}
+
+// Defines a map between a JWK 'alg' string ID and a corresponding Web Crypto
+// factory function.
+typedef WebKit::WebCryptoAlgorithm (*AlgFactoryFuncNoArgs)();
+typedef std::map<std::string, AlgFactoryFuncNoArgs> JwkAlgFactoryMap;
+
+class JwkAlgorithmFactoryMap {
+ public:
+  JwkAlgorithmFactoryMap() {
+    map_["HS256"] = &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByKeyLen, 256>;
+    map_["HS256"] = &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByKeyLen, 256>;
+    map_["HS384"] = &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByKeyLen, 384>;
+    map_["HS384"] = &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByKeyLen, 512>;
+    map_["RS256"] =
+        &BindAlgFactoryWithKeyLen<CreateRsaSsaAlgorithmByKeyLen, 256>;
+    map_["RS384"] =
+        &BindAlgFactoryWithKeyLen<CreateRsaSsaAlgorithmByKeyLen, 384>;
+    map_["RS512"] =
+        &BindAlgFactoryWithKeyLen<CreateRsaSsaAlgorithmByKeyLen, 512>;
+    map_["RSA1_5"] = &CreateRsaEsAlgorithm;
+    map_["RSA-OAEP"] =
+        &BindAlgFactoryWithKeyLen<CreateRsaOaepAlgorithmByKeyLen, 512>;
+    map_["A128KW"] = &WebKit::WebCryptoAlgorithm::createNull;
+    map_["A256KW"] = &WebKit::WebCryptoAlgorithm::createNull;
+    map_["A128GCM"] =
+        &BindAlgFactoryWithKeyLen<CreateAesGcmKeyGenAlgorithm, 256>;
+    map_["A256GCM"] =
+        &BindAlgFactoryWithKeyLen<CreateAesGcmKeyGenAlgorithm, 256>;
+    map_["A128CBC"] =
+        &BindAlgFactoryWithKeyLen<CreateAesCbcKeyGenAlgorithm, 128>;
+    map_["A256CBC"] =
+        &BindAlgFactoryWithKeyLen<CreateAesCbcKeyGenAlgorithm, 256>;
+    map_["A384CBC"] =
+        &BindAlgFactoryWithKeyLen<CreateAesCbcKeyGenAlgorithm, 384>;
+    map_["A512CBC"] =
+        &BindAlgFactoryWithKeyLen<CreateAesCbcKeyGenAlgorithm, 512>;
+  }
+  WebKit::WebCryptoAlgorithm CreateAlgorithmFromName(
+      const std::string& alg_id) {
+    const JwkAlgFactoryMap::const_iterator pos = map_.find(alg_id);
+    if (pos == map_.end())
+      return WebKit::WebCryptoAlgorithm::createNull();
+    return pos->second();
+  }
+
+ private:
+  JwkAlgFactoryMap map_;
+};
+base::LazyInstance<JwkAlgorithmFactoryMap> jwk_alg_factory =
+    LAZY_INSTANCE_INITIALIZER;
+
+// TODO(padolph): Verify this logic is sufficient to judge algorithm
+// "consistency" for JWK import, and for all supported algorithms.
+bool WebCryptoAlgorithmsConsistent(const WebKit::WebCryptoAlgorithm& lhs,
+                                   const WebKit::WebCryptoAlgorithm& rhs) {
+  if (lhs.id() == rhs.id()) {
+    if (lhs.id() == WebKit::WebCryptoAlgorithmIdHmac ||
+        lhs.id() == WebKit::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 ||
+        lhs.id() == WebKit::WebCryptoAlgorithmIdRsaOaep) {
+      if (WebCryptoAlgorithmsConsistent(GetInnerHashAlgorithm(lhs),
+                                        GetInnerHashAlgorithm(rhs))) {
+        return true;
+      }
+      return false;
+    }
+    return true;
+  }
+  return false;
+}
+
+}  // namespace
+
 WebCryptoImpl::WebCryptoImpl() {
   Init();
 }
 
-// static
-// TODO(eroman): This works by re-allocating a new buffer. It would be better if
-//               the WebArrayBuffer could just be truncated instead.
-void WebCryptoImpl::ShrinkBuffer(
-    WebKit::WebArrayBuffer* buffer,
-    unsigned new_size) {
-  DCHECK_LE(new_size, buffer->byteLength());
-
-  if (new_size == buffer->byteLength())
-    return;
-
-  WebKit::WebArrayBuffer new_buffer =
-      WebKit::WebArrayBuffer::create(new_size, 1);
-  DCHECK(!new_buffer.isNull());
-  memcpy(new_buffer.data(), buffer->data(), new_size);
-  *buffer = new_buffer;
-}
+WebCryptoImpl::~WebCryptoImpl() {}
 
 void WebCryptoImpl::encrypt(
     const WebKit::WebCryptoAlgorithm& algorithm,
     const WebKit::WebCryptoKey& key,
     const unsigned char* data,
     unsigned data_size,
     WebKit::WebCryptoResult result) {
   WebKit::WebArrayBuffer buffer;
   if (!EncryptInternal(algorithm, key, data, data_size, &buffer)) {
     result.completeWithError();
@@ skipping 50 matching lines @@
     WebKit::WebCryptoKeyFormat format,
     const unsigned char* key_data,
     unsigned key_data_size,
     const WebKit::WebCryptoAlgorithm& algorithm,
     bool extractable,
     WebKit::WebCryptoKeyUsageMask usage_mask,
     WebKit::WebCryptoResult result) {
   WebKit::WebCryptoKeyType type;
   scoped_ptr<WebKit::WebCryptoKeyHandle> handle;
 
-  if (!ImportKeyInternal(format,
-                         key_data,
-                         key_data_size,
-                         algorithm,
-                         usage_mask,
-                         &handle,
-                         &type)) {
-    result.completeWithError();
-    return;
+  if (format == WebKit::WebCryptoKeyFormatJwk) {
+    if (!ImportKeyJwk(key_data,
+                      key_data_size,
+                      extractable,
+                      algorithm,
+                      usage_mask,
+                      &handle,
+                      &type)) {
+      result.completeWithError();
+    }
+  } else {
+    if (!ImportKeyInternal(format,
+                           key_data,
+                           key_data_size,
+                           algorithm,
+                           usage_mask,
+                           &handle,
+                           &type)) {
+      result.completeWithError();
+    }
   }
 
-  WebKit::WebCryptoKey key(
-      WebKit::WebCryptoKey::create(
-          handle.release(), type, extractable, algorithm, usage_mask));
+  WebKit::WebCryptoKey key(WebKit::WebCryptoKey::create(
+      handle.release(), type, extractable, algorithm, usage_mask));
 
   result.completeWithKey(key);
 }
 
 void WebCryptoImpl::sign(
     const WebKit::WebCryptoAlgorithm& algorithm,
     const WebKit::WebCryptoKey& key,
     const unsigned char* data,
     unsigned data_size,
     WebKit::WebCryptoResult result) {
@@ skipping 20 matching lines @@
                                signature_size,
                                data,
                                data_size,
                                &signature_match)) {
     result.completeWithError();
   } else {
     result.completeWithBoolean(signature_match);
   }
 }
 
+bool WebCryptoImpl::ImportKeyJwk(
+    const unsigned char* key_data,
+    unsigned key_data_size,
+    bool extractable,
+    const WebKit::WebCryptoAlgorithm& algorithm,
+    WebKit::WebCryptoKeyUsageMask usage_mask,
+    scoped_ptr<WebKit::WebCryptoKeyHandle>* handle,
+    WebKit::WebCryptoKeyType* type) {
+
+  // JSON Web Key Format (JWK)
+  // http://tools.ietf.org/html/draft-ietf-jose-json-web-key-16
+  // TODO(padolph): Not all possible values are handled by this code right now
+  //
+  // A JWK is a simple JSON dictionary with the following entries
+  // - "kty" (Key Type) Parameter, REQUIRED
+  // - <kty-specific parameters, see below>, REQUIRED
+  // - "use" (Key Use) Parameter, OPTIONAL
+  // - "alg" (Algorithm) Parameter, OPTIONAL
+  // - "extractable" (Key Exportability), OPTIONAL [NOTE: not yet part of JOSE]
+  // (all other entries are ignored)
+  //
+  // Input key_data contains the JWK. To build a Web Crypto Key, the JWK values
+  // are parsed out and used as follows:
+  // Web Crypto Key type            <-- (deduced)
+  // Web Crypto Key extractable     <-- extractable
+  // Web Crypto Key algorithm       <-- alg
+  // Web Crypto Key keyUsage        <-- usage
+  // Web Crypto Key keying material <-- kty-specific parameters
+  //
+  // Values for each entry are case-sensitive and defined in
+  // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16.
+  // Note that not all values specified by JOSE are handled by this code. Only
+  // handled values are listed.
+  // - kty (Key Type)
+  //   +-------+--------------------------------------------------------------+
+  //   | "RSA" | RSA [RFC3447]                                                |
+  //   | "oct" | Octet sequence (used to represent symmetric keys)            |
+  //   +-------+--------------------------------------------------------------+
+  // - use (Key Use)
+  //   +-------+--------------------------------------------------------------+
+  //   | "enc" | encrypt and decrypt operations                               |
+  //   | "sig" | sign and verify (MAC) operations                             |
+  //   | "wrap"| key wrap and unwrap [not yet part of JOSE]                   |
+  //   +-------+--------------------------------------------------------------+
+  // - extractable (Key Exportability)
+  //   +-------+--------------------------------------------------------------+
+  //   | true  | Key may be exported from the trusted environment             |
+  //   | false | Key cannot exit the trusted environment                      |
+  //   +-------+--------------------------------------------------------------+
+  // - alg (Algorithm)
+  //   See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16
+  //   +--------------+-------------------------------------------------------+
+  //   | Digital Signature or MAC Algorithm                                   |
+  //   +--------------+-------------------------------------------------------+
+  //   | "HS256"      | HMAC using SHA-256 hash algorithm                     |
+  //   | "HS384"      | HMAC using SHA-384 hash algorithm                     |
+  //   | "HS512"      | HMAC using SHA-512 hash algorithm                     |
+  //   | "RS256"      | RSASSA using SHA-256 hash algorithm                   |
+  //   | "RS384"      | RSASSA using SHA-384 hash algorithm                   |
+  //   | "RS512"      | RSASSA using SHA-512 hash algorithm                   |
+  //   +--------------+-------------------------------------------------------|
+  //   | Key Management Algorithm                                             |
+  //   +--------------+-------------------------------------------------------+
+  //   | "RSA1_5"     | RSAES-PKCS1-V1_5 [RFC3447]                            |
+  //   | "RSA-OAEP"   | RSAES using Optimal Asymmetric Encryption Padding     |
+  //   |              | (OAEP) [RFC3447], with the default parameters         |
+  //   |              | specified by RFC3447 in Section A.2.1                 |
+  //   | "A128KW"     | Advanced Encryption Standard (AES) Key Wrap Algorithm |
+  //   |              | [RFC3394] using 128 bit keys                          |
+  //   | "A256KW"     | AES Key Wrap Algorithm using 256 bit keys             |
+  //   | "A128GCM"    | AES in Galois/Counter Mode (GCM) [NIST.800-38D] using |
+  //   |              | 128 bit keys                                          |
+  //   | "A256GCM"    | AES GCM using 256 bit keys                            |
+  //   | "A128CBC"    | AES in Cipher Block Chaining Mode (CBC) with PKCS #5  |
+  //   |              | padding [NIST.800-38A] [not yet part of JOSE]         |
+  //   | "A256CBC"    | AES CBC using 256 bit keys [not yet part of JOSE]     |
+  //   | "A384CBC"    | AES CBC using 384 bit keys [not yet part of JOSE]     |
+  //   | "A512CBC"    | AES CBC using 512 bit keys [not yet part of JOSE]     |
+  //   +--------------+-------------------------------------------------------+
+  //
+  // kty-specific parameters
+  // The value of kty determines the type and content of the keying material
+  // carried in the JWK to be imported. Currently only two possibilities are
+  // supported: a raw key or an RSA public key. RSA private keys are not
+  // supported because typical applications seldom need to import a private key,
+  // and the large number of JWK parameters required to describe one.
+  // - kty == "oct" (symmetric or other raw key)
+  //   +-------+--------------------------------------------------------------+
+  //   | "k"   | Contains the value of the symmetric (or other single-valued) |
+  //   |       | key.  It is represented as the base64url encoding of the     |
+  //   |       | octet sequence containing the key value.                     |
+  //   +-------+--------------------------------------------------------------+
+  // - kty == "RSA" (RSA public key)
+  //   +-------+--------------------------------------------------------------+
+  //   | "n"   | Contains the modulus value for the RSA public key.  It is    |
+  //   |       | represented as the base64url encoding of the value's         |
+  //   |       | unsigned big endian representation as an octet sequence.     |
+  //   +-------+--------------------------------------------------------------+
+  //   | "e"   | Contains the exponent value for the RSA public key.  It is   |
+  //   |       | represented as the base64url encoding of the value's         |
+  //   |       | unsigned big endian representation as an octet sequence.     |
+  //   +-------+--------------------------------------------------------------+
+  //
+  // Conflict resolution
+  // The type, algorithm, extractable, and usage_mask input parameters may be
+  // different from similar values inside the JWK. The Web Crypto spec says that
+  // if a JWK value is present, but is inconsistent with the input value, it is
+  // an error and the operation must fail.
+
+  // Initial argument sanity check.
+  if (!key_data || !key_data_size || algorithm.isNull() || !handle || !type)

[eroman, 2013/10/29 03:03:46]

My interpretation is that it is legitimate for the input algorithm to be null.

The algorithm only needs to be specified to "fill in" the data which cannot be
inferred from the JWK. So for some imports it may be unnecessary for the caller
to specify algorithm at all.

When the algorithm is specified and it repeats information encoded by the JWK,
then the implementation must verify that things match.

It is fine not to handle null algorithm at this time, but in that case please
write a TODO explaining that it needs to be handled.

Lastly, please remove the tests on "!handle || !type". I view those as an
illegal call to ImportKeyJwk(), and something that can DCHECK/crash instead.

[padolph, 2013/10/29 22:57:01]

I put in logic to handle input and JWK algorithms when they are both optional
plus corresponding tests. The logic works but is quite ugly, but I've stared at
it too long now to have any more insights. Can you please take a look to see if
can be simplified?
Done.

+    return false;
+
+  // Parse the incoming JWK JSON.
+  base::StringPiece json_string(reinterpret_cast<const char*>(key_data),
+                                key_data_size);
+  scoped_ptr<base::Value> value(base::JSONReader::Read(json_string));
+  // Note, bare pointer dict_value is ok since it points into scoped value.
+  base::DictionaryValue* dict_value = NULL;
+  if (!value.get() || !value->GetAsDictionary(&dict_value) || !dict_value)
+    return false;
+
+  // JWK "kty". Exit early if this required JWK parameter is missing.
+  std::string jwk_kty_value;
+  if (!dict_value->GetString("kty", &jwk_kty_value))
+    return false;
+
+  // JWK "extractable" --> extractable parameter
+  bool jwk_extractable_value;
+  if (dict_value->GetBoolean("extractable", &jwk_extractable_value)) {
+    if (jwk_extractable_value != extractable)
+      return false;
+  }
+
+  // JWK "alg" --> algorithm parameter
+  std::string jwk_alg_value;
+  if (dict_value->GetString("alg", &jwk_alg_value)) {
+    const WebKit::WebCryptoAlgorithm webcrypto_algorithm_from_jwk =
+        jwk_alg_factory.Get().CreateAlgorithmFromName(jwk_alg_value);
+    if (webcrypto_algorithm_from_jwk.isNull())
+      return false;
+    if (!WebCryptoAlgorithmsConsistent(webcrypto_algorithm_from_jwk, algorithm))
+      return false;
+  }
+
+  // JWK "use" --> usage_mask parameter
+  std::string jwk_use_value;
+  if (dict_value->GetString("use", &jwk_use_value)) {
+    unsigned jwk_usage_mask;
+    if (jwk_use_value == "enc") {
+      jwk_usage_mask =
+          WebKit::WebCryptoKeyUsageEncrypt | WebKit::WebCryptoKeyUsageDecrypt;
+    } else if (jwk_use_value == "sig") {
+      jwk_usage_mask =
+          WebKit::WebCryptoKeyUsageSign | WebKit::WebCryptoKeyUsageVerify;
+    } else if (jwk_use_value == "wrap") {
+      jwk_usage_mask =
+          WebKit::WebCryptoKeyUsageWrapKey | WebKit::WebCryptoKeyUsageUnwrapKey;
+    } else {
+      return false;
+    }
+    if ((jwk_usage_mask & usage_mask) != usage_mask) {
+      // A usage_mask must be a subset of jwk_usage_mask.
+      return false;
+    }
+  }
+
+  // JWK keying material --> ImportKeyInternal()
+  if (jwk_kty_value == "oct") {
+    if (*type != WebKit::WebCryptoKeyTypeSecret)
+      return false;
+    std::string jwk_k_value_url64;
+    if (!dict_value->GetString("k", &jwk_k_value_url64))
+      return false;
+    std::string jwk_k_value;
+    if (!Base64DecodeUrlSafe(jwk_k_value_url64, &jwk_k_value) ||
+        !jwk_k_value.size()) {
+      return false;
+    }
+    if (!ImportKeyInternal(WebKit::WebCryptoKeyFormatRaw,
+                           reinterpret_cast<const uint8*>(jwk_k_value.data()),
+                           jwk_k_value.size(),
+                           algorithm,
+                           usage_mask,
+                           handle,
+                           type)) {
+      return false;
+    }
+  } else if (jwk_kty_value == "RSA") {
+    // Only an RSA public key is currently handled.
+    if (*type != WebKit::WebCryptoKeyTypePublic)
+      return false;
+    // TODO(padolph): JWK import RSA public key
+    return false;
+  } else {
+    return false;
+  }
+
+  return true;
+}
+
 }  // namespace content