[webcrypto] Add JWK import for HMAC and AES-CBC key.

content/renderer/webcrypto/webcrypto_impl.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
+#include <algorithm>
+#include <functional>
+#include <map>
+#include "base/json/json_reader.h"
+#include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
-#include "third_party/WebKit/public/platform/WebArrayBuffer.h"
+#include "base/strings/string_piece.h"
+#include "base/values.h"
+#include "content/renderer/webcrypto/webcrypto_util.h"
 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
+#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
 #include "third_party/WebKit/public/platform/WebCryptoKey.h"
 
 namespace content {
 
+namespace {
+
+// Binds a specific key length value to a compatible factory function.
+typedef WebKit::WebCryptoAlgorithm (*AlgFactoryFuncWithOneShortArg)(
+    unsigned short);
+template <AlgFactoryFuncWithOneShortArg func, unsigned short key_length>
+WebKit::WebCryptoAlgorithm BindAlgFactoryWithKeyLen() {
+  return func(key_length);
+}
+
+// Binds a WebCryptoAlgorithmId value to a compatible factory function.
+typedef WebKit::WebCryptoAlgorithm (*AlgFactoryFuncWithWebCryptoAlgIdArg)(
+    WebKit::WebCryptoAlgorithmId);
+template <AlgFactoryFuncWithWebCryptoAlgIdArg func,
+          WebKit::WebCryptoAlgorithmId algorithm_id>
+WebKit::WebCryptoAlgorithm BindAlgFactoryAlgorithmId() {
+  return func(algorithm_id);
+}
+
+// Defines a map between a JWK 'alg' string ID and a corresponding Web Crypto
+// factory function.
+typedef WebKit::WebCryptoAlgorithm (*AlgFactoryFuncNoArgs)();
+typedef std::map<std::string, AlgFactoryFuncNoArgs> JwkAlgFactoryMap;
+
+class JwkAlgorithmFactoryMap {
+ public:
+  JwkAlgorithmFactoryMap() {
+    map_["HS256"] =
+        &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByDigestLen, 256>;
+    map_["HS256"] =

[eroman, 2013/11/04 21:01:15]

This is a duplication of the one above.

[padolph, 2013/11/05 03:30:55]

Done.

+        &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByDigestLen, 256>;
+    map_["HS384"] =
+        &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByDigestLen, 384>;
+    map_["HS384"] =

[eroman, 2013/11/04 21:01:15]

This is a duplication of the key above. I presume you meant HS512 ?

[padolph, 2013/11/05 03:30:55]

Done.

+        &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByDigestLen, 512>;
+    map_["RS256"] =
+        &BindAlgFactoryAlgorithmId<CreateRsaSsaAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdSha256>;
+    map_["RS384"] =
+        &BindAlgFactoryAlgorithmId<CreateRsaSsaAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdSha384>;
+    map_["RS512"] =
+        &BindAlgFactoryAlgorithmId<CreateRsaSsaAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdSha512>;
+    map_["RSA1_5"] = &CreateRsaEsAlgorithm;
+    map_["RSA-OAEP"] =
+        &BindAlgFactoryAlgorithmId<CreateRsaOaepAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdSha1>;
+    map_["A128KW"] = &WebKit::WebCryptoAlgorithm::createNull;
+    map_["A256KW"] = &WebKit::WebCryptoAlgorithm::createNull;
+    map_["A128GCM"] =
+        &BindAlgFactoryWithKeyLen<CreateAesGcmKeyGenAlgorithm, 128>;

[eroman, 2013/11/04 21:01:15]

Are you sure it is correct for these to be using the "Gen" version of the
algorithm parameters? According to the registration tables in webcrypto spec
importKey() doesn't expect any parameters on this (meaning the key length is
implicit from the raw key data).

[padolph, 2013/11/05 03:30:55]

The final call to ImportKey() at the end of ImportKeyJwk() requires an
Algorithm, which gets bound to the subsequently-created Key object. I guess you
are saying the best choice for the parameters struct for that Algorithm is NULL.
I'll do that, but I thought the Gen version made more sense because we know the
key length.

[eroman, 2013/11/07 05:49:41]

Background: The spec alas does not define what if any normalization happens to
key.algorithm. I have raised this in:

  https://www.w3.org/Bugs/Public/show_bug.cgi?id=23098

In my opinion it would be inconsistent for some keys to have parameters like the
key length, whereas others do not -- merely by virtue of whether they were
created using generateKey() vs importKey(). Right now in Blink we reflect the
generation parameters, but honestly it seems backwards. If you generated the key
yourself then the generation parameters will be known to you and this is mostly
just extra API cruft which requires a bunch more bindings work in Blink to
support (i.e. define interfaces for each of the possible parameter types, sigh).

I am hoping that key.algorithm will ultimately be defined to not reflect
parameters, since their usefulness seems rather limited.

[padolph, 2013/11/07 17:58:21]

Thanks for the background. I struggled with this in NfWebCrypto and eventually
just gave up on normalization, which we obviously can't do here.

+    map_["A256GCM"] =
+        &BindAlgFactoryWithKeyLen<CreateAesGcmKeyGenAlgorithm, 256>;

[eroman, 2013/11/04 21:01:15]

same comment here regarding the "Gen" version of the algorithm. Since
importKey() is being called with this algorithm, the parameter type should match
the expectations.

[padolph, 2013/11/05 03:30:55]

See above.

+    map_["A128CBC"] =
+        &BindAlgFactoryWithKeyLen<CreateAesCbcKeyGenAlgorithm, 128>;
+    map_["A256CBC"] =
+        &BindAlgFactoryWithKeyLen<CreateAesCbcKeyGenAlgorithm, 256>;
+    map_["A384CBC"] =
+        &BindAlgFactoryWithKeyLen<CreateAesCbcKeyGenAlgorithm, 384>;
+    map_["A512CBC"] =
+        &BindAlgFactoryWithKeyLen<CreateAesCbcKeyGenAlgorithm, 512>;
+  }
+
+  WebKit::WebCryptoAlgorithm CreateAlgorithmFromName(
+      const std::string& alg_id) {

[eroman, 2013/11/04 21:01:15]

please tag this function as "const".

[padolph, 2013/11/05 03:30:55]

Done.

+    const JwkAlgFactoryMap::const_iterator pos = map_.find(alg_id);
+    if (pos == map_.end())
+      return WebKit::WebCryptoAlgorithm::createNull();
+    return pos->second();
+  }
+
+ private:
+  JwkAlgFactoryMap map_;
+};
+
+base::LazyInstance<JwkAlgorithmFactoryMap> jwk_alg_factory =
+    LAZY_INSTANCE_INITIALIZER;
+
+// TODO(padolph): Verify this logic is sufficient to judge algorithm
+// "consistency" for JWK import, and for all supported algorithms.
+bool WebCryptoAlgorithmsConsistent(const WebKit::WebCryptoAlgorithm& alg1,
+                                   const WebKit::WebCryptoAlgorithm& alg2) {
+  DCHECK(!alg1.isNull());
+  DCHECK(!alg2.isNull());
+  if (alg1.id() == alg2.id()) {
+    if (alg1.id() == WebKit::WebCryptoAlgorithmIdHmac ||
+        alg1.id() == WebKit::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 ||
+        alg1.id() == WebKit::WebCryptoAlgorithmIdRsaOaep) {
+      if (WebCryptoAlgorithmsConsistent(GetInnerHashAlgorithm(alg1),
+                                        GetInnerHashAlgorithm(alg2))) {
+        return true;
+      }
+      return false;
+    }
+    return true;
+  }
+  return false;
+}
+
+}  // namespace
+
 WebCryptoImpl::WebCryptoImpl() {
   Init();
 }
 
-// static
-// TODO(eroman): This works by re-allocating a new buffer. It would be better if
-//               the WebArrayBuffer could just be truncated instead.
-void WebCryptoImpl::ShrinkBuffer(
-    WebKit::WebArrayBuffer* buffer,
-    unsigned new_size) {
-  DCHECK_LE(new_size, buffer->byteLength());
-
-  if (new_size == buffer->byteLength())
-    return;
-
-  WebKit::WebArrayBuffer new_buffer =
-      WebKit::WebArrayBuffer::create(new_size, 1);
-  DCHECK(!new_buffer.isNull());
-  memcpy(new_buffer.data(), buffer->data(), new_size);
-  *buffer = new_buffer;
-}
+WebCryptoImpl::~WebCryptoImpl() {}
 
 // static
 // TODO(eroman): Expose functionality in Blink instead.
 WebKit::WebCryptoKey WebCryptoImpl::NullKey() {
   // Needs a non-null algorithm to succeed.
   return WebKit::WebCryptoKey::create(
       NULL, WebKit::WebCryptoKeyTypeSecret, false,
       WebKit::WebCryptoAlgorithm::adoptParamsAndCreate(
           WebKit::WebCryptoAlgorithmIdAesGcm, NULL), 0);
 }
@@ skipping 62 matching lines @@
 
 void WebCryptoImpl::importKey(
     WebKit::WebCryptoKeyFormat format,
     const unsigned char* key_data,
     unsigned key_data_size,
     const WebKit::WebCryptoAlgorithm& algorithm_or_null,
     bool extractable,
     WebKit::WebCryptoKeyUsageMask usage_mask,
     WebKit::WebCryptoResult result) {
   WebKit::WebCryptoKey key = NullKey();
-  if (!ImportKeyInternal(format,
-                         key_data,
-                         key_data_size,
-                         algorithm_or_null,
-                         extractable,
-                         usage_mask,
-                         &key)) {
-    result.completeWithError();
-    return;
+  if (format == WebKit::WebCryptoKeyFormatJwk) {
+    if (!ImportKeyJwk(key_data,
+                      key_data_size,
+                      algorithm_or_null,
+                      extractable,
+                      usage_mask,
+                      &key)) {
+      result.completeWithError();
+    }
+  } else {
+    if (!ImportKeyInternal(format,
+                           key_data,
+                           key_data_size,
+                           algorithm_or_null,
+                           extractable,
+                           usage_mask,
+                           &key)) {
+      result.completeWithError();
+    }
   }
   DCHECK(key.handle());
   DCHECK(!key.algorithm().isNull());
   DCHECK_EQ(extractable, key.extractable());
   result.completeWithKey(key);
 }
 
 void WebCryptoImpl::sign(
     const WebKit::WebCryptoAlgorithm& algorithm,
     const WebKit::WebCryptoKey& key,
@@ skipping 25 matching lines @@
                                signature_size,
                                data,
                                data_size,
                                &signature_match)) {
     result.completeWithError();
   } else {
     result.completeWithBoolean(signature_match);
   }
 }
 
+bool WebCryptoImpl::ImportKeyJwk(
+    const unsigned char* key_data,
+    unsigned key_data_size,
+    const WebKit::WebCryptoAlgorithm& input_algorithm,

[eroman, 2013/11/04 21:01:15]

This name differs from the declaration. Can they be unified? You may also
consider calling this algorithm_or_null to match importKey()

[padolph, 2013/11/05 03:30:55]

Done.

+    bool extractable,
+    WebKit::WebCryptoKeyUsageMask usage_mask,
+    WebKit::WebCryptoKey* key) {
+
+  // JSON Web Key Format (JWK)
+  // http://tools.ietf.org/html/draft-ietf-jose-json-web-key-16
+  // TODO(padolph): Not all possible values are handled by this code right now
+  //
+  // A JWK is a simple JSON dictionary with the following entries
+  // - "kty" (Key Type) Parameter, REQUIRED
+  // - <kty-specific parameters, see below>, REQUIRED
+  // - "use" (Key Use) Parameter, OPTIONAL
+  // - "alg" (Algorithm) Parameter, OPTIONAL
+  // - "extractable" (Key Exportability), OPTIONAL [NOTE: not yet part of JOSE]
+  // (all other entries are ignored)
+  //
+  // Input key_data contains the JWK. To build a Web Crypto Key, the JWK values
+  // are parsed out and used as follows:
+  // Web Crypto Key type            <-- (deduced)
+  // Web Crypto Key extractable     <-- extractable
+  // Web Crypto Key algorithm       <-- alg
+  // Web Crypto Key keyUsage        <-- usage
+  // Web Crypto Key keying material <-- kty-specific parameters
+  //
+  // Values for each entry are case-sensitive and defined in
+  // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16.
+  // Note that not all values specified by JOSE are handled by this code. Only
+  // handled values are listed.
+  // - kty (Key Type)
+  //   +-------+--------------------------------------------------------------+
+  //   | "RSA" | RSA [RFC3447]                                                |
+  //   | "oct" | Octet sequence (used to represent symmetric keys)            |
+  //   +-------+--------------------------------------------------------------+
+  // - use (Key Use)
+  //   +-------+--------------------------------------------------------------+
+  //   | "enc" | encrypt and decrypt operations                               |
+  //   | "sig" | sign and verify (MAC) operations                             |
+  //   | "wrap"| key wrap and unwrap [not yet part of JOSE]                   |
+  //   +-------+--------------------------------------------------------------+
+  // - extractable (Key Exportability)
+  //   +-------+--------------------------------------------------------------+
+  //   | true  | Key may be exported from the trusted environment             |
+  //   | false | Key cannot exit the trusted environment                      |
+  //   +-------+--------------------------------------------------------------+
+  // - alg (Algorithm)
+  //   See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16
+  //   +--------------+-------------------------------------------------------+
+  //   | Digital Signature or MAC Algorithm                                   |
+  //   +--------------+-------------------------------------------------------+
+  //   | "HS256"      | HMAC using SHA-256 hash algorithm                     |
+  //   | "HS384"      | HMAC using SHA-384 hash algorithm                     |
+  //   | "HS512"      | HMAC using SHA-512 hash algorithm                     |
+  //   | "RS256"      | RSASSA using SHA-256 hash algorithm                   |
+  //   | "RS384"      | RSASSA using SHA-384 hash algorithm                   |
+  //   | "RS512"      | RSASSA using SHA-512 hash algorithm                   |
+  //   +--------------+-------------------------------------------------------|
+  //   | Key Management Algorithm                                             |
+  //   +--------------+-------------------------------------------------------+
+  //   | "RSA1_5"     | RSAES-PKCS1-V1_5 [RFC3447]                            |
+  //   | "RSA-OAEP"   | RSAES using Optimal Asymmetric Encryption Padding     |
+  //   |              | (OAEP) [RFC3447], with the default parameters         |
+  //   |              | specified by RFC3447 in Section A.2.1                 |
+  //   | "A128KW"     | Advanced Encryption Standard (AES) Key Wrap Algorithm |
+  //   |              | [RFC3394] using 128 bit keys                          |
+  //   | "A256KW"     | AES Key Wrap Algorithm using 256 bit keys             |
+  //   | "A128GCM"    | AES in Galois/Counter Mode (GCM) [NIST.800-38D] using |
+  //   |              | 128 bit keys                                          |
+  //   | "A256GCM"    | AES GCM using 256 bit keys                            |
+  //   | "A128CBC"    | AES in Cipher Block Chaining Mode (CBC) with PKCS #5  |
+  //   |              | padding [NIST.800-38A] [not yet part of JOSE]         |
+  //   | "A256CBC"    | AES CBC using 256 bit keys [not yet part of JOSE]     |
+  //   | "A384CBC"    | AES CBC using 384 bit keys [not yet part of JOSE]     |
+  //   | "A512CBC"    | AES CBC using 512 bit keys [not yet part of JOSE]     |
+  //   +--------------+-------------------------------------------------------+
+  //
+  // kty-specific parameters
+  // The value of kty determines the type and content of the keying material
+  // carried in the JWK to be imported. Currently only two possibilities are
+  // supported: a raw key or an RSA public key. RSA private keys are not
+  // supported because typical applications seldom need to import a private key,
+  // and the large number of JWK parameters required to describe one.
+  // - kty == "oct" (symmetric or other raw key)
+  //   +-------+--------------------------------------------------------------+
+  //   | "k"   | Contains the value of the symmetric (or other single-valued) |
+  //   |       | key.  It is represented as the base64url encoding of the     |
+  //   |       | octet sequence containing the key value.                     |
+  //   +-------+--------------------------------------------------------------+
+  // - kty == "RSA" (RSA public key)
+  //   +-------+--------------------------------------------------------------+
+  //   | "n"   | Contains the modulus value for the RSA public key.  It is    |
+  //   |       | represented as the base64url encoding of the value's         |
+  //   |       | unsigned big endian representation as an octet sequence.     |
+  //   +-------+--------------------------------------------------------------+
+  //   | "e"   | Contains the exponent value for the RSA public key.  It is   |
+  //   |       | represented as the base64url encoding of the value's         |
+  //   |       | unsigned big endian representation as an octet sequence.     |
+  //   +-------+--------------------------------------------------------------+
+  //
+  // Conflict resolution
+  // The input_algorithm, extractable, and usage_mask input parameters may be
+  // different from similar values inside the JWK. The Web Crypto spec says that
+  // if a JWK value is present but is inconsistent with the input value, it is
+  // an error and the operation must fail. Conversely, should they be missing
+  // from the JWK, the input values should be used to "fill-in" for the
+  // corresponding JWK-optional values (use, alg, extractable).
+
+  DCHECK(key);
+
+  // Parse the incoming JWK JSON.
+  if (!key_data || !key_data_size)
+    return false;
+  base::StringPiece json_string(reinterpret_cast<const char*>(key_data),
+                                key_data_size);
+  scoped_ptr<base::Value> value(base::JSONReader::Read(json_string));
+  // Note, bare pointer dict_value is ok since it points into scoped value.
+  base::DictionaryValue* dict_value = NULL;
+  if (!value.get() || !value->GetAsDictionary(&dict_value) || !dict_value)
+    return false;
+
+  // JWK "kty". Exit early if this required JWK parameter is missing.
+  std::string jwk_kty_value;
+  if (!dict_value->GetString("kty", &jwk_kty_value))
+    return false;
+
+  // JWK "extractable" (optional) --> extractable parameter
+  {
+    bool jwk_extractable_value;
+    if (dict_value->GetBoolean("extractable", &jwk_extractable_value)) {
+      if (jwk_extractable_value != extractable)
+        return false;
+    }
+  }
+
+  // JWK "alg" (optional) --> algorithm parameter
+  // Note: input algorithm is also optional, so we have six cases to handle.
+  // 1. JWK alg present but unrecognized: error
+  // 2. JWK alg valid AND input algorithm isNull: use JWK value
+  // 3. JWK alg valid AND input algorithm specified, but JWK value
+  //      inconsistent with input: error
+  // 4. JWK alg valid AND input algorithm specified, both consistent: use
+  //      input value (because it has potentially more details)
+  // 5. JWK alg missing AND input algorithm isNull: error
+  // 6. JWK alg missing AND input algorithm specified: use input value
+  WebKit::WebCryptoAlgorithm algorithm =
+      WebKit::WebCryptoAlgorithm::createNull();
+  std::string jwk_alg_value;
+  if (dict_value->GetString("alg", &jwk_alg_value)) {
+    // JWK alg present
+    const WebKit::WebCryptoAlgorithm jwk_algorithm =
+        jwk_alg_factory.Get().CreateAlgorithmFromName(jwk_alg_value);
+    if (jwk_algorithm.isNull()) {
+      // JWK alg unrecognized
+      return false;  // case 1
+    }
+    // JWK alg valid
+    if (input_algorithm.isNull()) {
+      // input algorithm not specified
+      algorithm = jwk_algorithm;  // case 2
+    } else {
+      // input algorithm specified
+      if (!WebCryptoAlgorithmsConsistent(jwk_algorithm, input_algorithm))
+        return false;               // case 3
+      algorithm = input_algorithm;  // case 4
+    }
+  } else {
+    // JWK alg missing
+    if (input_algorithm.isNull())
+      return false;               // case 5
+    algorithm = input_algorithm;  // case 6
+  }
+  DCHECK(!algorithm.isNull());
+
+  // JWK "use" (optional) --> usage_mask parameter
+  std::string jwk_use_value;
+  if (dict_value->GetString("use", &jwk_use_value)) {
+    WebKit::WebCryptoKeyUsageMask jwk_usage_mask = 0;
+    if (jwk_use_value == "enc") {
+      jwk_usage_mask =
+          WebKit::WebCryptoKeyUsageEncrypt | WebKit::WebCryptoKeyUsageDecrypt;
+    } else if (jwk_use_value == "sig") {
+      jwk_usage_mask =
+          WebKit::WebCryptoKeyUsageSign | WebKit::WebCryptoKeyUsageVerify;
+    } else if (jwk_use_value == "wrap") {
+      jwk_usage_mask =
+          WebKit::WebCryptoKeyUsageWrapKey | WebKit::WebCryptoKeyUsageUnwrapKey;
+    } else {
+      return false;
+    }
+    if ((jwk_usage_mask & usage_mask) != usage_mask) {
+      // A usage_mask must be a subset of jwk_usage_mask.
+      return false;
+    }
+  }
+
+  // JWK keying material --> ImportKeyInternal()
+  if (jwk_kty_value == "oct") {
+    std::string jwk_k_value_url64;
+    if (!dict_value->GetString("k", &jwk_k_value_url64))
+      return false;
+    std::string jwk_k_value;
+    if (!Base64DecodeUrlSafe(jwk_k_value_url64, &jwk_k_value) ||
+        !jwk_k_value.size()) {
+      return false;
+    }
+    return ImportKeyInternal(WebKit::WebCryptoKeyFormatRaw,
+                             reinterpret_cast<const uint8*>(jwk_k_value.data()),
+                             jwk_k_value.size(),
+                             algorithm,
+                             extractable,
+                             usage_mask,
+                             key);
+  } else if (jwk_kty_value == "RSA") {
+    // TODO(padolph): JWK import RSA public key
+    return false;
+  } else {
+    return false;
+  }
+
+  return true;
+}
+
 }  // namespace content