[webcrypto] Add JWK import for HMAC and AES-CBC key.

content/renderer/webcrypto/webcrypto_impl.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
+#include <algorithm>
+#include <functional>
+#include <map>
+#include <sstream>

[eroman, 2013/11/07 20:54:37]

remove

[padolph, 2013/11/09 00:33:38]

Done.

+#include "base/json/json_reader.h"
+#include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
-#include "third_party/WebKit/public/platform/WebArrayBuffer.h"
+#include "base/strings/string_piece.h"
+#include "base/values.h"
+#include "content/renderer/webcrypto/webcrypto_util.h"
 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
+#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
 #include "third_party/WebKit/public/platform/WebCryptoKey.h"
 
 namespace content {
 
 namespace {
 
 bool IsAlgorithmAsymmetric(const WebKit::WebCryptoAlgorithm& algorithm) {
   // TODO(padolph): include all other asymmetric algorithms once they are
   // defined, e.g. EC and DH.
   return (algorithm.id() == WebKit::WebCryptoAlgorithmIdRsaEsPkcs1v1_5 ||
           algorithm.id() == WebKit::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 ||
           algorithm.id() == WebKit::WebCryptoAlgorithmIdRsaOaep);
 }
 
+// Binds a specific key length value to a compatible factory function.
+typedef WebKit::WebCryptoAlgorithm (*AlgFactoryFuncWithOneShortArg)(
+    unsigned short);
+template <AlgFactoryFuncWithOneShortArg func, unsigned short key_length>
+WebKit::WebCryptoAlgorithm BindAlgFactoryWithKeyLen() {
+  return func(key_length);
+}
+
+// Binds a WebCryptoAlgorithmId value to a compatible factory function.
+typedef WebKit::WebCryptoAlgorithm (*AlgFactoryFuncWithWebCryptoAlgIdArg)(
+    WebKit::WebCryptoAlgorithmId);
+template <AlgFactoryFuncWithWebCryptoAlgIdArg func,
+          WebKit::WebCryptoAlgorithmId algorithm_id>
+WebKit::WebCryptoAlgorithm BindAlgFactoryAlgorithmId() {
+  return func(algorithm_id);
+}
+
+// Defines a map between a JWK 'alg' string ID and a corresponding Web Crypto
+// factory function.
+typedef WebKit::WebCryptoAlgorithm (*AlgFactoryFuncNoArgs)();
+typedef std::map<std::string, AlgFactoryFuncNoArgs> JwkAlgFactoryMap;
+
+class JwkAlgorithmFactoryMap {
+ public:
+  JwkAlgorithmFactoryMap() {
+    map_["HS256"] =
+        &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByDigestLen, 256>;
+    map_["HS384"] =
+        &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByDigestLen, 384>;
+    map_["HS512"] =
+        &BindAlgFactoryWithKeyLen<CreateHmacAlgorithmByDigestLen, 512>;
+    map_["RS256"] =
+        &BindAlgFactoryAlgorithmId<CreateRsaSsaAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdSha256>;
+    map_["RS384"] =
+        &BindAlgFactoryAlgorithmId<CreateRsaSsaAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdSha384>;
+    map_["RS512"] =
+        &BindAlgFactoryAlgorithmId<CreateRsaSsaAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdSha512>;
+    map_["RSA1_5"] =
+        &BindAlgFactoryAlgorithmId<CreateAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdRsaEsPkcs1v1_5>;
+    map_["RSA-OAEP"] =
+        &BindAlgFactoryAlgorithmId<CreateRsaOaepAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdSha1>;
+    map_["A128KW"] = &WebKit::WebCryptoAlgorithm::createNull;

[eroman, 2013/11/07 20:54:37]

Either add a TODO for these, or delete the "null" entries.

[padolph, 2013/11/09 00:33:38]

Added a TODO.

rsleevi: Would you consider adding AES-KW as an Algorithm to the Web Crypto API
spec? Is this something I can enter a bug for on my own, or is this a Mark
Watson thing? Please advise.

+    map_["A256KW"] = &WebKit::WebCryptoAlgorithm::createNull;
+    map_["A128GCM"] =
+        &BindAlgFactoryAlgorithmId<CreateAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdAesGcm>;
+    map_["A256GCM"] =
+        &BindAlgFactoryAlgorithmId<CreateAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdAesGcm>;
+    map_["A128CBC"] =
+        &BindAlgFactoryAlgorithmId<CreateAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdAesCbc>;
+    map_["A256CBC"] =
+        &BindAlgFactoryAlgorithmId<CreateAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdAesCbc>;
+    map_["A384CBC"] =
+        &BindAlgFactoryAlgorithmId<CreateAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdAesCbc>;
+    map_["A512CBC"] =
+        &BindAlgFactoryAlgorithmId<CreateAlgorithm,
+                                   WebKit::WebCryptoAlgorithmIdAesCbc>;
+  }
+
+  WebKit::WebCryptoAlgorithm CreateAlgorithmFromName(
+      const std::string& alg_id) const {
+    const JwkAlgFactoryMap::const_iterator pos = map_.find(alg_id);
+    if (pos == map_.end())
+      return WebKit::WebCryptoAlgorithm::createNull();
+    return pos->second();
+  }
+
+ private:
+  JwkAlgFactoryMap map_;
+};
+
+base::LazyInstance<JwkAlgorithmFactoryMap> jwk_alg_factory =
+    LAZY_INSTANCE_INITIALIZER;
+
+// TODO(padolph): Verify this logic is sufficient to judge algorithm
+// "consistency" for JWK import, and for all supported algorithms.
+bool WebCryptoAlgorithmsConsistent(const WebKit::WebCryptoAlgorithm& alg1,
+                                   const WebKit::WebCryptoAlgorithm& alg2) {
+  DCHECK(!alg1.isNull());
+  DCHECK(!alg2.isNull());
+  if (alg1.id() == alg2.id()) {
+    if (alg1.id() == WebKit::WebCryptoAlgorithmIdHmac ||
+        alg1.id() == WebKit::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 ||
+        alg1.id() == WebKit::WebCryptoAlgorithmIdRsaOaep) {
+      if (WebCryptoAlgorithmsConsistent(GetInnerHashAlgorithm(alg1),
+                                        GetInnerHashAlgorithm(alg2))) {
+        return true;
+      }
+      return false;
+    }
+    return true;
+  }
+  return false;
+}
+
 }  // namespace
 
 WebCryptoImpl::WebCryptoImpl() {
   Init();
 }
 
 // static
-// TODO(eroman): This works by re-allocating a new buffer. It would be better if
-//               the WebArrayBuffer could just be truncated instead.
-void WebCryptoImpl::ShrinkBuffer(
-    WebKit::WebArrayBuffer* buffer,
-    unsigned new_size) {
-  DCHECK_LE(new_size, buffer->byteLength());
-
-  if (new_size == buffer->byteLength())
-    return;
-
-  WebKit::WebArrayBuffer new_buffer =
-      WebKit::WebArrayBuffer::create(new_size, 1);
-  DCHECK(!new_buffer.isNull());
-  memcpy(new_buffer.data(), buffer->data(), new_size);
-  *buffer = new_buffer;
-}
-
-// static
 // TODO(eroman): Expose functionality in Blink instead.
 WebKit::WebCryptoKey WebCryptoImpl::NullKey() {
   // Needs a non-null algorithm to succeed.
   return WebKit::WebCryptoKey::create(
       NULL, WebKit::WebCryptoKeyTypeSecret, false,
       WebKit::WebCryptoAlgorithm::adoptParamsAndCreate(
           WebKit::WebCryptoAlgorithmIdAesGcm, NULL), 0);
 }
 
 void WebCryptoImpl::encrypt(
@@ skipping 83 matching lines @@
 
 void WebCryptoImpl::importKey(
     WebKit::WebCryptoKeyFormat format,
     const unsigned char* key_data,
     unsigned key_data_size,
     const WebKit::WebCryptoAlgorithm& algorithm_or_null,
     bool extractable,
     WebKit::WebCryptoKeyUsageMask usage_mask,
     WebKit::WebCryptoResult result) {
   WebKit::WebCryptoKey key = WebKit::WebCryptoKey::createNull();
-  if (!ImportKeyInternal(format,
-                         key_data,
-                         key_data_size,
-                         algorithm_or_null,
-                         extractable,
-                         usage_mask,
-                         &key)) {
-    result.completeWithError();
-    return;
+  if (format == WebKit::WebCryptoKeyFormatJwk) {
+    if (!ImportKeyJwk(key_data,
+                      key_data_size,
+                      algorithm_or_null,
+                      extractable,
+                      usage_mask,
+                      &key)) {
+      result.completeWithError();
+    }
+  } else {
+    if (!ImportKeyInternal(format,
+                           key_data,
+                           key_data_size,
+                           algorithm_or_null,
+                           extractable,
+                           usage_mask,
+                           &key)) {
+      result.completeWithError();
+    }
   }
   DCHECK(key.handle());
   DCHECK(!key.algorithm().isNull());
   DCHECK_EQ(extractable, key.extractable());
   result.completeWithKey(key);
 }
 
 void WebCryptoImpl::sign(
     const WebKit::WebCryptoAlgorithm& algorithm,
     const WebKit::WebCryptoKey& key,
@@ skipping 25 matching lines @@
                                signature_size,
                                data,
                                data_size,
                                &signature_match)) {
     result.completeWithError();
   } else {
     result.completeWithBoolean(signature_match);
   }
 }
 
+bool WebCryptoImpl::ImportKeyJwk(
+    const unsigned char* key_data,
+    unsigned key_data_size,
+    const WebKit::WebCryptoAlgorithm& algorithm_or_null,
+    bool extractable,
+    WebKit::WebCryptoKeyUsageMask usage_mask,
+    WebKit::WebCryptoKey* key) {
+
+  // JSON Web Key Format (JWK)
+  // http://tools.ietf.org/html/draft-ietf-jose-json-web-key-16
+  // TODO(padolph): Not all possible values are handled by this code right now
+  //
+  // A JWK is a simple JSON dictionary with the following entries
+  // - "kty" (Key Type) Parameter, REQUIRED
+  // - <kty-specific parameters, see below>, REQUIRED
+  // - "use" (Key Use) Parameter, OPTIONAL

[eroman, 2013/11/07 20:54:37]

It is worth also mentioning what OPTIONAL means. (Since right now optional
parameters are disregarded when their type mismatches). I believe we will want
to revisit or clarify this later.

[padolph, 2013/11/09 00:33:38]

I added some text to clarify this. Please take a look.

+  // - "alg" (Algorithm) Parameter, OPTIONAL
+  // - "extractable" (Key Exportability), OPTIONAL [NOTE: not yet part of JOSE]
+  // (all other entries are ignored)
+  //
+  // Input key_data contains the JWK. To build a Web Crypto Key, the JWK values
+  // are parsed out and used as follows:
+  // Web Crypto Key type            <-- (deduced)
+  // Web Crypto Key extractable     <-- extractable
+  // Web Crypto Key algorithm       <-- alg
+  // Web Crypto Key keyUsage        <-- usage
+  // Web Crypto Key keying material <-- kty-specific parameters
+  //
+  // Values for each entry are case-sensitive and defined in
+  // http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16.
+  // Note that not all values specified by JOSE are handled by this code. Only
+  // handled values are listed.
+  // - kty (Key Type)
+  //   +-------+--------------------------------------------------------------+
+  //   | "RSA" | RSA [RFC3447]                                                |
+  //   | "oct" | Octet sequence (used to represent symmetric keys)            |
+  //   +-------+--------------------------------------------------------------+
+  // - use (Key Use)
+  //   +-------+--------------------------------------------------------------+
+  //   | "enc" | encrypt and decrypt operations                               |
+  //   | "sig" | sign and verify (MAC) operations                             |
+  //   | "wrap"| key wrap and unwrap [not yet part of JOSE]                   |
+  //   +-------+--------------------------------------------------------------+
+  // - extractable (Key Exportability)
+  //   +-------+--------------------------------------------------------------+
+  //   | true  | Key may be exported from the trusted environment             |
+  //   | false | Key cannot exit the trusted environment                      |
+  //   +-------+--------------------------------------------------------------+
+  // - alg (Algorithm)
+  //   See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-16
+  //   +--------------+-------------------------------------------------------+
+  //   | Digital Signature or MAC Algorithm                                   |
+  //   +--------------+-------------------------------------------------------+
+  //   | "HS256"      | HMAC using SHA-256 hash algorithm                     |
+  //   | "HS384"      | HMAC using SHA-384 hash algorithm                     |
+  //   | "HS512"      | HMAC using SHA-512 hash algorithm                     |
+  //   | "RS256"      | RSASSA using SHA-256 hash algorithm                   |
+  //   | "RS384"      | RSASSA using SHA-384 hash algorithm                   |
+  //   | "RS512"      | RSASSA using SHA-512 hash algorithm                   |
+  //   +--------------+-------------------------------------------------------|
+  //   | Key Management Algorithm                                             |
+  //   +--------------+-------------------------------------------------------+
+  //   | "RSA1_5"     | RSAES-PKCS1-V1_5 [RFC3447]                            |
+  //   | "RSA-OAEP"   | RSAES using Optimal Asymmetric Encryption Padding     |
+  //   |              | (OAEP) [RFC3447], with the default parameters         |
+  //   |              | specified by RFC3447 in Section A.2.1                 |
+  //   | "A128KW"     | Advanced Encryption Standard (AES) Key Wrap Algorithm |
+  //   |              | [RFC3394] using 128 bit keys                          |
+  //   | "A256KW"     | AES Key Wrap Algorithm using 256 bit keys             |
+  //   | "A128GCM"    | AES in Galois/Counter Mode (GCM) [NIST.800-38D] using |
+  //   |              | 128 bit keys                                          |
+  //   | "A256GCM"    | AES GCM using 256 bit keys                            |
+  //   | "A128CBC"    | AES in Cipher Block Chaining Mode (CBC) with PKCS #5  |
+  //   |              | padding [NIST.800-38A] [not yet part of JOSE]         |
+  //   | "A256CBC"    | AES CBC using 256 bit keys [not yet part of JOSE]     |
+  //   | "A384CBC"    | AES CBC using 384 bit keys [not yet part of JOSE]     |
+  //   | "A512CBC"    | AES CBC using 512 bit keys [not yet part of JOSE]     |
+  //   +--------------+-------------------------------------------------------+
+  //
+  // kty-specific parameters
+  // The value of kty determines the type and content of the keying material
+  // carried in the JWK to be imported. Currently only two possibilities are
+  // supported: a raw key or an RSA public key. RSA private keys are not
+  // supported because typical applications seldom need to import a private key,
+  // and the large number of JWK parameters required to describe one.
+  // - kty == "oct" (symmetric or other raw key)
+  //   +-------+--------------------------------------------------------------+
+  //   | "k"   | Contains the value of the symmetric (or other single-valued) |
+  //   |       | key.  It is represented as the base64url encoding of the     |
+  //   |       | octet sequence containing the key value.                     |
+  //   +-------+--------------------------------------------------------------+
+  // - kty == "RSA" (RSA public key)
+  //   +-------+--------------------------------------------------------------+
+  //   | "n"   | Contains the modulus value for the RSA public key.  It is    |
+  //   |       | represented as the base64url encoding of the value's         |
+  //   |       | unsigned big endian representation as an octet sequence.     |
+  //   +-------+--------------------------------------------------------------+
+  //   | "e"   | Contains the exponent value for the RSA public key.  It is   |
+  //   |       | represented as the base64url encoding of the value's         |
+  //   |       | unsigned big endian representation as an octet sequence.     |
+  //   +-------+--------------------------------------------------------------+
+  //
+  // Conflict resolution
+  // The algorithm_or_null, extractable, and usage_mask input parameters may be
+  // different from similar values inside the JWK. The Web Crypto spec says that
+  // if a JWK value is present but is inconsistent with the input value, it is
+  // an error and the operation must fail. Conversely, should they be missing
+  // from the JWK, the input values should be used to "fill-in" for the
+  // corresponding JWK-optional values (use, alg, extractable).
+
+  DCHECK(key);
+
+  // Parse the incoming JWK JSON.
+  if (!key_data || !key_data_size)

[eroman, 2013/11/07 20:54:37]

Same comment as on the other CL, I would prefer this as:

if (!key_data_size)
  return false
DCHECK(key_data);

To reinforce to the reader that NULL key data is not the right way to call it.

[padolph, 2013/11/09 00:33:38]

Done.

+    return false;
+  base::StringPiece json_string(reinterpret_cast<const char*>(key_data),
+                                key_data_size);
+  scoped_ptr<base::Value> value(base::JSONReader::Read(json_string));
+  // Note, bare pointer dict_value is ok since it points into scoped value.
+  base::DictionaryValue* dict_value = NULL;
+  if (!value.get() || !value->GetAsDictionary(&dict_value) || !dict_value)
+    return false;
+
+  // JWK "kty". Exit early if this required JWK parameter is missing.
+  std::string jwk_kty_value;
+  if (!dict_value->GetString("kty", &jwk_kty_value))
+    return false;
+
+  // JWK "extractable" (optional) --> extractable parameter
+  {
+    bool jwk_extractable_value;
+    if (dict_value->GetBoolean("extractable", &jwk_extractable_value)) {
+      if (jwk_extractable_value != extractable)

[eroman, 2013/11/07 20:54:37]

To be "consistent", it seems like it should alway be OK for the caller to say
extractable=false. For instance if the JWK says extractable=true, I think it is
legitimate for the caller to import it with extractable=false, and for the final
key to be un-extractable.

[padolph, 2013/11/09 00:33:38]

Done.

+        return false;
+    }
+  }
+
+  // JWK "alg" (optional) --> algorithm parameter
+  // Note: input algorithm is also optional, so we have six cases to handle.
+  // 1. JWK alg present but unrecognized: error
+  // 2. JWK alg valid AND input algorithm isNull: use JWK value
+  // 3. JWK alg valid AND input algorithm specified, but JWK value
+  //      inconsistent with input: error
+  // 4. JWK alg valid AND input algorithm specified, both consistent: use
+  //      input value (because it has potentially more details)
+  // 5. JWK alg missing AND input algorithm isNull: error
+  // 6. JWK alg missing AND input algorithm specified: use input value
+  WebKit::WebCryptoAlgorithm algorithm =
+      WebKit::WebCryptoAlgorithm::createNull();
+  std::string jwk_alg_value;
+  if (dict_value->GetString("alg", &jwk_alg_value)) {
+    // JWK alg present
+    const WebKit::WebCryptoAlgorithm jwk_algorithm =
+        jwk_alg_factory.Get().CreateAlgorithmFromName(jwk_alg_value);
+    if (jwk_algorithm.isNull()) {
+      // JWK alg unrecognized
+      return false;  // case 1
+    }
+    // JWK alg valid
+    if (algorithm_or_null.isNull()) {
+      // input algorithm not specified
+      algorithm = jwk_algorithm;  // case 2
+    } else {
+      // input algorithm specified
+      if (!WebCryptoAlgorithmsConsistent(jwk_algorithm, algorithm_or_null))
+        return false;               // case 3

[eroman, 2013/11/07 20:54:37]

Please indent this comment by just 2 spaces (style rules, not mine :)

[padolph, 2013/11/09 00:33:38]

Done.

[eroman, 2013/11/09 02:22:14]

not quite. What I meant is:
     return false;  // case 3

[padolph, 2013/11/11 00:53:26]

Ic. The current format is what clang-format told me to do. But will fix.

+      algorithm = algorithm_or_null;  // case 4
+    }
+  } else {
+    // JWK alg missing
+    if (algorithm_or_null.isNull())
+      return false;               // case 5

[eroman, 2013/11/07 20:54:37]

same

[padolph, 2013/11/09 00:33:38]

Done.

[eroman, 2013/11/09 02:22:14]

Same.

[padolph, 2013/11/11 00:53:26]

Done.

+    algorithm = algorithm_or_null;  // case 6
+  }
+  DCHECK(!algorithm.isNull());
+
+  // JWK "use" (optional) --> usage_mask parameter
+  std::string jwk_use_value;
+  if (dict_value->GetString("use", &jwk_use_value)) {
+    WebKit::WebCryptoKeyUsageMask jwk_usage_mask = 0;
+    if (jwk_use_value == "enc") {
+      jwk_usage_mask =
+          WebKit::WebCryptoKeyUsageEncrypt | WebKit::WebCryptoKeyUsageDecrypt;
+    } else if (jwk_use_value == "sig") {
+      jwk_usage_mask =
+          WebKit::WebCryptoKeyUsageSign | WebKit::WebCryptoKeyUsageVerify;
+    } else if (jwk_use_value == "wrap") {
+      jwk_usage_mask =
+          WebKit::WebCryptoKeyUsageWrapKey | WebKit::WebCryptoKeyUsageUnwrapKey;
+    } else {
+      return false;
+    }
+    if ((jwk_usage_mask & usage_mask) != usage_mask) {
+      // A usage_mask must be a subset of jwk_usage_mask.
+      return false;
+    }
+  }
+
+  // JWK keying material --> ImportKeyInternal()
+  if (jwk_kty_value == "oct") {
+    std::string jwk_k_value_url64;
+    if (!dict_value->GetString("k", &jwk_k_value_url64))
+      return false;
+    std::string jwk_k_value;
+    if (!Base64DecodeUrlSafe(jwk_k_value_url64, &jwk_k_value) ||
+        !jwk_k_value.size()) {
+      return false;
+    }
+    // TODO(padolph): AES JWK alg ID's embed the intended key length in the alg
+    // ID string. For such keys validate the actual key length against the value
+    // in the ID.
+    return ImportKeyInternal(WebKit::WebCryptoKeyFormatRaw,
+                             reinterpret_cast<const uint8*>(jwk_k_value.data()),
+                             jwk_k_value.size(),
+                             algorithm,
+                             extractable,
+                             usage_mask,
+                             key);
+  } else if (jwk_kty_value == "RSA") {
+    // TODO(padolph): JWK import RSA public key
+    return false;
+  } else {
+    return false;
+  }
+
+  return true;
+}
+
 }  // namespace content