Add support for RSA-OAEP when using NSS 3.16.2 or later

content/child/webcrypto/shared_crypto.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/child/webcrypto/shared_crypto.h"
 
 #include "base/logging.h"
 #include "content/child/webcrypto/crypto_data.h"
 #include "content/child/webcrypto/jwk.h"
 #include "content/child/webcrypto/platform_crypto.h"
@@ skipping 141 matching lines @@
   if (status.IsError())
     return status;
 
   // RSAES decryption does not support empty input
   if (!data.byte_length())
     return Status::ErrorDataTooSmall();
 
   return platform::DecryptRsaEsPkcs1v1_5(private_key, data, buffer);
 }
 
+Status EncryptRsaOaep(const blink::WebCryptoAlgorithm& algorithm,
+                      const blink::WebCryptoKey& key,
+                      const CryptoData& data,
+                      std::vector<uint8>* buffer) {
+  platform::PublicKey* public_key;
+  Status status = ToPlatformPublicKey(key, &public_key);
+  if (status.IsError())
+    return status;
+
+  const blink::WebCryptoRsaOaepParams* params = algorithm.rsaOaepParams();
+  if (!params)
+    return Status::ErrorUnexpected();
+
+  return platform::EncryptRsaOaep(public_key,
+                                  key.algorithm().rsaHashedParams()->hash(),
+                                  CryptoData(params->optionalLabel()),
+                                  data,
+                                  buffer);
+}
+
+Status DecryptRsaOaep(const blink::WebCryptoAlgorithm& algorithm,
+                      const blink::WebCryptoKey& key,
+                      const CryptoData& data,
+                      std::vector<uint8>* buffer) {
+  platform::PrivateKey* private_key;
+  Status status = ToPlatformPrivateKey(key, &private_key);
+  if (status.IsError())
+    return status;
+
+  const blink::WebCryptoRsaOaepParams* params = algorithm.rsaOaepParams();
+  if (!params)
+    return Status::ErrorUnexpected();
+
+  return platform::DecryptRsaOaep(private_key,
+                                  key.algorithm().rsaHashedParams()->hash(),
+                                  CryptoData(params->optionalLabel()),
+                                  data,
+                                  buffer);
+}
+
 Status SignHmac(const blink::WebCryptoAlgorithm& algorithm,
                 const blink::WebCryptoKey& key,
                 const CryptoData& data,
                 std::vector<uint8>* buffer) {
   platform::SymKey* sym_key;
   Status status = ToPlatformSymKey(key, &sym_key);
   if (status.IsError())
     return status;
 
   return platform::SignHmac(
@@ skipping 256 matching lines @@
                                 std::vector<uint8>* buffer) {
   if (algorithm.id() != key.algorithm().id())
     return Status::ErrorUnexpected();
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdAesCbc:
       return EncryptDecryptAesCbc(DECRYPT, algorithm, key, data, buffer);
     case blink::WebCryptoAlgorithmIdAesGcm:
       return EncryptDecryptAesGcm(DECRYPT, algorithm, key, data, buffer);
     case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
       return DecryptRsaEsPkcs1v1_5(algorithm, key, data, buffer);
+    case blink::WebCryptoAlgorithmIdRsaOaep:
+      return DecryptRsaOaep(algorithm, key, data, buffer);
     case blink::WebCryptoAlgorithmIdAesKw:
       return DecryptAesKw(algorithm, key, data, buffer);
     default:
       return Status::ErrorUnsupported();
   }
 }
 
 Status EncryptDontCheckUsage(const blink::WebCryptoAlgorithm& algorithm,
                              const blink::WebCryptoKey& key,
                              const CryptoData& data,
                              std::vector<uint8>* buffer) {
   if (algorithm.id() != key.algorithm().id())
     return Status::ErrorUnexpected();
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdAesCbc:
       return EncryptDecryptAesCbc(ENCRYPT, algorithm, key, data, buffer);
     case blink::WebCryptoAlgorithmIdAesGcm:
       return EncryptDecryptAesGcm(ENCRYPT, algorithm, key, data, buffer);
     case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
       return EncryptRsaEsPkcs1v1_5(algorithm, key, data, buffer);
+    case blink::WebCryptoAlgorithmIdRsaOaep:
+      return EncryptRsaOaep(algorithm, key, data, buffer);
     default:
       return Status::ErrorUnsupported();
   }
 }
 
 Status UnwrapKeyDecryptAndImport(
     blink::WebCryptoKeyFormat format,
     const CryptoData& wrapped_key_data,
     const blink::WebCryptoKey& wrapping_key,
     const blink::WebCryptoAlgorithm& wrapping_algorithm,
@@ skipping 287 matching lines @@
                const blink::WebCryptoKey& wrapping_key,
                const blink::WebCryptoAlgorithm& wrapping_algorithm,
                std::vector<uint8>* buffer) {
   if (!KeyUsageAllows(wrapping_key, blink::WebCryptoKeyUsageWrapKey))
     return Status::ErrorUnexpected();
   if (wrapping_algorithm.id() != wrapping_key.algorithm().id())
     return Status::ErrorUnexpected();
 
   switch (format) {
     case blink::WebCryptoKeyFormatRaw:
-      return WrapKeyRaw(key_to_wrap, wrapping_key, wrapping_algorithm, buffer);
+      if (wrapping_algorithm.id() == blink::WebCryptoAlgorithmIdAesKw) {
+        // AES-KW is a special case, due to NSS's implementation only
+        // supporting C_Wrap/C_Unwrap with AES-KW

[Ryan Sleevi, 2014/05/14 01:26:00]

This does feel kinda hacky. It could be wrapped into some helper function
"DoesSupportRawWrapAndUnwrap" or something, but that seems overkill.

+        return WrapKeyRaw(
+            key_to_wrap, wrapping_key, wrapping_algorithm, buffer);
+      } else {
+        return WrapKeyExportAndEncrypt(
+            format, key_to_wrap, wrapping_key, wrapping_algorithm, buffer);
+      }
     case blink::WebCryptoKeyFormatJwk:
       return WrapKeyExportAndEncrypt(
           format, key_to_wrap, wrapping_key, wrapping_algorithm, buffer);
     case blink::WebCryptoKeyFormatSpki:
     case blink::WebCryptoKeyFormatPkcs8:
       return Status::ErrorUnsupported();  // TODO(padolph)
     default:
       NOTREACHED();
       return Status::ErrorUnsupported();
   }
 }
 
 Status UnwrapKey(blink::WebCryptoKeyFormat format,
                  const CryptoData& wrapped_key_data,
                  const blink::WebCryptoKey& wrapping_key,
                  const blink::WebCryptoAlgorithm& wrapping_algorithm,
                  const blink::WebCryptoAlgorithm& algorithm,
                  bool extractable,
                  blink::WebCryptoKeyUsageMask usage_mask,
                  blink::WebCryptoKey* key) {
   if (!KeyUsageAllows(wrapping_key, blink::WebCryptoKeyUsageUnwrapKey))
     return Status::ErrorUnexpected();
   if (wrapping_algorithm.id() != wrapping_key.algorithm().id())
     return Status::ErrorUnexpected();
 
   switch (format) {
     case blink::WebCryptoKeyFormatRaw:
-      return UnwrapKeyRaw(wrapped_key_data,
-                          wrapping_key,
-                          wrapping_algorithm,
-                          algorithm,
-                          extractable,
-                          usage_mask,
-                          key);
+      if (wrapping_algorithm.id() == blink::WebCryptoAlgorithmIdAesKw) {

[padolph, 2014/05/14 02:14:41]

I don't understand the special-casing here. UnwrapKeyRaw() currently also
handles RSA-ES via PK11_PubUnwrapSymKeyWithFlagsPerm(). Are you saying that
PK11_PubUnwrapSymKeyWithFlagsPerm() cannot do RSA-OAEP? If not, we should rename
UnwrapKeyRaw() to something specifically mentioning AES-KW since it will only be
used for that alg.

[Ryan Sleevi, 2014/05/14 02:34:30]

Correct. Much of the pk11wrap layer is not situated to handle mechanisms with
arguments well - as demonstrated by the patches we needed for AES-GCM and now
here.

In particular, PubWrap/PubUnwrap assume all they need to know is the mechanism
type of the key to determine the wrapping algorithm, which is incorrect, since
they also need to be able to supply key parameters (label, mgf, hash function)

Fixing pk11wrap is a much larger effort - as it also does its own layer of SSA
encoding when handling RSA keys.

I'm fine renaming this.

Note: the reason AES-KW is a special snowflake is the PKCS mechanism is
documented to only work with C_Wrap/C_Unwrap, whereas OAEP works with
C_Encrypt/C_Decrypt as well.

+        // AES-KW is a special case, due to NSS's implementation only
+        // supporting C_Wrap/C_Unwrap with AES-KW
+        return UnwrapKeyRaw(wrapped_key_data,
+                            wrapping_key,
+                            wrapping_algorithm,
+                            algorithm,
+                            extractable,
+                            usage_mask,
+                            key);
+      } else {
+        return UnwrapKeyDecryptAndImport(format,

[eroman, 2014/05/14 01:50:47]

I thought style was to not use an "else" after a return?

[Ryan Sleevi, 2014/05/14 02:34:30]

D'oh! Well spotted.

+                                         wrapped_key_data,
+                                         wrapping_key,
+                                         wrapping_algorithm,
+                                         algorithm,
+                                         extractable,
+                                         usage_mask,
+                                         key);
+      }
     case blink::WebCryptoKeyFormatJwk:
       return UnwrapKeyDecryptAndImport(format,
                                        wrapped_key_data,
                                        wrapping_key,
                                        wrapping_algorithm,
                                        algorithm,
                                        extractable,
                                        usage_mask,
                                        key);
     case blink::WebCryptoKeyFormatSpki:
@@ skipping 34 matching lines @@
                             usage_mask,
                             key);
   if (status.IsError())
     return false;
   return ValidateDeserializedKey(*key, algorithm, type);
 }
 
 }  // namespace webcrypto
 
 }  // namespace content