Add support for RSA-OAEP when using NSS 3.16.2 or later

content/child/webcrypto/shared_crypto.cc

Index: content/child/webcrypto/shared_crypto.cc
diff --git a/content/child/webcrypto/shared_crypto.cc b/content/child/webcrypto/shared_crypto.cc
index 7d4704fc656ec7aca87fdefa3ffe22201bd70608..50062ddd2bbe23fe8455e4a23ae8e01cd0604e68 100644
--- a/content/child/webcrypto/shared_crypto.cc
+++ b/content/child/webcrypto/shared_crypto.cc
@@ -159,6 +159,46 @@ Status DecryptRsaEsPkcs1v1_5(const blink::WebCryptoAlgorithm& algorithm,
   return platform::DecryptRsaEsPkcs1v1_5(private_key, data, buffer);
 }
 
+Status EncryptRsaOaep(const blink::WebCryptoAlgorithm& algorithm,
+                      const blink::WebCryptoKey& key,
+                      const CryptoData& data,
+                      std::vector<uint8>* buffer) {
+  platform::PublicKey* public_key;
+  Status status = ToPlatformPublicKey(key, &public_key);
+  if (status.IsError())
+    return status;
+
+  const blink::WebCryptoRsaOaepParams* params = algorithm.rsaOaepParams();
+  if (!params)
+    return Status::ErrorUnexpected();
+
+  return platform::EncryptRsaOaep(public_key,
+                                  key.algorithm().rsaHashedParams()->hash(),
+                                  CryptoData(params->optionalLabel()),
+                                  data,
+                                  buffer);
+}
+
+Status DecryptRsaOaep(const blink::WebCryptoAlgorithm& algorithm,
+                      const blink::WebCryptoKey& key,
+                      const CryptoData& data,
+                      std::vector<uint8>* buffer) {
+  platform::PrivateKey* private_key;
+  Status status = ToPlatformPrivateKey(key, &private_key);
+  if (status.IsError())
+    return status;
+
+  const blink::WebCryptoRsaOaepParams* params = algorithm.rsaOaepParams();
+  if (!params)
+    return Status::ErrorUnexpected();
+
+  return platform::DecryptRsaOaep(private_key,
+                                  key.algorithm().rsaHashedParams()->hash(),
+                                  CryptoData(params->optionalLabel()),
+                                  data,
+                                  buffer);
+}
+
 Status SignHmac(const blink::WebCryptoAlgorithm& algorithm,
                 const blink::WebCryptoKey& key,
                 const CryptoData& data,
@@ -435,6 +475,8 @@ Status DecryptDontCheckKeyUsage(const blink::WebCryptoAlgorithm& algorithm,
       return EncryptDecryptAesGcm(DECRYPT, algorithm, key, data, buffer);
     case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
       return DecryptRsaEsPkcs1v1_5(algorithm, key, data, buffer);
+    case blink::WebCryptoAlgorithmIdRsaOaep:
+      return DecryptRsaOaep(algorithm, key, data, buffer);
     case blink::WebCryptoAlgorithmIdAesKw:
       return DecryptAesKw(algorithm, key, data, buffer);
     default:
@@ -455,6 +497,8 @@ Status EncryptDontCheckUsage(const blink::WebCryptoAlgorithm& algorithm,
       return EncryptDecryptAesGcm(ENCRYPT, algorithm, key, data, buffer);
     case blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
       return EncryptRsaEsPkcs1v1_5(algorithm, key, data, buffer);
+    case blink::WebCryptoAlgorithmIdRsaOaep:
+      return EncryptRsaOaep(algorithm, key, data, buffer);
     default:
       return Status::ErrorUnsupported();
   }
@@ -762,7 +806,15 @@ Status WrapKey(blink::WebCryptoKeyFormat format,
 
   switch (format) {
     case blink::WebCryptoKeyFormatRaw:
-      return WrapKeyRaw(key_to_wrap, wrapping_key, wrapping_algorithm, buffer);
+      if (wrapping_algorithm.id() == blink::WebCryptoAlgorithmIdAesKw) {
+        // AES-KW is a special case, due to NSS's implementation only
+        // supporting C_Wrap/C_Unwrap with AES-KW

[Ryan Sleevi, 2014/05/14 01:26:00]

This does feel kinda hacky. It could be wrapped into some helper function
"DoesSupportRawWrapAndUnwrap" or something, but that seems overkill.

+        return WrapKeyRaw(
+            key_to_wrap, wrapping_key, wrapping_algorithm, buffer);
+      } else {
+        return WrapKeyExportAndEncrypt(
+            format, key_to_wrap, wrapping_key, wrapping_algorithm, buffer);
+      }
     case blink::WebCryptoKeyFormatJwk:
       return WrapKeyExportAndEncrypt(
           format, key_to_wrap, wrapping_key, wrapping_algorithm, buffer);
@@ -790,13 +842,26 @@ Status UnwrapKey(blink::WebCryptoKeyFormat format,
 
   switch (format) {
     case blink::WebCryptoKeyFormatRaw:
-      return UnwrapKeyRaw(wrapped_key_data,
-                          wrapping_key,
-                          wrapping_algorithm,
-                          algorithm,
-                          extractable,
-                          usage_mask,
-                          key);
+      if (wrapping_algorithm.id() == blink::WebCryptoAlgorithmIdAesKw) {

[padolph, 2014/05/14 02:14:41]

I don't understand the special-casing here. UnwrapKeyRaw() currently also
handles RSA-ES via PK11_PubUnwrapSymKeyWithFlagsPerm(). Are you saying that
PK11_PubUnwrapSymKeyWithFlagsPerm() cannot do RSA-OAEP? If not, we should rename
UnwrapKeyRaw() to something specifically mentioning AES-KW since it will only be
used for that alg.

[Ryan Sleevi, 2014/05/14 02:34:30]

Correct. Much of the pk11wrap layer is not situated to handle mechanisms with
arguments well - as demonstrated by the patches we needed for AES-GCM and now
here.

In particular, PubWrap/PubUnwrap assume all they need to know is the mechanism
type of the key to determine the wrapping algorithm, which is incorrect, since
they also need to be able to supply key parameters (label, mgf, hash function)

Fixing pk11wrap is a much larger effort - as it also does its own layer of SSA
encoding when handling RSA keys.

I'm fine renaming this.

Note: the reason AES-KW is a special snowflake is the PKCS mechanism is
documented to only work with C_Wrap/C_Unwrap, whereas OAEP works with
C_Encrypt/C_Decrypt as well.

+        // AES-KW is a special case, due to NSS's implementation only
+        // supporting C_Wrap/C_Unwrap with AES-KW
+        return UnwrapKeyRaw(wrapped_key_data,
+                            wrapping_key,
+                            wrapping_algorithm,
+                            algorithm,
+                            extractable,
+                            usage_mask,
+                            key);
+      } else {
+        return UnwrapKeyDecryptAndImport(format,

[eroman, 2014/05/14 01:50:47]

I thought style was to not use an "else" after a return?

[Ryan Sleevi, 2014/05/14 02:34:30]

D'oh! Well spotted.

+                                         wrapped_key_data,
+                                         wrapping_key,
+                                         wrapping_algorithm,
+                                         algorithm,
+                                         extractable,
+                                         usage_mask,
+                                         key);
+      }
     case blink::WebCryptoKeyFormatJwk:
       return UnwrapKeyDecryptAndImport(format,
                                        wrapped_key_data,