[webcryto] Validate key usages during key creation.

content/child/webcrypto/jwk.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "jwk.h"
 
 #include <algorithm>
 #include <functional>
 #include <map>
 
@@ skipping 491 matching lines @@
   if (!dict->Get(path, &value))
     return Status::Success();
 
   if (!value->GetAsBoolean(result))
     return Status::ErrorJwkPropertyWrongType(path, "boolean");
 
   *property_exists = true;
   return Status::Success();
 }
 
-// Returns true if the set bits in b make up a subset of the set bits in a.
-bool ContainsKeyUsages(blink::WebCryptoKeyUsageMask a,
-                       blink::WebCryptoKeyUsageMask b) {
-  return (a & b) == b;
-}
-
 // Writes a secret/symmetric key to a JWK dictionary.
 void WriteSecretKey(const std::vector<uint8>& raw_key,
                     base::DictionaryValue* jwk_dict) {
   DCHECK(jwk_dict);
   jwk_dict->SetString("kty", "oct");
   // For a secret/symmetric key, the only extra JWK field is 'k', containing the
   // base64url encoding of the raw key.
   const base::StringPiece key_str(
       reinterpret_cast<const char*>(Uint8VectorStart(raw_key)), raw_key.size());
   jwk_dict->SetString("k", Base64EncodeUrlSafe(key_str));
@@ skipping 179 matching lines @@
           return Status::ErrorUnexpected();
       }
       break;
     default:
       return Status::ErrorUnsupported();
   }
   return Status::Success();
 }
 
 bool IsRsaKey(const blink::WebCryptoKey& key) {
-  const blink::WebCryptoAlgorithmId algorithm_id = key.algorithm().id();
-  return algorithm_id == blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 ||
-         algorithm_id == blink::WebCryptoAlgorithmIdRsaOaep;
+  return IsAlgorithmRsa(key.algorithm().id());
 }
 
 Status ImportRsaKey(base::DictionaryValue* dict,
                     const blink::WebCryptoAlgorithm& algorithm,
                     bool extractable,
                     blink::WebCryptoKeyUsageMask usage_mask,
                     blink::WebCryptoKey* key) {
   // An RSA public key must have an "n" (modulus) and an "e" (exponent) entry
   // in the JWK, while an RSA private key must have those, plus at least a "d"
   // (private exponent) entry.
   // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18,
   // section 6.3.
   std::string jwk_n_value;
   Status status = GetJwkBytes(dict, "n", &jwk_n_value);
   if (status.IsError())
     return status;
   std::string jwk_e_value;
   status = GetJwkBytes(dict, "e", &jwk_e_value);
   if (status.IsError())
     return status;
 
-  if (!dict->HasKey("d")) {
+  bool is_public_key = !dict->HasKey("d");
+
+  // Now that the key type is known, do an additional check on the usages to
+  // make sure they are all applicable for this algorithm + key type.
+  status = CheckKeyUsages(algorithm.id(),
+                          is_public_key ? blink::WebCryptoKeyTypePublic
+                                        : blink::WebCryptoKeyTypePrivate,
+                          usage_mask);
+
+  if (status.IsError())
+    return status;
+
+  if (is_public_key) {
     return platform::ImportRsaPublicKey(algorithm,
                                         extractable,
                                         usage_mask,
                                         CryptoData(jwk_n_value),
                                         CryptoData(jwk_e_value),
                                         key);
   }
 
   std::string jwk_d_value;
   status = GetJwkBytes(dict, "d", &jwk_d_value);
@@ skipping 253 matching lines @@
 
   std::string json;
   base::JSONWriter::Write(&jwk_dict, &json);
   buffer->assign(json.data(), json.data() + json.size());
   return Status::Success();
 }
 
 }  // namespace webcrypto
 
 }  // namespace content