[webcryto] Validate key usages during key creation.

content/child/webcrypto/shared_crypto_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/child/webcrypto/shared_crypto.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 418 matching lines @@
   EXPECT_EQ(algorithm.id(), key.algorithm().id());
   EXPECT_EQ(extractable, key.extractable());
   EXPECT_EQ(usage, key.usages());
   return key;
 }
 
 void ImportRsaKeyPair(const std::vector<uint8>& spki_der,
                       const std::vector<uint8>& pkcs8_der,
                       const blink::WebCryptoAlgorithm& algorithm,
                       bool extractable,
-                      blink::WebCryptoKeyUsageMask usage_mask,
+                      blink::WebCryptoKeyUsageMask public_key_usage_mask,
+                      blink::WebCryptoKeyUsageMask private_key_usage_mask,
                       blink::WebCryptoKey* public_key,
                       blink::WebCryptoKey* private_key) {
   EXPECT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatSpki,
                       CryptoData(spki_der),
                       algorithm,
                       true,
-                      usage_mask,
+                      public_key_usage_mask,
                       public_key));
   EXPECT_FALSE(public_key->isNull());
   EXPECT_TRUE(public_key->handle());
   EXPECT_EQ(blink::WebCryptoKeyTypePublic, public_key->type());
   EXPECT_EQ(algorithm.id(), public_key->algorithm().id());
-  EXPECT_EQ(extractable, extractable);
-  EXPECT_EQ(usage_mask, public_key->usages());
+  EXPECT_TRUE(public_key->extractable());
+  EXPECT_EQ(public_key_usage_mask, public_key->usages());
 
   EXPECT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatPkcs8,
                       CryptoData(pkcs8_der),
                       algorithm,
                       extractable,
-                      usage_mask,
+                      private_key_usage_mask,
                       private_key));
   EXPECT_FALSE(private_key->isNull());
   EXPECT_TRUE(private_key->handle());
   EXPECT_EQ(blink::WebCryptoKeyTypePrivate, private_key->type());
   EXPECT_EQ(algorithm.id(), private_key->algorithm().id());
-  EXPECT_EQ(extractable, extractable);
-  EXPECT_EQ(usage_mask, private_key->usages());
+  EXPECT_EQ(extractable, private_key->extractable());
+  EXPECT_EQ(private_key_usage_mask, private_key->usages());
 }
 
 Status AesGcmEncrypt(const blink::WebCryptoKey& key,
                      const std::vector<uint8>& iv,
                      const std::vector<uint8>& additional_data,
                      unsigned int tag_length_bits,
                      const std::vector<uint8>& plain_text,
                      std::vector<uint8>* cipher_text,
                      std::vector<uint8>* authentication_tag) {
   EXPECT_TRUE(SupportsAesGcm());
@@ skipping 709 matching lines @@
   // TODO(padolph): Add 'deriveBits' key_ops value once it is supported.
   const TestCase test_case[] = {
       {"encrypt", "A128CBC", aes_cbc_algorithm,
        blink::WebCryptoKeyUsageEncrypt},
       {"decrypt", "A128CBC", aes_cbc_algorithm,
        blink::WebCryptoKeyUsageDecrypt},
       {"sign", "HS256", hmac_algorithm, blink::WebCryptoKeyUsageSign},
       {"verify", "HS256", hmac_algorithm, blink::WebCryptoKeyUsageVerify},
       {"wrapKey", "A128KW", aes_kw_algorithm, blink::WebCryptoKeyUsageWrapKey},
       {"unwrapKey", "A128KW", aes_kw_algorithm,
-       blink::WebCryptoKeyUsageUnwrapKey},
-      {"deriveKey", "HS256", hmac_algorithm,
-       blink::WebCryptoKeyUsageDeriveKey}};
+       blink::WebCryptoKeyUsageUnwrapKey}};
   for (size_t test_index = 0; test_index < ARRAYSIZE_UNSAFE(test_case);
        ++test_index) {
     SCOPED_TRACE(test_index);
     dict.SetString("alg", test_case[test_index].jwk_alg);
     key_ops->Clear();
     key_ops->AppendString(test_case[test_index].jwk_key_op);
     EXPECT_EQ(Status::Success(),
               ImportKeyJwkFromDict(dict,
                                    test_case[test_index].algorithm,
                                    false,
@@ skipping 70 matching lines @@
   // Test JWK composite use 'enc' usage
   dict.SetString("alg", "A128CBC");
   dict.SetString("use", "enc");
   EXPECT_EQ(Status::Success(),
             ImportKeyJwkFromDict(dict,
                                  aes_cbc_algorithm,
                                  false,
                                  blink::WebCryptoKeyUsageDecrypt |
                                      blink::WebCryptoKeyUsageEncrypt |
                                      blink::WebCryptoKeyUsageWrapKey |
-                                     blink::WebCryptoKeyUsageUnwrapKey |
-                                     blink::WebCryptoKeyUsageDeriveKey,
+                                     blink::WebCryptoKeyUsageUnwrapKey,
                                  &key));
   EXPECT_EQ(blink::WebCryptoKeyUsageDecrypt | blink::WebCryptoKeyUsageEncrypt |
                 blink::WebCryptoKeyUsageWrapKey |
-                blink::WebCryptoKeyUsageUnwrapKey |
-                blink::WebCryptoKeyUsageDeriveKey,
+                blink::WebCryptoKeyUsageUnwrapKey,
             key.usages());
 }
 
 TEST_F(SharedCryptoTest, ImportJwkFailures) {
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   blink::WebCryptoAlgorithm algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc);
   blink::WebCryptoKeyUsageMask usage_mask = blink::WebCryptoKeyUsageEncrypt;
 
   // Baseline pass: each test below breaks a single item, so we start with a
@@ skipping 147 matching lines @@
     const char* const jwk_alg;
   };
   const TestCase kTests[] = {
       // RSAES-PKCS1-v1_5
       {CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5),
        blink::WebCryptoKeyUsageEncrypt, "RSA1_5"},
       // RSASSA-PKCS1-v1_5 SHA-1
       {CreateRsaHashedImportAlgorithm(
            blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
            blink::WebCryptoAlgorithmIdSha1),
-       blink::WebCryptoKeyUsageSign, "RS1"},
+       blink::WebCryptoKeyUsageVerify, "RS1"},
       // RSASSA-PKCS1-v1_5 SHA-256
       {CreateRsaHashedImportAlgorithm(
            blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
            blink::WebCryptoAlgorithmIdSha256),
-       blink::WebCryptoKeyUsageSign, "RS256"},
+       blink::WebCryptoKeyUsageVerify, "RS256"},
       // RSASSA-PKCS1-v1_5 SHA-384
       {CreateRsaHashedImportAlgorithm(
            blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
            blink::WebCryptoAlgorithmIdSha384),
-       blink::WebCryptoKeyUsageSign, "RS384"},
+       blink::WebCryptoKeyUsageVerify, "RS384"},
       // RSASSA-PKCS1-v1_5 SHA-512
       {CreateRsaHashedImportAlgorithm(
            blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
            blink::WebCryptoAlgorithmIdSha512),
-       blink::WebCryptoKeyUsageSign, "RS512"}};
+       blink::WebCryptoKeyUsageVerify, "RS512"}};
 
   for (size_t test_index = 0; test_index < ARRAYSIZE_UNSAFE(kTests);
        ++test_index) {
     SCOPED_TRACE(test_index);
     const TestCase& test = kTests[test_index];
 
     // Import the spki to create a public key
     blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
     ASSERT_EQ(Status::Success(),
               ImportKey(blink::WebCryptoKeyFormatSpki,
@@ skipping 10 matching lines @@
     EXPECT_TRUE(VerifyPublicJwk(jwk, test.jwk_alg, n_hex, e_hex, test.usage));
 
     // Import the JWK back in to create a new key
     blink::WebCryptoKey public_key2 = blink::WebCryptoKey::createNull();
     EXPECT_EQ(
         Status::Success(),
         ImportKeyJwk(
             CryptoData(jwk), test.algorithm, true, test.usage, &public_key2));
     EXPECT_TRUE(public_key2.handle());
     EXPECT_EQ(blink::WebCryptoKeyTypePublic, public_key2.type());
-    EXPECT_EQ(true, public_key2.extractable());
+    EXPECT_TRUE(public_key2.extractable());
     EXPECT_EQ(test.algorithm.id(), public_key2.algorithm().id());
 
     // Export the new key as spki and compare to the original.
     std::vector<uint8> spki;
     ASSERT_EQ(Status::Success(),
               ExportKey(blink::WebCryptoKeyFormatSpki, public_key2, &spki));
     EXPECT_BYTES_EQ_HEX(kPublicKeySpkiDerHex, CryptoData(spki));
   }
 }
 
@@ skipping 705 matching lines @@
   EXPECT_EQ(Status::ErrorUnexpectedKeyType(),
             ExportKey(blink::WebCryptoKeyFormatSpki, private_key, &output));
 }
 
 TEST_F(SharedCryptoTest, MAYBE(RsaEsRoundTrip)) {
   // Import a key pair.
   blink::WebCryptoAlgorithm algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
-  ImportRsaKeyPair(
-      HexStringToBytes(kPublicKeySpkiDerHex),
-      HexStringToBytes(kPrivateKeyPkcs8DerHex),
-      algorithm,
-      false,
-      blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt,
-      &public_key,
-      &private_key);
+  ImportRsaKeyPair(HexStringToBytes(kPublicKeySpkiDerHex),
+                   HexStringToBytes(kPrivateKeyPkcs8DerHex),
+                   algorithm,
+                   false,
+                   blink::WebCryptoKeyUsageEncrypt,
+                   blink::WebCryptoKeyUsageDecrypt,
+                   &public_key,
+                   &private_key);
 
   // Make a maximum-length data message. RSAES can operate on messages up to
   // length of k - 11 bytes, where k is the octet length of the RSA modulus.
   const unsigned int kMaxMsgSizeBytes = kModulusLengthBits / 8 - 11;
   // There are two hex chars for each byte.
   const unsigned int kMsgHexSize = kMaxMsgSizeBytes * 2;
   char max_data_hex[kMsgHexSize + 1];
   std::fill(&max_data_hex[0], &max_data_hex[0] + kMsgHexSize, 'a');
   max_data_hex[kMsgHexSize] = '\0';
 
@@ skipping 40 matching lines @@
       GetBytesFromHexString(test, "rsa_pkcs8_der");
   const std::vector<uint8> ciphertext =
       GetBytesFromHexString(test, "ciphertext");
   const std::vector<uint8> cleartext = GetBytesFromHexString(test, "cleartext");
 
   // Import the key pair.
   blink::WebCryptoAlgorithm algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
-  ImportRsaKeyPair(
-      rsa_spki_der,
-      rsa_pkcs8_der,
-      algorithm,
-      false,
-      blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt,
-      &public_key,
-      &private_key);
+  ImportRsaKeyPair(rsa_spki_der,
+                   rsa_pkcs8_der,
+                   algorithm,
+                   false,
+                   blink::WebCryptoKeyUsageEncrypt,
+                   blink::WebCryptoKeyUsageDecrypt,
+                   &public_key,
+                   &private_key);
 
   // Decrypt the known-good ciphertext with the private key. As a check we must
   // get the known original cleartext.
   std::vector<uint8> decrypted_data;
   ASSERT_EQ(
       Status::Success(),
       Decrypt(algorithm, private_key, CryptoData(ciphertext), &decrypted_data));
   EXPECT_BYTES_EQ(cleartext, decrypted_data);
 
   // Encrypt this decrypted data with the public key.
@@ skipping 13 matching lines @@
           algorithm, private_key, CryptoData(encrypted_data), &decrypted_data));
   EXPECT_EQ(cleartext, decrypted_data);
 }
 
 TEST_F(SharedCryptoTest, MAYBE(RsaEsFailures)) {
   // Import a key pair.
   blink::WebCryptoAlgorithm algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
-  ImportRsaKeyPair(
-      HexStringToBytes(kPublicKeySpkiDerHex),
-      HexStringToBytes(kPrivateKeyPkcs8DerHex),
-      algorithm,
-      false,
-      blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt,
-      &public_key,
-      &private_key);
+  ImportRsaKeyPair(HexStringToBytes(kPublicKeySpkiDerHex),
+                   HexStringToBytes(kPrivateKeyPkcs8DerHex),
+                   algorithm,
+                   false,
+                   blink::WebCryptoKeyUsageEncrypt,
+                   blink::WebCryptoKeyUsageDecrypt,
+                   &public_key,
+                   &private_key);
 
-  // Fail encrypt with a private key.
   std::vector<uint8> encrypted_data;
   const std::string message_hex_str("0102030405060708090a0b0c0d0e0f");
   const std::vector<uint8> message_hex(HexStringToBytes(message_hex_str));
-  EXPECT_EQ(
-      Status::ErrorUnexpectedKeyType(),
-      Encrypt(
-          algorithm, private_key, CryptoData(message_hex), &encrypted_data));
 
   // Fail encrypt with empty message.
   EXPECT_EQ(Status::ErrorDataTooSmall(),
             Encrypt(algorithm,
                     public_key,
                     CryptoData(std::vector<uint8>()),
                     &encrypted_data));
 
   // Fail encrypt with message too large. RSAES can operate on messages up to
   // length of k - 11 bytes, where k is the octet length of the RSA modulus.
   const unsigned int kMaxMsgSizeBytes = kModulusLengthBits / 8 - 11;
   EXPECT_EQ(Status::ErrorDataTooLarge(),
             Encrypt(algorithm,
                     public_key,
                     CryptoData(std::vector<uint8>(kMaxMsgSizeBytes + 1, '0')),
                     &encrypted_data));
 
   // Generate encrypted data.
   EXPECT_EQ(
       Status::Success(),
       Encrypt(algorithm, public_key, CryptoData(message_hex), &encrypted_data));
 
-  // Fail decrypt with a public key.
   std::vector<uint8> decrypted_data;
-  EXPECT_EQ(
-      Status::ErrorUnexpectedKeyType(),
-      Decrypt(
-          algorithm, public_key, CryptoData(encrypted_data), &decrypted_data));
 
   // Corrupt encrypted data; ensure decrypt fails because padding was disrupted.
   EXPECT_EQ(Status::OperationError(),
             Decrypt(algorithm,
                     private_key,
                     CryptoData(Corrupted(encrypted_data)),
                     &decrypted_data));
 
   // TODO(padolph): Are there other specific data corruption scenarios to
   // consider?
 
   // Do a successful decrypt with good data just for confirmation.
   EXPECT_EQ(
       Status::Success(),
       Decrypt(
           algorithm, private_key, CryptoData(encrypted_data), &decrypted_data));
   EXPECT_BYTES_EQ_HEX(message_hex_str, decrypted_data);
 }
 
 TEST_F(SharedCryptoTest, MAYBE(RsaSsaSignVerifyFailures)) {
   // Import a key pair.
-  blink::WebCryptoKeyUsageMask usage_mask =
-      blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify;
   blink::WebCryptoAlgorithm importAlgorithm =
       CreateRsaHashedImportAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
                                      blink::WebCryptoAlgorithmIdSha1);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
   ImportRsaKeyPair(HexStringToBytes(kPublicKeySpkiDerHex),
                    HexStringToBytes(kPrivateKeyPkcs8DerHex),
                    importAlgorithm,
                    false,
-                   usage_mask,
+                   blink::WebCryptoKeyUsageVerify,
+                   blink::WebCryptoKeyUsageSign,
                    &public_key,
                    &private_key);
 
   blink::WebCryptoAlgorithm algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5);
 
   std::vector<uint8> signature;
   bool signature_match;
 
   // Compute a signature.
@@ skipping 36 matching lines @@
   DCHECK_GT(long_message_size_bytes, kModulusLengthBits / 8);
   const unsigned char kLongSignature[long_message_size_bytes] = {0};
   EXPECT_EQ(Status::Success(),
             VerifySignature(algorithm,
                             public_key,
                             CryptoData(kLongSignature, sizeof(kLongSignature)),
                             CryptoData(data),
                             &signature_match));
   EXPECT_FALSE(signature_match);
 
-  // Ensure that verifying using a private key, rather than a public key, fails.
-  EXPECT_EQ(Status::ErrorUnexpectedKeyType(),
-            VerifySignature(algorithm,
-                            private_key,
-                            CryptoData(signature),
-                            CryptoData(data),
-                            &signature_match));
-
-  // Ensure that signing using a public key, rather than a private key, fails.
-  EXPECT_EQ(Status::ErrorUnexpectedKeyType(),
-            Sign(algorithm, public_key, CryptoData(data), &signature));
-
   // Ensure that signing and verifying with an incompatible algorithm fails.
   algorithm = CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
 
   EXPECT_EQ(Status::ErrorUnexpected(),
             Sign(algorithm, private_key, CryptoData(data), &signature));
   EXPECT_EQ(Status::ErrorUnexpected(),
             VerifySignature(algorithm,
                             public_key,
                             CryptoData(signature),
                             CryptoData(data),
@@ skipping 16 matching lines @@
                  &signature));
 
   blink::WebCryptoKey public_key_256 = blink::WebCryptoKey::createNull();
   EXPECT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatSpki,
                       CryptoData(HexStringToBytes(kPublicKeySpkiDerHex)),
                       CreateRsaHashedImportAlgorithm(
                           blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
                           blink::WebCryptoAlgorithmIdSha256),
                       true,
-                      usage_mask,
+                      blink::WebCryptoKeyUsageVerify,
                       &public_key_256));
 
   // Now verify using an algorithm whose inner hash is SHA-256, not SHA-1. The
   // signature should not verify.
   // NOTE: public_key was produced by generateKey, and so its associated
   // algorithm has WebCryptoRsaKeyGenParams and not WebCryptoRsaSsaParams. Thus
   // it has no inner hash to conflict with the input algorithm.
   EXPECT_EQ(blink::WebCryptoAlgorithmIdSha1,
             private_key.algorithm().rsaHashedParams()->hash().id());
   EXPECT_EQ(blink::WebCryptoAlgorithmIdSha256,
@@ skipping 13 matching lines @@
 TEST_F(SharedCryptoTest, MAYBE(RsaSignVerifyKnownAnswer)) {
   scoped_ptr<base::ListValue> tests;
   ASSERT_TRUE(ReadJsonTestFileToList("pkcs1v15_sign.json", &tests));
 
   // Import the key pair.
   blink::WebCryptoAlgorithm importAlgorithm =
       CreateRsaHashedImportAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
                                      blink::WebCryptoAlgorithmIdSha1);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
-  ImportRsaKeyPair(
-      HexStringToBytes(kPublicKeySpkiDerHex),
-      HexStringToBytes(kPrivateKeyPkcs8DerHex),
-      importAlgorithm,
-      false,
-      blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify,
-      &public_key,
-      &private_key);
+  ImportRsaKeyPair(HexStringToBytes(kPublicKeySpkiDerHex),
+                   HexStringToBytes(kPrivateKeyPkcs8DerHex),
+                   importAlgorithm,
+                   false,
+                   blink::WebCryptoKeyUsageVerify,
+                   blink::WebCryptoKeyUsageSign,
+                   &public_key,
+                   &private_key);
 
   blink::WebCryptoAlgorithm algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5);
 
   // Validate the signatures are computed and verified as expected.
   std::vector<uint8> signature;
   for (size_t test_index = 0; test_index < tests->GetSize(); ++test_index) {
     SCOPED_TRACE(test_index);
 
     base::DictionaryValue* test;
@@ skipping 111 matching lines @@
 TEST_F(SharedCryptoTest, MAYBE(UnwrapFailures)) {
   // This test exercises the code path common to all unwrap operations.
   scoped_ptr<base::ListValue> tests;
   ASSERT_TRUE(ReadJsonTestFileToList("aes_kw.json", &tests));
   base::DictionaryValue* test;
   ASSERT_TRUE(tests->GetDictionary(0, &test));
   const std::vector<uint8> test_kek = GetBytesFromHexString(test, "kek");
   const std::vector<uint8> test_ciphertext =
       GetBytesFromHexString(test, "ciphertext");
 
-  // Using a key that does not have unwrapKey usage should fail.
-  blink::WebCryptoKey bad_wrapping_key = ImportSecretKeyFromRaw(
-      test_kek,
-      webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesKw),
-      blink::WebCryptoKeyUsageDecrypt);  // <-- should be UnwrapKey
   blink::WebCryptoKey unwrapped_key = blink::WebCryptoKey::createNull();
-  EXPECT_EQ(
-      Status::ErrorUnexpected(),
-      UnwrapKey(blink::WebCryptoKeyFormatRaw,
-                CryptoData(test_ciphertext),
-                bad_wrapping_key,
-                webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesKw),
-                webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
-                true,
-                blink::WebCryptoKeyUsageEncrypt,
-                &unwrapped_key));
 
   // Using a wrapping algorithm that does not match the wrapping key algorithm
   // should fail.
   blink::WebCryptoKey wrapping_key = ImportSecretKeyFromRaw(
       test_kek,
       webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesKw),
       blink::WebCryptoKeyUsageUnwrapKey);
   EXPECT_EQ(
       Status::ErrorUnexpected(),
       UnwrapKey(blink::WebCryptoKeyFormatRaw,
@@ skipping 406 matching lines @@
       GetBytesFromHexString(test, "ciphertext");
   const std::vector<uint8> cleartext = GetBytesFromHexString(test, "cleartext");
   blink::WebCryptoAlgorithm key_algorithm =
       CreateHmacImportAlgorithm(blink::WebCryptoAlgorithmIdSha256);
 
   // Import the RSA key pair.
   blink::WebCryptoAlgorithm algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
-  ImportRsaKeyPair(
-      rsa_spki_der,
-      rsa_pkcs8_der,
-      algorithm,
-      false,
-      blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey,
-      &public_key,
-      &private_key);
+  ImportRsaKeyPair(rsa_spki_der,
+                   rsa_pkcs8_der,
+                   algorithm,
+                   false,
+                   blink::WebCryptoKeyUsageWrapKey,
+                   blink::WebCryptoKeyUsageUnwrapKey,
+                   &public_key,
+                   &private_key);
 
   // Import the symmetric key.
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   ASSERT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatRaw,
                       CryptoData(cleartext),
                       key_algorithm,
                       true,
                       blink::WebCryptoKeyUsageSign,
                       &key));
@@ skipping 49 matching lines @@
 TEST_F(SharedCryptoTest, MAYBE(RsaEsRawSymkeyWrapUnwrapErrors)) {
   const std::vector<uint8> data(64, 0);
   blink::WebCryptoAlgorithm key_algorithm =
       CreateHmacImportAlgorithm(blink::WebCryptoAlgorithmIdSha256);
 
   // Import the RSA key pair.
   blink::WebCryptoAlgorithm wrapping_algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
-  ImportRsaKeyPair(
-      HexStringToBytes(kPublicKeySpkiDerHex),
-      HexStringToBytes(kPrivateKeyPkcs8DerHex),
-      wrapping_algorithm,
-      false,
-      blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey,
-      &public_key,
-      &private_key);
+  ImportRsaKeyPair(HexStringToBytes(kPublicKeySpkiDerHex),
+                   HexStringToBytes(kPrivateKeyPkcs8DerHex),
+                   wrapping_algorithm,
+                   false,
+                   blink::WebCryptoKeyUsageWrapKey,
+                   blink::WebCryptoKeyUsageUnwrapKey,
+                   &public_key,
+                   &private_key);
 
   // Import the symmetric key.
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   ASSERT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatRaw,
                       CryptoData(data),
                       key_algorithm,
                       true,
                       blink::WebCryptoKeyUsageSign,
                       &key));
 
-  // Wrapping with a private key should fail.
   std::vector<uint8> wrapped_key;
-  EXPECT_EQ(Status::ErrorUnexpectedKeyType(),
-            WrapKey(blink::WebCryptoKeyFormatRaw,
-                    key,
-                    private_key,
-                    wrapping_algorithm,
-                    &wrapped_key));
 
   // Wrapping a key whose raw keying material is too large for the wrapping key
   // should fail.
   // RSAES can encrypt data up to length of k - 11 bytes, where k is the octet
   // length of the RSA modulus, and can decrypt data up to length k. Fabricate a
   // big piece of data here that fails both of these criteria, so it can be used
   // for both wrap and unwrap negative tests below.
   const std::vector<uint8> big_data(kModulusLengthBits / 8 + 1, 0);
   blink::WebCryptoKey big_key = blink::WebCryptoKey::createNull();
   ASSERT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatRaw,
                       CryptoData(big_data),
                       key_algorithm,
                       true,
                       blink::WebCryptoKeyUsageSign,
                       &big_key));
   EXPECT_EQ(Status::ErrorDataTooLarge(),
             WrapKey(blink::WebCryptoKeyFormatRaw,
                     big_key,
                     public_key,
                     wrapping_algorithm,
                     &wrapped_key));
 
-  // Unwrapping with a public key should fail.
   blink::WebCryptoKey unwrapped_key = blink::WebCryptoKey::createNull();
-  EXPECT_EQ(Status::ErrorUnexpectedKeyType(),
-            UnwrapKey(blink::WebCryptoKeyFormatRaw,
-                      CryptoData(data),
-                      public_key,
-                      wrapping_algorithm,
-                      key_algorithm,
-                      true,
-                      blink::WebCryptoKeyUsageSign,
-                      &unwrapped_key));
 
   // Unwrapping empty data should fail.
   const std::vector<uint8> emtpy_data;
   EXPECT_EQ(Status::ErrorDataTooSmall(),
             UnwrapKey(blink::WebCryptoKeyFormatRaw,
                       CryptoData(emtpy_data),
                       private_key,
                       wrapping_algorithm,
                       key_algorithm,
                       true,
@@ skipping 72 matching lines @@
   ASSERT_EQ(
       Status::Success(),
       GenerateSecretKey(
           gen_algorithm, true, blink::WebCryptoKeyUsageEncrypt, &key_to_wrap));
 
   // Import the wrapping key pair.
   const blink::WebCryptoAlgorithm wrapping_algorithm =
       CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
   blink::WebCryptoKey public_wrapping_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_wrapping_key = blink::WebCryptoKey::createNull();
-  ImportRsaKeyPair(
-      HexStringToBytes(kPublicKeySpkiDerHex),
-      HexStringToBytes(kPrivateKeyPkcs8DerHex),
-      wrapping_algorithm,
-      false,
-      blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey,
-      &public_wrapping_key,
-      &private_wrapping_key);
+  ImportRsaKeyPair(HexStringToBytes(kPublicKeySpkiDerHex),
+                   HexStringToBytes(kPrivateKeyPkcs8DerHex),
+                   wrapping_algorithm,
+                   false,
+                   blink::WebCryptoKeyUsageWrapKey,
+                   blink::WebCryptoKeyUsageUnwrapKey,
+                   &public_wrapping_key,
+                   &private_wrapping_key);
 
   // Wrap the symkey in JWK format, using the public wrapping key.
   std::vector<uint8> wrapped_data;
   ASSERT_EQ(Status::Success(),
             WrapKey(blink::WebCryptoKeyFormatJwk,
                     key_to_wrap,
                     public_wrapping_key,
                     wrapping_algorithm,
                     &wrapped_data));
 
@@ skipping 67 matching lines @@
   // it has unwrap rather than decrypt usage.
   blink::WebCryptoKey private_wrapping_key = blink::WebCryptoKey::createNull();
   ASSERT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatPkcs8,
                       CryptoData(HexStringToBytes(kPrivateKeyPkcs8DerHex)),
                       algorithm,
                       false,
                       blink::WebCryptoKeyUsageUnwrapKey,
                       &private_wrapping_key));
 
-  // Treat the ciphertext as a wrapped key and try to unwrap it. Ensure a
-  // generic error is received.
+  // Treat the ciphertext as a wrapped key and try to unwrap it.
+  // Unwrapping fails because kty="foo" is invalid.
   blink::WebCryptoKey unwrapped_key = blink::WebCryptoKey::createNull();
-  EXPECT_EQ(Status::OperationError(),
+  EXPECT_EQ(Status::ErrorJwkUnrecognizedKty(),
             UnwrapKey(blink::WebCryptoKeyFormatJwk,
                       CryptoData(ciphertext),
                       private_wrapping_key,
                       algorithm,
-                      CreateAesCbcAlgorithm(std::vector<uint8>(0, 16)),
+                      CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
                       true,
                       blink::WebCryptoKeyUsageEncrypt,
                       &unwrapped_key));
 }
 
+// Try importing an RSA-SSA public key with unsupported key usages using SPKI
+// format. RSA-SSA public keys only support the 'verify' usage.
+TEST_F(SharedCryptoTest, MAYBE(ImportRsaSsaPublicKeyBadUsage_SPKI)) {
+  const blink::WebCryptoAlgorithm algorithm =
+      CreateRsaHashedImportAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
+                                     blink::WebCryptoAlgorithmIdSha256);
+
+  blink::WebCryptoKeyUsageMask bad_usages[] = {
+      blink::WebCryptoKeyUsageSign,
+      blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify,
+      blink::WebCryptoKeyUsageEncrypt,
+      blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt,
+  };
+
+  for (size_t i = 0; i < arraysize(bad_usages); ++i) {
+    SCOPED_TRACE(i);
+
+    blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
+    ASSERT_EQ(Status::ErrorCreateKeyBadUsages(),
+              ImportKey(blink::WebCryptoKeyFormatSpki,
+                        CryptoData(HexStringToBytes(kPublicKeySpkiDerHex)),
+                        algorithm,
+                        false,
+                        bad_usages[i],
+                        &public_key));
+  }
+}
+
+// Try importing an RSA-SSA public key with unsupported key usages using JWK
+// format. RSA-SSA public keys only support the 'verify' usage.
+TEST_F(SharedCryptoTest, MAYBE(ImportRsaSsaPublicKeyBadUsage_JWK)) {
+  const blink::WebCryptoAlgorithm algorithm =
+      CreateRsaHashedImportAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
+                                     blink::WebCryptoAlgorithmIdSha256);
+
+  blink::WebCryptoKeyUsageMask bad_usages[] = {
+      blink::WebCryptoKeyUsageSign,
+      blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify,
+      blink::WebCryptoKeyUsageEncrypt,
+      blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt,
+  };
+
+  base::DictionaryValue dict;
+  RestoreJwkRsaDictionary(&dict);
+  dict.Remove("use", NULL);
+  dict.SetString("alg", "RS256");
+
+  for (size_t i = 0; i < arraysize(bad_usages); ++i) {
+    SCOPED_TRACE(i);
+
+    blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
+    ASSERT_EQ(Status::ErrorCreateKeyBadUsages(),
+              ImportKeyJwkFromDict(
+                  dict, algorithm, false, bad_usages[i], &public_key));
+  }
+}
+
+// Try importing an AES-CBC key with unsupported key usages using raw
+// format. AES-CBC keys support the following usages:
+//   'encrypt', 'decrypt', 'wrapKey', 'unwrapKey'
+TEST_F(SharedCryptoTest, MAYBE(ImportAesCbcKeyBadUsage_Raw)) {
+  const blink::WebCryptoAlgorithm algorithm =
+      CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc);
+
+  blink::WebCryptoKeyUsageMask bad_usages[] = {
+      blink::WebCryptoKeyUsageSign,
+      blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageDecrypt,
+      blink::WebCryptoKeyUsageDeriveBits,
+      blink::WebCryptoKeyUsageUnwrapKey | blink::WebCryptoKeyUsageVerify,
+  };
+
+  std::vector<uint8> key_bytes(16);
+
+  for (size_t i = 0; i < arraysize(bad_usages); ++i) {
+    SCOPED_TRACE(i);
+
+    blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
+    ASSERT_EQ(Status::ErrorCreateKeyBadUsages(),
+              ImportKey(blink::WebCryptoKeyFormatRaw,
+                        CryptoData(key_bytes),
+                        algorithm,
+                        true,
+                        bad_usages[i],
+                        &key));
+  }
+}
+
+// Try importing an AES-KW key with unsupported key usages using raw
+// format. AES-KW keys support the following usages:
+//   'wrapKey', 'unwrapKey'
+TEST_F(SharedCryptoTest, MAYBE(ImportAesKwKeyBadUsage_Raw)) {
+  const blink::WebCryptoAlgorithm algorithm =
+      CreateAlgorithm(blink::WebCryptoAlgorithmIdAesKw);
+
+  blink::WebCryptoKeyUsageMask bad_usages[] = {
+      blink::WebCryptoKeyUsageEncrypt,
+      blink::WebCryptoKeyUsageDecrypt,
+      blink::WebCryptoKeyUsageSign,
+      blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageUnwrapKey,
+      blink::WebCryptoKeyUsageDeriveBits,
+      blink::WebCryptoKeyUsageUnwrapKey | blink::WebCryptoKeyUsageVerify,
+  };
+
+  std::vector<uint8> key_bytes(16);
+
+  for (size_t i = 0; i < arraysize(bad_usages); ++i) {
+    SCOPED_TRACE(i);
+
+    blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
+    ASSERT_EQ(Status::ErrorCreateKeyBadUsages(),
+              ImportKey(blink::WebCryptoKeyFormatRaw,
+                        CryptoData(key_bytes),
+                        algorithm,
+                        true,
+                        bad_usages[i],
+                        &key));
+  }
+}
+
+// Try unwrapping an HMAC key with unsupported usages using JWK format and
+// AES-KW. HMAC keys support the following usages:
+//   'sign', 'verify'
+TEST_F(SharedCryptoTest, MAYBE(UnwrapHmacKeyBadUsage_JWK)) {
+  const blink::WebCryptoAlgorithm unwrap_algorithm =
+      CreateAlgorithm(blink::WebCryptoAlgorithmIdAesKw);
+
+  blink::WebCryptoKeyUsageMask bad_usages[] = {
+      blink::WebCryptoKeyUsageEncrypt,
+      blink::WebCryptoKeyUsageDecrypt,
+      blink::WebCryptoKeyUsageWrapKey,
+      blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageWrapKey,
+      blink::WebCryptoKeyUsageVerify | blink::WebCryptoKeyUsageDeriveKey,
+  };
+
+  // Import the wrapping key.
+  blink::WebCryptoKey wrapping_key = blink::WebCryptoKey::createNull();
+  ASSERT_EQ(Status::Success(),
+            ImportKey(blink::WebCryptoKeyFormatRaw,
+                      CryptoData(std::vector<uint8>(16)),
+                      unwrap_algorithm,
+                      true,
+                      blink::WebCryptoKeyUsageUnwrapKey,
+                      &wrapping_key));
+
+  // The JWK plain text is:
+  //   {   "kty": "oct","alg": "HS256","k": "GADWrMRHwQfoNaXU5fZvTg=="}
+  const char* kWrappedJwk =
+      "0AA245F17064FFB2A7A094436A39BEBFC962C627303D1327EA750CE9F917688C2782A943"
+      "7AE7586547AC490E8AE7D5B02D63868D5C3BB57D36C4C8C5BF3962ACEC6F42E767E5706"
+      "4";
+
+  for (size_t i = 0; i < arraysize(bad_usages); ++i) {
+    SCOPED_TRACE(i);
+
+    blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
+
+    ASSERT_EQ(Status::ErrorCreateKeyBadUsages(),
+              UnwrapKey(blink::WebCryptoKeyFormatJwk,
+                        CryptoData(HexStringToBytes(kWrappedJwk)),
+                        wrapping_key,
+                        unwrap_algorithm,
+                        webcrypto::CreateHmacImportAlgorithm(
+                            blink::WebCryptoAlgorithmIdSha256),
+                        true,
+                        bad_usages[i],
+                        &key));
+  }
+}
+
+// Try unwrapping an RSA-SSA public key with unsupported usages using JWK format
+// and AES-KW. RSA-SSA public keys support the following usages:
+//   'verify'
+TEST_F(SharedCryptoTest, MAYBE(UnwrapRsaSsaPublicKeyBadUsage_JWK)) {
+  const blink::WebCryptoAlgorithm unwrap_algorithm =
+      CreateAlgorithm(blink::WebCryptoAlgorithmIdAesKw);
+
+  blink::WebCryptoKeyUsageMask bad_usages[] = {
+      blink::WebCryptoKeyUsageEncrypt,
+      blink::WebCryptoKeyUsageSign,
+      blink::WebCryptoKeyUsageDecrypt,
+      blink::WebCryptoKeyUsageWrapKey,
+      blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageWrapKey,
+  };
+
+  // Import the wrapping key.
+  blink::WebCryptoKey wrapping_key = blink::WebCryptoKey::createNull();
+  ASSERT_EQ(Status::Success(),
+            ImportKey(blink::WebCryptoKeyFormatRaw,
+                      CryptoData(std::vector<uint8>(16)),
+                      unwrap_algorithm,
+                      true,
+                      blink::WebCryptoKeyUsageUnwrapKey,
+                      &wrapping_key));
+
+  // The JWK plaintext is:
+  // {    "kty": "RSA","alg": "RS256","n": "...","e": "AQAB"}
+
+  const char* kWrappedJwk =
+      "CE8DAEF99E977EE58958B8C4494755C846E883B2ECA575C5366622839AF71AB30875F152"
+      "E8E33E15A7817A3A2874EB53EFE05C774D98BC936BA9BA29BEB8BB3F3C3CE2323CB3359D"
+      "E3F426605CF95CCF0E01E870ABD7E35F62E030B5FB6E520A5885514D1D850FB64B57806D"
+      "1ADA57C6E27DF345D8292D80F6B074F1BE51C4CF3D76ECC8886218551308681B44FAC60B"
+      "8CF6EA439BC63239103D0AE81ADB96F908680586C6169284E32EB7DD09D31103EBDAC0C2"
+      "40C72DCF0AEA454113CC47457B13305B25507CBEAB9BDC8D8E0F867F9167F9DCEF0D9F9B"
+      "30F2EE83CEDFD51136852C8A5939B768";
+
+  for (size_t i = 0; i < arraysize(bad_usages); ++i) {
+    SCOPED_TRACE(i);
+
+    blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
+
+    ASSERT_EQ(Status::ErrorCreateKeyBadUsages(),
+              UnwrapKey(blink::WebCryptoKeyFormatJwk,
+                        CryptoData(HexStringToBytes(kWrappedJwk)),
+                        wrapping_key,
+                        unwrap_algorithm,
+                        webcrypto::CreateRsaHashedImportAlgorithm(
+                            blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
+                            blink::WebCryptoAlgorithmIdSha256),
+                        true,
+                        bad_usages[i],
+                        &key));
+  }
+}
+
+// Generate an AES-CBC key with invalid usages. AES-CBC supports:
+//   'encrypt', 'decrypt', 'wrapKey', 'unwrapKey'
+TEST_F(SharedCryptoTest, MAYBE(GenerateAesKeyBadUsages)) {
+  blink::WebCryptoKeyUsageMask bad_usages[] = {
+      blink::WebCryptoKeyUsageSign, blink::WebCryptoKeyUsageVerify,
+      blink::WebCryptoKeyUsageDecrypt | blink::WebCryptoKeyUsageVerify,
+  };
+
+  for (size_t i = 0; i < arraysize(bad_usages); ++i) {
+    SCOPED_TRACE(i);
+
+    blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
+
+    ASSERT_EQ(Status::ErrorCreateKeyBadUsages(),
+              GenerateSecretKey(
+                  CreateAesCbcKeyGenAlgorithm(128), true, bad_usages[i], &key));
+  }
+}
+
+// Generate an RSA-SSA key pair with invalid usages. RSA-SSA supports:
+//   'sign', 'verify'
+TEST_F(SharedCryptoTest, MAYBE(GenerateRsaSsaBadUsages)) {
+  blink::WebCryptoKeyUsageMask bad_usages[] = {
+      blink::WebCryptoKeyUsageDecrypt,
+      blink::WebCryptoKeyUsageVerify | blink::WebCryptoKeyUsageDecrypt,
+      blink::WebCryptoKeyUsageWrapKey,
+  };
+
+  const unsigned int modulus_length = 256;
+  const std::vector<uint8> public_exponent = HexStringToBytes("010001");
+
+  for (size_t i = 0; i < arraysize(bad_usages); ++i) {
+    SCOPED_TRACE(i);
+
+    blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
+    blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
+
+    ASSERT_EQ(Status::ErrorCreateKeyBadUsages(),
+              GenerateKeyPair(CreateRsaHashedKeyGenAlgorithm(
+                                  blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
+                                  blink::WebCryptoAlgorithmIdSha256,
+                                  modulus_length,
+                                  public_exponent),
+                              true,
+                              bad_usages[i],
+                              &public_key,
+                              &private_key));
+  }
+}
+
+// Generate an RSA-SSA key pair. The public and private keys should select the
+// key usages which are applicable, and not have the exact same usages as was
+// specified to GenerateKey
+TEST_F(SharedCryptoTest, MAYBE(GenerateRsaSsaKeyPairIntersectUsages)) {
+  const unsigned int modulus_length = 256;
+  const std::vector<uint8> public_exponent = HexStringToBytes("010001");
+
+  blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
+  blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
+
+  ASSERT_EQ(Status::Success(),
+            GenerateKeyPair(
+                CreateRsaHashedKeyGenAlgorithm(
+                    blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
+                    blink::WebCryptoAlgorithmIdSha256,
+                    modulus_length,
+                    public_exponent),
+                true,
+                blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify,
+                &public_key,
+                &private_key));
+
+  EXPECT_EQ(blink::WebCryptoKeyUsageVerify, public_key.usages());
+  EXPECT_EQ(blink::WebCryptoKeyUsageSign, private_key.usages());
+
+  // Try again but this time without the Verify usages.
+  ASSERT_EQ(Status::Success(),
+            GenerateKeyPair(CreateRsaHashedKeyGenAlgorithm(
+                                blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
+                                blink::WebCryptoAlgorithmIdSha256,
+                                modulus_length,
+                                public_exponent),
+                            true,
+                            blink::WebCryptoKeyUsageSign,
+                            &public_key,
+                            &private_key));
+
+  EXPECT_EQ(0, public_key.usages());
+  EXPECT_EQ(blink::WebCryptoKeyUsageSign, private_key.usages());
+}
+
 }  // namespace webcrypto
 
 }  // namespace content