[webcrypto] Add JWK import/export of RSA private keys (NSS).

content/child/webcrypto/jwk.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "jwk.h"
 
 #include <algorithm>
 #include <functional>
 #include <map>
 
@@ skipping 112 matching lines @@
 //   | "A192GCM"    | AES GCM using 192 bit keys                            |
 //   | "A256GCM"    | AES GCM using 256 bit keys                            |
 //   | "A128CBC"    | AES in Cipher Block Chaining Mode (CBC) with PKCS #5  |
 //   |              | padding [NIST.800-38A]                                |
 //   | "A192CBC"    | AES CBC using 192 bit keys                            |
 //   | "A256CBC"    | AES CBC using 256 bit keys                            |
 //   +--------------+-------------------------------------------------------+
 //
 // kty-specific parameters
 // The value of kty determines the type and content of the keying material
-// carried in the JWK to be imported. Currently only two possibilities are
-// supported: a raw key or an RSA public key. RSA private keys are not
-// supported because typical applications seldom need to import a private key,
-// and the large number of JWK parameters required to describe one.
-// - kty == "oct" (symmetric or other raw key)
+// carried in the JWK to be imported.
+// // - kty == "oct" (symmetric or other raw key)
 //   +-------+--------------------------------------------------------------+
 //   | "k"   | Contains the value of the symmetric (or other single-valued) |
 //   |       | key.  It is represented as the base64url encoding of the     |
 //   |       | octet sequence containing the key value.                     |
 //   +-------+--------------------------------------------------------------+
 // - kty == "RSA" (RSA public key)
 //   +-------+--------------------------------------------------------------+
 //   | "n"   | Contains the modulus value for the RSA public key.  It is    |
 //   |       | represented as the base64url encoding of the value's         |
 //   |       | unsigned big endian representation as an octet sequence.     |
 //   +-------+--------------------------------------------------------------+
 //   | "e"   | Contains the exponent value for the RSA public key.  It is   |
 //   |       | represented as the base64url encoding of the value's         |
 //   |       | unsigned big endian representation as an octet sequence.     |
 //   +-------+--------------------------------------------------------------+
+// - If key == "RSA" and the "d" parameter is present then it is a private key.
+//   All the parameters above for public keys apply, as well as the following.
+//   (Note that except for "d", all of these are optional):
+//   +-------+--------------------------------------------------------------+
+//   | "d"   | Contains the private exponent value for the RSA private key. |
+//   |       | It is represented as the base64url encoding of the value's   |
+//   |       | unsigned big endian representation as an octet sequence.     |
+//   +-------+--------------------------------------------------------------+
+//   | "p"   | Contains the first prime factor value for the RSA private    |
+//   |       | key.  It is represented as the base64url encoding of the     |
+//   |       | value's                                                      |
+//   |       | unsigned big endian representation as an octet sequence.     |
+//   +-------+--------------------------------------------------------------+
+//   | "q"   | Contains the second prime factor value for the RSA private   |
+//   |       | key.  It is represented as the base64url encoding of the     |
+//   |       | value's unsigned big endian representation as an octet       |
+//   |       | sequence.                                                    |
+//   +-------+--------------------------------------------------------------+
+//   | "dp"  | Contains the first factor CRT exponent value for the RSA     |
+//   |       | private key.  It is represented as the base64url encoding of |
+//   |       | the value's unsigned big endian representation as an octet   |
+//   |       | sequence.                                                    |
+//   +-------+--------------------------------------------------------------+
+//   | "dq"  | Contains the second factor CRT exponent value for the RSA    |
+//   |       | private key.  It is represented as the base64url encoding of |
+//   |       | the value's unsigned big endian representation as an octet   |
+//   |       | sequence.                                                    |
+//   +-------+--------------------------------------------------------------+
+//   | "dq"  | Contains the first CRT coefficient value for the RSA private |
+//   |       | key.  It is represented as the base64url encoding of the     |
+//   |       | value's unsigned big endian representation as an octet       |
+//   |       | sequence.                                                    |
+//   +-------+--------------------------------------------------------------+
 //
 // Consistency and conflict resolution
 // The 'algorithm', 'extractable', and 'usage_mask' input parameters
 // may be different than the corresponding values inside the JWK. The Web
 // Crypto spec says that if a JWK value is present but is inconsistent with
 // the input value, it is an error and the operation must fail. If no
 // inconsistency is found then the input parameters are used.
 //
 // algorithm
 //   If the JWK algorithm is provided, it must match the web crypto input
@@ skipping 260 matching lines @@
   Status status = GetJwkString(dict, path, &base64_string);
   if (status.IsError())
     return status;
 
   if (!Base64DecodeUrlSafe(base64_string, result))
     return Status::ErrorJwkBase64Decode(path);
 
   return Status::Success();
 }
 
+// Extracts the optional string property with key |path| from |dict| and saves
+// the base64url-decoded bytes to |*result|. If the property exist and is not a
+// string, or could not be base64url-decoded, returns an error.
+Status GetOptionalJwkBytes(base::DictionaryValue* dict,
+                           const std::string& path,
+                           std::string* result,
+                           bool* property_exists) {
+  std::string base64_string;
+  Status status =
+      GetOptionalJwkString(dict, path, &base64_string, property_exists);
+  if (!*property_exists || status.IsError())

[Ryan Sleevi, 2014/05/19 00:10:34]

nit: Check status.IsError() before doing *property_exists

I would expect that if status.IsError() is true, GetOptionalJwkString may not
have updated property_exists (under the normal Chromium idiom of not mutating
return values on error). Now, this may not be true - you may always be updating
property_exists, but that would force me as a reader to check whether or not
that precondition is true (something i'll likely forget), whereas the logical
re-ordering provides some degree of reasonable expectation.

[eroman, 2014/05/19 18:51:09]

Good point! Done.

Reading the boolean first could be an uninitialized memory read as the API is
currently defined (although not current implementation).

+    return status;
+
+  if (!Base64DecodeUrlSafe(base64_string, result))
+    return Status::ErrorJwkBase64Decode(path);
+
+  return Status::Success();
+}
+
 // Extracts the optional boolean property with key |path| from |dict| and saves
 // the result to |*result| if it was found. If the property exists and is not a
 // boolean, returns an error. Otherwise returns success, and sets
 // |*property_exists| if it was found.
 Status GetOptionalJwkBool(base::DictionaryValue* dict,
                           const std::string& path,
                           bool* result,
                           bool* property_exists) {
   *property_exists = false;
   base::Value* value = NULL;
@@ skipping 30 matching lines @@
                        const std::vector<uint8>& public_exponent,
                        base::DictionaryValue* jwk_dict) {
   DCHECK(jwk_dict);
   DCHECK(modulus.size());
   DCHECK(public_exponent.size());
   jwk_dict->SetString("kty", "RSA");
   jwk_dict->SetString("n", Base64EncodeUrlSafe(modulus));
   jwk_dict->SetString("e", Base64EncodeUrlSafe(public_exponent));
 }
 
+// Writes an RSA private key to a JWK dictionary
+Status ExportRsaPrivateKeyJwk(const blink::WebCryptoKey& key,
+                              base::DictionaryValue* jwk_dict) {
+  platform::PrivateKey* private_key;
+  Status status = ToPlatformPrivateKey(key, &private_key);
+  if (status.IsError())
+    return status;
+
+  // TODO(eroman): Copying the key properties to temporary vectors is
+  // inefficient. Once there aren't two implementations of platform_crypto this
+  // and other code will be easier to streamline.
+  std::vector<uint8> modulus;
+  std::vector<uint8> public_exponent;
+  std::vector<uint8> private_exponent;
+  std::vector<uint8> prime1;
+  std::vector<uint8> prime2;
+  std::vector<uint8> exponent1;
+  std::vector<uint8> exponent2;
+  std::vector<uint8> coefficient;
+
+  status = platform::ExportRsaPrivateKey(private_key,
+                                         &modulus,
+                                         &public_exponent,
+                                         &private_exponent,
+                                         &prime1,
+                                         &prime2,
+                                         &exponent1,
+                                         &exponent2,
+                                         &coefficient);
+  if (status.IsError())
+    return status;
+
+  jwk_dict->SetString("kty", "RSA");
+  jwk_dict->SetString("n", Base64EncodeUrlSafe(modulus));
+  jwk_dict->SetString("e", Base64EncodeUrlSafe(public_exponent));
+  jwk_dict->SetString("d", Base64EncodeUrlSafe(private_exponent));
+  // Although these are "optional", the JWA spec says that producers
+  // SHOULD include them.

[Ryan Sleevi, 2014/05/19 00:10:34]

Doesn't matter what JWA says. The WebCrypto spec is explicit that they MUST be
included.

[eroman, 2014/05/19 18:51:09]

Done, updated the comment.

+  jwk_dict->SetString("p", Base64EncodeUrlSafe(prime1));
+  jwk_dict->SetString("q", Base64EncodeUrlSafe(prime2));
+  jwk_dict->SetString("dp", Base64EncodeUrlSafe(exponent1));
+  jwk_dict->SetString("dq", Base64EncodeUrlSafe(exponent2));
+  jwk_dict->SetString("qi", Base64EncodeUrlSafe(coefficient));
+
+  return Status::Success();
+}
+
 // Writes a Web Crypto usage mask to a JWK dictionary.
 void WriteKeyOps(blink::WebCryptoKeyUsageMask key_usages,
                  base::DictionaryValue* jwk_dict) {
   jwk_dict->Set("key_ops", CreateJwkKeyOpsFromWebCryptoUsages(key_usages));
 }
 
 // Writes a Web Crypto extractable value to a JWK dictionary.
 void WriteExt(bool extractable, base::DictionaryValue* jwk_dict) {
   jwk_dict->SetBoolean("ext", extractable);
 }
@@ skipping 92 matching lines @@
           NOTREACHED();
           return Status::ErrorUnexpected();
       }
       break;
     default:
       return Status::ErrorUnsupported();
   }
   return Status::Success();
 }
 
-bool IsRsaPublicKey(const blink::WebCryptoKey& key) {
-  if (key.type() != blink::WebCryptoKeyTypePublic)
-    return false;
+bool IsRsaKey(const blink::WebCryptoKey& key) {
   const blink::WebCryptoAlgorithmId algorithm_id = key.algorithm().id();
   return algorithm_id == blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5 ||
          algorithm_id == blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 ||
          algorithm_id == blink::WebCryptoAlgorithmIdRsaOaep;
 }
 
-// TODO(padolph): This function is duplicated in shared_crypto.cc
-Status ToPlatformPublicKey(const blink::WebCryptoKey& key,
-                           platform::PublicKey** out) {
-  *out = static_cast<platform::Key*>(key.handle())->AsPublicKey();
-  if (!*out)
-    return Status::ErrorUnexpectedKeyType();
-  return Status::Success();
-}
-
 }  // namespace
 
+// TODO(eroman): Split this up into smaller functions.

[Ryan Sleevi, 2014/05/19 00:10:34]

I would rather see RSA Private key import split out in this CL

Lines 836-912 seem like they can be fully encapsulated stand-alone.

[eroman, 2014/05/19 18:51:09]

Done.

 Status ImportKeyJwk(const CryptoData& key_data,
                     const blink::WebCryptoAlgorithm& algorithm,
                     bool extractable,
                     blink::WebCryptoKeyUsageMask usage_mask,
                     blink::WebCryptoKey* key) {
   if (!key_data.byte_length())
     return Status::ErrorImportEmptyKeyData();
   DCHECK(key);
 
   // Parse the incoming JWK JSON.
@@ skipping 121 matching lines @@
                      extractable,
                      usage_mask,
                      key);
   }
   if (jwk_kty_value == "RSA") {
     // An RSA public key must have an "n" (modulus) and an "e" (exponent) entry
     // in the JWK, while an RSA private key must have those, plus at least a "d"
     // (private exponent) entry.
     // See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18,
     // section 6.3.
-
-    // RSA private key import is not currently supported, so fail here if a "d"
-    // entry is found.
-    // TODO(padolph): Support RSA private key import.
-    if (dict_value->HasKey("d"))
-      return Status::ErrorJwkRsaPrivateKeyUnsupported();
-
     std::string jwk_n_value;
     status = GetJwkBytes(dict_value, "n", &jwk_n_value);
     if (status.IsError())
       return status;
     std::string jwk_e_value;
     status = GetJwkBytes(dict_value, "e", &jwk_e_value);
     if (status.IsError())
       return status;
 
-    return platform::ImportRsaPublicKey(algorithm,
-                                        extractable,
-                                        usage_mask,
-                                        CryptoData(jwk_n_value),
-                                        CryptoData(jwk_e_value),
-                                        key);
+    if (!dict_value->HasKey("d")) {
+      return platform::ImportRsaPublicKey(algorithm,
+                                          extractable,
+                                          usage_mask,
+                                          CryptoData(jwk_n_value),
+                                          CryptoData(jwk_e_value),
+                                          key);
+    }
 
+    std::string jwk_d_value;
+    status = GetJwkBytes(dict_value, "d", &jwk_d_value);
+    if (status.IsError())
+      return status;
+
+    std::string jwk_p_value;
+    bool has_p;
+    status = GetOptionalJwkBytes(dict_value, "p", &jwk_p_value, &has_p);
+    if (status.IsError())
+      return status;
+
+    std::string jwk_q_value;
+    bool has_q;
+    status = GetOptionalJwkBytes(dict_value, "q", &jwk_q_value, &has_q);
+    if (status.IsError())
+      return status;
+
+    std::string jwk_dp_value;
+    bool has_dp;
+    status = GetOptionalJwkBytes(dict_value, "dp", &jwk_dp_value, &has_dp);
+    if (status.IsError())
+      return status;
+
+    std::string jwk_dq_value;
+    bool has_dq;
+    status = GetOptionalJwkBytes(dict_value, "dq", &jwk_dq_value, &has_dq);
+    if (status.IsError())
+      return status;
+
+    std::string jwk_qi_value;
+    bool has_qi;
+    status = GetOptionalJwkBytes(dict_value, "qi", &jwk_qi_value, &has_qi);
+    if (status.IsError())
+      return status;
+
+    return platform::ImportRsaPrivateKey(
+        algorithm,
+        extractable,
+        usage_mask,
+        CryptoData(jwk_n_value),  // modulus
+        CryptoData(jwk_e_value),  // public_exponent
+        CryptoData(jwk_d_value),  // private_exponent
+        has_p,
+        CryptoData(jwk_p_value),  // prime1
+        has_q,
+        CryptoData(jwk_q_value),  // prime2
+        has_dp,
+        CryptoData(jwk_dp_value),  // exponent1
+        has_dq,
+        CryptoData(jwk_dq_value),  // exponent2
+        has_qi,
+        CryptoData(jwk_qi_value),  // coefficient
+        key);
   }
 
   return Status::ErrorJwkUnrecognizedKty();
 }
 
 Status ExportKeyJwk(const blink::WebCryptoKey& key,
                     std::vector<uint8>* buffer) {
   DCHECK(key.extractable());
   base::DictionaryValue jwk_dict;
   Status status = Status::OperationError();
 
   switch (key.type()) {
     case blink::WebCryptoKeyTypeSecret: {
       std::vector<uint8> exported_key;
       status = ExportKey(blink::WebCryptoKeyFormatRaw, key, &exported_key);
       if (status.IsError())
         return status;
       WriteSecretKey(exported_key, &jwk_dict);
       break;
     }
     case blink::WebCryptoKeyTypePublic: {
-      // Currently only RSA public key export is supported.
-      if (!IsRsaPublicKey(key))
+      // TODO(eroman): Update when there are asymmetric keys other than RSA.
+      if (!IsRsaKey(key))
         return Status::ErrorUnsupported();
       platform::PublicKey* public_key;
       status = ToPlatformPublicKey(key, &public_key);
       if (status.IsError())
         return status;
       std::vector<uint8> modulus;
       std::vector<uint8> public_exponent;
       status =
           platform::ExportRsaPublicKey(public_key, &modulus, &public_exponent);
       if (status.IsError())
         return status;
       WriteRsaPublicKey(modulus, public_exponent, &jwk_dict);
       break;
     }
-    case blink::WebCryptoKeyTypePrivate:  // TODO(padolph)
+    case blink::WebCryptoKeyTypePrivate: {
+      // TODO(eroman): Update when there are asymmetric keys other than RSA.
+      if (!IsRsaKey(key))
+        return Status::ErrorUnsupported();
+
+      status = ExportRsaPrivateKeyJwk(key, &jwk_dict);
+      if (status.IsError())
+        return status;
+      break;
+    }
+
     default:
       return Status::ErrorUnsupported();
   }
 
   WriteKeyOps(key.usages(), &jwk_dict);
   WriteExt(key.extractable(), &jwk_dict);
   status = WriteAlg(key.algorithm(), &jwk_dict);
   if (status.IsError())
     return status;
 
   std::string json;
   base::JSONWriter::Write(&jwk_dict, &json);
   buffer->assign(json.data(), json.data() + json.size());
   return Status::Success();
 }
 
 }  // namespace webcrypto
 
 }  // namespace content