enterprise.platformKeys: Copy-on-read the 'algorithm' member of Key objects.

chrome/test/data/extensions/api_test/enterprise_platform_keys/basic.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Must be packed to ../enterprise_platform_keys.crx using the private key
 // ../enterprise_platform_keys.pem .
 
+'use strict';
+
 var assertEq = chrome.test.assertEq;
 var assertTrue = chrome.test.assertTrue;
 var assertThrows = chrome.test.assertThrows;
 var fail = chrome.test.fail;
 var succeed = chrome.test.succeed;
 var callbackPass = chrome.test.callbackPass;
 var callbackFail= chrome.test.callbackFail;
 
 // openssl req -new -x509 -key privkey.pem \
 //   -outform der -out cert.der -days 36500
@@ skipping 225 matching lines @@
   assertTrue(!!chrome.enterprise.platformKeys, "No platformKeys namespace.");
   assertTrue(!!chrome.enterprise.platformKeys.getTokens,
              "No getTokens function.");
   assertTrue(!!chrome.enterprise.platformKeys.importCertificate,
              "No importCertificate function.");
   assertTrue(!!chrome.enterprise.platformKeys.removeCertificate,
              "No removeCertificate function.");
 
   getUserToken(function(userToken) {
     if (!userToken)
-      chrome.test.fail('no user token');
+      fail('no user token');
     if (userToken.id != 'user')
-      chrome.test.fail('token is not named "user".');
+      fail('token is not named "user".');
 
     callback(userToken);
   });
 }
 
+function checkKeyPairCommonFormat(keyPair) {
+  function checkReadOnly(object, key) {
+    var original = object[key];
+    try {
+      object[key] = {};
+      fail('Expected that the property is read only and an exception to ' +
+           'be thrown');
+    } catch (error) {
+      assertTrue(object[key] === original);
+    }
+  }
+
+  checkReadOnly(keyPair, 'privateKey');
+  var privateKey = keyPair.privateKey;
+  assertEq('private', privateKey.type);
+  assertEq(false, privateKey.extractable);
+  checkReadOnly(privateKey, 'algorithm');
+  checkReadOnly(privateKey.algorithm, 'hash');
+  checkReadOnly(privateKey.algorithm, 'modulusLength');
+  checkReadOnly(privateKey.algorithm, 'name');
+
+  checkReadOnly(keyPair, 'publicKey');
+  var publicKey = keyPair.publicKey;
+  assertEq('public', publicKey.type);
+  assertEq(true, publicKey.extractable);
+  checkReadOnly(publicKey, 'algorithm');
+  checkReadOnly(publicKey.algorithm, 'hash');
+  checkReadOnly(publicKey.algorithm, 'modulusLength');
+  checkReadOnly(publicKey.algorithm, 'name');
+}
+
 function runTests(userToken) {
   chrome.test.runTests([
     function hasSubtleCryptoMethods() {
       assertTrue(!!userToken.subtleCrypto.generateKey,
                  "user token has no generateKey method");
       assertTrue(!!userToken.subtleCrypto.sign,
                  "user token has no sign method");
       assertTrue(!!userToken.subtleCrypto.exportKey,
                  "user token has no exportKey method");
       succeed();
     },
     function initiallyNoCerts() { assertCertsStored(userToken, []); },
 
     // Generates a key and sign some data with it. Verifies the signature using
     // WebCrypto.
     function generateKeyAndSign() {
       var algorithm = {
         name: "RSASSA-PKCS1-v1_5",
         // RsaHashedKeyGenParams
         modulusLength: 512,
-        publicExponent:
-            new Uint8Array([0x01, 0x00, 0x01]),  // Equivalent to 65537
+        // Equivalent to 65537
+        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
         hash: {
           name: "SHA-1",
         }
       };
       // Some random data to sign.
       var data = new Uint8Array([0, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 6]);
       var cachedKeyPair;
       var cachedSpki;
       var cachedSignature;
       userToken.subtleCrypto.generateKey(algorithm, false, ["sign"])
           .then(callbackPass(function(keyPair) {
                   assertTrue(!!keyPair, "No key pair.");
                   cachedKeyPair = keyPair;
                   return userToken.subtleCrypto.exportKey('spki',
                                                           keyPair.publicKey);
                 }),
-                function(error) {
-            assertTrue(false, "GenerateKey failed: " + error);
-          })
+                function(error) { fail("GenerateKey failed: " + error); })
           .then(callbackPass(function(publicKeySpki) {
+                  // Ensure that the returned key pair has the expected format.
+                  // Some parameter independent checks:
+                  checkKeyPairCommonFormat(cachedKeyPair);
+
+                  // Checks depending on the generateKey arguments:
+                  var privateKey = cachedKeyPair.privateKey;
+                  assertEq(['sign'], privateKey.usages);
+                  assertEq(algorithm, privateKey.algorithm);
+
+                  var publicKey = cachedKeyPair.publicKey;
+                  assertEq([], publicKey.usages);
+                  assertEq(algorithm, publicKey.algorithm);
+
                   cachedSpki = publicKeySpki;
                   var signParams = {name: 'RSASSA-PKCS1-v1_5'};
                   return userToken.subtleCrypto.sign(
-                      signParams, cachedKeyPair.privateKey, data);
+                      signParams, privateKey, data);
                 }),
-                function(error) {
-            assertTrue(false, "Export failed: " + error);
-          })
+                function(error) { fail("Export failed: " + error); })
           .then(callbackPass(function(signature) {
                   var importParams = {
                     name: algorithm.name,
                     // RsaHashedImportParams
                     hash: {
                       name: "SHA-1",
                     }
                   };
                   assertTrue(!!signature, "No signature.");
                   assertTrue(signature.length != 0, "Signature is empty.");
                   cachedSignature = signature;
                   return window.crypto.subtle.importKey(
                       "spki", cachedSpki, importParams, false, ["verify"]);
                 }),
-                function(error) { assertTrue(false, "Sign failed: " + error); })
+                function(error) { fail("Sign failed: " + error); })
           .then(callbackPass(function(webCryptoPublicKey) {
                   assertTrue(!!webCryptoPublicKey);
                   assertEq(algorithm.modulusLength,
                            webCryptoPublicKey.algorithm.modulusLength);
                   assertEq(algorithm.publicExponent,
                            webCryptoPublicKey.algorithm.publicExponent);
                   return window.crypto.subtle.verify(
                       algorithm, webCryptoPublicKey, cachedSignature, data);
                 }),
-                function(error) {
-            assertTrue(false, "Import failed: " + error);
-          })
+                function(error) { fail("Import failed: " + error); })
           .then(callbackPass(function(success) {
                   assertEq(true, success, "Signature invalid.");
                 }),
-                function(error) {
-            assertTrue(false, "Verification failed: " + error);
-          });
+                function(error) { fail("Verification failed: " + error); });
     },
 
     // Imports and removes certificates for privateKeyPkcs8, which was imported
     // by on C++'s side.
     // Note: After this test, privateKeyPkcs8 is not stored anymore!
     function importAndRemoveCerts() {
       runAsyncSequence([
         chrome.enterprise.platformKeys.importCertificate.bind(
             null, userToken.id, cert1a.buffer),
         assertCertsStored.bind(null, userToken, [cert1a]),
@@ skipping 19 matching lines @@
     function algorithmParameterMissingModulusLength() {
       var algorithm = {
         name: "RSASSA-PKCS1-v1_5",
         // Equivalent to 65537
         publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
         hash: {
           name: "SHA-1",
         }
       };
       userToken.subtleCrypto.generateKey(algorithm, false, ['sign']).then(
-          function(keyPair) {
-            assertTrue(false, 'generateKey was expected to fail');
-          },
+          function(keyPair) { fail('generateKey was expected to fail'); },
           callbackPass(function(error) {
       assertTrue(error instanceof Error);
       assertEq('A required parameter was missing or out-of-range',
                error.message);
       }));
     },
 
     // Call generate key with invalid algorithm parameter, missing hash.
     function algorithmParameterMissingHash() {
       var algorithm = {
         name: 'RSASSA-PKCS1-v1_5',
         modulusLength: 512,
         // Equivalent to 65537
         publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
       };
       userToken.subtleCrypto.generateKey(algorithm, false, ['sign']).then(
-          function(keyPair) {
-            assertTrue(false, 'generateKey was expected to fail');
-          },
+          function(keyPair) { fail('generateKey was expected to fail'); },
           callbackPass(function(error) {
       assertEq(
           new Error('Error: A required parameter was missing our out-of-range'),
           error);
       }));
     },
 
     // Call generate key with invalid algorithm parameter, unsupported public
     // exponent.
     function algorithmParameterUnsupportedPublicExponent() {
       var algorithm = {
         name: 'RSASSA-PKCS1-v1_5',
         modulusLength: 512,
         // Different from 65537.
         publicExponent: new Uint8Array([0x01, 0x01]),
       };
       userToken.subtleCrypto.generateKey(algorithm, false, ['sign']).then(
-          function(keyPair) {
-            assertTrue(false, 'generateKey was expected to fail');
-          },
+          function(keyPair) { fail('generateKey was expected to fail'); },
           callbackPass(function(error) {
       assertTrue(error instanceof Error);
       assertEq('A required parameter was missing or out-of-range',
                error.message);
       }));
     },
 
     // Imports a certificate for which now private key was imported/generated
     // before.
     function missingPrivateKey() {
@@ skipping 21 matching lines @@
           callbackFail('Certificate is not a valid X.509 certificate.'));
     },
     function getCertsInvalidToken() {
       chrome.enterprise.platformKeys.getCertificates(
           'invalid token id', callbackFail('The token is not valid.'));
     }
   ]);
 }
 
 beforeTests(runTests);