[webcrypto] Add RSA key generation using NSS.

content/renderer/webcrypto/webcrypto_impl_nss.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
 #include <cryptohi.h>
 #include <pk11pub.h>
 #include <sechash.h>
 
 #include <vector>
 
 #include "base/logging.h"
 #include "crypto/nss_util.h"
 #include "crypto/scoped_nss_types.h"
 #include "crypto/secure_util.h"
 #include "third_party/WebKit/public/platform/WebArrayBuffer.h"
 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
 
 namespace content {
 
 namespace {
 
 class SymKeyHandle : public WebKit::WebCryptoKeyHandle {
  public:
-  explicit SymKeyHandle(crypto::ScopedPK11SymKey key) {
-    DCHECK(!key_.get());
-    key_ = key.Pass();
-  }
+  explicit SymKeyHandle(crypto::ScopedPK11SymKey key) : key_(key.Pass()) {}
 
   PK11SymKey* key() { return key_.get(); }
 
  private:
   crypto::ScopedPK11SymKey key_;
 
   DISALLOW_COPY_AND_ASSIGN(SymKeyHandle);
 };
 
+class PublicKeyHandle : public WebKit::WebCryptoKeyHandle {
+ public:
+  explicit PublicKeyHandle(crypto::ScopedSECKEYPublicKey key)
+      : key_(key.Pass()) {}
+
+  SECKEYPublicKey* key() { return key_.get(); }
+
+ private:
+  crypto::ScopedSECKEYPublicKey key_;
+
+  DISALLOW_COPY_AND_ASSIGN(PublicKeyHandle);
+};
+
+class PrivateKeyHandle : public WebKit::WebCryptoKeyHandle {
+ public:
+  explicit PrivateKeyHandle(crypto::ScopedSECKEYPrivateKey key)
+      : key_(key.Pass()) {}
+
+  SECKEYPrivateKey* key() { return key_.get(); }
+
+ private:
+  crypto::ScopedSECKEYPrivateKey key_;
+
+  DISALLOW_COPY_AND_ASSIGN(PrivateKeyHandle);
+};
+
 HASH_HashType WebCryptoAlgorithmToNSSHashType(
     const WebKit::WebCryptoAlgorithm& algorithm) {
   switch (algorithm.id()) {
     case WebKit::WebCryptoAlgorithmIdSha1:
       return HASH_AlgSHA1;
     case WebKit::WebCryptoAlgorithmIdSha224:
       return HASH_AlgSHA224;
     case WebKit::WebCryptoAlgorithmIdSha256:
       return HASH_AlgSHA256;
     case WebKit::WebCryptoAlgorithmIdSha384:
@@ skipping 45 matching lines @@
   crypto::ScopedSECItem param(PK11_ParamFromIV(CKM_AES_CBC_PAD, &iv_item));
   if (!param)
     return false;
 
   crypto::ScopedPK11Context context(PK11_CreateContextBySymKey(
       CKM_AES_CBC_PAD, operation, sym_key->key(), param.get()));
 
   if (!context.get())
     return false;
 
-  // Oddly PK11_CipherOp takes input and output lenths as "int" rather than
+  // Oddly PK11_CipherOp takes input and output lengths as "int" rather than
   // "unsigned". Do some checks now to avoid integer overflowing.
   if (data_size >= INT_MAX - AES_BLOCK_SIZE) {
     // TODO(eroman): Handle this by chunking the input fed into NSS. Right now
     // it doesn't make much difference since the one-shot API would end up
     // blowing out the memory and crashing anyway. However a newer version of
     // the spec allows for a sequence<CryptoData> so this will be relevant.
     return false;
   }
 
   // PK11_CipherOp does an invalid memory access when given empty decryption
@@ skipping 70 matching lines @@
   switch (params->hash().id()) {
     case WebKit::WebCryptoAlgorithmIdSha1:
       return 512;
     case WebKit::WebCryptoAlgorithmIdSha256:
       return 512;
     default:
       return 0;
   }
 }
 
+// Converts a (big-endian) WebCrypto BigInteger, with or without leading zeros,
+// to unsigned long.
+bool BigIntegerToLong(const uint8* data,
+                      unsigned data_size,
+                      unsigned long* result) {
+  // TODO(padolph): Is it correct to say that empty data is an error, or does it
+  // mean value 0? See https://www.w3.org/Bugs/Public/show_bug.cgi?id=23655
+  if (data_size == 0)
+    return false;
+
+  *result = 0;
+  for (size_t i = 0; i < data_size; ++i) {
+    size_t reverse_i = data_size - i - 1;
+
+    if (reverse_i >= sizeof(unsigned long) && data[i])
+      return false;  // Too large for a long.
+
+    *result |= data[i] << 8 * reverse_i;
+  }
+  return true;
+}
+
 }  // namespace
 
 void WebCryptoImpl::Init() {
   crypto::EnsureNSSInit();
 }
 
 bool WebCryptoImpl::EncryptInternal(
     const WebKit::WebCryptoAlgorithm& algorithm,
     const WebKit::WebCryptoKey& key,
     const unsigned char* data,
@@ skipping 111 matching lines @@
   if (!pk11_key) {
     return false;
   }
 
   *key = WebKit::WebCryptoKey::create(
       new SymKeyHandle(pk11_key.Pass()),
       key_type, extractable, algorithm, usage_mask);
   return true;
 }
 
+bool WebCryptoImpl::GenerateKeyPairInternal(
+    const WebKit::WebCryptoAlgorithm& algorithm,
+    bool extractable,
+    WebKit::WebCryptoKeyUsageMask usage_mask,
+    WebKit::WebCryptoKey* public_key,
+    WebKit::WebCryptoKey* private_key) {
+
+  // TODO(padolph): Handle other asymmetric algorithm key generation.
+  switch (algorithm.id()) {
+    case WebKit::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
+    case WebKit::WebCryptoAlgorithmIdRsaOaep:
+    case WebKit::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5: {
+      const WebKit::WebCryptoRsaKeyGenParams* const params =
+          algorithm.rsaKeyGenParams();
+      DCHECK(params);
+
+      crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
+      unsigned long public_exponent;
+      if (!slot || !params->modulusLength() ||
+          !BigIntegerToLong(params->publicExponent().data(),
+                            params->publicExponent().size(),
+                            &public_exponent) ||
+          !public_exponent) {
+        return false;
+      }
+
+      PK11RSAGenParams rsa_gen_params;
+      rsa_gen_params.keySizeInBits = params->modulusLength();
+      rsa_gen_params.pe = public_exponent;
+
+      // Flags are verified at the Blink layer; here the flags are set to all
+      // possible operations for the given key type.
+      CK_FLAGS operation_flags;
+      switch (algorithm.id()) {
+        case WebKit::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
+        case WebKit::WebCryptoAlgorithmIdRsaOaep:
+          operation_flags = CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP;
+          break;
+        case WebKit::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5:
+          operation_flags = CKF_SIGN | CKF_VERIFY;
+          break;
+        default:
+          NOTREACHED();
+          return false;
+      }
+      const CK_FLAGS operation_flags_mask = CKF_ENCRYPT | CKF_DECRYPT |
+                                            CKF_SIGN | CKF_VERIFY | CKF_WRAP |
+                                            CKF_UNWRAP;
+      const PK11AttrFlags attribute_flags = 0;  // Default all PK11_ATTR_ flags.
+
+      // Note: NSS does not generate an sec_public_key if the call below fails,
+      // so there is no danger of a leaked sec_public_key.
+      SECKEYPublicKey* sec_public_key;
+      crypto::ScopedSECKEYPrivateKey scoped_sec_private_key(
+          PK11_GenerateKeyPairWithOpFlags(slot.get(),
+                                          CKM_RSA_PKCS_KEY_PAIR_GEN,
+                                          &rsa_gen_params,
+                                          &sec_public_key,
+                                          attribute_flags,
+                                          operation_flags,
+                                          operation_flags_mask,
+                                          NULL));
+      if (!private_key) {
+        return false;
+      }
+
+      // The 'extractable' input parameter applies to the private key here.
+      // Make the public key always extractable.

[eroman, 2013/10/31 22:18:36]

I don't see anything about this in the spec.

My interpretation would have been to have the "extractable" boolean apply to
both keys, since that is how the usages works too.

@sleevi: what do you think?

[Ryan Sleevi, 2013/10/31 22:23:20]

File a spec bug. Current spec indicates both keys respect the extractable
attribute.

[eroman, 2013/10/31 22:30:07]

Done: https://www.w3.org/Bugs/Public/show_bug.cgi?id=23695

@padolph: For this changelist can you use the same "extractable" for both public
and private keys?

[padolph, 2013/11/01 20:35:31]

Done.

+      *public_key = WebKit::WebCryptoKey::create(
+          new PublicKeyHandle(
+              crypto::ScopedSECKEYPublicKey(sec_public_key).Pass()),

[eroman, 2013/10/31 22:18:36]

Is the .Pass() needed ?

[padolph, 2013/11/01 20:35:31]

No. Done.

+          WebKit::WebCryptoKeyTypePublic,
+          true,
+          algorithm,
+          usage_mask);
+      *private_key = WebKit::WebCryptoKey::create(
+          new PrivateKeyHandle(scoped_sec_private_key.Pass()),
+          WebKit::WebCryptoKeyTypePrivate,
+          extractable,
+          algorithm,
+          usage_mask);
+
+      return true;
+    }
+    default:
+      return false;
+  }
+}
 
 bool WebCryptoImpl::ImportKeyInternal(
     WebKit::WebCryptoKeyFormat format,
     const unsigned char* key_data,
     unsigned key_data_size,
     const WebKit::WebCryptoAlgorithm& algorithm_or_null,
     bool extractable,
     WebKit::WebCryptoKeyUsageMask usage_mask,
     WebKit::WebCryptoKey* key) {
   // TODO(eroman): Currently expects algorithm to always be specified, as it is
@@ skipping 169 matching lines @@
       break;
     }
     default:
       return false;
   }
 
   return true;
 }
 
 }  // namespace content