[webcrypto] Add RSA key generation using NSS.

content/renderer/webcrypto/webcrypto_impl_nss.cc

Index: content/renderer/webcrypto/webcrypto_impl_nss.cc
diff --git a/content/renderer/webcrypto/webcrypto_impl_nss.cc b/content/renderer/webcrypto/webcrypto_impl_nss.cc
index a20f72fb6bfd1bfe4336cb9a60deb8f15e3bd3f0..08938beb0bfb7d070310c69589de1d108e69647d 100644
--- a/content/renderer/webcrypto/webcrypto_impl_nss.cc
+++ b/content/renderer/webcrypto/webcrypto_impl_nss.cc
@@ -37,6 +37,36 @@ class SymKeyHandle : public WebKit::WebCryptoKeyHandle {
   DISALLOW_COPY_AND_ASSIGN(SymKeyHandle);
 };
 
+class PublicKeyHandle : public WebKit::WebCryptoKeyHandle {
+ public:
+  explicit PublicKeyHandle(crypto::ScopedSECKEYPublicKey key) {
+    DCHECK(!key_.get());
+    key_ = key.Pass();
+  }
+
+  SECKEYPublicKey* key() { return key_.get(); }
+
+ private:
+  crypto::ScopedSECKEYPublicKey key_;
+
+  DISALLOW_COPY_AND_ASSIGN(PublicKeyHandle);
+};
+
+class PrivateKeyHandle : public WebKit::WebCryptoKeyHandle {
+ public:
+  explicit PrivateKeyHandle(crypto::ScopedSECKEYPrivateKey key) {
+    DCHECK(!key_.get());
+    key_ = key.Pass();
+  }
+
+  SECKEYPrivateKey* key() { return key_.get(); }
+
+ private:
+  crypto::ScopedSECKEYPrivateKey key_;
+
+  DISALLOW_COPY_AND_ASSIGN(PrivateKeyHandle);
+};
+
 HASH_HashType WebCryptoAlgorithmToNSSHashType(
     const WebKit::WebCryptoAlgorithm& algorithm) {
   switch (algorithm.id()) {
@@ -323,6 +353,88 @@ bool WebCryptoImpl::GenerateKeyInternal(
   return true;
 }
 
+bool WebCryptoImpl::GenerateKeyPairInternal(
+    const WebKit::WebCryptoAlgorithm& algorithm,
+    scoped_ptr<WebKit::WebCryptoKeyHandle>* public_key_handle,
+    scoped_ptr<WebKit::WebCryptoKeyHandle>* private_key_handle) {
+
+  // TODO (padolph) Handle other asymmetric algorithm key generation

[eroman, 2013/10/23 20:02:46]

nit: remove the space after TODO

[padolph, 2013/10/23 23:21:47]

Done.

+  switch (algorithm.id()) {
+    case WebKit::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
+    case WebKit::WebCryptoAlgorithmIdRsaOaep:
+    case WebKit::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5: {
+      const WebKit::WebCryptoRsaKeyGenParams* const params =
+          algorithm.rsaKeyGenParams();
+      DCHECK(params);
+
+      crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
+      if (!slot || !params->modulusLength() ||
+          !params->publicExponent().size()) {
+        return false;
+      }
+
+      // The Web Crypto API says params->m_publicExponent is in big-endian
+      // order: the first element in the vector is the most significant digit.
+      // Leading zeros may or may not be present.
+      DCHECK_LE(params->publicExponent().size(), sizeof(unsigned long));

[eroman, 2013/10/23 20:02:46]

This needs to be a runtime error (i.e. "return false"), since the publicExponent
is controlled by the user (and the length is not enforced by blink).

[padolph, 2013/10/23 23:21:47]

Done.

+      const size_t size_minus_1 = params->publicExponent().size() - 1;
+      unsigned long public_exponent = 0;
+      for (int i = size_minus_1; i >= 0; --i) {
+        public_exponent |= params->publicExponent()[i]
+                           << (8 * (size_minus_1 - i));
+      }
+      // TODO (padolph): should we limit the public exponent to the 'safe' set

[eroman, 2013/10/23 20:02:46]

Ryan: Can you comment on this?

+      // of {3, 5, 17, 257, 65537}?
+
+      PK11RSAGenParams param;
+      param.keySizeInBits = params->modulusLength();
+      param.pe = public_exponent;
+
+      // Flags are verified at the Blink layer; here the flags are set to all
+      // possible operations for the given key type.
+      CK_FLAGS operation_flags;
+      switch (algorithm.id()) {
+        case WebKit::WebCryptoAlgorithmIdRsaEsPkcs1v1_5:
+          operation_flags = CKF_ENCRYPT | CKF_DECRYPT;
+          break;
+        case WebKit::WebCryptoAlgorithmIdRsaOaep:
+          operation_flags = CKF_WRAP | CKF_UNWRAP;
+          break;
+        case WebKit::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5:
+          operation_flags = CKF_SIGN | CKF_VERIFY;
+          break;
+        default:
+          DCHECK(false);

[eroman, 2013/10/23 20:02:46]

NOTREACHED();
Also would be good to add a defensive "return false" (for release builds)

[padolph, 2013/10/23 23:21:47]

Done.

+      }
+      const CK_FLAGS operation_flags_mask = CKF_ENCRYPT | CKF_DECRYPT |
+                                            CKF_SIGN | CKF_VERIFY | CKF_WRAP |
+                                            CKF_UNWRAP;
+      const PK11AttrFlags attribute_flags = 0;  // default all PK11_ATTR_ flags
+
+      SECKEYPublicKey* sec_public_key;
+      crypto::ScopedSECKEYPrivateKey private_key(
+          PK11_GenerateKeyPairWithOpFlags(slot.get(),
+                                          CKM_RSA_PKCS_KEY_PAIR_GEN,
+                                          &param,
+                                          &sec_public_key,
+                                          attribute_flags,
+                                          operation_flags,
+                                          operation_flags_mask,
+                                          NULL));
+      if (!private_key) {
+        return false;

[eroman, 2013/10/23 20:02:46]

Is it guaranteed that sec_public_key hasn't been set in this case? (If not, it
will leak).

[padolph, 2013/10/23 23:21:47]

Looking at the NSS source, the pubkey is destroyed if the private key generation
fails, so it seems so. However, I cannot find documentation that codifies this
into the API contract, so it could change I guess. Ryan, can you please comment?

+      }
+      crypto::ScopedSECKEYPublicKey public_key(sec_public_key);
+
+      public_key_handle->reset(new PublicKeyHandle(public_key.Pass()));
+      private_key_handle->reset(new PrivateKeyHandle(private_key.Pass()));
+
+      return true;
+    }
+    default:
+      return false;
+  }
+}
 
 bool WebCryptoImpl::ImportKeyInternal(
     WebKit::WebCryptoKeyFormat format,