[webcrypto] Wire up {spki, pkcs8} import/export for OpenSSL.

content/child/webcrypto/platform_crypto_openssl.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/child/webcrypto/platform_crypto.h"
 
 #include <vector>
 #include <openssl/aes.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
+#include <openssl/pkcs12.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/child/webcrypto/crypto_data.h"
 #include "content/child/webcrypto/status.h"
 #include "content/child/webcrypto/webcrypto_util.h"
 #include "crypto/openssl_util.h"
 #include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
@@ skipping 21 matching lines @@
   }
 
   const std::vector<unsigned char>& key() const { return key_; }
 
  private:
   const std::vector<unsigned char> key_;
 
   DISALLOW_COPY_AND_ASSIGN(SymKey);
 };
 
+class PublicKey : public Key {
+ public:
+  // Takes ownership of |key|.
+  // TODO(eroman): use Pass() semantics.
+  static Status Create(EVP_PKEY* key,
+                       const blink::WebCryptoKeyAlgorithm& algorithm,
+                       scoped_ptr<PublicKey>* out) {
+    out->reset(new PublicKey(key));
+    return ExportKeySpki(out->get(), &(*out)->serialized_key_);
+  }
+
+  EVP_PKEY* key() { return key_.get(); }
+
+  virtual SymKey* AsSymKey() OVERRIDE { return NULL; }
+  virtual PublicKey* AsPublicKey() OVERRIDE { return this; }
+  virtual PrivateKey* AsPrivateKey() OVERRIDE { return NULL; }
+
+  virtual bool ThreadSafeSerializeForClone(
+      blink::WebVector<uint8>* key_data) OVERRIDE {
+    key_data->assign(Uint8VectorStart(serialized_key_), serialized_key_.size());
+    return true;
+  }
+
+ private:
+  explicit PublicKey(EVP_PKEY* key) : key_(key) {}
+
+  crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> key_;
+  std::vector<uint8> serialized_key_;
+
+  DISALLOW_COPY_AND_ASSIGN(PublicKey);
+};
+
+class PrivateKey : public Key {
+ public:
+  // Takes ownership of |key|.
+  // TODO(eroman): use Pass() semantics.
+  static Status Create(EVP_PKEY* key,
+                       const blink::WebCryptoKeyAlgorithm& algorithm,
+                       scoped_ptr<PrivateKey>* out) {
+    out->reset(new PrivateKey(key));
+    return ExportKeyPkcs8(out->get(), algorithm, &(*out)->serialized_key_);
+  }
+
+  EVP_PKEY* key() { return key_.get(); }
+
+  virtual SymKey* AsSymKey() OVERRIDE { return NULL; }
+  virtual PublicKey* AsPublicKey() OVERRIDE { return NULL; }
+  virtual PrivateKey* AsPrivateKey() OVERRIDE { return this; }
+
+  virtual bool ThreadSafeSerializeForClone(
+      blink::WebVector<uint8>* key_data) OVERRIDE {
+    key_data->assign(Uint8VectorStart(serialized_key_), serialized_key_.size());
+    return true;
+  }
+
+ private:
+  explicit PrivateKey(EVP_PKEY* key) : key_(key) {}
+
+  crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> key_;
+  std::vector<uint8> serialized_key_;
+
+  DISALLOW_COPY_AND_ASSIGN(PrivateKey);
+};
+
 namespace {
 
 const EVP_CIPHER* GetAESCipherByKeyLength(unsigned int key_length_bytes) {
   // OpenSSL supports AES CBC ciphers for only 3 key lengths: 128, 192, 256 bits
   switch (key_length_bytes) {
     case 16:
       return EVP_aes_128_cbc();
     case 24:
       return EVP_aes_192_cbc();
     case 32:
@@ skipping 84 matching lines @@
   const unsigned int final_output_len =
       static_cast<unsigned int>(output_len) +
       static_cast<unsigned int>(final_output_chunk_len);
   DCHECK_LE(final_output_len, output_max_len);
 
   buffer->resize(final_output_len);
 
   return Status::Success();
 }
 
+// Creates a blink::WebCryptoAlgorithm having the modulus length and public
+// exponent  of |key|.
+Status CreateRsaHashedKeyAlgorithm(
+    blink::WebCryptoAlgorithmId rsa_algorithm,
+    blink::WebCryptoAlgorithmId hash_algorithm,
+    EVP_PKEY* key,
+    blink::WebCryptoKeyAlgorithm* key_algorithm) {
+  DCHECK(IsAlgorithmRsa(rsa_algorithm));
+  DCHECK(EVP_PKEY_id(key) == EVP_PKEY_RSA);

[Ryan Sleevi, 2014/06/27 01:43:25]

DCHECK_EQ

[eroman, 2014/06/27 02:12:47]

Done.

+
+  crypto::ScopedOpenSSL<RSA, RSA_free> rsa(EVP_PKEY_get1_RSA(key));
+  if (!rsa.get())
+    return Status::ErrorUnexpected();
+
+  unsigned int modulus_length_bits = RSA_size(rsa.get()) * 8;
+
+  // Convert the public exponent to big-endian representation.
+  std::vector<uint8> e(BN_num_bytes(rsa.get()->e));
+  if (e.size() == 0)
+    return Status::ErrorUnexpected();
+  if (static_cast<int>(e.size()) != BN_bn2bin(rsa.get()->e, &e[0]))

[Ryan Sleevi, 2014/06/27 01:43:25]

I think these may differ dependent on leading bits?

[eroman, 2014/06/27 02:12:47]

Looks like at least in the current implementation, the return value can be
nothing other than BN_num_bytes():

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/openss...

I could remove the check alltogether and turn it into an assertion if this is
something I can assume will never have future failure modes.

+    return Status::ErrorUnexpected();
+
+  *key_algorithm = blink::WebCryptoKeyAlgorithm::createRsaHashed(
+      rsa_algorithm, modulus_length_bits, &e[0], e.size(), hash_algorithm);
+
+  return Status::Success();
+}
+
+// Verifies that |key| is consistent with the input algorithm id, and creates a
+// blink::WebCryptoKeyAlgorithm describing the key.
+// Returns Status::Success() on success and sets |*key_algorithm|.
+Status ValidateKeyTypeAndCreateKeyAlgorithm(
+    const blink::WebCryptoAlgorithm& algorithm,
+    EVP_PKEY* key,
+    blink::WebCryptoKeyAlgorithm* key_algorithm) {
+  if (IsAlgorithmRsa(algorithm.id())) {
+    if (EVP_PKEY_id(key) != EVP_PKEY_RSA)
+      return Status::DataError();  // Data did not define an RSA key.
+    return CreateRsaHashedKeyAlgorithm(algorithm.id(),
+                                     GetInnerHashAlgorithm(algorithm).id(),
+                                     key,
+                                     key_algorithm);
+    return Status::Success();
+  }
+
+  return Status::ErrorUnsupported();
+}
+
 }  // namespace
 
 class DigestorOpenSSL : public blink::WebCryptoDigestor {
  public:
   explicit DigestorOpenSSL(blink::WebCryptoAlgorithmId algorithm_id)
       : initialized_(false),
         digest_context_(EVP_MD_CTX_create()),
         algorithm_id_(algorithm_id) {}
 
   virtual bool consume(const unsigned char* data, unsigned int size) {
@@ skipping 276 matching lines @@
                              bool* signature_match) {
   // TODO(eroman): http://crbug.com/267888
   return Status::ErrorUnsupported();
 }
 
 Status ImportKeySpki(const blink::WebCryptoAlgorithm& algorithm,
                      const CryptoData& key_data,
                      bool extractable,
                      blink::WebCryptoKeyUsageMask usage_mask,
                      blink::WebCryptoKey* key) {
-  // TODO(eroman): http://crbug.com/267888
-  return Status::ErrorUnsupported();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new_mem_buf(
+      const_cast<uint8*>(key_data.bytes()), key_data.byte_length()));
+  if (!bio.get())
+    return Status::ErrorUnexpected();
+
+  crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> public_key(
+      d2i_PUBKEY_bio(bio.get(), NULL));
+  if (!public_key.get())
+    return Status::DataError();
+
+  blink::WebCryptoKeyAlgorithm key_algorithm;
+  Status status = ValidateKeyTypeAndCreateKeyAlgorithm(
+      algorithm, public_key.get(), &key_algorithm);
+  if (status.IsError())
+    return status;
+
+  scoped_ptr<PublicKey> key_handle;
+  status = PublicKey::Create(public_key.release(), key_algorithm, &key_handle);
+  if (status.IsError())
+    return status;
+
+  *key = blink::WebCryptoKey::create(key_handle.release(),
+                                     blink::WebCryptoKeyTypePublic,
+                                     extractable,
+                                     key_algorithm,
+                                     usage_mask);
+
+  return Status::Success();
 }
 
 Status ImportKeyPkcs8(const blink::WebCryptoAlgorithm& algorithm,
                       const CryptoData& key_data,
                       bool extractable,
                       blink::WebCryptoKeyUsageMask usage_mask,
                       blink::WebCryptoKey* key) {
-  // TODO(eroman): http://crbug.com/267888
-  return Status::ErrorUnsupported();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new_mem_buf(
+      const_cast<uint8*>(key_data.bytes()), key_data.byte_length()));
+  if (!bio.get())
+    return Status::ErrorUnexpected();
+
+  crypto::ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free> p8inf(

[Ryan Sleevi, 2014/06/27 01:43:24]

// TODO reminder - need to validate the EVP data according to the spec.

[eroman, 2014/06/27 02:12:47]

Done. I have added comments linking to the corresponding bugs.

+      d2i_PKCS8_PRIV_KEY_INFO_bio(bio.get(), NULL));
+  if (!p8inf.get())
+    return Status::DataError();
+
+  crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> private_key(
+      EVP_PKCS82PKEY(p8inf.get()));
+  if (!private_key.get())
+    return Status::DataError();
+
+  blink::WebCryptoKeyAlgorithm key_algorithm;
+  Status status = ValidateKeyTypeAndCreateKeyAlgorithm(
+      algorithm, private_key.get(), &key_algorithm);
+  if (status.IsError())
+    return status;
+
+  scoped_ptr<PrivateKey> key_handle;
+  status =
+      PrivateKey::Create(private_key.release(), key_algorithm, &key_handle);
+  if (status.IsError())
+    return status;
+
+  *key = blink::WebCryptoKey::create(key_handle.release(),
+                                     blink::WebCryptoKeyTypePrivate,
+                                     extractable,
+                                     key_algorithm,
+                                     usage_mask);
+
+  return Status::Success();
 }
 
 Status ExportKeySpki(PublicKey* key, std::vector<uint8>* buffer) {
-  // TODO(eroman): http://crbug.com/267888
-  return Status::ErrorUnsupported();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new(BIO_s_mem()));
+  if (!i2d_PUBKEY_bio(bio.get(), key->key()))
+    return Status::ErrorUnexpected();
+
+  uint8* data = NULL;
+  long len = BIO_get_mem_data(bio.get(), &data);
+  if (!data || len < 0)
+    return Status::ErrorUnexpected();
+
+  buffer->assign(data, data + len);
+  return Status::Success();
 }
 
 Status ExportKeyPkcs8(PrivateKey* key,
                       const blink::WebCryptoKeyAlgorithm& key_algorithm,
                       std::vector<uint8>* buffer) {
-  // TODO(eroman): http://crbug.com/267888
-  return Status::ErrorUnsupported();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(BIO_new(BIO_s_mem()));
+
+  if (!i2d_PKCS8PrivateKeyInfo_bio(bio.get(), key->key()))
+    return Status::ErrorUnexpected();
+
+  uint8* data = NULL;
+  long len = BIO_get_mem_data(bio.get(), &data);
+  if (!data || len < 0)
+    return Status::ErrorUnexpected();
+
+  buffer->assign(data, data + len);
+  return Status::Success();
 }
 
 Status ExportRsaPublicKey(PublicKey* key,
                           std::vector<uint8>* modulus,
                           std::vector<uint8>* public_exponent) {
   // TODO(eroman): http://crbug.com/267888
   return Status::ErrorUnsupported();
 }
 
 Status ExportRsaPrivateKey(PrivateKey* key,
@@ skipping 26 matching lines @@
     blink::WebCryptoKey* key) {
   // TODO(eroman): http://crbug.com/267888
   return false;
 }
 
 }  // namespace platform
 
 }  // namespace webcrypto
 
 }  // namespace content