[webcrypto] Don't disallow RSA public key import using SPKI format when on Linux.

content/child/webcrypto/shared_crypto_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
 #include "base/basictypes.h"
 #include "base/file_util.h"
@@ skipping 104 matching lines @@
   // TODO(eroman): Exclude version test for OS_CHROMEOS
 #if defined(USE_NSS)
   if (!NSS_VersionCheck("3.16.2"))
     return false;
 #endif
   crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());
   return !!PK11_DoesMechanism(slot.get(), CKM_RSA_PKCS_OAEP);
 #endif
 }
 
-bool SupportsRsaKeyImport() {
+bool SupportsRsaPrivateKeyImport() {
 // TODO(eroman): Exclude version test for OS_CHROMEOS
 #if defined(USE_NSS)
   crypto::EnsureNSSInit();
   if (!NSS_VersionCheck("3.16.2")) {
     LOG(WARNING) << "RSA key import is not supported by this version of NSS. "
                     "Skipping some tests";
     return false;
   }
 #endif
   return true;
@@ skipping 1698 matching lines @@
   EXPECT_EQ(
       Status::ErrorJwkIncorrectKeyLength(),
       ImportKeyJwkFromDict(dict,
                            CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
                            false,
                            blink::WebCryptoKeyUsageEncrypt,
                            &key));
 }
 
 TEST(WebCryptoRsaSsaTest, ImportExportJwkRsaPublicKey) {
-  if (!SupportsRsaKeyImport())
-    return;
-
   struct TestCase {
     const blink::WebCryptoAlgorithmId hash;
     const blink::WebCryptoKeyUsageMask usage;
     const char* const jwk_alg;
   };
   const TestCase kTests[] = {
       {blink::WebCryptoAlgorithmIdSha1, blink::WebCryptoKeyUsageVerify, "RS1"},
       {blink::WebCryptoAlgorithmIdSha256, blink::WebCryptoKeyUsageVerify,
        "RS256"},
       {blink::WebCryptoAlgorithmIdSha384, blink::WebCryptoKeyUsageVerify,
@@ skipping 43 matching lines @@
 
     // Export the new key as spki and compare to the original.
     std::vector<uint8_t> spki;
     ASSERT_EQ(Status::Success(),
               ExportKey(blink::WebCryptoKeyFormatSpki, public_key2, &spki));
     EXPECT_BYTES_EQ_HEX(kPublicKeySpkiDerHex, CryptoData(spki));
   }
 }
 
 TEST(WebCryptoRsaOaepTest, ImportExportJwkRsaPublicKey) {
-  if (!SupportsRsaKeyImport())
-    return;
-
   if (!SupportsRsaOaep()) {
     LOG(WARNING) << "RSA-OAEP support not present; skipping.";
     return;
   }
 
   struct TestCase {
     const blink::WebCryptoAlgorithmId hash;
     const blink::WebCryptoKeyUsageMask usage;
     const char* const jwk_alg;
   };
@@ skipping 465 matching lines @@
   EXPECT_EQ(0u, key.algorithm().hmacParams()->lengthBits());
 
   std::vector<uint8_t> exported_key_data;
   EXPECT_EQ(Status::Success(),
             ExportKey(blink::WebCryptoKeyFormatRaw, key, &exported_key_data));
 
   EXPECT_EQ(0u, exported_key_data.size());
 }
 
 TEST(WebCryptoRsaSsaTest, ImportExportSpki) {
-  if (!SupportsRsaKeyImport())
-    return;
-
   // Passing case: Import a valid RSA key in SPKI format.
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   ASSERT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatSpki,
                       CryptoData(HexStringToBytes(kPublicKeySpkiDerHex)),
                       CreateRsaHashedImportAlgorithm(
                           blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
                           blink::WebCryptoAlgorithmIdSha256),
                       true,
                       blink::WebCryptoKeyUsageVerify,
@@ skipping 66 matching lines @@
 
   // TODO(eroman): Failing test: Import a SPKI with an unrecognized hash OID
   // TODO(eroman): Failing test: Import a SPKI with invalid algorithm params
   // TODO(eroman): Failing test: Import a SPKI with inconsistent parameters
   // (e.g. SHA-1 in OID, SHA-256 in params)
   // TODO(eroman): Failing test: Import a SPKI for RSA-SSA, but with params
   // as OAEP/PSS
 }
 
 TEST(WebCryptoRsaSsaTest, ImportExportPkcs8) {
-  if (!SupportsRsaKeyImport())
+  if (!SupportsRsaPrivateKeyImport())
     return;
 
   // Passing case: Import a valid RSA key in PKCS#8 format.
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   ASSERT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatPkcs8,
                       CryptoData(HexStringToBytes(kPrivateKeyPkcs8DerHex)),
                       CreateRsaHashedImportAlgorithm(
                           blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
                           blink::WebCryptoAlgorithmIdSha1),
@@ skipping 46 matching lines @@
             ImportKey(blink::WebCryptoKeyFormatPkcs8,
                       CryptoData(HexStringToBytes(kPrivateKeyPkcs8DerHex)),
                       CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
                       true,
                       blink::WebCryptoKeyUsageSign,
                       &key));
 }
 
 // Tests importing of PKCS8 data that does not define a valid RSA key.
 TEST(WebCryptoRsaSsaTest, ImportInvalidPkcs8) {
-  if (!SupportsRsaKeyImport())
+  if (!SupportsRsaPrivateKeyImport())
     return;
 
   // kPrivateKeyPkcs8DerHex defines an RSA private key in PKCS8 format, whose
   // parameters appear at the following offsets:
   //
   //   n: (offset=36, len=129)
   //   e: (offset=167, len=3)
   //   d: (offset=173, len=128)
   //   p: (offset=303, len=65)
   //   q: (offset=370, len=65)
@@ skipping 33 matching lines @@
                         blink::WebCryptoKeyUsageSign,
                         &key));
   }
 }
 
 // Tests JWK import and export by doing a roundtrip key conversion and ensuring
 // it was lossless:
 //
 //   PKCS8 --> JWK --> PKCS8
 TEST(WebCryptoRsaSsaTest, ImportRsaPrivateKeyJwkToPkcs8RoundTrip) {
-  if (!SupportsRsaKeyImport())
+  if (!SupportsRsaPrivateKeyImport())
     return;
 
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
   ASSERT_EQ(Status::Success(),
             ImportKey(blink::WebCryptoKeyFormatPkcs8,
                       CryptoData(HexStringToBytes(kPrivateKeyPkcs8DerHex)),
                       CreateRsaHashedImportAlgorithm(
                           blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
                           blink::WebCryptoAlgorithmIdSha1),
                       true,
@@ skipping 47 matching lines @@
 }
 
 // Tests importing multiple RSA private keys from JWK, and then exporting to
 // PKCS8.
 //
 // This is a regression test for http://crbug.com/378315, for which importing
 // a sequence of keys from JWK could yield the wrong key. The first key would
 // be imported correctly, however every key after that would actually import
 // the first key.
 TEST(WebCryptoRsaSsaTest, ImportMultipleRSAPrivateKeysJwk) {
-  if (!SupportsRsaKeyImport())
+  if (!SupportsRsaPrivateKeyImport())
     return;
 
   scoped_ptr<base::ListValue> key_list;
   ASSERT_TRUE(ReadJsonTestFileToList("rsa_private_keys.json", &key_list));
 
   // For this test to be meaningful the keys MUST be kept alive before importing
   // new keys.
   std::vector<blink::WebCryptoKey> live_keys;
 
   for (size_t key_index = 0; key_index < key_list->GetSize(); ++key_index) {
@@ skipping 143 matching lines @@
                                  &key));
 }
 
 // Import a JWK RSA private key, without any of the optional parameters.
 //
 // According to JWA, such keys are valid, but applications SHOULD
 // include all the parameters when sending, and recipients MAY
 // accept them, but are not required to. Chromium's WebCrypto does
 // not allow such degenerate keys.
 TEST(WebCryptoRsaSsaTest, ImportRsaPrivateKeyJwkIncorrectOptionalEmpty) {
-  if (!SupportsRsaKeyImport())
+  if (!SupportsRsaPrivateKeyImport())
     return;
 
   blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
 
   base::DictionaryValue dict;
   dict.SetString("kty", "RSA");
   dict.SetString("alg", "RS1");
 
   dict.SetString(
       "n",
@@ skipping 77 matching lines @@
   EXPECT_EQ(usage_mask, public_key.usages());
   EXPECT_EQ(usage_mask, private_key.usages());
 
   // Try exporting the generated key pair, and then re-importing to verify that
   // the exported data was valid.
   std::vector<uint8_t> public_key_spki;
   EXPECT_EQ(
       Status::Success(),
       ExportKey(blink::WebCryptoKeyFormatSpki, public_key, &public_key_spki));
 
-  if (SupportsRsaKeyImport()) {
+  if (SupportsRsaPrivateKeyImport()) {
     public_key = blink::WebCryptoKey::createNull();
     EXPECT_EQ(Status::Success(),
               ImportKey(blink::WebCryptoKeyFormatSpki,
                         CryptoData(public_key_spki),
                         CreateRsaHashedImportAlgorithm(
                             blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
                             blink::WebCryptoAlgorithmIdSha256),
                         true,
                         usage_mask,
                         &public_key));
@@ skipping 183 matching lines @@
 
     blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
     blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
 
     EXPECT_EQ(Status::ErrorGenerateKeyPublicExponent(),
               GenerateKeyPair(algorithm, true, 0, &public_key, &private_key));
   }
 }
 
 TEST(WebCryptoRsaSsaTest, SignVerifyFailures) {
-  if (!SupportsRsaKeyImport())
+  if (!SupportsRsaPrivateKeyImport())
     return;
 
   // Import a key pair.
   blink::WebCryptoAlgorithm import_algorithm =
       CreateRsaHashedImportAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
                                      blink::WebCryptoAlgorithmIdSha1);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
   ASSERT_NO_FATAL_FAILURE(
       ImportRsaKeyPair(HexStringToBytes(kPublicKeySpkiDerHex),
@@ skipping 111 matching lines @@
   EXPECT_EQ(Status::Success(),
             Verify(CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5),
                    public_key_256,
                    CryptoData(signature),
                    CryptoData(data),
                    &is_match));
   EXPECT_FALSE(is_match);
 }
 
 TEST(WebCryptoRsaSsaTest, SignVerifyKnownAnswer) {
-  if (!SupportsRsaKeyImport())
+  if (!SupportsRsaPrivateKeyImport())
     return;
 
   scoped_ptr<base::ListValue> tests;
   ASSERT_TRUE(ReadJsonTestFileToList("pkcs1v15_sign.json", &tests));
 
   // Import the key pair.
   blink::WebCryptoAlgorithm import_algorithm =
       CreateRsaHashedImportAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
                                      blink::WebCryptoAlgorithmIdSha1);
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
@@ skipping 1458 matching lines @@
                             &private_key));
 
   EXPECT_EQ(0, public_key.usages());
   EXPECT_EQ(blink::WebCryptoKeyUsageSign, private_key.usages());
 }
 
 // Generate an AES-CBC key and an RSA key pair. Use the AES-CBC key to wrap the
 // key pair (using SPKI format for public key, PKCS8 format for private key).
 // Then unwrap the wrapped key pair and verify that the key data is the same.
 TEST(WebCryptoAesCbcTest, WrapUnwrapRoundtripSpkiPkcs8) {
-  if (!SupportsRsaKeyImport())
+  if (!SupportsRsaPrivateKeyImport())
     return;
 
   // Generate the wrapping key.
   blink::WebCryptoKey wrapping_key = blink::WebCryptoKey::createNull();
   ASSERT_EQ(Status::Success(),
             GenerateSecretKey(CreateAesCbcKeyGenAlgorithm(128),
                               true,
                               blink::WebCryptoKeyUsageWrapKey |
                                   blink::WebCryptoKeyUsageUnwrapKey,
                               &wrapping_key));
@@ skipping 94 matching lines @@
 
   EXPECT_NE(public_key_spki, wrapped_public_key);
   EXPECT_NE(private_key_pkcs8, wrapped_private_key);
 }
 
 }  // namespace
 
 }  // namespace webcrypto
 
 }  // namespace content