[webcrypto] Implement RSA-PSS using BoringSSL.

content/child/webcrypto/openssl/rsa_sign_openssl.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "base/numerics/safe_math.h"
 #include "content/child/webcrypto/crypto_data.h"
 #include "content/child/webcrypto/openssl/key_openssl.h"
 #include "content/child/webcrypto/openssl/rsa_key_openssl.h"
 #include "content/child/webcrypto/openssl/rsa_sign_openssl.h"
 #include "content/child/webcrypto/openssl/util_openssl.h"
 #include "content/child/webcrypto/status.h"
 #include "crypto/openssl_util.h"
 #include "crypto/scoped_openssl_types.h"
 #include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
 
@@ skipping 10 matching lines @@
                         const EVP_MD** digest) {
   *pkey = AsymKeyOpenSsl::Cast(key)->key();
 
   *digest = GetDigest(key.algorithm().rsaHashedParams()->hash().id());
   if (!*digest)
     return Status::ErrorUnsupported();
 
   return Status::Success();
 }
 
+// Sets the PSS parameters on |pctx| if the key is for RSA-PSS.
+//
+// Otherwise returns Success without doing anything.
+Status ApplyRsaPssOptions(const blink::WebCryptoKey& key,
+                          const EVP_MD* const mgf_digest,
+                          unsigned int salt_length_bytes,
+                          EVP_PKEY_CTX* pctx) {
+  // Only apply RSA-PSS options if the key is for RSA-PSS.
+  if (key.algorithm().id() != blink::WebCryptoAlgorithmIdRsaPss) {
+    DCHECK_EQ(0u, salt_length_bytes);
+    DCHECK_EQ(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5, key.algorithm().id());
+    return Status::Success();
+  }
+
+  // BoringSSL takes a signed int for the salt length, and interprets
+  // negative values in a special manner. Make sure not to silently underflow.
+  base::CheckedNumeric<int> salt_length_bytes_int(salt_length_bytes);
+  if (!salt_length_bytes_int.IsValid()) {
+    // TODO(eroman): Give a better error message.
+    return Status::OperationError();
+  }
+
+  if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
+      !EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf_digest) ||
+      !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
+                                        salt_length_bytes_int.ValueOrDie())) {

[davidben, 2014/10/19 03:42:34]

These should all be != 1 rather than !. The random functions that back onto
EVP_PKEY_CTX_ctrl can return -1 or -2 to signal random things. (I wonder if we
can fix that because that's obnoxious...)

[eroman, 2014/10/20 18:44:53]

Done. Thanks for spotting this!

+    return Status::OperationError();
+  }
+
+  return Status::Success();
+}
+
 }  // namespace
 
 Status RsaSign(const blink::WebCryptoKey& key,
+               unsigned int pss_salt_length_bytes,
                const CryptoData& data,
                std::vector<uint8_t>* buffer) {
   if (key.type() != blink::WebCryptoKeyTypePrivate)
     return Status::ErrorUnexpectedKeyType();
 
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
   crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+  EVP_PKEY_CTX* pctx = NULL;  // Owned by |ctx|.
 
   EVP_PKEY* private_key = NULL;
   const EVP_MD* digest = NULL;
   Status status = GetPKeyAndDigest(key, &private_key, &digest);
   if (status.IsError())
     return status;
 
   // NOTE: A call to EVP_DigestSignFinal() with a NULL second parameter
   // returns a maximum allocation size, while the call without a NULL returns
   // the real one, which may be smaller.
   size_t sig_len = 0;
   if (!ctx.get() ||
-      !EVP_DigestSignInit(ctx.get(), NULL, digest, NULL, private_key) ||
-      !EVP_DigestSignUpdate(ctx.get(), data.bytes(), data.byte_length()) ||
+      !EVP_DigestSignInit(ctx.get(), &pctx, digest, NULL, private_key)) {
+    return Status::OperationError();
+  }
+
+  // Set PSS-specific options (if applicable).
+  status = ApplyRsaPssOptions(key, digest, pss_salt_length_bytes, pctx);
+  if (status.IsError())
+    return status;
+
+  if (!EVP_DigestSignUpdate(ctx.get(), data.bytes(), data.byte_length()) ||
       !EVP_DigestSignFinal(ctx.get(), NULL, &sig_len)) {
     return Status::OperationError();
   }
 
   buffer->resize(sig_len);
   if (!EVP_DigestSignFinal(ctx.get(), &buffer->front(), &sig_len))
     return Status::OperationError();
 
   buffer->resize(sig_len);
   return Status::Success();
 }
 
 Status RsaVerify(const blink::WebCryptoKey& key,
+                 unsigned int pss_salt_length_bytes,
                  const CryptoData& signature,
                  const CryptoData& data,
                  bool* signature_match) {
   if (key.type() != blink::WebCryptoKeyTypePublic)
     return Status::ErrorUnexpectedKeyType();
 
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
   crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+  EVP_PKEY_CTX* pctx = NULL;  // Owned by |ctx|.
 
   EVP_PKEY* public_key = NULL;
   const EVP_MD* digest = NULL;
   Status status = GetPKeyAndDigest(key, &public_key, &digest);
   if (status.IsError())
     return status;
 
-  if (!EVP_DigestVerifyInit(ctx.get(), NULL, digest, NULL, public_key))
+  if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, NULL, public_key))
     return Status::OperationError();
 
+  // Set PSS-specific options (if applicable).
+  status = ApplyRsaPssOptions(key, digest, pss_salt_length_bytes, pctx);
+  if (status.IsError())
+    return status;
+
   if (!EVP_DigestVerifyUpdate(ctx.get(), data.bytes(), data.byte_length())) {
     return Status::OperationError();
   }
 
   // Note that the return value can be:
   //   1 --> Success
   //   0 --> Verification failed
   //  <0 --> Operation error
   int rv = EVP_DigestVerifyFinal(
       ctx.get(), signature.bytes(), signature.byte_length());
   *signature_match = rv == 1;
   return rv >= 0 ? Status::Success() : Status::OperationError();
 }
 
 }  // namespace webcrypto
 
 }  // namespace content