[webcrypto] Add RSASSA-PKCS1-v1_5 sign and verify for NSS.

content/renderer/webcrypto/webcrypto_impl_nss.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
 #include <cryptohi.h>
 #include <pk11pub.h>
 #include <sechash.h>
 
@@ skipping 220 matching lines @@
     size_t reverse_i = data_size - i - 1;
 
     if (reverse_i >= sizeof(unsigned long) && data[i])
       return false;  // Too large for a long.
 
     *result |= data[i] << 8 * reverse_i;
   }
   return true;
 }
 
+// TODO(padolph): Move to webcrypto_util
+blink::WebCryptoAlgorithm GetInnerHashAlgorithm(
+    const blink::WebCryptoAlgorithm& algorithm) {
+  DCHECK(!algorithm.isNull());
+  switch (algorithm.id()) {
+    case blink::WebCryptoAlgorithmIdHmac:
+      if (algorithm.hmacParams())
+        return algorithm.hmacParams()->hash();
+      else if (algorithm.hmacKeyParams())
+        return algorithm.hmacKeyParams()->hash();
+      break;
+    case blink::WebCryptoAlgorithmIdRsaOaep:
+      if (algorithm.rsaOaepParams())
+        return algorithm.rsaOaepParams()->hash();
+      break;
+    case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5:
+      if (algorithm.rsaSsaParams())
+        return algorithm.rsaSsaParams()->hash();
+      break;
+    default:
+      break;
+  }
+  return blink::WebCryptoAlgorithm::createNull();
+}
+
 }  // namespace
 
 void WebCryptoImpl::Init() {
   crypto::EnsureNSSInit();
 }
 
 bool WebCryptoImpl::EncryptInternal(
     const blink::WebCryptoAlgorithm& algorithm,
     const blink::WebCryptoKey& key,
     const unsigned char* data,
@@ skipping 299 matching lines @@
                                       type, extractable, algorithm, usage_mask);
   return true;
 }
 
 bool WebCryptoImpl::SignInternal(
     const blink::WebCryptoAlgorithm& algorithm,
     const blink::WebCryptoKey& key,
     const unsigned char* data,
     unsigned data_size,
     blink::WebArrayBuffer* buffer) {
+
+  // Note: It is not an error to sign empty data.
+
+  DCHECK(buffer);
+  DCHECK_NE(0, key.usages() & blink::WebCryptoKeyUsageSign);
+
   blink::WebArrayBuffer result;
 
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdHmac: {
       const blink::WebCryptoHmacParams* params = algorithm.hmacParams();
       if (!params) {
         return false;
       }
 
       SymKeyHandle* sym_key = reinterpret_cast<SymKeyHandle*>(key.handle());
 
       DCHECK_EQ(PK11_GetMechanism(sym_key->key()),
                 WebCryptoAlgorithmToHMACMechanism(params->hash()));
-      DCHECK_NE(0, key.usages() & blink::WebCryptoKeyUsageSign);
 
       SECItem param_item = { siBuffer, NULL, 0 };
       SECItem data_item = {
         siBuffer,
         const_cast<unsigned char*>(data),
         data_size
       };
       // First call is to figure out the length.
       SECItem signature_item = { siBuffer, NULL, 0 };
 
@@ skipping 17 matching lines @@
                               &signature_item,
                               &data_item) != SECSuccess) {
         NOTREACHED();
         return false;
       }
 
       DCHECK_EQ(result.byteLength(), signature_item.len);
 
       break;
     }
+    case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5: {
+      // Only private key signing is supported.
+      if (key.type() != blink::WebCryptoKeyTypePrivate)
+        return false;
+
+      const blink::WebCryptoAlgorithm hash_algorithm =
+          GetInnerHashAlgorithm(algorithm);
+      if (hash_algorithm.isNull())  // TODO(padolph): DCHECK instead?
+        return false;
+      blink::WebArrayBuffer digest;
+      if (!DigestInternal(hash_algorithm, data, data_size, &digest))

[Ryan Sleevi, 2013/11/21 01:45:57]

I'm not sure this is the right approach.

Why not use the SGN_ API (secdig.h & cryptohi.h), which is where the PSS support
is going to be added? Why reach directly into the PK11 layer?

BUG: Also, an RsaSsa signature is over a DigestInfo, but it appears that you're
signing a 'raw' hash, rather than the digest info.

[padolph, 2013/11/28 02:29:09]

Done. Rewrote to use SEC_SignData (a sequence of SGN_ calls) and
VFY_VerifyDataDirect (a sequence of VFY_ calls). Passes new KAT's. Please take a
look.

+        return false;
+      const SECItem digest_item = {
+          siBuffer,
+          reinterpret_cast<unsigned char*>(digest.data()),
+          digest.byteLength()
+      };
+
+      PrivateKeyHandle* const private_key =
+          reinterpret_cast<PrivateKeyHandle*>(key.handle());
+      DCHECK(private_key);
+      DCHECK(private_key->key());
+      const int signature_length = PK11_SignatureLen(private_key->key());
+      if (signature_length <= 0)
+        return false;
+      result = blink::WebArrayBuffer::create(signature_length, 1);
+      SECItem signature_item = {
+          siBuffer,
+          reinterpret_cast<unsigned char*>(result.data()),
+          signature_length
+      };
+      if (PK11_Sign(private_key->key(),
+                    &signature_item,
+                    &digest_item) != SECSuccess ) {
+        return false;
+      }
+      DCHECK_EQ(result.byteLength(), signature_item.len);
+
+      break;
+    }
     default:
       return false;
   }
 
   *buffer = result;
   return true;
 }
 
 bool WebCryptoImpl::VerifySignatureInternal(
     const blink::WebCryptoAlgorithm& algorithm,
@@ skipping 13 matching lines @@
       // Handling of truncated signatures is underspecified in the WebCrypto
       // spec, so here we fail verification if a truncated signature is being
       // verified.
       // See https://www.w3.org/Bugs/Public/show_bug.cgi?id=23097
       *signature_match =
           result.byteLength() == signature_size &&
           crypto::SecureMemEqual(result.data(), signature, signature_size);
 
       break;
     }
+    case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5: {
+      // Only public key signature verification is supported.
+      if (key.type() != blink::WebCryptoKeyTypePublic)
+        return false;
+
+      const blink::WebCryptoAlgorithm hash_algorithm =
+          GetInnerHashAlgorithm(algorithm);
+      if (hash_algorithm.isNull())  // TODO(padolph): DCHECK instead?
+        return false;
+      blink::WebArrayBuffer digest;
+      if (!DigestInternal(hash_algorithm, data, data_size, &digest))
+        return false;
+      const SECItem digest_item = {
+          siBuffer,
+          reinterpret_cast<unsigned char*>(digest.data()),
+          digest.byteLength()
+      };
+
+      PublicKeyHandle* const public_key =
+          reinterpret_cast<PublicKeyHandle*>(key.handle());
+      DCHECK(public_key);
+      DCHECK(public_key->key());
+      const SECItem signature_item = {
+          siBuffer,
+          const_cast<unsigned char*>(signature),
+          signature_size
+      };
+      *signature_match = PK11_Verify(public_key->key(),
+          &signature_item,
+          &digest_item,
+          NULL) == SECSuccess;
+
+      break;
+    }
     default:
       return false;
   }
 
   return true;
 }
 
 }  // namespace content