[webcrypto] Add RSASSA-PKCS1-v1_5 sign and verify for NSS.

content/renderer/webcrypto/webcrypto_impl_nss.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
 #include <cryptohi.h>
 #include <pk11pub.h>
 #include <sechash.h>
 
@@ skipping 62 matching lines @@
     case blink::WebCryptoAlgorithmIdSha384:
       return HASH_AlgSHA384;
     case blink::WebCryptoAlgorithmIdSha512:
       return HASH_AlgSHA512;
     default:
       // Not a digest algorithm.
       return HASH_AlgNULL;
   }
 }
 
+SECOidTag WebCryptoAlgorithmToNssSecOidShaTag(
+    const blink::WebCryptoAlgorithm& algorithm) {
+  switch (algorithm.id()) {
+    case blink::WebCryptoAlgorithmIdSha1:
+      return SEC_OID_SHA1;
+    case blink::WebCryptoAlgorithmIdSha224:
+      return SEC_OID_SHA224;
+    case blink::WebCryptoAlgorithmIdSha256:
+      return SEC_OID_SHA256;
+    case blink::WebCryptoAlgorithmIdSha384:
+      return SEC_OID_SHA384;
+    case blink::WebCryptoAlgorithmIdSha512:
+      return SEC_OID_SHA512;
+    default:
+      return SEC_OID_UNKNOWN;
+  }
+}
+
 CK_MECHANISM_TYPE WebCryptoAlgorithmToHMACMechanism(
     const blink::WebCryptoAlgorithm& algorithm) {
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdSha1:
       return CKM_SHA_1_HMAC;
     case blink::WebCryptoAlgorithmIdSha256:
       return CKM_SHA256_HMAC;
     default:
       // Not a supported algorithm.
       return CKM_INVALID_MECHANISM;
@@ skipping 139 matching lines @@
     size_t reverse_i = data_size - i - 1;
 
     if (reverse_i >= sizeof(unsigned long) && data[i])
       return false;  // Too large for a long.
 
     *result |= data[i] << 8 * reverse_i;
   }
   return true;
 }
 
+// TODO(padolph): Move to webcrypto_util

[eroman, 2013/12/06 02:20:42]

This can be done as part of this changelist.

[padolph, 2013/12/06 18:52:52]

Done.

+blink::WebCryptoAlgorithm GetInnerHashAlgorithm(
+    const blink::WebCryptoAlgorithm& algorithm) {
+  DCHECK(!algorithm.isNull());
+  switch (algorithm.id()) {
+    case blink::WebCryptoAlgorithmIdHmac:
+      if (algorithm.hmacParams())
+        return algorithm.hmacParams()->hash();
+      else if (algorithm.hmacKeyParams())
+        return algorithm.hmacKeyParams()->hash();
+      break;
+    case blink::WebCryptoAlgorithmIdRsaOaep:
+      if (algorithm.rsaOaepParams())
+        return algorithm.rsaOaepParams()->hash();
+      break;
+    case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5:
+      if (algorithm.rsaSsaParams())
+        return algorithm.rsaSsaParams()->hash();
+      break;
+    default:
+      break;
+  }
+  return blink::WebCryptoAlgorithm::createNull();
+}
+
 bool IsAlgorithmRsa(const blink::WebCryptoAlgorithm& algorithm) {
   return algorithm.id() == blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5 ||
          algorithm.id() == blink::WebCryptoAlgorithmIdRsaOaep ||
          algorithm.id() == blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5;
 }
 
 bool ImportKeyInternalRaw(
     const unsigned char* key_data,
     unsigned key_data_size,
     const blink::WebCryptoAlgorithm& algorithm,
@@ skipping 586 matching lines @@
       return false;
   }
 }
 
 bool WebCryptoImpl::SignInternal(
     const blink::WebCryptoAlgorithm& algorithm,
     const blink::WebCryptoKey& key,
     const unsigned char* data,
     unsigned data_size,
     blink::WebArrayBuffer* buffer) {
+
+  // Note: It is not an error to sign empty data.
+
+  DCHECK(buffer);
+  DCHECK_NE(0, key.usages() & blink::WebCryptoKeyUsageSign);
+
   blink::WebArrayBuffer result;
 
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdHmac: {
       const blink::WebCryptoHmacParams* params = algorithm.hmacParams();
       if (!params) {
         return false;
       }
 
       SymKeyHandle* sym_key = reinterpret_cast<SymKeyHandle*>(key.handle());
 
       DCHECK_EQ(PK11_GetMechanism(sym_key->key()),
                 WebCryptoAlgorithmToHMACMechanism(params->hash()));
-      DCHECK_NE(0, key.usages() & blink::WebCryptoKeyUsageSign);
 
       SECItem param_item = { siBuffer, NULL, 0 };
       SECItem data_item = {
         siBuffer,
         const_cast<unsigned char*>(data),
         data_size
       };
       // First call is to figure out the length.
       SECItem signature_item = { siBuffer, NULL, 0 };
 
@@ skipping 17 matching lines @@
                               &signature_item,
                               &data_item) != SECSuccess) {
         NOTREACHED();
         return false;
       }
 
       DCHECK_EQ(result.byteLength(), signature_item.len);
 
       break;
     }
+    case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5: {
+      // Only private key signing is supported.
+      if (key.type() != blink::WebCryptoKeyTypePrivate)
+        return false;
+
+      PrivateKeyHandle* const private_key =
+          reinterpret_cast<PrivateKeyHandle*>(key.handle());
+      DCHECK(private_key);
+      DCHECK(private_key->key());
+
+      // Get the inner hash algorithm and convert to an NSS SECOidTag
+      const blink::WebCryptoAlgorithm hash_algorithm =
+          GetInnerHashAlgorithm(algorithm);
+      if (hash_algorithm.isNull())  // TODO(padolph): DCHECK instead?
+        return false;
+      const SECOidTag hash_alg_tag =
+          WebCryptoAlgorithmToNssSecOidShaTag(hash_algorithm);
+      if (hash_alg_tag == SEC_OID_UNKNOWN)
+        return false;
+
+      // Get the NSS signature algorithm SECOidTag corresponding to the key type
+      // and inner hash algorithm SECOidTag.
+      const SECOidTag sign_alg_tag = SEC_GetSignatureAlgorithmOidTag(
+          private_key->key()->keyType,
+          hash_alg_tag);
+      if (sign_alg_tag == SEC_OID_UNKNOWN)
+        return false;
+
+      crypto::ScopedSECItem signature_item(SECITEM_AllocItem(NULL, NULL, 0));
+      if (SEC_SignData(signature_item.get(),
+                       data,
+                       data_size,
+                       private_key->key(),
+                       sign_alg_tag) != SECSuccess) {
+        return false;
+      }
+
+      result = blink::WebArrayBuffer::create(signature_item->len, 1);
+      memcpy(result.data(), signature_item->data, signature_item->len);

[eroman, 2013/12/06 02:20:42]

I believe there is now a helper for this checked in.

[padolph, 2013/12/06 18:52:52]

Done.

+
+      break;
+    }
     default:
       return false;
   }
 
   *buffer = result;
   return true;
 }
 
 bool WebCryptoImpl::VerifySignatureInternal(
     const blink::WebCryptoAlgorithm& algorithm,
     const blink::WebCryptoKey& key,
     const unsigned char* signature,
     unsigned signature_size,
     const unsigned char* data,
     unsigned data_size,
     bool* signature_match) {
+
+  if (!signature_size)
+    return false;
+  DCHECK(signature);
+
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdHmac: {
       blink::WebArrayBuffer result;
       if (!SignInternal(algorithm, key, data, data_size, &result)) {
         return false;
       }
 
       // Handling of truncated signatures is underspecified in the WebCrypto
       // spec, so here we fail verification if a truncated signature is being
       // verified.
       // See https://www.w3.org/Bugs/Public/show_bug.cgi?id=23097
       *signature_match =
           result.byteLength() == signature_size &&
           crypto::SecureMemEqual(result.data(), signature, signature_size);
 
       break;
     }
+    case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5: {
+
+      // Only public key signature verification is supported.
+      if (key.type() != blink::WebCryptoKeyTypePublic)
+        return false;
+
+      PublicKeyHandle* const public_key =
+          reinterpret_cast<PublicKeyHandle*>(key.handle());
+      DCHECK(public_key);
+      DCHECK(public_key->key());
+
+      const SECItem signature_item = {
+          siBuffer,
+          const_cast<unsigned char*>(signature),
+          signature_size
+      };
+
+      *signature_match =
+          VFY_VerifyDataDirect(
+              data,
+              data_size,
+              public_key->key(),
+              &signature_item,
+              SEC_OID_PKCS1_RSA_ENCRYPTION,
+              SEC_OID_UNKNOWN,

[eroman, 2013/12/06 02:20:42]

Forgive my crypto ignorance, but is this safe?

The NSS docs say the hashAlg is optional (and if not specified will be inferred
from the RSA key + signature).

What if the webapp calls verify() with a SHA-1 signature, asking it to be
verified as a SHA-256 signature. If this were to return "true" then we have a
problem.

It is entirely possible that what I am saying doesn't make sense, but I think we
should be passing WebCryptoAlgorithmToNssSecOidShaTag(hash_algorithm) here.

Deferring this review rsleevi as I am unqualified, but I did wanted to ping it
:)

[padolph, 2013/12/06 18:52:52]

We know at this callsite that we have an RSA key, and the NSS docs say "If the
key is an RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN".
This makes the code a little simpler and seems like NSS is OK with it. That's
the only reason I took that shortcut.

Also would like rsleevi's opinion on this.

[padolph, 2013/12/07 00:41:04]

Added explicit setting of the hash algorithm, and a unit test to validate. You
are correct: the unit test fails without the change. Thanks for pointing this
out.

+              NULL,
+              NULL) == SECSuccess;
+
+      break;
+    }
     default:
       return false;
   }
 
   return true;
 }
 
 bool WebCryptoImpl::ImportRsaPublicKeyInternal(
     const unsigned char* modulus_data,
     unsigned modulus_size,
@@ skipping 46 matching lines @@
 
   *key = blink::WebCryptoKey::create(new PublicKeyHandle(pubkey.Pass()),
                                      blink::WebCryptoKeyTypePublic,
                                      extractable,
                                      algorithm,
                                      usage_mask);
   return true;
 }
 
 }  // namespace content