[webcrypto] Add RSASSA-PKCS1-v1_5 sign and verify for NSS.

content/renderer/webcrypto/webcrypto_impl_nss.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
 #include <cryptohi.h>
 #include <pk11pub.h>
 #include <sechash.h>
 
@@ skipping 62 matching lines @@
     case blink::WebCryptoAlgorithmIdSha384:
       return HASH_AlgSHA384;
     case blink::WebCryptoAlgorithmIdSha512:
       return HASH_AlgSHA512;
     default:
       // Not a digest algorithm.
       return HASH_AlgNULL;
   }
 }
 
+SECOidTag WebCryptoAlgorithmToNssSecOidShaTag(
+    const blink::WebCryptoAlgorithm& algorithm) {
+  DCHECK(!algorithm.isNull());
+  switch (algorithm.id()) {
+    case blink::WebCryptoAlgorithmIdSha1:
+      return SEC_OID_SHA1;
+    case blink::WebCryptoAlgorithmIdSha224:
+      return SEC_OID_SHA224;
+    case blink::WebCryptoAlgorithmIdSha256:
+      return SEC_OID_SHA256;
+    case blink::WebCryptoAlgorithmIdSha384:
+      return SEC_OID_SHA384;
+    case blink::WebCryptoAlgorithmIdSha512:
+      return SEC_OID_SHA512;
+    default:
+      return SEC_OID_UNKNOWN;
+  }
+}
+
 CK_MECHANISM_TYPE WebCryptoAlgorithmToHMACMechanism(
     const blink::WebCryptoAlgorithm& algorithm) {
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdSha1:
       return CKM_SHA_1_HMAC;
     case blink::WebCryptoAlgorithmIdSha256:
       return CKM_SHA256_HMAC;
     default:
       // Not a supported algorithm.
       return CKM_INVALID_MECHANISM;
@@ skipping 168 matching lines @@
     case blink::WebCryptoAlgorithmIdHmac:
     case blink::WebCryptoAlgorithmIdAesCbc:
     case blink::WebCryptoAlgorithmIdAesKw:
       type = blink::WebCryptoKeyTypeSecret;
       break;
     // TODO(bryaneyler): Support more key types.
     default:
       return false;
   }
 
+  // TODO(bryaneyler): Need to split handling for symmetric and asymmetric keys.
+  // Currently only supporting symmetric.
   CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
   // Flags are verified at the Blink layer; here the flags are set to all
   // possible operations for this key type.
   CK_FLAGS flags = 0;
 
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdHmac: {
       const blink::WebCryptoHmacParams* params = algorithm.hmacParams();
       if (!params) {
         return false;
@@ skipping 580 matching lines @@
       return false;
   }
 }
 
 bool WebCryptoImpl::SignInternal(
     const blink::WebCryptoAlgorithm& algorithm,
     const blink::WebCryptoKey& key,
     const unsigned char* data,
     unsigned data_size,
     blink::WebArrayBuffer* buffer) {
+
+  // Note: It is not an error to sign empty data.
+
+  DCHECK(buffer);
+  DCHECK_NE(0, key.usages() & blink::WebCryptoKeyUsageSign);
+
   blink::WebArrayBuffer result;
 
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdHmac: {
       const blink::WebCryptoHmacParams* params = algorithm.hmacParams();
       if (!params) {
         return false;
       }
 
       SymKeyHandle* sym_key = reinterpret_cast<SymKeyHandle*>(key.handle());
 
       DCHECK_EQ(PK11_GetMechanism(sym_key->key()),
                 WebCryptoAlgorithmToHMACMechanism(params->hash()));
-      DCHECK_NE(0, key.usages() & blink::WebCryptoKeyUsageSign);
 
       SECItem param_item = { siBuffer, NULL, 0 };
       SECItem data_item = {
         siBuffer,
         const_cast<unsigned char*>(data),
         data_size
       };
       // First call is to figure out the length.
       SECItem signature_item = { siBuffer, NULL, 0 };
 
@@ skipping 17 matching lines @@
                               &signature_item,
                               &data_item) != SECSuccess) {
         NOTREACHED();
         return false;
       }
 
       DCHECK_EQ(result.byteLength(), signature_item.len);
 
       break;
     }
+    case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5: {
+      // Only private key signing is supported.
+      if (key.type() != blink::WebCryptoKeyTypePrivate)
+        return false;
+
+      PrivateKeyHandle* const private_key =
+          reinterpret_cast<PrivateKeyHandle*>(key.handle());
+      DCHECK(private_key);
+      DCHECK(private_key->key());
+
+      // Get the inner hash algorithm and convert to an NSS SECOidTag
+      const blink::WebCryptoAlgorithm hash_algorithm =
+          webcrypto::GetInnerHashAlgorithm(algorithm);
+      if (hash_algorithm.isNull())  // TODO(padolph): DCHECK instead?
+        return false;
+      const SECOidTag hash_alg_tag =
+          WebCryptoAlgorithmToNssSecOidShaTag(hash_algorithm);
+      if (hash_alg_tag == SEC_OID_UNKNOWN)
+        return false;
+
+      // Get the NSS signature algorithm SECOidTag corresponding to the key type
+      // and inner hash algorithm SECOidTag.
+      const SECOidTag sign_alg_tag = SEC_GetSignatureAlgorithmOidTag(
+          private_key->key()->keyType,
+          hash_alg_tag);

[Ryan Sleevi, 2013/12/20 02:08:50]

This is unnecessary. The design of this API was meant to be forward-flexible
with other RSA schemes, but it's not - because PSS has additional parameters
that need to be represented.

You should instead do a mapping to the NSS sign_alg_tag based on the WebCrypto
inner hash algorithm and the knowledge that this will always be RSA-SSA
signatures.

That is, the "SEC_GetSignatureAlgorithmOidTag" is a bad API, although the code
will work correctly.

[padolph, 2013/12/21 02:44:17]

Done.

+      if (sign_alg_tag == SEC_OID_UNKNOWN)
+        return false;
+
+      crypto::ScopedSECItem signature_item(SECITEM_AllocItem(NULL, NULL, 0));
+      if (SEC_SignData(signature_item.get(),
+                       data,
+                       data_size,
+                       private_key->key(),
+                       sign_alg_tag) != SECSuccess) {
+        return false;
+      }
+
+      result = webcrypto::CreateArrayBuffer(signature_item->data,
+                                            signature_item->len);
+
+      break;
+    }
     default:
       return false;
   }
 
   *buffer = result;
   return true;
 }
 
 bool WebCryptoImpl::VerifySignatureInternal(
     const blink::WebCryptoAlgorithm& algorithm,
     const blink::WebCryptoKey& key,
     const unsigned char* signature,
     unsigned signature_size,
     const unsigned char* data,
     unsigned data_size,
     bool* signature_match) {
+
+  if (!signature_size)
+    return false;
+  DCHECK(signature);
+
   switch (algorithm.id()) {
     case blink::WebCryptoAlgorithmIdHmac: {
       blink::WebArrayBuffer result;
       if (!SignInternal(algorithm, key, data, data_size, &result)) {
         return false;
       }
 
       // Handling of truncated signatures is underspecified in the WebCrypto
       // spec, so here we fail verification if a truncated signature is being
       // verified.
       // See https://www.w3.org/Bugs/Public/show_bug.cgi?id=23097
       *signature_match =
           result.byteLength() == signature_size &&
           crypto::SecureMemEqual(result.data(), signature, signature_size);
 
       break;
     }
+    case blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5: {
+

[Ryan Sleevi, 2013/12/20 02:08:50]

unnecessary newline

[padolph, 2013/12/21 02:44:17]

Done.

+      // Only public key signature verification is supported.

[Ryan Sleevi, 2013/12/20 02:08:50]

This comment makes no sense, given the algorithm being discussed. RSA-SSA is a
public-key only algorithm.

"private key signature verification" isn't a term

[padolph, 2013/12/21 02:44:17]

Done.

+      if (key.type() != blink::WebCryptoKeyTypePublic)
+        return false;
+
+      PublicKeyHandle* const public_key =
+          reinterpret_cast<PublicKeyHandle*>(key.handle());
+      DCHECK(public_key);
+      DCHECK(public_key->key());
+
+      const SECItem signature_item = {
+          siBuffer,
+          const_cast<unsigned char*>(signature),
+          signature_size
+      };
+
+      const SECOidTag hash_alg_tag = WebCryptoAlgorithmToNssSecOidShaTag(
+          webcrypto::GetInnerHashAlgorithm(algorithm));
+      if (hash_alg_tag == SEC_OID_UNKNOWN)
+        return false;
+
+      *signature_match =
+          VFY_VerifyDataDirect(
+              data,
+              data_size,
+              public_key->key(),
+              &signature_item,
+              SEC_OID_PKCS1_RSA_ENCRYPTION,
+              hash_alg_tag,
+              NULL,
+              NULL) == SECSuccess;

[Ryan Sleevi, 2013/12/20 02:08:50]

Was this run through git cl format? The formatting here seems... odd?

That said, the "== SECSuccess" at the end is especially subtle, so it seems
better to write this yoda style

*signature_match =
    SECSuccess == VFY_VerifyDataDirect(arg, arg, arg, arg
                                                              arg, arg, arg,
arg);

Which is valid style guide. More of a nit than anything.
                         

[padolph, 2013/12/21 02:44:17]

Rewrote yoda style and reformatted, and ran through clang-format
-style=Chromium.

+
+      break;
+    }
     default:
       return false;
   }
 
   return true;
 }
 
 bool WebCryptoImpl::ImportRsaPublicKeyInternal(
     const unsigned char* modulus_data,
     unsigned modulus_size,
@@ skipping 46 matching lines @@
 
   *key = blink::WebCryptoKey::create(new PublicKeyHandle(pubkey.Pass()),
                                      blink::WebCryptoKeyTypePublic,
                                      extractable,
                                      algorithm,
                                      usage_mask);
   return true;
 }
 
 }  // namespace content