[webcrypto] Add RSA private key PKCS#8 import for NSS.

content/renderer/webcrypto/webcrypto_impl_nss.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
 #include <cryptohi.h>
 #include <pk11pub.h>
 #include <sechash.h>
 
@@ skipping 306 matching lines @@
                                  NULL));
   if (!pk11_sym_key.get()) {
     return false;
   }
 
   *key = blink::WebCryptoKey::create(new SymKeyHandle(pk11_sym_key.Pass()),
                                       type, extractable, algorithm, usage_mask);
   return true;
 }
 
-typedef scoped_ptr_malloc<
-    CERTSubjectPublicKeyInfo,
-    crypto::NSSDestroyer<CERTSubjectPublicKeyInfo,
-                         SECKEY_DestroySubjectPublicKeyInfo> >
+typedef scoped_ptr<CERTSubjectPublicKeyInfo,
+                   crypto::NSSDestroyer<CERTSubjectPublicKeyInfo,
+                                        SECKEY_DestroySubjectPublicKeyInfo> >
     ScopedCERTSubjectPublicKeyInfo;
 
+// Validates an NSS KeyType against a WebCrypto algorithm. Some NSS KeyTypes
+// contain enough information to fabricate a Web Crypto algorithm, which is
+// returned if the input algorithm isNull(). This function indicates failure by
+// returning a Null algorithm.
+blink::WebCryptoAlgorithm ResolveNssKeyTypeWithInputAlgorithm(
+    KeyType key_type,
+    const blink::WebCryptoAlgorithm& algorithm_or_null) {
+  switch (key_type) {
+    case rsaKey:
+      // NSS's rsaKey KeyType maps to keys with SEC_OID_PKCS1_RSA_ENCRYPTION and
+      // according to RFC 4055 this can be used for both encryption and

[Ryan Sleevi, 2013/11/25 06:59:44]

Note the existence of http://tools.ietf.org/html/rfc5756

"according to RFCs 4055/5756" should be sufficient.

[padolph, 2013/11/25 23:02:58]

Done.

+      // signatures. However, this is not specific enough to build a compatible
+      // Web Crypto algorithm, since in Web Crypto RSA encryption and signature

[Ryan Sleevi, 2013/11/25 06:59:44]

"since in Web Crypto" -> "since in Web Crypto,"

[padolph, 2013/11/25 23:02:58]

Done.

+      // algorithms are distinct. So if the input algorithm isNull() here, we
+      // have to fail.
+      if (!algorithm_or_null.isNull() && IsAlgorithmRsa(algorithm_or_null))
+        return algorithm_or_null;
+      break;
+    case dsaKey:
+    case ecKey:
+    case rsaPssKey:
+    case rsaOaepKey:
+      // TODO(padolph): Handle other key types.
+      break;
+    default:
+      break;
+  }
+  return blink::WebCryptoAlgorithm::createNull();
+}
+
 bool ImportKeyInternalSpki(
     const unsigned char* key_data,
     unsigned key_data_size,
     const blink::WebCryptoAlgorithm& algorithm_or_null,
     bool extractable,
     blink::WebCryptoKeyUsageMask usage_mask,
     blink::WebCryptoKey* key) {
 
   DCHECK(key);
 
   if (!key_data_size)
     return false;
-
   DCHECK(key_data);
 
   // The binary blob 'key_data' is expected to be a DER-encoded ASN.1 Subject
   // Public Key Info. Decode this to a CERTSubjectPublicKeyInfo.
-  SECItem spki_item = {
-      siBuffer,
-      const_cast<uint8*>(key_data),
-      key_data_size
-  };
+  SECItem spki_item = {siBuffer, const_cast<uint8*>(key_data), key_data_size};
   const ScopedCERTSubjectPublicKeyInfo spki(
       SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
   if (!spki)
     return false;
 
   crypto::ScopedSECKEYPublicKey sec_public_key(
       SECKEY_ExtractPublicKey(spki.get()));
   if (!sec_public_key)
     return false;
 
   const KeyType sec_key_type = SECKEY_GetPublicKeyType(sec_public_key.get());
-
-  // Validate the sec_key_type against the input algorithm. Some NSS KeyType's
-  // contain enough information to fabricate a Web Crypto Algorithm, which will
-  // be used if the input algorithm isNull(). Others like 'rsaKey' do not (see
-  // below).
   blink::WebCryptoAlgorithm algorithm =
-      blink::WebCryptoAlgorithm::createNull();
-  switch (sec_key_type) {
-    case rsaKey:
-      // NSS's rsaKey KeyType maps to keys with SEC_OID_PKCS1_RSA_ENCRYPTION and
-      // according to RFC 4055 this can be used for both encryption and
-      // signatures. However, this is not specific enough to build a compatible
-      // Web Crypto algorithm, since in Web Crypto RSA encryption and signature
-      // algorithms are distinct. So if the input algorithm isNull() here, we
-      // have to fail.
-      if (algorithm_or_null.isNull() || !IsAlgorithmRsa(algorithm_or_null))
-        return false;
-      algorithm = algorithm_or_null;
-      break;
-    case dsaKey:
-    case ecKey:
-    case rsaPssKey:
-    case rsaOaepKey:
-      // TODO(padolph): Handle other key types.
-      return false;
-    default:
-      return false;
-  }
+      ResolveNssKeyTypeWithInputAlgorithm(sec_key_type, algorithm_or_null);
+  if (algorithm.isNull())
+    return false;
 
   *key = blink::WebCryptoKey::create(
       new PublicKeyHandle(sec_public_key.Pass()),
       blink::WebCryptoKeyTypePublic,
       extractable,
       algorithm,
       usage_mask);
 
   return true;
 }
@@ skipping 18 matching lines @@
 
   DCHECK(spki_der->data);
   DCHECK(spki_der->len);
 
   *buffer = blink::WebArrayBuffer::create(spki_der->len, 1);
   memcpy(buffer->data(), spki_der->data, spki_der->len);
 
   return true;
 }
 
+bool ImportKeyInternalPkcs8(
+    const unsigned char* key_data,
+    unsigned key_data_size,
+    const blink::WebCryptoAlgorithm& algorithm_or_null,
+    bool extractable,
+    blink::WebCryptoKeyUsageMask usage_mask,
+    blink::WebCryptoKey* key) {
+
+  DCHECK(key);
+
+  if (!key_data_size)
+    return false;
+  DCHECK(key_data);
+
+  // The binary blob 'key_data' is expected to be a DER-encoded ASN.1 PKCS#8
+  // private key info object.
+  SECItem pki_der = {siBuffer, const_cast<uint8*>(key_data), key_data_size};
+
+  crypto::ScopedPK11Slot slot(PK11_GetInternalKeySlot());

[Ryan Sleevi, 2013/11/25 06:59:44]

This should be PK11_GetInternalSlot, not PK11_GetInternalKeySlot.

The distinction is because there's this ugly API to set the internal key slot,
which we *don't* want affecting the WebCrypto Impl.

[padolph, 2013/11/25 23:02:58]

Done.

+  if (!slot)
+    return false;
+
+  SECKEYPrivateKey* seckey_private_key = NULL;
+  // TODO(padolph): Verify correct values of isPerm, isPrivate, and usage below.

[Ryan Sleevi, 2013/11/25 06:59:44]

isPerm/isPrivate is correct. Usage is (probably) wrong, IIRC.

[padolph, 2013/11/25 23:02:58]

Thanks.

For usage, there are two cases to consider. If the input algorithm is non-Null,
I will set the NSS usage flags just like we do in ImportKeyInternalRaw(): set
them to all known possible usages for a given algorithm, with the assumption
that Blink will further restrict usage.

But this API can receive a Null algorithm, as you and Eric discussed earlier. In
that case I think the best approach is to just take the input (Blink) usage
flags and transfer them to the NSS key. Do you agree?

One alternative is to run PK11_ImportDERPrivateKeyInfoAndReturnKey() TWICE. Once
to get the NSS KeyType from inside the DER from with usage can be deduced, then 
destroy the key and run the function again with the correct usage flags. Seems
really silly.

Or I could parse the PKI ASN.1 manually to get the KeyType first and use that to
determine usage for the PK11_ImportDERPrivateKeyInfoAndReturnKey(). I don't like
that either.

[eroman, 2013/11/26 03:40:28]

Setting usage to 0 seems like the right approach to me (or KU_ALL if 0 is
failing). Blink enforces its own granularity of usage for permitting operations
using the key, so mirroring in NSS isn't critical other than to make operations
work.

Note that usages is non-optional in WebCrypto, so even if the algorithm is Null
we could synthesize a nssKeyUsage from usage_mask. (Although we wouldn't be able
to verify if the usages make sense without knowing the algorithm).

That said, I am not sure how useful doing that is since the nssKeyUsage does not
have a 1:1 mapping with the WebCrypto key usages, so ultimately it would still
be a superset of usages (judging from how keyUsage is used in
http://mxr.mozilla.org/nss/source/lib/pk11wrap/pk11pk12.c#283)

[padolph, 2013/11/27 03:35:34]

Thanks for the guidance. I'll use KU_ALL because it looks like 0 would restrict
usage.

+  if (PK11_ImportDERPrivateKeyInfoAndReturnKey(
+      slot.get(),

[Ryan Sleevi, 2013/11/25 06:59:44]

These should all be indented an additional 4 spaces.

[padolph, 2013/11/25 23:02:58]

Done.

+      &pki_der,
+      NULL,
+      NULL,
+      false,  // isPerm
+      false,  // isPrivate
+      0,  // usage
+      &seckey_private_key,
+      NULL) != SECSuccess) {
+    return false;
+  }
+  DCHECK(seckey_private_key);
+  crypto::ScopedSECKEYPrivateKey private_key(seckey_private_key);
+
+  const KeyType sec_key_type = SECKEY_GetPrivateKeyType(private_key.get());
+  blink::WebCryptoAlgorithm algorithm =
+      ResolveNssKeyTypeWithInputAlgorithm(sec_key_type, algorithm_or_null);
+  if (algorithm.isNull())
+    return false;
+
+  *key = blink::WebCryptoKey::create(
+      new PrivateKeyHandle(private_key.Pass()),
+      blink::WebCryptoKeyTypePrivate,
+      extractable,
+      algorithm,
+      usage_mask);
+
+  return true;
+}
+
 }  // namespace
 
 void WebCryptoImpl::Init() {
   crypto::EnsureNSSInit();
 }
 
 bool WebCryptoImpl::EncryptInternal(
     const blink::WebCryptoAlgorithm& algorithm,
     const blink::WebCryptoKey& key,
     const unsigned char* data,
@@ skipping 231 matching lines @@
                                   usage_mask,
                                   key);
     case blink::WebCryptoKeyFormatSpki:
       return ImportKeyInternalSpki(key_data,
                                    key_data_size,
                                    algorithm_or_null,
                                    extractable,
                                    usage_mask,
                                    key);
     case blink::WebCryptoKeyFormatPkcs8:
-      // TODO(padolph): Handle PKCS#8 private key import
-      return false;
+      return ImportKeyInternalPkcs8(key_data,
+                                    key_data_size,
+                                    algorithm_or_null,
+                                    extractable,
+                                    usage_mask,
+                                    key);
     default:
+      // NOTE: blink::WebCryptoKeyFormatJwk is handled one level above.
       return false;
   }
 }
 
 bool WebCryptoImpl::ExportKeyInternal(
     blink::WebCryptoKeyFormat format,
     const blink::WebCryptoKey& key,
     blink::WebArrayBuffer* buffer) {
   switch (format) {
     case blink::WebCryptoKeyFormatRaw:
@@ skipping 100 matching lines @@
       break;
     }
     default:
       return false;
   }
 
   return true;
 }
 
 }  // namespace content