platformKeys: Add per-extension sign permissions.

chrome/test/data/extensions/api_test/platform_keys/basic.js

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 'use strict';
 
-var systemTokenEnabled = (location.href.indexOf("systemTokenEnabled") != -1);
+var systemTokenEnabled = (location.search.indexOf("systemTokenEnabled") != -1);
+var selectedTestSuite = location.hash.slice(1);
+console.log('[SELECTED TEST SUITE] ' + selectedTestSuite +
+            ', systemTokenEnable ' + systemTokenEnabled);
 
 var assertEq = chrome.test.assertEq;
 var assertTrue = chrome.test.assertTrue;
-var assertThrows = chrome.test.assertThrows;
 var fail = chrome.test.fail;
 var succeed = chrome.test.succeed;
 var callbackPass = chrome.test.callbackPass;
 var callbackFail= chrome.test.callbackFail;
 
 // Each value is the path to a file in this extension's folder that will be
 // loaded and replaced by a Uint8Array in the setUp() function below.
 var data = {
   // X.509 client certificates in DER encoding.
   // openssl x509 -in net/data/ssl/certificates/client_1.pem -outform DER -out
@@ skipping 83 matching lines @@
 }
 
 /**
  * @param {ArrayBufferView[]} certs
  * @return {ArrayBufferView[]} |certs| sorted in some order.
  */
 function sortCerts(certs) {
   return certs.sort(compareArrays);
 }
 
-function assertCertsSelected(request, expectedCerts, callback) {
+function assertCertsSelected(details, expectedCerts, callback) {
   chrome.platformKeys.selectClientCertificates(
-      {interactive: false, request: request},
-      callbackPass(function(actualMatches) {
+      details, callbackPass(function(actualMatches) {
         assertEq(expectedCerts.length, actualMatches.length,
                  'Number of stored certs not as expected');
         if (expectedCerts.length == actualMatches.length) {
           var actualCerts = actualMatches.map(function(match) {
             return new Uint8Array(match.certificate);
           });
           actualCerts = sortCerts(actualCerts);
           expectedCerts = sortCerts(expectedCerts);
           for (var i = 0; i < expectedCerts.length; i++) {
             assertEq(expectedCerts[i], actualCerts[i],
@@ skipping 54 matching lines @@
 }
 
 function testHasSubtleCryptoMethods(token) {
   assertTrue(!!token.subtleCrypto.generateKey,
              "token has no generateKey method");
   assertTrue(!!token.subtleCrypto.sign, "token has no sign method");
   assertTrue(!!token.subtleCrypto.exportKey, "token has no exportKey method");
   succeed();
 }
 
+var requestAll = {
+  certificateTypes: [],
+  certificateAuthorities: []
+};
+
+// Depends on |data|, thus it cannot be created immediately.
+function requestCA1() {
+  return {
+    certificateTypes: [],
+    certificateAuthorities: [data.client_1_issuer_dn.buffer]
+  };
+}
+
 function testSelectAllCerts() {
-  var requestAll = {
-    certificateTypes: [],
-    certificateAuthorities: []
-  };
   var expectedCerts = [data.client_1];
   if (systemTokenEnabled)
     expectedCerts.push(data.client_2);
-  assertCertsSelected(requestAll, expectedCerts);
+  assertCertsSelected({interactive: false, request: requestAll}, expectedCerts);
 }
 
 function testSelectCA1Certs() {
-  var requestCA1 = {
-    certificateTypes: [],
-    certificateAuthorities: [data.client_1_issuer_dn.buffer]
-  };
-  assertCertsSelected(requestCA1, [data.client_1]);
+  assertCertsSelected({interactive: false, request: requestCA1()},
+                      [data.client_1]);
+}
+
+function testSelectAllReturnsNoCerts() {
+  assertCertsSelected({interactive: false, request: requestAll},
+                      [] /* no certs selected */);
+}
+
+function testSelectAllReturnsClient1() {
+  assertCertsSelected({interactive: false, request: requestAll},
+                      [data.client_1]);
+}
+
+function testInteractiveSelectNoCerts() {
+  assertCertsSelected({interactive: true, request: requestAll},
+                      [] /* no certs selected */);
+}
+
+function testInteractiveSelectClient1() {
+  assertCertsSelected({interactive: true, request: requestAll},
+                      [data.client_1]);
 }
 
 function testMatchResult() {
-  var requestCA1 = {
-    certificateTypes: [],
-    certificateAuthorities: [data.client_1_issuer_dn.buffer]
-  };
   chrome.platformKeys.selectClientCertificates(
-      {interactive: false, request: requestCA1},
+      {interactive: false, request: requestCA1()},
       callbackPass(function(matches) {
         var expectedAlgorithm = {
           modulusLength: 2048,
           name: "RSASSA-PKCS1-v1_5",
           publicExponent: new Uint8Array([0x01, 0x00, 0x01])
         };
         var actualAlgorithm = matches[0].keyAlgorithm;
         assertEq(
             expectedAlgorithm, actualAlgorithm,
             'Member algorithm of Match does not equal the expected algorithm');
@@ skipping 46 matching lines @@
             .sign(signParams, privateKey, data.raw_data)
             .then(callbackPass(function(signature) {
               var actualSignature = new Uint8Array(signature);
               assertTrue(compareArrays(data.signature_nohash_pkcs,
                                        actualSignature) == 0,
                          'Incorrect signature');
             }));
       }));
 }
 
-function testSignSha1() {
+function testSignSha1Client1() {
   var keyParams = {
     // Algorithm names are case-insensitive.
     hash: {name: 'Sha-1'}
   };
   var signParams = {
     // Algorithm names are case-insensitive.
     name: 'RSASSA-Pkcs1-v1_5'
   };
   chrome.platformKeys.getKeyPair(
       data.client_1.buffer, keyParams,
       callbackPass(function(publicKey, privateKey) {
         chrome.platformKeys.subtleCrypto()
             .sign(signParams, privateKey, data.raw_data)
             .then(callbackPass(function(signature) {
               var actualSignature = new Uint8Array(signature);
               assertTrue(
                   compareArrays(data.signature_sha1_pkcs, actualSignature) == 0,
                   'Incorrect signature');
             }));
       }));
 }
 
-function runTests() {
-  var tests = [
-    testStaticMethods,
-    testSelectAllCerts,
-    testSelectCA1Certs,
-    testMatchResult,
-    testGetKeyPair,
-    testSignNoHash,
-    testSignSha1
-  ];
-
-  chrome.test.runTests(tests);
+// TODO(pneubeck): Test this by verifying that no private key is returned, once
+// that's implemented.
+function testSignFails(cert) {
+  var keyParams = {
+    hash: {name: 'SHA-1'}
+  };
+  var signParams = {
+    name: 'RSASSA-PKCS1-v1_5'
+  };
+  chrome.platformKeys.getKeyPair(
+      cert.buffer, keyParams, callbackPass(function(publicKey, privateKey) {
+        chrome.platformKeys.subtleCrypto()
+            .sign(signParams, privateKey, data.raw_data)
+            .then(function(signature) { fail('sign was expected to fail.'); },
+                  callbackPass(function(error) {
+                    assertTrue(error instanceof Error);
+                    assertEq(
+                        'The operation failed for an operation-specific reason',
+                        error.message);
+                  }));
+      }));
 }
 
-setUp(runTests);
+function testSignClient1Fails() {
+  testSignFails(data.client_1);
+}
+
+function testSignClient2Fails() {
+  testSignFails(data.client_2);
+}
+
+var testSuites = {
+  // These tests assume already granted permissions for client_1 and client_2.
+  // On interactive selectClientCertificates calls, the simulated user does not
+  // select any cert.
+  basicTests: function() {
+    var tests = [
+      testStaticMethods,
+      testSelectAllCerts,
+      testSelectCA1Certs,
+      testInteractiveSelectNoCerts,
+      testMatchResult,
+      testGetKeyPair,
+      testSignNoHash,
+      testSignSha1Client1,
+    ];
+
+    chrome.test.runTests(tests);
+  },
+
+  // This test suite starts without any granted permissions.
+  // On interactive selectClientCertificates calls, the simulated user selects
+  // client_1, if matching.
+  permissionTests: function() {
+    var tests = [
+      // Without permissions both sign attempts fail.
+      testSignClient1Fails,
+      testSignClient2Fails,
+
+      // Without permissions, non-interactive select calls return no certs.
+      testSelectAllReturnsNoCerts,
+
+      testInteractiveSelectClient1,
+      // Now that the permission for client_1 is granted.
+
+      // Verify that signing with client_1 is possible and with client_2 still
+      // fails.
+      testSignSha1Client1,
+      testSignClient2Fails,
+
+      // Verify that client_1 can still be selected interactively.
+      testInteractiveSelectClient1,
+
+      // Verify that client_1 but not client_2 is selected in non-interactive
+      // calls.
+      testSelectAllReturnsClient1,
+    ];
+
+    chrome.test.runTests(tests);
+  }
+};
+
+setUp(testSuites[selectedTestSuite]);