[webcrypto] Wire up {spki, pkcs8} import/export for OpenSSL.

BUG=389314 Review URL: https://codereview.chromium.org/353043005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@284331 0039d316-1c4b-4281-b951-d872f2087c98

[webcrypto] Wire up {spki, pkcs8} import/export for OpenSSL.
BUG=389314 Review URL: https://codereview.chromium.org/353043005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@284331 0039d316-1c4b-4281-b951-d872f2087c98
f59f5692 · eroman@chromium.org · 62e03626 · f59f5692 · f59f5692 · f59f5692
Commit f59f5692 authored Jul 19, 2014 by eroman@chromium.org
8 changed files
--- a/content/child/webcrypto/openssl/key_openssl.cc
+++ b/content/child/webcrypto/openssl/key_openssl.cc
@@ -25,6 +25,10 @@ SymKeyOpenSsl* KeyOpenSsl::AsSymKey() {
  return NULL;
 }
+AsymKeyOpenSsl* KeyOpenSsl::AsAsymKey() {
+  return NULL;
+}
 SymKeyOpenSsl::~SymKeyOpenSsl() {
 }
@@ -41,6 +45,22 @@ SymKeyOpenSsl::SymKeyOpenSsl(const CryptoData& raw_key_data)
    : KeyOpenSsl(raw_key_data) {
 }
+AsymKeyOpenSsl::~AsymKeyOpenSsl() {
+}
+AsymKeyOpenSsl* AsymKeyOpenSsl::Cast(const blink::WebCryptoKey& key) {
+  return reinterpret_cast<KeyOpenSsl*>(key.handle())->AsAsymKey();
+}
+AsymKeyOpenSsl* AsymKeyOpenSsl::AsAsymKey() {
+  return this;
+}
+AsymKeyOpenSsl::AsymKeyOpenSsl(crypto::ScopedEVP_PKEY key,
+                               const CryptoData& serialized_key_data)
+    : KeyOpenSsl(serialized_key_data), key_(key.Pass()) {
+}
 bool PlatformSerializeKeyForClone(const blink::WebCryptoKey& key,
                                  blink::WebVector<uint8_t>* key_data) {
  const KeyOpenSsl* openssl_key = static_cast<KeyOpenSsl*>(key.handle());

--- a/content/child/webcrypto/openssl/key_openssl.h
+++ b/content/child/webcrypto/openssl/key_openssl.h
@@ -5,10 +5,12 @@
 #ifndef CONTENT_CHILD_WEBCRYPTO_OPENSSL_KEY_OPENSSL_H_
 #define CONTENT_CHILD_WEBCRYPTO_OPENSSL_KEY_OPENSSL_H_
+#include <openssl/ossl_typ.h>
 #include <stdint.h>
 #include <vector>
 #include "base/macros.h"
+#include "crypto/scoped_openssl_types.h"
 #include "third_party/WebKit/public/platform/WebCryptoKey.h"
 namespace content {
@@ -16,6 +18,7 @@ namespace content {
 namespace webcrypto {
 class CryptoData;
+class AsymKeyOpenSsl;
 class SymKeyOpenSsl;
 // Base key class for all OpenSSL keys, used to safely cast between types. Each
@@ -28,6 +31,7 @@ class KeyOpenSsl : public blink::WebCryptoKeyHandle {
  virtual ~KeyOpenSsl();
  virtual SymKeyOpenSsl* AsSymKey();
+  virtual AsymKeyOpenSsl* AsAsymKey();
  const std::vector<uint8_t>& serialized_key_data() const {
    return serialized_key_data_;
@@ -54,6 +58,24 @@ class SymKeyOpenSsl : public KeyOpenSsl {
  DISALLOW_COPY_AND_ASSIGN(SymKeyOpenSsl);
 };
+class AsymKeyOpenSsl : public KeyOpenSsl {
+ public:
+  virtual ~AsymKeyOpenSsl();
+  AsymKeyOpenSsl(crypto::ScopedEVP_PKEY key,
+                 const CryptoData& serialized_key_data);
+  static AsymKeyOpenSsl* Cast(const blink::WebCryptoKey& key);
+  virtual AsymKeyOpenSsl* AsAsymKey() OVERRIDE;
+  EVP_PKEY* key() { return key_.get(); }
+ private:
+  crypto::ScopedEVP_PKEY key_;
+  DISALLOW_COPY_AND_ASSIGN(AsymKeyOpenSsl);
+};
 }  // namespace webcrypto
 }  // namespace content

--- a/content/child/webcrypto/openssl/rsa_key_openssl.cc
+++ b/content/child/webcrypto/openssl/rsa_key_openssl.cc
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "content/child/webcrypto/openssl/rsa_key_openssl.h"
+#include <openssl/evp.h>
+#include <openssl/pkcs12.h>
+#include "base/logging.h"
+#include "content/child/webcrypto/crypto_data.h"
+#include "content/child/webcrypto/openssl/key_openssl.h"
+#include "content/child/webcrypto/status.h"
+#include "content/child/webcrypto/webcrypto_util.h"
+#include "crypto/openssl_util.h"
+#include "crypto/scoped_openssl_types.h"
+#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
+#include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
+namespace content {
+namespace webcrypto {
+namespace {
+Status ExportPKeySpki(EVP_PKEY* key, std::vector<uint8>* buffer) {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  crypto::ScopedBIO bio(BIO_new(BIO_s_mem()));
+  // TODO(eroman): Use the OID specified by webcrypto spec.
+  //               http://crbug.com/373545
+  if (!i2d_PUBKEY_bio(bio.get(), key))
+    return Status::ErrorUnexpected();
+  char* data = NULL;
+  long len = BIO_get_mem_data(bio.get(), &data);
+  if (!data || len < 0)
+    return Status::ErrorUnexpected();
+  buffer->assign(data, data + len);
+  return Status::Success();
+}
+Status ExportPKeyPkcs8(EVP_PKEY* key, std::vector<uint8>* buffer) {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  crypto::ScopedBIO bio(BIO_new(BIO_s_mem()));
+  // TODO(eroman): Use the OID specified by webcrypto spec.
+  //               http://crbug.com/373545
+  if (!i2d_PKCS8PrivateKeyInfo_bio(bio.get(), key))
+    return Status::ErrorUnexpected();
+  char* data = NULL;
+  long len = BIO_get_mem_data(bio.get(), &data);
+  if (!data || len < 0)
+    return Status::ErrorUnexpected();
+  buffer->assign(data, data + len);
+  return Status::Success();
+}
+// Creates a blink::WebCryptoAlgorithm having the modulus length and public
+// exponent  of |key|.
+Status CreateRsaHashedKeyAlgorithm(
+    blink::WebCryptoAlgorithmId rsa_algorithm,
+    blink::WebCryptoAlgorithmId hash_algorithm,
+    EVP_PKEY* key,
+    blink::WebCryptoKeyAlgorithm* key_algorithm) {
+  DCHECK(IsAlgorithmRsa(rsa_algorithm));
+  DCHECK_EQ(EVP_PKEY_RSA, EVP_PKEY_id(key));
+  crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(key));
+  if (!rsa.get())
+    return Status::ErrorUnexpected();
+  unsigned int modulus_length_bits = BN_num_bits(rsa.get()->n);
+  // Convert the public exponent to big-endian representation.
+  std::vector<uint8> e(BN_num_bytes(rsa.get()->e));
+  if (e.size() == 0)
+    return Status::ErrorUnexpected();
+  if (static_cast<int>(e.size()) != BN_bn2bin(rsa.get()->e, &e[0]))
+    return Status::ErrorUnexpected();
+  *key_algorithm = blink::WebCryptoKeyAlgorithm::createRsaHashed(
+      rsa_algorithm, modulus_length_bits, &e[0], e.size(), hash_algorithm);
+  return Status::Success();
+}
+// Verifies that |key| is consistent with the input algorithm id, and creates a
+// blink::WebCryptoKeyAlgorithm describing the key.
+// Returns Status::Success() on success and sets |*key_algorithm|.
+Status ValidateKeyTypeAndCreateKeyAlgorithm(
+    const blink::WebCryptoAlgorithm& algorithm,
+    EVP_PKEY* key,
+    blink::WebCryptoKeyAlgorithm* key_algorithm) {
+  // TODO(eroman): Validate the algorithm OID against the webcrypto provided
+  // hash. http://crbug.com/389400
+  if (EVP_PKEY_id(key) != EVP_PKEY_RSA)
+    return Status::DataError();  // Data did not define an RSA key.
+  return CreateRsaHashedKeyAlgorithm(algorithm.id(),
+                                     GetInnerHashAlgorithm(algorithm).id(),
+                                     key,
+                                     key_algorithm);
+}
+}  // namespace
+Status RsaHashedAlgorithm::VerifyKeyUsagesBeforeImportKey(
+    blink::WebCryptoKeyFormat format,
+    blink::WebCryptoKeyUsageMask usage_mask) const {
+  switch (format) {
+    case blink::WebCryptoKeyFormatSpki:
+      return CheckKeyCreationUsages(all_public_key_usages_, usage_mask);
+    case blink::WebCryptoKeyFormatPkcs8:
+      return CheckKeyCreationUsages(all_private_key_usages_, usage_mask);
+    default:
+      return Status::ErrorUnsupportedImportKeyFormat();
+  }
+}
+Status RsaHashedAlgorithm::ImportKeyPkcs8(
+    const CryptoData& key_data,
+    const blink::WebCryptoAlgorithm& algorithm,
+    bool extractable,
+    blink::WebCryptoKeyUsageMask usage_mask,
+    blink::WebCryptoKey* key) const {
+  if (!key_data.byte_length())
+    return Status::ErrorImportEmptyKeyData();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  crypto::ScopedBIO bio(BIO_new_mem_buf(const_cast<uint8*>(key_data.bytes()),
+                                        key_data.byte_length()));
+  if (!bio.get())
+    return Status::ErrorUnexpected();
+  crypto::ScopedOpenSSL<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>::Type
+      p8inf(d2i_PKCS8_PRIV_KEY_INFO_bio(bio.get(), NULL));
+  if (!p8inf.get())
+    return Status::DataError();
+  crypto::ScopedEVP_PKEY private_key(EVP_PKCS82PKEY(p8inf.get()));
+  if (!private_key.get())
+    return Status::DataError();
+  blink::WebCryptoKeyAlgorithm key_algorithm;
+  Status status = ValidateKeyTypeAndCreateKeyAlgorithm(
+      algorithm, private_key.get(), &key_algorithm);
+  if (status.IsError())
+    return status;
+  // TODO(eroman): This is probably going to be the same as the input.
+  std::vector<uint8> pkcs8_data;
+  status = ExportPKeyPkcs8(private_key.get(), &pkcs8_data);
+  if (status.IsError())
+    return status;
+  scoped_ptr<AsymKeyOpenSsl> key_handle(
+      new AsymKeyOpenSsl(private_key.Pass(), CryptoData(pkcs8_data)));
+  *key = blink::WebCryptoKey::create(key_handle.release(),
+                                     blink::WebCryptoKeyTypePrivate,
+                                     extractable,
+                                     key_algorithm,
+                                     usage_mask);
+  return Status::Success();
+}
+Status RsaHashedAlgorithm::ImportKeySpki(
+    const CryptoData& key_data,
+    const blink::WebCryptoAlgorithm& algorithm,
+    bool extractable,
+    blink::WebCryptoKeyUsageMask usage_mask,
+    blink::WebCryptoKey* key) const {
+  if (!key_data.byte_length())
+    return Status::ErrorImportEmptyKeyData();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  crypto::ScopedBIO bio(BIO_new_mem_buf(const_cast<uint8*>(key_data.bytes()),
+                                        key_data.byte_length()));
+  if (!bio.get())
+    return Status::ErrorUnexpected();
+  crypto::ScopedEVP_PKEY public_key(d2i_PUBKEY_bio(bio.get(), NULL));
+  if (!public_key.get())
+    return Status::DataError();
+  blink::WebCryptoKeyAlgorithm key_algorithm;
+  Status status = ValidateKeyTypeAndCreateKeyAlgorithm(
+      algorithm, public_key.get(), &key_algorithm);
+  if (status.IsError())
+    return status;
+  // TODO(eroman): This is probably going to be the same as the input.
+  std::vector<uint8> spki_data;
+  status = ExportPKeySpki(public_key.get(), &spki_data);
+  if (status.IsError())
+    return status;
+  scoped_ptr<AsymKeyOpenSsl> key_handle(
+      new AsymKeyOpenSsl(public_key.Pass(), CryptoData(spki_data)));
+  *key = blink::WebCryptoKey::create(key_handle.release(),
+                                     blink::WebCryptoKeyTypePublic,
+                                     extractable,
+                                     key_algorithm,
+                                     usage_mask);
+  return Status::Success();
+}
+Status RsaHashedAlgorithm::ExportKeyPkcs8(const blink::WebCryptoKey& key,
+                                          std::vector<uint8>* buffer) const {
+  if (key.type() != blink::WebCryptoKeyTypePrivate)
+    return Status::ErrorUnexpectedKeyType();
+  *buffer = AsymKeyOpenSsl::Cast(key)->serialized_key_data();
+  return Status::Success();
+}
+Status RsaHashedAlgorithm::ExportKeySpki(const blink::WebCryptoKey& key,
+                                         std::vector<uint8>* buffer) const {
+  if (key.type() != blink::WebCryptoKeyTypePublic)
+    return Status::ErrorUnexpectedKeyType();
+  *buffer = AsymKeyOpenSsl::Cast(key)->serialized_key_data();
+  return Status::Success();
+}
+}  // namespace webcrypto
+}  // namespace content
--- a/content/child/webcrypto/openssl/rsa_key_openssl.h
+++ b/content/child/webcrypto/openssl/rsa_key_openssl.h
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef CONTENT_CHILD_WEBCRYPTO_OPENSSL_RSA_KEY_OPENSSL_H_
+#define CONTENT_CHILD_WEBCRYPTO_OPENSSL_RSA_KEY_OPENSSL_H_
+#include "content/child/webcrypto/algorithm_implementation.h"
+namespace content {
+namespace webcrypto {
+class PublicKeyNss;
+class PrivateKeyNss;
+// Base class for an RSA algorithm whose keys additionaly have a hash parameter
+// bound to them. Provides functionality for generating, importing, and
+// exporting keys.
+class RsaHashedAlgorithm : public AlgorithmImplementation {
+ public:
+  // |all_public_key_usages| and |all_private_key_usages| are the set of
+  // WebCrypto key usages that are valid for created keys (public and private
+  // respectively).
+  //
+  // For instance if public keys support encryption and wrapping, and private
+  // keys support decryption and unwrapping callers should set:
+  //    all_public_key_usages = UsageEncrypt | UsageWrap
+  //    all_private_key_usages = UsageDecrypt | UsageUnwrap
+  // This information is used when importing or generating keys, to enforce
+  // that valid key usages are allowed.
+  RsaHashedAlgorithm(blink::WebCryptoKeyUsageMask all_public_key_usages,
+                     blink::WebCryptoKeyUsageMask all_private_key_usages)
+      : all_public_key_usages_(all_public_key_usages),
+        all_private_key_usages_(all_private_key_usages) {}
+  virtual Status VerifyKeyUsagesBeforeImportKey(
+      blink::WebCryptoKeyFormat format,
+      blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE;
+  virtual Status ImportKeyPkcs8(const CryptoData& key_data,
+                                const blink::WebCryptoAlgorithm& algorithm,
+                                bool extractable,
+                                blink::WebCryptoKeyUsageMask usage_mask,
+                                blink::WebCryptoKey* key) const OVERRIDE;
+  virtual Status ImportKeySpki(const CryptoData& key_data,
+                               const blink::WebCryptoAlgorithm& algorithm,
+                               bool extractable,
+                               blink::WebCryptoKeyUsageMask usage_mask,
+                               blink::WebCryptoKey* key) const OVERRIDE;
+  virtual Status ExportKeyPkcs8(const blink::WebCryptoKey& key,
+                                std::vector<uint8>* buffer) const OVERRIDE;
+  virtual Status ExportKeySpki(const blink::WebCryptoKey& key,
+                               std::vector<uint8>* buffer) const OVERRIDE;
+ private:
+  blink::WebCryptoKeyUsageMask all_public_key_usages_;
+  blink::WebCryptoKeyUsageMask all_private_key_usages_;
+};
+}  // namespace webcrypto
+}  // namespace content
+#endif  // CONTENT_CHILD_WEBCRYPTO_OPENSSL_RSA_KEY_OPENSSL_H_
--- a/content/child/webcrypto/openssl/rsa_ssa_openssl.cc
+++ b/content/child/webcrypto/openssl/rsa_ssa_openssl.cc
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "content/child/webcrypto/crypto_data.h"
+#include "content/child/webcrypto/openssl/key_openssl.h"
+#include "content/child/webcrypto/openssl/rsa_key_openssl.h"
+#include "content/child/webcrypto/status.h"
+#include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
+namespace content {
+namespace webcrypto {
+namespace {
+class RsaSsaImplementation : public RsaHashedAlgorithm {
+ public:
+  RsaSsaImplementation()
+      : RsaHashedAlgorithm(blink::WebCryptoKeyUsageVerify,
+                           blink::WebCryptoKeyUsageSign) {}
+  // TODO(eroman): Implement Sign() and Verify().
+};
+}  // namespace
+AlgorithmImplementation* CreatePlatformRsaSsaImplementation() {
+  return new RsaSsaImplementation;
+}
+}  // namespace webcrypto
+}  // namespace content
--- a/content/child/webcrypto/openssl/util_openssl.cc
+++ b/content/child/webcrypto/openssl/util_openssl.cc
@@ -38,11 +38,6 @@ AlgorithmImplementation* CreatePlatformRsaOaepImplementation() {
  return NULL;
 }
-AlgorithmImplementation* CreatePlatformRsaSsaImplementation() {
-  // TODO(eroman):
-  return NULL;
-}
 }  // namespace webcrypto
 }  // namespace content
--- a/content/child/webcrypto/shared_crypto_unittest.cc
+++ b/content/child/webcrypto/shared_crypto_unittest.cc
@@ -2014,7 +2014,7 @@ TEST_F(SharedCryptoTest, MAYBE(ExportJwkEmptySymmetricKey)) {
  EXPECT_EQ(0u, exported_key_data.size());
 }
-TEST_F(SharedCryptoTest, MAYBE(ImportExportSpki)) {
+TEST_F(SharedCryptoTest, ImportExportSpki) {
  if (!SupportsRsaKeyImport())
    return;
@@ -2103,7 +2103,7 @@ TEST_F(SharedCryptoTest, MAYBE(ImportExportSpki)) {
  // as OAEP/PSS
 }
-TEST_F(SharedCryptoTest, MAYBE(ImportExportPkcs8)) {
+TEST_F(SharedCryptoTest, ImportExportPkcs8) {
  if (!SupportsRsaKeyImport())
    return;

--- a/content/content_child.gypi
+++ b/content/content_child.gypi
@@ -267,6 +267,9 @@
      'child/webcrypto/openssl/hmac_openssl.cc',
      'child/webcrypto/openssl/key_openssl.cc',
      'child/webcrypto/openssl/key_openssl.h',
+      'child/webcrypto/openssl/rsa_key_openssl.cc',
+      'child/webcrypto/openssl/rsa_key_openssl.h',
+      'child/webcrypto/openssl/rsa_ssa_openssl.cc',
      'child/webcrypto/openssl/sha_openssl.cc',
      'child/webcrypto/openssl/sym_key_openssl.cc',
      'child/webcrypto/openssl/sym_key_openssl.h',