// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/renderer/webcrypto/webcrypto_impl.h"
#include <algorithm>
#include <string>
#include <vector>
#include "base/basictypes.h"
#include "base/json/json_writer.h"
#include "base/logging.h"
#include "base/memory/ref_counted.h"
#include "base/strings/string_number_conversions.h"
#include "content/public/renderer/content_renderer_client.h"
#include "content/renderer/renderer_webkitplatformsupport_impl.h"
#include "content/renderer/webcrypto/webcrypto_util.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "third_party/WebKit/public/platform/WebArrayBuffer.h"
#include "third_party/WebKit/public/platform/WebCryptoAlgorithm.h"
#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
#include "third_party/WebKit/public/platform/WebCryptoKey.h"
namespace content {
namespace {
std::vector<uint8> HexStringToBytes(const std::string& hex) {
std::vector<uint8> bytes;
base::HexStringToBytes(hex, &bytes);
return bytes;
}
void ExpectArrayBufferMatchesHex(const std::string& expected_hex,
const blink::WebArrayBuffer& array_buffer) {
EXPECT_STRCASEEQ(
expected_hex.c_str(),
base::HexEncode(array_buffer.data(), array_buffer.byteLength()).c_str());
}
std::vector<uint8> MakeJsonVector(const std::string& json_string) {
return std::vector<uint8>(json_string.begin(), json_string.end());
}
std::vector<uint8> MakeJsonVector(const base::DictionaryValue& dict) {
std::string json;
base::JSONWriter::Write(&dict, &json);
return MakeJsonVector(json);
}
// Helper for ImportJwkFailures and ImportJwkOctFailures. Restores the JWK JSON
// dictionary to a good state
void RestoreJwkOctDictionary(base::DictionaryValue* dict) {
dict->Clear();
dict->SetString("kty", "oct");
dict->SetString("alg", "A128CBC");
dict->SetString("use", "enc");
dict->SetBoolean("extractable", false);
dict->SetString("k", "GADWrMRHwQfoNaXU5fZvTg==");
}
#if !defined(USE_OPENSSL)
// Helper for ImportJwkRsaFailures. Restores the JWK JSON
// dictionary to a good state
void RestoreJwkRsaDictionary(base::DictionaryValue* dict) {
dict->Clear();
dict->SetString("kty", "RSA");
dict->SetString("alg", "RSA1_5");
dict->SetString("use", "enc");
dict->SetBoolean("extractable", false);
dict->SetString("n",
"qLOyhK-OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx-CwgtaTpef87Wdc9GaFEncsDLxk"
"p0LGxjD1M8jMcvYq6DPEC_JYQumEu3i9v5fAEH1VvbZi9cTg-rmEXLUUjvc5LdOq_5OuHmtm"
"e7PUJHYW1PW6ENTP0ibeiNOfFvs");
dict->SetString("e", "AQAB");
}
blink::WebCryptoAlgorithm CreateRsaKeyGenAlgorithm(
blink::WebCryptoAlgorithmId algorithm_id,
unsigned modulus_length,
const std::vector<uint8>& public_exponent) {
DCHECK(algorithm_id == blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5 ||
algorithm_id == blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 ||
algorithm_id == blink::WebCryptoAlgorithmIdRsaOaep);
return blink::WebCryptoAlgorithm::adoptParamsAndCreate(
algorithm_id,
new blink::WebCryptoRsaKeyGenParams(
modulus_length,
webcrypto::Uint8VectorStart(public_exponent),
public_exponent.size()));
}
// Determines if two ArrayBuffers have identical content.
bool ArrayBuffersEqual(
const blink::WebArrayBuffer& a,
const blink::WebArrayBuffer& b) {
return a.byteLength() == b.byteLength() &&
memcmp(a.data(), b.data(), a.byteLength()) == 0;
}
// Given a vector of WebArrayBuffers, determines if there are any copies.
bool CopiesExist(std::vector<blink::WebArrayBuffer> bufs) {
for (size_t i = 0; i < bufs.size(); ++i) {
for (size_t j = i + 1; j < bufs.size(); ++j) {
if (ArrayBuffersEqual(bufs[i], bufs[j]))
return true;
}
}
return false;
}
#endif // #if !defined(USE_OPENSSL)
} // namespace
class WebCryptoImplTest : public testing::Test {
protected:
blink::WebCryptoKey ImportSecretKeyFromRawHexString(
const std::string& key_hex,
const blink::WebCryptoAlgorithm& algorithm,
blink::WebCryptoKeyUsageMask usage) {
std::vector<uint8> key_raw = HexStringToBytes(key_hex);
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
bool extractable = true;
EXPECT_TRUE(crypto_.ImportKeyInternal(blink::WebCryptoKeyFormatRaw,
webcrypto::Uint8VectorStart(key_raw),
key_raw.size(),
algorithm,
extractable,
usage,
&key));
EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
EXPECT_FALSE(key.isNull());
EXPECT_TRUE(key.handle());
return key;
}
// Forwarding methods to gain access to protected methods of
// WebCryptoImpl.
bool DigestInternal(
const blink::WebCryptoAlgorithm& algorithm,
const std::vector<uint8>& data,
blink::WebArrayBuffer* buffer) {
return crypto_.DigestInternal(
algorithm, webcrypto::Uint8VectorStart(data), data.size(), buffer);
}
bool GenerateKeyInternal(
const blink::WebCryptoAlgorithm& algorithm,
blink::WebCryptoKey* key) {
bool extractable = true;
blink::WebCryptoKeyUsageMask usage_mask = 0;
return crypto_.GenerateKeyInternal(algorithm, extractable, usage_mask, key);
}
bool GenerateKeyPairInternal(
const blink::WebCryptoAlgorithm& algorithm,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* public_key,
blink::WebCryptoKey* private_key) {
return crypto_.GenerateKeyPairInternal(
algorithm, extractable, usage_mask, public_key, private_key);
}
bool ImportKeyInternal(
blink::WebCryptoKeyFormat format,
const std::vector<uint8>& key_data,
const blink::WebCryptoAlgorithm& algorithm,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* key) {
return crypto_.ImportKeyInternal(format,
webcrypto::Uint8VectorStart(key_data),
key_data.size(),
algorithm,
extractable,
usage_mask,
key);
}
bool ExportKeyInternal(
blink::WebCryptoKeyFormat format,
const blink::WebCryptoKey& key,
blink::WebArrayBuffer* buffer) {
return crypto_.ExportKeyInternal(format, key, buffer);
}
bool SignInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const std::vector<uint8>& data,
blink::WebArrayBuffer* buffer) {
return crypto_.SignInternal(
algorithm, key, webcrypto::Uint8VectorStart(data), data.size(), buffer);
}
bool VerifySignatureInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const unsigned char* signature,
unsigned signature_size,
const std::vector<uint8>& data,
bool* signature_match) {
return crypto_.VerifySignatureInternal(algorithm,
key,
signature,
signature_size,
webcrypto::Uint8VectorStart(data),
data.size(),
signature_match);
}
bool EncryptInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const unsigned char* data,
unsigned data_size,
blink::WebArrayBuffer* buffer) {
return crypto_.EncryptInternal(algorithm, key, data, data_size, buffer);
}
bool EncryptInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const std::vector<uint8>& data,
blink::WebArrayBuffer* buffer) {
return crypto_.EncryptInternal(
algorithm, key, webcrypto::Uint8VectorStart(data), data.size(), buffer);
}
bool DecryptInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const unsigned char* data,
unsigned data_size,
blink::WebArrayBuffer* buffer) {
return crypto_.DecryptInternal(algorithm, key, data, data_size, buffer);
}
bool DecryptInternal(
const blink::WebCryptoAlgorithm& algorithm,
const blink::WebCryptoKey& key,
const std::vector<uint8>& data,
blink::WebArrayBuffer* buffer) {
return crypto_.DecryptInternal(
algorithm, key, webcrypto::Uint8VectorStart(data), data.size(), buffer);
}
bool ImportKeyJwk(
const std::vector<uint8>& key_data,
const blink::WebCryptoAlgorithm& algorithm,
bool extractable,
blink::WebCryptoKeyUsageMask usage_mask,
blink::WebCryptoKey* key) {
return crypto_.ImportKeyJwk(webcrypto::Uint8VectorStart(key_data),
key_data.size(),
algorithm,
extractable,
usage_mask,
key);
}
private:
WebCryptoImpl crypto_;
};
TEST_F(WebCryptoImplTest, DigestSampleSets) {
// The results are stored here in hex format for readability.
//
// TODO(bryaneyler): Eventually, all these sample test sets should be replaced
// with the sets here: http://csrc.nist.gov/groups/STM/cavp/index.html#03
//
// Results were generated using the command sha{1,224,256,384,512}sum.
struct TestCase {
blink::WebCryptoAlgorithmId algorithm;
const std::string hex_input;
const char* hex_result;
};
const TestCase kTests[] = {
{ blink::WebCryptoAlgorithmIdSha1, "",
"da39a3ee5e6b4b0d3255bfef95601890afd80709"
},
{ blink::WebCryptoAlgorithmIdSha224, "",
"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"
},
{ blink::WebCryptoAlgorithmIdSha256, "",
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
{ blink::WebCryptoAlgorithmIdSha384, "",
"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274e"
"debfe76f65fbd51ad2f14898b95b"
},
{ blink::WebCryptoAlgorithmIdSha512, "",
"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0"
"d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
},
{ blink::WebCryptoAlgorithmIdSha1, "00",
"5ba93c9db0cff93f52b521d7420e43f6eda2784f",
},
{ blink::WebCryptoAlgorithmIdSha224, "00",
"fff9292b4201617bdc4d3053fce02734166a683d7d858a7f5f59b073",
},
{ blink::WebCryptoAlgorithmIdSha256, "00",
"6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d",
},
{ blink::WebCryptoAlgorithmIdSha384, "00",
"bec021b4f368e3069134e012c2b4307083d3a9bdd206e24e5f0d86e13d6636655933"
"ec2b413465966817a9c208a11717",
},
{ blink::WebCryptoAlgorithmIdSha512, "00",
"b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a"
"802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee",
},
{ blink::WebCryptoAlgorithmIdSha1, "000102030405",
"868460d98d09d8bbb93d7b6cdd15cc7fbec676b9",
},
{ blink::WebCryptoAlgorithmIdSha224, "000102030405",
"7d92e7f1cad1818ed1d13ab41f04ebabfe1fef6bb4cbeebac34c29bc",
},
{ blink::WebCryptoAlgorithmIdSha256, "000102030405",
"17e88db187afd62c16e5debf3e6527cd006bc012bc90b51a810cd80c2d511f43",
},
{ blink::WebCryptoAlgorithmIdSha384, "000102030405",
"79f4738706fce9650ac60266675c3cd07298b09923850d525604d040e6e448adc7dc"
"22780d7e1b95bfeaa86a678e4552",
},
{ blink::WebCryptoAlgorithmIdSha512, "000102030405",
"2f3831bccc94cf061bcfa5f8c23c1429d26e3bc6b76edad93d9025cb91c903af6cf9"
"c935dc37193c04c2c66e7d9de17c358284418218afea2160147aaa912f4c",
},
};
for (size_t test_index = 0; test_index < ARRAYSIZE_UNSAFE(kTests);
++test_index) {
SCOPED_TRACE(test_index);
const TestCase& test = kTests[test_index];
blink::WebCryptoAlgorithm algorithm =
webcrypto::CreateAlgorithm(test.algorithm);
std::vector<uint8> input = HexStringToBytes(test.hex_input);
blink::WebArrayBuffer output;
ASSERT_TRUE(DigestInternal(algorithm, input, &output));
ExpectArrayBufferMatchesHex(test.hex_result, output);
}
}
TEST_F(WebCryptoImplTest, HMACSampleSets) {
struct TestCase {
blink::WebCryptoAlgorithmId algorithm;
const char* key;
const char* message;
const char* mac;
};
const TestCase kTests[] = {
// Empty sets. Result generated via OpenSSL commandline tool. These
// particular results are also posted on the Wikipedia page examples:
// http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
{
blink::WebCryptoAlgorithmIdSha1,
"",
"",
// openssl dgst -sha1 -hmac "" < /dev/null
"fbdb1d1b18aa6c08324b7d64b71fb76370690e1d",
},
{
blink::WebCryptoAlgorithmIdSha256,
"",
"",
// openssl dgst -sha256 -hmac "" < /dev/null
"b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad",
},
// For this data, see http://csrc.nist.gov/groups/STM/cavp/index.html#07
// Download:
// http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmactestvectors.zip
// L=20 set 45
{
blink::WebCryptoAlgorithmIdSha1,
// key
"59785928d72516e31272",
// message
"a3ce8899df1022e8d2d539b47bf0e309c66f84095e21438ec355bf119ce5fdcb4e73a6"
"19cdf36f25b369d8c38ff419997f0c59830108223606e31223483fd39edeaa4d3f0d21"
"198862d239c9fd26074130ff6c86493f5227ab895c8f244bd42c7afce5d147a20a5907"
"98c68e708e964902d124dadecdbda9dbd0051ed710e9bf",
// mac
"3c8162589aafaee024fc9a5ca50dd2336fe3eb28",
},
// L=20 set 299
{
blink::WebCryptoAlgorithmIdSha1,
// key
"ceb9aedf8d6efcf0ae52bea0fa99a9e26ae81bacea0cff4d5eecf201e3bca3c3577480"
"621b818fd717ba99d6ff958ea3d59b2527b019c343bb199e648090225867d994607962"
"f5866aa62930d75b58f6",
// message
"99958aa459604657c7bf6e4cdfcc8785f0abf06ffe636b5b64ecd931bd8a4563055924"
"21fc28dbcccb8a82acea2be8e54161d7a78e0399a6067ebaca3f2510274dc9f92f2c8a"
"e4265eec13d7d42e9f8612d7bc258f913ecb5a3a5c610339b49fb90e9037b02d684fc6"
"0da835657cb24eab352750c8b463b1a8494660d36c3ab2",
// mac
"4ac41ab89f625c60125ed65ffa958c6b490ea670",
},
// L=32, set 30
{
blink::WebCryptoAlgorithmIdSha256,
// key
"9779d9120642797f1747025d5b22b7ac607cab08e1758f2f3a46c8be1e25c53b8c6a8f"
"58ffefa176",
// message
"b1689c2591eaf3c9e66070f8a77954ffb81749f1b00346f9dfe0b2ee905dcc288baf4a"
"92de3f4001dd9f44c468c3d07d6c6ee82faceafc97c2fc0fc0601719d2dcd0aa2aec92"
"d1b0ae933c65eb06a03c9c935c2bad0459810241347ab87e9f11adb30415424c6c7f5f"
"22a003b8ab8de54f6ded0e3ab9245fa79568451dfa258e",
// mac
"769f00d3e6a6cc1fb426a14a4f76c6462e6149726e0dee0ec0cf97a16605ac8b",
},
// L=32, set 224
{
blink::WebCryptoAlgorithmIdSha256,
// key
"4b7ab133efe99e02fc89a28409ee187d579e774f4cba6fc223e13504e3511bef8d4f63"
"8b9aca55d4a43b8fbd64cf9d74dcc8c9e8d52034898c70264ea911a3fd70813fa73b08"
"3371289b",
// message
"138efc832c64513d11b9873c6fd4d8a65dbf367092a826ddd587d141b401580b798c69"
"025ad510cff05fcfbceb6cf0bb03201aaa32e423d5200925bddfadd418d8e30e18050e"
"b4f0618eb9959d9f78c1157d4b3e02cd5961f138afd57459939917d9144c95d8e6a94c"
"8f6d4eef3418c17b1ef0b46c2a7188305d9811dccb3d99",
// mac
"4f1ee7cb36c58803a8721d4ac8c4cf8cae5d8832392eed2a96dc59694252801b",
},
};
for (size_t test_index = 0; test_index < ARRAYSIZE_UNSAFE(kTests);
++test_index) {
SCOPED_TRACE(test_index);
const TestCase& test = kTests[test_index];
blink::WebCryptoAlgorithm algorithm =
webcrypto::CreateHmacAlgorithmByHashId(test.algorithm);
blink::WebCryptoKey key = ImportSecretKeyFromRawHexString(
test.key, algorithm, blink::WebCryptoKeyUsageSign);
// Verify exported raw key is identical to the imported data
blink::WebArrayBuffer raw_key;
EXPECT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &raw_key));
ExpectArrayBufferMatchesHex(test.key, raw_key);
std::vector<uint8> message_raw = HexStringToBytes(test.message);
blink::WebArrayBuffer output;
ASSERT_TRUE(SignInternal(algorithm, key, message_raw, &output));
ExpectArrayBufferMatchesHex(test.mac, output);
bool signature_match = false;
EXPECT_TRUE(VerifySignatureInternal(
algorithm,
key,
static_cast<const unsigned char*>(output.data()),
output.byteLength(),
message_raw,
&signature_match));
EXPECT_TRUE(signature_match);
// Ensure truncated signature does not verify by passing one less byte.
EXPECT_TRUE(VerifySignatureInternal(
algorithm,
key,
static_cast<const unsigned char*>(output.data()),
output.byteLength() - 1,
message_raw,
&signature_match));
EXPECT_FALSE(signature_match);
// Ensure extra long signature does not cause issues and fails.
const unsigned char kLongSignature[1024] = { 0 };
EXPECT_TRUE(VerifySignatureInternal(
algorithm,
key,
kLongSignature,
sizeof(kLongSignature),
message_raw,
&signature_match));
EXPECT_FALSE(signature_match);
}
}
#if !defined(USE_OPENSSL)
TEST_F(WebCryptoImplTest, AesCbcFailures) {
const std::string key_hex = "2b7e151628aed2a6abf7158809cf4f3c";
blink::WebCryptoKey key = ImportSecretKeyFromRawHexString(
key_hex,
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
// Verify exported raw key is identical to the imported data
blink::WebArrayBuffer raw_key;
EXPECT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &raw_key));
ExpectArrayBufferMatchesHex(key_hex, raw_key);
blink::WebArrayBuffer output;
// Use an invalid |iv| (fewer than 16 bytes)
{
std::vector<uint8> input(32);
std::vector<uint8> iv;
EXPECT_FALSE(EncryptInternal(
webcrypto::CreateAesCbcAlgorithm(iv), key, input, &output));
EXPECT_FALSE(DecryptInternal(
webcrypto::CreateAesCbcAlgorithm(iv), key, input, &output));
}
// Use an invalid |iv| (more than 16 bytes)
{
std::vector<uint8> input(32);
std::vector<uint8> iv(17);
EXPECT_FALSE(EncryptInternal(
webcrypto::CreateAesCbcAlgorithm(iv), key, input, &output));
EXPECT_FALSE(DecryptInternal(
webcrypto::CreateAesCbcAlgorithm(iv), key, input, &output));
}
// Give an input that is too large (would cause integer overflow when
// narrowing to an int).
{
std::vector<uint8> iv(16);
// Pretend the input is large. Don't pass data pointer as NULL in case that
// is special cased; the implementation shouldn't actually dereference the
// data.
const unsigned char* input = &iv[0];
unsigned input_len = INT_MAX - 3;
EXPECT_FALSE(EncryptInternal(
webcrypto::CreateAesCbcAlgorithm(iv), key, input, input_len, &output));
EXPECT_FALSE(DecryptInternal(
webcrypto::CreateAesCbcAlgorithm(iv), key, input, input_len, &output));
}
// Fail importing the key (too few bytes specified)
{
std::vector<uint8> key_raw(1);
std::vector<uint8> iv(16);
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
EXPECT_FALSE(ImportKeyInternal(blink::WebCryptoKeyFormatRaw,
key_raw,
webcrypto::CreateAesCbcAlgorithm(iv),
true,
blink::WebCryptoKeyUsageEncrypt,
&key));
}
// Fail exporting the key in SPKI and PKCS#8 formats (not allowed for secret
// keys).
EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatSpki, key, &output));
EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatPkcs8, key, &output));
}
TEST_F(WebCryptoImplTest, AesCbcSampleSets) {
struct TestCase {
const char* key;
const char* iv;
const char* plain_text;
const char* cipher_text;
};
TestCase kTests[] = {
// F.2.1 (CBC-AES128.Encrypt)
// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
{
// key
"2b7e151628aed2a6abf7158809cf4f3c",
// iv
"000102030405060708090a0b0c0d0e0f",
// plain_text
"6bc1bee22e409f96e93d7e117393172a"
"ae2d8a571e03ac9c9eb76fac45af8e51"
"30c81c46a35ce411e5fbc1191a0a52ef"
"f69f2445df4f9b17ad2b417be66c3710",
// cipher_text
"7649abac8119b246cee98e9b12e9197d"
"5086cb9b507219ee95db113a917678b2"
"73bed6b8e3c1743b7116e69e22229516"
"3ff1caa1681fac09120eca307586e1a7"
// Padding block: encryption of {0x10, 0x10, ... 0x10}) (not given by the
// NIST test vector)
"8cb82807230e1321d3fae00d18cc2012"
},
// F.2.6 CBC-AES256.Decrypt [*]
// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
//
// [*] Truncated 3 bytes off the plain text, so block 4 differs from the
// NIST vector.
{
// key
"603deb1015ca71be2b73aef0857d7781"
"1f352c073b6108d72d9810a30914dff4",
// iv
"000102030405060708090a0b0c0d0e0f",
// plain_text
"6bc1bee22e409f96e93d7e117393172a"
"ae2d8a571e03ac9c9eb76fac45af8e51"
"30c81c46a35ce411e5fbc1191a0a52ef"
// Truncated this last block to make it more interesting.
"f69f2445df4f9b17ad2b417be6",
// cipher_text
"f58c4c04d6e5f1ba779eabfb5f7bfbd6"
"9cfc4e967edb808d679f777bc6702c7d"
"39f23369a9d9bacfa530e26304231461"
// This block differs from source vector (due to truncation)
"c9aaf02a6a54e9e242ccbf48c59daca6"
},
// Taken from encryptor_unittest.cc (EncryptorTest.EmptyEncrypt())
{
// key
"3132383d5369787465656e4279746573",
// iv
"5377656574205369787465656e204956",
// plain_text
"",
// cipher_text
"8518b8878d34e7185e300d0fcc426396"
},
};
for (size_t index = 0; index < ARRAYSIZE_UNSAFE(kTests); index++) {
SCOPED_TRACE(index);
const TestCase& test = kTests[index];
blink::WebCryptoKey key = ImportSecretKeyFromRawHexString(
test.key,
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
// Verify exported raw key is identical to the imported data
blink::WebArrayBuffer raw_key;
EXPECT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &raw_key));
ExpectArrayBufferMatchesHex(test.key, raw_key);
std::vector<uint8> plain_text = HexStringToBytes(test.plain_text);
std::vector<uint8> iv = HexStringToBytes(test.iv);
blink::WebArrayBuffer output;
// Test encryption.
EXPECT_TRUE(EncryptInternal(webcrypto::CreateAesCbcAlgorithm(iv),
key,
plain_text,
&output));
ExpectArrayBufferMatchesHex(test.cipher_text, output);
// Test decryption.
std::vector<uint8> cipher_text = HexStringToBytes(test.cipher_text);
EXPECT_TRUE(DecryptInternal(webcrypto::CreateAesCbcAlgorithm(iv),
key,
cipher_text,
&output));
ExpectArrayBufferMatchesHex(test.plain_text, output);
const unsigned kAesCbcBlockSize = 16;
// Decrypt with a padding error by stripping the last block. This also ends
// up testing decryption over empty cipher text.
if (cipher_text.size() >= kAesCbcBlockSize) {
EXPECT_FALSE(DecryptInternal(webcrypto::CreateAesCbcAlgorithm(iv),
key,
&cipher_text[0],
cipher_text.size() - kAesCbcBlockSize,
&output));
}
// Decrypt cipher text which is not a multiple of block size by stripping
// a few bytes off the cipher text.
if (cipher_text.size() > 3) {
EXPECT_FALSE(DecryptInternal(webcrypto::CreateAesCbcAlgorithm(iv),
key,
&cipher_text[0],
cipher_text.size() - 3,
&output));
}
}
}
TEST_F(WebCryptoImplTest, GenerateKeyAes) {
// Generate a small sample of AES keys.
std::vector<blink::WebArrayBuffer> keys;
blink::WebArrayBuffer key_bytes;
for (int i = 0; i < 16; ++i) {
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
ASSERT_TRUE(
GenerateKeyInternal(webcrypto::CreateAesCbcKeyGenAlgorithm(128), &key));
EXPECT_TRUE(key.handle());
EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
ASSERT_TRUE(
ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &key_bytes));
keys.push_back(key_bytes);
}
// Ensure all entries in the key sample set are unique. This is a simplistic
// estimate of whether the generated keys appear random.
EXPECT_FALSE(CopiesExist(keys));
}
TEST_F(WebCryptoImplTest, GenerateKeyAesBadLength) {
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
EXPECT_FALSE(
GenerateKeyInternal(webcrypto::CreateAesCbcKeyGenAlgorithm(0), &key));
EXPECT_FALSE(
GenerateKeyInternal(webcrypto::CreateAesCbcKeyGenAlgorithm(0), &key));
EXPECT_FALSE(
GenerateKeyInternal(webcrypto::CreateAesCbcKeyGenAlgorithm(129), &key));
}
TEST_F(WebCryptoImplTest, GenerateKeyHmac) {
// Generate a small sample of HMAC keys.
std::vector<blink::WebArrayBuffer> keys;
for (int i = 0; i < 16; ++i) {
blink::WebArrayBuffer key_bytes;
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
blink::WebCryptoAlgorithm algorithm = webcrypto::CreateHmacKeyGenAlgorithm(
blink::WebCryptoAlgorithmIdSha1, 128);
ASSERT_TRUE(GenerateKeyInternal(algorithm, &key));
EXPECT_FALSE(key.isNull());
EXPECT_TRUE(key.handle());
EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
}
// Ensure all entries in the key sample set are unique. This is a simplistic
// estimate of whether the generated keys appear random.
EXPECT_FALSE(CopiesExist(keys));
}
TEST_F(WebCryptoImplTest, GenerateKeyHmacNoLength) {
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
blink::WebCryptoAlgorithm algorithm =
webcrypto::CreateHmacKeyGenAlgorithm(blink::WebCryptoAlgorithmIdSha1, 0);
ASSERT_TRUE(GenerateKeyInternal(algorithm, &key));
EXPECT_TRUE(key.handle());
EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
}
TEST_F(WebCryptoImplTest, ImportSecretKeyNoAlgorithm) {
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
// This fails because the algorithm is null.
EXPECT_FALSE(ImportKeyInternal(
blink::WebCryptoKeyFormatRaw,
HexStringToBytes("00000000000000000000"),
blink::WebCryptoAlgorithm::createNull(),
true,
blink::WebCryptoKeyUsageEncrypt,
&key));
}
#endif //#if !defined(USE_OPENSSL)
TEST_F(WebCryptoImplTest, ImportJwkFailures) {
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
blink::WebCryptoAlgorithm algorithm =
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc);
blink::WebCryptoKeyUsageMask usage_mask = blink::WebCryptoKeyUsageEncrypt;
// Baseline pass: each test below breaks a single item, so we start with a
// passing case to make sure each failure is caused by the isolated break.
// Each breaking subtest below resets the dictionary to this passing case when
// complete.
base::DictionaryValue dict;
RestoreJwkOctDictionary(&dict);
EXPECT_TRUE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
// Fail on empty JSON.
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(""), algorithm, false, usage_mask, &key));
// Fail on invalid JSON.
const std::vector<uint8> bad_json_vec = MakeJsonVector(
"{"
"\"kty\" : \"oct\","
"\"alg\" : \"HS256\","
"\"use\" : "
);
EXPECT_FALSE(ImportKeyJwk(bad_json_vec, algorithm, false, usage_mask, &key));
// Fail on JWK alg present but unrecognized.
dict.SetString("alg", "A127CBC");
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkOctDictionary(&dict);
// Fail on both JWK and input algorithm missing.
dict.Remove("alg", NULL);
EXPECT_FALSE(ImportKeyJwk(MakeJsonVector(dict),
blink::WebCryptoAlgorithm::createNull(),
false,
usage_mask,
&key));
RestoreJwkOctDictionary(&dict);
// Fail on invalid kty.
dict.SetString("kty", "foo");
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkOctDictionary(&dict);
// Fail on missing kty.
dict.Remove("kty", NULL);
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkOctDictionary(&dict);
// Fail on invalid use.
dict.SetString("use", "foo");
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkOctDictionary(&dict);
}
TEST_F(WebCryptoImplTest, ImportJwkOctFailures) {
base::DictionaryValue dict;
RestoreJwkOctDictionary(&dict);
blink::WebCryptoAlgorithm algorithm =
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc);
blink::WebCryptoKeyUsageMask usage_mask = blink::WebCryptoKeyUsageEncrypt;
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
// Baseline pass.
EXPECT_TRUE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
EXPECT_EQ(algorithm.id(), key.algorithm().id());
EXPECT_FALSE(key.extractable());
EXPECT_EQ(blink::WebCryptoKeyUsageEncrypt, key.usages());
EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
// The following are specific failure cases for when kty = "oct".
// Fail on missing k.
dict.Remove("k", NULL);
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkOctDictionary(&dict);
// Fail on bad b64 encoding for k.
dict.SetString("k", "Qk3f0DsytU8lfza2au #$% Htaw2xpop9GYyTuH0p5GghxTI=");
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkOctDictionary(&dict);
// Fail on empty k.
dict.SetString("k", "");
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkOctDictionary(&dict);
// Fail on k actual length (120 bits) inconsistent with the embedded JWK alg
// value (128) for an AES key.
dict.SetString("k", "AVj42h0Y5aqGtE3yluKL");
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkOctDictionary(&dict);
}
#if !defined(USE_OPENSSL)
TEST_F(WebCryptoImplTest, ImportJwkRsaFailures) {
base::DictionaryValue dict;
RestoreJwkRsaDictionary(&dict);
blink::WebCryptoAlgorithm algorithm =
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
blink::WebCryptoKeyUsageMask usage_mask = blink::WebCryptoKeyUsageEncrypt;
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
// An RSA public key JWK _must_ have an "n" (modulus) and an "e" (exponent)
// entry, while an RSA private key must have those plus at least a "d"
// (private exponent) entry.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-18,
// section 6.3.
// Baseline pass.
EXPECT_TRUE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
EXPECT_EQ(algorithm.id(), key.algorithm().id());
EXPECT_FALSE(key.extractable());
EXPECT_EQ(blink::WebCryptoKeyUsageEncrypt, key.usages());
EXPECT_EQ(blink::WebCryptoKeyTypePublic, key.type());
// The following are specific failure cases for when kty = "RSA".
// Fail if either "n" or "e" is not present or malformed.
const std::string kKtyParmName[] = {"n", "e"};
for (size_t idx = 0; idx < ARRAYSIZE_UNSAFE(kKtyParmName); ++idx) {
// Fail on missing parameter.
dict.Remove(kKtyParmName[idx], NULL);
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkRsaDictionary(&dict);
// Fail on bad b64 parameter encoding.
dict.SetString(kKtyParmName[idx], "Qk3f0DsytU8lfza2au #$% Htaw2xpop9yTuH0");
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkRsaDictionary(&dict);
// Fail on empty parameter.
dict.SetString(kKtyParmName[idx], "");
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkRsaDictionary(&dict);
}
// Fail if "d" parameter is present, implying the JWK is a private key, which
// is not supported.
dict.SetString("d", "Qk3f0Dsyt");
EXPECT_FALSE(ImportKeyJwk(
MakeJsonVector(dict), algorithm, false, usage_mask, &key));
RestoreJwkRsaDictionary(&dict);
}
#endif // #if !defined(USE_OPENSSL)
TEST_F(WebCryptoImplTest, ImportJwkInputConsistency) {
// The Web Crypto spec says that if a JWK value is present, but is
// inconsistent with the input value, the operation must fail.
// Consistency rules when JWK value is not present: Inputs should be used.
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
bool extractable = false;
blink::WebCryptoAlgorithm algorithm =
webcrypto::CreateHmacAlgorithmByHashId(blink::WebCryptoAlgorithmIdSha256);
blink::WebCryptoKeyUsageMask usage_mask = blink::WebCryptoKeyUsageVerify;
base::DictionaryValue dict;
dict.SetString("kty", "oct");
dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3rGB8qwjhdY8vOkbIvh4lxTuMao9Y_--hdg");
std::vector<uint8> json_vec = MakeJsonVector(dict);
EXPECT_TRUE(ImportKeyJwk(json_vec, algorithm, extractable, usage_mask, &key));
EXPECT_TRUE(key.handle());
EXPECT_EQ(blink::WebCryptoKeyTypeSecret, key.type());
EXPECT_EQ(extractable, key.extractable());
EXPECT_EQ(blink::WebCryptoAlgorithmIdHmac, key.algorithm().id());
EXPECT_EQ(blink::WebCryptoAlgorithmIdSha256,
key.algorithm().hmacParams()->hash().id());
EXPECT_EQ(blink::WebCryptoKeyUsageVerify, key.usages());
key = blink::WebCryptoKey::createNull();
// Consistency rules when JWK value exists: Fail if inconsistency is found.
// Pass: All input values are consistent with the JWK values.
dict.Clear();
dict.SetString("kty", "oct");
dict.SetString("alg", "HS256");
dict.SetString("use", "sig");
dict.SetBoolean("extractable", false);
dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3rGB8qwjhdY8vOkbIvh4lxTuMao9Y_--hdg");
json_vec = MakeJsonVector(dict);
EXPECT_TRUE(ImportKeyJwk(json_vec, algorithm, extractable, usage_mask, &key));
// Extractable cases:
// 1. input=T, JWK=F ==> fail (inconsistent)
// 4. input=F, JWK=F ==> pass, result extractable is F
// 2. input=T, JWK=T ==> pass, result extractable is T
// 3. input=F, JWK=T ==> pass, result extractable is F
EXPECT_FALSE(ImportKeyJwk(json_vec, algorithm, true, usage_mask, &key));
EXPECT_TRUE(ImportKeyJwk(json_vec, algorithm, false, usage_mask, &key));
EXPECT_FALSE(key.extractable());
dict.SetBoolean("extractable", true);
EXPECT_TRUE(
ImportKeyJwk(MakeJsonVector(dict), algorithm, true, usage_mask, &key));
EXPECT_TRUE(key.extractable());
EXPECT_TRUE(
ImportKeyJwk(MakeJsonVector(dict), algorithm, false, usage_mask, &key));
EXPECT_FALSE(key.extractable());
dict.SetBoolean("extractable", true); // restore previous value
// Fail: Input algorithm (AES-CBC) is inconsistent with JWK value
// (HMAC SHA256).
EXPECT_FALSE(ImportKeyJwk(
json_vec,
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
extractable,
usage_mask,
&key));
// Fail: Input algorithm (HMAC SHA1) is inconsistent with JWK value
// (HMAC SHA256).
EXPECT_FALSE(ImportKeyJwk(
json_vec,
webcrypto::CreateHmacAlgorithmByHashId(blink::WebCryptoAlgorithmIdSha1),
extractable,
usage_mask,
&key));
// Pass: JWK alg valid but input algorithm isNull: use JWK algorithm value.
EXPECT_TRUE(ImportKeyJwk(json_vec,
blink::WebCryptoAlgorithm::createNull(),
extractable,
usage_mask,
&key));
EXPECT_EQ(blink::WebCryptoAlgorithmIdHmac, algorithm.id());
// Pass: JWK alg missing but input algorithm specified: use input value
dict.Remove("alg", NULL);
EXPECT_TRUE(ImportKeyJwk(
MakeJsonVector(dict),
webcrypto::CreateHmacAlgorithmByHashId(blink::WebCryptoAlgorithmIdSha256),
extractable,
usage_mask,
&key));
EXPECT_EQ(blink::WebCryptoAlgorithmIdHmac, algorithm.id());
dict.SetString("alg", "HS256");
// Fail: Input usage_mask (encrypt) is not a subset of the JWK value
// (sign|verify)
EXPECT_FALSE(ImportKeyJwk(
json_vec, algorithm, extractable, blink::WebCryptoKeyUsageEncrypt, &key));
// Fail: Input usage_mask (encrypt|sign|verify) is not a subset of the JWK
// value (sign|verify)
usage_mask = blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageSign |
blink::WebCryptoKeyUsageVerify;
EXPECT_FALSE(
ImportKeyJwk(json_vec, algorithm, extractable, usage_mask, &key));
usage_mask = blink::WebCryptoKeyUsageSign | blink::WebCryptoKeyUsageVerify;
// TODO(padolph): kty vs alg consistency tests: Depending on the kty value,
// only certain alg values are permitted. For example, when kty = "RSA" alg
// must be of the RSA family, or when kty = "oct" alg must be symmetric
// algorithm.
}
TEST_F(WebCryptoImplTest, ImportJwkHappy) {
// This test verifies the happy path of JWK import, including the application
// of the imported key material.
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
bool extractable = false;
blink::WebCryptoAlgorithm algorithm =
webcrypto::CreateHmacAlgorithmByHashId(blink::WebCryptoAlgorithmIdSha256);
blink::WebCryptoKeyUsageMask usage_mask = blink::WebCryptoKeyUsageSign;
// Import a symmetric key JWK and HMAC-SHA256 sign()
// Uses the first SHA256 test vector from the HMAC sample set above.
base::DictionaryValue dict;
dict.SetString("kty", "oct");
dict.SetString("alg", "HS256");
dict.SetString("use", "sig");
dict.SetBoolean("extractable", false);
dict.SetString("k", "l3nZEgZCeX8XRwJdWyK3rGB8qwjhdY8vOkbIvh4lxTuMao9Y_--hdg");
std::vector<uint8> json_vec = MakeJsonVector(dict);
ASSERT_TRUE(ImportKeyJwk(json_vec, algorithm, extractable, usage_mask, &key));
const std::vector<uint8> message_raw = HexStringToBytes(
"b1689c2591eaf3c9e66070f8a77954ffb81749f1b00346f9dfe0b2ee905dcc288baf4a"
"92de3f4001dd9f44c468c3d07d6c6ee82faceafc97c2fc0fc0601719d2dcd0aa2aec92"
"d1b0ae933c65eb06a03c9c935c2bad0459810241347ab87e9f11adb30415424c6c7f5f"
"22a003b8ab8de54f6ded0e3ab9245fa79568451dfa258e");
blink::WebArrayBuffer output;
ASSERT_TRUE(SignInternal(algorithm, key, message_raw, &output));
const std::string mac_raw =
"769f00d3e6a6cc1fb426a14a4f76c6462e6149726e0dee0ec0cf97a16605ac8b";
ExpectArrayBufferMatchesHex(mac_raw, output);
// TODO(padolph): Import an RSA public key JWK and use it
}
#if !defined(USE_OPENSSL)
TEST_F(WebCryptoImplTest, ImportExportSpki) {
// openssl genrsa -out pair.pem 2048
// openssl rsa -in pair.pem -out pubkey.der -outform DER -pubout
// xxd -p pubkey.der
const std::string hex_rsa_spki_der =
"30820122300d06092a864886f70d01010105000382010f003082010a0282"
"010100f19e40f94e3780858701577a571cca000cb9795db89ddf8e98ab0e"
"5eecfa47516cb08dc591cae5ab7fa43d6db402e95991d4a2de52e7cd3a66"
"4f58284be2eb4675d5a849a2582c585d2b3c6c225a8f2c53a0414d5dbd06"
"172371cefdf953e9ec3000fc9ad000743023f74e82d12aa93917a2c9b832"
"696085ee0711154cf98a6d098f44cee00ea3b7584236503a5483ba8b6792"
"fee588d1a8f4a0618333c4cb3447d760b43d5a0d9ed6ef79763df670cd8b"
"5eb869a20833f1e3e6d8b88240a5d4335c73fd20487f2a7d112af8692357"
"6425e44a273e5ad2e93d6b50a28e65f9e133958e4f0c7d12e0adc90fedd4"
"f6b6848e7b6900666642a08b520a6534a35d4f0203010001";
// Passing case: Import a valid RSA key in SPKI format.
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
ASSERT_TRUE(ImportKeyInternal(
blink::WebCryptoKeyFormatSpki,
HexStringToBytes(hex_rsa_spki_der),
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5),
true,
blink::WebCryptoKeyUsageEncrypt,
&key));
EXPECT_TRUE(key.handle());
EXPECT_EQ(blink::WebCryptoKeyTypePublic, key.type());
EXPECT_TRUE(key.extractable());
EXPECT_EQ(blink::WebCryptoKeyUsageEncrypt, key.usages());
// Failing case: Empty SPKI data
EXPECT_FALSE(ImportKeyInternal(
blink::WebCryptoKeyFormatSpki,
std::vector<uint8>(),
blink::WebCryptoAlgorithm::createNull(),
true,
blink::WebCryptoKeyUsageEncrypt,
&key));
// Failing case: Import RSA key with NULL input algorithm. This is not
// allowed because the SPKI ASN.1 format for RSA keys is not specific enough
// to map to a Web Crypto algorithm.
EXPECT_FALSE(ImportKeyInternal(
blink::WebCryptoKeyFormatSpki,
HexStringToBytes(hex_rsa_spki_der),
blink::WebCryptoAlgorithm::createNull(),
true,
blink::WebCryptoKeyUsageEncrypt,
&key));
// Failing case: Bad DER encoding.
EXPECT_FALSE(ImportKeyInternal(
blink::WebCryptoKeyFormatSpki,
HexStringToBytes("618333c4cb"),
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5),
true,
blink::WebCryptoKeyUsageEncrypt,
&key));
// Failing case: Import RSA key but provide an inconsistent input algorithm.
EXPECT_FALSE(ImportKeyInternal(
blink::WebCryptoKeyFormatSpki,
HexStringToBytes(hex_rsa_spki_der),
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
true,
blink::WebCryptoKeyUsageEncrypt,
&key));
// Passing case: Export a previously imported RSA public key in SPKI format
// and compare to original data.
blink::WebArrayBuffer output;
ASSERT_TRUE(ExportKeyInternal(blink::WebCryptoKeyFormatSpki, key, &output));
ExpectArrayBufferMatchesHex(hex_rsa_spki_der, output);
// Failing case: Try to export a previously imported RSA public key in raw
// format (not allowed for a public key).
EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatRaw, key, &output));
// Failing case: Try to export a non-extractable key
ASSERT_TRUE(ImportKeyInternal(
blink::WebCryptoKeyFormatSpki,
HexStringToBytes(hex_rsa_spki_der),
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5),
false,
blink::WebCryptoKeyUsageEncrypt,
&key));
EXPECT_TRUE(key.handle());
EXPECT_FALSE(key.extractable());
EXPECT_FALSE(ExportKeyInternal(blink::WebCryptoKeyFormatSpki, key, &output));
}
TEST_F(WebCryptoImplTest, ImportPkcs8) {
// The following is a DER-encoded PKCS#8 representation of the RSA key from
// Example 1 of NIST's "Test vectors for RSA PKCS#1 v1.5 Signature".
// ftp://ftp.rsa.com/pub/rsalabs/tmp/pkcs1v15sign-vectors.txt
const std::string hex_rsa_pkcs8_der =
"30820275020100300D06092A864886F70D01010105000482025F3082025B020100028181"
"00A56E4A0E701017589A5187DC7EA841D156F2EC0E36AD52A44DFEB1E61F7AD991D8C510"
"56FFEDB162B4C0F283A12A88A394DFF526AB7291CBB307CEABFCE0B1DFD5CD9508096D5B"
"2B8B6DF5D671EF6377C0921CB23C270A70E2598E6FF89D19F105ACC2D3F0CB35F29280E1"
"386B6F64C4EF22E1E1F20D0CE8CFFB2249BD9A2137020301000102818033A5042A90B27D"
"4F5451CA9BBBD0B44771A101AF884340AEF9885F2A4BBE92E894A724AC3C568C8F97853A"
"D07C0266C8C6A3CA0929F1E8F11231884429FC4D9AE55FEE896A10CE707C3ED7E734E447"
"27A39574501A532683109C2ABACABA283C31B4BD2F53C3EE37E352CEE34F9E503BD80C06"
"22AD79C6DCEE883547C6A3B325024100E7E8942720A877517273A356053EA2A1BC0C94AA"
"72D55C6E86296B2DFC967948C0A72CBCCCA7EACB35706E09A1DF55A1535BD9B3CC34160B"
"3B6DCD3EDA8E6443024100B69DCA1CF7D4D7EC81E75B90FCCA874ABCDE123FD2700180AA"
"90479B6E48DE8D67ED24F9F19D85BA275874F542CD20DC723E6963364A1F9425452B269A"
"6799FD024028FA13938655BE1F8A159CBACA5A72EA190C30089E19CD274A556F36C4F6E1"
"9F554B34C077790427BBDD8DD3EDE2448328F385D81B30E8E43B2FFFA02786197902401A"
"8B38F398FA712049898D7FB79EE0A77668791299CDFA09EFC0E507ACB21ED74301EF5BFD"
"48BE455EAEB6E1678255827580A8E4E8E14151D1510A82A3F2E729024027156ABA4126D2"
"4A81F3A528CBFB27F56886F840A9F6E86E17A44B94FE9319584B8E22FDDE1E5A2E3BD8AA"
"5BA8D8584194EB2190ACF832B847F13A3D24A79F4D";
// Passing case: Import a valid RSA key in PKCS#8 format.
blink::WebCryptoKey key = blink::WebCryptoKey::createNull();
ASSERT_TRUE(ImportKeyInternal(
blink::WebCryptoKeyFormatPkcs8,
HexStringToBytes(hex_rsa_pkcs8_der),
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5),
true,
blink::WebCryptoKeyUsageSign,
&key));
EXPECT_TRUE(key.handle());
EXPECT_EQ(blink::WebCryptoKeyTypePrivate, key.type());
EXPECT_TRUE(key.extractable());
EXPECT_EQ(blink::WebCryptoKeyUsageSign, key.usages());
// Failing case: Empty PKCS#8 data
EXPECT_FALSE(ImportKeyInternal(
blink::WebCryptoKeyFormatPkcs8,
std::vector<uint8>(),
blink::WebCryptoAlgorithm::createNull(),
true,
blink::WebCryptoKeyUsageSign,
&key));
// Failing case: Import RSA key with NULL input algorithm. This is not
// allowed because the PKCS#8 ASN.1 format for RSA keys is not specific enough
// to map to a Web Crypto algorithm.
EXPECT_FALSE(ImportKeyInternal(
blink::WebCryptoKeyFormatPkcs8,
HexStringToBytes(hex_rsa_pkcs8_der),
blink::WebCryptoAlgorithm::createNull(),
true,
blink::WebCryptoKeyUsageSign,
&key));
// Failing case: Bad DER encoding.
EXPECT_FALSE(ImportKeyInternal(
blink::WebCryptoKeyFormatPkcs8,
HexStringToBytes("618333c4cb"),
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5),
true,
blink::WebCryptoKeyUsageSign,
&key));
// Failing case: Import RSA key but provide an inconsistent input algorithm.
EXPECT_FALSE(ImportKeyInternal(
blink::WebCryptoKeyFormatPkcs8,
HexStringToBytes(hex_rsa_pkcs8_der),
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCbc),
true,
blink::WebCryptoKeyUsageSign,
&key));
}
TEST_F(WebCryptoImplTest, GenerateKeyPairRsa) {
// Note: using unrealistic short key lengths here to avoid bogging down tests.
// Successful WebCryptoAlgorithmIdRsaEsPkcs1v1_5 key generation.
const unsigned modulus_length = 256;
const std::vector<uint8> public_exponent = HexStringToBytes("010001");
blink::WebCryptoAlgorithm algorithm = webcrypto::CreateRsaKeyGenAlgorithm(
blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5,
modulus_length,
public_exponent);
bool extractable = false;
const blink::WebCryptoKeyUsageMask usage_mask = 0;
blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
EXPECT_TRUE(GenerateKeyPairInternal(
algorithm, extractable, usage_mask, &public_key, &private_key));
EXPECT_FALSE(public_key.isNull());
EXPECT_FALSE(private_key.isNull());
EXPECT_EQ(blink::WebCryptoKeyTypePublic, public_key.type());
EXPECT_EQ(blink::WebCryptoKeyTypePrivate, private_key.type());
EXPECT_EQ(true, public_key.extractable());
EXPECT_EQ(extractable, private_key.extractable());
EXPECT_EQ(usage_mask, public_key.usages());
EXPECT_EQ(usage_mask, private_key.usages());
// Fail with bad modulus.
algorithm = webcrypto::CreateRsaKeyGenAlgorithm(
blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5, 0, public_exponent);
EXPECT_FALSE(GenerateKeyPairInternal(
algorithm, extractable, usage_mask, &public_key, &private_key));
// Fail with bad exponent: larger than unsigned long.
unsigned exponent_length = sizeof(unsigned long) + 1; // NOLINT
const std::vector<uint8> long_exponent(exponent_length, 0x01);
algorithm = webcrypto::CreateRsaKeyGenAlgorithm(
blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5, modulus_length, long_exponent);
EXPECT_FALSE(GenerateKeyPairInternal(
algorithm, extractable, usage_mask, &public_key, &private_key));
// Fail with bad exponent: empty.
const std::vector<uint8> empty_exponent;
algorithm = webcrypto::CreateRsaKeyGenAlgorithm(
blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5,
modulus_length,
empty_exponent);
EXPECT_FALSE(GenerateKeyPairInternal(
algorithm, extractable, usage_mask, &public_key, &private_key));
// Fail with bad exponent: all zeros.
std::vector<uint8> exponent_with_leading_zeros(15, 0x00);
algorithm = webcrypto::CreateRsaKeyGenAlgorithm(
blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5,
modulus_length,
exponent_with_leading_zeros);
EXPECT_FALSE(GenerateKeyPairInternal(
algorithm, extractable, usage_mask, &public_key, &private_key));
// Key generation success using exponent with leading zeros.
exponent_with_leading_zeros.insert(exponent_with_leading_zeros.end(),
public_exponent.begin(),
public_exponent.end());
algorithm = webcrypto::CreateRsaKeyGenAlgorithm(
blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5,
modulus_length,
exponent_with_leading_zeros);
EXPECT_TRUE(GenerateKeyPairInternal(
algorithm, extractable, usage_mask, &public_key, &private_key));
EXPECT_FALSE(public_key.isNull());
EXPECT_FALSE(private_key.isNull());
EXPECT_EQ(blink::WebCryptoKeyTypePublic, public_key.type());
EXPECT_EQ(blink::WebCryptoKeyTypePrivate, private_key.type());
EXPECT_EQ(true, public_key.extractable());
EXPECT_EQ(extractable, private_key.extractable());
EXPECT_EQ(usage_mask, public_key.usages());
EXPECT_EQ(usage_mask, private_key.usages());
// Successful WebCryptoAlgorithmIdRsaOaep key generation.
algorithm = webcrypto::CreateRsaKeyGenAlgorithm(
blink::WebCryptoAlgorithmIdRsaOaep, modulus_length, public_exponent);
EXPECT_TRUE(GenerateKeyPairInternal(
algorithm, extractable, usage_mask, &public_key, &private_key));
EXPECT_FALSE(public_key.isNull());
EXPECT_FALSE(private_key.isNull());
EXPECT_EQ(blink::WebCryptoKeyTypePublic, public_key.type());
EXPECT_EQ(blink::WebCryptoKeyTypePrivate, private_key.type());
EXPECT_EQ(true, public_key.extractable());
EXPECT_EQ(extractable, private_key.extractable());
EXPECT_EQ(usage_mask, public_key.usages());
EXPECT_EQ(usage_mask, private_key.usages());
// Successful WebCryptoAlgorithmIdRsaSsaPkcs1v1_5 key generation.
algorithm = webcrypto::CreateRsaKeyGenAlgorithm(
blink::WebCryptoAlgorithmIdRsaSsaPkcs1v1_5,
modulus_length,
public_exponent);
EXPECT_TRUE(GenerateKeyPairInternal(
algorithm, extractable, usage_mask, &public_key, &private_key));
EXPECT_FALSE(public_key.isNull());
EXPECT_FALSE(private_key.isNull());
EXPECT_EQ(blink::WebCryptoKeyTypePublic, public_key.type());
EXPECT_EQ(blink::WebCryptoKeyTypePrivate, private_key.type());
EXPECT_EQ(true, public_key.extractable());
EXPECT_EQ(extractable, private_key.extractable());
EXPECT_EQ(usage_mask, public_key.usages());
EXPECT_EQ(usage_mask, private_key.usages());
// Fail SPKI export of private key. This is an ExportKey test, but do it here
// since it is expensive to generate an RSA key pair and we already have a
// private key here.
blink::WebArrayBuffer output;
EXPECT_FALSE(
ExportKeyInternal(blink::WebCryptoKeyFormatSpki, private_key, &output));
}
TEST_F(WebCryptoImplTest, RsaEsRoundTrip) {
// Note: using unrealistic short key length here to avoid bogging down tests.
// Create a key pair.
const unsigned kModulusLength = 256;
blink::WebCryptoAlgorithm algorithm =
CreateRsaKeyGenAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5,
kModulusLength,
HexStringToBytes("010001"));
const blink::WebCryptoKeyUsageMask usage_mask =
blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt;
blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
EXPECT_TRUE(GenerateKeyPairInternal(
algorithm, false, usage_mask, &public_key, &private_key));
EXPECT_FALSE(public_key.isNull());
EXPECT_FALSE(private_key.isNull());
// Make a maximum-length data message. RSAES can operate on messages up to
// length of k - 11 bytes, where k is the octet length of the RSA modulus.
const unsigned kMaxMsgSizeBytes = kModulusLength / 8 - 11;
// There are two hex chars for each byte.
const unsigned kMsgHexSize = kMaxMsgSizeBytes * 2;
char max_data_hex[kMsgHexSize+1];
std::fill(&max_data_hex[0], &max_data_hex[0] + kMsgHexSize, 'a');
max_data_hex[kMsgHexSize] = '\0';
// Verify encrypt / decrypt round trip on a few messages. Note that RSA
// encryption does not support empty input.
algorithm =
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
const char* const kTestDataHex[] = {
"ff",
"0102030405060708090a0b0c0d0e0f",
max_data_hex
};
blink::WebArrayBuffer encrypted_data;
blink::WebArrayBuffer decrypted_data;
for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kTestDataHex); ++i) {
SCOPED_TRACE(i);
ASSERT_TRUE(EncryptInternal(
algorithm,
public_key,
HexStringToBytes(kTestDataHex[i]),
&encrypted_data));
EXPECT_EQ(kModulusLength/8, encrypted_data.byteLength());
ASSERT_TRUE(DecryptInternal(
algorithm,
private_key,
reinterpret_cast<const unsigned char*>(encrypted_data.data()),
encrypted_data.byteLength(),
&decrypted_data));
ExpectArrayBufferMatchesHex(kTestDataHex[i], decrypted_data);
}
}
TEST_F(WebCryptoImplTest, RsaEsKnownAnswer) {
// Because the random data in PKCS1.5 padding makes the encryption output non-
// deterministic, we cannot easily do a typical known-answer test for RSA
// encryption / decryption. Instead we will take a known-good encrypted
// message, decrypt it, re-encrypt it, then decrypt again, verifying that the
// original known cleartext is the result.
// The RSA public and private keys used for this test are produced by the
// openssl command line:
// % openssl genrsa -out pair.pem 1024
// % openssl rsa -in pair.pem -out spki.der -outform DER -pubout
// % openssl pkcs8 -topk8 -inform PEM -outform DER -in pair.pem -out
// pkcs8.der -nocrypt
// % xxd -p spki.der
// % xxd -p pkcs8.der
const std::string rsa_spki_der_hex =
"30819f300d06092a864886f70d010101050003818d0030818902818100a8"
"d30894b93f376f7822229bfd2483e50da944c4ab803ca31979e0f47e70bf"
"683c687c6b3e80f280a237cea3643fd1f7f10f7cc664dbc2ecd45be53e1c"
"9b15a53c37dbdad846c0f8340c472abc7821e4aa7df185867bf38228ac3e"
"cc1d97d3c8b57e21ea6ba57b2bc3814a436e910ee8ab64a0b7743a927e94"
"4d3420401f7dd50203010001";
const std::string rsa_pkcs8_der_hex =
"30820276020100300d06092a864886f70d0101010500048202603082025c"
"02010002818100a8d30894b93f376f7822229bfd2483e50da944c4ab803c"
"a31979e0f47e70bf683c687c6b3e80f280a237cea3643fd1f7f10f7cc664"
"dbc2ecd45be53e1c9b15a53c37dbdad846c0f8340c472abc7821e4aa7df1"
"85867bf38228ac3ecc1d97d3c8b57e21ea6ba57b2bc3814a436e910ee8ab"
"64a0b7743a927e944d3420401f7dd5020301000102818100896cdffb50a0"
"691bd00ad9696933243a7c5861a64684e8d74b91aed0d76c28234da9303e"
"8c6ea2f89b141a9d5ea9a4ddd3d8eb9503dcf05ba0b1fd76060b281e3ae4"
"b9d497fb5519bdf1127db8ad412d6a722686c78df3e3002acca960c6b2a2"
"42a83ace5410693c03ce3d74cb9c9a7bacc8e271812920d1f53fee9312ef"
"4eb1024100d09c14418ce92af7cc62f7cdc79836d8c6e3d0d33e7229cc11"
"d732cbac75aa4c56c92e409a3ccbe75d4ce63ac5adca33080690782c6371"
"e3628134c3534ca603024100cf2d3206f6deea2f39b70351c51f85436200"
"5aa8f643e49e22486736d536e040dc30a2b4f9be3ab212a88d1891280874"
"b9a170cdeb22eaf61c27c4b082c7d1470240638411a5b3b307ec6e744802"
"c2d4ba556f8bfe72c7b76e790b89bd91ac13f5c9b51d04138d80b3450c1d"
"4337865601bf96748b36c8f627be719f71ac3c70b441024065ce92cfe34e"
"a58bf173a2b8f3024b4d5282540ac581957db3e11a7f528535ec098808dc"
"a0013ffcb3b88a25716757c86c540e07d2ad8502cdd129118822c30f0240"
"420a4983040e9db46eb29f1315a0d7b41cf60428f7460fce748e9a1a7d22"
"d7390fa328948e7e9d1724401374e99d45eb41474781201378a4330e8e80"
"8ce63551";
// Similarly, the cleartext and public key encrypted ciphertext for this test
// are also produced by openssl. Note that since we are using a 1024-bit key,
// the cleartext size must be less than or equal to 117 bytes (modulusLength /
// 8 - 11).
// % openssl rand -out cleartext.bin 64
// % openssl rsautl -encrypt -inkey spki.der -keyform DER -pubin -in
// cleartext.bin -out ciphertext.bin
// % xxd -p cleartext.bin
// % xxd -p ciphertext.bin
const std::string cleartext_hex =
"ec358ed141c45d7e03d4c6338aebad718e8bcbbf8f8ee6f8d9f4b9ef06d8"
"84739a398c6bcbc688418b2ff64761dc0ccd40e7d52bed03e06946d0957a"
"eef9e822";
const std::string ciphertext_hex =
"6106441c2b7a4b1a16260ed1ae4fe6135247345dc8e674754bbda6588c6c"
"0d95a3d4d26bb34cdbcbe327723e80343bd7a15cd4c91c3a44e6cb9c6cd6"
"7ad2e8bf41523188d9b36dc364a838642dcbc2c25e85dfb2106ba47578ca"
"3bbf8915055aea4fa7c3cbfdfbcc163f04c234fb6d847f39bab9612ecbee"
"04626e945c3ccf42";
// Import the public key.
const blink::WebCryptoAlgorithm algorithm =
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
ASSERT_TRUE(ImportKeyInternal(
blink::WebCryptoKeyFormatSpki,
HexStringToBytes(rsa_spki_der_hex),
algorithm,
true,
blink::WebCryptoKeyUsageEncrypt,
&public_key));
EXPECT_FALSE(public_key.isNull());
EXPECT_TRUE(public_key.handle());
// Import the private key.
blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
ASSERT_TRUE(ImportKeyInternal(
blink::WebCryptoKeyFormatPkcs8,
HexStringToBytes(rsa_pkcs8_der_hex),
algorithm,
true,
blink::WebCryptoKeyUsageDecrypt,
&private_key));
EXPECT_FALSE(private_key.isNull());
EXPECT_TRUE(private_key.handle());
// Decrypt the known-good ciphertext with the private key. As a check we must
// get the known original cleartext.
blink::WebArrayBuffer decrypted_data;
ASSERT_TRUE(DecryptInternal(
algorithm,
private_key,
HexStringToBytes(ciphertext_hex),
&decrypted_data));
EXPECT_FALSE(decrypted_data.isNull());
ExpectArrayBufferMatchesHex(cleartext_hex, decrypted_data);
// Encrypt this decrypted data with the public key.
blink::WebArrayBuffer encrypted_data;
ASSERT_TRUE(EncryptInternal(
algorithm,
public_key,
reinterpret_cast<const unsigned char*>(decrypted_data.data()),
decrypted_data.byteLength(),
&encrypted_data));
EXPECT_EQ(128u, encrypted_data.byteLength());
// Finally, decrypt the newly encrypted result with the private key, and
// compare to the known original cleartext.
decrypted_data.reset();
ASSERT_TRUE(DecryptInternal(
algorithm,
private_key,
reinterpret_cast<const unsigned char*>(encrypted_data.data()),
encrypted_data.byteLength(),
&decrypted_data));
EXPECT_FALSE(decrypted_data.isNull());
ExpectArrayBufferMatchesHex(cleartext_hex, decrypted_data);
}
TEST_F(WebCryptoImplTest, RsaEsFailures) {
// Note: using unrealistic short key length here to avoid bogging down tests.
// Create a key pair.
const unsigned kModulusLength = 256;
blink::WebCryptoAlgorithm algorithm =
CreateRsaKeyGenAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5,
kModulusLength,
HexStringToBytes("010001"));
const blink::WebCryptoKeyUsageMask usage_mask =
blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt;
blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
EXPECT_TRUE(GenerateKeyPairInternal(
algorithm, false, usage_mask, &public_key, &private_key));
EXPECT_FALSE(public_key.isNull());
EXPECT_FALSE(private_key.isNull());
// Fail encrypt with a private key.
algorithm =
webcrypto::CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5);
blink::WebArrayBuffer encrypted_data;
const std::string message_hex_str("0102030405060708090a0b0c0d0e0f");
const std::vector<uint8> message_hex(HexStringToBytes(message_hex_str));
EXPECT_FALSE(
EncryptInternal(algorithm, private_key, message_hex, &encrypted_data));
// Fail encrypt with empty message.
EXPECT_FALSE(EncryptInternal(
algorithm, public_key, std::vector<uint8>(), &encrypted_data));
// Fail encrypt with message too large. RSAES can operate on messages up to
// length of k - 11 bytes, where k is the octet length of the RSA modulus.
const unsigned kMaxMsgSizeBytes = kModulusLength / 8 - 11;
EXPECT_FALSE(EncryptInternal(algorithm,
public_key,
std::vector<uint8>(kMaxMsgSizeBytes + 1, '0'),
&encrypted_data));
// Generate encrypted data.
EXPECT_TRUE(
EncryptInternal(algorithm, public_key, message_hex, &encrypted_data));
// Fail decrypt with a public key.
blink::WebArrayBuffer decrypted_data;
EXPECT_FALSE(DecryptInternal(
algorithm,
public_key,
reinterpret_cast<const unsigned char*>(encrypted_data.data()),
encrypted_data.byteLength(),
&decrypted_data));
// Corrupt encrypted data; ensure decrypt fails because padding was disrupted.
std::vector<uint8> corrupted_data(
static_cast<uint8*>(encrypted_data.data()),
static_cast<uint8*>(encrypted_data.data()) + encrypted_data.byteLength());
corrupted_data[corrupted_data.size() / 2] ^= 0x01;
EXPECT_FALSE(
DecryptInternal(algorithm, private_key, corrupted_data, &decrypted_data));
// TODO(padolph): Are there other specific data corruption scenarios to
// consider?
// Do a successful decrypt with good data just for confirmation.
EXPECT_TRUE(DecryptInternal(
algorithm,
private_key,
reinterpret_cast<const unsigned char*>(encrypted_data.data()),
encrypted_data.byteLength(),
&decrypted_data));
ExpectArrayBufferMatchesHex(message_hex_str, decrypted_data);
}
#endif // #if !defined(USE_OPENSSL)
} // namespace content