[webcrypto] Fix a bug where generated RSA private keys couldn't be ex…

…ported or cloned. BUG=245025 R=rsleevi@chromium.org, wtc@chromium.org Review URL: https://codereview.chromium.org/213423007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@260100 0039d316-1c4b-4281-b951-d872f2087c98
cbchan · Mar 28, 2014 · 75d6d67 · 75d6d67
1 parent cd00f8a
commit 75d6d67
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 2 deletions.
diff --git a/content/child/webcrypto/platform_crypto_nss.cc b/content/child/webcrypto/platform_crypto_nss.cc
@@ -1164,7 +1164,11 @@ Status GenerateRsaKeyPair(const blink::WebCryptoAlgorithm& algorithm,
   }
   const CK_FLAGS operation_flags_mask =
       CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_WRAP | CKF_UNWRAP;
-  const PK11AttrFlags attribute_flags = 0;  // Default all PK11_ATTR_ flags.
+
+  // The private key must be marked as insensitive and extractable, otherwise it
+  // cannot later be exported in unencrypted form or structured-cloned.
+  const PK11AttrFlags attribute_flags =
+      PK11_ATTR_INSENSITIVE | PK11_ATTR_EXTRACTABLE;
 
   // Note: NSS does not generate an sec_public_key if the call below fails,
   // so there is no danger of a leaked sec_public_key.

diff --git a/content/child/webcrypto/shared_crypto_unittest.cc b/content/child/webcrypto/shared_crypto_unittest.cc
@@ -1895,7 +1895,7 @@ TEST_F(SharedCryptoTest, MAYBE(GenerateKeyPairRsa)) {
       CreateRsaKeyGenAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5,
                                modulus_length,
                                public_exponent);
-  bool extractable = false;
+  bool extractable = true;
   const blink::WebCryptoKeyUsageMask usage_mask = 0;
   blink::WebCryptoKey public_key = blink::WebCryptoKey::createNull();
   blink::WebCryptoKey private_key = blink::WebCryptoKey::createNull();
@@ -1910,6 +1910,36 @@ TEST_F(SharedCryptoTest, MAYBE(GenerateKeyPairRsa)) {
   EXPECT_EQ(usage_mask, public_key.usages());
   EXPECT_EQ(usage_mask, private_key.usages());
 
+  // Try exporting the generated key pair, and then re-importing to verify that
+  // the exported data was valid.
+  blink::WebArrayBuffer public_key_spki;
+  EXPECT_STATUS_SUCCESS(
+      ExportKey(blink::WebCryptoKeyFormatSpki, public_key, &public_key_spki));
+  public_key = blink::WebCryptoKey::createNull();
+  EXPECT_STATUS_SUCCESS(
+      ImportKey(blink::WebCryptoKeyFormatSpki,
+                CryptoData(public_key_spki),
+                CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5),
+                true,
+                usage_mask,
+                &public_key));
+  EXPECT_EQ(modulus_length,
+            public_key.algorithm().rsaParams()->modulusLengthBits());
+
+  blink::WebArrayBuffer private_key_pkcs8;
+  EXPECT_STATUS_SUCCESS(ExportKey(
+      blink::WebCryptoKeyFormatPkcs8, private_key, &private_key_pkcs8));
+  private_key = blink::WebCryptoKey::createNull();
+  EXPECT_STATUS_SUCCESS(
+      ImportKey(blink::WebCryptoKeyFormatPkcs8,
+                CryptoData(private_key_pkcs8),
+                CreateAlgorithm(blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5),
+                true,
+                usage_mask,
+                &private_key));
+  EXPECT_EQ(modulus_length,
+            private_key.algorithm().rsaParams()->modulusLengthBits());
+
   // Fail with bad modulus.
   algorithm = CreateRsaKeyGenAlgorithm(
       blink::WebCryptoAlgorithmIdRsaEsPkcs1v1_5, 0, public_exponent);