| Index: chrome/browser/policy/cloud_policy_validator.cc
|
| diff --git a/chrome/browser/policy/cloud_policy_validator.cc b/chrome/browser/policy/cloud_policy_validator.cc
|
| index 6609cb91371345dbc9d0864886f50f27c10f956e..8ee7841cff4164e2d9c3d82cd2b4db9b3ab8fba0 100644
|
| --- a/chrome/browser/policy/cloud_policy_validator.cc
|
| +++ b/chrome/browser/policy/cloud_policy_validator.cc
|
| @@ -35,13 +35,15 @@ const uint8 kSignatureAlgorithm[] = {
|
| CloudPolicyValidatorBase::~CloudPolicyValidatorBase() {}
|
|
|
| void CloudPolicyValidatorBase::ValidateTimestamp(base::Time not_before,
|
| - base::Time now) {
|
| + base::Time now,
|
| + bool allow_missing_timestamp) {
|
| // Timestamp should be from the past. We allow for a 1-minute grace interval
|
| // to cover clock drift.
|
| validation_flags_ |= VALIDATE_TIMESTAMP;
|
| timestamp_not_before_ = not_before;
|
| timestamp_not_after_ =
|
| now + base::TimeDelta::FromSeconds(kTimestampGraceIntervalSeconds);
|
| + allow_missing_timestamp_ = allow_missing_timestamp;
|
| }
|
|
|
| void CloudPolicyValidatorBase::ValidateUsername(
|
| @@ -71,9 +73,11 @@ void CloudPolicyValidatorBase::ValidatePayload() {
|
| validation_flags_ |= VALIDATE_PAYLOAD;
|
| }
|
|
|
| -void CloudPolicyValidatorBase::ValidateSignature(const std::string& key) {
|
| +void CloudPolicyValidatorBase::ValidateSignature(const std::string& key,
|
| + bool allow_key_rotation) {
|
| validation_flags_ |= VALIDATE_SIGNATURE;
|
| key_ = key;
|
| + allow_key_rotation_ = allow_key_rotation;
|
| }
|
|
|
| void CloudPolicyValidatorBase::ValidateInitialKey() {
|
| @@ -81,7 +85,8 @@ void CloudPolicyValidatorBase::ValidateInitialKey() {
|
| }
|
|
|
| void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(
|
| - const em::PolicyData* policy_data) {
|
| + const em::PolicyData* policy_data,
|
| + bool allow_missing_timestamp) {
|
| base::Time last_policy_timestamp;
|
| std::string expected_dm_token;
|
| if (policy_data) {
|
| @@ -90,7 +95,8 @@ void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(
|
| base::TimeDelta::FromMilliseconds(policy_data->timestamp());
|
| expected_dm_token = policy_data->request_token();
|
| }
|
| - ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime());
|
| + ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime(),
|
| + allow_missing_timestamp);
|
| if (!expected_dm_token.empty())
|
| ValidateDMToken(expected_dm_token);
|
| }
|
| @@ -179,7 +185,7 @@ void CloudPolicyValidatorBase::RunChecks() {
|
|
|
| CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckSignature() {
|
| std::string signature_key(key_);
|
| - if (policy_->has_new_public_key()) {
|
| + if (policy_->has_new_public_key() && allow_key_rotation_) {
|
| signature_key = policy_->new_public_key();
|
| if (!policy_->has_new_public_key_signature() ||
|
| !VerifySignature(policy_->new_public_key(), key_,
|
| @@ -222,13 +228,18 @@ CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckPolicyType() {
|
| }
|
|
|
| CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() {
|
| + if (!policy_data_->has_timestamp()) {
|
| + if (allow_missing_timestamp_) {
|
| + return VALIDATION_OK;
|
| + } else {
|
| + LOG(ERROR) << "Policy timestamp missing";
|
| + return VALIDATION_BAD_TIMESTAMP;
|
| + }
|
| + }
|
| +
|
| base::Time policy_time =
|
| base::Time::UnixEpoch() +
|
| base::TimeDelta::FromMilliseconds(policy_data_->timestamp());
|
| - if (!policy_data_->has_timestamp()) {
|
| - LOG(ERROR) << "Policy timestamp missing";
|
| - return VALIDATION_BAD_TIMESTAMP;
|
| - }
|
| if (policy_time < timestamp_not_before_) {
|
| LOG(ERROR) << "Policy too old: " << policy_data_->timestamp();
|
| return VALIDATION_BAD_TIMESTAMP;
|
|
|