Chromium Code Reviews Chromium Code Reviews
Issue 7756025:
Changed OAuth token+secret encryption to use supplemental user key. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/login/parallel_authenticator.h" | 5 #include "chrome/browser/chromeos/login/parallel_authenticator.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| 11 #include "base/file_path.h" | 11 #include "base/file_path.h" |
| 12 #include "base/file_util.h" | 12 #include "base/file_util.h" |
| 13 #include "base/logging.h" | 13 #include "base/logging.h" |
| 14 #include "base/path_service.h" | 14 #include "base/path_service.h" |
| 15 #include "base/rand_util.h" | 15 #include "base/rand_util.h" |
| 16 #include "base/string_number_conversions.h" | 16 #include "base/string_number_conversions.h" |
| 17 #include "base/string_util.h" | 17 #include "base/string_util.h" |
| 18 #include "base/synchronization/lock.h" | 18 #include "base/synchronization/lock.h" |
| 19 #include "chrome/browser/chromeos/cros/cert_library.h" | |
| 19 #include "chrome/browser/chromeos/cros/cryptohome_library.h" | 20 #include "chrome/browser/chromeos/cros/cryptohome_library.h" |
| 20 #include "chrome/browser/chromeos/login/auth_response_handler.h" | 21 #include "chrome/browser/chromeos/login/auth_response_handler.h" |
| 21 #include "chrome/browser/chromeos/login/authentication_notification_details.h" | 22 #include "chrome/browser/chromeos/login/authentication_notification_details.h" |
| 22 #include "chrome/browser/chromeos/login/login_status_consumer.h" | 23 #include "chrome/browser/chromeos/login/login_status_consumer.h" |
| 23 #include "chrome/browser/chromeos/login/ownership_service.h" | 24 #include "chrome/browser/chromeos/login/ownership_service.h" |
| 24 #include "chrome/browser/chromeos/login/user_manager.h" | 25 #include "chrome/browser/chromeos/login/user_manager.h" |
| 25 #include "chrome/browser/profiles/profile.h" | 26 #include "chrome/browser/profiles/profile.h" |
| 26 #include "chrome/browser/profiles/profile_manager.h" | 27 #include "chrome/browser/profiles/profile_manager.h" |
| 27 #include "chrome/common/chrome_notification_types.h" | 28 #include "chrome/common/chrome_notification_types.h" |
| 28 #include "chrome/common/chrome_paths.h" | 29 #include "chrome/common/chrome_paths.h" |
| (...skipping 655 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 684 SetLocalaccount(localaccount); | 685 SetLocalaccount(localaccount); |
| 685 } | 686 } |
| 686 | 687 |
| 687 void ParallelAuthenticator::SetLocalaccount(const std::string& new_name) { | 688 void ParallelAuthenticator::SetLocalaccount(const std::string& new_name) { |
| 688 localaccount_ = new_name; | 689 localaccount_ = new_name; |
| 689 { // extra braces for clarity about AutoLock scope. | 690 { // extra braces for clarity about AutoLock scope. |
| 690 base::AutoLock for_this_block(localaccount_lock_); | 691 base::AutoLock for_this_block(localaccount_lock_); |
| 691 checked_for_localaccount_ = true; | 692 checked_for_localaccount_ = true; |
| 692 } | 693 } |
| 693 } | 694 } |
| 694 | |
| 695 std::string ParallelAuthenticator::EncryptToken(const std::string& token) { | 695 std::string ParallelAuthenticator::EncryptToken(const std::string& token) { |
| 696 // TODO(zelidrag): Replace salt with | 696 std::string encoded_token; |
| 697 scoped_ptr<crypto::SymmetricKey> key( | 697 if (!CrosLibrary::Get()->GetCertLibrary()->EncryptWithSupplementalUserKey( |
| 698 crypto::SymmetricKey::DeriveKeyFromPassword( | 698 token, &encoded_token)) { |
| 699 crypto::SymmetricKey::AES, UserSupplementalKeyAsAscii(), | |
| 700 SaltAsAscii(), 1000, 256)); | |
| 701 crypto::Encryptor encryptor; | |
| 702 if (!encryptor.Init(key.get(), crypto::Encryptor::CTR, std::string())) | |
| 703 return std::string(); | 699 return std::string(); |
| 704 | 700 } |
| 705 std::string nonce = SaltAsAscii().substr(0, kKeySize); | |
| 706 std::string encoded_token; | |
| 707 CHECK(encryptor.SetCounter(nonce)); | |
| 708 if (!encryptor.Encrypt(token, &encoded_token)) | |
| 709 return std::string(); | |
| 710 | |
| 711 return StringToLowerASCII(base::HexEncode( | 701 return StringToLowerASCII(base::HexEncode( |
| 712 reinterpret_cast<const void*>(encoded_token.data()), | 702 reinterpret_cast<const void*>(encoded_token.data()), |
| 713 encoded_token.size())); | 703 encoded_token.size())); |
| 714 } | 704 } |
| 715 | 705 |
| 716 std::string ParallelAuthenticator::DecryptToken( | 706 std::string ParallelAuthenticator::DecryptToken( |
| 717 const std::string& encrypted_token_hex) { | 707 const std::string& encrypted_token_hex) { |
| 718 std::vector<uint8> encrypted_token_bytes; | 708 std::vector<uint8> encrypted_token_bytes; |
| 719 if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) | 709 if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) |
| 720 return std::string(); | 710 return std::string(); |
| 711 std::string encrypted_token( | |
| 712 reinterpret_cast<char*>(encrypted_token_bytes.data()), | |
| 713 encrypted_token_bytes.size()); | |
|
wtc
2011/09/02 22:31:08
Nit: this argument should be left-aligned with the
zel
2011/09/03 01:52:22
Done.
| |
| 714 std::string token; | |
| 715 if (!CrosLibrary::Get()->GetCertLibrary()->DecryptWithSupplementalUserKey( | |
| 716 encrypted_token, &token)) { | |
| 717 return std::string(); | |
| 718 } | |
| 719 return token; | |
| 720 } | |
| 721 | |
| 722 std::string ParallelAuthenticator::DecryptLegacyToken( | |
| 723 const std::string& encrypted_token_hex) { | |
| 724 std::vector<uint8> encrypted_token_bytes; | |
| 725 if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) | |
| 726 return std::string(); | |
| 721 | 727 |
| 722 std::string encrypted_token( | 728 std::string encrypted_token( |
| 723 reinterpret_cast<char*>(encrypted_token_bytes.data()), | 729 reinterpret_cast<char*>(encrypted_token_bytes.data()), |
| 724 encrypted_token_bytes.size()); | 730 encrypted_token_bytes.size()); |
| 725 scoped_ptr<crypto::SymmetricKey> key( | 731 scoped_ptr<crypto::SymmetricKey> key( |
| 726 crypto::SymmetricKey::DeriveKeyFromPassword( | 732 crypto::SymmetricKey::DeriveKeyFromPassword( |
| 727 crypto::SymmetricKey::AES, UserSupplementalKeyAsAscii(), | 733 crypto::SymmetricKey::AES, UserSupplementalKeyAsAscii(), |
| 728 SaltAsAscii(), 1000, 256)); | 734 SaltAsAscii(), 1000, 256)); |
| 729 crypto::Encryptor encryptor; | 735 crypto::Encryptor encryptor; |
| 730 if (!encryptor.Init(key.get(), crypto::Encryptor::CTR, std::string())) | 736 if (!encryptor.Init(key.get(), crypto::Encryptor::CTR, std::string())) |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 768 } | 774 } |
| 769 | 775 |
| 770 void ParallelAuthenticator::ResolveLoginCompletionStatus() { | 776 void ParallelAuthenticator::ResolveLoginCompletionStatus() { |
| 771 // Shortcut online state resolution process. | 777 // Shortcut online state resolution process. |
| 772 current_state_->RecordOnlineLoginStatus(GaiaAuthConsumer::ClientLoginResult(), | 778 current_state_->RecordOnlineLoginStatus(GaiaAuthConsumer::ClientLoginResult(), |
| 773 LoginFailure::None()); | 779 LoginFailure::None()); |
| 774 Resolve(); | 780 Resolve(); |
| 775 } | 781 } |
| 776 | 782 |
| 777 } // namespace chromeos | 783 } // namespace chromeos |
| OLD | NEW |
