Changed OAuth token+secret encryption to use supplemental user key.

chrome/browser/chromeos/login/parallel_authenticator.cc

Index: chrome/browser/chromeos/login/parallel_authenticator.cc
===================================================================
--- chrome/browser/chromeos/login/parallel_authenticator.cc	(revision 99168)
+++ chrome/browser/chromeos/login/parallel_authenticator.cc	(working copy)
@@ -16,6 +16,7 @@
 #include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "base/synchronization/lock.h"
+#include "chrome/browser/chromeos/cros/cert_library.h"
 #include "chrome/browser/chromeos/cros/cryptohome_library.h"
 #include "chrome/browser/chromeos/login/auth_response_handler.h"
 #include "chrome/browser/chromeos/login/authentication_notification_details.h"
@@ -46,6 +47,36 @@
 using file_util::ReadFile;
 using file_util::ReadFileToString;
 
+namespace {
+
+const int kPassHashLen = 32;
+const size_t kKeySize = 16;
+
+std::string DecryptTokenWithKey(

[wtc, 2011/09/06 21:35:17]

Nit: as recommended by the Style Guide, it'd be nice to
add a comment to document what this function does.  At
least say it is the code common to DecryptToken and
DecryptLegacyToken.

[zel, 2011/09/06 22:33:35]

Done.

+    crypto::SymmetricKey* key,
+    const std::string& salt,
+    const std::string& encrypted_token_hex) {
+  std::vector<uint8> encrypted_token_bytes;
+  if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes))
+    return std::string();
+
+  std::string encrypted_token(
+      reinterpret_cast<char*>(encrypted_token_bytes.data()),
+      encrypted_token_bytes.size());
+  crypto::Encryptor encryptor;
+  if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string()))
+    return std::string();
+
+  std::string nonce = salt.substr(0, kKeySize);
+  std::string token;
+  CHECK(encryptor.SetCounter(nonce));
+  if (!encryptor.Decrypt(encrypted_token, &token))
+    return std::string();
+  return token;
+}
+
+}   // namespace
+
 namespace chromeos {
 
 // static
@@ -56,9 +87,6 @@
 // static
 const int ParallelAuthenticator::kLocalaccountRetryIntervalMs = 20;
 
-const int kPassHashLen = 32;
-const size_t kKeySize = 16;
-
 ParallelAuthenticator::ParallelAuthenticator(LoginStatusConsumer* consumer)
     : Authenticator(consumer),
       already_reported_success_(false),
@@ -662,6 +690,15 @@
   CHECK_EQ(system_salt_.size() % 2, 0U);
 }
 
+bool ParallelAuthenticator::LoadSupplementalUserKey() {
+  if (!supplemental_user_key_.get()) {
+    supplemental_user_key_.reset(
+        CrosLibrary::Get()->GetCertLibrary()->GetSupplementalUserKey());
+  }
+  return supplemental_user_key_.get() != NULL;
+}
+
+
 void ParallelAuthenticator::LoadLocalaccount(const std::string& filename) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE));
   {
@@ -693,13 +730,11 @@
 }
 
 std::string ParallelAuthenticator::EncryptToken(const std::string& token) {
-  // TODO(zelidrag): Replace salt with
-  scoped_ptr<crypto::SymmetricKey> key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
-          crypto::SymmetricKey::AES, UserSupplementalKeyAsAscii(),
-          SaltAsAscii(), 1000, 256));
+  if (!LoadSupplementalUserKey())
+    return std::string();
   crypto::Encryptor encryptor;
-  if (!encryptor.Init(key.get(), crypto::Encryptor::CTR, std::string()))
+  if (!encryptor.Init(supplemental_user_key_.get(), crypto::Encryptor::CTR,
+                      std::string()))
     return std::string();
 
   std::string nonce = SaltAsAscii().substr(0, kKeySize);
@@ -712,33 +747,24 @@
       reinterpret_cast<const void*>(encoded_token.data()),
       encoded_token.size()));
 }
-
 std::string ParallelAuthenticator::DecryptToken(
     const std::string& encrypted_token_hex) {
-  std::vector<uint8> encrypted_token_bytes;
-  if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes))
+  if (!LoadSupplementalUserKey())
     return std::string();
+  return DecryptTokenWithKey(supplemental_user_key_.get(),
+                             SaltAsAscii(),
+                             encrypted_token_hex);
+}
 
-  std::string encrypted_token(
-      reinterpret_cast<char*>(encrypted_token_bytes.data()),
-                              encrypted_token_bytes.size());
+std::string ParallelAuthenticator::DecryptLegacyToken(
+    const std::string& encrypted_token_hex) {
   scoped_ptr<crypto::SymmetricKey> key(
       crypto::SymmetricKey::DeriveKeyFromPassword(
           crypto::SymmetricKey::AES, UserSupplementalKeyAsAscii(),
           SaltAsAscii(), 1000, 256));
-  crypto::Encryptor encryptor;
-  if (!encryptor.Init(key.get(), crypto::Encryptor::CTR, std::string()))
-    return std::string();
-
-  std::string nonce = SaltAsAscii().substr(0, kKeySize);
-  std::string token;
-  CHECK(encryptor.SetCounter(nonce));
-  if (!encryptor.Decrypt(encrypted_token, &token))
-    return std::string();
-  return token;
+  return DecryptTokenWithKey(key.get(), SaltAsAscii(), encrypted_token_hex);
 }
 
-
 std::string ParallelAuthenticator::HashPassword(const std::string& password) {
   // Get salt, ascii encode, update sha with that, then update with ascii
   // of password, then end.