Shaving parallel authenticator yak to remove unnecessary dependency on this class from OAuth spec...

chrome/browser/chromeos/cros/cert_library.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/cert_library.h"
 
 #include <algorithm>
 
 #include "base/observer_list_threadsafe.h"
+#include "base/string_number_conversions.h"
+#include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "chrome/browser/browser_process.h"  // g_browser_process
+#include "chrome/browser/chromeos/cros/cros_library.h"
+#include "chrome/browser/chromeos/cros/cryptohome_library.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
 #include "chrome/common/net/x509_certificate_model.h"
 #include "content/public/browser/browser_thread.h"
+#include "crypto/encryptor.h"
 #include "crypto/nss_util.h"
+#include "crypto/sha2.h"
+#include "crypto/symmetric_key.h"
 #include "grit/generated_resources.h"
 #include "net/base/cert_database.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/base/l10n/l10n_util_collator.h"
 #include "unicode/coll.h"  // icu::Collator
 
 using content::BrowserThread;
 
 //////////////////////////////////////////////////////////////////////////////
 
 namespace {
 
 // Root CA certificates that are built into Chrome use this token name.
 const char kRootCertificateTokenName[] = "Builtin Object Token";
 
 // Delay between certificate requests while waiting for TPM/PKCS#11 init.
 const int kRequestDelayMs = 500;
 
+const size_t kKeySize = 16;
+
+// Decrypts (AES) hex encoded encrypted token given |key| and |salt|.
+std::string DecryptTokenWithKey(
+    crypto::SymmetricKey* key,
+    const std::string& salt,
+    const std::string& encrypted_token_hex) {
+  std::vector<uint8> encrypted_token_bytes;
+  if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes))
+    return std::string();
+
+  std::string encrypted_token(
+      reinterpret_cast<char*>(encrypted_token_bytes.data()),
+      encrypted_token_bytes.size());
+  crypto::Encryptor encryptor;
+  if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string()))
+    return std::string();
+
+  std::string nonce = salt.substr(0, kKeySize);
+  std::string token;
+  CHECK(encryptor.SetCounter(nonce));
+  if (!encryptor.Decrypt(encrypted_token, &token))
+    return std::string();
+  return token;
+}
+
 string16 GetDisplayString(net::X509Certificate* cert, bool hardware_backed) {
   std::string org;
   if (!cert->subject().organization_names.empty())
     org = cert->subject().organization_names[0];
   if (org.empty())
     org = cert->subject().GetDisplayName();
   string16 issued_by = UTF8ToUTF16(
       x509_certificate_model::GetIssuerCommonName(cert->os_cert_handle(),
                                                   org));  // alternative text
   string16 issued_to = UTF8ToUTF16(
@@ skipping 49 matching lines @@
 
   // CertLibrary implementation.
   virtual void RequestCertificates() OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
     if (!UserManager::Get()->user_is_logged_in()) {
       // If we are not logged in, we cannot load any certificates.
       // Set 'loaded' to true for the UI, since we are not waiting on loading.
       LOG(WARNING) << "Requesting certificates before login.";
       certificates_loaded_ = true;
       return;

[Nikita (slow), 2011/12/01 14:34:13]

Perhaps add supplemental_user_key_.reset(NULL); here too?

[zel, 2011/12/02 02:35:23]

Done.

     }
 
     if (!user_logged_in_) {
       user_logged_in_ = true;
       certificates_loaded_ = false;
+      supplemental_user_key_.reset(NULL);
     }
 
     VLOG(1) << "Requesting Certificates.";
 
     // Need TPM token name to filter user certificates.
     // TODO(stevenjb): crypto::EnsureTPMTokenReady() may block if init has
     // not succeeded. It is not clear whether or not TPM / PKCS#11 init can
     // be done safely on a non blocking thread. Blocking time is low.
     if (crypto::EnsureTPMTokenReady()) {
       std::string unused_pin;
@@ skipping 53 matching lines @@
   virtual const CertList& GetServerCertificates() const OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
     return server_certs_;
   }
 
   virtual const CertList& GetCACertificates() const OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
     return server_ca_certs_;
   }
 
-  virtual crypto::SymmetricKey* GetSupplementalUserKey() const {
-    return crypto::GetSupplementalUserKey();
+  virtual std::string EncryptToken(const std::string& token) OVERRIDE {
+    if (!LoadSupplementalUserKey())
+      return std::string();
+    crypto::Encryptor encryptor;
+    if (!encryptor.Init(supplemental_user_key_.get(), crypto::Encryptor::CTR,
+                        std::string()))
+      return std::string();
+    std::string salt =
+        CrosLibrary::Get()->GetCryptohomeLibrary()->GetSystemSalt();
+    std::string nonce = salt.substr(0, kKeySize);
+    std::string encoded_token;
+    CHECK(encryptor.SetCounter(nonce));
+    if (!encryptor.Encrypt(token, &encoded_token))
+      return std::string();
+
+    return StringToLowerASCII(base::HexEncode(
+        reinterpret_cast<const void*>(encoded_token.data()),
+        encoded_token.size()));
+  }
+
+  virtual std::string DecryptToken(
+      const std::string& encrypted_token_hex) OVERRIDE {
+    if (!LoadSupplementalUserKey())
+      return std::string();
+    return DecryptTokenWithKey(supplemental_user_key_.get(),
+        CrosLibrary::Get()->GetCryptohomeLibrary()->GetSystemSalt(),
+        encrypted_token_hex);
   }
 
   // net::CertDatabase::Observer implementation. Observer added on UI thread.
   virtual void OnCertTrustChanged(const net::X509Certificate* cert) OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   }
 
   virtual void OnUserCertAdded(const net::X509Certificate* cert) OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
     VLOG(1) << "Certificate Added.";
@@ skipping 118 matching lines @@
 
     // Set loaded state and notify observers.
     if (!certificates_loaded_) {
       certificates_loaded_ = true;
       NotifyCertificatesLoaded(true);
     } else {
       NotifyCertificatesLoaded(false);
     }
   }
 
+  bool LoadSupplementalUserKey() {
+    if (!user_logged_in_) {
+      // If we are not logged in, we cannot load any certificates.
+      // Set 'loaded' to true for the UI, since we are not waiting on loading.
+      LOG(WARNING) << "Requesting supplemental use key before login.";
+      return false;
+    }
+    if (!supplemental_user_key_.get()) {
+      supplemental_user_key_.reset(crypto::GetSupplementalUserKey());
+    }
+    return supplemental_user_key_.get() != NULL;
+  }
+
   // Observers.
   const scoped_refptr<CertLibraryObserverList> observer_list_;
 
   // Active request task for re-requests while waiting for TPM init.
   base::Closure request_task_;
 
   // Cached TPM token name.
   std::string tpm_token_name_;
 
+  // Supplemental user key.
+  scoped_ptr<crypto::SymmetricKey> supplemental_user_key_;
+
   // Local state.
   bool user_logged_in_;
   bool certificates_loaded_;
 
   // Certificates.
   CertList certs_;
   CertList user_certs_;
   CertList server_certs_;
   CertList server_ca_certs_;
 
@@ skipping 62 matching lines @@
     net::X509Certificate* cert = GetCertificateAt(index);
     net::X509Certificate::OSCertHandle cert_handle = cert->os_cert_handle();
     std::string id = x509_certificate_model::GetPkcs11Id(cert_handle);
     if (id == pkcs11_id)
       return index;
   }
   return -1;  // Not found.
 }
 
 }  // chromeos