Added support for signed policy blobs on desktop.

chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/file_util.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
 #include "base/sequenced_task_runner.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
 #include "chrome/browser/chromeos/policy/user_policy_disk_cache.h"
 #include "chrome/browser/chromeos/policy/user_policy_token_loader.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/session_manager_client.h"
+#include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "policy/proto/cloud_policy.pb.h"
 #include "policy/proto/device_management_local.pb.h"
 
 namespace em = enterprise_management;
 
 namespace policy {
 
 namespace {
 
@@ skipping 217 matching lines @@
   policy_key_path_ = user_policy_key_dir_.Append(
       base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
   LoadPolicyKey(policy_key_path_, &policy_key_);
   policy_key_loaded_ = true;
 
   scoped_ptr<UserCloudPolicyValidator> validator =
       CreateValidator(policy.Pass(),
                       CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
   validator->ValidateUsername(username_);
   const bool allow_rotation = false;
-  validator->ValidateSignature(policy_key_, allow_rotation);
+  validator->ValidateSignature(
+      policy_key_,
+      GetPolicyVerificationKey(),
+      std::string(), // No signature verification needed.
+      allow_rotation);
   validator->RunValidation();
   OnRetrievedPolicyValidated(validator.get());
 }
 
 void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
     scoped_ptr<em::PolicyFetchResponse> policy) {
   // Create and configure a validator.
   scoped_ptr<UserCloudPolicyValidator> validator =
       CreateValidator(policy.Pass(),
                       CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
   validator->ValidateUsername(username_);
   if (policy_key_.empty()) {
-    validator->ValidateInitialKey();
+    validator->ValidateInitialKey(GetPolicyVerificationKey());
   } else {
     const bool allow_rotation = true;
-    validator->ValidateSignature(policy_key_, allow_rotation);
+    validator->ValidateSignature(policy_key_,
+                                 GetPolicyVerificationKey(),
+                                 std::string(),
+                                 allow_rotation);
   }
 
   // Start validation. The Validator will delete itself once validation is
   // complete.
   validator.release()->StartValidation(
       base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated,
                  weak_factory_.GetWeakPtr()));
 }
 
 void UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated(
@@ skipping 75 matching lines @@
 }
 
 void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy(
     scoped_ptr<em::PolicyFetchResponse> policy) {
   // Create and configure a validator for the loaded policy.
   scoped_ptr<UserCloudPolicyValidator> validator =
       CreateValidator(policy.Pass(),
                       CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
   validator->ValidateUsername(username_);
   const bool allow_rotation = false;
-  validator->ValidateSignature(policy_key_, allow_rotation);
+  validator->ValidateSignature(policy_key_,
+                               GetPolicyVerificationKey(),
+                               std::string(),
+                               allow_rotation);
   // Start validation. The Validator will delete itself once validation is
   // complete.
   validator.release()->StartValidation(
       base::Bind(&UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated,
                  weak_factory_.GetWeakPtr()));
 }
 
 void UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated(
     UserCloudPolicyValidator* validator) {
   validation_status_ = validator->status();
@@ skipping 87 matching lines @@
 
 // static
 void UserCloudPolicyStoreChromeOS::RemoveLegacyCacheDir(
     const base::FilePath& dir) {
   if (base::PathExists(dir) && !base::DeleteFile(dir, true))
     LOG(ERROR) << "Failed to remove cache dir " << dir.value();
 }
 
 void UserCloudPolicyStoreChromeOS::ReloadPolicyKey(
     const base::Closure& callback) {
-  std::vector<uint8>* key = new std::vector<uint8>();
+  std::string* key = new std::string();
   background_task_runner()->PostTaskAndReply(
       FROM_HERE,
       base::Bind(&UserCloudPolicyStoreChromeOS::LoadPolicyKey,
                  policy_key_path_,
                  key),
       base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded,
                  weak_factory_.GetWeakPtr(),
                  base::Owned(key),
                  callback));
 }
 
 // static
 void UserCloudPolicyStoreChromeOS::LoadPolicyKey(const base::FilePath& path,
-                                                 std::vector<uint8>* key) {
+                                                 std::string* key) {
   if (!base::PathExists(path)) {
     // There is no policy key the first time that a user fetches policy. If
     // |path| does not exist then that is the most likely scenario, so there's
     // no need to sample a failure.
     VLOG(1) << "No key at " << path.value();
     return;
   }
 
   int64 size;
   if (!base::GetFileSize(path, &size)) {
     LOG(ERROR) << "Could not get size of " << path.value();
   } else if (size == 0 || size > kKeySizeLimit) {
     LOG(ERROR) << "Key at " << path.value() << " has bad size " << size;
   } else {
-    key->resize(size);
-    int read_size = base::ReadFile(
-        path, reinterpret_cast<char*>(vector_as_array(key)), size);
-    if (read_size != size) {
+    if (!base::ReadFileToString(path, key) ||

[Mattias Nissler (ping if slow), 2014/01/27 13:52:13]

nit: I'd prefer ReadFile over ReadFileToString since the former uses only
limited memory (strictly speaking, there's a race here where the file size might
have increased since the GetFileSize() call above).

[Andrew T Wilson (Slow), 2014/01/30 17:10:31]

Done.

+        key->size() != static_cast<uint64>(size)) {
       LOG(ERROR) << "Failed to read key at " << path.value();
       key->clear();
     }
   }
 
   if (key->empty())
     SampleValidationFailure(VALIDATION_FAILURE_LOAD_KEY);
 }
 
 void UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded(
-    std::vector<uint8>* key,
+    std::string* key,
     const base::Closure& callback) {
-  policy_key_.swap(*key);
+  policy_key_ = *key;
   policy_key_loaded_ = true;
   callback.Run();
 }
 
 void UserCloudPolicyStoreChromeOS::EnsurePolicyKeyLoaded(
     const base::Closure& callback) {
   if (policy_key_loaded_) {
     callback.Run();
   } else {
     // Get the hashed username that's part of the key's path, to determine
@@ skipping 14 matching lines @@
       !sanitized_username.empty()) {
     policy_key_path_ = user_policy_key_dir_.Append(
         base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
   } else {
     SampleValidationFailure(VALIDATION_FAILURE_DBUS);
   }
   ReloadPolicyKey(callback);
 }
 
 }  // namespace policy