Added support for signed policy blobs on desktop.

components/policy/core/common/cloud/cloud_policy_validator.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef COMPONENTS_POLICY_CORE_COMMON_CLOUD_CLOUD_POLICY_VALIDATOR_H_
 #define COMPONENTS_POLICY_CORE_COMMON_CLOUD_CLOUD_POLICY_VALIDATOR_H_
 
 #include <string>
 #include <vector>
 
@@ skipping 28 matching lines @@
 
 namespace policy {
 
 // Helper class that implements the gory details of validating a policy blob.
 // Since signature checks are expensive, validation can happen on a background
 // thread. The pattern is to create a validator, configure its behavior through
 // the ValidateXYZ() functions, and then call StartValidation(). Alternatively,
 // RunValidation() can be used to perform validation on the current thread.
 class POLICY_EXPORT CloudPolicyValidatorBase {
  public:
-  // Validation result codes. These values are also used for UMA histograms;
-  // they must stay stable, and the UMA counters must be updated if new elements
-  // are appended at the end.
+  // Validation result codes. These values are also used for UMA histograms by
+  // UserCloudPolicyStoreChromeOS and must stay stable - new elements should
+  // be added at the end before VALIDATION_STATUS_SIZE.
   enum Status {
     // Indicates successful validation.
     VALIDATION_OK,
     // Bad signature on the initial key.
     VALIDATION_BAD_INITIAL_SIGNATURE,
     // Bad signature.
     VALIDATION_BAD_SIGNATURE,
     // Policy blob contains error code.
     VALIDATION_ERROR_CODE_PRESENT,
     // Policy payload failed to decode.
     VALIDATION_PAYLOAD_PARSE_ERROR,
     // Unexpected policy type.
     VALIDATION_WRONG_POLICY_TYPE,
     // Unexpected settings entity id.
     VALIDATION_WRONG_SETTINGS_ENTITY_ID,
     // Time stamp from the future.
     VALIDATION_BAD_TIMESTAMP,
     // Token doesn't match.
     VALIDATION_WRONG_TOKEN,
     // Username doesn't match.
     VALIDATION_BAD_USERNAME,
     // Policy payload protobuf parse error.
     VALIDATION_POLICY_PARSE_ERROR,
+    // Policy key signature could not be verified using the hard-coded
+    // verification key.
+    VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE,
+    VALIDATION_STATUS_SIZE  // MUST BE LAST
   };
 
   enum ValidateDMTokenOption {
     // The policy must have a non-empty DMToken.
     DM_TOKEN_REQUIRED,
 
     // The policy may have an empty or missing DMToken, if the expected token
     // is also empty.
     DM_TOKEN_NOT_REQUIRED,
   };
@@ skipping 51 matching lines @@
 
   // Validates the policy type.
   void ValidatePolicyType(const std::string& policy_type);
 
   // Validates the settings_entity_id value.
   void ValidateSettingsEntityId(const std::string& settings_entity_id);
 
   // Validates that the payload can be decoded successfully.
   void ValidatePayload();
 
-  // Verifies that the signature on the policy blob verifies against |key|. If |
+  // Verifies that the signature on the policy blob verifies against |key|. If
   // |allow_key_rotation| is true and there is a key rotation present in the
   // policy blob, this checks the signature on the new key against |key| and the
-  // policy blob against the new key.
-  void ValidateSignature(const std::vector<uint8>& key,
+  // policy blob against the new key. New key is also validated using the passed
+  // |verification_key| and the |new_public_key_verification_signature| field.
+  // If |key_signature| is non-empty, then |key| is also verified against that
+  // signature (useful when dealing with cached keys from untrusted sources).
+  void ValidateSignature(const std::string& key,
+                         const std::string& verification_key,
+                         const std::string& key_signature,
                          bool allow_key_rotation);
 
-  // Similar to StartSignatureVerification(), this checks the signature on the
+  // Similar to ValidateSignature(), this checks the signature on the
   // policy blob. However, this variant expects a new policy key set in the
   // policy blob and makes sure the policy is signed using that key. This should
   // be called at setup time when there is no existing policy key present to
-  // check against.
-  void ValidateInitialKey();
+  // check against. New key is validated using the passed |verification_key| and
+  // the new_public_key_verification_signature field.
+  void ValidateInitialKey(const std::string& verification_key);
 
   // Convenience helper that configures timestamp and token validation based on
   // the current policy blob. |policy_data| may be NULL, in which case the
   // timestamp validation will drop the lower bound. |dm_token_option|
   // and |timestamp_option| have the same effect as the corresponding
   // parameters for ValidateTimestamp() and ValidateDMToken().
   void ValidateAgainstCurrentPolicy(
       const enterprise_management::PolicyData* policy_data,
       ValidateTimestampOption timestamp_option,
       ValidateDMTokenOption dm_token_option);
@@ skipping 19 matching lines @@
   enum ValidationFlags {
     VALIDATE_TIMESTAMP   = 1 << 0,
     VALIDATE_USERNAME    = 1 << 1,
     VALIDATE_DOMAIN      = 1 << 2,
     VALIDATE_TOKEN       = 1 << 3,
     VALIDATE_POLICY_TYPE = 1 << 4,
     VALIDATE_ENTITY_ID   = 1 << 5,
     VALIDATE_PAYLOAD     = 1 << 6,
     VALIDATE_SIGNATURE   = 1 << 7,
     VALIDATE_INITIAL_KEY = 1 << 8,
+    VALIDATE_SIGNED_KEY  = 1 << 9,
   };
 
   // Performs validation, called on a background thread.
   static void PerformValidation(
       scoped_ptr<CloudPolicyValidatorBase> self,
       scoped_refptr<base::MessageLoopProxy> message_loop,
       const base::Closure& completion_callback);
 
   // Reports completion to the |completion_callback_|.
   static void ReportCompletion(scoped_ptr<CloudPolicyValidatorBase> self,
                                const base::Closure& completion_callback);
 
   // Invokes all the checks and reports the result.
   void RunChecks();
 
+  // Helper routine that verifies that the new public key in the policy blob
+  // is properly signed by the |verification_key_|.
+  bool CheckNewPublicKeyVerificationSignature();
+
+  // Helper routine that performs a verification-key-based signature check,
+  // which includes the domain name associated with this policy. Returns true
+  // if the verification succeeds, or if |signature| is empty.
+  bool CheckVerificationKeySignature(const std::string& key_to_verify,
+                                     const std::string& server_key,
+                                     const std::string& signature);
+
+  // Sets the key used to verify new public keys, and ensures that callers
+  // don't try to set conflicting keys.
+  void set_verification_key(const std::string& verification_key);
+
   // Helper functions implementing individual checks.
   Status CheckTimestamp();
   Status CheckUsername();
   Status CheckDomain();
   Status CheckToken();
   Status CheckPolicyType();
   Status CheckEntityId();
   Status CheckPayload();
   Status CheckSignature();
   Status CheckInitialKey();
@@ skipping 12 matching lines @@
   int64 timestamp_not_before_;
   int64 timestamp_not_after_;
   ValidateTimestampOption timestamp_option_;
   ValidateDMTokenOption dm_token_option_;
   std::string user_;
   std::string domain_;
   std::string token_;
   std::string policy_type_;
   std::string settings_entity_id_;
   std::string key_;
+  std::string key_signature_;
+  std::string verification_key_;
   bool allow_key_rotation_;
   scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
 
   DISALLOW_COPY_AND_ASSIGN(CloudPolicyValidatorBase);
 };
 
 // A simple type-parameterized extension of CloudPolicyValidator that
 // facilitates working with the actual protobuf payload type.
 template<typename PayloadProto>
 class POLICY_EXPORT CloudPolicyValidator : public CloudPolicyValidatorBase {
@@ skipping 46 matching lines @@
     UserCloudPolicyValidator;
 
 #if !defined(OS_ANDROID) && !defined(OS_IOS)
 typedef CloudPolicyValidator<enterprise_management::ExternalPolicyData>
     ComponentCloudPolicyValidator;
 #endif
 
 }  // namespace policy
 
 #endif  // COMPONENTS_POLICY_CORE_COMMON_CLOUD_CLOUD_POLICY_VALIDATOR_H_