net/tools/testserver/device_management.py - Issue 12183017: Verify the signature on user cloud policy downloads.

Unified Diff: net/tools/testserver/device_management.py

Issue 12183017: Verify the signature on user cloud policy downloads. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Addressed comments Created 7 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/tools/testserver/device_management.py

diff --git a/net/tools/testserver/device_management.py b/net/tools/testserver/device_management.py

index bbfb3c5ff08871773c7a0b29c3a130201a6a2bd4..5085e5efcd28d106a8c111c70cbfe5798199e00f 100644

--- a/net/tools/testserver/device_management.py

+++ b/net/tools/testserver/device_management.py

@@ -45,7 +45,8 @@ Example:

"managed_users" : [

"secret123456"

- ]

+ ],

+ "current_key_index": 0

}

"""

@@ -455,18 +456,17 @@ class RequestHandler(object):

settings = dp.ChromeDeviceSettingsProto()

self.GatherDevicePolicySettings(settings, policy.get(policy_key, {}))

- # Figure out the key we want to use. If multiple keys are configured, the

- # server will rotate through them in a round-robin fashion.

+ # Sign with 'current_key_index', defaulting to key 0.

signing_key = None

req_key = None

- key_version = 1

+ current_key_index = policy.get('current_key_index', 0)

nkeys = len(self._server.keys)

- if msg.signature_type == dm.PolicyFetchRequest.SHA1_RSA and nkeys > 0:

+ if (msg.signature_type == dm.PolicyFetchRequest.SHA1_RSA and

+ current_key_index in range(nkeys)):

+ signing_key = self._server.keys[current_key_index]

if msg.public_key_version in range(1, nkeys + 1):

# requested key exists, use for signing and rotate.

req_key = self._server.keys[msg.public_key_version - 1]['private_key']

- key_version = (msg.public_key_version % nkeys) + 1

- signing_key = self._server.keys[key_version - 1]

# Fill the policy data protobuf.

policy_data = dm.PolicyData()

@@ -480,7 +480,7 @@ class RequestHandler(object):

policy_data.settings_entity_id = msg.settings_entity_id

if signing_key:

- policy_data.public_key_version = key_version

+ policy_data.public_key_version = current_key_index + 1

if msg.policy_type == 'google/chromeos/publicaccount':

policy_data.username = msg.settings_entity_id

else:

@@ -498,7 +498,7 @@ class RequestHandler(object):

if signing_key:

fetch_response.policy_data_signature = (

signing_key['private_key'].hashAndSign(signed_data).tostring())

- if msg.public_key_version != key_version:

+ if msg.public_key_version != current_key_index + 1:

fetch_response.new_public_key = signing_key['public_key']

if req_key:

fetch_response.new_public_key_signature = (

@@ -572,12 +572,13 @@ class TestServer(object):

assert key is not None

self.keys.append({ 'private_key' : key })

else:

- # Generate a key if none were specified.

- key = tlslite.api.generateRSAKey(1024)

- assert key is not None

- self.keys.append({ 'private_key' : key })

+ # Generate 2 private keys if no private keys directory was specified.

Mattias Nissler (ping if slow) 2013/02/08 13:36:42 nit: it's not a directory, you can specify the fla

Joao da Silva 2013/02/08 16:47:04 Done.

+ for i in range(2):

+ key = tlslite.api.generateRSAKey(512)

+ assert key is not None

+ self.keys.append({ 'private_key' : key })

- # Derive the public keys from the loaded private keys.

+ # Derive the public keys from the private keys.

for entry in self.keys:

key = entry['private_key']

« chrome/browser/policy/user_cloud_policy_store_chromeos_unittest.cc ('K') | « chrome/common/chrome_paths.cc ('k') | no next file » | no next file with comments »