Chromium Code Reviews| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/safe_browsing/signature_evaluator_mac.h" | |
| 6 | |
| 7 #include <CoreFoundation/CoreFoundation.h> | |
| 8 #include <string> | |
|
Mark Mentovai
2015/10/05 15:02:12
Separate C from C++ system headers.
Greg K
2015/10/07 22:54:30
Done.
| |
| 9 #include <sys/xattr.h> | |
| 10 #include <vector> | |
| 11 | |
| 12 #include "base/files/file_path.h" | |
| 13 #include "base/files/file_util.h" | |
| 14 #include "base/files/scoped_temp_dir.h" | |
| 15 #include "base/mac/mac_util.h" | |
| 16 #include "base/mac/scoped_cftyperef.h" | |
| 17 #include "base/path_service.h" | |
| 18 #include "base/test/scoped_path_override.h" | |
| 19 #include "chrome/common/chrome_paths.h" | |
| 20 #include "chrome/common/safe_browsing/csd.pb.h" | |
| 21 #include "testing/gmock/include/gmock/gmock-matchers.h" | |
| 22 #include "testing/gtest/include/gtest/gtest.h" | |
| 23 | |
| 24 namespace { | |
| 25 const char* xattrs[] = { | |
|
Mark Mentovai
2015/10/05 15:02:12
It’s unfortunate that this isn’t sharing with the
Greg K
2015/10/07 22:54:30
I actually made these two separate lists on purpos
| |
| 26 "com.apple.cs.CodeDirectory", "com.apple.cs.CodeSignature", | |
| 27 "com.apple.cs.CodeRequirements", "com.apple.cs.CodeResources", | |
| 28 "com.apple.cs.CodeApplication", "com.apple.cs.CodeEntitlements", | |
| 29 }; | |
| 30 } | |
|
Mark Mentovai
2015/10/05 15:02:12
// namespace
Greg K
2015/10/07 22:54:30
Done.
| |
| 31 | |
| 32 class MacSignatureEvaluatorTest : public testing::Test { | |
| 33 protected: | |
| 34 void SetUp() override { | |
| 35 base::FilePath source_path; | |
| 36 ASSERT_TRUE(PathService::Get(chrome::DIR_TEST_DATA, &source_path)); | |
| 37 testdata_path_ = | |
| 38 source_path.AppendASCII("safe_browsing").AppendASCII("mach_o"); | |
| 39 | |
| 40 base::FilePath dir_exe; | |
| 41 ASSERT_TRUE(PathService::Get(base::DIR_EXE, &dir_exe)); | |
| 42 base::FilePath file_exe; | |
| 43 ASSERT_TRUE(PathService::Get(base::FILE_EXE, &file_exe)); | |
| 44 | |
| 45 CHECK(temp_dir_.CreateUniqueTempDir()); | |
|
Robert Sesek
2015/10/05 22:19:07
No CHECK
Greg K
2015/10/07 22:54:30
Done.
| |
| 46 } | |
| 47 | |
| 48 bool GetExecPath(const base::FilePath& bundle_url, base::FilePath* result) { | |
| 49 base::ScopedCFTypeRef<CFStringRef> path_str(CFStringCreateWithCString( | |
| 50 kCFAllocatorDefault, bundle_url.value().c_str(), | |
| 51 kCFStringEncodingUTF8)); | |
| 52 if (!path_str.get()) | |
| 53 return false; | |
| 54 base::ScopedCFTypeRef<CFURLRef> path_url(CFURLCreateWithFileSystemPath( | |
| 55 kCFAllocatorDefault, path_str, kCFURLPOSIXPathStyle, false)); | |
| 56 if (!path_url.get()) | |
| 57 return false; | |
| 58 base::ScopedCFTypeRef<CFBundleRef> bundle( | |
| 59 CFBundleCreate(kCFAllocatorDefault, path_url)); | |
| 60 if (!bundle.get()) | |
| 61 return false; | |
| 62 | |
| 63 base::ScopedCFTypeRef<CFURLRef> exec_url(CFBundleCopyExecutableURL(bundle)); | |
| 64 UInt8 path_buf[PATH_MAX]; | |
| 65 if (!CFURLGetFileSystemRepresentation(exec_url, true, path_buf, | |
| 66 sizeof(path_buf))) | |
| 67 return false; | |
| 68 | |
| 69 *result = base::FilePath(reinterpret_cast<const char*>(path_buf)); | |
| 70 return true; | |
| 71 } | |
| 72 | |
| 73 bool SetupXattrs(const base::FilePath& path) { | |
| 74 char sentinel = 'A'; | |
| 75 for (const auto& xattr : xattrs) { | |
| 76 std::vector<uint8_t> buf(10); | |
| 77 memset(&buf[0], sentinel++, buf.size()); | |
| 78 if (setxattr(path.value().c_str(), xattr, &buf[0], buf.size(), 0, 0) != 0) | |
| 79 return false; | |
| 80 } | |
| 81 return true; | |
| 82 } | |
| 83 | |
| 84 base::FilePath testdata_path_; | |
| 85 base::ScopedTempDir temp_dir_; | |
| 86 }; | |
| 87 | |
| 88 TEST_F(MacSignatureEvaluatorTest, SimpleTest) { | |
| 89 // This is a simple test that checks the validity of a signed executable. | |
| 90 // There is no designated requirement: we only check the embedded signature. | |
| 91 base::FilePath path = testdata_path_.AppendASCII("signedexecutablefat"); | |
| 92 safe_browsing::MacSignatureEvaluator evaluator(path); | |
| 93 ASSERT_TRUE(evaluator.Initialize()); | |
| 94 | |
| 95 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident | |
| 96 result; | |
| 97 ASSERT_TRUE(evaluator.PerformEvaluation(&result)); | |
| 98 ASSERT_EQ(0, result.sub_incident_size()); | |
| 99 ASSERT_FALSE(result.has_sec_error()); | |
| 100 ASSERT_FALSE(result.has_file_basename()); | |
| 101 } | |
| 102 | |
| 103 TEST_F(MacSignatureEvaluatorTest, SimpleTestWithDR) { | |
| 104 // This test checks the signer against a designated requirement description. | |
| 105 base::FilePath path = testdata_path_.AppendASCII("signedexecutablefat"); | |
| 106 std::string requirement( | |
| 107 "certificate leaf[subject.CN]=\"untrusted@goat.local\""); | |
| 108 safe_browsing::MacSignatureEvaluator evaluator(path, requirement); | |
| 109 ASSERT_TRUE(evaluator.Initialize()); | |
| 110 | |
| 111 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident | |
| 112 result; | |
| 113 ASSERT_TRUE(evaluator.PerformEvaluation(&result)); | |
| 114 ASSERT_EQ(0, result.sub_incident_size()); | |
| 115 ASSERT_FALSE(result.has_sec_error()); | |
| 116 ASSERT_FALSE(result.has_file_basename()); | |
| 117 } | |
| 118 | |
| 119 TEST_F(MacSignatureEvaluatorTest, SimpleTestWithBadDR) { | |
| 120 // Now test with a designated requirement that does not describe the signer. | |
| 121 base::FilePath path = testdata_path_.AppendASCII("signedexecutablefat"); | |
| 122 safe_browsing::MacSignatureEvaluator evaluator(path, "anchor apple"); | |
| 123 ASSERT_TRUE(evaluator.Initialize()); | |
| 124 | |
| 125 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident | |
| 126 result; | |
| 127 ASSERT_FALSE(evaluator.PerformEvaluation(&result)); | |
| 128 ASSERT_EQ(1, result.sub_incident_size()); | |
| 129 ASSERT_EQ(-67050, result.sec_error()); | |
| 130 | |
| 131 const safe_browsing:: | |
| 132 ClientIncidentReport_IncidentData_BinaryIntegrityIncident& incident = | |
| 133 result.sub_incident(0); | |
| 134 ASSERT_TRUE(incident.has_file_basename()); | |
| 135 ASSERT_EQ("signedexecutablefat", incident.file_basename()); | |
| 136 ASSERT_TRUE(incident.has_signature()); | |
| 137 } | |
| 138 | |
| 139 TEST_F(MacSignatureEvaluatorTest, SimpleBundleTest) { | |
| 140 // Now test a simple, validly signed bundle. | |
| 141 base::FilePath path = testdata_path_.AppendASCII("test-bundle.app"); | |
| 142 base::FilePath exec_path; | |
| 143 ASSERT_TRUE(GetExecPath(path, &exec_path)); | |
| 144 | |
| 145 std::string requirement( | |
| 146 "certificate leaf[subject.CN]=\"untrusted@goat.local\""); | |
| 147 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement); | |
| 148 ASSERT_TRUE(evaluator.Initialize()); | |
| 149 | |
| 150 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident | |
| 151 result; | |
| 152 ASSERT_TRUE(evaluator.PerformEvaluation(&result)); | |
| 153 ASSERT_EQ(0, result.sub_incident_size()); | |
| 154 ASSERT_FALSE(result.has_sec_error()); | |
| 155 ASSERT_FALSE(result.has_file_basename()); | |
| 156 } | |
| 157 | |
| 158 TEST_F(MacSignatureEvaluatorTest, ModifiedMainExecTest32) { | |
| 159 // Now to a test modified, signed bundle. | |
| 160 base::FilePath path = testdata_path_.AppendASCII("modified-main-exec32.app"); | |
| 161 base::FilePath exec_path; | |
| 162 ASSERT_TRUE(GetExecPath(path, &exec_path)); | |
| 163 | |
| 164 std::string requirement( | |
| 165 "certificate leaf[subject.CN]=\"untrusted@goat.local\""); | |
| 166 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement); | |
| 167 ASSERT_TRUE(evaluator.Initialize()); | |
| 168 | |
| 169 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident | |
| 170 incident; | |
| 171 ASSERT_FALSE(evaluator.PerformEvaluation(&incident)); | |
| 172 ASSERT_EQ(1, incident.sub_incident_size()); | |
| 173 ASSERT_EQ(-67061, incident.sec_error()); | |
| 174 | |
| 175 ASSERT_EQ(exec_path.BaseName().value(), incident.file_basename()); | |
| 176 } | |
| 177 | |
| 178 TEST_F(MacSignatureEvaluatorTest, ModifiedMainExecTest64) { | |
| 179 // Snow Leopard does not know about the 64-bit slice so this test is | |
| 180 // irrelevant. | |
| 181 if (base::mac::IsOSLionOrLater()) { | |
| 182 // Now to a test modified, signed bundle. | |
| 183 base::FilePath path = | |
| 184 testdata_path_.AppendASCII("modified-main-exec64.app"); | |
| 185 base::FilePath exec_path; | |
| 186 ASSERT_TRUE(GetExecPath(path, &exec_path)); | |
| 187 | |
| 188 std::string requirement( | |
| 189 "certificate leaf[subject.CN]=\"untrusted@goat.local\""); | |
| 190 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement); | |
| 191 ASSERT_TRUE(evaluator.Initialize()); | |
| 192 | |
| 193 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident | |
| 194 incident; | |
| 195 ASSERT_FALSE(evaluator.PerformEvaluation(&incident)); | |
| 196 ASSERT_EQ(1, incident.sub_incident_size()); | |
| 197 ASSERT_EQ(-67061, incident.sec_error()); | |
| 198 | |
| 199 ASSERT_EQ(exec_path.BaseName().value(), incident.file_basename()); | |
| 200 } | |
| 201 } | |
| 202 | |
| 203 TEST_F(MacSignatureEvaluatorTest, ModifiedBundleAndExecTest) { | |
| 204 // Now test a modified, signed bundle with resources added and the main | |
| 205 // executable modified. | |
| 206 base::FilePath path = | |
| 207 testdata_path_.AppendASCII("modified-bundle-and-exec.app"); | |
| 208 base::FilePath exec_path; | |
| 209 ASSERT_TRUE(GetExecPath(path, &exec_path)); | |
| 210 | |
| 211 std::string requirement( | |
| 212 "certificate leaf[subject.CN]=\"untrusted@goat.local\""); | |
| 213 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement); | |
| 214 ASSERT_TRUE(evaluator.Initialize()); | |
| 215 | |
| 216 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident | |
| 217 result; | |
| 218 ASSERT_FALSE(evaluator.PerformEvaluation(&result)); | |
| 219 ASSERT_EQ(-67061, result.sec_error()); | |
| 220 | |
| 221 ASSERT_EQ(exec_path.BaseName().value(), result.file_basename()); | |
| 222 ASSERT_EQ(1, result.sub_incident_size()); | |
| 223 | |
| 224 const safe_browsing:: | |
| 225 ClientIncidentReport_IncidentData_BinaryIntegrityIncident& sub_incident = | |
| 226 result.sub_incident(0); | |
| 227 ASSERT_TRUE(sub_incident.has_file_basename()); | |
| 228 ASSERT_EQ(sub_incident.file_basename(), exec_path.BaseName().value()); | |
| 229 ASSERT_TRUE(sub_incident.has_signature()); | |
| 230 } | |
| 231 | |
| 232 TEST_F(MacSignatureEvaluatorTest, ModifiedBundleTest) { | |
| 233 // Now test a modified, signed bundle. This bundle has | |
| 234 // the following problems: | |
| 235 // 1) A file was added (This should not be reported) | |
| 236 // 2) libsigned64.dylib was modified | |
| 237 // 3) executable32 was modified | |
| 238 | |
| 239 base::FilePath orig_path = testdata_path_.AppendASCII("modified-bundle.app"); | |
| 240 base::FilePath copied_path = | |
| 241 temp_dir_.path().AppendASCII("modified-bundle.app"); | |
| 242 CHECK(base::CopyDirectory(orig_path, copied_path, true)); | |
| 243 | |
| 244 base::FilePath exec_path; | |
| 245 ASSERT_TRUE(GetExecPath(copied_path, &exec_path)); | |
| 246 | |
| 247 // Setup the extended attributes, which don't persist in the git repo. | |
| 248 ASSERT_TRUE(SetupXattrs( | |
| 249 copied_path.AppendASCII("Contents/Resources/Base.lproj/MainMenu.nib"))); | |
| 250 | |
| 251 std::string requirement( | |
| 252 "certificate leaf[subject.CN]=\"untrusted@goat.local\""); | |
| 253 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement); | |
| 254 ASSERT_TRUE(evaluator.Initialize()); | |
| 255 | |
| 256 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident | |
| 257 result; | |
| 258 ASSERT_FALSE(evaluator.PerformEvaluation(&result)); | |
| 259 ASSERT_EQ(-67054, result.sec_error()); | |
| 260 ASSERT_EQ(exec_path.BaseName().value(), result.file_basename()); | |
| 261 ASSERT_EQ(4, result.sub_incident_size()); | |
| 262 | |
| 263 const google::protobuf::RepeatedPtrField< | |
| 264 safe_browsing::ClientIncidentReport_IncidentData_BinaryIntegrityIncident>& | |
| 265 incidents = result.sub_incident(); | |
| 266 const safe_browsing:: | |
| 267 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* main_exec = | |
| 268 nullptr; | |
| 269 const safe_browsing:: | |
| 270 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* libsigned64 = | |
| 271 nullptr; | |
| 272 const safe_browsing:: | |
| 273 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* executable32 = | |
| 274 nullptr; | |
| 275 const safe_browsing:: | |
| 276 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* mainmenunib = | |
| 277 nullptr; | |
| 278 const safe_browsing:: | |
| 279 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* codesign_cfg = | |
| 280 nullptr; | |
| 281 | |
| 282 for (const auto& incident : incidents) { | |
| 283 if (incident.file_basename() == exec_path.BaseName().value()) | |
| 284 main_exec = &incident; | |
| 285 else if (incident.file_basename() == "libsigned64.dylib") | |
| 286 libsigned64 = &incident; | |
| 287 else if (incident.file_basename() == "executable32") | |
| 288 executable32 = &incident; | |
| 289 else if (incident.file_basename() == "MainMenu.nib") | |
| 290 mainmenunib = &incident; | |
| 291 else if (incident.file_basename() == "codesign.cfg") | |
| 292 codesign_cfg = &incident; | |
| 293 } | |
| 294 ASSERT_NE(main_exec, nullptr); | |
| 295 ASSERT_NE(libsigned64, nullptr); | |
| 296 ASSERT_NE(executable32, nullptr); | |
| 297 // This is important. Do not collect information on extra files added. | |
| 298 ASSERT_EQ(codesign_cfg, nullptr); | |
| 299 | |
| 300 ASSERT_TRUE(main_exec->has_file_basename()); | |
| 301 ASSERT_EQ(exec_path.BaseName().value(), main_exec->file_basename()); | |
| 302 ASSERT_TRUE(main_exec->has_signature()); | |
| 303 | |
| 304 ASSERT_TRUE(libsigned64->has_file_basename()); | |
| 305 ASSERT_EQ("libsigned64.dylib", libsigned64->file_basename()); | |
| 306 ASSERT_TRUE(libsigned64->has_signature()); | |
| 307 | |
| 308 ASSERT_TRUE(executable32->has_file_basename()); | |
| 309 ASSERT_EQ("executable32", executable32->file_basename()); | |
| 310 ASSERT_TRUE(executable32->has_signature()); | |
| 311 | |
| 312 ASSERT_TRUE(mainmenunib->has_file_basename()); | |
| 313 ASSERT_EQ("MainMenu.nib", mainmenunib->file_basename()); | |
| 314 ASSERT_TRUE(mainmenunib->has_signature()); | |
| 315 ASSERT_EQ(6, mainmenunib->signature().xattr_size()); | |
| 316 // Manually convert the global xattrs array to a vector | |
| 317 std::vector<std::string> xattrs_known; | |
| 318 for (const auto& xattr : xattrs) | |
| 319 xattrs_known.push_back(xattr); | |
| 320 | |
| 321 std::vector<std::string> xattrs_seen; | |
| 322 for (const auto& xattr : mainmenunib->signature().xattr()) { | |
| 323 ASSERT_TRUE(xattr.has_key()); | |
| 324 ASSERT_TRUE(xattr.has_value()); | |
| 325 xattrs_seen.push_back(xattr.key()); | |
| 326 } | |
| 327 ASSERT_THAT(xattrs_known, ::testing::ContainerEq(xattrs_seen)); | |
| 328 } | |
| OLD | NEW |