Add gnubby authentication to remoting host

remoting/host/gnubby_utils.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "remoting/host/gnubby_utils.h"
+
+#include <algorithm>
+#include <vector>
+
+#include "base/base64.h"
+#include "base/json/json_reader.h"
+#include "base/json/json_writer.h"
+#include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/values.h"
+#include "remoting/base/logging.h"
+
+namespace remoting {
+
+namespace {
+
+// Failure code to use when the code from the webapp response isn't available.
+const int kGnubbyResponseFail = 1;
+
+const int kSsh2AgentcGnubbySignRequest  = 101;  // 0x65
+const int kSsh2AgentcGnubbySignResponse = 102;  // 0x66
+
+// Class to read gnubby blob data.
+class BlobReader {

[Sergey Ulanov, 2014/02/09 22:29:54]

Reuse Pickle from base/pickle.h?

[psj, 2014/02/10 22:57:22]

Unfortunately not. Pickle pads to int boundaries after every write, while the
gnubbyd extension expects the data to be packed.

+ public:
+  // Create a blob with the given data. Does not take ownership of the memory.
+  BlobReader(const char* data, int data_len);
+  virtual ~BlobReader();
+
+  // Read a byte from the blob. Returns true on success.
+  bool ReadByte(char* value);
+
+  // Read a four byte size from the blob. Returns true on success.
+  bool ReadSize(int* value);
+
+  // Read a size-prefixed blob. Returns true on success.
+  bool ReadBlobReader(scoped_ptr<BlobReader>* value);
+
+  // Read a size-prefixed string from the blob. Returns true on success.
+  bool ReadString(std::string* value);
+
+ private:
+  // The blob data.
+  const char* data_;
+
+  // The length of the blob data.
+  int data_len_;
+
+  // The current read index.
+  int index_;
+
+  DISALLOW_COPY_AND_ASSIGN(BlobReader);
+};
+
+// Class to write gnubby blob data.
+class BlobWriter {

[Sergey Ulanov, 2014/02/09 22:29:54]

ditto

[psj, 2014/02/10 22:57:22]

ditto

+ public:
+  BlobWriter();
+  virtual ~BlobWriter();
+
+  // Write a byte to the blob.
+  void WriteByte(char value);
+
+  // Write a four byte size to the blob.
+  void WriteSize(int value);
+
+  // Write a size-prefixed blob to the blob.
+  void WriteBlobWriter(const BlobWriter& value);
+
+  // Write a size-prefixed string to the blob.
+  void WriteString(const std::string& value);
+
+  // Returns the blob data.
+  void GetData(std::string* data) const;
+
+ private:
+  // The blob data.
+  std::vector<char> data_;
+
+  DISALLOW_COPY_AND_ASSIGN(BlobWriter);
+};
+
+BlobReader::BlobReader(const char* data, int data_len)
+    : data_(data), data_len_(data_len), index_(0) {}
+
+BlobReader::~BlobReader() {}
+
+bool BlobReader::ReadByte(char* value) {
+  if (data_len_ - index_ < 0) {
+    *value = 0;
+    return false;
+  }
+  *value = data_[index_++];
+  return true;
+}
+
+bool BlobReader::ReadSize(int* value) {
+  if (data_len_ - (index_ + 4) < 0) {
+    *value = 0;
+    return false;
+  }
+  *value =
+      ((data_[index_] & 255) << 24) +
+      ((data_[index_ + 1] & 255) << 16) +
+      ((data_[index_ + 2] & 255) << 8) +
+      (data_[index_ + 3] & 255);
+  index_ += 4;
+  return true;
+}
+
+bool BlobReader::ReadBlobReader(scoped_ptr<BlobReader>* value) {
+  int blobSize;
+  if (!ReadSize(&blobSize) || data_len_ - (index_ + blobSize) < 0) {
+    value->reset();
+    return 0;
+  }
+  value->reset(new BlobReader(data_ + index_, blobSize));
+  index_ += blobSize;
+  return true;
+}
+
+bool BlobReader::ReadString(std::string* value) {
+  int length;
+  if (!ReadSize(&length) || data_len_ - (index_ + length) < 0) {
+    value->erase();
+    return 0;
+  }
+  value->assign(data_ + index_, length);
+  index_ += length;
+  return true;
+}
+
+BlobWriter::BlobWriter() {}
+
+BlobWriter::~BlobWriter() {}
+
+void BlobWriter::WriteByte(char value) {
+  data_.push_back(value);
+}
+
+void BlobWriter::WriteSize(int value) {
+  data_.push_back((value & 0xff000000) >> 24);
+  data_.push_back((value & 0xff0000) >> 16);
+  data_.push_back((value & 0xff00) >> 8);
+  data_.push_back(value & 0xff);
+}
+
+void BlobWriter::WriteBlobWriter(const BlobWriter& value) {
+  std::string data;
+  value.GetData(&data);
+  WriteString(data);
+}
+
+void BlobWriter::WriteString(const std::string& value) {
+  WriteSize(value.length());
+  for (std::string::const_iterator i = value.begin(); i != value.end(); ++i) {
+    data_.push_back(*i);
+  }
+}
+
+void BlobWriter::GetData(std::string* data) const {
+  data->assign(data_.data(), data_.size());
+}
+
+}  // namespace
+
+bool GnubbyUtils::GetJsonFromRequest(const char* data,
+                                     int data_len,
+                                     std::string* json) {
+  json->empty();
+
+  BlobReader ssh_request(data, data_len);
+  scoped_ptr<BlobReader> blob;
+  if (!ssh_request.ReadBlobReader(&blob)) {
+    return false;
+  }
+
+  char cmd = 0;
+  char timeout = 0;
+  int request_count = 0;
+  bool result = blob->ReadByte(&cmd);
+  result = result && blob->ReadByte(&timeout);
+  result = result && blob->ReadSize(&request_count);
+  if (!result || cmd != kSsh2AgentcGnubbySignRequest) {
+    return false;
+  }
+
+  base::DictionaryValue request;
+  request.SetString("type", "sign_helper_request");
+  request.SetInteger("timeout", timeout);
+
+  base::ListValue* sign_requests = new base::ListValue();
+  request.Set("signData", sign_requests);
+
+  for (int i = 0; i < request_count; ++i) {
+    scoped_ptr<BlobReader> sign_request;
+    std::string version;
+    std::string challenge_hash;
+    std::string origin_hash;
+    std::string key_handle;
+
+    result = result && blob->ReadBlobReader(&sign_request);
+    result = result && sign_request->ReadString(&version);
+    result = result && sign_request->ReadString(&challenge_hash);
+    result = result && sign_request->ReadString(&origin_hash);
+    result = result && sign_request->ReadString(&key_handle);
+    if (!result) {
+      return false;
+    }
+
+    std::string encoded_origin_hash;
+    std::string encoded_challenge_hash;
+    std::string encoded_key_handle;
+
+    WebSafeBase64Encode(origin_hash, &encoded_origin_hash);
+    WebSafeBase64Encode(challenge_hash, &encoded_challenge_hash);
+    WebSafeBase64Encode(key_handle, &encoded_key_handle);
+
+    base::DictionaryValue* request = new base::DictionaryValue();
+    request->SetString("appIdHash", encoded_origin_hash);
+    request->SetString("challengeHash", encoded_challenge_hash);
+    request->SetString("keyHandle", encoded_key_handle);
+    request->SetString("version", version);
+    sign_requests->Append(request);
+  }
+
+  base::JSONWriter::Write(&request, json);
+  return true;
+}
+
+void GnubbyUtils::GetResponseFromJson(std::string json, std::string* data) {
+  data->erase();
+
+  scoped_ptr<base::Value> json_value(base::JSONReader::Read(json));
+  base::DictionaryValue* reply;
+  if (json_value && json_value->GetAsDictionary(&reply)) {
+    BlobWriter response;
+    response.WriteByte(kSsh2AgentcGnubbySignResponse);
+
+    int code;
+    bool result = reply->GetInteger("code", &code);
+    if (result && code == 0) {
+      response.WriteSize(code);
+
+      std::string type;
+      base::DictionaryValue* reply_data;
+      result = reply->GetString("type", &type);
+      result = result && type == "sign_helper_reply";
+      result = result && reply->GetDictionary("responseData", &reply_data);
+      if (result) {
+        BlobWriter tmp;
+        std::string version;
+        result = reply_data->GetString("version", &version);
+        if (result) {
+          tmp.WriteString(version);
+        } else {
+          tmp.WriteSize(0);
+        }
+
+        std::string challenge_hash;
+        std::string app_id_hash;
+        std::string key_handle;
+        std::string signature_data;
+
+        result = DecodeDataFromDictionary(
+            *reply_data, "challengeHash", &challenge_hash);
+        result = result && DecodeDataFromDictionary(
+            *reply_data, "appIdHash", &app_id_hash);
+        result = result && DecodeDataFromDictionary(
+            *reply_data, "keyHandle", &key_handle);
+        result = result && DecodeDataFromDictionary(
+            *reply_data, "signatureData", &signature_data);
+
+        if (result) {
+          tmp.WriteString(challenge_hash);
+          tmp.WriteString(app_id_hash);
+          tmp.WriteString(key_handle);
+          tmp.WriteString(signature_data);
+        }
+        response.WriteBlobWriter(tmp);
+      }
+    } else {
+      response.WriteSize(kGnubbyResponseFail);
+    }
+
+    BlobWriter ssh_response;
+    ssh_response.WriteBlobWriter(response);
+    ssh_response.GetData(data);
+
+    if (!result) {
+      HOST_LOG << "Failed to create valid blob from json";
+    }
+  } else {
+    HOST_LOG << "Could not parse json: " << json;
+  }
+}
+
+void GnubbyUtils::WebSafeBase64Encode(const std::string& data,
+                                      std::string* encoded_data) {
+  base::Base64Encode(data, encoded_data);
+
+  std::replace(encoded_data->begin(), encoded_data->end(), '+', '-');
+  std::replace(encoded_data->begin(), encoded_data->end(), '/', '_');
+  encoded_data->erase(
+      std::remove(encoded_data->begin(), encoded_data->end(), '='),
+      encoded_data->end());
+}
+
+void GnubbyUtils::WebSafeBase64Decode(const std::string& encoded_data,
+                                      std::string* data) {
+  std::string temp(encoded_data);
+  std::replace(temp.begin(), temp.end(), '-', '+');
+  std::replace(temp.begin(), temp.end(), '_', '/');
+
+  int num_equals = temp.length() % 3;
+  for (int i = 0; i < num_equals; ++i) {
+    temp += "=";
+  }
+
+  base::Base64Decode(temp, data);
+}
+
+bool GnubbyUtils::DecodeDataFromDictionary(
+    const base::DictionaryValue& dictionary,
+    const std::string& path,
+    std::string* data) {
+  std::string encoded_data;
+  bool result = dictionary.GetString(path, &encoded_data);
+  if (result) {
+    WebSafeBase64Decode(encoded_data, data);
+  } else {
+    HOST_LOG << "Failed to get dictionary value " << path;
+    data->erase();
+  }
+  return result;
+}
+
+}  // namespace remoting