Add gnubby authentication to remoting host

remoting/host/gnubby_util.cc

Index: remoting/host/gnubby_util.cc
diff --git a/remoting/host/gnubby_util.cc b/remoting/host/gnubby_util.cc
new file mode 100644
index 0000000000000000000000000000000000000000..9e3ef23755056801e7f998239ff6c1b67dbdf168
--- /dev/null
+++ b/remoting/host/gnubby_util.cc
@@ -0,0 +1,336 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "remoting/host/gnubby_util.h"
+
+#include <endian.h>

[Sergey Ulanov, 2014/02/14 07:31:59]

remove this include - won't compile on OSX.

[psj, 2014/02/15 00:01:34]

Done.

+#include <algorithm>
+#include <vector>
+
+#include "base/base64.h"
+#include "base/json/json_reader.h"
+#include "base/json/json_writer.h"
+#include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/values.h"
+#include "remoting/base/logging.h"
+
+namespace remoting {
+
+namespace {
+
+// Failure code to use when the code from the webapp response isn't available.
+const int kGnubbyResponseFail = 1;
+
+const int kSsh2AgentcGnubbySignRequest = 101;   // 0x65
+const int kSsh2AgentcGnubbySignResponse = 102;  // 0x66
+
+void WebSafeBase64Encode(const std::string& data, std::string* encoded_data) {
+  base::Base64Encode(data, encoded_data);
+
+  std::replace(encoded_data->begin(), encoded_data->end(), '+', '-');
+  std::replace(encoded_data->begin(), encoded_data->end(), '/', '_');
+  encoded_data->erase(
+      std::remove(encoded_data->begin(), encoded_data->end(), '='),
+      encoded_data->end());
+}
+
+void WebSafeBase64Decode(const std::string& encoded_data, std::string* data) {
+  std::string temp(encoded_data);
+  std::replace(temp.begin(), temp.end(), '-', '+');
+  std::replace(temp.begin(), temp.end(), '_', '/');
+
+  int num_equals = temp.length() % 3;
+  temp.append(num_equals, '=');
+
+  base::Base64Decode(temp, data);
+}
+
+bool DecodeDataFromDictionary(const base::DictionaryValue& dictionary,
+                              const std::string& path,
+                              std::string* data) {
+  std::string encoded_data;
+  bool result = dictionary.GetString(path, &encoded_data);
+  if (result) {
+    WebSafeBase64Decode(encoded_data, data);
+  } else {
+    LOG(ERROR) << "Failed to get dictionary value " << path;
+    data->erase();
+  }
+  return result;
+}
+
+// Class to read gnubby blob data.
+class BlobReader {
+ public:
+  // Create a blob with the given data. Does not take ownership of the memory.
+  BlobReader(const uint8_t* data, size_t data_len);
+  virtual ~BlobReader();
+
+  // Read a byte from the blob. Returns true on success.
+  bool ReadByte(uint8_t* value);
+
+  // Read a four byte size from the blob. Returns true on success.
+  bool ReadSize(size_t* value);
+
+  // Read a size-prefixed blob. Returns true on success.
+  bool ReadBlobReader(scoped_ptr<BlobReader>* value);
+
+  // Read a size-prefixed string from the blob. Returns true on success.
+  bool ReadString(std::string* value);
+
+ private:
+  // The blob data.
+  const uint8_t* data_;
+
+  // The length of the blob data.
+  size_t data_len_;
+
+  // The current read index.
+  size_t index_;
+
+  DISALLOW_COPY_AND_ASSIGN(BlobReader);
+};
+
+// Class to write gnubby blob data.
+class BlobWriter {
+ public:
+  BlobWriter();
+  virtual ~BlobWriter();
+
+  // Write a byte to the blob.
+  void WriteByte(uint8_t value);
+
+  // Write a four byte size to the blob.
+  void WriteSize(size_t value);
+
+  // Write a size-prefixed blob to the blob.
+  void WriteBlobWriter(const BlobWriter& value);
+
+  // Write a size-prefixed string to the blob.
+  void WriteString(const std::string& value);
+
+  // Returns the blob data.
+  std::string GetData() const;
+
+ private:
+  // The blob data.
+  std::vector<uint8_t> data_;
+
+  DISALLOW_COPY_AND_ASSIGN(BlobWriter);
+};
+
+BlobReader::BlobReader(const uint8_t* data, size_t data_len)
+    : data_(data), data_len_(data_len), index_(0) {}
+
+BlobReader::~BlobReader() {}
+
+bool BlobReader::ReadByte(uint8_t* value) {
+  if (data_len_ < index_) {
+    *value = 0;
+    return false;
+  }
+  *value = data_[index_++];
+  return true;
+}
+
+bool BlobReader::ReadSize(size_t* value) {
+  if (data_len_ < (index_ + 4)) {
+    *value = 0;
+    return false;
+  }
+  *value = ((data_[index_] & 255) << 24) + ((data_[index_ + 1] & 255) << 16) +
+           ((data_[index_ + 2] & 255) << 8) + (data_[index_ + 3] & 255);
+  index_ += 4;
+  return true;
+}
+
+bool BlobReader::ReadBlobReader(scoped_ptr<BlobReader>* value) {
+  size_t blob_size;
+  if (!ReadSize(&blob_size) || data_len_ < (index_ + blob_size)) {
+    value->reset();
+    return 0;
+  }
+  value->reset(new BlobReader(data_ + index_, blob_size));
+  index_ += blob_size;
+  return true;
+}
+
+bool BlobReader::ReadString(std::string* value) {
+  size_t length;
+  if (!ReadSize(&length) || data_len_ < (index_ + length)) {
+    value->erase();
+    return 0;
+  }
+  value->assign(reinterpret_cast<const char*>(data_ + index_), length);
+  index_ += length;
+  return true;
+}
+
+BlobWriter::BlobWriter() {}
+
+BlobWriter::~BlobWriter() {}
+
+void BlobWriter::WriteByte(uint8_t value) { data_.push_back(value); }
+
+void BlobWriter::WriteSize(size_t value) {
+  data_.push_back((value & 0xff000000) >> 24);
+  data_.push_back((value & 0xff0000) >> 16);
+  data_.push_back((value & 0xff00) >> 8);
+  data_.push_back(value & 0xff);
+}
+
+void BlobWriter::WriteBlobWriter(const BlobWriter& value) {
+  WriteString(value.GetData());
+}
+
+void BlobWriter::WriteString(const std::string& value) {
+  WriteSize(value.length());
+  data_.insert(data_.end(), value.begin(), value.end());
+}
+
+std::string BlobWriter::GetData() const {
+  return std::string(reinterpret_cast<const char*>(data_.data()), data_.size());
+}
+
+}  // namespace
+
+bool GetJsonFromGnubbyRequest(const char* data,
+                              int data_len,
+                              std::string* json) {
+  json->empty();
+
+  BlobReader ssh_request(reinterpret_cast<const uint8_t*>(data), data_len);
+  scoped_ptr<BlobReader> blob;
+  if (!ssh_request.ReadBlobReader(&blob))
+    return false;
+
+  uint8_t cmd = 0;
+  uint8_t timeout = 0;
+  size_t request_count = 0;
+  bool result = blob->ReadByte(&cmd);
+  result = result && blob->ReadByte(&timeout);
+  result = result && blob->ReadSize(&request_count);
+  if (!result || cmd != kSsh2AgentcGnubbySignRequest)
+    return false;
+
+  base::DictionaryValue request;
+  request.SetString("type", "sign_helper_request");
+  request.SetInteger("timeout", timeout);
+
+  base::ListValue* sign_requests = new base::ListValue();
+  request.Set("signData", sign_requests);
+
+  for (unsigned int i = 0; i < request_count; ++i) {
+    scoped_ptr<BlobReader> sign_request;
+    std::string version;
+    std::string challenge_hash;
+    std::string origin_hash;
+    std::string key_handle;
+
+    result = result && blob->ReadBlobReader(&sign_request);

[Sergey Ulanov, 2014/02/14 07:31:59]

nit: I think you can write this expression like this:
   result = blob->Read(..) &&
       sign_request.Read(..) &&
       sign_request.Read(..) &&
       sign_request.Read(..);
IMO it's more readable this way, but feel free to disagree.

[psj, 2014/02/15 00:01:34]

Done.

+    result = result && sign_request->ReadString(&version);
+    result = result && sign_request->ReadString(&challenge_hash);
+    result = result && sign_request->ReadString(&origin_hash);
+    result = result && sign_request->ReadString(&key_handle);
+    if (!result)
+      return false;
+
+    std::string encoded_origin_hash;
+    std::string encoded_challenge_hash;
+    std::string encoded_key_handle;
+
+    WebSafeBase64Encode(origin_hash, &encoded_origin_hash);
+    WebSafeBase64Encode(challenge_hash, &encoded_challenge_hash);
+    WebSafeBase64Encode(key_handle, &encoded_key_handle);
+
+    base::DictionaryValue* request = new base::DictionaryValue();
+    request->SetString("appIdHash", encoded_origin_hash);
+    request->SetString("challengeHash", encoded_challenge_hash);
+    request->SetString("keyHandle", encoded_key_handle);
+    request->SetString("version", version);
+    sign_requests->Append(request);
+  }
+
+  base::JSONWriter::Write(&request, json);
+  return true;
+}
+
+void GetGnubbyResponseFromJson(const std::string& json, std::string* data) {
+  data->erase();
+
+  scoped_ptr<base::Value> json_value(base::JSONReader::Read(json));
+  base::DictionaryValue* reply;
+  if (json_value && json_value->GetAsDictionary(&reply)) {
+    BlobWriter response;
+    response.WriteByte(kSsh2AgentcGnubbySignResponse);
+
+    int code;
+    if (reply->GetInteger("code", &code) && code == 0) {
+      response.WriteSize(code);
+
+      std::string type;
+      if (!(reply->GetString("type", &type) && type == "sign_helper_reply")) {
+        LOG(ERROR) << "Invalid type";
+        return;
+      }
+
+      base::DictionaryValue* reply_data;
+      if (!reply->GetDictionary("responseData", &reply_data)) {
+        LOG(ERROR) << "Invalid response data";
+        return;
+      }
+
+      BlobWriter tmp;
+      std::string version;
+      if (reply_data->GetString("version", &version)) {
+        tmp.WriteString(version);
+      } else {
+        tmp.WriteSize(0);
+      }
+
+      std::string challenge_hash;
+      if (!DecodeDataFromDictionary(
+               *reply_data, "challengeHash", &challenge_hash)) {
+        LOG(ERROR) << "Invalid challenge hash";
+        return;
+      }
+      tmp.WriteString(challenge_hash);
+
+      std::string app_id_hash;
+      if (!DecodeDataFromDictionary(*reply_data, "appIdHash", &app_id_hash)) {
+        LOG(ERROR) << "Invalid app id hash";
+        return;
+      }
+      tmp.WriteString(app_id_hash);
+
+      std::string key_handle;
+      if (!DecodeDataFromDictionary(*reply_data, "keyHandle", &key_handle)) {
+        LOG(ERROR) << "Invalid key handle";
+        return;
+      }
+      tmp.WriteString(key_handle);
+
+      std::string signature_data;
+      if (!DecodeDataFromDictionary(
+               *reply_data, "signatureData", &signature_data)) {
+        LOG(ERROR) << "Invalid signature data";
+        return;
+      }
+      tmp.WriteString(signature_data);
+
+      response.WriteBlobWriter(tmp);
+    } else {
+      response.WriteSize(kGnubbyResponseFail);
+    }
+
+    BlobWriter ssh_response;
+    ssh_response.WriteBlobWriter(response);
+    data->assign(ssh_response.GetData());
+  } else {
+    LOG(ERROR) << "Could not parse json: " << json;
+  }
+}
+
+}  // namespace remoting