Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(193)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 143183007: Update policy signature verification to include policy domain. (Closed)

Created:
6 years, 10 months ago by Andrew T Wilson (Slow)
Modified:
6 years, 10 months ago
CC:
chromium-reviews, stevenjb+watch_chromium.org, davemoore+watch_chromium.org, oshima+watch_chromium.org, nkostylev+watch_chromium.org
Visibility:
Public.

Description

Update policy signature verification to include policy domain. CloudPolicyValidator now accpets a "domain" parameter which is used to generate verification signatures for public keys. Broke out CloudPolicyValidator cached-key verification code into a separate validation function: ValidateCachedKey(). Added new hard-coded signatures for our PolicyBuilder test keys for the example.com domain. BUG=275291 TBR=rogerta@chromium.org Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=251292

Patch Set 1 #

Patch Set 2 : Trying again after mysterious chunk-mismatch error on last upload. #

Total comments: 15

Patch Set 3 : Review feedback. #

Patch Set 4 : Fixed style error. #

Total comments: 4
Unified diffs Side-by-side diffs Delta from patch set Stats (+307 lines, -85 lines) Patch
M chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc View 2 chunks +3 lines, -2 lines 0 comments Download
M chrome/browser/chromeos/policy/device_local_account_policy_store.cc View 2 chunks +5 lines, -1 line 0 comments Download
M chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc View 1 2 1 chunk +14 lines, -3 lines 0 comments Download
M chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc View 4 chunks +10 lines, -4 lines 0 comments Download
M chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc View 2 chunks +3 lines, -2 lines 0 comments Download
M chrome/browser/chromeos/settings/session_manager_operation.cc View 1 2 1 chunk +3 lines, -1 line 2 comments Download
M chrome/browser/chromeos/settings/session_manager_operation_unittest.cc View 1 chunk +1 line, -1 line 0 comments Download
M components/policy/core/common/cloud/cloud_policy_validator.h View 6 chunks +26 lines, -9 lines 0 comments Download
M components/policy/core/common/cloud/cloud_policy_validator.cc View 1 2 6 chunks +67 lines, -27 lines 2 comments Download
M components/policy/core/common/cloud/cloud_policy_validator_unittest.cc View 1 2 9 chunks +60 lines, -12 lines 0 comments Download
M components/policy/core/common/cloud/policy_builder.h View 1 2 2 chunks +4 lines, -0 lines 0 comments Download
M components/policy/core/common/cloud/policy_builder.cc View 1 2 5 chunks +62 lines, -4 lines 0 comments Download
M components/policy/core/common/cloud/user_cloud_policy_store.cc View 4 chunks +26 lines, -9 lines 0 comments Download
M components/policy/proto/device_management_backend.proto View 1 2 2 chunks +18 lines, -7 lines 0 comments Download
M google_apis/gaia/gaia_auth_util.cc View 1 2 3 1 chunk +5 lines, -3 lines 0 comments Download

Messages

Total messages: 14 (0 generated)
Andrew T Wilson (Slow)
PTAL
6 years, 10 months ago (2014-02-12 15:20:11 UTC) #1
Mattias Nissler (ping if slow)
Just a few nits and requests for additional tests. https://codereview.chromium.org/143183007/diff/100001/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc File chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc (right): https://codereview.chromium.org/143183007/diff/100001/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc#newcode113 chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc:113: ...
6 years, 10 months ago (2014-02-13 10:52:52 UTC) #2
Andrew T Wilson (Slow)
Roger, PTAL at the change to gaia_auth_util.cc (just an improved logging message) for your owners ...
6 years, 10 months ago (2014-02-13 12:15:35 UTC) #3
Mattias Nissler (ping if slow)
LGTM. https://codereview.chromium.org/143183007/diff/100001/chrome/browser/chromeos/settings/session_manager_operation.cc File chrome/browser/chromeos/settings/session_manager_operation.cc (right): https://codereview.chromium.org/143183007/diff/100001/chrome/browser/chromeos/settings/session_manager_operation.cc#newcode186 chrome/browser/chromeos/settings/session_manager_operation.cc:186: // generated by session manager aren't signed by ...
6 years, 10 months ago (2014-02-13 13:35:54 UTC) #4
Andrew T Wilson (Slow)
The CQ bit was checked by atwilson@chromium.org
6 years, 10 months ago (2014-02-13 17:22:56 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/atwilson@chromium.org/143183007/370001
6 years, 10 months ago (2014-02-13 17:24:03 UTC) #6
Roger Tawa OOO till Jul 10th
gaia_auth_util.cc lgtm
6 years, 10 months ago (2014-02-13 17:38:23 UTC) #7
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 10 months ago (2014-02-13 19:10:47 UTC) #8
commit-bot: I haz the power
Retried try job too often on win_rel for step(s) printing_unittests http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=win_rel&number=263597
6 years, 10 months ago (2014-02-13 19:10:48 UTC) #9
Andrew T Wilson (Slow)
The CQ bit was checked by atwilson@chromium.org
6 years, 10 months ago (2014-02-14 08:11:30 UTC) #10
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/atwilson@chromium.org/143183007/370001
6 years, 10 months ago (2014-02-14 08:12:00 UTC) #11
commit-bot: I haz the power
Change committed as 251292
6 years, 10 months ago (2014-02-14 13:50:58 UTC) #12
palmer
https://codereview.chromium.org/143183007/diff/370001/chrome/browser/chromeos/settings/session_manager_operation.cc File chrome/browser/chromeos/settings/session_manager_operation.cc (right): https://codereview.chromium.org/143183007/diff/370001/chrome/browser/chromeos/settings/session_manager_operation.cc#newcode186 chrome/browser/chromeos/settings/session_manager_operation.cc:186: // key is validated when it is installed. What ...
6 years, 10 months ago (2014-02-14 21:52:48 UTC) #13
Andrew T Wilson (Slow)
6 years, 10 months ago (2014-02-17 17:28:39 UTC) #14
Message was sent while issue was closed. 
https://codereview.chromium.org/143183007/diff/370001/chrome/browser/chromeos...
File chrome/browser/chromeos/settings/session_manager_operation.cc (right):

https://codereview.chromium.org/143183007/diff/370001/chrome/browser/chromeos...
chrome/browser/chromeos/settings/session_manager_operation.cc:186: // key is
validated when it is installed.
On 2014/02/14 21:52:48, Chromium Palmer wrote:
> What is the harm of checking it again?
None, really - I've also spoken with mnissler about this. The problem is that
there are cases where this data is signed with the owners key for the device
(see the comment above about "policy auto-generated by session manager" - not
downloaded/signed by DMServer), and this owners key is not currently signed with
a verification key. Before we can start checking owner key verification
signatures, we need some way to migrate all of the existing devices to *have*
owner key verification signatures, which is an issue we're punting on now since
the verification signature is currently only critical for desktop.

I have crbug.com/328038 open to track this (and other) cros key verification
signature issues.

https://codereview.chromium.org/143183007/diff/370001/components/policy/core/...
File components/policy/core/common/cloud/cloud_policy_validator.cc (right):

https://codereview.chromium.org/143183007/diff/370001/components/policy/core/...
components/policy/core/common/cloud/cloud_policy_validator.cc:394: if
(!cached_key_signature_.empty() && !verification_key_.empty() &&
On 2014/02/14 21:52:48, Chromium Palmer wrote:
> So if an attacker can supply an empty signature somehow, they can pass this
> check?

Good catch.

The idea was that this code should never be called with an empty key - there is
code at user_cloud_policy_store.cc:335 that checks for an empty key and deals
with it specially (currently we allow this to pass unmolested for migration).
However, given this special handling at the caller, there's no reason why this
routine should also have special handling for an empty cached_key_signature_ -
it makes this API fragile.

I'll drive a followup CL tomorrow to cause this case (no cached_key_signature
passed to the CloudPolicyValidator) to generate an error.

Powered by Google App Engine
This is Rietveld 408576698