Add public key and signature verification to browser-side API keys

content/common/experiments/api_key.cc

Index: content/common/experiments/api_key.cc
diff --git a/content/common/experiments/api_key.cc b/content/common/experiments/api_key.cc
index 09b607f5a523005feca5332e64728b2801dfb127..a9d0097d6a99e31d4a929d18d3e0dac271c01d96 100644
--- a/content/common/experiments/api_key.cc
+++ b/content/common/experiments/api_key.cc
@@ -4,9 +4,12 @@
 
 #include "content/common/experiments/api_key.h"
 
+#include <openssl/curve25519.h>
+
 #include <vector>
 
 #include "base/base64.h"
+#include "base/macros.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
@@ -18,8 +21,18 @@ namespace content {
 
 namespace {
 
+// This is the default public key used for validating signatures.
+// TODO(iclelland): Move this to the embedder, and provide a mechanism to allow
+// for multiple signing keys. https://crbug.com/543220
+static const uint8_t kPublicKey[] = {
+    0x7c, 0xc4, 0xb8, 0x9a, 0x93, 0xba, 0x6e, 0xe2, 0xd0, 0xfd, 0x03,
+    0x1d, 0xfb, 0x32, 0x66, 0xc7, 0x3b, 0x72, 0xfd, 0x54, 0x3a, 0x07,
+    0x51, 0x14, 0x66, 0xaa, 0x02, 0x53, 0x4e, 0x33, 0xa1, 0x15,
+};
+
 const char* kApiKeyFieldSeparator = "|";
-}
+
+}  // namespace
 
 ApiKey::~ApiKey() {}
 
@@ -30,6 +43,8 @@ scoped_ptr<ApiKey> ApiKey::Parse(const std::string& key_text) {
 
   // API Key should resemble:
   // signature|origin|api_name|expiry_timestamp
+  // TODO(iclelland): Add version code to API key format to identify key algo
+  // https://crbug.com/570684
   std::vector<std::string> parts =
       SplitString(key_text, kApiKeyFieldSeparator, base::KEEP_WHITESPACE,
                   base::SPLIT_WANT_ALL);
@@ -77,9 +92,11 @@ bool ApiKey::IsAppropriate(const std::string& origin,
 }
 
 bool ApiKey::IsValid(const base::Time& now) const {
-  // TODO(iclelland): Validate signature on key data here as well.
-  // https://crbug.com/543215
-  return ValidateDate(now);
+  // TODO(iclelland): Allow for multiple signing keys, and iterate over all
+  // active keys here. https://crbug.com/543220
+  return ValidateDate(now) &&
+         ValidateSignature(base::StringPiece(
+             reinterpret_cast<const char*>(kPublicKey), arraysize(kPublicKey)));
 }
 
 bool ApiKey::ValidateOrigin(const std::string& origin) const {
@@ -95,4 +112,33 @@ bool ApiKey::ValidateDate(const base::Time& now) const {
   return expiry_time > now;
 }
 
+bool ApiKey::ValidateSignature(const base::StringPiece& public_key) const {
+  return ValidateSignature(signature_, data_, public_key);
+}
+
+// static
+bool ApiKey::ValidateSignature(const std::string& signature_text,
+                               const std::string& data,
+                               const base::StringPiece& public_key) {
+  // Public key must be 32 bytes long for Ed25519

[davidben, 2016/01/13 20:50:39]

Nit: Period at end.

[iclelland, 2016/01/13 21:30:11]

Done.

+  DCHECK(public_key.length() == 32);

[davidben, 2016/01/13 20:50:39]

Nit: DCHECK_EQ. Or perhaps something that works at runtime (CHECK or return
false) if you're planning that this be callable by other files.

[iclelland, 2016/01/13 21:30:11]

Done, thanks.

+
+  std::string signature;
+  // signature_text is base64-encoded; decode first.
+  if (!base::Base64Decode(signature_text, &signature)) {
+    return false;
+  }
+
+  // Signature must be 64 bytes long
+  if (signature.length() != 64) {
+    return false;
+  }
+
+  int result = ED25519_verify(
+      reinterpret_cast<const uint8_t*>(data.data()), data.length(),
+      reinterpret_cast<const uint8_t*>(signature.data()),
+      reinterpret_cast<const uint8_t*>(public_key.data()));
+  return (result != 0);
+}
+
 }  // namespace content