| Index: content/common/experiments/api_key.cc
|
| diff --git a/content/common/experiments/api_key.cc b/content/common/experiments/api_key.cc
|
| index 09b607f5a523005feca5332e64728b2801dfb127..9199d5d776fc75faf139e1401ca291dc34dd6d5f 100644
|
| --- a/content/common/experiments/api_key.cc
|
| +++ b/content/common/experiments/api_key.cc
|
| @@ -4,9 +4,12 @@
|
|
|
| #include "content/common/experiments/api_key.h"
|
|
|
| +#include <openssl/curve25519.h>
|
| +
|
| #include <vector>
|
|
|
| #include "base/base64.h"
|
| +#include "base/macros.h"
|
| #include "base/strings/string_number_conversions.h"
|
| #include "base/strings/string_split.h"
|
| #include "base/strings/string_util.h"
|
| @@ -18,8 +21,18 @@ namespace content {
|
|
|
| namespace {
|
|
|
| +// This is the default public key used for validating signatures.
|
| +// TODO(iclelland): Move this to the embedder, and provide a mechanism to allow
|
| +// for multiple signing keys. https://crbug.com/543220
|
| +static const uint8_t kPublicKey[] = {
|
| + 0x7c, 0xc4, 0xb8, 0x9a, 0x93, 0xba, 0x6e, 0xe2, 0xd0, 0xfd, 0x03,
|
| + 0x1d, 0xfb, 0x32, 0x66, 0xc7, 0x3b, 0x72, 0xfd, 0x54, 0x3a, 0x07,
|
| + 0x51, 0x14, 0x66, 0xaa, 0x02, 0x53, 0x4e, 0x33, 0xa1, 0x15,
|
| +};
|
| +
|
| const char* kApiKeyFieldSeparator = "|";
|
| -}
|
| +
|
| +} // namespace
|
|
|
| ApiKey::~ApiKey() {}
|
|
|
| @@ -30,6 +43,8 @@ scoped_ptr<ApiKey> ApiKey::Parse(const std::string& key_text) {
|
|
|
| // API Key should resemble:
|
| // signature|origin|api_name|expiry_timestamp
|
| + // TODO(iclelland): Add version code to API key format to identify key algo
|
| + // https://crbug.com/570684
|
| std::vector<std::string> parts =
|
| SplitString(key_text, kApiKeyFieldSeparator, base::KEEP_WHITESPACE,
|
| base::SPLIT_WANT_ALL);
|
| @@ -77,9 +92,11 @@ bool ApiKey::IsAppropriate(const std::string& origin,
|
| }
|
|
|
| bool ApiKey::IsValid(const base::Time& now) const {
|
| - // TODO(iclelland): Validate signature on key data here as well.
|
| - // https://crbug.com/543215
|
| - return ValidateDate(now);
|
| + // TODO(iclelland): Allow for multiple signing keys, and iterate over all
|
| + // active keys here. https://crbug.com/543220
|
| + return ValidateDate(now) &&
|
| + ValidateSignature(base::StringPiece(
|
| + reinterpret_cast<const char*>(kPublicKey), arraysize(kPublicKey)));
|
| }
|
|
|
| bool ApiKey::ValidateOrigin(const std::string& origin) const {
|
| @@ -95,4 +112,33 @@ bool ApiKey::ValidateDate(const base::Time& now) const {
|
| return expiry_time > now;
|
| }
|
|
|
| +bool ApiKey::ValidateSignature(const base::StringPiece& public_key) const {
|
| + return ValidateSignature(signature_, data_, public_key);
|
| +}
|
| +
|
| +// static
|
| +bool ApiKey::ValidateSignature(const std::string& signature_text,
|
| + const std::string& data,
|
| + const base::StringPiece& public_key) {
|
| + // Public key must be 32 bytes long for Ed25519.
|
| + CHECK_EQ(public_key.length(), 32UL);
|
| +
|
| + std::string signature;
|
| + // signature_text is base64-encoded; decode first.
|
| + if (!base::Base64Decode(signature_text, &signature)) {
|
| + return false;
|
| + }
|
| +
|
| + // Signature must be 64 bytes long
|
| + if (signature.length() != 64) {
|
| + return false;
|
| + }
|
| +
|
| + int result = ED25519_verify(
|
| + reinterpret_cast<const uint8_t*>(data.data()), data.length(),
|
| + reinterpret_cast<const uint8_t*>(signature.data()),
|
| + reinterpret_cast<const uint8_t*>(public_key.data()));
|
| + return (result != 0);
|
| +}
|
| +
|
| } // namespace content
|
|
|
Chromium Code Reviews
Issue 1522813002:
Add public key and signature verification to browser-side API keys (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@keys