crypto/cup.h - Issue 15793005: Per discussion, implement the Omaha Client Update Protocol (CUP) in src/crypto.

Side by Side Diff: crypto/cup.h

Issue 15793005: Per discussion, implement the Omaha Client Update Protocol (CUP) in src/crypto. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: Created 7 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.
	Ryan Sleevi 2013/05/30 02:28:08 As per http://google-styleguide.googlecode.com/svn As per http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=File_N... , make your file names specific This file (and the related ones) should be called "client_update_protocol" Ryan Myers (chromium) 2013/05/30 21:01:10 ACK. I'll make this change in the final patchset, Show quoted text On 2013/05/30 02:28:08, Ryan Sleevi wrote: > As per > http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=File_N... > , make your file names specific > > This file (and the related ones) should be called "client_update_protocol" ACK. I'll make this change in the final patchset, however, so that diffs in these files remain trackable during the review process.
	4

	5 #ifndef CRYPTO_CUP_H_

	6 #define CRYPTO_CUP_H_

	7

	8 #include <string>

	9 #include <vector>

	10

	11 #include "base/basictypes.h"

	12 #include "base/strings/string_piece.h"

	13 #include "crypto/crypto_export.h"

	14

	15 #if defined(USE_NSS) \|\| defined(OS_WIN) \|\| defined(OS_MACOSX)

	16 #include "crypto/scoped_nss_types.h"

	17 #endif

	18

	19 namespace crypto {

	20

	21 // CUP, or Client Update Protocol, is used by Google Update (Omaha) servers to
	Ryan Sleevi 2013/05/30 02:28:08 Client Update Protocol, or CUP, ... [to match file Client Update Protocol, or CUP, ... [to match file naming] Ryan Myers (chromium) 2013/05/30 21:01:10 Done. Show quoted text On 2013/05/30 02:28:08, Ryan Sleevi wrote: > Client Update Protocol, or CUP, ... [to match file naming] Done.
	22 // ensure freshness and authenticity of update checks over HTTP, without the

	23 // overhead of HTTPS -- namely, no PKI, no guarantee of privacy, and no request

	24 // replay protection (since update checks are idempotent).

	25 //

	26 // http://omaha.googlecode.com/svn/wiki/cup.html

	27 //

	28 // This implementation does not persist client proofs by design.

	29
	Ryan Sleevi 2013/05/30 02:28:08 Delete newline Delete newline Ryan Myers (chromium) 2013/05/30 21:01:10 Done. Show quoted text On 2013/05/30 02:28:08, Ryan Sleevi wrote: > Delete newline Done.
	30 class CRYPTO_EXPORT ClientUpdateProtocol {

	31 public:

	32 explicit ClientUpdateProtocol();

	33 ~ClientUpdateProtocol();

	34

	35 // Initializes this instance of CUP with a versioned public key. \|key_version\|

	36 // must be non-negative. \|public_key\| is expected to be in PEM format with no

	37 // header/footer. (i.e. a Base64 encoding of a DER encoding of an ASN.1 key.)
	Ryan Sleevi 2013/05/30 02:28:08 Design: Can you explain why you're using PEM, rath Design: Can you explain why you're using PEM, rather than DER? Especially if this is coded in, it makes no sense to use PEM. Given that PEM itself is ambiguous and subject to interpretation, a strong preference is to just take the binary data. Ryan Myers (chromium) 2013/05/30 21:01:10 Switched to DER. Done. Show quoted text On 2013/05/30 02:28:08, Ryan Sleevi wrote: > Design: Can you explain why you're using PEM, rather than DER? Especially if > this is coded in, it makes no sense to use PEM. > > Given that PEM itself is ambiguous and subject to interpretation, a strong > preference is to just take the binary data. Switched to DER. Done.
	38 //

	39 // Returns true on success. Only call Init() once; it will return false on

	40 // subsequent calls.

	41 bool Init(int key_version, const char* public_key);
	Ryan Sleevi 2013/05/30 02:28:08 Design: Rather than the Init() pattern, it seems m Design: Rather than the Init() pattern, it seems more desirable to use the Factory pattern (eg: Create), to avoid the partially-initialized-object pattern. Chrome uses both, to be fair. Ryan Myers (chromium)* 2013/05/30 21:01:10 Done. Show quoted text On 2013/05/30 02:28:08, Ryan Sleevi wrote: > Design: Rather than the Init() pattern, it seems more desirable to use the > Factory pattern (eg: Create*), to avoid the partially-initialized-object > pattern. Chrome uses both, to be fair. Done.
	42

	43 // Generates freshness/authentication data for an outgoing update check. A

	44 // shared key is generated and encrypted with the public key, and a challenge

	45 // and proof are built.

	46 //

	47 // On success, returns true on success. Out parameters are as follows:

	48 // * \|url_query_out\| receives a modified query string to use in the URL.

	49 // * \|cp_out\| receives the client proof in a Base64 encoding, which should be

	50 // sent in the If-Match HTTP header.

	51 //

	52 // On failure, returns false, and output parameters are not modified.

	53 //

	54 // This method will store internal state in this instance used by calls to

	55 // ValidateResponse(); if you need to have multiple update checks in flight,

	56 // initialize a separate CUP instance for each one.

	57 bool SignRequest(const base::StringPiece& url_host,

	58 const base::StringPiece& url_path,

	59 const base::StringPiece& url_query,

	60 const base::StringPiece& request_body,

	61 std::string* url_query_out,

	62 std::string* cp_out);

	63

	64 // Validates a response to a update check request that was previously signed

	65 // with SignRequest(). Returns true on success, false if it cannot validate.

	66 // Internal state from the previous call to SignRequest() is used.

	67 bool ValidateResponse(const base::StringPiece& response_body,

	68 const base::StringPiece& c_in,

	69 const base::StringPiece& sp_in);

	70

	71 private:

	72 int v_;

	73

	74 std::vector<uint8> r_;

	75 std::vector<uint8> sk_;

	76 std::vector<uint8> w_;

	77 std::vector<uint8> hw_;

	78 std::string vw_;
	Ryan Sleevi 2013/05/30 02:28:08 These field names should all be updated to more me These field names should all be updated to more meaningful values. If you're trying to mirror the specification, use comments to indicate that. It's more important to be able to understand this class without having to read the spec http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Copy_C... Ryan Myers (chromium) 2013/05/30 21:01:10 Done. (Renamed them, with added comments to descr Show quoted text On 2013/05/30 02:28:08, Ryan Sleevi wrote: > These field names should all be updated to more meaningful values. If you're > trying to mirror the specification, use comments to indicate that. It's more > important to be able to understand this class without having to read the spec > > http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Copy_C... Done. (Renamed them, with added comments to describe use and reference CUP spec names.)
	79

	80 #if defined(USE_NSS) \|\| defined(OS_WIN) \|\| defined(OS_MACOSX)

	81 ScopedSECKEYPublicKey pkv_;

	82 #endif
	Ryan Sleevi 2013/05/30 02:28:08 No OpenSSL handling? No OpenSSL handling? Ryan Myers (chromium) 2013/05/30 21:01:10 I hadn't coded one yet, because this isn't used on Show quoted text On 2013/05/30 02:28:08, Ryan Sleevi wrote: > No OpenSSL handling? I hadn't coded one yet, because this isn't used on any of the platforms that use OpenSSL yet. I can add one if it's desired for completeness' sake, although I generally try to not write code that's not going to be used.
	83

	84 // Decodes \|public_key\| into the appropriate internal structures for pk[v].

	85 // Returns the length of the public key (modulus) in bytes, or 0 on failure.

	86 size_t LoadPublicKey(const char* public_key);

	87

	88 // Helper function for BuildSharedKey() -- encrypts r using pk[v] to generate

	89 // challenge w. Returns true on success.

	90 bool EncryptSharedKey();

	91

	92 // Initializes r with random data. (No-fail, but requires that a public key

	93 // be loaded so that we know how much entropy to generate.)

	94 void InitializeEntropy(size_t public_key_length);

	95

	96 // Given a valid r, generates sk', calls EncryptSharedKey() to generate w,

	97 // and generates the encoded v\|w string. Returns true on success.

	98 bool BuildSharedKey();

	99

	100 // Encodes a buffer of bytes as URL-safe B64 with no padding.

	101 static std::string UrlSafeB64Encode(const std::vector<uint8>& data);
	Ryan Sleevi 2013/05/30 02:28:08 Design: All of these static-but-private member fun Design: All of these static-but-private member functions should be in an unnamed namespace in the implementation file, unless you've explicitly added them for unit tests (and I would suggest that they're not quite unit tests at that point, because they're no longer testing the public interface). Ryan Myers (chromium) 2013/05/30 21:01:10 I explicitly added them here for unit tests -- I'v Show quoted text On 2013/05/30 02:28:08, Ryan Sleevi wrote: > Design: All of these static-but-private member functions should be in an unnamed > namespace in the implementation file, unless you've explicitly added them for > unit tests (and I would suggest that they're not quite unit tests at that point, > because they're no longer testing the public interface). I explicitly added them here for unit tests -- I've found it easier to diagnose a break that way. I've moved it to an anonymous namespace. Done.
	102

	103 // Returns the length of the digest for our hashing algorithm.

	104 static size_t HashDigestSize();

	105

	106 // Computes the hash of a vector of bytes.

	107 static std::vector<uint8> Hash(const std::vector<uint8>& data);

	108

	109 // Computes the hash of a std::string, not including the null terminator.

	110 static std::vector<uint8> Hash(const base::StringPiece& sdata);

	111

	112 // Computes the HMAC of hashes: SYMSign[key](id\|h1\|h2\|h3)

	113 // NULL arguments are not included in the signature computation.

	114 // Returns an empty vector on failure.

	115 static std::vector<uint8> SymSign(const std::vector<uint8>& key,

	116 uint8 id,

	117 const std::vector<uint8>* h1,

	118 const std::vector<uint8>* h2,

	119 const std::vector<uint8>* h3);

	120

	121 // Pads some entropy with a hash of itself to generate a shared key.

	122 static std::vector<uint8> RsaPad(size_t key_size,

	123 const std::vector<uint8>& entropy);

	124

	125 friend class CupUnitTest;
	Ryan Sleevi 2013/05/30 02:28:08 per general Chromium style, move this friend to li per general Chromium style, move this friend to line 72. Similarly, DISALLOW_COPY_AND_ASSIGN(ClientUpdateProtocol) ( see http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Copy_C... ) Ryan Myers (chromium) 2013/05/30 21:01:10 Done. Show quoted text On 2013/05/30 02:28:08, Ryan Sleevi wrote: > per general Chromium style, move this friend to line 72. > > Similarly, DISALLOW_COPY_AND_ASSIGN(ClientUpdateProtocol) ( see > http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Copy_C... > ) Done.
	126 };

	127

	128 } // namespace crypto

	129

	130 #endif // CRYPTO_CUP_H_

	131

OLD	NEW

« no previous file with comments | « crypto/crypto.gyp ('k') | crypto/cup.cc » ('j') | crypto/cup.cc » ('J')