Per discussion, implement the Omaha Client Update Protocol (CUP) in src/crypto.

google_apis/cup/client_update_protocol.h

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef GOOGLE_APIS_CUP_CLIENT_UPDATE_PROTOCOL_H_
+#define GOOGLE_APIS_CUP_CLIENT_UPDATE_PROTOCOL_H_
+
+#include <string>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/strings/string_piece.h"
+
+// Forward declare types for NSS/OpenSSL.

[Ryan Sleevi, 2013/06/06 19:59:10]

comment nit: You're not using OpenSSL ATM, so lets not say.

[Ryan Myers (chromium), 2013/06/06 21:09:10]

Done.

+#if defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX)
+typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
+#endif
+
+// Client Update Protocol, or CUP, is used by Google Update (Omaha) servers to
+// ensure freshness and authenticity of update checks over HTTP, without the
+// overhead of HTTPS -- namely, no PKI, no guarantee of privacy, and no request
+// replay protection (since update checks are idempotent).
+//
+// http://omaha.googlecode.com/svn/wiki/cup.html
+//
+// This implementation does not persist client proofs by design.
+class ClientUpdateProtocol {
+ public:
+  ~ClientUpdateProtocol();
+
+  // Initializes this instance of CUP with a versioned public key. |key_version|
+  // must be non-negative. |public_key| is expected to be a DER-encoded ASN.1
+  // Subject Public Key Info.  Returns NULL on failure.
+  static ClientUpdateProtocol* Create(int key_version,

[Ryan Sleevi, 2013/06/06 19:59:10]

Chromium style is to prefer returning scoped_ptr<ClientUpdateProtocol> to force
an ownership conversion.

We have a C++11 move emulation layer, detailed at
http://www.chromium.org/developers/smart-pointer-guidelines , that makes this
efficient.

[Ryan Myers (chromium), 2013/06/06 21:09:10]

Done.

+                                      const base::StringPiece& public_key);
+
+  // Returns a versioned encrypted secret (v|w) in a URL-safe Base64 encoding.
+  // Add to your URL before calling SignRequest().
+  std::string GetVersionedSecret() const;
+
+  // Generates freshness/authentication data for an outgoing update check.
+  // |url| contains the the URL that the request will be sent to; it should
+  // include GetVersionedSecret() in its query string.  This needs to be
+  // formatted in the way that the Omaha server expects: omit the scheme and
+  // any port number.  (e.g. "//tools.google.com/service/update2?w=1:abcdef")
+  // |request_body| contains the body of the update check request in UTF-8.
+  //
+  // On success, returns true, and |cp_out| receives a Base64-encoded client

[Ryan Sleevi, 2013/06/06 19:59:10]

s/cp_out/client_proof/

[Ryan Myers (chromium), 2013/06/06 21:09:10]

Done.

+  // proof, which should be sent in the If-Match HTTP header.  On failure,
+  // returns false, and |cp_out| is not modified.
+  //
+  // This method will store internal state in this instance used by calls to
+  // ValidateResponse(); if you need to have multiple update checks in flight,
+  // initialize a separate CUP instance for each one.

[Ryan Sleevi, 2013/06/06 19:59:10]

This last bit seems better moved to the class level, around lines 27.

That is, that each ClientUpdateProtocol instance represents a single update
check.

[Ryan Myers (chromium), 2013/06/06 21:09:10]

Done.

[Ryan Myers (chromium), 2013/06/06 21:09:10]

Done.

+  bool SignRequest(const base::StringPiece& url,
+                   const base::StringPiece& request_body,
+                   std::string* client_proof);
+
+  // Validates a response given to a update check request previously signed
+  // with SignRequest().  |request_body| contains the body of the response in

[Ryan Sleevi, 2013/06/06 19:59:10]

comment/OCD nit: Either use only a single space between each param, or newline
separate. Preference is single-space.

+  // UTF-8.  |server_cookie| contains the persisted credential cookie provided
+  // by the server.  |server_proof| contains the Base64-encoded server proof,
+  // which is passed in the ETag HTTP header.  Returns true if the response is
+  // valid.
+  // This method uses internal state that is set by a prior SignRequest() call.
+  bool ValidateResponse(const base::StringPiece& response_body,
+                        const base::StringPiece& server_cookie,
+                        const base::StringPiece& server_proof);
+
+ private:
+  friend class CupUnitTest;

[Ryan Sleevi, 2013/06/06 19:59:10]

naming nit: The vast majority of our tests omit the "Unit" part of test

eg: CupTest

[Ryan Myers (chromium), 2013/06/06 21:09:10]

Done.

+
+  // Constructor is private -- use the Create method above.

[Ryan Sleevi, 2013/06/06 19:59:10]

comment nit: Seems a superfluous comment. 

[Ryan Myers (chromium), 2013/06/06 21:09:10]

Done.

+  explicit ClientUpdateProtocol(int key_version);
+
+  // Decodes |public_key| into the appropriate internal structures.  Returns
+  // the length of the public key (modulus) in bytes, or 0 on failure.
+  bool LoadPublicKey(const base::StringPiece& public_key);
+
+  // Returns the size of the public key in bytes, or 0 on failure.
+  size_t PublicKeyLength();
+
+  // Helper function for BuildSharedKey() -- encrypts |key_source| (r) using
+  // the loaded public key, filling out |encrypted_key_source_| (w).
+  // Returns true on success.
+  bool EncryptKeySource(const std::vector<uint8>& key_source);
+
+  // Generates a key source (r) and uses that to fill out |shared_key_| (sk')
+  // and encrypted_key_source_ (w).  If |opt_key_source| is non-NULL, the key
+  // source is read from that location instead of being randomly generated.
+  // (Used for unit testing.)  Returns true on success.
+  bool BuildSharedKey(size_t public_key_length, const uint8* opt_key_source);

[Ryan Sleevi, 2013/06/06 19:59:10]

style/design: I would encourage two different calls here

BuildSharedKey()
BuildSharedKeyForTesting()

We have special pre-submit scripts to ensure that *ForTesting() methods are only
used in unit tests (... more or less), which is a handy design separation.

[Ryan Myers (chromium), 2013/06/06 21:09:10]

Done.

+
+  // The server keeps multiple private keys; a version must be sent so that
+  // the right private key is used to decode the versioned secret.  (The CUP
+  // specification calls this "v".)
+  int pub_key_version_;
+
+  // Holds the shared key, which is used to generate an HMAC signature for both
+  // the update check request and the update response. The client builds it
+  // locally, but sends the server an encrypted copy of the key source to
+  // synthesize it on its own. (The CUP specification calls this "sk'".)
+  std::vector<uint8> shared_key_;
+
+  // Holds the original contents of key_source_ that have been encrypted with
+  // the server's public key. The client sends this, along with the version of
+  // the keypair that was used, to the server. The server decrypts it using its
+  // private key to get the contents of key_source_, from which it recreates the
+  // shared key. (The CUP specification calls this "w".)
+  std::vector<uint8> encrypted_key_source_;
+
+  // Holds the hash of the update check request, the URL that it was sent to,
+  // and the versioned secret. This is filled out by a successful call to
+  // SignRequest(), and used by ValidateResponse() to confirm that the server
+  // has successfully decoded the versioned secret and signed the response using
+  // the same shared key as our own. (The CUP specification calls this "hw".)
+  std::vector<uint8> client_challenge_hash_;
+
+  // The public key used to encrypt the key source.  (The CUP specification
+  // calls this "pk[v]".)
+#if defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX)
+  SECKEYPublicKey* public_key_;
+#endif
+
+  DISALLOW_COPY_AND_ASSIGN(ClientUpdateProtocol);

[Ryan Sleevi, 2013/06/06 19:59:10]

nit: DISALLOW_IMPLICIT_CONSTRUCTORS

[Ryan Myers (chromium), 2013/06/06 21:09:10]

Done.

+};
+
+#endif  // GOOGLE_APIS_CUP_CLIENT_UPDATE_PROTOCOL_H_
+