| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "content/common/experiments/api_key.h" | |
| 6 | |
| 7 #include <openssl/curve25519.h> | |
| 8 | |
| 9 #include <vector> | |
| 10 | |
| 11 #include "base/base64.h" | |
| 12 #include "base/macros.h" | |
| 13 #include "base/strings/string_number_conversions.h" | |
| 14 #include "base/strings/string_split.h" | |
| 15 #include "base/strings/string_util.h" | |
| 16 #include "base/strings/utf_string_conversions.h" | |
| 17 #include "base/time/time.h" | |
| 18 #include "url/origin.h" | |
| 19 | |
| 20 namespace content { | |
| 21 | |
| 22 namespace { | |
| 23 | |
| 24 // This is the default public key used for validating signatures. | |
| 25 // TODO(iclelland): Move this to the embedder, and provide a mechanism to allow | |
| 26 // for multiple signing keys. https://crbug.com/543220 | |
| 27 static const uint8_t kPublicKey[] = { | |
| 28 0x7c, 0xc4, 0xb8, 0x9a, 0x93, 0xba, 0x6e, 0xe2, 0xd0, 0xfd, 0x03, | |
| 29 0x1d, 0xfb, 0x32, 0x66, 0xc7, 0x3b, 0x72, 0xfd, 0x54, 0x3a, 0x07, | |
| 30 0x51, 0x14, 0x66, 0xaa, 0x02, 0x53, 0x4e, 0x33, 0xa1, 0x15, | |
| 31 }; | |
| 32 | |
| 33 const char* kApiKeyFieldSeparator = "|"; | |
| 34 | |
| 35 } // namespace | |
| 36 | |
| 37 ApiKey::~ApiKey() {} | |
| 38 | |
| 39 scoped_ptr<ApiKey> ApiKey::Parse(const std::string& key_text) { | |
| 40 if (key_text.empty()) { | |
| 41 return nullptr; | |
| 42 } | |
| 43 | |
| 44 // API Key should resemble: | |
| 45 // signature|origin|api_name|expiry_timestamp | |
| 46 // TODO(iclelland): Add version code to API key format to identify key algo | |
| 47 // https://crbug.com/570684 | |
| 48 std::vector<std::string> parts = | |
| 49 SplitString(key_text, kApiKeyFieldSeparator, base::KEEP_WHITESPACE, | |
| 50 base::SPLIT_WANT_ALL); | |
| 51 if (parts.size() != 4) { | |
| 52 return nullptr; | |
| 53 } | |
| 54 | |
| 55 const std::string& signature = parts[0]; | |
| 56 const std::string& origin_string = parts[1]; | |
| 57 const std::string& api_name = parts[2]; | |
| 58 const std::string& expiry_string = parts[3]; | |
| 59 | |
| 60 uint64_t expiry_timestamp; | |
| 61 if (!base::StringToUint64(expiry_string, &expiry_timestamp)) { | |
| 62 return nullptr; | |
| 63 } | |
| 64 | |
| 65 // Ensure that the origin is a valid (non-unique) origin URL | |
| 66 GURL origin_url(origin_string); | |
| 67 if (url::Origin(origin_url).unique()) { | |
| 68 return nullptr; | |
| 69 } | |
| 70 | |
| 71 // signed data is (origin + "|" + api_name + "|" + expiry). | |
| 72 std::string data = key_text.substr(signature.length() + 1); | |
| 73 | |
| 74 return make_scoped_ptr( | |
| 75 new ApiKey(signature, data, origin_url, api_name, expiry_timestamp)); | |
| 76 } | |
| 77 | |
| 78 ApiKey::ApiKey(const std::string& signature, | |
| 79 const std::string& data, | |
| 80 const GURL& origin, | |
| 81 const std::string& api_name, | |
| 82 uint64_t expiry_timestamp) | |
| 83 : signature_(signature), | |
| 84 data_(data), | |
| 85 origin_(origin), | |
| 86 api_name_(api_name), | |
| 87 expiry_timestamp_(expiry_timestamp) {} | |
| 88 | |
| 89 bool ApiKey::IsAppropriate(const std::string& origin, | |
| 90 const std::string& api_name) const { | |
| 91 return ValidateOrigin(origin) && ValidateApiName(api_name); | |
| 92 } | |
| 93 | |
| 94 bool ApiKey::IsValid(const base::Time& now) const { | |
| 95 // TODO(iclelland): Allow for multiple signing keys, and iterate over all | |
| 96 // active keys here. https://crbug.com/543220 | |
| 97 return ValidateDate(now) && | |
| 98 ValidateSignature(base::StringPiece( | |
| 99 reinterpret_cast<const char*>(kPublicKey), arraysize(kPublicKey))); | |
| 100 } | |
| 101 | |
| 102 bool ApiKey::ValidateOrigin(const std::string& origin) const { | |
| 103 return GURL(origin) == origin_; | |
| 104 } | |
| 105 | |
| 106 bool ApiKey::ValidateApiName(const std::string& api_name) const { | |
| 107 return base::EqualsCaseInsensitiveASCII(api_name, api_name_); | |
| 108 } | |
| 109 | |
| 110 bool ApiKey::ValidateDate(const base::Time& now) const { | |
| 111 base::Time expiry_time = base::Time::FromDoubleT((double)expiry_timestamp_); | |
| 112 return expiry_time > now; | |
| 113 } | |
| 114 | |
| 115 bool ApiKey::ValidateSignature(const base::StringPiece& public_key) const { | |
| 116 return ValidateSignature(signature_, data_, public_key); | |
| 117 } | |
| 118 | |
| 119 // static | |
| 120 bool ApiKey::ValidateSignature(const std::string& signature_text, | |
| 121 const std::string& data, | |
| 122 const base::StringPiece& public_key) { | |
| 123 // Public key must be 32 bytes long for Ed25519. | |
| 124 CHECK_EQ(public_key.length(), 32UL); | |
| 125 | |
| 126 std::string signature; | |
| 127 // signature_text is base64-encoded; decode first. | |
| 128 if (!base::Base64Decode(signature_text, &signature)) { | |
| 129 return false; | |
| 130 } | |
| 131 | |
| 132 // Signature must be 64 bytes long | |
| 133 if (signature.length() != 64) { | |
| 134 return false; | |
| 135 } | |
| 136 | |
| 137 int result = ED25519_verify( | |
| 138 reinterpret_cast<const uint8_t*>(data.data()), data.length(), | |
| 139 reinterpret_cast<const uint8_t*>(signature.data()), | |
| 140 reinterpret_cast<const uint8_t*>(public_key.data())); | |
| 141 return (result != 0); | |
| 142 } | |
| 143 | |
| 144 } // namespace content | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1635593004:
Rename Experimental Framework classes and concepts (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master