Implement CUP signing in UpdateClient.

components/update_client/client_update_protocol_ecdsa.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/update_client/client_update_protocol_ecdsa.h"
 
 #include "base/logging.h"
+#include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "crypto/random.h"
 #include "crypto/sha2.h"
 #include "crypto/signature_verifier.h"
 
+namespace update_client {
+
 namespace {
 
 // This is the algorithm ID for ECDSA with SHA-256. Parameters are ABSENT.
 // RFC 5758:
 //   ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
 //        us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
 //   ...
 //   When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or
 //   ecdsa-with-SHA512 algorithm identifier appears in the algorithm field
 //   as an AlgorithmIdentifier, the encoding MUST omit the parameters
@@ skipping 12 matching lines @@
 }
 
 std::vector<uint8_t> SHA256HashVec(const std::vector<uint8_t>& vec) {
   if (vec.empty())
     return SHA256HashStr(base::StringPiece());
 
   return SHA256HashStr(base::StringPiece(
       reinterpret_cast<const char*>(&vec.front()), vec.size()));
 }
 
-bool ParseETagHeader(const base::StringPiece& etag_header_value,
+bool ParseETagHeader(const base::StringPiece& etag_header_value_in,
                      std::vector<uint8_t>* ecdsa_signature_out,
                      std::vector<uint8_t>* request_hash_out) {
   DCHECK(ecdsa_signature_out);
   DCHECK(request_hash_out);
 
   // The ETag value is a UTF-8 string, formatted as "S:H", where:
   // * S is the ECDSA signature in DER-encoded ASN.1 form, converted to hex.
   // * H is the SHA-256 hash of the observed request body, standard hex format.
+  // A Weak ETag is formatted as W/"S:H". This function treats it the same as a
+  // strong ETag.
+  base::StringPiece etag_header_value(etag_header_value_in);
+
+  // Remove the weak prefix, then remove the begin and the end quotes.
+  const char kWeakETagPrefix[] = "W/";
+  if (etag_header_value.starts_with(kWeakETagPrefix))
+    etag_header_value.remove_prefix(arraysize(kWeakETagPrefix) - 1);
+  if (etag_header_value.size() >= 2 && etag_header_value.starts_with("\"") &&
+      etag_header_value.ends_with("\"")) {
+    etag_header_value.remove_prefix(1);
+    etag_header_value.remove_suffix(1);
+  }
+
   const base::StringPiece::size_type delim_pos = etag_header_value.find(':');
   if (delim_pos == base::StringPiece::npos || delim_pos == 0 ||
       delim_pos == etag_header_value.size() - 1)
     return false;
 
   const base::StringPiece sig_hex = etag_header_value.substr(0, delim_pos);
   const base::StringPiece hash_hex = etag_header_value.substr(delim_pos + 1);
 
   // Decode the ECDSA signature. Don't bother validating the contents of it;
   // the SignatureValidator class will handle the actual DER decoding and
@@ skipping 113 matching lines @@
 
   // If the verification fails, that implies one of two outcomes:
   // * The signature was modified
   // * The buffer that the server signed does not match the buffer that the
   //   client assembled -- implying that either request body or response body
   //   was modified, or a different nonce value was used.
   verifier.VerifyUpdate(&signed_message_hash.front(),
                         static_cast<int>(signed_message_hash.size()));
   return verifier.VerifyFinal();
 }
+
+}  // namespace update_client