Verify intent signatures.

chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java

Index: chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java
diff --git a/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java b/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java
index 99c2a0418e6c33bcb9d4d677230334e3549929bd..4e3188507cff9c14410a612f9389b0682d4a2b8c 100644
--- a/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandler.java
@@ -7,7 +7,9 @@ package org.chromium.chrome.browser.externalnav;
 import android.content.ActivityNotFoundException;
 import android.content.ComponentName;
 import android.content.Intent;
+import android.content.pm.PackageManager;
 import android.content.pm.ResolveInfo;
+import android.content.pm.Signature;
 import android.net.Uri;
 import android.os.SystemClock;
 import android.provider.Browser;
@@ -28,8 +30,12 @@ import org.chromium.chrome.browser.util.UrlUtilities;
 import org.chromium.ui.base.PageTransition;
 
 import java.net.URI;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
 /**
@@ -112,6 +118,69 @@ public class ExternalNavigationHandler {
             browserFallbackUrl = null;
         }
 
+        try {
+            //scheme
+            String scheme = intent.getData().getScheme();
+            String fragment = intent.getData().getFragment();
+            if (!TextUtils.isEmpty(scheme) && null != fragment && fragment.contains(";")) {
+                String[] parts = fragment.split(";");
+                String[] part = null;

[palmer, 2016/07/20 18:53:48]

Declare this where it's used (line 146).

+                Set<Set<String>> allFingerPrint256 = new HashSet<>();
+                String fingerPrint256 = "";

[palmer, 2016/07/20 18:53:48]

Declare this where it's used (line 148).

+                String pkgName = "";
+                /**
+                 * same package name , different keystores, generated fingerprint256 set.
+                 *
+                 * 1.an app's signature may update and change from old, so need config and
+                 * support new and old, but this is optional.(e.g. a.only config new fingerprint
+                 * b. only config old fingerprint. c.config new and old fingerprint)
+                 *
+                 * 2.one apk itself may contain more than one keystore to sign.
+                 *
+                 * example: suppose apk's new signature is 3A4FXXXXXX,12XXXXXXX,and old signature
+                 * is 1B2AXXXX. you can config the intent like "...;sha256=3A4FXXXXXX,12XXXXXXX;.."
+                 * or "..;sha256=3A4FXXXXXX,12XXXXXXX|1B2AXXXX;.."
+                 */
+                String[] fingerPrint256DifGroups;
+                for (String each : parts) {
+                    part = each.split("=");
+                    if (part[0].equals("sha256")) {
+                        fingerPrint256 = part[1];
+                        fingerPrint256DifGroups = fingerPrint256.split("\\|");
+                        for (String v : fingerPrint256DifGroups) {
+                            Set<String> fingerPrint256GroupSignKeySet = new HashSet<>();
+                            Collections.addAll(fingerPrint256GroupSignKeySet, v.split(","));
+                            allFingerPrint256.add(fingerPrint256GroupSignKeySet);
+                        }
+                    }
+                    if (part[0].equals("package")) {
+                        pkgName = part[1];
+                    }
+                }
+                if (!TextUtils.isEmpty(pkgName) && !TextUtils.isEmpty(fingerPrint256)) {
+                    PackageManager pm = mDelegate.getAssociatedActivityContext()
+                            .getPackageManager();
+                    Signature[] signatures = pm.getPackageInfo(pkgName,
+                            PackageManager.GET_SIGNATURES).signatures;
+                    HashSet<String> fingerPrint256Set = new HashSet<String>();
+                    String fingerPrint = "";

[palmer, 2016/07/20 18:53:48]

Declare this where it's used (line 169).

+                    if (signatures.length > 0) {
+                        for (Signature each : signatures) {
+                            fingerPrint = computeNormalizedSha256Fingerprint(each.toByteArray());
+                            fingerPrint256Set.add(fingerPrint);
+                        }
+                    }
+                    if (!allFingerPrint256.contains(fingerPrint256Set)) {
+                        return OverrideUrlLoadingResult.NO_OVERRIDE;
+                    }
+                }
+            }
+        } catch (PackageManager.NameNotFoundException e) {
+            return OverrideUrlLoadingResult.NO_OVERRIDE;
+        } catch (Exception ignore) {
+            //ignore the check sign miss

[palmer, 2016/07/20 18:53:48]

Why?

+        }
+
         long time = SystemClock.elapsedRealtime();
         OverrideUrlLoadingResult result = shouldOverrideUrlLoadingInternal(
                 params, intent, hasBrowserFallbackUrl, browserFallbackUrl);
@@ -520,4 +589,37 @@ public class ExternalNavigationHandler {
         }
         return null;
     }
+
+    /**
+     * compute normalized sha256fingerprint from signatures
+     *
+     * @return hexString of the fingerprint
+     */
+    private static String computeNormalizedSha256Fingerprint(byte[] signature) {

[palmer, 2016/07/20 18:53:48]

Although this is for Android package signatures, it'd be better to name this
method's argument more generally. Also you can make the method name more
concise:

    getSha256(byte[] bytes)

+        MessageDigest digester;
+        try {
+            digester = MessageDigest.getInstance("SHA-256");
+        } catch (NoSuchAlgorithmException e) {
+            throw new AssertionError("No SHA-256 implementation found.");
+        }
+        digester.update(signature);
+        return byteArrayToHexString(digester.digest());
+    }
+
+    /**
+     * convert byteArray to String
+     *
+     * @return hexString
+     */
+    private static String byteArrayToHexString(byte[] array) {

[palmer, 2016/07/20 18:53:48]

Is there not already a function that does this somewhere in Java, Android, or
Chrome?

+        if (array.length == 0) {
+            return "";
+        }
+        StringBuilder data = new StringBuilder();
+        for (byte anArray : array) {

[palmer, 2016/07/20 18:53:47]

Use more concise names:

   for (byte b : bytes)

+            data.append(Integer.toHexString((anArray >> 4) & 0x0f));
+            data.append(Integer.toHexString(anArray & 0x0f));
+        }
+        return data.toString().toUpperCase();
+    }
 }