chrome/browser/mac/keychain_reauthorize.mm - Issue 2721333005: Reauthorize Keychain to Replace Developer ID Certificate

Side by Side Diff: chrome/browser/mac/keychain_reauthorize.mm

Issue 2721333005: Reauthorize Keychain to Replace Developer ID Certificate (Closed)

Patch Set: Reauthorize Keychain to Replace Developer ID Certificate Created 3 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
(Empty)
	1 // Copyright 2017 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "chrome/browser/mac/keychain_reauthorize.h"

	6

	7 #import <Foundation/Foundation.h>

	8 #include <Security/Security.h>

	9

	10 #include <string.h>

	11

	12 #include "base/logging.h"

	13 #include "base/mac/foundation_util.h"

	14 #include "base/mac/scoped_cftyperef.h"

	15 #include "base/metrics/histogram.h"

	16 #include "base/metrics/histogram_macros.h"

	17 #include "base/scoped_generic.h"

	18 #include "components/os_crypt/keychain_password_mac.h"

	19 #include "crypto/apple_keychain.h"

	20

	21 namespace chrome {

	22

	23 namespace {

	24

	25 // Reauthorizes the Safe Storage keychain item, which protects the randomly

	26 // generated password that encrypts the user's saved passwords. This reads out

	27 // the keychain item, deletes it, and re-adds it to the keychain. This works

	28 // because the keychain uses an apps designated requirement as the default ACL
	Mark Mentovai 2017/03/01 22:00:30 “default ACL for”→“ACL for reading” “default ACL for”→“ACL for reading” Mark Mentovai 2017/03/01 22:00:31 app’s app’s Greg K 2017/03/02 01:28:27 Done. Show quoted text On 2017/03/01 22:00:31, Mark Mentovai wrote: > app’s Done. Greg K 2017/03/02 01:28:27 Done. Show quoted text On 2017/03/01 22:00:30, Mark Mentovai wrote: > “default ACL for”→“ACL for reading” Done.
	29 // for an item. We are signing Chrome with the current certificate (so it can
	Mark Mentovai 2017/03/01 22:00:31 Don’t say “we.” Also, the bit about signing will b Don’t say “we.” Also, the bit about signing will become stale, because signing happens outside of this codebase. So this should just say that Chrome will be signed with a designated requirement that allows the item to be read by Chromes signed with both the old and new certificates. Greg K 2017/03/02 01:28:27 Done. Show quoted text On 2017/03/01 22:00:31, Mark Mentovai wrote: > Don’t say “we.” Also, the bit about signing will become stale, because signing > happens outside of this codebase. So this should just say that Chrome will be > signed with a designated requirement that allows the item to be read by Chromes > signed with both the old and new certificates. Done.
	30 // access the item), but using a designated requirement that accepts the current

	31 // and new certificates as valid.

	32 bool KeychainReauthorize() {

	33 base::ScopedCFTypeRef<SecKeychainItemRef> storage_item;

	34 UInt32 pw_length = 0;

	35 void* password_data = nullptr;

	36

	37 crypto::AppleKeychain keychain;

	38 OSStatus error = keychain.FindGenericPassword(

	39 NULL, strlen(KeychainPassword::service_name),
	Mark Mentovai 2017/03/01 22:00:31 Use nullptr now in new code. Hooray for C++11! Use nullptr now in new code. Hooray for C++11! Greg K 2017/03/02 01:28:27 Done. Show quoted text On 2017/03/01 22:00:31, Mark Mentovai wrote: > Use nullptr now in new code. Hooray for C++11! Done.
	40 KeychainPassword::service_name, strlen(KeychainPassword::account_name),
	Mark Mentovai 2017/03/01 22:00:31 If git cl format formatted this, then it’s fine be If git cl format formatted this, then it’s fine because I guess I’m required to say so, but if it didn’t format this, then I’ll say that it’s ugly. Greg K 2017/03/02 01:28:27 Done. Show quoted text On 2017/03/01 22:00:31, Mark Mentovai wrote: > If git cl format formatted this, then it’s fine because I guess I’m required to > say so, but if it didn’t format this, then I’ll say that it’s ugly. Done.
	41 KeychainPassword::account_name, &pw_length, &password_data,

	42 storage_item.InitializeInto());

	43

	44 std::string password =
	Mark Mentovai 2017/03/01 22:00:30 One of the sanitizers may not like this if !passwo One of the sanitizers may not like this if !password_data, and !password_data seems to be a possibility based on line 46. Greg K 2017/03/02 01:28:27 Done. Show quoted text On 2017/03/01 22:00:30, Mark Mentovai wrote: > One of the sanitizers may not like this if !password_data, and !password_data > seems to be a possibility based on line 46. Done.
	45 std::string(static_cast<char*>(password_data), pw_length);

	46 if (password_data) {

	47 memset(password_data, 0xAA, pw_length);
	Mark Mentovai 2017/03/01 22:00:31 This is good. memset_s() would be even better. But This is good. memset_s() would be even better. But you never bother scrambling the std::string version of password, so it kind of doesn’t even matter that you’ve done this. You should scramble any copies that you make. Greg K 2017/03/02 01:28:27 memset_s requires some LIBC extension, but let's d Show quoted text On 2017/03/01 22:00:31, Mark Mentovai wrote: > This is good. memset_s() would be even better. But you never bother scrambling > the std::string version of password, so it kind of doesn’t even matter that > you’ve done this. You should scramble any copies that you make. memset_s requires some LIBC extension, but let's definitely scramble the string.
	48 keychain.ItemFreeContent(nullptr, password_data);

	49 }

	50

	51 if (error != noErr)

	52 return false;
	Mark Mentovai 2017/03/01 22:00:30 Wanna say something about this? Wanna say something about this? Greg K 2017/03/02 01:28:27 Done. Show quoted text On 2017/03/01 22:00:30, Mark Mentovai wrote: > Wanna say something about this? Done.
	53

	54 if (keychain.ItemDelete(storage_item) != noErr) {

	55 LOG(ERROR) << "KeychainReauthorize failed. Cannot delete item.";
	Mark Mentovai 2017/03/01 22:00:31 Aha! Whenever you’re logging something about an OS Aha! Whenever you’re logging something about an OSStatus like you are here, you can use OSSTATUS_LOG from base/mac/mac_logging.h. The log message will include a description of what went wrong. It’s amazing!
	56 return false;

	57 }

	58

	59 error = keychain.AddGenericPassword(
	Mark Mentovai 2017/03/01 22:00:31 I’m pretty sure that the answer is no, but we can’ I’m pretty sure that the answer is no, but we can’t Find-Add without a Delete in the middle, right? Greg K 2017/03/02 01:28:27 Definitely good to test, but it failed. Show quoted text On 2017/03/01 22:00:31, Mark Mentovai wrote: > I’m pretty sure that the answer is no, but we can’t Find-Add without a Delete in > the middle, right? Definitely good to test, but it failed.
	60 NULL, strlen(KeychainPassword::service_name),

	61 KeychainPassword::service_name, strlen(KeychainPassword::account_name),

	62 KeychainPassword::account_name, password.size(), password.data(), NULL);

	63

	64 if (error != noErr) {

	65 LOG(ERROR) << "Failed to re-add storage password.";

	66 return false;

	67 }

	68 return true;

	69 }

	70

	71 } // namespace

	72

	73 void KeychainReauthorizeIfNeeded(NSString* pref_key, int max_tries) {

	74 NSUserDefaults* user_defaults = [NSUserDefaults standardUserDefaults];

	75 [user_defaults synchronize];
	Mark Mentovai 2017/03/01 22:00:31 I don’t believe that this one will do anything, be I don’t believe that this one will do anything, because you haven’t written anything yet. Greg K 2017/03/02 01:28:27 Done. Show quoted text On 2017/03/01 22:00:31, Mark Mentovai wrote: > I don’t believe that this one will do anything, because you haven’t written > anything yet. Done.
	76 int pref_value = [user_defaults integerForKey:pref_key];

	77

	78 if (pref_value >= max_tries)

	79 return;

	80

	81 BOOL success_value =

	82 [user_defaults boolForKey:[pref_key stringByAppendingString:@"Success"]];

	83 if (success_value)

	84 return;

	85

	86 if (pref_value > 0) {

	87 // Logs the number of previous tries that didn't complete.

	88 if (base::mac::AmIBundled()) {

	89 UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeeded", pref_value);

	90 } else {

	91 UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeededAtUpdate",

	92 pref_value);

	93 }

	94 }

	95

	96 bool success = KeychainReauthorize();

	97

	98 ++pref_value;
	Mark Mentovai 2017/03/01 22:00:31 The comment in the header was explicit that this w The comment in the header was explicit that this would happen BEFORE the reauthorize attempt. It’s nice to do it before, because if KeychainReauthorize() turns out to be crashy, just launch Chrome a few more times to recover. Greg K 2017/03/02 01:28:27 That makes sense, I didn't think about that. Show quoted text On 2017/03/01 22:00:31, Mark Mentovai wrote: > The comment in the header was explicit that this would happen BEFORE the > reauthorize attempt. It’s nice to do it before, because if KeychainReauthorize() > turns out to be crashy, just launch Chrome a few more times to recover. That makes sense, I didn't think about that.
	99 [user_defaults setInteger:pref_value forKey:pref_key];

	100 [user_defaults synchronize];

	101

	102 if (!success)

	103 return;

	104

	105 NSString* success_pref_key = [pref_key stringByAppendingString:@"Success"];
	Mark Mentovai 2017/03/01 22:00:31 You already computed this above, on line 82. You s You already computed this above, on line 82. You should only do it once. Greg K 2017/03/02 01:28:27 Done. Show quoted text On 2017/03/01 22:00:31, Mark Mentovai wrote: > You already computed this above, on line 82. You should only do it once. Done.
	106 [user_defaults setBool:YES forKey:success_pref_key];

	107 [user_defaults synchronize];

	108

	109 // Logs the try number (1, 2) that succeeded.

	110 if (base::mac::AmIBundled()) {

	111 UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeededSuccess", pref_value);

	112 } else {

	113 UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeededAtUpdateSuccess",

	114 pref_value);

	115 }

	116 }

	117

	118 } // namespace chrome

OLD	NEW

« chrome/browser/BUILD.gn ('K') | « chrome/browser/mac/keychain_reauthorize.h ('k') | chrome/installer/mac/sign_app.sh.in » ('j') | chrome/installer/mac/sign_app.sh.in » ('J')