chrome/browser/extensions/install_signer.cc - Issue 2797683002: Network traffic annotation added to install_signer.

Side by Side Diff: chrome/browser/extensions/install_signer.cc

Issue 2797683002: Network traffic annotation added to install_signer. (Closed)

Patch Set: Annotation updated. Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chrome/browser/extensions/install_signer.h"	5 #include "chrome/browser/extensions/install_signer.h"

6	6

7 #include <stddef.h>	7 #include <stddef.h>

8 #include <stdint.h>	8 #include <stdint.h>

9 #include <utility>	9 #include <utility>

10	10

(...skipping 13 matching lines...) Expand all Loading...
24 #include "base/strings/string_split.h"	24 #include "base/strings/string_split.h"

25 #include "base/strings/string_util.h"	25 #include "base/strings/string_util.h"

26 #include "base/time/time.h"	26 #include "base/time/time.h"

27 #include "base/values.h"	27 #include "base/values.h"

28 #include "build/build_config.h"	28 #include "build/build_config.h"

29 #include "chrome/common/chrome_switches.h"	29 #include "chrome/common/chrome_switches.h"

30 #include "crypto/random.h"	30 #include "crypto/random.h"

31 #include "crypto/secure_hash.h"	31 #include "crypto/secure_hash.h"

32 #include "crypto/sha2.h"	32 #include "crypto/sha2.h"

33 #include "crypto/signature_verifier.h"	33 #include "crypto/signature_verifier.h"

	34 #include "net/traffic_annotation/network_traffic_annotation.h"

34 #include "net/url_request/url_fetcher.h"	35 #include "net/url_request/url_fetcher.h"

35 #include "net/url_request/url_fetcher_delegate.h"	36 #include "net/url_request/url_fetcher_delegate.h"

36 #include "net/url_request/url_request_context_getter.h"	37 #include "net/url_request/url_request_context_getter.h"

37 #include "net/url_request/url_request_status.h"	38 #include "net/url_request/url_request_status.h"

38 #include "rlz/features/features.h"	39 #include "rlz/features/features.h"

39 #include "url/gurl.h"	40 #include "url/gurl.h"

40	41

41 #if BUILDFLAG(ENABLE_RLZ)	42 #if BUILDFLAG(ENABLE_RLZ)

42 #include "rlz/lib/machine_id.h"	43 #include "rlz/lib/machine_id.h"

43 #endif	44 #endif

(...skipping 323 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
367	368

368 if (!context_getter_) {	369 if (!context_getter_) {

369 ReportErrorViaCallback();	370 ReportErrorViaCallback();

370 return;	371 return;

371 }	372 }

372	373

373 base::Closure closure = base::Bind(&InstallSigner::ParseFetchResponse,	374 base::Closure closure = base::Bind(&InstallSigner::ParseFetchResponse,

374 base::Unretained(this));	375 base::Unretained(this));

375	376

376 delegate_.reset(new FetcherDelegate(closure));	377 delegate_.reset(new FetcherDelegate(closure));

	378 net::NetworkTrafficAnnotationTag traffic_annotation =

	379 net::DefineNetworkTrafficAnnotation("extension_install_signer", R"(

	380 semantics {

	381 sender: "Extension Install Signer"

	382 description: "Fetches the signatures for installed extensions."

	383 trigger:

	384 "Chrome detects an extension that requires installation "

	385 "verification."

	386 data:

	387 "The ids of the extensions that need to be verified, as well as a "

	388 "salted hash of the user's machine id."
	msramek 2017/05/03 16:08:27 If I'm reading the code correctly, we send RLZ if If I'm reading the code correctly, we send RLZ if there is one (i.e. promotional instance), and nothing otherwise? How and when is the salt generated? (To be clear, my questions are aimed at assessing the stability of this ID.) Devlin 2017/05/08 15:19:02 Yeah, the machine id comes from RLZ. We don't sen Show quoted text On 2017/05/03 16:08:27, msramek (recovering) wrote: > If I'm reading the code correctly, we send RLZ if there is one (i.e. promotional > instance), and nothing otherwise? > > How and when is the salt generated? > > (To be clear, my questions are aimed at assessing the stability of this ID.) Yeah, the machine id comes from RLZ. We don't send the raw machine id from RLZ, but rather a hash of it + a salt. The salt is generated right above this call (line 361 of this patch set) through crypto::RandBytes(), which should be strongly random. By bundling the 25 (I think?) bit RLZ machine id with a 32-bit random and hashing them in sha256, I think we have sufficient guarantees that there's no way to determine the machine id, even a) by Google/the webstore or b) between unrelated install signature calls (i.e., this id is intentionally unstable). This seems to only be included to verify the validity of the response we receive. msramek 2017/05/17 22:22:04 Thanks, Devlin! Ramin, then I would perhaps add t Show quoted text On 2017/05/08 15:19:02, Devlin (catching up) wrote: > On 2017/05/03 16:08:27, msramek (recovering) wrote: > > If I'm reading the code correctly, we send RLZ if there is one (i.e. > promotional > > instance), and nothing otherwise? > > > > How and when is the salt generated? > > > > (To be clear, my questions are aimed at assessing the stability of this ID.) > > Yeah, the machine id comes from RLZ. We don't send the raw machine id from RLZ, > but rather a hash of it + a salt. The salt is generated right above this call > (line 361 of this patch set) through crypto::RandBytes(), which should be > strongly random. By bundling the 25 (I think?) bit RLZ machine id with a 32-bit > random and hashing them in sha256, I think we have sufficient guarantees that > there's no way to determine the machine id, even a) by Google/the webstore or b) > between unrelated install signature calls (i.e., this id is intentionally > unstable). This seems to only be included to verify the validity of the > response we receive. Thanks, Devlin! Ramin, then I would perhaps add that this is computed by the RLZ library, included to verify the validity of the response, and emphasize that this is not reversible (Devlin's points a) and b) ). Ramin Halavati 2017/05/18 05:01:14 Done. Show quoted text On 2017/05/17 22:22:04, msramek wrote: > On 2017/05/08 15:19:02, Devlin (catching up) wrote: > > On 2017/05/03 16:08:27, msramek (recovering) wrote: > > > If I'm reading the code correctly, we send RLZ if there is one (i.e. > > promotional > > > instance), and nothing otherwise? > > > > > > How and when is the salt generated? > > > > > > (To be clear, my questions are aimed at assessing the stability of this ID.) > > > > Yeah, the machine id comes from RLZ. We don't send the raw machine id from > RLZ, > > but rather a hash of it + a salt. The salt is generated right above this call > > (line 361 of this patch set) through crypto::RandBytes(), which should be > > strongly random. By bundling the 25 (I think?) bit RLZ machine id with a > 32-bit > > random and hashing them in sha256, I think we have sufficient guarantees that > > there's no way to determine the machine id, even a) by Google/the webstore or > b) > > between unrelated install signature calls (i.e., this id is intentionally > > unstable). This seems to only be included to verify the validity of the > > response we receive. > > Thanks, Devlin! > > Ramin, then I would perhaps add that this is computed by the RLZ library, > included to verify the validity of the response, and emphasize that this is not > reversible (Devlin's points a) and b) ). Done.
	389 destination: GOOGLE_OWNED_SERVICE

	390 }

	391 policy {

	392 cookies_allowed: true

	393 cookies_store: "user"

	394 setting:

	395 "This feature cannot be disabled, but it is only activated if "

	396 "extensions are installed."

	397 chrome_policy {

	398 ExtensionInstallBlacklist {

	399 policy_options {mode: MANDATORY/RECOMMENDED/UNSET}

	400 ExtensionInstallBlacklist: '*'

	401 }

	402 }

	403 })");

377 url_fetcher_ = net::URLFetcher::Create(GetBackendUrl(), net::URLFetcher::POST,	404 url_fetcher_ = net::URLFetcher::Create(GetBackendUrl(), net::URLFetcher::POST,

378 delegate_.get());	405 delegate_.get(), traffic_annotation);

379 url_fetcher_->SetRequestContext(context_getter_);	406 url_fetcher_->SetRequestContext(context_getter_);

380	407

381 // The request protocol is JSON of the form:	408 // The request protocol is JSON of the form:

382 // {	409 // {

383 // "protocol_version": "1",	410 // "protocol_version": "1",

384 // "hash": "<base64-encoded hash value here>",	411 // "hash": "<base64-encoded hash value here>",

385 // "ids": [ "<id1>", "id2" ]	412 // "ids": [ "<id1>", "id2" ]

386 // }	413 // }

387 base::DictionaryValue dictionary;	414 base::DictionaryValue dictionary;

388 dictionary.SetInteger(kProtocolVersionKey, 1);	415 dictionary.SetInteger(kProtocolVersionKey, 1);

(...skipping 117 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
506 if (!verified)	533 if (!verified)

507 result.reset();	534 result.reset();

508 }	535 }

509	536

510 if (!callback_.is_null())	537 if (!callback_.is_null())

511 callback_.Run(std::move(result));	538 callback_.Run(std::move(result));

512 }	539 }

513	540

514	541

515 } // namespace extensions	542 } // namespace extensions

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »