Network traffic annotation added to install_signer.

chrome/browser/extensions/install_signer.cc

Index: chrome/browser/extensions/install_signer.cc
diff --git a/chrome/browser/extensions/install_signer.cc b/chrome/browser/extensions/install_signer.cc
index b73da46ffe22dff3db1697894c0b95d7ea2693c7..3a4d29103330c0a8a853437966a361a2f23b62cc 100644
--- a/chrome/browser/extensions/install_signer.cc
+++ b/chrome/browser/extensions/install_signer.cc
@@ -31,6 +31,7 @@
 #include "crypto/secure_hash.h"
 #include "crypto/sha2.h"
 #include "crypto/signature_verifier.h"
+#include "net/traffic_annotation/network_traffic_annotation.h"
 #include "net/url_request/url_fetcher.h"
 #include "net/url_request/url_fetcher_delegate.h"
 #include "net/url_request/url_request_context_getter.h"
@@ -374,8 +375,34 @@ void InstallSigner::GetSignature(const SignatureCallback& callback) {
                                      base::Unretained(this));
 
   delegate_.reset(new FetcherDelegate(closure));
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("extension_install_signer", R"(
+        semantics {
+          sender: "Extension Install Signer"
+          description: "Fetches the signatures for installed extensions."
+          trigger:
+            "Chrome detects an extension that requires installation "
+            "verification."
+          data:
+            "The ids of the extensions that need to be verified, as well as a "
+            "salted hash of the user's machine id."

[msramek, 2017/05/03 16:08:27]

If I'm reading the code correctly, we send RLZ if there is one (i.e. promotional
instance), and nothing otherwise?

How and when is the salt generated?

(To be clear, my questions are aimed at assessing the stability of this ID.)

[Devlin, 2017/05/08 15:19:02]

Yeah, the machine id comes from RLZ.  We don't send the raw machine id from RLZ,
but rather a hash of it + a salt.  The salt is generated right above this call
(line 361 of this patch set) through crypto::RandBytes(), which should be
strongly random.  By bundling the 25 (I think?) bit RLZ machine id with a 32-bit
random and hashing them in sha256, I think we have sufficient guarantees that
there's no way to determine the machine id, even a) by Google/the webstore or b)
between unrelated install signature calls (i.e., this id is intentionally
unstable).  This seems to only be included to verify the validity of the
response we receive.

[msramek, 2017/05/17 22:22:04]

Thanks, Devlin!

Ramin, then I would perhaps add that this is computed by the RLZ library,
included to verify the validity of the response, and emphasize that this is not
reversible (Devlin's points a) and b) ).

[Ramin Halavati, 2017/05/18 05:01:14]

Done.

+          destination: GOOGLE_OWNED_SERVICE
+        }
+        policy {
+          cookies_allowed: true
+          cookies_store: "user"
+          setting:
+            "This feature cannot be disabled, but it is only activated if "
+            "extensions are installed."
+          chrome_policy {
+            ExtensionInstallBlacklist {
+              policy_options {mode: MANDATORY/RECOMMENDED/UNSET}
+              ExtensionInstallBlacklist: '*'
+            }
+          }
+        })");
   url_fetcher_ = net::URLFetcher::Create(GetBackendUrl(), net::URLFetcher::POST,
-                                         delegate_.get());
+                                         delegate_.get(), traffic_annotation);
   url_fetcher_->SetRequestContext(context_getter_);
 
   // The request protocol is JSON of the form: