Record Code Signature of Downloaded DMG files

chrome/browser/safe_browsing/download_protection_service.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/safe_browsing/download_protection_service.h"
 
 #include <stddef.h>
 
 #include <memory>
 
@@ skipping 332 matching lines @@
       DownloadProtectionService* service,
       const scoped_refptr<SafeBrowsingDatabaseManager>& database_manager,
       BinaryFeatureExtractor* binary_feature_extractor)
       : item_(item),
         url_chain_(item->GetUrlChain()),
         referrer_url_(item->GetReferrerUrl()),
         tab_url_(item->GetTabUrl()),
         tab_referrer_url_(item->GetTabReferrerUrl()),
         archived_executable_(false),
         archive_is_valid_(ArchiveValid::UNSET),
+#if defined(OS_MACOSX)
+        disk_image_signature_length_(0),
+        disk_image_signature_(nullptr),
+#endif
         callback_(callback),
         service_(service),
         binary_feature_extractor_(binary_feature_extractor),
         database_manager_(database_manager),
         pingback_enabled_(service_->enabled()),
         finished_(false),
         type_(ClientDownloadRequest::WIN_EXECUTABLE),
         start_time_(base::TimeTicks::Now()),
         skipped_url_whitelist_(false),
         skipped_certificate_whitelist_(false),
@@ skipping 415 matching lines @@
     dmg_analyzer_->Start();
     dmg_analysis_start_time_ = base::TimeTicks::Now();
   }
 
   void OnDmgAnalysisFinished(const ArchiveAnalyzerResults& results) {
     DCHECK_CURRENTLY_ON(BrowserThread::UI);
     DCHECK_EQ(ClientDownloadRequest::MAC_EXECUTABLE, type_);
     if (!service_)
       return;
 
+#if defined(OS_MACOSX)
+    disk_image_signature_length_ = results.signature_blob.size();
+    if (disk_image_signature_length_ > 0) {
+      disk_image_signature_ =
+          std::unique_ptr<uint8_t[]>(new uint8_t[disk_image_signature_length_]);
+      memcpy(disk_image_signature_.get(), results.signature_blob.data(),
+             disk_image_signature_length_);
+    }
+#endif
+
     // Even if !results.success, some of the DMG may have been parsed.
     archive_is_valid_ =
         (results.success ? ArchiveValid::VALID : ArchiveValid::INVALID);
     archived_executable_ = results.has_executable;
     archived_binary_.CopyFrom(results.archived_binary);
     DVLOG(1) << "DMG analysis has finished for " << item_->GetFullPath().value()
              << ", has_executable=" << results.has_executable
              << ", success=" << results.success;
 
     int64_t uma_file_type = FileTypePolicies::GetInstance()->UmaValueForFile(
@@ skipping 231 matching lines @@
 
     ReferrerChainData* referrer_chain_data =
       static_cast<ReferrerChainData*>(
           item_->GetUserData(kDownloadReferrerChainDataKey));
     if (referrer_chain_data &&
         !referrer_chain_data->GetReferrerChain()->empty()) {
       request.mutable_referrer_chain()->Swap(
           referrer_chain_data->GetReferrerChain());
     }
 
+// TODO(mortonm): add UMA stats to keep track of % of DMG use new format
+#if defined(OS_MACOSX)
+    if (disk_image_signature_length_ > 0) {
+      request.set_udif_code_signature(disk_image_signature_.get(),
+                                      disk_image_signature_length_);
+    }
+#endif
+
     if (archive_is_valid_ != ArchiveValid::UNSET)
       request.set_archive_valid(archive_is_valid_ == ArchiveValid::VALID);
     request.mutable_signature()->CopyFrom(signature_info_);
     if (image_headers_)
       request.set_allocated_image_headers(image_headers_.release());
     if (archived_executable_)
       request.mutable_archived_binary()->Swap(&archived_binary_);
     if (!request.SerializeToString(&client_download_request_data_)) {
       FinishRequest(UNKNOWN, REASON_INVALID_REQUEST_PROTO);
       return;
@@ skipping 175 matching lines @@
   GURL referrer_url_;
   // URL chain of redirects leading to (but not including) |tab_url|.
   std::vector<GURL> tab_redirects_;
   // URL and referrer of the window the download was started from.
   GURL tab_url_;
   GURL tab_referrer_url_;
 
   bool archived_executable_;
   ArchiveValid archive_is_valid_;
 
+#if defined(OS_MACOSX)
+  uint64_t disk_image_signature_length_;
+  std::unique_ptr<uint8_t[]> disk_image_signature_;
+#endif
+
   ClientDownloadRequest_SignatureInfo signature_info_;
   std::unique_ptr<ClientDownloadRequest_ImageHeaders> image_headers_;
   google::protobuf::RepeatedPtrField<ClientDownloadRequest_ArchivedBinary>
       archived_binary_;
   CheckDownloadCallback callback_;
   // Will be NULL if the request has been canceled.
   DownloadProtectionService* service_;
   scoped_refptr<BinaryFeatureExtractor> binary_feature_extractor_;
   scoped_refptr<SafeBrowsingDatabaseManager> database_manager_;
   const bool pingback_enabled_;
@@ skipping 747 matching lines @@
           out_request->mutable_referrer_chain());
   UMA_HISTOGRAM_COUNTS_100(
       "SafeBrowsing.ReferrerURLChainSize.PPAPIDownloadAttribution",
       out_request->referrer_chain_size());
   UMA_HISTOGRAM_ENUMERATION(
       "SafeBrowsing.ReferrerAttributionResult.PPAPIDownloadAttribution", result,
       SafeBrowsingNavigationObserverManager::ATTRIBUTION_FAILURE_TYPE_MAX);
 }
 
 }  // namespace safe_browsing