1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/chromeos/platform_keys/key_permissions.h"
7 #include "base/base64.h"
9 #include "base/callback.h"
10 #include "base/logging.h"
11 #include "base/prefs/pref_service.h"
12 #include "base/prefs/scoped_user_pref_update.h"
13 #include "base/values.h"
14 #include "chrome/common/pref_names.h"
15 #include "components/policy/core/common/policy_map.h"
16 #include "components/policy/core/common/policy_namespace.h"
17 #include "components/policy/core/common/policy_service.h"
18 #include "components/pref_registry/pref_registry_syncable.h"
19 #include "extensions/browser/state_store.h"
20 #include "policy/policy_constants.h"
26 // The key at which platform key specific data is stored in each extension's
29 // From older versions of ChromeOS, this key can hold a list of base64 and
30 // DER-encoded SPKIs. A key can be used for signing at most once if it is part
33 // The current format of data that is written to the PlatformKeys field is a
34 // list of serialized KeyEntry objects:
36 // 'signOnce': bool, // if not present, defaults to false
37 // 'signUnlimited': bool // if not present, defaults to false
40 // Do not change this constant as clients will lose their existing state.
41 const char kStateStorePlatformKeys
[] = "PlatformKeys";
42 const char kStateStoreSPKI
[] = "SPKI";
43 const char kStateStoreSignOnce
[] = "signOnce";
44 const char kStateStoreSignUnlimited
[] = "signUnlimited";
46 // The profile pref prefs::kPlatformKeys stores a dictionary mapping from
47 // public key (base64 encoding of an DER-encoded SPKI) to key properties. The
48 // currently only key property is the key usage, which can either be undefined
49 // or "corporate". If a key is not present in the pref, the default for the key
50 // usage is undefined, which in particular means "not for corporate usage".
51 // E.g. the entry in the profile pref might look like:
52 // "platform_keys" : {
54 // "keyUsage" : "corporate"
57 // "keyUsage" : "corporate"
60 const char kPrefKeyUsage
[] = "keyUsage";
61 const char kPrefKeyUsageCorporate
[] = "corporate";
63 const char kPolicyAllowCorporateKeyUsage
[] = "allowCorporateKeyUsage";
67 struct KeyPermissions::PermissionsForExtension::KeyEntry
{
68 explicit KeyEntry(const std::string
& public_key_spki_der_b64
)
69 : spki_b64(public_key_spki_der_b64
) {}
71 // The base64-encoded DER of a X.509 Subject Public Key Info.
74 // True if the key can be used once for singing.
75 // This permission is granted if an extension generated a key using the
76 // enterprise.platformKeys API, so that it can build a certification request.
77 // After the first signing operation this permission will be revoked.
78 bool sign_once
= false;
80 // True if the key can be used for signing an unlimited number of times.
81 // This permission is granted by the user to allow the extension to use the
82 // key for signing through the enterprise.platformKeys or platformKeys API.
83 // This permission is granted until revoked by the user or the policy.
84 bool sign_unlimited
= false;
87 KeyPermissions::PermissionsForExtension::PermissionsForExtension(
88 const std::string
& extension_id
,
89 scoped_ptr
<base::Value
> state_store_value
,
90 PrefService
* profile_prefs
,
91 policy::PolicyService
* profile_policies
,
92 KeyPermissions
* key_permissions
)
93 : extension_id_(extension_id
),
94 profile_prefs_(profile_prefs
),
95 profile_policies_(profile_policies
),
96 key_permissions_(key_permissions
) {
97 DCHECK(profile_prefs_
);
98 DCHECK(profile_policies_
);
99 DCHECK(key_permissions_
);
100 if (state_store_value
)
101 KeyEntriesFromState(*state_store_value
);
104 KeyPermissions::PermissionsForExtension::~PermissionsForExtension() {
107 bool KeyPermissions::PermissionsForExtension::CanUseKeyForSigning(
108 const std::string
& public_key_spki_der
) {
109 std::string public_key_spki_der_b64
;
110 base::Base64Encode(public_key_spki_der
, &public_key_spki_der_b64
);
112 KeyEntry
* matching_entry
= GetStateStoreEntry(public_key_spki_der_b64
);
114 // In any case, we allow the generating extension to use the generated key a
115 // single time for signing arbitrary data. The reason is, that the extension
116 // usually has to sign a certification request containing the public key in
117 // order to obtain a certificate for the key.
118 // That means, once a certificate authority generated a certificate for the
119 // key, the generating extension doesn't have access to the key anymore,
120 // except if explicitly permitted by the administrator.
121 if (matching_entry
->sign_once
)
124 // Usage of corporate keys is solely determined by policy. The user must not
125 // circumvent this decision.
126 if (key_permissions_
->IsCorporateKey(public_key_spki_der_b64
))
127 return PolicyAllowsCorporateKeyUsage();
129 // Only permissions for keys that are not designated for corporate usage are
130 // determined by user decisions.
131 return matching_entry
->sign_unlimited
;
134 void KeyPermissions::PermissionsForExtension::SetKeyUsedForSigning(
135 const std::string
& public_key_spki_der
) {
136 std::string public_key_spki_der_b64
;
137 base::Base64Encode(public_key_spki_der
, &public_key_spki_der_b64
);
139 KeyEntry
* matching_entry
= GetStateStoreEntry(public_key_spki_der_b64
);
141 if (!matching_entry
->sign_once
) {
142 if (matching_entry
->sign_unlimited
)
143 VLOG(1) << "Key is already marked as not usable for signing, skipping.";
145 LOG(ERROR
) << "Key was not allowed for signing.";
149 matching_entry
->sign_once
= false;
153 void KeyPermissions::PermissionsForExtension::RegisterKeyForCorporateUsage(
154 const std::string
& public_key_spki_der
) {
155 std::string public_key_spki_der_b64
;
156 base::Base64Encode(public_key_spki_der
, &public_key_spki_der_b64
);
158 KeyEntry
* matching_entry
= GetStateStoreEntry(public_key_spki_der_b64
);
160 if (matching_entry
->sign_once
) {
161 VLOG(1) << "Key is already allowed for signing, skipping.";
165 matching_entry
->sign_once
= true;
168 DictionaryPrefUpdate
update(profile_prefs_
, prefs::kPlatformKeys
);
170 scoped_ptr
<base::DictionaryValue
> new_pref_entry(new base::DictionaryValue
);
171 new_pref_entry
->SetStringWithoutPathExpansion(kPrefKeyUsage
,
172 kPrefKeyUsageCorporate
);
174 update
->SetWithoutPathExpansion(public_key_spki_der_b64
,
175 new_pref_entry
.release());
178 void KeyPermissions::PermissionsForExtension::SetUserGrantedPermission(
179 const std::string
& public_key_spki_der
) {
180 if (!key_permissions_
->CanUserGrantPermissionFor(public_key_spki_der
)) {
181 LOG(WARNING
) << "Tried to grant permission for a key although prohibited "
182 "(either key is a corporate key or this account is "
187 std::string public_key_spki_der_b64
;
188 base::Base64Encode(public_key_spki_der
, &public_key_spki_der_b64
);
189 KeyEntry
* matching_entry
= GetStateStoreEntry(public_key_spki_der_b64
);
191 if (matching_entry
->sign_unlimited
) {
192 VLOG(1) << "Key is already allowed for signing, skipping.";
196 matching_entry
->sign_unlimited
= true;
200 bool KeyPermissions::PermissionsForExtension::PolicyAllowsCorporateKeyUsage()
202 const policy::PolicyMap
& policies
= profile_policies_
->GetPolicies(
203 policy::PolicyNamespace(policy::POLICY_DOMAIN_CHROME
, std::string()));
204 const base::Value
* policy_value
=
205 policies
.GetValue(policy::key::kKeyPermissions
);
209 const base::DictionaryValue
* key_permissions_map
= nullptr;
210 policy_value
->GetAsDictionary(&key_permissions_map
);
211 if (!key_permissions_map
) {
212 LOG(ERROR
) << "Expected policy to be a dictionary.";
216 const base::DictionaryValue
* key_permissions_for_ext
= nullptr;
217 key_permissions_map
->GetDictionaryWithoutPathExpansion(
218 extension_id_
, &key_permissions_for_ext
);
219 if (!key_permissions_for_ext
)
222 bool allow_corporate_key_usage
= false;
223 key_permissions_for_ext
->GetBooleanWithoutPathExpansion(
224 kPolicyAllowCorporateKeyUsage
, &allow_corporate_key_usage
);
226 VLOG_IF(allow_corporate_key_usage
, 2)
227 << "Policy allows usage of corporate keys by extension " << extension_id_
;
228 return allow_corporate_key_usage
;
231 void KeyPermissions::PermissionsForExtension::WriteToStateStore() {
232 key_permissions_
->SetPlatformKeysOfExtension(extension_id_
,
233 KeyEntriesToState());
236 void KeyPermissions::PermissionsForExtension::KeyEntriesFromState(
237 const base::Value
& state
) {
238 state_store_entries_
.clear();
240 const base::ListValue
* entries
= nullptr;
241 if (!state
.GetAsList(&entries
)) {
242 LOG(ERROR
) << "Found a state store of wrong type.";
245 for (const base::Value
* entry
: *entries
) {
247 LOG(ERROR
) << "Found invalid NULL entry in PlatformKeys state store.";
251 std::string spki_b64
;
252 const base::DictionaryValue
* dict_entry
= nullptr;
253 if (entry
->GetAsString(&spki_b64
)) {
254 // This handles the case that the store contained a plain list of base64
255 // and DER-encoded SPKIs from an older version of ChromeOS.
256 KeyEntry
new_entry(spki_b64
);
257 new_entry
.sign_once
= true;
258 state_store_entries_
.push_back(new_entry
);
259 } else if (entry
->GetAsDictionary(&dict_entry
)) {
260 dict_entry
->GetStringWithoutPathExpansion(kStateStoreSPKI
, &spki_b64
);
261 KeyEntry
new_entry(spki_b64
);
262 dict_entry
->GetBooleanWithoutPathExpansion(kStateStoreSignOnce
,
263 &new_entry
.sign_once
);
264 dict_entry
->GetBooleanWithoutPathExpansion(kStateStoreSignUnlimited
,
265 &new_entry
.sign_unlimited
);
266 state_store_entries_
.push_back(new_entry
);
268 LOG(ERROR
) << "Found invalid entry of type " << entry
->GetType()
269 << " in PlatformKeys state store.";
275 scoped_ptr
<base::Value
>
276 KeyPermissions::PermissionsForExtension::KeyEntriesToState() {
277 scoped_ptr
<base::ListValue
> new_state(new base::ListValue
);
278 for (const KeyEntry
& entry
: state_store_entries_
) {
279 // Drop entries that the extension doesn't have any permissions for anymore.
280 if (!entry
.sign_once
&& !entry
.sign_unlimited
)
283 scoped_ptr
<base::DictionaryValue
> new_entry(new base::DictionaryValue
);
284 new_entry
->SetStringWithoutPathExpansion(kStateStoreSPKI
, entry
.spki_b64
);
285 // Omit writing default values, namely |false|.
286 if (entry
.sign_once
) {
287 new_entry
->SetBooleanWithoutPathExpansion(kStateStoreSignOnce
,
290 if (entry
.sign_unlimited
) {
291 new_entry
->SetBooleanWithoutPathExpansion(kStateStoreSignUnlimited
,
292 entry
.sign_unlimited
);
294 new_state
->Append(new_entry
.release());
296 return new_state
.Pass();
299 KeyPermissions::PermissionsForExtension::KeyEntry
*
300 KeyPermissions::PermissionsForExtension::GetStateStoreEntry(
301 const std::string
& public_key_spki_der_b64
) {
302 for (KeyEntry
& entry
: state_store_entries_
) {
303 // For every ASN.1 value there is exactly one DER encoding, so it is fine to
304 // compare the DER (or its base64 encoding).
305 if (entry
.spki_b64
== public_key_spki_der_b64
)
309 state_store_entries_
.push_back(KeyEntry(public_key_spki_der_b64
));
310 return &state_store_entries_
.back();
313 KeyPermissions::KeyPermissions(bool profile_is_managed
,
314 PrefService
* profile_prefs
,
315 policy::PolicyService
* profile_policies
,
316 extensions::StateStore
* extensions_state_store
)
317 : profile_is_managed_(profile_is_managed
),
318 profile_prefs_(profile_prefs
),
319 profile_policies_(profile_policies
),
320 extensions_state_store_(extensions_state_store
),
321 weak_factory_(this) {
322 DCHECK(profile_prefs_
);
323 DCHECK(extensions_state_store_
);
324 DCHECK(!profile_is_managed_
|| profile_policies_
);
327 KeyPermissions::~KeyPermissions() {
330 void KeyPermissions::GetPermissionsForExtension(
331 const std::string
& extension_id
,
332 const PermissionsCallback
& callback
) {
333 extensions_state_store_
->GetExtensionValue(
334 extension_id
, kStateStorePlatformKeys
,
335 base::Bind(&KeyPermissions::CreatePermissionObjectAndPassToCallback
,
336 weak_factory_
.GetWeakPtr(), extension_id
, callback
));
339 bool KeyPermissions::CanUserGrantPermissionFor(
340 const std::string
& public_key_spki_der
) const {
341 // As keys cannot be tagged for non-corporate usage, the user can currently
342 // not grant any permissions if the profile is managed.
343 if (profile_is_managed_
)
346 std::string public_key_spki_der_b64
;
347 base::Base64Encode(public_key_spki_der
, &public_key_spki_der_b64
);
349 // If this profile is not managed but we find a corporate key, don't allow
350 // the user to grant permissions.
351 return !IsCorporateKey(public_key_spki_der_b64
);
354 bool KeyPermissions::IsCorporateKey(
355 const std::string
& public_key_spki_der_b64
) const {
356 const base::DictionaryValue
* prefs_entry
=
357 GetPrefsEntry(public_key_spki_der_b64
);
359 std::string key_usage
;
360 prefs_entry
->GetStringWithoutPathExpansion(kPrefKeyUsage
, &key_usage
);
361 return key_usage
== kPrefKeyUsageCorporate
;
366 void KeyPermissions::RegisterProfilePrefs(
367 user_prefs::PrefRegistrySyncable
* registry
) {
368 // For the format of the dictionary see the documentation at kPrefKeyUsage.
369 registry
->RegisterDictionaryPref(prefs::kPlatformKeys
);
372 void KeyPermissions::CreatePermissionObjectAndPassToCallback(
373 const std::string
& extension_id
,
374 const PermissionsCallback
& callback
,
375 scoped_ptr
<base::Value
> value
) {
376 callback
.Run(make_scoped_ptr(new PermissionsForExtension(
377 extension_id
, value
.Pass(), profile_prefs_
, profile_policies_
, this)));
380 void KeyPermissions::SetPlatformKeysOfExtension(const std::string
& extension_id
,
381 scoped_ptr
<base::Value
> value
) {
382 extensions_state_store_
->SetExtensionValue(
383 extension_id
, kStateStorePlatformKeys
, value
.Pass());
386 const base::DictionaryValue
* KeyPermissions::GetPrefsEntry(
387 const std::string
& public_key_spki_der_b64
) const {
388 const base::DictionaryValue
* platform_keys
=
389 profile_prefs_
->GetDictionary(prefs::kPlatformKeys
);
391 const base::DictionaryValue
* key_entry
= nullptr;
392 platform_keys
->GetDictionaryWithoutPathExpansion(public_key_spki_der_b64
,
397 } // namespace chromeos