chromium/src/third_party/blink/common/origin_trials/trial_token.cc - manifest_repos/chromium_src - Git at Google

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "third_party/blink/public/common/origin_trials/trial_token.h"

 #include "base/base64.h"
 #include "base/big_endian.h"
 #include "base/json/json_reader.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/optional.h"
 #include "base/strings/string_piece.h"
 #include "base/time/time.h"
 #include "base/values.h"
 #include "third_party/boringssl/src/include/openssl/curve25519.h"
 #include "url/gurl.h"
 #include "url/origin.h"

 namespace blink {

 namespace {

 // Token payloads can be at most 4KB in size, as a guard against trying to parse
 // excessively large tokens (see crbug.com/802377). The origin is the only part
 // of the payload that is user-supplied. The 4KB payload limit allows for the
 // origin to be ~3900 chars. In some cases, 2KB is suggested as the practical
 // limit for URLs, e.g.:
 // https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers
 // This means tokens can contain origins that are nearly twice as long as any
 // expected to be seen in the wild.
 const size_t kMaxPayloadSize = 4096;
 // Encoded tokens can be at most 6KB in size. Based on the 4KB payload limit,
 // this allows for the payload, signature, and other format bits, plus the
 // Base64 encoding overhead (~4/3 of the input).
 const size_t kMaxTokenSize = 6144;

 // Version is a 1-byte field at offset 0.
 const size_t kVersionOffset = 0;
 const size_t kVersionSize = 1;

 // These constants define the Version 2 field sizes and offsets.
 const size_t kSignatureOffset = kVersionOffset + kVersionSize;
 const size_t kSignatureSize = 64;
 const size_t kPayloadLengthOffset = kSignatureOffset + kSignatureSize;
 const size_t kPayloadLengthSize = 4;
 const size_t kPayloadOffset = kPayloadLengthOffset + kPayloadLengthSize;

 // Version 3 introduced support to match tokens against third party origins (see
 // design doc
 // https://docs.google.com/document/d/1xALH9W7rWmX0FpjudhDeS2TNTEOXuPn4Tlc9VmuPdHA
 // for more details).
 const uint8_t kVersion3 = 3;
 // Version 2 is also currently supported. Version 1 was
 // introduced in Chrome M50, and removed in M51. There were no experiments
 // enabled in the stable M50 release which would have used those tokens.
 const uint8_t kVersion2 = 2;

 const char* kUsageSubset = "subset";

 }  // namespace

 TrialToken::~TrialToken() = default;

 // static
 std::unique_ptr<TrialToken> TrialToken::From(
     base::StringPiece token_text,
     base::StringPiece public_key,
     OriginTrialTokenStatus* out_status) {
   DCHECK(out_status);
   std::string token_payload;
   std::string token_signature;
   uint8_t token_version;
   *out_status = Extract(token_text, public_key, &token_payload,
                         &token_signature, &token_version);
   if (*out_status != OriginTrialTokenStatus::kSuccess) {
     DVLOG(2) << "Malformed origin trial token found (unable to extract)";
     return nullptr;
   }
   std::unique_ptr<TrialToken> token = Parse(token_payload, token_version);
   if (token) {
     token->signature_ = token_signature;
     *out_status = OriginTrialTokenStatus::kSuccess;
   } else {
     DVLOG(2) << "Malformed origin trial token found (unable to parse)";
     *out_status = OriginTrialTokenStatus::kMalformed;
   }
   DVLOG(2) << "Valid origin trial token found for feature "
            << token->feature_name();
   return token;
 }

 OriginTrialTokenStatus TrialToken::IsValid(const url::Origin& origin,
                                            const base::Time& now) const {
   // The order of these checks is intentional. For example, will only report a
   // token as expired if it is valid for the origin.
   if (!ValidateOrigin(origin)) {
     DVLOG(2) << "Origin trial token from different origin";
     return OriginTrialTokenStatus::kWrongOrigin;
   }
   if (!ValidateDate(now)) {
     DVLOG(2) << "Origin trial token expired";
     return OriginTrialTokenStatus::kExpired;
   }
   return OriginTrialTokenStatus::kSuccess;
 }

 // static
 OriginTrialTokenStatus TrialToken::Extract(base::StringPiece token_text,
                                            base::StringPiece public_key,
                                            std::string* out_token_payload,
                                            std::string* out_token_signature,
                                            uint8_t* out_token_version) {
   if (token_text.empty()) {
     return OriginTrialTokenStatus::kMalformed;
   }

   // Protect against attempting to extract arbitrarily large tokens.
   // See crbug.com/802377.
   if (token_text.length() > kMaxTokenSize) {
     return OriginTrialTokenStatus::kMalformed;
   }

   // Token is base64-encoded; decode first.
   std::string token_contents;
   if (!base::Base64Decode(token_text, &token_contents)) {
     return OriginTrialTokenStatus::kMalformed;
   }

   // Only version 2 and 3 currently supported.
   if (token_contents.length() < (kVersionOffset + kVersionSize)) {
     return OriginTrialTokenStatus::kMalformed;
   }
   uint8_t version = token_contents[kVersionOffset];
   if (version != kVersion2 && version != kVersion3) {
     return OriginTrialTokenStatus::kWrongVersion;
   }

   // Token must be large enough to contain a version, signature, and payload
   // length.
   if (token_contents.length() < (kPayloadLengthOffset + kPayloadLengthSize)) {
     return OriginTrialTokenStatus::kMalformed;
   }

   // Extract the length of the signed data (Big-endian).
   uint32_t payload_length;
   base::ReadBigEndian(&(token_contents[kPayloadLengthOffset]), &payload_length);

   // Validate that the stated length matches the actual payload length.
   if (payload_length != token_contents.length() - kPayloadOffset) {
     return OriginTrialTokenStatus::kMalformed;
   }

   // Extract the version-specific contents of the token.
   const char* token_bytes = token_contents.data();
   base::StringPiece version_piece(token_bytes + kVersionOffset, kVersionSize);
   base::StringPiece signature(token_bytes + kSignatureOffset, kSignatureSize);
   base::StringPiece payload_piece(token_bytes + kPayloadLengthOffset,
                                   kPayloadLengthSize + payload_length);

   // The data which is covered by the signature is (version + length + payload).
   std::string signed_data =
       version_piece.as_string() + payload_piece.as_string();

   // Validate the signature on the data before proceeding.
   if (!TrialToken::ValidateSignature(signature, signed_data, public_key)) {
     return OriginTrialTokenStatus::kInvalidSignature;
   }

   // Return the payload and signature, as new strings.
   *out_token_version = version;
   *out_token_payload = token_contents.substr(kPayloadOffset, payload_length);
   *out_token_signature = signature.as_string();
   return OriginTrialTokenStatus::kSuccess;
 }

 // static
 std::unique_ptr<TrialToken> TrialToken::Parse(const std::string& token_payload,
                                               const uint8_t version) {
   // Protect against attempting to parse arbitrarily large tokens. This check is
   // required here because the fuzzer calls Parse() directly, bypassing the size
   // check in Extract().
   // See crbug.com/802377.
   if (token_payload.length() > kMaxPayloadSize) {
     return nullptr;
   }

   base::Optional<base::Value> datadict = base::JSONReader::Read(token_payload);
   if (!datadict || !datadict->is_dict()) {
     return nullptr;
   }

   // Ensure that the origin is a valid (non-opaque) origin URL.
   std::string* origin_string = datadict->FindStringKey("origin");
   if (!origin_string) {
     return nullptr;
   }
   url::Origin origin = url::Origin::Create(GURL(*origin_string));
   if (origin.opaque()) {
     return nullptr;
   }

   // The |isSubdomain| flag is optional. If found, ensure it is a valid boolean.
   bool is_subdomain = false;
   base::Value* is_subdomain_value = datadict->FindKey("isSubdomain");
   if (is_subdomain_value) {
     if (!is_subdomain_value->is_bool()) {
       return nullptr;
     }
     is_subdomain = is_subdomain_value->GetBool();
   }

   // Ensure that the feature name is a valid string.
   std::string* feature_name = datadict->FindStringKey("feature");
   if (!feature_name || feature_name->empty()) {
     return nullptr;
   }

   // Ensure that the expiry timestamp is a valid (positive) integer.
   int expiry_timestamp = datadict->FindIntKey("expiry").value_or(0);
   if (expiry_timestamp <= 0) {
     return nullptr;
   }

   // Initialize optional version 3 fields to default values.
   bool is_third_party = false;
   UsageRestriction usage = UsageRestriction::kNone;

   if (version == kVersion3) {
     // The |isThirdParty| flag is optional. If found, ensure it is a valid
     // boolean.
     base::Value* is_third_party_value = datadict->FindKey("isThirdParty");
     if (is_third_party_value) {
       if (!is_third_party_value->is_bool()) {
         return nullptr;
       }
       is_third_party = is_third_party_value->GetBool();
     }

     // The |usage| field is optional. If found, ensure its value is either empty
     // or "subset".
     std::string* usage_value = datadict->FindStringKey("usage");
     if (usage_value) {
       if (usage_value->empty()) {
         usage = UsageRestriction::kNone;
       } else if (*usage_value == kUsageSubset) {
         usage = UsageRestriction::kSubset;
       } else {
         return nullptr;
       }
     }
   }

   return base::WrapUnique(new TrialToken(origin, is_subdomain, *feature_name,
                                          expiry_timestamp, is_third_party,
                                          usage));
 }

 bool TrialToken::ValidateOrigin(const url::Origin& origin) const {
   if (match_subdomains_) {
     return origin.scheme() == origin_.scheme() &&
            origin.DomainIs(origin_.host()) && origin.port() == origin_.port();
   }
   return origin == origin_;
 }

 bool TrialToken::ValidateFeatureName(base::StringPiece feature_name) const {
   return feature_name == feature_name_;
 }

 bool TrialToken::ValidateDate(const base::Time& now) const {
   return expiry_time_ > now;
 }

 // static
 bool TrialToken::ValidateSignature(base::StringPiece signature,
                                    const std::string& data,
                                    base::StringPiece public_key) {
   // Public key must be 32 bytes long for Ed25519.
   CHECK_EQ(public_key.length(), 32UL);

   // Signature must be 64 bytes long.
   if (signature.length() != 64) {
     return false;
   }

   int result = ED25519_verify(
       reinterpret_cast<const uint8_t*>(data.data()), data.length(),
       reinterpret_cast<const uint8_t*>(signature.data()),
       reinterpret_cast<const uint8_t*>(public_key.data()));
   return (result != 0);
 }

 TrialToken::TrialToken(const url::Origin& origin,
                        bool match_subdomains,
                        const std::string& feature_name,
                        uint64_t expiry_timestamp,
                        bool is_third_party,
                        UsageRestriction usage_restriction)
     : origin_(origin),
       match_subdomains_(match_subdomains),
       feature_name_(feature_name),
       expiry_time_(base::Time::FromDoubleT(expiry_timestamp)),
       is_third_party_(is_third_party),
       usage_restriction_(usage_restriction) {}

 }  // namespace blink
	// Copyright 2015 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "third_party/blink/public/common/origin_trials/trial_token.h"

	#include "base/base64.h"
	#include "base/big_endian.h"
	#include "base/json/json_reader.h"
	#include "base/logging.h"
	#include "base/macros.h"
	#include "base/memory/ptr_util.h"
	#include "base/optional.h"
	#include "base/strings/string_piece.h"
	#include "base/time/time.h"
	#include "base/values.h"
	#include "third_party/boringssl/src/include/openssl/curve25519.h"
	#include "url/gurl.h"
	#include "url/origin.h"

	namespace blink {

	namespace {

	// Token payloads can be at most 4KB in size, as a guard against trying to parse
	// excessively large tokens (see crbug.com/802377). The origin is the only part
	// of the payload that is user-supplied. The 4KB payload limit allows for the
	// origin to be ~3900 chars. In some cases, 2KB is suggested as the practical
	// limit for URLs, e.g.:
	// https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers
	// This means tokens can contain origins that are nearly twice as long as any
	// expected to be seen in the wild.
	const size_t kMaxPayloadSize = 4096;
	// Encoded tokens can be at most 6KB in size. Based on the 4KB payload limit,
	// this allows for the payload, signature, and other format bits, plus the
	// Base64 encoding overhead (~4/3 of the input).
	const size_t kMaxTokenSize = 6144;

	// Version is a 1-byte field at offset 0.
	const size_t kVersionOffset = 0;
	const size_t kVersionSize = 1;

	// These constants define the Version 2 field sizes and offsets.
	const size_t kSignatureOffset = kVersionOffset + kVersionSize;
	const size_t kSignatureSize = 64;
	const size_t kPayloadLengthOffset = kSignatureOffset + kSignatureSize;
	const size_t kPayloadLengthSize = 4;
	const size_t kPayloadOffset = kPayloadLengthOffset + kPayloadLengthSize;

	// Version 3 introduced support to match tokens against third party origins (see
	// design doc
	// https://docs.google.com/document/d/1xALH9W7rWmX0FpjudhDeS2TNTEOXuPn4Tlc9VmuPdHA
	// for more details).
	const uint8_t kVersion3 = 3;
	// Version 2 is also currently supported. Version 1 was
	// introduced in Chrome M50, and removed in M51. There were no experiments
	// enabled in the stable M50 release which would have used those tokens.
	const uint8_t kVersion2 = 2;

	const char* kUsageSubset = "subset";

	} // namespace

	TrialToken::~TrialToken() = default;

	// static
	std::unique_ptr<TrialToken> TrialToken::From(
	base::StringPiece token_text,
	base::StringPiece public_key,
	OriginTrialTokenStatus* out_status) {
	DCHECK(out_status);
	std::string token_payload;
	std::string token_signature;
	uint8_t token_version;
	*out_status = Extract(token_text, public_key, &token_payload,
	&token_signature, &token_version);
	if (*out_status != OriginTrialTokenStatus::kSuccess) {
	DVLOG(2) << "Malformed origin trial token found (unable to extract)";
	return nullptr;
	}
	std::unique_ptr<TrialToken> token = Parse(token_payload, token_version);
	if (token) {
	token->signature_ = token_signature;
	*out_status = OriginTrialTokenStatus::kSuccess;
	} else {
	DVLOG(2) << "Malformed origin trial token found (unable to parse)";
	*out_status = OriginTrialTokenStatus::kMalformed;
	}
	DVLOG(2) << "Valid origin trial token found for feature "
	<< token->feature_name();
	return token;
	}

	OriginTrialTokenStatus TrialToken::IsValid(const url::Origin& origin,
	const base::Time& now) const {
	// The order of these checks is intentional. For example, will only report a
	// token as expired if it is valid for the origin.
	if (!ValidateOrigin(origin)) {
	DVLOG(2) << "Origin trial token from different origin";
	return OriginTrialTokenStatus::kWrongOrigin;
	}
	if (!ValidateDate(now)) {
	DVLOG(2) << "Origin trial token expired";
	return OriginTrialTokenStatus::kExpired;
	}
	return OriginTrialTokenStatus::kSuccess;
	}

	// static
	OriginTrialTokenStatus TrialToken::Extract(base::StringPiece token_text,
	base::StringPiece public_key,
	std::string* out_token_payload,
	std::string* out_token_signature,
	uint8_t* out_token_version) {
	if (token_text.empty()) {
	return OriginTrialTokenStatus::kMalformed;
	}

	// Protect against attempting to extract arbitrarily large tokens.
	// See crbug.com/802377.
	if (token_text.length() > kMaxTokenSize) {
	return OriginTrialTokenStatus::kMalformed;
	}

	// Token is base64-encoded; decode first.
	std::string token_contents;
	if (!base::Base64Decode(token_text, &token_contents)) {
	return OriginTrialTokenStatus::kMalformed;
	}

	// Only version 2 and 3 currently supported.
	if (token_contents.length() < (kVersionOffset + kVersionSize)) {
	return OriginTrialTokenStatus::kMalformed;
	}
	uint8_t version = token_contents[kVersionOffset];
	if (version != kVersion2 && version != kVersion3) {
	return OriginTrialTokenStatus::kWrongVersion;
	}

	// Token must be large enough to contain a version, signature, and payload
	// length.
	if (token_contents.length() < (kPayloadLengthOffset + kPayloadLengthSize)) {
	return OriginTrialTokenStatus::kMalformed;
	}

	// Extract the length of the signed data (Big-endian).
	uint32_t payload_length;
	base::ReadBigEndian(&(token_contents[kPayloadLengthOffset]), &payload_length);

	// Validate that the stated length matches the actual payload length.
	if (payload_length != token_contents.length() - kPayloadOffset) {
	return OriginTrialTokenStatus::kMalformed;
	}

	// Extract the version-specific contents of the token.
	const char* token_bytes = token_contents.data();
	base::StringPiece version_piece(token_bytes + kVersionOffset, kVersionSize);
	base::StringPiece signature(token_bytes + kSignatureOffset, kSignatureSize);
	base::StringPiece payload_piece(token_bytes + kPayloadLengthOffset,
	kPayloadLengthSize + payload_length);

	// The data which is covered by the signature is (version + length + payload).
	std::string signed_data =
	version_piece.as_string() + payload_piece.as_string();

	// Validate the signature on the data before proceeding.
	if (!TrialToken::ValidateSignature(signature, signed_data, public_key)) {
	return OriginTrialTokenStatus::kInvalidSignature;
	}

	// Return the payload and signature, as new strings.
	*out_token_version = version;
	*out_token_payload = token_contents.substr(kPayloadOffset, payload_length);
	*out_token_signature = signature.as_string();
	return OriginTrialTokenStatus::kSuccess;
	}

	// static
	std::unique_ptr<TrialToken> TrialToken::Parse(const std::string& token_payload,
	const uint8_t version) {
	// Protect against attempting to parse arbitrarily large tokens. This check is
	// required here because the fuzzer calls Parse() directly, bypassing the size
	// check in Extract().
	// See crbug.com/802377.
	if (token_payload.length() > kMaxPayloadSize) {
	return nullptr;
	}

	base::Optional<base::Value> datadict = base::JSONReader::Read(token_payload);
	if (!datadict \|\| !datadict->is_dict()) {
	return nullptr;
	}

	// Ensure that the origin is a valid (non-opaque) origin URL.
	std::string* origin_string = datadict->FindStringKey("origin");
	if (!origin_string) {
	return nullptr;
	}
	url::Origin origin = url::Origin::Create(GURL(*origin_string));
	if (origin.opaque()) {
	return nullptr;
	}

	// The \|isSubdomain\| flag is optional. If found, ensure it is a valid boolean.
	bool is_subdomain = false;
	base::Value* is_subdomain_value = datadict->FindKey("isSubdomain");
	if (is_subdomain_value) {
	if (!is_subdomain_value->is_bool()) {
	return nullptr;
	}
	is_subdomain = is_subdomain_value->GetBool();
	}

	// Ensure that the feature name is a valid string.
	std::string* feature_name = datadict->FindStringKey("feature");
	if (!feature_name \|\| feature_name->empty()) {
	return nullptr;
	}

	// Ensure that the expiry timestamp is a valid (positive) integer.
	int expiry_timestamp = datadict->FindIntKey("expiry").value_or(0);
	if (expiry_timestamp <= 0) {
	return nullptr;
	}

	// Initialize optional version 3 fields to default values.
	bool is_third_party = false;
	UsageRestriction usage = UsageRestriction::kNone;

	if (version == kVersion3) {
	// The \|isThirdParty\| flag is optional. If found, ensure it is a valid
	// boolean.
	base::Value* is_third_party_value = datadict->FindKey("isThirdParty");
	if (is_third_party_value) {
	if (!is_third_party_value->is_bool()) {
	return nullptr;
	}
	is_third_party = is_third_party_value->GetBool();
	}

	// The \|usage\| field is optional. If found, ensure its value is either empty
	// or "subset".
	std::string* usage_value = datadict->FindStringKey("usage");
	if (usage_value) {
	if (usage_value->empty()) {
	usage = UsageRestriction::kNone;
	} else if (*usage_value == kUsageSubset) {
	usage = UsageRestriction::kSubset;
	} else {
	return nullptr;
	}
	}
	}

	return base::WrapUnique(new TrialToken(origin, is_subdomain, *feature_name,
	expiry_timestamp, is_third_party,
	usage));
	}

	bool TrialToken::ValidateOrigin(const url::Origin& origin) const {
	if (match_subdomains_) {
	return origin.scheme() == origin_.scheme() &&
	origin.DomainIs(origin_.host()) && origin.port() == origin_.port();
	}
	return origin == origin_;
	}

	bool TrialToken::ValidateFeatureName(base::StringPiece feature_name) const {
	return feature_name == feature_name_;
	}

	bool TrialToken::ValidateDate(const base::Time& now) const {
	return expiry_time_ > now;
	}

	// static
	bool TrialToken::ValidateSignature(base::StringPiece signature,
	const std::string& data,
	base::StringPiece public_key) {
	// Public key must be 32 bytes long for Ed25519.
	CHECK_EQ(public_key.length(), 32UL);

	// Signature must be 64 bytes long.
	if (signature.length() != 64) {
	return false;
	}

	int result = ED25519_verify(
	reinterpret_cast<const uint8_t*>(data.data()), data.length(),
	reinterpret_cast<const uint8_t*>(signature.data()),
	reinterpret_cast<const uint8_t*>(public_key.data()));
	return (result != 0);
	}

	TrialToken::TrialToken(const url::Origin& origin,
	bool match_subdomains,
	const std::string& feature_name,
	uint64_t expiry_timestamp,
	bool is_third_party,
	UsageRestriction usage_restriction)
	: origin_(origin),
	match_subdomains_(match_subdomains),
	feature_name_(feature_name),
	expiry_time_(base::Time::FromDoubleT(expiry_timestamp)),
	is_third_party_(is_third_party),
	usage_restriction_(usage_restriction) {}

	} // namespace blink