blob: 4a415109af3cdfd22762ff4bd2b440be4b4be896 [file] [log] [blame] [edit]
// Copyright 2019 The Cobalt Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "cobalt/browser/device_authentication.h"
#include <algorithm>
#include <map>
#include "base/base64.h"
#include "base/base64url.h"
#include "base/logging.h"
#include "base/time/time.h"
#include "crypto/hmac.h"
#include "net/base/escape.h"
#include "starboard/system.h"
namespace cobalt {
namespace browser {
#if SB_API_VERSION >= 11
namespace {
constexpr size_t kSHA256DigestSize = 32;
bool ComputeSignatureWithSystemPropertySecret(const std::string& message,
uint8_t* signature) {
const size_t kBase64EncodedCertificationSecretLength = 1023;
char base_64_secret_property[kBase64EncodedCertificationSecretLength + 1] = {
0};
bool result = SbSystemGetProperty(
kSbSystemPropertyBase64EncodedCertificationSecret,
base_64_secret_property, kBase64EncodedCertificationSecretLength);
if (!result) {
return false;
}
ComputeHMACSHA256SignatureWithProvidedKey(message, base_64_secret_property,
signature, kSHA256DigestSize);
return true;
}
bool ComputeSignatureFromSignAPI(const std::string& message,
uint8_t* signature) {
return SbSystemSignWithCertificationSecretKey(
reinterpret_cast<const uint8_t*>(message.data()), message.size(),
signature, kSHA256DigestSize);
}
// Check to see if we can query the platform for the secret key. If so,
// go ahead and use it to sign the message, otherwise try to use the
// SbSystemSignWithCertificationSecretKey() method to sign the message. If
// both methods fail, return an empty string.
std::string ComputeBase64Signature(const std::string& message) {
uint8_t signature[kSHA256DigestSize];
if (ComputeSignatureFromSignAPI(message, signature)) {
DLOG(INFO) << "Using certification signature provided by "
<< "SbSystemSignWithCertificationSecretKey().";
} else if (ComputeSignatureWithSystemPropertySecret(message, signature)) {
DLOG(INFO) << "Using certification key from SbSystemGetProperty().";
} else {
return std::string();
}
std::string base_64_url_signature;
base::Base64UrlEncode(std::string(signature, signature + kSHA256DigestSize),
base::Base64UrlEncodePolicy::OMIT_PADDING,
&base_64_url_signature);
return base_64_url_signature;
}
std::string NumberToFourByteString(size_t n) {
std::string str;
str += static_cast<char>(((n & 0xff000000) >> 24));
str += static_cast<char>(((n & 0x00ff0000) >> 16));
str += static_cast<char>(((n & 0x0000ff00) >> 8));
str += static_cast<char>((n & 0x000000ff));
return str;
}
// Used by ComputeMessage() to create a message component as a string.
std::string BuildMessageFragment(const std::string& key,
const std::string& value) {
std::string msg_fragment = NumberToFourByteString(key.length()) + key +
NumberToFourByteString(value.length()) + value;
return msg_fragment;
}
// Returns the certification scope provided by the platform to use with device
// authentication.
std::string GetCertScopeFromPlatform() {
// Get cert_scope and base_64_secret
const size_t kCertificationScopeLength = 1023;
char cert_scope_property[kCertificationScopeLength + 1] = {0};
bool result =
SbSystemGetProperty(kSbSystemPropertyCertificationScope,
cert_scope_property, kCertificationScopeLength);
if (!result) {
DLOG(ERROR) << "Unable to get kSbSystemPropertyCertificationScope";
return std::string();
}
return cert_scope_property;
}
// Returns the start time provided by the platform for use with device
// authentication.
std::string GetStartTime() {
return std::to_string(static_cast<int64_t>(base::Time::Now().ToDoubleT()));
}
} // namespace
std::string GetDeviceAuthenticationSignedURLQueryString() {
std::string cert_scope = GetCertScopeFromPlatform();
if (cert_scope.empty()) {
LOG(WARNING) << "Error retrieving certification scope required for "
<< "device authentication.";
return std::string();
}
std::string start_time = GetStartTime();
CHECK(!start_time.empty());
std::string base64_signature =
ComputeBase64Signature(ComputeMessage(cert_scope, start_time));
return GetDeviceAuthenticationSignedURLQueryStringFromComponents(
cert_scope, start_time, base64_signature);
}
std::string GetDeviceAuthenticationSignedURLQueryStringFromComponents(
const std::string& cert_scope, const std::string& start_time,
const std::string& base64_signature) {
CHECK(!cert_scope.empty());
CHECK(!start_time.empty());
if (base64_signature.empty()) {
return std::string();
}
std::map<std::string, std::string> signed_query_components;
signed_query_components["cert_scope"] = cert_scope;
signed_query_components["start_time"] = start_time;
signed_query_components["sig"] = base64_signature;
std::string query;
for (const auto& query_component : signed_query_components) {
const std::string& key = query_component.first;
const std::string& value = query_component.second;
if (!query.empty()) query += "&";
query += net::EscapeQueryParamValue(key, true);
if (!value.empty()) {
query += "=" + net::EscapeQueryParamValue(value, true);
}
}
return query;
}
// Combine multiple message components into a string that will be used as the
// message that we will sign.
std::string ComputeMessage(const std::string& cert_scope,
const std::string& start_time) {
// Build message from cert_scope and start_time.
return BuildMessageFragment("cert_scope", cert_scope) +
BuildMessageFragment("start_time", start_time);
}
void ComputeHMACSHA256SignatureWithProvidedKey(const std::string& message,
const std::string& base64_key,
uint8_t* signature,
size_t signature_size_in_bytes) {
CHECK_GE(signature_size_in_bytes, 32U);
std::string key;
base::Base64Decode(base64_key, &key);
// Generate signature from message using HMAC-SHA256.
crypto::HMAC hmac(crypto::HMAC::SHA256);
if (!hmac.Init(key)) {
DLOG(ERROR) << "Unable to initialize HMAC-SHA256.";
}
if (!hmac.Sign(message, signature, signature_size_in_bytes)) {
DLOG(ERROR) << "Unable to sign HMAC-SHA256.";
}
}
#endif // SB_API_VERSION >= 11
} // namespace browser
} // namespace cobalt