Allowlist Imprivata in KeyPermissions and platformKeys

Grant permissions to the Imprivata login screen to use chrome.platformKeys and chrome.enterprise.platformkeys (_permission_features.json). The Imprivata in-session extension does not need to be added here since it already has access to them as a regular extension. The login screen also needs to be able to sign with the private key obtained from chrome.platformKeys.getKeyPairBySpki() multiple times. Thus we add an allowlist to SignTask (extension_platform_keys_service.cc) in order to approve multiple sign operations in the Imprivata login screen. The Imprivata in-session extension will be covered by the KeyPermissions user policy. Bug: 1073466, 1065112 Change-Id: Iaf9bb6f1522706b76406c43604097f74dbcf1326 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2193615 Commit-Queue: Maria Petrisor <mpetrisor@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Pavol Marko <pmarko@chromium.org> Reviewed-by: Alexander Hendrich <hendrich@chromium.org> Cr-Commit-Position: refs/heads/master@{#781299}

Allowlist Imprivata in KeyPermissions and platformKeys
Grant permissions to the Imprivata login screen to use chrome.platformKeys and chrome.enterprise.platformkeys (_permission_features.json). The Imprivata in-session extension does not need to be added here since it already has access to them as a regular extension. The login screen also needs to be able to sign with the private key obtained from chrome.platformKeys.getKeyPairBySpki() multiple times. Thus we add an allowlist to SignTask (extension_platform_keys_service.cc) in order to approve multiple sign operations in the Imprivata login screen. The Imprivata in-session extension will be covered by the KeyPermissions user policy. Bug: 1073466, 1065112 Change-Id: Iaf9bb6f1522706b76406c43604097f74dbcf1326 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2193615 Commit-Queue: Maria Petrisor <mpetrisor@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Pavol Marko <pmarko@chromium.org> Reviewed-by: Alexander Hendrich <hendrich@chromium.org> Cr-Commit-Position: refs/heads/master@{#781299}
7a4c0bbb · Maria Petrisor · Commit Bot · e42048fb · 7a4c0bbb · 7a4c0bbb
Commit 7a4c0bbb authored Jun 23, 2020 by Maria Petrisor Committed by Commit Bot Jun 23, 2020
6 changed files
--- a/chrome/browser/chromeos/platform_keys/extension_platform_keys_service.cc
+++ b/chrome/browser/chromeos/platform_keys/extension_platform_keys_service.cc
@@ -18,8 +18,15 @@
 #include "base/values.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/profiles/profile.h"
 #include "content/public/browser/browser_thread.h"
+#include "extensions/browser/extension_registry.h"
 #include "extensions/browser/state_store.h"
+#include "extensions/common/extension.h"
+#include "extensions/common/features/behavior_feature.h"
+#include "extensions/common/features/feature.h"
+#include "extensions/common/features/feature_provider.h"
 #include "net/cert/x509_certificate.h"

 using content::BrowserThread;
@@ -32,6 +39,24 @@ const char kErrorKeyNotAllowedForSigning[] =
    "This key is not allowed for signing. Either it was used for signing "
    "before or it was not correctly generated.";

+#if defined(OS_CHROMEOS)
+
+// Verify the allowlisted kKeyPermissionsInLoginScreen feature behaviors.
+bool IsExtensionAllowlisted(const extensions::Extension* extension) {
+  // Can be nullptr if the extension is uninstalled before the SignTask is
+  // completed.
+  if (!extension)
+    return false;
+
+  const extensions::Feature* key_permissions_in_login_screen =
+      extensions::FeatureProvider::GetBehaviorFeature(
+          extensions::behavior_feature::kKeyPermissionsInLoginScreen);
+
+  return key_permissions_in_login_screen->IsAvailableToExtension(extension)
+      .is_available();
+}
+#endif  // defined(OS_CHROMEOS)
+
 // Converts |token_ids| (string-based token identifiers used in the
 // platformKeys API) to a vector of KeyPermissions::KeyLocation. Currently only
 // accepts |kTokenIdUser| and |kTokenIdSystem| as |token_ids| elements.
@@ -290,8 +315,15 @@ class ExtensionPlatformKeysService::SignTask : public Task {
        return;
      case Step::SIGN_OR_ABORT: {
        next_step_ = Step::DONE;
+        const extensions::Extension* extension =
+            extensions::ExtensionRegistry::Get(service_->browser_context_)
+                ->GetExtensionById(extension_id_,
+                                   extensions::ExtensionRegistry::ENABLED);
        bool sign_granted = extension_permissions_->CanUseKeyForSigning(
-            public_key_spki_der_, key_locations_);
+                                public_key_spki_der_, key_locations_) ||
+                            (service_->IsUsingSigninProfile() &&
+                             IsExtensionAllowlisted(extension));
+
        if (sign_granted) {
          Sign();
        } else {
@@ -767,6 +799,11 @@ void ExtensionPlatformKeysService::GenerateECKey(
      token_id, named_curve, extension_id, callback, &key_permissions_, this));
 }

+bool ExtensionPlatformKeysService::IsUsingSigninProfile() {
+  return ProfileHelper::IsSigninProfile(
+      Profile::FromBrowserContext(browser_context_));
+}
+
 void ExtensionPlatformKeysService::SignDigest(
    const std::string& token_id,
    const std::string& data,

--- a/chrome/browser/chromeos/platform_keys/extension_platform_keys_service.h
+++ b/chrome/browser/chromeos/platform_keys/extension_platform_keys_service.h
@@ -117,6 +117,11 @@ class ExtensionPlatformKeysService : public KeyedService {
                     const std::string& extension_id,
                     const GenerateKeyCallback& callback);

+  // Gets the current profile using the BrowserContext object and returns
+  // whether the current profile is a sign in profile with
+  // ProfileHelper::IsSigninProfile.
+  bool IsUsingSigninProfile();
+
  // If signing was successful, |signature| will be contain the signature and
  // |error_message| will be empty. If it failed, |signature| will be empty and
  // |error_message| contain an error message.

--- a/chrome/common/extensions/api/_permission_features.json
+++ b/chrome/common/extensions/api/_permission_features.json
@@ -309,7 +309,28 @@
    "platforms": ["chromeos"],
    "extension_types": ["extension", "platform_app", "legacy_packaged_app"],
    "location": "policy"
-  }, {
+  },
+  {
+    "channel": "stable",
+    "extension_types": ["login_screen_extension"],
+    "location": "policy",
+    "platforms": ["chromeos"],
+    "whitelist": [
+      "E219EE36A3B40612FD2A8CD6937B03EF0C97D3FE", // Imprivata (login screen) crbug.com/1065112
+      "4DBFC1C52D6660DD90791976DF7FEF7B3D360509", // Imprivata (login screen) crbug.com/1065112
+      "CDA6A10BE50CE65C59B766D0CE6A27E8E0A1533F", // Imprivata (login screen) crbug.com/1065112
+      "D85454743B32D9F5ABF3E5F18DF78809F3A0ABD4", // Imprivata (login screen) crbug.com/1065112
+      "04569B963251EB28C0906099668D98EE65ECA2D8", // Imprivata (login screen) crbug.com/1065112
+      "7BF5B69C3ACA9E6ACA5C480661B8073EB9FA32A9", // Imprivata (login screen) crbug.com/1065112
+      "5F2EF8E9F7E975090278D6A0AD039860430C5684", // Imprivata (login screen) crbug.com/1065112
+      "97A4DC8AFC1FCF665C71B624A55675C297AB256C", // Imprivata (login screen) crbug.com/1065112
+      "A00EB72B456C374F1EA86C09833C7DBB6CD95CAE", // Imprivata (login screen) crbug.com/1065112
+      "51DDBADA37EF4D25AD03CB1BB6451799456FE183", // Imprivata (login screen) crbug.com/1065112
+      "DD97CAE4D8658003658140109BC119188A19A5B8", // Imprivata (login screen) crbug.com/1065112
+      "320857126E2180A5751AA384B7B7332A4964BD8C"  // Imprivata (login screen) crbug.com/1065112
+    ]
+  },
+  {
    "channel": "stable",
    "platforms": ["chromeos"],
    "extension_types": ["extension"],
@@ -712,11 +733,31 @@
    "extension_types": ["extension", "platform_app"],
    "location": "component"
  },
-  "platformKeys": {
+  "platformKeys": [{
    "channel": "stable",
    "platforms": ["chromeos"],
    "extension_types": ["extension", "platform_app"]
  },
+  {
+    "channel": "stable",
+    "extension_types": ["login_screen_extension"],
+    "location": "policy",
+    "platforms": ["chromeos"],
+    "whitelist": [
+      "E219EE36A3B40612FD2A8CD6937B03EF0C97D3FE", // Imprivata (login screen) crbug.com/1065112
+      "4DBFC1C52D6660DD90791976DF7FEF7B3D360509", // Imprivata (login screen) crbug.com/1065112
+      "CDA6A10BE50CE65C59B766D0CE6A27E8E0A1533F", // Imprivata (login screen) crbug.com/1065112
+      "D85454743B32D9F5ABF3E5F18DF78809F3A0ABD4", // Imprivata (login screen) crbug.com/1065112
+      "04569B963251EB28C0906099668D98EE65ECA2D8", // Imprivata (login screen) crbug.com/1065112
+      "7BF5B69C3ACA9E6ACA5C480661B8073EB9FA32A9", // Imprivata (login screen) crbug.com/1065112
+      "5F2EF8E9F7E975090278D6A0AD039860430C5684", // Imprivata (login screen) crbug.com/1065112
+      "97A4DC8AFC1FCF665C71B624A55675C297AB256C", // Imprivata (login screen) crbug.com/1065112
+      "A00EB72B456C374F1EA86C09833C7DBB6CD95CAE", // Imprivata (login screen) crbug.com/1065112
+      "51DDBADA37EF4D25AD03CB1BB6451799456FE183", // Imprivata (login screen) crbug.com/1065112
+      "DD97CAE4D8658003658140109BC119188A19A5B8", // Imprivata (login screen) crbug.com/1065112
+      "320857126E2180A5751AA384B7B7332A4964BD8C"  // Imprivata (login screen) crbug.com/1065112
+    ]
+  }],
  "plugin": {
    "channel": "stable",
    "extension_types": ["extension", "legacy_packaged_app"]

--- a/extensions/common/api/_behavior_features.json
+++ b/extensions/common/api/_behavior_features.json
@@ -119,5 +119,33 @@
  "allow_secondary_kiosk_app_enabled_on_launch": {
    "channel": "dev",
    "extension_types": ["platform_app"]
+  },
+  // Allowlist KeyPermissions for login screen extensions that cannot set the
+  // user policy (they don't have a user yet).
+  "key_permissions_in_login_screen": {
+    "channel": "stable",
+    "extension_types": ["login_screen_extension"],
+    "location": "policy",
+    "platforms": ["chromeos"],
+    "whitelist": [
+      // The Imprivata login extension should be able to sign more than once,
+      // see crbug.com/1073466. In it's authorization protocol, Imprivata needs
+      // to sign data in order to authorize requests to the server. We cannot
+      // apply the KeyPermissions policy to the Imprivata login screen since
+      // it's a User Policy, but we do need to be able to sign data on the login
+      // screen.
+      "E219EE36A3B40612FD2A8CD6937B03EF0C97D3FE", // Imprivata (login screen) crbug.com/1065112
+      "4DBFC1C52D6660DD90791976DF7FEF7B3D360509", // Imprivata (login screen) crbug.com/1065112
+      "CDA6A10BE50CE65C59B766D0CE6A27E8E0A1533F", // Imprivata (login screen) crbug.com/1065112
+      "D85454743B32D9F5ABF3E5F18DF78809F3A0ABD4", // Imprivata (login screen) crbug.com/1065112
+      "04569B963251EB28C0906099668D98EE65ECA2D8", // Imprivata (login screen) crbug.com/1065112
+      "7BF5B69C3ACA9E6ACA5C480661B8073EB9FA32A9", // Imprivata (login screen) crbug.com/1065112
+      "5F2EF8E9F7E975090278D6A0AD039860430C5684", // Imprivata (login screen) crbug.com/1065112
+      "97A4DC8AFC1FCF665C71B624A55675C297AB256C", // Imprivata (login screen) crbug.com/1065112
+      "A00EB72B456C374F1EA86C09833C7DBB6CD95CAE", // Imprivata (login screen) crbug.com/1065112
+      "51DDBADA37EF4D25AD03CB1BB6451799456FE183", // Imprivata (login screen) crbug.com/1065112
+      "DD97CAE4D8658003658140109BC119188A19A5B8", // Imprivata (login screen) crbug.com/1065112
+      "320857126E2180A5751AA384B7B7332A4964BD8C"  // Imprivata (login screen) crbug.com/1065112
+    ]
  }
 }
--- a/extensions/common/features/behavior_feature.cc
+++ b/extensions/common/features/behavior_feature.cc
@@ -22,6 +22,8 @@ const char kAllowDeprecatedAudioApi[] = "allow_deprecated_audio_api";
 const char kAllowSecondaryKioskAppEnabledOnLaunch[] =
    "allow_secondary_kiosk_app_enabled_on_launch";

+const char kKeyPermissionsInLoginScreen[] = "key_permissions_in_login_screen";
+
 }  // namespace behavior_feature

 }  // namespace extensions
--- a/extensions/common/features/behavior_feature.h
+++ b/extensions/common/features/behavior_feature.h
@@ -17,6 +17,7 @@ extern const char kAllowUsbDevicesPermissionInterfaceClass[];
 extern const char kSigninScreen[];
 extern const char kAllowDeprecatedAudioApi[];
 extern const char kAllowSecondaryKioskAppEnabledOnLaunch[];
+extern const char kKeyPermissionsInLoginScreen[];

 }  // namespace behavior_feature