Activate signature verification in client.

Signature is now mandatory in client when encryption is enabled. Bug: b:170054326 Change-Id: I1b884b5b39d326446c24794c10cab1ced443312d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2615662 Commit-Queue: Leonid Baraz <lbaraz@chromium.org> Reviewed-by: Zach Trudo <zatrudo@google.com> Cr-Commit-Position: refs/heads/master@{#841378}

Activate signature verification in client.
Signature is now mandatory in client when encryption is enabled. Bug: b:170054326 Change-Id: I1b884b5b39d326446c24794c10cab1ced443312d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2615662 Commit-Queue: Leonid Baraz <lbaraz@chromium.org> Reviewed-by: Zach Trudo <zatrudo@google.com> Cr-Commit-Position: refs/heads/master@{#841378}
ccbe5c4d · Leonid Baraz · Chromium LUCI CQ · 2355161c · ccbe5c4d · ccbe5c4d
Commit ccbe5c4d authored Jan 08, 2021 by Leonid Baraz Committed by Chromium LUCI CQ Jan 08, 2021
3 changed files
--- a/chrome/browser/policy/messaging_layer/upload/record_handler_impl.cc
+++ b/chrome/browser/policy/messaging_layer/upload/record_handler_impl.cc
@@ -257,17 +257,14 @@ void RecordHandlerImpl::ReportUploader::HandleSuccessfulUpload() {
        signed_encryption_key_record->FindStringKey("publicKey");
    const auto public_key_id_result =
        signed_encryption_key_record->FindIntKey("publicKeyId");
-    // TODO(b/170054326): Make signature mandatory too.
-    // const std::string* public_key_signature_str =
-    //     signed_encryption_key_record->FindStringKey("publicKeySignature");
+    const std::string* public_key_signature_str =
+        signed_encryption_key_record->FindStringKey("publicKeySignature");
    std::string public_key;
    std::string public_key_signature;
    if (public_key_str != nullptr &&
        base::Base64Decode(*public_key_str, &public_key) &&
-        // TODO(b/170054326): Make signature mandatory too.
-        // public_key_signature_str != nullptr
-        // base::Base64Decode(*public_key_signature_str,
-        //                    &public_key_signature) &&
+        public_key_signature_str != nullptr &&
+        base::Base64Decode(*public_key_signature_str, &public_key_signature) &&
        public_key_id_result.has_value()) {
      SignedEncryptionInfo signed_encryption_key;
      signed_encryption_key.set_public_asymmetric_key(public_key);

--- a/chrome/browser/policy/messaging_layer/upload/record_handler_impl_unittest.cc
+++ b/chrome/browser/policy/messaging_layer/upload/record_handler_impl_unittest.cc
@@ -28,9 +28,13 @@
 #include "testing/gtest/include/gtest/gtest.h"

 using ::testing::_;
+using ::testing::AllOf;
 using ::testing::Eq;
+using ::testing::Gt;
 using ::testing::Invoke;
+using ::testing::IsEmpty;
 using ::testing::MockFunction;
+using ::testing::Not;
 using ::testing::Property;
 using ::testing::Return;
 using ::testing::StrictMock;
@@ -132,7 +136,6 @@ base::Optional<base::Value> BuildEncryptionSettingsFromRequest(
  encryption_settings.SetStringKey("publicKey", public_key);
  encryption_settings.SetIntKey("publicKeyId", 12345);
  std::string public_key_signature;
-  // TODO(b/170054326): Generate signature.
  base::Base64Encode("PUBLIC KEY SIG", &public_key_signature);
  encryption_settings.SetStringKey("publicKeySignature", public_key_signature);
  return encryption_settings;
@@ -249,7 +252,12 @@ TEST_P(RecordHandlerImplTest, ForwardsRecordsToCloudPolicyClient) {
  StrictMock<TestCompletionResponder> responder;
  TestCallbackWaiter responder_waiter;

-  EXPECT_CALL(encryption_key_attached, Call(_))
+  EXPECT_CALL(
+      encryption_key_attached,
+      Call(AllOf(Property(&SignedEncryptionInfo::public_asymmetric_key,
+                          Not(IsEmpty())),
+                 Property(&SignedEncryptionInfo::public_key_id, Gt(0)),
+                 Property(&SignedEncryptionInfo::signature, Not(IsEmpty())))))
      .Times(need_encryption_key() ? 1 : 0);

  EXPECT_CALL(
@@ -313,7 +321,12 @@ TEST_P(RecordHandlerImplTest, ReportsEarlyFailure) {
      .WillOnce(Invoke([&responder_waiter]() { responder_waiter.Signal(); }));

  StrictMock<TestEncryptionKeyAttached> encryption_key_attached;
-  EXPECT_CALL(encryption_key_attached, Call(_))
+  EXPECT_CALL(
+      encryption_key_attached,
+      Call(AllOf(Property(&SignedEncryptionInfo::public_asymmetric_key,
+                          Not(IsEmpty())),
+                 Property(&SignedEncryptionInfo::public_key_id, Gt(0)),
+                 Property(&SignedEncryptionInfo::signature, Not(IsEmpty())))))
      .Times(need_encryption_key() ? 1 : 0);

  auto encryption_key_attached_callback =
@@ -389,7 +402,12 @@ TEST_P(RecordHandlerImplTest, UploadsGapRecordOnServerFailure) {
      .WillOnce(Invoke([&responder_waiter]() { responder_waiter.Signal(); }));

  StrictMock<TestEncryptionKeyAttached> encryption_key_attached;
-  EXPECT_CALL(encryption_key_attached, Call(_))
+  EXPECT_CALL(
+      encryption_key_attached,
+      Call(AllOf(Property(&SignedEncryptionInfo::public_asymmetric_key,
+                          Not(IsEmpty())),
+                 Property(&SignedEncryptionInfo::public_key_id, Gt(0)),
+                 Property(&SignedEncryptionInfo::signature, Not(IsEmpty())))))
      .Times(need_encryption_key() ? 1 : 0);
  auto encryption_key_attached_callback =
      base::BindRepeating(&TestEncryptionKeyAttached::Call,

--- a/chrome/browser/policy/messaging_layer/upload/upload_client_unittest.cc
+++ b/chrome/browser/policy/messaging_layer/upload/upload_client_unittest.cc
@@ -33,9 +33,14 @@ namespace {

 using ::policy::MockCloudPolicyClient;
 using ::testing::_;
+using ::testing::AllOf;
+using ::testing::Gt;
 using ::testing::Invoke;
 using ::testing::InvokeArgument;
+using ::testing::IsEmpty;
 using ::testing::MockFunction;
+using ::testing::Not;
+using ::testing::Property;
 using ::testing::StrictMock;
 using ::testing::WithArgs;

@@ -154,7 +159,6 @@ base::Value ValueFromSucceededSequencingInfo(
    encryption_settings.SetStringKey("publicKey", public_key);
    encryption_settings.SetIntKey("publicKeyId", 12345);
    std::string public_key_signature;
-    // TODO(b/170054326): Generate signature.
    base::Base64Encode("PUBLIC KEY SIG", &public_key_signature);
    encryption_settings.SetStringKey("publicKeySignature",
                                     public_key_signature);
@@ -240,7 +244,12 @@ TEST_P(UploadClientTest, CreateUploadClientAndUploadRecords) {
  TestCallbackWaiterWithCounter waiter(kExpectedCallTimes);

  StrictMock<TestEncryptionKeyAttached> encryption_key_attached;
-  EXPECT_CALL(encryption_key_attached, Call(_))
+  EXPECT_CALL(
+      encryption_key_attached,
+      Call(AllOf(Property(&SignedEncryptionInfo::public_asymmetric_key,
+                          Not(IsEmpty())),
+                 Property(&SignedEncryptionInfo::public_key_id, Gt(0)),
+                 Property(&SignedEncryptionInfo::signature, Not(IsEmpty())))))
      .Times(need_encryption_key() ? 1 : 0);
  auto encryption_key_attached_cb =
      base::BindRepeating(&TestEncryptionKeyAttached::Call,