blob: dad3a056eb5698d29f7b3bf22390034c04386e12 [file] [log] [blame]
#!/bin/sh
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# This script is temporary front-end to entd. It validates the policy's
# signature before starting the daemon. If the signing certificate or
# signature to not validate, then this script will log an error to syslog
# and exit without starting entd.
#
if [ -z "$HOME" ]; then
HOME=/home/chronos/user
fi
SCRIPT="$(basename $0)"
SIGNING_CERT="signing-cert.pem"
SIGNED_DIGEST="signed-digest.sha1"
ROOT_CA_FILE="root-ca.pem"
REQUIRED_TO_SIGN="isa-cros-policy manifest.json policy.js $SIGNING_CERT"
REQUIRED_TO_START="$REQUIRED_FOR_SIGN $SIGNED_DIGEST"
APPROVED_CA="approved-ca.pem"
CANDIDATE_CA="candidate-ca.pem"
ALLOW_CHAINING_FILE="chaining-allowed"
. "/usr/lib/shflags" || (echo "error loading shflags"; exit 1)
DEFINE_string command "" \
"Command to run; One of: sign, verify, or start" "c"
DEFINE_boolean verify_signature $FLAGS_TRUE \
"Verify the authenticity of the signature" "v"
DEFINE_boolean allow_self_signed $FLAGS_FALSE \
"Allow self signed certificates" "S"
DEFINE_string extension "" \
"Location of the enterprise extension" "x"
DEFINE_string extension_path "$HOME/Extensions" \
"Location to search for extensions when --extension is not provided" "p"
DEFINE_string enterprise_ca "" \
"URL of the enterprise root Certificate Authority." "C"
DEFINE_string signing_key "" \
"Location of the private key to use when signing." "K"
DEFINE_string crx_key "" \
"Location of the private key to use when creating the crx file." "k"
DEFINE_string entd "/usr/sbin/entd" \
"Path to the entd binary" "d"
DEFINE_string utility "/etc/entd/base-policy.js" \
"Path to policy utility file" "t"
DEFINE_string username "$CHROMEOS_USER" \
"ChromeOS Username (full email address)." "u"
DEFINE_string output "$(pwd)" \
"Destination directory or filename for crx files" "o"
DEFINE_string user_var "$HOME/var/entd/" \
"Directory to store user specific state" "V"
DEFINE_boolean allow_chaining $FLAGS_FALSE \
"Allow the extensions to be signed by a cert which chains to the approved \
cert (this option only matters when approving a cert)."
FLAGS "$@" || exit $?
eval set -- "${FLAGS_ARGV}"
main() {
local extension="$FLAGS_extension"
if [ -z "$FLAGS_command" ]; then
log "Missing option: --command"
exit 1
fi
if [ "$FLAGS_command" = "disapprove" ]; then
# Disable an approved enterprise ca.
cmd_disapprove
return $?
fi
if [ "$FLAGS_command" = "approve" ]; then
# Approve an enterprise ca.
cmd_approve "$FLAGS_enterprise_ca"
return $?
fi
log "Username: ${FLAGS_username}"
if [ -z "$extension" ]; then
extension="$(find_extension "$FLAGS_extension_path")"
fi
if [ -z "$extension" ]; then
return 1
fi
log "Enterprise extension: $extension"
local result
if [ "$FLAGS_command" = "makecrx" ]; then
# Sign an extension.
cmd_makecrx "$extension" "$FLAGS_crx_key" "$FLAGS_signing_key"
result=$?
elif [ "$FLAGS_command" = "verify" ]; then
# Verify a signature without starting entd.
cmd_verify "$extension"
result=$?
if [ "$result" = "0" ]; then
log "Extension verified: $extension"
fi
elif [ "$FLAGS_command" = "start" ]; then
# Verify the signature, then start entd.
cmd_start "$extension"
result=$?
else
log "Unknown command: $FLAGS_command"
result=1
fi
return $result
}
cmd_makecrx() {
local extension="$1"
local crx_key="$2"
local signing_key="$3"
if [ ! -d "$extension" ]; then
log "Missing or invalid extension: $extension"
return 1
fi
if [ ! -f "$crx_key" ]; then
log "Missing or invalid crx key: $crx_key"
return 1
fi
if [ ! -f "$signing_key" ]; then
log "Missing or invalid signing key: $signing_key"
return 1
fi
local chrome="$(which google-chrome)"
if [ ! -x "$chrome" ]; then
log "Unable to locate google-chrome executable"
return 1
fi
local workdir="$(mktemp -d)"
local signed="$workdir/signed"
mkdir -p "$signed"
cp -rL $extension/* "$signed"
rm $(find "$signed" -name '*~')
if ! cmd_sign "$signed" "$signing_key"; then
log "Error signing"
return 1
fi
local userdata="$workdir/userdata"
mkdir -p "$userdata"
"$chrome" --pack-extension="$signed" \
--pack-extension-key="$crx_key" \
--user-data-dir="$userdata" --no-message-box --no-first-run
if [ ! -f "$workdir/signed.crx" ]; then
log "Error creating crx"
return 1
fi
local output="$FLAGS_output"
if [ -d "$output" ]; then
local cn="$(get_cn "$extension")"
local version="$(get_version "$extension")"
output="$output/$cn-policy-$version.crx"
fi
mv "$workdir/signed.crx" "$output"
chmod a+r "$output"
log "CRX file written to: $output"
rm -rf "$workdir"
}
cmd_sign() {
local extension="$1"
local private_key="$2"
log "Signing: $extension"
if [ -z "$private_key" ]; then
log "Missing private key"
return 1
fi
if ! verify_files "$extension" "$REQUIRED_TO_SIGN"; then
log "Invalid extension: $extension"
return 1
fi
local catfile="$(make_catfile "$extension")"
if [ -z "$catfile" ]; then
return 1
fi
local output
output="$(openssl dgst -sha1 -sign "$private_key" \
-out "$extension/$SIGNED_DIGEST" "$catfile" 2>&1)"
local result=$?
rm "$catfile"
# If openssl exited with code 0 and the signature file is not zero length,
# then were probably successful.
if [ $result = 0 -a -s "$extension/$SIGNED_DIGEST" ]; then
cmd_verify "$extension"
return $?
fi
log "Error signing extension: $output"
return 1
}
cmd_verify() {
local extension="$1"
if ! (verify_files "$extension" "$REQUIRED_TO_START"); then
log "Invalid extension: $extension"
return 1
fi
if [ "$FLAGS_verify_signature" = "$FLAGS_TRUE" ]; then
if ! verify_cert "$extension"; then
return 1
fi
if ! verify_signature "$extension"; then
return 1
fi
else
log "WARNING: Not verifying extension certificate"
fi
}
cmd_start() {
local extension="$1"
if [ -z "$FLAGS_username" ]; then
log "Can't start enterprise daemon, no username provided."
return 1
fi
local domain="$(echo "$FLAGS_username" | cut -f2 -d'@')"
if [ "$domain" = "gmail.com" ]; then
log "Enterprise daemon disabled for gmail.com users."
return 1
fi
local session_path="$extension/session-id.json"
# Remove session-id file as it should be ignored when verifying
# the signature.
log "removing $session_path"
rm -f "$session_path"
if ! cmd_verify "$extension"; then
return 1
fi
# Remove session-id.json at exit to enable the extension to remain
# backward compatible with earlier versions of entd/entwife.
trap "rm -f $session_path" EXIT TERM
# Provide a way for a developer to disable session id to simplify
# iterating new extensions.
local local_session_id=""
if [ ! -r "/root/.disable-entd-session-id" ]; then
session_id=$(head -c 8 /dev/urandom | openssl md5)
fi
cat > "$session_path" <<EOF
{
"session_id": "$session_id"
}
EOF
local root_ca_option=""
if [ -f "$extension/$ROOT_CA_FILE" ]; then
root_ca_option="--root-ca-file=$extension/$ROOT_CA_FILE"
fi
local extid="$(basename $(dirname "$extension"))"
local cryptohome_flag=""
if [ -r "/home/chronos/.cryptohome-init-pkcs11" ]; then
cryptohome_flag="--cryptohome-init-pkcs11"
fi
# Run entd in the background and wait on it - this allows the
# shell interpreter to catch TERM signal and clean up session_path.
"$FLAGS_entd" --utility="$FLAGS_utility" "$root_ca_option" \
--policy="$extension/policy.js" --manifest="$extension/manifest.json" \
--username="$FLAGS_username" --callback-origin=chrome-extension://"$extid" \
--session-id="$session_id" $cryptohome_flag &
local pid=$!
wait $pid
}
cmd_disapprove() {
if [ -f "$FLAGS_user_var/$APPROVED_CA" ]; then
log "Removing enterprise certificate authority"
rm -f "$FLAGS_user_var/$APPROVED_CA"
else
log "No enterprise certificate authority has been approved."
fi
}
cmd_approve() {
local ca_url="$1"
if [ -z "$ca_url" ]; then
log "Missing CA url"
exit 1
fi
if [ "$(echo "$ca_url" | cut -c1-7)" != "http://" -a \
"$(echo "$ca_url" | cut -c1-8)" != "https://" ]; then
log "Invalid CA url, must begin with http:// or https://"
return 1
fi
mkdir -p "$FLAGS_user_var"
rm -f "$FLAGS_user_var/$CANDIDATE_CA"
curl -sS "$ca_url" -o "$FLAGS_user_var/$CANDIDATE_CA"
if [ ! -s "$FLAGS_user_var/$CANDIDATE_CA" ]; then
log "Error fetching candidate CA file."
return 1
fi
if ! grep -q "BEGIN CERTIFICATE" "$FLAGS_user_var/$CANDIDATE_CA"; then
log "Not a PEM encoded certificate."
return 1
fi
local output="$(openssl verify "$FLAGS_user_var/$CANDIDATE_CA")"
if [ "$FLAGS_allow_self_signed" = "$FLAGS_TRUE" ]; then
local stripped_output="$(echo $output | grep -v "self signed certificate")"
if [ "$output" != "$stripped_output" ]; then
log
log "WARNING: This is a self signed certificate."
log
fi
output="$stripped_output"
fi
if [ ! -z "$(echo "$output" | grep "error")" ]; then
# `openssl verify` exits with a success code even if verification fails,
# so we have to grep the output to determine the result of verification.
log "Unable to verify certificate authority: $output"
return 1
fi
log "This certificate authority has the subject:"
log "$(get_subject "$FLAGS_user_var/$CANDIDATE_CA")"
log
read -p ">>> If you trust this certificate authority, type 'I DO': " I_DO_
if [ "$I_DO_" != "I DO" ]; then
log "Canceling CA approval."
return 1
fi
rm -f "$FLAGS_user_var/$APPROVED_CA"
mv "$FLAGS_user_var/$CANDIDATE_CA" "$FLAGS_user_var/$APPROVED_CA"
chmod 440 "$FLAGS_user_var/$APPROVED_CA"
if [ "$FLAGS_allow_chaining" = "$FLAGS_TRUE" ]; then
log "Enabling chaining for this CA."
touch "$FLAGS_user_var/$ALLOW_CHAINING_FILE"
chmod 440 "$FLAGS_user_var/$ALLOW_CHAINING_FILE"
else
rm -f "$FLAGS_user_var/$ALLOW_CHAINING_FILE"
fi
log "CA approval complete."
}
log() {
if [ -t 2 ]; then
echo "---" "$@" >&2
else
if [ -z "$@" ]; then
# Don't log blank lines to the system log, they're only useful on ttys.
return
fi
logger -t "$SCRIPT" -- "$@"
fi
}
abspath() {
if [ -d "$1" ]; then
echo "$(cd $1; pwd)"
else
echo "$(cd $(dirname "$1"); pwd)/$(basename $1)"
fi
}
get_cn() {
local extension="$1"
# Extract the CN from the certificate.
openssl x509 -in "$extension/$SIGNING_CERT" -noout -subject | \
sed 's:.*/CN=\([^/]\+\).*:\1:'
}
get_subject() {
local cert="$1"
# Extract the CN from the certificate.
openssl x509 -in "$cert" -noout -subject | sed 's:^subject=\s*\(.*\):\1:'
}
get_version() {
local extension="$1"
cat "$extension/manifest.json" | sed -n 's/\s*"version":\s*"\([^"]\+\).*/\1/p'
}
# Search through the given path for one and only one enterprise extension.
find_extension() {
local path="$(readlink -f "$1")"
local depth="$2"
if [ -z "$depth" ]; then
depth=3
fi
if [ ! -d "$path" ]; then
log "Extension path is not a directory: $path"
return
fi
local candidates="$(find -L "$path" -mindepth $depth -maxdepth $depth \
-name isa-cros-policy)"
if [ -z "$candidates" ]; then
log "No enterprise policy extension found in $path";
return
fi
if [ "$(echo "$candidates" | wc -w)" != "1" ]; then
log "Multiple enterprise policies found in $path: $candidates";
return
fi
dirname "$candidates"
}
# Verifies that the extension contains a list of files. If the list is not
# specified, assume they mean the list of files require to start entd with
# this extension.
verify_files() {
local extension="$1"
local required_files="$2"
if [ -z "$required_files" ]; then
required_files="$REQUIRED_TO_START"
fi
local err=0
for file in $required_files; do
if [ ! -f "$extension/$file" ]; then
log "Missing $extension/$file";
err=1
fi
done
return $err
}
# The "catfile" is the concatenation of all of the files from the extension
# into a single file.
#
# We locate all regular files in the extension, excluding any previous
# signature file, sort them in ascending order. Then for each file, we
# append the filename and contents to the catfile.
#
# The hash of this file is what is actually signed.
#
make_catfile() {
local extension="$1"
local normalized_manifest="$(normalize_manifest "$extension")"
if [ -z "$normalized_manifest" ]; then
return 1
fi
cd "$extension" > /dev/null
local filenames="$(find . -type f -not -wholename "./$SIGNED_DIGEST" | sort)"
cd - > /dev/null
if [ -z "$filenames" ]; then
log "Error enumerating files"
return 1
fi
local catfile="$(mktemp)"
for filename in $filenames; do
echo $filename >> "$catfile"
if [ "$filename" = "./manifest.json" ]; then
echo "$normalized_manifest" >> "$catfile"
else
cat "$extension/$filename" >> "$catfile"
fi
done
echo "$catfile"
}
# Verify that a certificate is valid.
verify_cert() {
local extension="$1"
if [ ! -f "$FLAGS_user_var/$APPROVED_CA" ]; then
log "Cannot verify cert: No approved enterprise certificate authority."
return 1
fi
if [ -f "$FLAGS_user_var/$ALLOW_CHAINING_FILE" ]; then
log "Checking certificate chain."
local output="$(openssl verify -CAfile "$FLAGS_user_var/$APPROVED_CA" \
"$extension/$SIGNING_CERT" 2>&1)"
if [ ! -z "$(echo "$output" | grep -i "error")" ]; then
# `openssl verify` exits with a success code even if verification fails,
# so we have to grep the output to determine the result of verification.
log "Unable to verify certificate: $output"
return 1
fi
else
log "Checking for exact certificate match."
if [ "$(cat "$FLAGS_user_var/$APPROVED_CA")" != \
"$(cat "$extension/$SIGNING_CERT")" ]; then
log "Approved cert does not match signing cert."
return 1
fi
fi
}
# Verify the signature of a policy.
verify_signature() {
local extension="$1"
# This file contains the signature of the extension.
local sigfile="$extension/$SIGNED_DIGEST"
local catfile="$(make_catfile "$extension")"
if [ -z "$catfile" ]; then
return 1
fi
# Extract the public key from the certificate.
local keyfile="$(mktemp)"
openssl x509 -in "$extension/$SIGNING_CERT" -pubkey -noout > "$keyfile"
local result=$?
if [ "$result" != "0" ]; then
log "Error extracting public key from certificate"
rm "$catfile"
return $result
fi
if [ ! -f "$keyfile" ]; then
log "Unknown error extracting public key from certificate"
return 1
fi
# Declare $output before assigning, so we don't lose the return code of
# the openssl command.
local output
# Verify the signature.
output="$(openssl dgst -sha1 -verify "$keyfile" \
-signature "$extension/$SIGNED_DIGEST" "$catfile" 2>&1)"
result=$?
# Clean up the temporary files.
rm "$catfile" "$keyfile"
if [ "$result" != "0" ]; then
log "Signature did not validate: $output"
else
log "Signature is valid"
fi
return $result
}
# Chrome takes liberties with the manifest file when it installs an extension.
# It deserializes it, adds the "key" if it is missing, and then re-serializes
# it. There is no guaranteed ordering for the keys when the file is finally
# written to disk. This royally screws up our recalculation of the signature.
#
# So, instead of signing the actual manifest source file, we pass it through
# a normalization procedure where we impose a guaranteed ordering on the keys,
# and remove the extra key (called "key") that Chrome adds during installation.
#
# For example, given { "name": "Foo", "browser": { "hello": "world" } }, we
# return:
#
# manifest.browser.hello = "world"
# manifest.name = "Foo"
#
# If we can, we use a small Python script to do the normalization. If Python
# isn't available (say, on the device) then we use entd itself.
#
#
# TODO(rginda): Do better.
normalize_manifest() {
local python="$(which python)"
if [ -x "$python" ]; then
normalize_manifest_py "$@"
elif [ -x "$FLAGS_entd" ]; then
normalize_manifest_js "$@"
else
log "Can't find python or entd, unable to normalize extension manifest"
return 1
fi
}
normalize_manifest_py() {
local extension="$1"
local scriptfile="$(mktemp)"
cat <<EOF > "$scriptfile"
import sys
try:
import json
except ImportError:
json = None
if not json or not hasattr(json, 'loads'):
# The contemporary version of the json module wasn't included until
# Python 2.6. If you want to build a policy extension on an earlier version,
# you need to install the simplejson module.
import simplejson
json = simplejson
def to_str(name, value, ary = []):
if type(value) == list:
ary.append(name + ": []");
for i in xrange(len(value)):
to_str(name + "." + str(i), value[i], ary);
elif type(value) == dict:
ary.append(name + ": {}");
for key in value.keys():
to_str(name + "." + key, value[key], ary);
else:
ary.append(name + ": " + json.dumps(value));
return ary
if __name__ == '__main__':
fp = open(sys.argv[1])
d = json.load(fp)
# Remove the "key" possibly added by Chrome.
if 'key' in d:
del d['key']
ary = to_str('manifest', d)
ary.sort()
ary.reverse()
print '\n'.join(ary)
EOF
python "$scriptfile" "$extension/manifest.json"
rm "$scriptfile"
}
normalize_manifest_js() {
local extension="$1"
local scriptfile="$(mktemp)"
cat <<EOF > "$scriptfile"
entd.onLoad = function(m) {
// Remove the "key" possibly added by Chrome.
delete m.key;
var ary = str("manifest", m);
// Sort the results so we can determine an ordering.
println(ary.sort().reverse().join("\n"));
}
function str(name, value, ary) {
ary = ary || [];
if (value instanceof Array) {
ary.push(name + ": []");
for (var i = 0; i < value.length; ++i)
str(name + "." + i, value[i], ary);
} else if (value instanceof Object) {
ary.push(name + ": {}");
for (var key in value)
str(name + "." + key, value[key], ary);
} else {
ary.push(name + ": " + JSON.stringify(value));
}
return ary
}
EOF
"$FLAGS_entd" --policy="$scriptfile" --manifest="$extension/manifest.json" \
--username=user@example.com --allow-dirty-exit 2>/dev/null
rm "$scriptfile"
}
main "$@"