Index: chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc |
diff --git a/chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc b/chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..965380e9a176c2fa04c4ceaaa901e0d52d9288b4 |
--- /dev/null |
+++ b/chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc |
@@ -0,0 +1,92 @@ |
+// Copyright 2015 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer.h" |
+ |
+#include "base/base_paths.h" |
+#include "base/files/file_util.h" |
+#include "base/path_service.h" |
+#include "chrome/browser/safe_browsing/incident_reporting/binary_integrity_incident.h" |
+#include "chrome/browser/safe_browsing/incident_reporting/incident_receiver.h" |
+#include "chrome/browser/safe_browsing/signature_evaluator_mac.h" |
+#include "chrome/common/safe_browsing/csd.pb.h" |
+ |
+#define DEVELOPER_ID_APPLICATION_OID "field.1.2.840.113635.100.6.1.13" |
+#define DEVELOPER_ID_INTERMEDIATE_OID "field.1.2.840.113635.100.6.2.6" |
+ |
+namespace safe_browsing { |
+ |
+namespace { |
+ |
+void VerifyBinaryIntegrityHelper(IncidentReceiver* incident_receiver, |
+ const base::FilePath& path, |
+ const std::string& requirement) { |
+ base::FilePath binary_path(path); |
+ if (!base::PathExists(binary_path)) |
+ return; |
+ |
+ MacSignatureEvaluator evaluator(binary_path, requirement); |
+ if (!evaluator.Initialize()) { |
+ LOG(ERROR) << "Could not initialize mac signature evaluator"; |
+ return; |
+ } |
+ |
+ std::vector<ClientIncidentReport_IncidentData_BinaryIntegrityIncident> |
+ results; |
+ if (!evaluator.PerformEvaluation(&results)) { |
+ VLOG(1) << "Signature verification failed: " << path.value(); |
+ for (const auto& incident : results) { |
+ scoped_ptr<ClientIncidentReport_IncidentData_BinaryIntegrityIncident> |
+ incident_copy( |
+ new ClientIncidentReport_IncidentData_BinaryIntegrityIncident( |
+ incident)); |
+ incident_receiver->AddIncidentForProcess( |
+ make_scoped_ptr(new BinaryIntegrityIncident(incident_copy.Pass()))); |
+ } |
+ } |
+} |
+ |
+} // namespace |
+ |
+std::vector<PathAndRequirement> GetCriticalPathsAndRequirements() { |
+ // Get the path to the main executable. |
+ std::vector<PathAndRequirement> critical_binaries; |
+ base::FilePath main_exe; |
+ if (!PathService::Get(base::FILE_EXE, &main_exe)) { |
+ NOTREACHED(); |
+ return critical_binaries; |
+ } |
+ |
+ // This requirement describes a developer ID signed application, |
+ // with Google's team identifier, and the com.Google.Chrome[.canary] |
+ // identifier. |
+ std::string requirement = |
+ "anchor apple generic and certificate 1[" DEVELOPER_ID_INTERMEDIATE_OID |
+ "] exists and certificate leaf[" DEVELOPER_ID_APPLICATION_OID |
+ "] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and " |
+ "(identifier=\"com.google.Chrome\" or " |
+ "identifier=\"com.google.Chrome.canary\")"; |
+ critical_binaries.push_back(PathAndRequirement(main_exe, requirement)); |
+ // TODO(kerrnel): eventually add Adobe Flash Player to this list. |
+ return critical_binaries; |
+} |
+ |
+void VerifyBinaryIntegrityForTesting(IncidentReceiver* incident_receiver, |
+ const base::FilePath& path, |
+ const std::string& requirement) { |
+ VerifyBinaryIntegrityHelper(incident_receiver, path, requirement); |
+} |
+ |
+void VerifyBinaryIntegrity(scoped_ptr<IncidentReceiver> incident_receiver) { |
+ size_t i = 0; |
+ for (const auto& p : GetCriticalPathsAndRequirements()) { |
+ base::TimeTicks time_before = base::TimeTicks::Now(); |
+ VerifyBinaryIntegrityHelper(incident_receiver.get(), |
+ p.path, |
+ p.requirement); |
+ RecordSignatureVerificationTime(i++, base::TimeTicks::Now() - time_before); |
+ } |
+} |
+ |
+} // namespac |