Implement anonymous, opt-in, collection of OS X binary integrity incidents.

chrome/browser/safe_browsing/signature_evaluator_mac.h

Index: chrome/browser/safe_browsing/signature_evaluator_mac.h
diff --git a/chrome/browser/safe_browsing/signature_evaluator_mac.h b/chrome/browser/safe_browsing/signature_evaluator_mac.h
new file mode 100644
index 0000000000000000000000000000000000000000..3091e192b4725ab0964fb7549f5d795f4cb03285
--- /dev/null
+++ b/chrome/browser/safe_browsing/signature_evaluator_mac.h
@@ -0,0 +1,65 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_COMMON_SAFE_BROWSING_SIGNATURE_EVALUATOR_MAC_H_
+#define CHROME_COMMON_SAFE_BROWSING_SIGNATURE_EVALUATOR_MAC_H_
+
+#include <Security/Security.h>
+
+#include <string>
+#include <vector>
+
+#include "base/files/file_path.h"
+#include "base/mac/scoped_cftyperef.h"
+#include "base/memory/ref_counted.h"
+#include "chrome/browser/safe_browsing/incident_reporting/binary_integrity_incident.h"
+
+namespace safe_browsing {
+
+// Wraps the OS X SecStaticCode API, to evaluate a given file object
+// with a given code requirement, and produce a list of incident reports
+// for files that fail code signature validity checks.
+class MacSignatureEvaluator {

[mattm, 2015/10/21 02:06:34]

There is also a bug about signature checking for download protection
(crbug.com/464083)  Could this be structured so that the signature checking is
usable for both?

[Greg K, 2015/10/27 01:06:18]

I talked to Robert. On OS X the notion of "trusted" doesn't tell us much: it
just means it was developer ID signed, which lots of unwanted software is. In
fact, this MacSignatureEvaluator actually calls into some of the code Robert
wrote for download protection. So we don't currently see a future where we'll be
using this class to check downloads.

[mattm, 2015/10/27 01:28:12]

I see. I still think it could be useful, though. We do more than just check a
signed/not-signed bool. If we know the signature is valid, we  can check against
a whitelist
(https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/saf...).
We also send the cert chain in the download service ping
(https://code.google.com/p/chromium/codesearch#chromium/src/chrome/common/safe...),
but that's not super useful if we don't know if it was a valid signature.

+ public:
+  explicit MacSignatureEvaluator(const base::FilePath& signed_object_path);
+
+  // The requirement string must be a valid "Code Signing Requirement Language"
+  // string, which describes the identity of the signer.
+  MacSignatureEvaluator(const base::FilePath& signed_object_path,
+                        const std::string& requirement);
+
+  ~MacSignatureEvaluator();
+
+  // Creates the static code object and requirement string, and returns
+  // true if the object creation succeeds, else false.
+  bool Initialize();
+
+  // Evaluate the signature and return a list of any binary integrity incident
+  // reports. Returns true if and only if the signed code object is valid.
+  bool PerformEvaluation(
+      std::vector<ClientIncidentReport_IncidentData_BinaryIntegrityIncident>*
+          results);
+
+ private:
+  // The path to the code object on disk.
+  base::FilePath path_;
+
+  // A Code Signing Requirement string.
+  std::string requirement_str_;
+
+  // Records whether or not a requirement string was specified.
+  bool has_requirement_;
+
+  // The static code object constructed from the code object on disk.
+  base::ScopedCFTypeRef<SecStaticCodeRef> code_;
+
+  // The requirement object constructed from the requirement string.
+  base::ScopedCFTypeRef<SecRequirementRef> requirement_;
+
+  DISALLOW_COPY_AND_ASSIGN(MacSignatureEvaluator);
+};
+
+}  // namespace safe_browsing
+
+#endif  // CHROME_COMMON_SAFE_BROWSING_SIGNATURE_EVALUATOR_MAC_H_