forked from chromium/chromium
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Origin Trials] Add utility script to check tokens
Add a script to inspect origin trial tokens and display the contents. This script provides similar functionality to the public page to check tokens (see http://jpchase.github.io/OriginTrials/check-token.html). This script will also display the token signature, which can be useful for testing the origin trials infrastructure to disable tokens. BUG= Review-Url: https://codereview.chromium.org/2764153002 Cr-Commit-Position: refs/heads/master@{#459447}
- Loading branch information
Showing
1 changed file
with
220 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,220 @@ | ||
| #!/usr/bin/env python | ||
| # Copyright (c) 2017 The Chromium Authors. All rights reserved. | ||
| # Use of this source code is governed by a BSD-style license that can be | ||
| # found in the LICENSE file. | ||
|
|
||
| """Utility for validating and inspecting origin trial tokens | ||
| usage: check_token.py [-h] [--use-chrome-key | | ||
| --use-test-key | | ||
| --private-key-file KEY_FILE] | ||
| "base64-encoded token" | ||
| Run "check_token.py -h" for more help on usage. | ||
| """ | ||
| import argparse | ||
| import base64 | ||
| from datetime import datetime | ||
| import json | ||
| import os | ||
| import struct | ||
| import sys | ||
| import time | ||
|
|
||
| script_dir = os.path.dirname(os.path.realpath(__file__)) | ||
| sys.path.insert(0, os.path.join(script_dir, 'third_party', 'ed25519')) | ||
| import ed25519 | ||
|
|
||
| # Version is a 1-byte field at offset 0. | ||
| # - To support version-dependent formats, the version number must be the first | ||
| # first part of the token. | ||
| VERSION_OFFSET = 0 | ||
| VERSION_SIZE = 1 | ||
|
|
||
| # These constants define the Version 2 field sizes and offsets. | ||
| # Contents are: version|signature|payload length|payload | ||
| SIGNATURE_OFFSET = VERSION_OFFSET + VERSION_SIZE | ||
| SIGNATURE_SIZE = 64 | ||
| PAYLOAD_LENGTH_OFFSET = SIGNATURE_OFFSET + SIGNATURE_SIZE | ||
| PAYLOAD_LENGTH_SIZE = 4 | ||
| PAYLOAD_OFFSET = PAYLOAD_LENGTH_OFFSET + PAYLOAD_LENGTH_SIZE | ||
|
|
||
| # This script only supports Version 2 tokens. | ||
| VERSION2 = "\x02" | ||
|
|
||
| # Chrome public key, used by default to validate signatures | ||
| # - Copied from chrome/common/origin_trials/chrome_origin_trial_policy.cc | ||
| CHROME_PUBLIC_KEY = [ | ||
| 0x7c, 0xc4, 0xb8, 0x9a, 0x93, 0xba, 0x6e, 0xe2, 0xd0, 0xfd, 0x03, | ||
| 0x1d, 0xfb, 0x32, 0x66, 0xc7, 0x3b, 0x72, 0xfd, 0x54, 0x3a, 0x07, | ||
| 0x51, 0x14, 0x66, 0xaa, 0x02, 0x53, 0x4e, 0x33, 0xa1, 0x15, | ||
| ] | ||
|
|
||
| # Default key file, relative to script_dir. | ||
| DEFAULT_KEY_FILE = 'eftest.key' | ||
|
|
||
|
|
||
| class OverrideKeyFileAction(argparse.Action): | ||
| def __init__(self, option_strings, dest, **kwargs): | ||
| super(OverrideKeyFileAction, self).__init__( | ||
| option_strings, dest, **kwargs) | ||
| def __call__(self, parser, namespace, values, option_string=None): | ||
| setattr(namespace, "use_chrome_key", None) | ||
| setattr(namespace, self.dest, values) | ||
|
|
||
| def main(): | ||
| parser = argparse.ArgumentParser( | ||
| description="Inspect origin trial tokens") | ||
| parser.add_argument("token", | ||
| help="Token to be checked (must be Base64 encoded)") | ||
|
|
||
| key_group = parser.add_mutually_exclusive_group() | ||
| key_group.add_argument("--use-chrome-key", | ||
| help="Validate token using the real Chrome public key", | ||
| dest="use_chrome_key", | ||
| action="store_true") | ||
| key_group.add_argument("--use-test-key", | ||
| help="Validate token using the eftest.key", | ||
| dest="use_chrome_key", | ||
| action="store_false") | ||
| key_group.add_argument("--key-file", | ||
| help="Ed25519 private key file to validate the token", | ||
| dest="key_file", | ||
| action=OverrideKeyFileAction) | ||
| parser.set_defaults(use_chrome_key=False) | ||
|
|
||
| args = parser.parse_args() | ||
|
|
||
| # Figure out which public key to use: Chrome, test key (default option), or | ||
| # key file provided on command line. | ||
| public_key = None | ||
| private_key_file = None | ||
| if (args.use_chrome_key is None): | ||
| private_key_file = args.key_file | ||
| else: | ||
| if (args.use_chrome_key): | ||
| public_key = "".join(chr(x) for x in CHROME_PUBLIC_KEY) | ||
| else: | ||
| # Use the test key, relative to this script. | ||
| private_key_file = os.path.join(script_dir, DEFAULT_KEY_FILE) | ||
|
|
||
| # If not using the Chrome public key, extract the public key from either the | ||
| # test key file, or the private key file provided on the command line. | ||
| if public_key is None: | ||
| try: | ||
| key_file = open(os.path.expanduser(private_key_file), mode="rb") | ||
| except IOError as exc: | ||
| print "Unable to open key file: %s" % private_key_file | ||
| print "(%s)" % exc | ||
| sys.exit(1) | ||
|
|
||
| private_key = key_file.read(64) | ||
|
|
||
| # Validate that the key file read was a proper Ed25519 key -- running the | ||
| # publickey method on the first half of the key should return the second | ||
| # half. | ||
| if (len(private_key) < 64 or | ||
| ed25519.publickey(private_key[:32]) != private_key[32:]): | ||
| print "Unable to use the specified private key file." | ||
| sys.exit(1) | ||
|
|
||
| public_key = private_key[32:] | ||
|
|
||
| try: | ||
| token_contents = base64.b64decode(args.token) | ||
| except TypeError as exc: | ||
| print "Error decoding the token (%s)" % exc | ||
| sys.exit(1) | ||
|
|
||
|
|
||
| # Only version 2 currently supported. | ||
| if (len(token_contents) < (VERSION_OFFSET + VERSION_SIZE)): | ||
| print "Token is malformed - too short." | ||
| sys.exit(1) | ||
|
|
||
| version = token_contents[VERSION_OFFSET:(VERSION_OFFSET + VERSION_SIZE)] | ||
| if (version != VERSION2): | ||
| # Convert the version string to a number | ||
| version_number = 0 | ||
| for x in version: | ||
| version_number <<= 8 | ||
| version_number += ord(x) | ||
| print "Token has wrong version: %d" % version_number | ||
| sys.exit(1) | ||
|
|
||
| # Token must be large enough to contain a version, signature, and payload | ||
| # length. | ||
| minimum_token_length = PAYLOAD_LENGTH_OFFSET + PAYLOAD_LENGTH_SIZE | ||
| if (len(token_contents) < minimum_token_length): | ||
| print "Token is malformed - too short: %d bytes, minimum is %d" % \ | ||
| (len(token_contents), minimum_token_length) | ||
| sys.exit(1) | ||
|
|
||
| # Extract the length of the signed data (Big-endian). | ||
| # (unpack returns a tuple). | ||
| payload_length = struct.unpack_from(">I", token_contents, | ||
| PAYLOAD_LENGTH_OFFSET)[0] | ||
|
|
||
| # Validate that the stated length matches the actual payload length. | ||
| actual_payload_length = len(token_contents) - PAYLOAD_OFFSET | ||
| if (payload_length != actual_payload_length): | ||
| print "Token is %d bytes, expected %d" % (actual_payload_length, | ||
| payload_length) | ||
| sys.exit(1) | ||
|
|
||
| # Extract the version-specific contents of the token. | ||
| # Contents are: version|signature|payload length|payload | ||
| signature = token_contents[SIGNATURE_OFFSET:PAYLOAD_LENGTH_OFFSET] | ||
|
|
||
| # The data which is covered by the signature is (version + length + payload). | ||
| signed_data = version + token_contents[PAYLOAD_LENGTH_OFFSET:] | ||
|
|
||
| # Validate the signature on the data. | ||
| try: | ||
| ed25519.checkvalid(signature, signed_data, public_key) | ||
| except Exception as exc: | ||
| print "Signature invalid (%s)" % exc | ||
| sys.exit(1) | ||
|
|
||
| try: | ||
| payload = token_contents[PAYLOAD_OFFSET:].decode('utf-8') | ||
| except UnicodeError as exc: | ||
| print "Unable to decode token contents (%s)" % exc | ||
| sys.exit(1) | ||
|
|
||
| try: | ||
| token_data = json.loads(payload) | ||
| except Exception as exc: | ||
| print "Unable to parse payload (%s)" % exc | ||
| print "Payload: %s" % payload | ||
| sys.exit(1) | ||
|
|
||
| print "Token data: %s" % token_data | ||
|
|
||
| # Extract the required fields | ||
| for field in ["origin", "feature", "expiry"]: | ||
| if not token_data.has_key(field): | ||
| print "Token is missing required field: %s" % field | ||
| sys.exit(1) | ||
|
|
||
| origin = token_data["origin"] | ||
| trial_name = token_data["feature"] | ||
| expiry = token_data["expiry"] | ||
|
|
||
| # Extract the optional fields | ||
| is_subdomain = token_data.get("isSubdomain") | ||
|
|
||
| # Output the token details | ||
| print "Token details:" | ||
| print " Origin: %s" % origin | ||
| print " Is Subdomain: %s" % is_subdomain | ||
| print " Feature: %s" % trial_name | ||
| print " Expiry: %d (%s UTC)" % (expiry, datetime.utcfromtimestamp(expiry)) | ||
| print " Signature: %s" % ", ".join('0x%02x' % ord(x) for x in signature) | ||
| print " Signature (Base64): %s" % base64.b64encode(signature) | ||
|
|
||
| if __name__ == "__main__": | ||
| main() |