forked from chromium/chromium
-
Notifications
You must be signed in to change notification settings - Fork 0
/
check_token.py
executable file
·220 lines (183 loc) · 7.48 KB
/
check_token.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
#!/usr/bin/env python
# Copyright (c) 2017 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Utility for validating and inspecting origin trial tokens
usage: check_token.py [-h] [--use-chrome-key |
--use-test-key |
--private-key-file KEY_FILE]
"base64-encoded token"
Run "check_token.py -h" for more help on usage.
"""
import argparse
import base64
from datetime import datetime
import json
import os
import struct
import sys
import time
script_dir = os.path.dirname(os.path.realpath(__file__))
sys.path.insert(0, os.path.join(script_dir, 'third_party', 'ed25519'))
import ed25519
# Version is a 1-byte field at offset 0.
# - To support version-dependent formats, the version number must be the first
# first part of the token.
VERSION_OFFSET = 0
VERSION_SIZE = 1
# These constants define the Version 2 field sizes and offsets.
# Contents are: version|signature|payload length|payload
SIGNATURE_OFFSET = VERSION_OFFSET + VERSION_SIZE
SIGNATURE_SIZE = 64
PAYLOAD_LENGTH_OFFSET = SIGNATURE_OFFSET + SIGNATURE_SIZE
PAYLOAD_LENGTH_SIZE = 4
PAYLOAD_OFFSET = PAYLOAD_LENGTH_OFFSET + PAYLOAD_LENGTH_SIZE
# This script only supports Version 2 tokens.
VERSION2 = "\x02"
# Chrome public key, used by default to validate signatures
# - Copied from chrome/common/origin_trials/chrome_origin_trial_policy.cc
CHROME_PUBLIC_KEY = [
0x7c, 0xc4, 0xb8, 0x9a, 0x93, 0xba, 0x6e, 0xe2, 0xd0, 0xfd, 0x03,
0x1d, 0xfb, 0x32, 0x66, 0xc7, 0x3b, 0x72, 0xfd, 0x54, 0x3a, 0x07,
0x51, 0x14, 0x66, 0xaa, 0x02, 0x53, 0x4e, 0x33, 0xa1, 0x15,
]
# Default key file, relative to script_dir.
DEFAULT_KEY_FILE = 'eftest.key'
class OverrideKeyFileAction(argparse.Action):
def __init__(self, option_strings, dest, **kwargs):
super(OverrideKeyFileAction, self).__init__(
option_strings, dest, **kwargs)
def __call__(self, parser, namespace, values, option_string=None):
setattr(namespace, "use_chrome_key", None)
setattr(namespace, self.dest, values)
def main():
parser = argparse.ArgumentParser(
description="Inspect origin trial tokens")
parser.add_argument("token",
help="Token to be checked (must be Base64 encoded)")
key_group = parser.add_mutually_exclusive_group()
key_group.add_argument("--use-chrome-key",
help="Validate token using the real Chrome public key",
dest="use_chrome_key",
action="store_true")
key_group.add_argument("--use-test-key",
help="Validate token using the eftest.key",
dest="use_chrome_key",
action="store_false")
key_group.add_argument("--key-file",
help="Ed25519 private key file to validate the token",
dest="key_file",
action=OverrideKeyFileAction)
parser.set_defaults(use_chrome_key=False)
args = parser.parse_args()
# Figure out which public key to use: Chrome, test key (default option), or
# key file provided on command line.
public_key = None
private_key_file = None
if (args.use_chrome_key is None):
private_key_file = args.key_file
else:
if (args.use_chrome_key):
public_key = "".join(chr(x) for x in CHROME_PUBLIC_KEY)
else:
# Use the test key, relative to this script.
private_key_file = os.path.join(script_dir, DEFAULT_KEY_FILE)
# If not using the Chrome public key, extract the public key from either the
# test key file, or the private key file provided on the command line.
if public_key is None:
try:
key_file = open(os.path.expanduser(private_key_file), mode="rb")
except IOError as exc:
print "Unable to open key file: %s" % private_key_file
print "(%s)" % exc
sys.exit(1)
private_key = key_file.read(64)
# Validate that the key file read was a proper Ed25519 key -- running the
# publickey method on the first half of the key should return the second
# half.
if (len(private_key) < 64 or
ed25519.publickey(private_key[:32]) != private_key[32:]):
print "Unable to use the specified private key file."
sys.exit(1)
public_key = private_key[32:]
try:
token_contents = base64.b64decode(args.token)
except TypeError as exc:
print "Error decoding the token (%s)" % exc
sys.exit(1)
# Only version 2 currently supported.
if (len(token_contents) < (VERSION_OFFSET + VERSION_SIZE)):
print "Token is malformed - too short."
sys.exit(1)
version = token_contents[VERSION_OFFSET:(VERSION_OFFSET + VERSION_SIZE)]
if (version != VERSION2):
# Convert the version string to a number
version_number = 0
for x in version:
version_number <<= 8
version_number += ord(x)
print "Token has wrong version: %d" % version_number
sys.exit(1)
# Token must be large enough to contain a version, signature, and payload
# length.
minimum_token_length = PAYLOAD_LENGTH_OFFSET + PAYLOAD_LENGTH_SIZE
if (len(token_contents) < minimum_token_length):
print "Token is malformed - too short: %d bytes, minimum is %d" % \
(len(token_contents), minimum_token_length)
sys.exit(1)
# Extract the length of the signed data (Big-endian).
# (unpack returns a tuple).
payload_length = struct.unpack_from(">I", token_contents,
PAYLOAD_LENGTH_OFFSET)[0]
# Validate that the stated length matches the actual payload length.
actual_payload_length = len(token_contents) - PAYLOAD_OFFSET
if (payload_length != actual_payload_length):
print "Token is %d bytes, expected %d" % (actual_payload_length,
payload_length)
sys.exit(1)
# Extract the version-specific contents of the token.
# Contents are: version|signature|payload length|payload
signature = token_contents[SIGNATURE_OFFSET:PAYLOAD_LENGTH_OFFSET]
# The data which is covered by the signature is (version + length + payload).
signed_data = version + token_contents[PAYLOAD_LENGTH_OFFSET:]
# Validate the signature on the data.
try:
ed25519.checkvalid(signature, signed_data, public_key)
except Exception as exc:
print "Signature invalid (%s)" % exc
sys.exit(1)
try:
payload = token_contents[PAYLOAD_OFFSET:].decode('utf-8')
except UnicodeError as exc:
print "Unable to decode token contents (%s)" % exc
sys.exit(1)
try:
token_data = json.loads(payload)
except Exception as exc:
print "Unable to parse payload (%s)" % exc
print "Payload: %s" % payload
sys.exit(1)
print
print "Token data: %s" % token_data
print
# Extract the required fields
for field in ["origin", "feature", "expiry"]:
if not token_data.has_key(field):
print "Token is missing required field: %s" % field
sys.exit(1)
origin = token_data["origin"]
trial_name = token_data["feature"]
expiry = token_data["expiry"]
# Extract the optional fields
is_subdomain = token_data.get("isSubdomain")
# Output the token details
print "Token details:"
print " Origin: %s" % origin
print " Is Subdomain: %s" % is_subdomain
print " Feature: %s" % trial_name
print " Expiry: %d (%s UTC)" % (expiry, datetime.utcfromtimestamp(expiry))
print " Signature: %s" % ", ".join('0x%02x' % ord(x) for x in signature)
print " Signature (Base64): %s" % base64.b64encode(signature)
print
if __name__ == "__main__":
main()