New issue
Advanced search Search tips

Issue 830638 link

Starred by 1 user
Status: Assigned
Owner:
emaxx@chromium.org
Cc:
atwilson@chromium.org
pmarko@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug



Sign in to add a comment

Policy key validation fails with fetched policy after the cache file is lost

Project Member Reported by emaxx@chromium.org, Apr 9 2018 
What steps will reproduce the problem?
(1) Sign in under a managed user on Chrome OS.
(2) Clobber the user policy cache file (e.g. delete it). Note: the file with the cached *key* should be kept.
(3) Try to sign into the user via the online sign-in flow.

What is the expected result?
The new policy is fetched and applied, the user session starts.

What happens instead?
The user session doesn't start (the device returns to the login screen after a couple of seconds on black screen). Two key messages in the logs:

  [ERROR:cloud_policy_validator.cc(342)] New public key rotation signature verification failed
  [ERROR:user_cloud_policy_manager_chromeos.cc(550)] Policy fetch failed for the user. Aborting profile initialization

Comment 1 by emaxx@chromium.org, Apr 9 2018 

Not sure whether this bug has been a recent regression; however, it may have become user-visible after the policy enforcement in bug 676624 was introduced.

The root cause is, I think, this discrepancy between the policy fetch request and the validation of its response:
* For the request, the |public_key_version| field is unset by the client whenever the policy cache file is lost. From the protocol structure, this means "the client doesn't have any key, the server should respond with the initial key provision".
* For the response validation, the cached policy key file is used whenever it's present. This means that the key provisioned with the fetched policy is treated as the "rotated" key, not as the "initial" key. This leads to the validation of the received key to be signed with the old cached key (via the |new_public_key_signature| field), which fails because the server sent nothing there.

I haven't thought much on the fix yet, but two possible directions that I see are:
A. Ignore the cached key whenever the cached policy file is missing/invalid.
B. Tweak the validation code to avoid some extra checks when the fetched key equals to the cached key.

Comment 2 by atwilson@chromium.org, Apr 9 2018 

Yes, if we've lost the policy, we probably should also ignore the cached key (allow any new key to be provisioned). In a world where signing keys are *themselves* signed by DMServer, there's not really any way to inject a bad signing key any more so not interested in validating vs the old key if policy is gone.

Sign in to add a comment