| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ | 5 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ |
| 6 #define CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ | 6 #define CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/callback.h" | 11 #include "base/callback.h" |
| 12 #include "base/macros.h" | 12 #include "base/macros.h" |
| 13 #include "base/memory/weak_ptr.h" | 13 #include "base/memory/weak_ptr.h" |
| 14 #include "components/keyed_service/core/keyed_service.h" | 14 #include "components/keyed_service/core/keyed_service.h" |
| 15 #include "crypto/scoped_nss_types.h" | 15 #include "crypto/scoped_nss_types.h" |
| 16 | 16 |
| 17 class PrefRegistrySimple; | 17 class PrefRegistrySimple; |
| 18 class PrefService; | 18 class PrefService; |
| 19 | 19 |
| 20 // Manages per user RSA keys stored in system TPM slot used in easy signin | 20 // Manages per user RSA keys stored in system TPM slot used in easy signin |
| 21 // protocol. The keys are used to sign a nonce exchanged during signin. | 21 // protocol. The keys are used to sign a nonce exchanged during signin. |
| 22 class EasyUnlockTpmKeyManager : public KeyedService { | 22 class EasyUnlockTpmKeyManager : public KeyedService { |
| 23 public: | 23 public: |
| 24 // Registers local state prefs used to store public RSA keys per user. | 24 // Registers local state prefs used to store public RSA keys per user. |
| 25 static void RegisterLocalStatePrefs(PrefRegistrySimple* registry); | 25 static void RegisterLocalStatePrefs(PrefRegistrySimple* registry); |
| 26 | 26 |
| 27 // Clears local state for user. Should be called when a user is removed. | 27 // Clears local state for user. Should be called when a user is removed. |
| 28 static void ResetLocalStateForUser(const std::string& user_id); | 28 static void ResetLocalStateForUser(const std::string& user_id); |
| 29 | 29 |
| 30 // |user_id|: Id for the user associated with the service. Empty for signin | 30 // |user_id|: Id for the user associated with the service. Empty for sign-in |
| 31 // service. | 31 // service. |
| 32 // |username_hash|: Username hash for the user associated with the service. |
| 33 // Empty for sign-in service. |
| 32 // |local_state|: The local state prefs. | 34 // |local_state|: The local state prefs. |
| 33 EasyUnlockTpmKeyManager(const std::string& user_id, PrefService* local_state); | 35 EasyUnlockTpmKeyManager(const std::string& user_id, |
| 36 const std::string& username_hash, |
| 37 PrefService* local_state); |
| 34 ~EasyUnlockTpmKeyManager() override; | 38 ~EasyUnlockTpmKeyManager() override; |
| 35 | 39 |
| 36 // Checks if the RSA public key is set in the local state. If not, creates | 40 // Checks if the RSA public key is set in the local state. If not, creates |
| 37 // one. If the key presence can be confirmed, immediately returns true and | 41 // one. If the key presence can be confirmed, immediately returns true and |
| 38 // |callback| never gets called, otherwise returns false (callback is called | 42 // |callback| never gets called, otherwise returns false (callback is called |
| 39 // when the key presence is confirmed). | 43 // when the key presence is confirmed). |
| 40 // Must not be called for signin profile. | 44 // Must not be called for signin profile. |
| 41 // |check_private_key|: If public RSA key is set in the local state, whether | 45 // |check_private_key|: If public RSA key is set in the local state, whether |
| 42 // the method should confirm that the private key is present in the system | 46 // the method should confirm that the private key is present in the system |
| 43 // slot. If the private key cannot be found, a new key pair will be | 47 // slot. If the private key cannot be found, a new key pair will be |
| (...skipping 18 matching lines...) Expand all Loading... |
| 62 // Gets the public RSA key for user. The key is retrieved from local state. | 66 // Gets the public RSA key for user. The key is retrieved from local state. |
| 63 std::string GetPublicTpmKey(const std::string& user_id); | 67 std::string GetPublicTpmKey(const std::string& user_id); |
| 64 | 68 |
| 65 // Signs |data| using private RSA key associated with |user_id| stored in TPM | 69 // Signs |data| using private RSA key associated with |user_id| stored in TPM |
| 66 // system slot. | 70 // system slot. |
| 67 void SignUsingTpmKey( | 71 void SignUsingTpmKey( |
| 68 const std::string& user_id, | 72 const std::string& user_id, |
| 69 const std::string& data, | 73 const std::string& data, |
| 70 const base::Callback<void(const std::string& data)> callback); | 74 const base::Callback<void(const std::string& data)> callback); |
| 71 | 75 |
| 76 bool StartedCreatingTpmKeys() const; |
| 77 |
| 72 private: | 78 private: |
| 73 enum CreateTpmKeyState { | 79 enum CreateTpmKeyState { |
| 74 CREATE_TPM_KEY_NOT_STARTED, | 80 CREATE_TPM_KEY_NOT_STARTED, |
| 81 CREATE_TPM_KEY_WAITING_FOR_USER_SLOT, |
| 75 CREATE_TPM_KEY_WAITING_FOR_SYSTEM_SLOT, | 82 CREATE_TPM_KEY_WAITING_FOR_SYSTEM_SLOT, |
| 76 CREATE_TPM_KEY_GOT_SYSTEM_SLOT, | 83 CREATE_TPM_KEY_GOT_SYSTEM_SLOT, |
| 77 CREATE_TPM_KEY_DONE | 84 CREATE_TPM_KEY_DONE |
| 78 }; | 85 }; |
| 79 | 86 |
| 80 // Utility method for setting public key values in local state. | 87 // Utility method for setting public key values in local state. |
| 81 // Note that the keys are saved base64 encoded. | 88 // Note that the keys are saved base64 encoded. |
| 82 void SetKeyInLocalState(const std::string& user_id, | 89 void SetKeyInLocalState(const std::string& user_id, |
| 83 const std::string& value); | 90 const std::string& value); |
| 84 | 91 |
| 85 // Called when TPM system slot is initialized and ready to be used. | 92 // Called when TPM system slot is initialized and ready to be used. |
| 86 // It creates RSA key pair for the user in the system slot. | 93 // It creates RSA key pair for the user in the system slot. |
| 87 // When the key pair is created, |OnTpmKeyCreated| will be called with the | 94 // When the key pair is created, |OnTpmKeyCreated| will be called with the |
| 88 // created public key. | 95 // created public key. |
| 89 // The key will not be created if |public_key| is non-empty and the associated | 96 // The key will not be created if |public_key| is non-empty and the associated |
| 90 // private key can be found in the slot. Instead |OnTpmKeyCreated| will be | 97 // private key can be found in the slot. Instead |OnTpmKeyCreated| will be |
| 91 // called with |public_key|. | 98 // called with |public_key|. |
| 92 void CreateKeyInSystemSlot(const std::string& public_key, | 99 void CreateKeyInSystemSlot(const std::string& public_key, |
| 93 crypto::ScopedPK11Slot system_slot); | 100 crypto::ScopedPK11Slot system_slot); |
| 94 | 101 |
| 102 // Called when user TPM token initialization is done. After this happens, |
| 103 // |this| may proceed with creating a user-specific TPM key for easy sign-in. |
| 104 // Note that this is done solely to ensure user TPM initialization, which is |
| 105 // done on IO thread, is not blocked by creating TPM keys in system slot. |
| 106 void OnUserTPMInitialized(const std::string& public_key); |
| 107 |
| 95 // Called when TPM system slot is initialized and ready to be used. | 108 // Called when TPM system slot is initialized and ready to be used. |
| 96 // It schedules data signing operation on a worker thread. The data is signed | 109 // It schedules data signing operation on a worker thread. The data is signed |
| 97 // by a private key stored in |system_slot| and identified by |public_key| | 110 // by a private key stored in |system_slot| and identified by |public_key| |
| 98 // (a private key that is part of the same RSA key pair as |public_key|). | 111 // (a private key that is part of the same RSA key pair as |public_key|). |
| 99 // Once data is signed |callback| is called with the signed data. | 112 // Once data is signed |callback| is called with the signed data. |
| 100 void SignDataWithSystemSlot( | 113 void SignDataWithSystemSlot( |
| 101 const std::string& public_key, | 114 const std::string& public_key, |
| 102 const std::string& data, | 115 const std::string& data, |
| 103 const base::Callback<void(const std::string& data)> callback, | 116 const base::Callback<void(const std::string& data)> callback, |
| 104 crypto::ScopedPK11Slot system_slot); | 117 crypto::ScopedPK11Slot system_slot); |
| 105 | 118 |
| 106 // Called when a RSA key pair is created for a user in TPM system slot. | 119 // Called when a RSA key pair is created for a user in TPM system slot. |
| 107 // It saves the pulic key in the local state and runs queued up | 120 // It saves the pulic key in the local state and runs queued up |
| 108 // |PrepareTpmKey| callbacks. | 121 // |PrepareTpmKey| callbacks. |
| 109 void OnTpmKeyCreated(const std::string& public_key); | 122 void OnTpmKeyCreated(const std::string& public_key); |
| 110 | 123 |
| 111 // Called when data signing requested in |SignUsingTpmKey| is done. | 124 // Called when data signing requested in |SignUsingTpmKey| is done. |
| 112 // It runs |callback| with the created |signature|. On error the callback will | 125 // It runs |callback| with the created |signature|. On error the callback will |
| 113 // be run with an empty string. | 126 // be run with an empty string. |
| 114 void OnDataSigned( | 127 void OnDataSigned( |
| 115 const base::Callback<void(const std::string&)>& callback, | 128 const base::Callback<void(const std::string&)>& callback, |
| 116 const std::string& signature); | 129 const std::string& signature); |
| 117 | 130 |
| 118 std::string user_id_; | 131 std::string user_id_; |
| 132 std::string username_hash_; |
| 119 | 133 |
| 120 PrefService* local_state_; | 134 PrefService* local_state_; |
| 121 | 135 |
| 122 // The current TPM key creation state. If key creation is in progress, | 136 // The current TPM key creation state. If key creation is in progress, |
| 123 // callbacks for further |PrepareTpmKey| will be queued up and run when the | 137 // callbacks for further |PrepareTpmKey| will be queued up and run when the |
| 124 // key is created. All queued callbacks will be run with the same key value. | 138 // key is created. All queued callbacks will be run with the same key value. |
| 125 CreateTpmKeyState create_tpm_key_state_; | 139 CreateTpmKeyState create_tpm_key_state_; |
| 126 | 140 |
| 127 // Queued up |PrepareTpmKey| callbacks. | 141 // Queued up |PrepareTpmKey| callbacks. |
| 128 std::vector<base::Closure> prepare_tpm_key_callbacks_; | 142 std::vector<base::Closure> prepare_tpm_key_callbacks_; |
| 129 | 143 |
| 130 base::WeakPtrFactory<EasyUnlockTpmKeyManager> get_tpm_slot_weak_ptr_factory_; | 144 base::WeakPtrFactory<EasyUnlockTpmKeyManager> get_tpm_slot_weak_ptr_factory_; |
| 131 base::WeakPtrFactory<EasyUnlockTpmKeyManager> weak_ptr_factory_; | 145 base::WeakPtrFactory<EasyUnlockTpmKeyManager> weak_ptr_factory_; |
| 132 | 146 |
| 133 DISALLOW_COPY_AND_ASSIGN(EasyUnlockTpmKeyManager); | 147 DISALLOW_COPY_AND_ASSIGN(EasyUnlockTpmKeyManager); |
| 134 }; | 148 }; |
| 135 | 149 |
| 136 #endif // CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER
_H_ | 150 #endif // CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER
_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1138123003:
Delay creating easy signin TPM keys until TPM is initialized (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master