| OLD | NEW |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ | 5 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ |
| 6 #define CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ | 6 #define CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/callback.h" | 11 #include "base/callback.h" |
| 12 #include "base/macros.h" | 12 #include "base/macros.h" |
| 13 #include "base/memory/weak_ptr.h" | 13 #include "base/memory/weak_ptr.h" |
| 14 #include "components/keyed_service/core/keyed_service.h" | 14 #include "components/keyed_service/core/keyed_service.h" |
| 15 #include "components/user_manager/user_id.h" |
| 15 #include "crypto/scoped_nss_types.h" | 16 #include "crypto/scoped_nss_types.h" |
| 16 | 17 |
| 17 class PrefRegistrySimple; | 18 class PrefRegistrySimple; |
| 18 class PrefService; | 19 class PrefService; |
| 19 | 20 |
| 21 namespace user_manager { |
| 22 class UserID; |
| 23 } |
| 24 |
| 20 // Manages per user RSA keys stored in system TPM slot used in easy signin | 25 // Manages per user RSA keys stored in system TPM slot used in easy signin |
| 21 // protocol. The keys are used to sign a nonce exchanged during signin. | 26 // protocol. The keys are used to sign a nonce exchanged during signin. |
| 22 class EasyUnlockTpmKeyManager : public KeyedService { | 27 class EasyUnlockTpmKeyManager : public KeyedService { |
| 23 public: | 28 public: |
| 24 // Registers local state prefs used to store public RSA keys per user. | 29 // Registers local state prefs used to store public RSA keys per user. |
| 25 static void RegisterLocalStatePrefs(PrefRegistrySimple* registry); | 30 static void RegisterLocalStatePrefs(PrefRegistrySimple* registry); |
| 26 | 31 |
| 27 // Clears local state for user. Should be called when a user is removed. | 32 // Clears local state for user. Should be called when a user is removed. |
| 28 static void ResetLocalStateForUser(const std::string& user_id); | 33 static void ResetLocalStateForUser(const user_manager::UserID& user_id); |
| 29 | 34 |
| 30 // |user_id|: Id for the user associated with the service. Empty for sign-in | 35 // |user_id|: Id for the user associated with the service. Empty for sign-in |
| 31 // service. | 36 // service. |
| 32 // |username_hash|: Username hash for the user associated with the service. | 37 // |username_hash|: Username hash for the user associated with the service. |
| 33 // Empty for sign-in service. | 38 // Empty for sign-in service. |
| 34 // |local_state|: The local state prefs. | 39 // |local_state|: The local state prefs. |
| 35 EasyUnlockTpmKeyManager(const std::string& user_id, | 40 EasyUnlockTpmKeyManager(const user_manager::UserID& user_id, |
| 36 const std::string& username_hash, | 41 const std::string& username_hash, |
| 37 PrefService* local_state); | 42 PrefService* local_state); |
| 38 ~EasyUnlockTpmKeyManager() override; | 43 ~EasyUnlockTpmKeyManager() override; |
| 39 | 44 |
| 40 // Checks if the RSA public key is set in the local state. If not, creates | 45 // Checks if the RSA public key is set in the local state. If not, creates |
| 41 // one. If the key presence can be confirmed, immediately returns true and | 46 // one. If the key presence can be confirmed, immediately returns true and |
| 42 // |callback| never gets called, otherwise returns false (callback is called | 47 // |callback| never gets called, otherwise returns false (callback is called |
| 43 // when the key presence is confirmed). | 48 // when the key presence is confirmed). |
| 44 // Must not be called for signin profile. | 49 // Must not be called for signin profile. |
| 45 // |check_private_key|: If public RSA key is set in the local state, whether | 50 // |check_private_key|: If public RSA key is set in the local state, whether |
| (...skipping 11 matching lines...) |
| 57 const base::Closure& callback); | 62 const base::Closure& callback); |
| 58 | 63 |
| 59 // If called, posts a delayed task that cancels |PrepareTpmKey| and all other | 64 // If called, posts a delayed task that cancels |PrepareTpmKey| and all other |
| 60 // started timeouts in case getting system slot takes more than |timeout_ms|. | 65 // started timeouts in case getting system slot takes more than |timeout_ms|. |
| 61 // In the case getting system slot times out, |PrepareTpmKey| callback will | 66 // In the case getting system slot times out, |PrepareTpmKey| callback will |
| 62 // be called with an empty public key. | 67 // be called with an empty public key. |
| 63 // Must be called after |PrepareTpmKey| to have the intended effect. | 68 // Must be called after |PrepareTpmKey| to have the intended effect. |
| 64 bool StartGetSystemSlotTimeoutMs(size_t timeout_ms); | 69 bool StartGetSystemSlotTimeoutMs(size_t timeout_ms); |
| 65 | 70 |
| 66 // Gets the public RSA key for user. The key is retrieved from local state. | 71 // Gets the public RSA key for user. The key is retrieved from local state. |
| 67 std::string GetPublicTpmKey(const std::string& user_id); | 72 std::string GetPublicTpmKey(const user_manager::UserID& user_id); |
| 68 | 73 |
| 69 // Signs |data| using private RSA key associated with |user_id| stored in TPM | 74 // Signs |data| using private RSA key associated with |user_id| stored in TPM |
| 70 // system slot. | 75 // system slot. |
| 71 void SignUsingTpmKey( | 76 void SignUsingTpmKey( |
| 72 const std::string& user_id, | 77 const user_manager::UserID& user_id, |
| 73 const std::string& data, | 78 const std::string& data, |
| 74 const base::Callback<void(const std::string& data)> callback); | 79 const base::Callback<void(const std::string& data)> callback); |
| 75 | 80 |
| 76 bool StartedCreatingTpmKeys() const; | 81 bool StartedCreatingTpmKeys() const; |
| 77 | 82 |
| 78 private: | 83 private: |
| 79 enum CreateTpmKeyState { | 84 enum CreateTpmKeyState { |
| 80 CREATE_TPM_KEY_NOT_STARTED, | 85 CREATE_TPM_KEY_NOT_STARTED, |
| 81 CREATE_TPM_KEY_WAITING_FOR_USER_SLOT, | 86 CREATE_TPM_KEY_WAITING_FOR_USER_SLOT, |
| 82 CREATE_TPM_KEY_WAITING_FOR_SYSTEM_SLOT, | 87 CREATE_TPM_KEY_WAITING_FOR_SYSTEM_SLOT, |
| 83 CREATE_TPM_KEY_GOT_SYSTEM_SLOT, | 88 CREATE_TPM_KEY_GOT_SYSTEM_SLOT, |
| 84 CREATE_TPM_KEY_DONE | 89 CREATE_TPM_KEY_DONE |
| 85 }; | 90 }; |
| 86 | 91 |
| 87 // Utility method for setting public key values in local state. | 92 // Utility method for setting public key values in local state. |
| 88 // Note that the keys are saved base64 encoded. | 93 // Note that the keys are saved base64 encoded. |
| 89 void SetKeyInLocalState(const std::string& user_id, | 94 void SetKeyInLocalState(const user_manager::UserID& user_id, |
| 90 const std::string& value); | 95 const std::string& value); |
| 91 | 96 |
| 92 // Called when TPM system slot is initialized and ready to be used. | 97 // Called when TPM system slot is initialized and ready to be used. |
| 93 // It creates RSA key pair for the user in the system slot. | 98 // It creates RSA key pair for the user in the system slot. |
| 94 // When the key pair is created, |OnTpmKeyCreated| will be called with the | 99 // When the key pair is created, |OnTpmKeyCreated| will be called with the |
| 95 // created public key. | 100 // created public key. |
| 96 // The key will not be created if |public_key| is non-empty and the associated | 101 // The key will not be created if |public_key| is non-empty and the associated |
| 97 // private key can be found in the slot. Instead |OnTpmKeyCreated| will be | 102 // private key can be found in the slot. Instead |OnTpmKeyCreated| will be |
| 98 // called with |public_key|. | 103 // called with |public_key|. |
| 99 void CreateKeyInSystemSlot(const std::string& public_key, | 104 void CreateKeyInSystemSlot(const std::string& public_key, |
| (...skipping 21 matching lines...) |
| 121 // |PrepareTpmKey| callbacks. | 126 // |PrepareTpmKey| callbacks. |
| 122 void OnTpmKeyCreated(const std::string& public_key); | 127 void OnTpmKeyCreated(const std::string& public_key); |
| 123 | 128 |
| 124 // Called when data signing requested in |SignUsingTpmKey| is done. | 129 // Called when data signing requested in |SignUsingTpmKey| is done. |
| 125 // It runs |callback| with the created |signature|. On error the callback will | 130 // It runs |callback| with the created |signature|. On error the callback will |
| 126 // be run with an empty string. | 131 // be run with an empty string. |
| 127 void OnDataSigned( | 132 void OnDataSigned( |
| 128 const base::Callback<void(const std::string&)>& callback, | 133 const base::Callback<void(const std::string&)>& callback, |
| 129 const std::string& signature); | 134 const std::string& signature); |
| 130 | 135 |
| 131 std::string user_id_; | 136 user_manager::UserID user_id_; |
| 132 std::string username_hash_; | 137 std::string username_hash_; |
| 133 | 138 |
| 134 PrefService* local_state_; | 139 PrefService* local_state_; |
| 135 | 140 |
| 136 // The current TPM key creation state. If key creation is in progress, | 141 // The current TPM key creation state. If key creation is in progress, |
| 137 // callbacks for further |PrepareTpmKey| will be queued up and run when the | 142 // callbacks for further |PrepareTpmKey| will be queued up and run when the |
| 138 // key is created. All queued callbacks will be run with the same key value. | 143 // key is created. All queued callbacks will be run with the same key value. |
| 139 CreateTpmKeyState create_tpm_key_state_; | 144 CreateTpmKeyState create_tpm_key_state_; |
| 140 | 145 |
| 141 // Queued up |PrepareTpmKey| callbacks. | 146 // Queued up |PrepareTpmKey| callbacks. |
| 142 std::vector<base::Closure> prepare_tpm_key_callbacks_; | 147 std::vector<base::Closure> prepare_tpm_key_callbacks_; |
| 143 | 148 |
| 144 base::WeakPtrFactory<EasyUnlockTpmKeyManager> get_tpm_slot_weak_ptr_factory_; | 149 base::WeakPtrFactory<EasyUnlockTpmKeyManager> get_tpm_slot_weak_ptr_factory_; |
| 145 base::WeakPtrFactory<EasyUnlockTpmKeyManager> weak_ptr_factory_; | 150 base::WeakPtrFactory<EasyUnlockTpmKeyManager> weak_ptr_factory_; |
| 146 | 151 |
| 147 DISALLOW_COPY_AND_ASSIGN(EasyUnlockTpmKeyManager); | 152 DISALLOW_COPY_AND_ASSIGN(EasyUnlockTpmKeyManager); |
| 148 }; | 153 }; |
| 149 | 154 |
| 150 #endif // CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER
_H_ | 155 #endif // CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER
_H_ |
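Review bot: The new side both includes `components/user_manager/user_id.h` (new line 15) and forward-declares `class UserID;` inside `namespace user_manager` (new lines 21-23). The forward declaration is redundant because `user_manager::UserID user_id_;` is now held by value and needs the complete type from the include. I would drop the three lines `namespace user_manager {` / `class UserID;` / `}`, which also avoids a redeclaration conflict should `UserID` ever stop being a plain class. The constructor comment still says `|user_id|` is "Empty for sign-in service", which has no obvious meaning for a `UserID` object, so it should state how an empty id is represented and tested. Because this id selects which public key is read from local state and which TPM private key signs the nonce, the implementation file (not shown here) presumably needs `SetKeyInLocalState`, `GetPublicTpmKey` and `ResetLocalStateForUser` to derive the pref key from `UserID` in the same way, so that a removed user's key is actually cleared.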