Add a Key class

chrome/browser/chromeos/login/managed/supervised_user_authentication.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/managed/supervised_user_authentication.h"
 
 #include "base/base64.h"
 #include "base/json/json_file_value_serializer.h"
 #include "base/macros.h"
 #include "base/metrics/histogram.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/threading/sequenced_worker_pool.h"
+#include "chrome/browser/chromeos/login/auth/key.h"
 #include "chrome/browser/chromeos/login/managed/locally_managed_user_constants.h"
 #include "chrome/browser/chromeos/login/users/supervised_user_manager.h"
 #include "chrome/browser/chromeos/login/users/user.h"
 #include "chrome/browser/chromeos/login/users/user_manager.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chromeos/cryptohome/signed_secret.pb.h"
 #include "content/public/browser/browser_thread.h"
 #include "crypto/hmac.h"
 #include "crypto/random.h"
 #include "crypto/symmetric_key.h"
 
 namespace chromeos {
 
 namespace {
 
 // Byte size of hash salt.
 const unsigned kSaltSize = 32;
 
-// Parameters of cryptographic hashing for new user schema.
-const unsigned kNumIterations = 1234;
-const unsigned kKeySizeInBits = 256;
-
 // Size of key signature.
 const unsigned kHMACKeySizeInBits = 256;
 const int kSignatureLength = 32;
 
 // Size of master key (in bytes).
 const int kMasterKeySize = 32;
 
 std::string CreateSalt() {
     char result[kSaltSize];
     crypto::RandBytes(&result, sizeof(result));
@@ skipping 51 matching lines @@
         stable_schema_(SCHEMA_SALT_HASHED) {
 }
 
 SupervisedUserAuthentication::~SupervisedUserAuthentication() {}
 
 SupervisedUserAuthentication::Schema
 SupervisedUserAuthentication::GetStableSchema() {
   return stable_schema_;
 }
 
-std::string SupervisedUserAuthentication::TransformPassword(
-    const std::string& user_id,
-    const std::string& password) {
-  int user_schema = GetPasswordSchema(user_id);
-  if (user_schema == SCHEMA_PLAIN)
-    return password;
-
-  if (user_schema == SCHEMA_SALT_HASHED) {
-    base::DictionaryValue holder;
-    std::string salt;
-    owner_->GetPasswordInformation(user_id, &holder);
-    holder.GetStringWithoutPathExpansion(kSalt, &salt);
-    DCHECK(!salt.empty());
-    return BuildPasswordForHashWithSaltSchema(salt, password);
-  }
-  NOTREACHED();
-  return password;
-}
-
-UserContext SupervisedUserAuthentication::TransformPasswordInContext(
+UserContext SupervisedUserAuthentication::TransformKey(
     const UserContext& context) {
   UserContext result = context;
   int user_schema = GetPasswordSchema(context.GetUserID());
   if (user_schema == SCHEMA_PLAIN)
     return result;
 
   if (user_schema == SCHEMA_SALT_HASHED) {
     base::DictionaryValue holder;
     std::string salt;
     owner_->GetPasswordInformation(context.GetUserID(), &holder);
     holder.GetStringWithoutPathExpansion(kSalt, &salt);
     DCHECK(!salt.empty());
-    result.SetPassword(
-        BuildPasswordForHashWithSaltSchema(salt, context.GetPassword()));
-    result.SetDoesNeedPasswordHashing(false);
+    Key* const key = result.GetKey();
+    key->Transform(Key::KEY_TYPE_SALTED_PBKDF2_AES256_1234, salt);
+    key->SetLabel(kCryptohomeManagedUserKeyLabel);
     result.SetIsUsingOAuth(false);
-    result.SetKeyLabel(kCryptohomeManagedUserKeyLabel);
     return result;
   }
   NOTREACHED() << "Unknown password schema for " << context.GetUserID();
   return context;
 }
 
 bool SupervisedUserAuthentication::FillDataForNewUser(
     const std::string& user_id,
     const std::string& password,
     base::DictionaryValue* password_data,
     base::DictionaryValue* extra_data) {
   Schema schema = stable_schema_;
   if (schema == SCHEMA_PLAIN)
     return false;
 
   if (schema == SCHEMA_SALT_HASHED) {
     password_data->SetIntegerWithoutPathExpansion(kSchemaVersion, schema);
     std::string salt = CreateSalt();
     password_data->SetStringWithoutPathExpansion(kSalt, salt);
     int revision = kMinPasswordRevision;
     password_data->SetIntegerWithoutPathExpansion(kPasswordRevision, revision);
-    std::string salted_password =
-        BuildPasswordForHashWithSaltSchema(salt, password);
-    std::string base64_signature_key = BuildRawHMACKey();
-    std::string base64_signature =
+    Key key(password);
+    key.Transform(Key::KEY_TYPE_SALTED_PBKDF2_AES256_1234, salt);
+    const std::string salted_password = key.GetSecret();
+    const std::string base64_signature_key = BuildRawHMACKey();
+    const std::string base64_signature =
         BuildPasswordSignature(salted_password, revision, base64_signature_key);
     password_data->SetStringWithoutPathExpansion(kEncryptedPassword,
                                                  salted_password);
     password_data->SetStringWithoutPathExpansion(kPasswordSignature,
                                                  base64_signature);
 
     extra_data->SetStringWithoutPathExpansion(kPasswordEncryptionKey,
                                               BuildRawHMACKey());
     extra_data->SetStringWithoutPathExpansion(kPasswordSignatureKey,
                                               base64_signature_key);
@@ skipping 126 matching lines @@
   const User* user = UserManager::Get()->FindUser(user_id);
   base::FilePath profile_path =
       ProfileHelper::GetProfilePathByUserIdHash(user->username_hash());
   PostTaskAndReplyWithResult(
       content::BrowserThread::GetBlockingPool(),
       FROM_HERE,
       base::Bind(&LoadPasswordData, profile_path),
       base::Bind(&OnPasswordDataLoaded, success_callback, failure_callback));
 }
 
-// static
-std::string SupervisedUserAuthentication::BuildPasswordForHashWithSaltSchema(
-    const std::string& salt,
-    const std::string& plain_password) {
-  scoped_ptr<crypto::SymmetricKey> key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(crypto::SymmetricKey::AES,
-                                                  plain_password,
-                                                  salt,
-                                                  kNumIterations,
-                                                  kKeySizeInBits));
-  std::string raw_result, result;
-  key->GetRawKey(&raw_result);
-  base::Base64Encode(raw_result, &result);
-  return result;
-}
-
 std::string SupervisedUserAuthentication::BuildPasswordSignature(
     const std::string& password,
     int revision,
     const std::string& base64_signature_key) {
   ac::chrome::managedaccounts::account::Secret secret;
   secret.set_revision(revision);
   secret.set_secret(password);
   std::string buffer;
   if (!secret.SerializeToString(&buffer))
     LOG(FATAL) << "Protobuf::SerializeToString failed";
   std::string signature_key;
   base::Base64Decode(base64_signature_key, &signature_key);
 
   crypto::HMAC hmac(crypto::HMAC::SHA256);
   if (!hmac.Init(signature_key))
     LOG(FATAL) << "HMAC::Init failed";
 
   unsigned char out_bytes[kSignatureLength];
   if (!hmac.Sign(buffer, out_bytes, sizeof(out_bytes)))
     LOG(FATAL) << "HMAC::Sign failed";
 
   std::string raw_result(out_bytes, out_bytes + sizeof(out_bytes));
 
   std::string result;
   base::Base64Encode(raw_result, &result);
   return result;
 }
 
 }  // namespace chromeos