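--- a/login_manager/owner_key.h
+++ b/login_manager/owner_key.h
@@ -1,11 +1,11 @@
-// Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef LOGIN_MANAGER_OWNER_KEY_H_
 #define LOGIN_MANAGER_OWNER_KEY_H_
 
 #include <vector>
 
 #include <base/basictypes.h>
 #include <base/file_path.h>
@@ -25,72 +25,87 @@
 // If there is an owner key on disk, we will load that key, and deny
 // attempts to set a new key programmatically. If there is no key
 // present, we will allow the owner's key to be set programmatically,
 // and will persist it to disk upon request. Attempts to set the key
 // before on-disk storage has been checked will be denied.
 class OwnerKey {
 public:
 explicit OwnerKey(const FilePath& key_file);
 virtual ~OwnerKey();
 
+virtual bool Equals(const std::string& key_der) const;
+virtual bool VEquals(const std::vector<uint8>& key_der) const;
 virtual bool HaveCheckedDisk();
 virtual bool IsPopulated();
 
 // If |key_file_| exists, populate the object with the contents of the file.
 // If the file isn't there, that's ok.
 // Will return false if the file exists and there are errors reading it.
 // If this returns true, call IsPopulated() to tell whether or not data was
 // loaded off of disk.
 virtual bool PopulateFromDiskIfPossible();
 
 // Load key material from |public_key_der|.
 // We will _deny_ such an attempt if we have not yet checked disk for a key,
 // or if we have already successfully loaded a key from disk.
 virtual bool PopulateFromBuffer(const std::vector<uint8>& public_key_der);
 
 // Load key material from |pair|.
 // We will _deny_ such an attempt if we have not yet checked disk for a key,
 // or if we have already successfully loaded a key from disk.
 virtual bool PopulateFromKeypair(base::RSAPrivateKey* pair);
 
 // Persist |key_| to disk, at |key_file_|.
 // Calling this method before checking for a key on disk is an error.
 // Returns false if |key_file_| already exists, or if there's an error while
 // writing data.
 virtual bool Persist();
 
+// Load key material from |public_key_der|, as long as |sig| is a valid
+// signature over |public_key_der| with |key_|.
+// We will _deny_ such an attempt if we do not have a key loaded.
+// If you're trying to set a key for the first time, use PopulateFromBuffer()
+virtual bool Rotate(const std::vector<uint8>& public_key_der,
+const std::vector<uint8>& signature);
+
+// THIS IS ONLY INTENDED TO BE USED WHEN THE CURRENTLY REGISTERED KEY HAS BEEN
+// COMPROMISED OR LOST AND WE ARE RECOVERING.
+// Load key material from |public_key_der| into key_.
+virtual void ClobberCompromisedKey(const std::vector<uint8>& public_key_der);
+
 // Verify that |signature| is a valid sha1 w/ RSA signature over the data in
 // |data| with |key_|.
 // Returns false if the sig is invalid, or there's an error.
-virtual bool Verify(const char* data,
+virtual bool Verify(const uint8* data,
 uint32 data_len,
-const char* signature,
+const uint8* signature,
 uint32 sig_len);
 
 // Generate |OUT_signature|, a valid sha1 w/ RSA signature over the data in
 // |data| that can be verified with |key_|.
 // Returns false if the sig is invalid, or there's an error.
-virtual bool Sign(const char* data,
+virtual bool Sign(const uint8* data,
 uint32 data_len,
 std::vector<uint8>* OUT_signature);
 
 // Runs |generator| in a child process. Returns pid of the child.
 virtual int StartGeneration(ChildJobInterface* generator);
 
 // Returned reference will be empty if we haven't populated |key_| yet.
 const std::vector<uint8>& public_key_der() const {
 return key_;
 }
 
 private:
 static const uint8 kAlgorithm[];
 
 const FilePath key_file_;
 bool have_checked_disk_;
+bool have_replaced_;
 std::vector<uint8> key_;
 scoped_ptr<SystemUtils> utils_;
 
 DISALLOW_COPY_AND_ASSIGN(OwnerKey);
 };
 } // namespace login_manager
 
 #endif // LOGIN_MANAGER_OWNER_KEY_H_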
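Review bot: ClobberCompromisedKey() at new lines 70-73 is the one entry point that replaces |key_| without the signature check Rotate() requires and without the checked-disk gate PopulateFromBuffer() documents, yet its comment names no precondition or guard, and the new `have_replaced_` member at new line 103 is undocumented. If `have_replaced_` is the one-shot latch for that path, the header should say so, e.g. `bool have_replaced_;  // Set once the key has been replaced via ClobberCompromisedKey(); confirm whether this blocks a second replacement.`, and the ClobberCompromisedKey() comment should state which caller is expected to use it and what, if anything, is checked first, since the void return gives the caller no signal either way. Rotate()'s comment at new line 63 refers to |sig| while the parameter is named |signature|, and it does not say what the return value means; something like `// Returns false if |signature| does not verify against |key_| or no key is loaded.` would close that gap (the exact conditions are inferred from the description and should be confirmed against the implementation). Equals() and VEquals() at new lines 35-36 are declared without any comment stating what is compared or how the std::string and std::vector<uint8> forms differ.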