| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.
h" |
| 6 |
| 7 #include <cryptohi.h> |
| 8 |
| 9 #include "base/base64.h" |
| 10 #include "base/bind.h" |
| 11 #include "base/location.h" |
| 12 #include "base/logging.h" |
| 13 #include "base/memory/ref_counted.h" |
| 14 #include "base/prefs/pref_registry_simple.h" |
| 15 #include "base/prefs/pref_service.h" |
| 16 #include "base/prefs/scoped_user_pref_update.h" |
| 17 #include "base/single_thread_task_runner.h" |
| 18 #include "base/thread_task_runner_handle.h" |
| 19 #include "base/threading/worker_pool.h" |
| 20 #include "base/time/time.h" |
| 21 #include "base/values.h" |
| 22 #include "chrome/browser/browser_process.h" |
| 23 #include "chrome/common/pref_names.h" |
| 24 #include "content/public/browser/browser_thread.h" |
| 25 #include "crypto/nss_util_internal.h" |
| 26 #include "crypto/rsa_private_key.h" |
| 27 #include "crypto/scoped_nss_types.h" |
| 28 |
| 29 namespace { |
| 30 |
| 31 // The modulus length for RSA keys used by easy sign-in. |
| 32 const int kKeyModulusLength = 2048; |
| 33 |
| 34 // Relays |GetSystemSlotOnIOThread| callback to |response_task_runner|. |
| 35 void RunCallbackOnThreadRunner( |
| 36 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, |
| 37 const base::Callback<void(crypto::ScopedPK11Slot)>& callback, |
| 38 crypto::ScopedPK11Slot slot) { |
| 39 response_task_runner->PostTask(FROM_HERE, |
| 40 base::Bind(callback, base::Passed(&slot))); |
| 41 } |
| 42 |
| 43 // Gets TPM system slot. Must be called on IO thread. |
| 44 // The callback wil be relayed to |response_task_runner|. |
| 45 void GetSystemSlotOnIOThread( |
| 46 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, |
| 47 const base::Callback<void(crypto::ScopedPK11Slot)>& callback) { |
| 48 base::Callback<void(crypto::ScopedPK11Slot)> callback_on_origin_thread = |
| 49 base::Bind(&RunCallbackOnThreadRunner, response_task_runner, callback); |
| 50 |
| 51 crypto::ScopedPK11Slot system_slot = |
| 52 crypto::GetSystemNSSKeySlot(callback_on_origin_thread); |
| 53 if (system_slot) |
| 54 callback_on_origin_thread.Run(system_slot.Pass()); |
| 55 } |
| 56 |
| 57 // Checks if a private RSA key associated with |public_key| can be found in |
| 58 // |slot|. |
| 59 // Must be called on a worker thread. |
| 60 scoped_ptr<crypto::RSAPrivateKey> GetPrivateKeyOnWorkerThread( |
| 61 PK11SlotInfo* slot, |
| 62 const std::string& public_key) { |
| 63 const uint8* public_key_uint8 = |
| 64 reinterpret_cast<const uint8*>(public_key.data()); |
| 65 std::vector<uint8> public_key_vector( |
| 66 public_key_uint8, public_key_uint8 + public_key.size()); |
| 67 |
| 68 scoped_ptr<crypto::RSAPrivateKey> rsa_key( |
| 69 crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key_vector)); |
| 70 if (!rsa_key || rsa_key->key()->pkcs11Slot != slot) |
| 71 return scoped_ptr<crypto::RSAPrivateKey>(); |
| 72 return rsa_key.Pass(); |
| 73 } |
| 74 |
| 75 // Signs |data| using a private key associated with |public_key| and stored in |
| 76 // |slot|. Once the data is signed, callback is run on |response_task_runner|. |
| 77 // In case of an error, the callback will be passed an empty string. |
| 78 void SignDataOnWorkerThread( |
| 79 crypto::ScopedPK11Slot slot, |
| 80 const std::string& public_key, |
| 81 const std::string& data, |
| 82 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, |
| 83 const base::Callback<void(const std::string&)>& callback) { |
| 84 scoped_ptr<crypto::RSAPrivateKey> private_key( |
| 85 GetPrivateKeyOnWorkerThread(slot.get(), public_key)); |
| 86 if (!private_key) { |
| 87 LOG(ERROR) << "Private key for signing data not found"; |
| 88 response_task_runner->PostTask(FROM_HERE, |
| 89 base::Bind(callback, std::string())); |
| 90 return; |
| 91 } |
| 92 |
| 93 SECItem sign_result = {siBuffer, NULL, 0}; |
| 94 if (SEC_SignData(&sign_result, |
| 95 reinterpret_cast<const unsigned char*>(data.data()), |
| 96 data.size(), |
| 97 private_key->key(), |
| 98 SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION) != SECSuccess) { |
| 99 LOG(ERROR) << "Failed to sign data"; |
| 100 response_task_runner->PostTask(FROM_HERE, |
| 101 base::Bind(callback, std::string())); |
| 102 return; |
| 103 } |
| 104 |
| 105 std::string signature(reinterpret_cast<const char*>(sign_result.data), |
| 106 sign_result.len); |
| 107 response_task_runner->PostTask(FROM_HERE, base::Bind(callback, signature)); |
| 108 } |
| 109 |
| 110 // Creates a RSA key pair in |slot|. When done, it runs |callback| with the |
| 111 // created public key on |response_task_runner|. |
| 112 // If |public_key| is not empty, a key pair will be created only if the private |
| 113 // key associated with |public_key| does not exist in |slot|. Otherwise the |
| 114 // callback will be run with |public_key|. |
| 115 void CreateTpmKeyPairOnWorkerThread( |
| 116 crypto::ScopedPK11Slot slot, |
| 117 const std::string& public_key, |
| 118 const scoped_refptr<base::SingleThreadTaskRunner>& response_task_runner, |
| 119 const base::Callback<void(const std::string&)>& callback) { |
| 120 if (!public_key.empty() && |
| 121 GetPrivateKeyOnWorkerThread(slot.get(), public_key)) { |
| 122 response_task_runner->PostTask(FROM_HERE, base::Bind(callback, public_key)); |
| 123 return; |
| 124 } |
| 125 |
| 126 scoped_ptr<crypto::RSAPrivateKey> rsa_key( |
| 127 crypto::RSAPrivateKey::CreateSensitive(slot.get(), kKeyModulusLength)); |
| 128 if (!rsa_key) { |
| 129 LOG(ERROR) << "Failed to create an RSA key."; |
| 130 response_task_runner->PostTask(FROM_HERE, |
| 131 base::Bind(callback, std::string())); |
| 132 return; |
| 133 } |
| 134 |
| 135 std::vector<uint8> created_public_key; |
| 136 if (!rsa_key->ExportPublicKey(&created_public_key)) { |
| 137 LOG(ERROR) << "Failed to export public key."; |
| 138 response_task_runner->PostTask(FROM_HERE, |
| 139 base::Bind(callback, std::string())); |
| 140 return; |
| 141 } |
| 142 |
| 143 response_task_runner->PostTask( |
| 144 FROM_HERE, |
| 145 base::Bind(callback, |
| 146 std::string(created_public_key.begin(), |
| 147 created_public_key.end()))); |
| 148 } |
| 149 |
| 150 } // namespace |
| 151 |
| 152 // static |
| 153 void EasyUnlockTpmKeyManager::RegisterLocalStatePrefs( |
| 154 PrefRegistrySimple* registry) { |
| 155 registry->RegisterDictionaryPref(prefs::kEasyUnlockLocalStateTpmKeys); |
| 156 } |
| 157 |
| 158 // static |
| 159 void EasyUnlockTpmKeyManager::ResetLocalStateForUser( |
| 160 const std::string& user_id) { |
| 161 if (!g_browser_process) |
| 162 return; |
| 163 PrefService* local_state = g_browser_process->local_state(); |
| 164 if (!local_state) |
| 165 return; |
| 166 |
| 167 DictionaryPrefUpdate update(local_state, prefs::kEasyUnlockLocalStateTpmKeys); |
| 168 update->RemoveWithoutPathExpansion(user_id, NULL); |
| 169 } |
| 170 |
| 171 EasyUnlockTpmKeyManager::EasyUnlockTpmKeyManager(const std::string& user_id, |
| 172 PrefService* local_state) |
| 173 : user_id_(user_id), |
| 174 local_state_(local_state), |
| 175 create_tpm_key_state_(CREATE_TPM_KEY_NOT_STARTED), |
| 176 get_tpm_slot_weak_ptr_factory_(this), |
| 177 weak_ptr_factory_(this) { |
| 178 } |
| 179 |
| 180 EasyUnlockTpmKeyManager::~EasyUnlockTpmKeyManager() { |
| 181 } |
| 182 |
| 183 bool EasyUnlockTpmKeyManager::PrepareTpmKey( |
| 184 bool check_private_key, |
| 185 const base::Closure& callback) { |
| 186 CHECK(!user_id_.empty()); |
| 187 |
| 188 if (create_tpm_key_state_ == CREATE_TPM_KEY_DONE) |
| 189 return true; |
| 190 |
| 191 std::string key = GetPublicTpmKey(user_id_); |
| 192 if (!check_private_key && !key.empty() && |
| 193 create_tpm_key_state_ == CREATE_TPM_KEY_NOT_STARTED) { |
| 194 return true; |
| 195 } |
| 196 |
| 197 prepare_tpm_key_callbacks_.push_back(callback); |
| 198 |
| 199 if (create_tpm_key_state_ == CREATE_TPM_KEY_NOT_STARTED) { |
| 200 create_tpm_key_state_ = CREATE_TPM_KEY_WAITING_FOR_SYSTEM_SLOT; |
| 201 |
| 202 base::Callback<void(crypto::ScopedPK11Slot)> create_key_with_system_slot = |
| 203 base::Bind(&EasyUnlockTpmKeyManager::CreateKeyInSystemSlot, |
| 204 get_tpm_slot_weak_ptr_factory_.GetWeakPtr(), |
| 205 key); |
| 206 |
| 207 content::BrowserThread::PostTask( |
| 208 content::BrowserThread::IO, |
| 209 FROM_HERE, |
| 210 base::Bind(&GetSystemSlotOnIOThread, |
| 211 base::ThreadTaskRunnerHandle::Get(), |
| 212 create_key_with_system_slot)); |
| 213 } |
| 214 |
| 215 return false; |
| 216 } |
| 217 |
| 218 bool EasyUnlockTpmKeyManager::StartGetSystemSlotTimeoutMs(size_t timeout_ms) { |
| 219 if (create_tpm_key_state_ == CREATE_TPM_KEY_DONE || |
| 220 create_tpm_key_state_ == CREATE_TPM_KEY_GOT_SYSTEM_SLOT) { |
| 221 return false; |
| 222 } |
| 223 |
| 224 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask( |
| 225 FROM_HERE, |
| 226 base::Bind(&EasyUnlockTpmKeyManager::OnTpmKeyCreated, |
| 227 get_tpm_slot_weak_ptr_factory_.GetWeakPtr(), |
| 228 std::string()), |
| 229 base::TimeDelta::FromMilliseconds(timeout_ms)); |
| 230 return true; |
| 231 } |
| 232 |
| 233 std::string EasyUnlockTpmKeyManager::GetPublicTpmKey( |
| 234 const std::string& user_id) { |
| 235 if (!local_state_) |
| 236 return std::string(); |
| 237 const base::DictionaryValue* dict = |
| 238 local_state_->GetDictionary(prefs::kEasyUnlockLocalStateTpmKeys); |
| 239 std::string key; |
| 240 if (dict) |
| 241 dict->GetStringWithoutPathExpansion(user_id, &key); |
| 242 std::string decoded; |
| 243 base::Base64Decode(key, &decoded); |
| 244 return decoded; |
| 245 } |
| 246 |
| 247 void EasyUnlockTpmKeyManager::SignUsingTpmKey( |
| 248 const std::string& user_id, |
| 249 const std::string& data, |
| 250 const base::Callback<void(const std::string& data)> callback) { |
| 251 std::string key = GetPublicTpmKey(user_id); |
| 252 if (key.empty()) { |
| 253 callback.Run(std::string()); |
| 254 return; |
| 255 } |
| 256 |
| 257 base::Callback<void(crypto::ScopedPK11Slot)> sign_with_system_slot = |
| 258 base::Bind(&EasyUnlockTpmKeyManager::SignDataWithSystemSlot, |
| 259 weak_ptr_factory_.GetWeakPtr(), |
| 260 key, data, callback); |
| 261 |
| 262 content::BrowserThread::PostTask( |
| 263 content::BrowserThread::IO, |
| 264 FROM_HERE, |
| 265 base::Bind(&GetSystemSlotOnIOThread, |
| 266 base::ThreadTaskRunnerHandle::Get(), |
| 267 sign_with_system_slot)); |
| 268 } |
| 269 |
| 270 void EasyUnlockTpmKeyManager::SetKeyInLocalState(const std::string& user_id, |
| 271 const std::string& value) { |
| 272 if (!local_state_) |
| 273 return; |
| 274 |
| 275 std::string encoded; |
| 276 base::Base64Encode(value, &encoded); |
| 277 DictionaryPrefUpdate update(local_state_, |
| 278 prefs::kEasyUnlockLocalStateTpmKeys); |
| 279 update->SetStringWithoutPathExpansion(user_id, encoded); |
| 280 } |
| 281 |
| 282 void EasyUnlockTpmKeyManager::CreateKeyInSystemSlot( |
| 283 const std::string& public_key, |
| 284 crypto::ScopedPK11Slot system_slot) { |
| 285 CHECK(system_slot); |
| 286 |
| 287 create_tpm_key_state_ = CREATE_TPM_KEY_GOT_SYSTEM_SLOT; |
| 288 |
| 289 // If there are any delayed tasks posted using |StartGetSystemSlotTimeoutMs|, |
| 290 // this will cancel them. |
| 291 // Note that this would cancel other pending |CreateKeyInSystemSlot| tasks, |
| 292 // but there should be at most one such task at a time. |
| 293 get_tpm_slot_weak_ptr_factory_.InvalidateWeakPtrs(); |
| 294 |
| 295 base::WorkerPool::PostTask( |
| 296 FROM_HERE, |
| 297 base::Bind(&CreateTpmKeyPairOnWorkerThread, |
| 298 base::Passed(&system_slot), |
| 299 public_key, |
| 300 base::ThreadTaskRunnerHandle::Get(), |
| 301 base::Bind(&EasyUnlockTpmKeyManager::OnTpmKeyCreated, |
| 302 weak_ptr_factory_.GetWeakPtr())), |
| 303 true /* long task */); |
| 304 } |
| 305 |
| 306 void EasyUnlockTpmKeyManager::SignDataWithSystemSlot( |
| 307 const std::string& public_key, |
| 308 const std::string& data, |
| 309 const base::Callback<void(const std::string& data)> callback, |
| 310 crypto::ScopedPK11Slot system_slot) { |
| 311 CHECK(system_slot); |
| 312 |
| 313 base::WorkerPool::PostTask( |
| 314 FROM_HERE, |
| 315 base::Bind(&SignDataOnWorkerThread, |
| 316 base::Passed(&system_slot), |
| 317 public_key, |
| 318 data, |
| 319 base::ThreadTaskRunnerHandle::Get(), |
| 320 base::Bind(&EasyUnlockTpmKeyManager::OnDataSigned, |
| 321 weak_ptr_factory_.GetWeakPtr(), |
| 322 callback)), |
| 323 true /* long task */); |
| 324 } |
| 325 |
| 326 void EasyUnlockTpmKeyManager::OnTpmKeyCreated(const std::string& public_key) { |
| 327 // |OnTpmKeyCreated| is called by a timeout task posted by |
| 328 // |StartGetSystemSlotTimeoutMs|. Invalidating the factory will have |
| 329 // an effect of canceling any pending |GetSystemSlotOnIOThread| callbacks, |
| 330 // as well as other pending timeouts. |
| 331 // Note that in the case |OnTpmKeyCreated| was called as a result of |
| 332 // |CreateKeyInSystemSlot|, this should have no effect as no weak ptrs from |
| 333 // this factory should be in use in this case. |
| 334 get_tpm_slot_weak_ptr_factory_.InvalidateWeakPtrs(); |
| 335 |
| 336 if (!public_key.empty()) |
| 337 SetKeyInLocalState(user_id_, public_key); |
| 338 |
| 339 for (size_t i = 0; i < prepare_tpm_key_callbacks_.size(); ++i) { |
| 340 if (!prepare_tpm_key_callbacks_[i].is_null()) |
| 341 prepare_tpm_key_callbacks_[i].Run(); |
| 342 } |
| 343 |
| 344 prepare_tpm_key_callbacks_.clear(); |
| 345 |
| 346 // If key creation failed, reset the state machine. |
| 347 create_tpm_key_state_ = |
| 348 public_key.empty() ? CREATE_TPM_KEY_NOT_STARTED : CREATE_TPM_KEY_DONE; |
| 349 } |
| 350 |
| 351 void EasyUnlockTpmKeyManager::OnDataSigned( |
| 352 const base::Callback<void(const std::string&)>& callback, |
| 353 const std::string& signature) { |
| 354 callback.Run(signature); |
| 355 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 729803002:
Easy Sign-in: Use TPM RSA key to sign nonce in sign-in protocol (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master