| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ |
| 6 #define CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_ |
| 7 |
| 8 #include <string> |
| 9 #include <vector> |
| 10 |
| 11 #include "base/callback.h" |
| 12 #include "base/macros.h" |
| 13 #include "base/memory/weak_ptr.h" |
| 14 #include "components/keyed_service/core/keyed_service.h" |
| 15 #include "crypto/scoped_nss_types.h" |
| 16 |
| 17 class PrefRegistrySimple; |
| 18 class PrefService; |
| 19 |
| 20 // Manages per user RSA keys stored in system TPM slot used in easy signin |
| 21 // protocol. The keys are used to sign a nonce exchanged during signin. |
| 22 class EasyUnlockTpmKeyManager : public KeyedService { |
| 23 public: |
| 24 // Registers local state prefs used to store public RSA keys per user. |
| 25 static void RegisterLocalStatePrefs(PrefRegistrySimple* registry); |
| 26 |
| 27 // Clears local state for user. Should be called when a user is removed. |
| 28 static void ResetLocalStateForUser(const std::string& user_id); |
| 29 |
| 30 // |user_id|: Id for the user associated with the service. Empty for signin |
| 31 // service. |
| 32 // |local_state|: The local state prefs. |
| 33 EasyUnlockTpmKeyManager(const std::string& user_id, PrefService* local_state); |
| 34 ~EasyUnlockTpmKeyManager() override; |
| 35 |
| 36 // Checks if the RSA public key is set in the local state. If not, creates |
| 37 // one. If the key presence can be confirmed, immediately returns true and |
| 38 // |callback| never gets called, otherwise returns false (callback is called |
| 39 // when the key presence is confirmed). |
| 40 // Must not be called for signin profile. |
| 41 // |check_private_key|: If public RSA key is set in the local state, whether |
| 42 // the method should confirm that the private key is present in the system |
| 43 // slot. If the private key cannot be found, a new key pair will be |
| 44 // created for the user. |
| 45 // Note: Checking TPM for the private key is more expensive than only |
| 46 // checking local state, so setting this to |false| should be preferable. |
| 47 // Generally, if public key is set in local state, the private key should |
| 48 // be present in the system TPM slot. This is used to make sure that easy |
| 49 // signin does not remain permanently broken if something goes wrong. |
| 50 // |callback|: If the method cannot return immediately, called when the key |
| 51 // pair presence is confirmed (or a key pair for the user is created). |
| 52 bool PrepareTpmKey(bool check_private_key, |
| 53 const base::Closure& callback); |
| 54 |
| 55 // If called, posts a delayed task that cancels |PrepareTpmKey| and all other |
| 56 // started timeouts in case getting system slot takes more than |timeout_ms|. |
| 57 // In the case getting system slot times out, |PrepareTpmKey| callback will |
| 58 // be called with an empty public key. |
| 59 // Must be called after |PrepareTpmKey| to have the intended effect. |
| 60 bool StartGetSystemSlotTimeoutMs(size_t timeout_ms); |
| 61 |
| 62 // Gets the public RSA key for user. The key is retrieved from local state. |
| 63 std::string GetPublicTpmKey(const std::string& user_id); |
| 64 |
| 65 // Signs |data| using private RSA key associated with |user_id| stored in TPM |
| 66 // system slot. |
| 67 void SignUsingTpmKey( |
| 68 const std::string& user_id, |
| 69 const std::string& data, |
| 70 const base::Callback<void(const std::string& data)> callback); |
| 71 |
| 72 private: |
| 73 enum CreateTpmKeyState { |
| 74 CREATE_TPM_KEY_NOT_STARTED, |
| 75 CREATE_TPM_KEY_WAITING_FOR_SYSTEM_SLOT, |
| 76 CREATE_TPM_KEY_GOT_SYSTEM_SLOT, |
| 77 CREATE_TPM_KEY_DONE |
| 78 }; |
| 79 |
| 80 // Utility method for setting public key values in local state. |
| 81 // Note that the keys are saved base64 encoded. |
| 82 void SetKeyInLocalState(const std::string& user_id, |
| 83 const std::string& value); |
| 84 |
| 85 // Called when TPM system slot is initialized and ready to be used. |
| 86 // It creates RSA key pair for the user in the system slot. |
| 87 // When the key pair is created, |OnTpmKeyCreated| will be called with the |
| 88 // created public key. |
| 89 // The key will not be created if |public_key| is non-empty and the associated |
| 90 // private key can be found in the slot. Instead |OnTpmKeyCreated| will be |
| 91 // called with |public_key|. |
| 92 void CreateKeyInSystemSlot(const std::string& public_key, |
| 93 crypto::ScopedPK11Slot system_slot); |
| 94 |
| 95 // Called when TPM system slot is initialized and ready to be used. |
| 96 // It schedules data signing operation on a worker thread. The data is signed |
| 97 // by a private key stored in |system_slot| and identified by |public_key| |
| 98 // (a private key that is part of the same RSA key pair as |public_key|). |
| 99 // Once data is signed |callback| is called with the signed data. |
| 100 void SignDataWithSystemSlot( |
| 101 const std::string& public_key, |
| 102 const std::string& data, |
| 103 const base::Callback<void(const std::string& data)> callback, |
| 104 crypto::ScopedPK11Slot system_slot); |
| 105 |
| 106 // Called when a RSA key pair is created for a user in TPM system slot. |
| 107 // It saves the pulic key in the local state and runs queued up |
| 108 // |PrepareTpmKey| callbacks. |
| 109 void OnTpmKeyCreated(const std::string& public_key); |
| 110 |
| 111 // Called when data signing requested in |SignUsingTpmKey| is done. |
| 112 // It runs |callback| with the created |signature|. On error the callback will |
| 113 // be run with an empty string. |
| 114 void OnDataSigned( |
| 115 const base::Callback<void(const std::string&)>& callback, |
| 116 const std::string& signature); |
| 117 |
| 118 std::string user_id_; |
| 119 |
| 120 PrefService* local_state_; |
| 121 |
| 122 // The current TPM key creation state. If key creation is in progress, |
| 123 // callbacks for further |PrepareTpmKey| will be queued up and run when the |
| 124 // key is created. All queued callbacks will be run with the same key value. |
| 125 CreateTpmKeyState create_tpm_key_state_; |
| 126 |
| 127 // Queued up |PrepareTpmKey| callbacks. |
| 128 std::vector<base::Closure> prepare_tpm_key_callbacks_; |
| 129 |
| 130 base::WeakPtrFactory<EasyUnlockTpmKeyManager> get_tpm_slot_weak_ptr_factory_; |
| 131 base::WeakPtrFactory<EasyUnlockTpmKeyManager> weak_ptr_factory_; |
| 132 |
| 133 DISALLOW_COPY_AND_ASSIGN(EasyUnlockTpmKeyManager); |
| 134 }; |
| 135 |
| 136 #endif // CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER
_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 729803002:
Easy Sign-in: Use TPM RSA key to sign nonce in sign-in protocol (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master