Easy Sign-in: Use TPM RSA key to sign nonce in sign-in protocol

chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.h

Index: chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.h
diff --git a/chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.h b/chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.h
new file mode 100644
index 0000000000000000000000000000000000000000..9a447f65c6eafbb97c40372958d264ac6e72b84f
--- /dev/null
+++ b/chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.h
@@ -0,0 +1,145 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_
+#define CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_
+
+#include <string>
+#include <vector>
+
+#include "base/callback.h"
+#include "base/macros.h"
+#include "base/memory/weak_ptr.h"
+#include "components/keyed_service/core/keyed_service.h"
+#include "crypto/scoped_nss_types.h"
+
+class PrefRegistrySimple;
+class PrefService;
+
+namespace content {
+class BrowserContext;
+}
+
+namespace user_prefs {
+class PrefRegistrySyncable;
+}
+
+// Manages per user RSA keys stored in system TPM slot used in easy signin
+// protocol. The keys are used to sign a nonce exchanged during signin.
+class EasyUnlockTpmKeyManager : public KeyedService {
+ public:
+  // Registers user's profile prefs.
+  static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);
+  // Registers local state prefs (used to expose public RSA keys before login).
+  static void RegisterLocalStatePrefs(PrefRegistrySimple* registry);
+  // Clears local state for user. Should be called when a user is removed.
+  static void ResetLocalStateForUser(const std::string& user_id);
+
+  // |user_id|: Id for the user associated with the service. Empty for signin
+  //     service.
+  // |browser_context|: The browser context that owns the service.
+  // |user_prefs|: The |browser_context| prefs. NULL for signin profile.
+  // |local_state|: The local state prefs.
+  EasyUnlockTpmKeyManager(
+      const std::string& user_id,
+      content::BrowserContext* browser_context,
+      PrefService* user_prefs,
+      PrefService* local_state);
+  ~EasyUnlockTpmKeyManager();

[xiyuan, 2014/12/02 23:15:58]

nit: override

[tbarzic, 2014/12/03 19:10:28]

Done.

+
+  // Checks if the RSA public key is set in the user prefs. If not, creates one.
+  // If the key presence can be confirmed, immediately returns true and
+  // |callback| never gets called, otherwise returns false (callback is called
+  // when the key presence is confirmed).
+  // Must not be called for signin profile.
+  // |check_private_key|: If public RSA key is set in the prefs, whether the
+  //     method should confirm that the private key is present in the system
+  //     slot. If the private key cannot be found, a new key pair will be
+  //     created for the user.
+  //     Note: Checking TPM for the private key is more expensive than only
+  //     checking user prefs, so setting this to |false| should be preferable.
+  //     Generally, if public key is set in user prefs, the private key should
+  //     be present in the system TPM slot. This is used to make sure that easy
+  //     signin does not remain permanently broken if something goes wrong.
+  // |callback|: If the method cannot return immediately, callled when the key

[xiyuan, 2014/12/02 23:15:58]

nit: callled -> called

[tbarzic, 2014/12/03 19:10:28]

Done.

+  //     pair presence is confirmed (or a key pair for the user is created).
+  bool IsTpmKeyPresent(const std::string& user_id,

[xiyuan, 2014/12/02 23:15:58]

nit: IsTpmKeyPresent sounds like just a key presence check and not obvious that
it would create the key. Maybe rename it to something like PrepareTpmKey or
GetTpmKey.

[tbarzic, 2014/12/03 19:10:28]

Done.

+                       bool check_private_key,
+                       const base::Closure& callback);
+
+  // If called, posts a delayed task that cancels |IsTpmKeyPresent| in case
+  // getting system slot takes more than |timeout_ms|. In the case getting
+  // system slot times out |IstpmKeyPresent| will be called with an empty
+  // public key.
+  bool SetGetSystemSlotTimeoutMs(size_t timeout_ms);
+
+
+  // Gets the public RSA key for user. For sign in profile it returns key from
+  // local state. For user profile returns the key from user prefs.
+  std::string GetPublicTpmKey(const std::string& user_id);
+
+  // Signs |data| using private RSA key associated with |user_id| stored in TPM
+  // system slot.
+  void SignUsingTpmKey(
+      const std::string& user_id,
+      const std::string& data,
+      const base::Callback<void(const std::string& data)> callback);
+
+ private:
+  // Utility methods for getting and setting public key values in local state
+  // and user prefs. Note that the keys are saved base64 encoded.
+  std::string GetKeyFromUserPrefs();
+  std::string GetKeyFromLocalState(const std::string& user_id);
+  void SetKeyInLocalState(const std::string& user_id,
+                          const std::string& value);
+  void SetKeyInUserPrefs(const std::string& value);
+
+  // Called when TPM system slot is initialized and ready to be used.
+  // It creates RSA key pair for the user in the system slot.
+  // When the key pair is created, |OnTpmKeyCreated| will be called with the
+  // created public key.
+  // The key will not be created if |public_key| is non-empty and the associated
+  // private key can be found in the slot. Instead |OnTpmKeyCreated| will be
+  // called with |public_key|.
+  void CreateKeyInSystemSlot(
+      const std::string& user_id,
+      const std::string& public_key,
+      crypto::ScopedPK11Slot system_slot);
+
+  // Called when a RSA key pair is created for a user in TOM system slot.
+  // It saves the pulic key in the prefs and runs queued up
+  // |IsTpmKeyPresent| callbacks.
+  void OnTpmKeyCreated(const std::string& user_id,
+                       const std::string& public_key);
+
+  // Called when data signing requested in |SignUsingTpmKey| is done.
+  // It runs |callback| with the created |signature|. On error the callback will
+  // be run with an empty string.
+  void OnDataSigned(
+      const base::Callback<void(const std::string&)>& callback,
+      const std::string& signature,
+      const std::string& error_message);
+
+  std::string user_id_;
+  content::BrowserContext* browser_context_;
+
+  PrefService* user_prefs_;
+  PrefService* local_state_;
+
+  // Whether TPM key pair is being created as a result of call to
+  // |IsTpmKeyPresent|. If set, callbacks for further |IsTpmKeyPresent|
+  // will be queued up and run when the original function call finishes.
+  bool creating_tpm_key_pair_;
+  bool got_tpm_slot_;
+
+  // Queued up |IsTpmKeyPresent| callbacks.
+  std::vector<base::Closure> tpm_key_present_callbacks_;
+
+  base::WeakPtrFactory<EasyUnlockTpmKeyManager> get_tpm_slot_weak_ptr_factory_;
+  base::WeakPtrFactory<EasyUnlockTpmKeyManager> weak_ptr_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(EasyUnlockTpmKeyManager);
+};
+
+#endif  // CHROME_BROWSER_CHROMEOS_LOGIN_EASY_UNLOCK_EASY_UNLOCK_TPM_KEY_MANAGER_H_