Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ | 5 #ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ |
| 6 #define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ | 6 #define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/callback_forward.h" | 11 #include "base/callback_forward.h" |
| 12 #include "base/macros.h" | 12 #include "base/macros.h" |
| 13 #include "base/memory/ref_counted.h" | 13 #include "base/memory/ref_counted.h" |
| 14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
| 15 #include "net/cert/x509_certificate.h" | |
| 15 #include "net/ssl/ssl_client_cert_type.h" | 16 #include "net/ssl/ssl_client_cert_type.h" |
| 16 | 17 |
| 17 namespace content { | 18 namespace content { |
| 18 class BrowserContext; | 19 class BrowserContext; |
| 19 } | 20 } |
| 20 | 21 |
| 21 namespace net { | |
| 22 class X509Certificate; | |
| 23 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; | |
| 24 } | |
| 25 | |
| 26 namespace chromeos { | 22 namespace chromeos { |
| 27 | 23 |
| 28 namespace platform_keys { | 24 namespace platform_keys { |
| 29 | 25 |
| 30 // A token is a store for keys or certs and can provide cryptographic | 26 // A token is a store for keys or certs and can provide cryptographic |
| 31 // operations. | 27 // operations. |
| 32 // ChromeOS provides itself a user token and conditionally a system wide token, | 28 // ChromeOS provides itself a user token and conditionally a system wide token, |
| 33 // thus these tokens use static identifiers. The platform keys API is designed | 29 // thus these tokens use static identifiers. The platform keys API is designed |
| 34 // to support arbitrary other tokens in the future, which could then use | 30 // to support arbitrary other tokens in the future, which could then use |
| 35 // run-time generated IDs. | 31 // run-time generated IDs. |
| 36 extern const char kTokenIdUser[]; | 32 extern const char kTokenIdUser[]; |
| 37 extern const char kTokenIdSystem[]; | 33 extern const char kTokenIdSystem[]; |
| 38 | 34 |
| 39 // Supported hash algorithms. | 35 // Supported hash algorithms. |
| 40 enum HashAlgorithm { | 36 enum HashAlgorithm { |
| 37 HASH_ALGORITHM_NONE, // The value if no hash function is selected. | |
| 41 HASH_ALGORITHM_SHA1, | 38 HASH_ALGORITHM_SHA1, |
| 42 HASH_ALGORITHM_SHA256, | 39 HASH_ALGORITHM_SHA256, |
| 43 HASH_ALGORITHM_SHA384, | 40 HASH_ALGORITHM_SHA384, |
| 44 HASH_ALGORITHM_SHA512 | 41 HASH_ALGORITHM_SHA512 |
| 45 }; | 42 }; |
| 46 | 43 |
| 44 // Parameters to the SignRSA function. | |
| 45 struct SignRSAParams { | |
| 46 // The data that will be signed. | |
| 47 std::string data; | |
| 48 | |
| 49 // Must be the DER encoding of a SubjectPublicKeyInfo. | |
| 50 std::string public_key; | |
| 51 | |
| 52 // If true, |data| will not be hashed before signing. Only PKCS#1 v1.5 padding | |
| 53 // will be applied before signing. | |
| 54 // If false, |hash_algorithm| must be set to a value != NONE. | |
| 55 bool sign_direct_pkcs_padded = false; | |
|
Ryan Sleevi
2015/02/07 02:09:40
It feels like by moving this into a struct, you're
pneubeck (no reviews)
2015/02/08 10:52:00
The possibility of using this as default arguments
| |
| 56 | |
| 57 // Determines the hash algorithm that is used to digest |data| before signing. | |
| 58 // Ignored if |sign_direct_pkcs_padded| is true. | |
| 59 HashAlgorithm hash_algorithm = HASH_ALGORITHM_NONE; | |
| 60 }; | |
| 61 | |
| 47 struct ClientCertificateRequest { | 62 struct ClientCertificateRequest { |
| 48 ClientCertificateRequest(); | 63 ClientCertificateRequest(); |
| 49 ~ClientCertificateRequest(); | 64 ~ClientCertificateRequest(); |
| 50 | 65 |
| 51 // The list of the types of certificates requested, sorted in order of the | 66 // The list of the types of certificates requested, sorted in order of the |
| 52 // server's preference. | 67 // server's preference. |
| 53 std::vector<net::SSLClientCertType> certificate_key_types; | 68 std::vector<net::SSLClientCertType> certificate_key_types; |
| 54 | 69 |
| 55 // List of distinguished names of certificate authorities allowed by the | 70 // List of distinguished names of certificate authorities allowed by the |
| 56 // server. Each entry must be a DER-encoded X.509 DistinguishedName. | 71 // server. Each entry must be a DER-encoded X.509 DistinguishedName. |
| 57 std::vector<std::string> certificate_authorities; | 72 std::vector<std::string> certificate_authorities; |
| 58 }; | 73 }; |
| 59 | 74 |
| 75 // Holds details about a certificate's (subject) key, i.e. the X.509 Subject | |
| 76 // Public Key Info (SPKI) of the certificate. | |
| 77 // As this class supports only specific types of keys (currently only RSA), this | |
| 78 // does not necessarily mirror the internal structure of a X.509 SPKI. | |
| 79 struct SubjectPublicKeyInfo { | |
| 80 SubjectPublicKeyInfo(); | |
| 81 ~SubjectPublicKeyInfo(); | |
| 82 | |
| 83 std::string public_key_spki_der; | |
| 84 net::X509Certificate::PublicKeyType key_type; | |
| 85 | |
| 86 // For RSA a public exponent of 65537 is assumed, so there is no member for | |
| 87 // that. | |
| 88 | |
| 89 size_t key_size_bits = 0; | |
| 90 }; | |
|
Ryan Sleevi
2015/02/07 02:09:40
Ditto this. I don't really understand this structu
pneubeck (no reviews)
2015/02/08 10:52:00
I can only guess what you find problematic here.
A
Ryan Sleevi
2015/02/10 00:59:32
Sorry I wasn't clearer:
I don't understand why yo
| |
| 91 | |
| 60 namespace subtle { | 92 namespace subtle { |
| 61 // Functions of this namespace shouldn't be called directly from the context of | 93 // Functions of this namespace shouldn't be called directly from the context of |
| 62 // an extension. Instead use PlatformKeysService which enforces restrictions | 94 // an extension. Instead use PlatformKeysService which enforces restrictions |
| 63 // upon extensions. | 95 // upon extensions. |
| 64 | 96 |
| 65 typedef base::Callback<void(const std::string& public_key_spki_der, | 97 typedef base::Callback<void(const std::string& public_key_spki_der, |
| 66 const std::string& error_message)> | 98 const std::string& error_message)> |
| 67 GenerateKeyCallback; | 99 GenerateKeyCallback; |
| 68 | 100 |
| 69 // Generates a RSA key pair with |modulus_length_bits|. |token_id| is currently | 101 // Generates a RSA key pair with |modulus_length_bits|. |token_id| is currently |
| 70 // ignored, instead the user token associated with |browser_context| is always | 102 // ignored, instead the user token associated with |browser_context| is always |
| 71 // used. |callback| will be invoked with the resulting public key or an error. | 103 // used. |callback| will be invoked with the resulting public key or an error. |
| 72 void GenerateRSAKey(const std::string& token_id, | 104 void GenerateRSAKey(const std::string& token_id, |
| 73 unsigned int modulus_length_bits, | 105 unsigned int modulus_length_bits, |
| 74 const GenerateKeyCallback& callback, | 106 const GenerateKeyCallback& callback, |
| 75 content::BrowserContext* browser_context); | 107 content::BrowserContext* browser_context); |
| 76 | 108 |
| 77 typedef base::Callback<void(const std::string& signature, | 109 typedef base::Callback<void(const std::string& signature, |
| 78 const std::string& error_message)> SignCallback; | 110 const std::string& error_message)> SignCallback; |
| 79 | 111 |
| 80 // Digests |data| with |hash_algorithm| and afterwards signs the digest with the | 112 // Optionally digests |data|, applies PKCS1 padding and afterwards signs the |
| 81 // private key matching |public_key|, if that key is stored in the given token. | 113 // data with the private key matching |params.public_key|. If a non empty token |
| 82 // |token_id| is currently ignored, instead the user token associated with | 114 // id is provided and the key is not found in that token, the operation aborts. |
| 83 // |browser_context| is always used. |public_key| must be the DER encoding of a | 115 // |callback| will be invoked with the signature or an error message. |
| 84 // SubjectPublicKeyInfo. |callback| will be invoked with the signature or an | 116 void SignRSA(const std::string& token_id, |
| 85 // error message. | 117 scoped_ptr<SignRSAParams> params, |
| 86 // Currently supports RSA keys only. | 118 const SignCallback& callback, |
| 87 void Sign(const std::string& token_id, | 119 content::BrowserContext* browser_context); |
| 88 const std::string& public_key, | |
| 89 HashAlgorithm hash_algorithm, | |
| 90 const std::string& data, | |
| 91 const SignCallback& callback, | |
| 92 content::BrowserContext* browser_context); | |
| 93 | 120 |
| 94 // If the certificate request could be processed successfully, |matches| will | 121 // If the certificate request could be processed successfully, |matches| will |
| 95 // contain the list of matching certificates (which may be empty) and | 122 // contain the list of matching certificates (which may be empty) and |
| 96 // |error_message| will be empty. If an error occurred, |matches| will be null | 123 // |error_message| will be empty. If an error occurred, |matches| will be null |
| 97 // and |error_message| contain an error message. | 124 // and |error_message| contain an error message. |
| 98 typedef base::Callback<void(scoped_ptr<net::CertificateList> matches, | 125 typedef base::Callback<void(scoped_ptr<net::CertificateList> matches, |
| 99 const std::string& error_message)> | 126 const std::string& error_message)> |
| 100 SelectCertificatesCallback; | 127 SelectCertificatesCallback; |
| 101 | 128 |
| 102 // Returns the list of all certificates that match |request|. |callback| will be | 129 // Returns the list of all certificates that match |request|. |callback| will be |
| 103 // invoked with these matches or an error message. | 130 // invoked with these matches or an error message. |
| 104 void SelectClientCertificates(const ClientCertificateRequest& request, | 131 void SelectClientCertificates(const ClientCertificateRequest& request, |
| 105 const SelectCertificatesCallback& callback, | 132 const SelectCertificatesCallback& callback, |
| 106 content::BrowserContext* browser_context); | 133 content::BrowserContext* browser_context); |
| 107 | 134 |
| 108 } // namespace subtle | 135 } // namespace subtle |
| 109 | 136 |
| 137 // Fills |info| with information about the key certified by |certificate|. | |
| 138 bool GetPublicKey(scoped_refptr<net::X509Certificate> certificate, | |
| 139 SubjectPublicKeyInfo* info); | |
| 140 | |
| 110 // If the list of certificates could be successfully retrieved, |certs| will | 141 // If the list of certificates could be successfully retrieved, |certs| will |
| 111 // contain the list of available certificates (maybe empty) and |error_message| | 142 // contain the list of available certificates (maybe empty) and |error_message| |
| 112 // will be empty. If an error occurred, |certs| will be empty and | 143 // will be empty. If an error occurred, |certs| will be empty and |
| 113 // |error_message| contain an error message. | 144 // |error_message| contain an error message. |
| 114 typedef base::Callback<void(scoped_ptr<net::CertificateList> certs, | 145 typedef base::Callback<void(scoped_ptr<net::CertificateList> certs, |
| 115 const std::string& error_message)> | 146 const std::string& error_message)> |
| 116 GetCertificatesCallback; | 147 GetCertificatesCallback; |
| 117 | 148 |
| 118 // Returns the list of all certificates with stored private key available from | 149 // Returns the list of all certificates with stored private key available from |
| 119 // the given token. |token_id| is currently ignored, instead the user token | 150 // the given token. |token_id| is currently ignored, instead the user token |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 163 // of available tokens is determined, possibly with an error message. | 194 // of available tokens is determined, possibly with an error message. |
| 164 // Must be called and calls |callback| on the UI thread. | 195 // Must be called and calls |callback| on the UI thread. |
| 165 void GetTokens(const GetTokensCallback& callback, | 196 void GetTokens(const GetTokensCallback& callback, |
| 166 content::BrowserContext* browser_context); | 197 content::BrowserContext* browser_context); |
| 167 | 198 |
| 168 } // namespace platform_keys | 199 } // namespace platform_keys |
| 169 | 200 |
| 170 } // namespace chromeos | 201 } // namespace chromeos |
| 171 | 202 |
| 172 #endif // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ | 203 #endif // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ |
| OLD | NEW |