OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ | 5 #ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ |
6 #define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ | 6 #define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
11 #include "base/callback_forward.h" | 11 #include "base/callback_forward.h" |
12 #include "base/macros.h" | 12 #include "base/macros.h" |
13 #include "base/memory/ref_counted.h" | 13 #include "base/memory/ref_counted.h" |
14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
15 #include "net/cert/x509_certificate.h" | |
15 #include "net/ssl/ssl_client_cert_type.h" | 16 #include "net/ssl/ssl_client_cert_type.h" |
16 | 17 |
17 namespace content { | 18 namespace content { |
18 class BrowserContext; | 19 class BrowserContext; |
19 } | 20 } |
20 | 21 |
21 namespace net { | |
22 class X509Certificate; | |
23 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; | |
24 } | |
25 | |
26 namespace chromeos { | 22 namespace chromeos { |
27 | 23 |
28 namespace platform_keys { | 24 namespace platform_keys { |
29 | 25 |
30 // A token is a store for keys or certs and can provide cryptographic | 26 // A token is a store for keys or certs and can provide cryptographic |
31 // operations. | 27 // operations. |
32 // ChromeOS provides itself a user token and conditionally a system wide token, | 28 // ChromeOS provides itself a user token and conditionally a system wide token, |
33 // thus these tokens use static identifiers. The platform keys API is designed | 29 // thus these tokens use static identifiers. The platform keys API is designed |
34 // to support arbitrary other tokens in the future, which could then use | 30 // to support arbitrary other tokens in the future, which could then use |
35 // run-time generated IDs. | 31 // run-time generated IDs. |
36 extern const char kTokenIdUser[]; | 32 extern const char kTokenIdUser[]; |
37 extern const char kTokenIdSystem[]; | 33 extern const char kTokenIdSystem[]; |
38 | 34 |
39 // Supported hash algorithms. | 35 // Supported hash algorithms. |
40 enum HashAlgorithm { | 36 enum HashAlgorithm { |
37 HASH_ALGORITHM_NONE, // The value if no hash function is selected. | |
41 HASH_ALGORITHM_SHA1, | 38 HASH_ALGORITHM_SHA1, |
42 HASH_ALGORITHM_SHA256, | 39 HASH_ALGORITHM_SHA256, |
43 HASH_ALGORITHM_SHA384, | 40 HASH_ALGORITHM_SHA384, |
44 HASH_ALGORITHM_SHA512 | 41 HASH_ALGORITHM_SHA512 |
45 }; | 42 }; |
46 | 43 |
44 // This class contains the parameters required for signing data with a RSA key. | |
45 class SignRSAParams { | |
Ryan Sleevi
2015/02/10 00:59:32
I still have an issue with the SignRSAParams, whic
pneubeck (no reviews)
2015/02/10 10:40:52
If I follow your reasoning correctly, than _no_ AP
Ryan Sleevi
2015/02/10 21:25:28
Generally speaking, yes. That's correct. Don't mak
pneubeck (no reviews)
2015/02/11 15:57:51
Aaalright... the line has to bend to not cross it.
| |
46 public: | |
47 // Creates parameters for signing a digest, meaning that |data| will at first | |
48 // be hashed using the algorithm identified by |hash_algorithm|, then PKCS#1 | |
49 // v1.5 padded and afterwards signed. | |
50 static scoped_ptr<SignRSAParams> CreateSignParamsWithHashing( | |
51 const std::string data, | |
52 const std::string public_key, | |
53 HashAlgorithm hash_algorithm); | |
54 | |
55 // Creates parameters for direct signing, meaning that |data| will be PKCS#1 | |
56 // v1.5 padded and afterwards signed. No hashing/digesting will be done. | |
57 // The size of |data| (number of octets) must be smaller than k - 11, where k | |
58 // is the key size in octets. | |
59 static scoped_ptr<SignRSAParams> CreateDirectSignParams( | |
60 const std::string data, | |
61 const std::string public_key); | |
62 | |
63 ~SignRSAParams(); | |
64 | |
65 // The data that will be signed. | |
66 const std::string& data() const { return data_; } | |
67 | |
68 // The public key identifying the private key that will be used for signing. | |
69 // Must be the DER encoding of a GetPublicKeyResult. | |
70 const std::string& public_key() const { return public_key_; } | |
71 | |
72 // If true, |data| will not be hashed before signing. Only PKCS#1 v1.5 padding | |
73 // will be applied before signing. | |
74 // If false, |hash_algorithm| is set to a value != NONE. | |
75 bool sign_direct_pkcs_padded() const { return sign_direct_pkcs_padded_; } | |
76 | |
77 // Determines the hash algorithm that is used to digest |data| before signing. | |
78 // Returns HASH_ALGORITHM_NONE if |sign_direct_pkcs_padded| is true. | |
79 HashAlgorithm hash_algorithm() const { return hash_algorithm_; } | |
80 | |
81 private: | |
82 SignRSAParams(const std::string& data_, | |
83 const std::string& public_key_, | |
84 bool sign_direct_pkcs_padded_, | |
85 HashAlgorithm hash_algorithm_); | |
86 | |
87 // The data that will be signed. | |
88 const std::string data_; | |
89 | |
90 // Must be the DER encoding of a GetPublicKeyResult. | |
91 const std::string public_key_; | |
92 | |
93 // If true, |data| will not be hashed before signing. Only PKCS#1 v1.5 padding | |
94 // will be applied before signing. | |
95 // If false, |hash_algorithm| must be set to a value != NONE. | |
96 const bool sign_direct_pkcs_padded_; | |
97 | |
98 // Determines the hash algorithm that is used to digest |data| before signing. | |
99 // Ignored if |sign_direct_pkcs_padded| is true. | |
100 const HashAlgorithm hash_algorithm_; | |
Ryan Sleevi
2015/02/10 00:59:33
DISALLOW_COPY_AND_ASSIGN
pneubeck (no reviews)
2015/02/10 10:40:52
Acknowledged.
| |
101 }; | |
102 | |
47 struct ClientCertificateRequest { | 103 struct ClientCertificateRequest { |
48 ClientCertificateRequest(); | 104 ClientCertificateRequest(); |
49 ~ClientCertificateRequest(); | 105 ~ClientCertificateRequest(); |
50 | 106 |
51 // The list of the types of certificates requested, sorted in order of the | 107 // The list of the types of certificates requested, sorted in order of the |
52 // server's preference. | 108 // server's preference. |
53 std::vector<net::SSLClientCertType> certificate_key_types; | 109 std::vector<net::SSLClientCertType> certificate_key_types; |
54 | 110 |
55 // List of distinguished names of certificate authorities allowed by the | 111 // List of distinguished names of certificate authorities allowed by the |
56 // server. Each entry must be a DER-encoded X.509 DistinguishedName. | 112 // server. Each entry must be a DER-encoded X.509 DistinguishedName. |
57 std::vector<std::string> certificate_authorities; | 113 std::vector<std::string> certificate_authorities; |
58 }; | 114 }; |
59 | 115 |
116 // This struct is used to hold the results of the GetPublicKey() function. | |
117 // Holds details about a certificate's (subject) key, i.e. the X.509 Subject | |
118 // Public Key Info (SPKI) of the certificate. | |
119 struct GetPublicKeyResult { | |
120 GetPublicKeyResult(); | |
121 ~GetPublicKeyResult(); | |
122 | |
123 // The X.509 Subject Public Key Info of the key in DER encoding. | |
124 std::string public_key_spki_der; | |
125 | |
126 // The type of the key. | |
127 net::X509Certificate::PublicKeyType key_type; | |
128 | |
129 // The size of the key in bits. | |
130 size_t key_size_bits = 0; | |
131 }; | |
132 | |
60 namespace subtle { | 133 namespace subtle { |
61 // Functions of this namespace shouldn't be called directly from the context of | 134 // Functions of this namespace shouldn't be called directly from the context of |
62 // an extension. Instead use PlatformKeysService which enforces restrictions | 135 // an extension. Instead use PlatformKeysService which enforces restrictions |
63 // upon extensions. | 136 // upon extensions. |
64 | 137 |
65 typedef base::Callback<void(const std::string& public_key_spki_der, | 138 typedef base::Callback<void(const std::string& public_key_spki_der, |
66 const std::string& error_message)> | 139 const std::string& error_message)> |
67 GenerateKeyCallback; | 140 GenerateKeyCallback; |
68 | 141 |
69 // Generates a RSA key pair with |modulus_length_bits|. |token_id| is currently | 142 // Generates a RSA key pair with |modulus_length_bits|. |token_id| is currently |
70 // ignored, instead the user token associated with |browser_context| is always | 143 // ignored, instead the user token associated with |browser_context| is always |
71 // used. |callback| will be invoked with the resulting public key or an error. | 144 // used. |callback| will be invoked with the resulting public key or an error. |
72 void GenerateRSAKey(const std::string& token_id, | 145 void GenerateRSAKey(const std::string& token_id, |
73 unsigned int modulus_length_bits, | 146 unsigned int modulus_length_bits, |
74 const GenerateKeyCallback& callback, | 147 const GenerateKeyCallback& callback, |
75 content::BrowserContext* browser_context); | 148 content::BrowserContext* browser_context); |
76 | 149 |
77 typedef base::Callback<void(const std::string& signature, | 150 typedef base::Callback<void(const std::string& signature, |
78 const std::string& error_message)> SignCallback; | 151 const std::string& error_message)> SignCallback; |
79 | 152 |
80 // Digests |data| with |hash_algorithm| and afterwards signs the digest with the | 153 // Optionally digests |data|, applies PKCS1 padding and afterwards signs the |
81 // private key matching |public_key|, if that key is stored in the given token. | 154 // data with the private key matching |params.public_key|. If a non empty token |
82 // |token_id| is currently ignored, instead the user token associated with | 155 // id is provided and the key is not found in that token, the operation aborts. |
83 // |browser_context| is always used. |public_key| must be the DER encoding of a | 156 // |callback| will be invoked with the signature or an error message. |
84 // SubjectPublicKeyInfo. |callback| will be invoked with the signature or an | 157 void SignRSA(const std::string& token_id, |
85 // error message. | 158 scoped_ptr<SignRSAParams> params, |
86 // Currently supports RSA keys only. | 159 const SignCallback& callback, |
87 void Sign(const std::string& token_id, | 160 content::BrowserContext* browser_context); |
88 const std::string& public_key, | |
89 HashAlgorithm hash_algorithm, | |
90 const std::string& data, | |
91 const SignCallback& callback, | |
92 content::BrowserContext* browser_context); | |
93 | 161 |
94 // If the certificate request could be processed successfully, |matches| will | 162 // If the certificate request could be processed successfully, |matches| will |
95 // contain the list of matching certificates (which may be empty) and | 163 // contain the list of matching certificates (which may be empty) and |
96 // |error_message| will be empty. If an error occurred, |matches| will be null | 164 // |error_message| will be empty. If an error occurred, |matches| will be null |
97 // and |error_message| contain an error message. | 165 // and |error_message| contain an error message. |
98 typedef base::Callback<void(scoped_ptr<net::CertificateList> matches, | 166 typedef base::Callback<void(scoped_ptr<net::CertificateList> matches, |
99 const std::string& error_message)> | 167 const std::string& error_message)> |
100 SelectCertificatesCallback; | 168 SelectCertificatesCallback; |
101 | 169 |
102 // Returns the list of all certificates that match |request|. |callback| will be | 170 // Returns the list of all certificates that match |request|. |callback| will be |
103 // invoked with these matches or an error message. | 171 // invoked with these matches or an error message. |
104 void SelectClientCertificates(const ClientCertificateRequest& request, | 172 void SelectClientCertificates(const ClientCertificateRequest& request, |
105 const SelectCertificatesCallback& callback, | 173 const SelectCertificatesCallback& callback, |
106 content::BrowserContext* browser_context); | 174 content::BrowserContext* browser_context); |
107 | 175 |
108 } // namespace subtle | 176 } // namespace subtle |
109 | 177 |
178 // If possible, fills |info| with information about the key certified by | |
179 // |certificate| and returns true. | |
180 // If an error occurs, does not modify |info| and returns false. | |
181 // It is handled as an error, if the key is an RSA key with public exponent | |
182 // not equal to 65537. | |
183 bool GetPublicKey(scoped_refptr<net::X509Certificate> certificate, | |
Ryan Sleevi
2015/02/10 00:59:33
This should be "const scoped_refptr<...>&"
pneubeck (no reviews)
2015/02/10 10:40:52
Done.
| |
184 GetPublicKeyResult* info); | |
185 | |
110 // If the list of certificates could be successfully retrieved, |certs| will | 186 // If the list of certificates could be successfully retrieved, |certs| will |
111 // contain the list of available certificates (maybe empty) and |error_message| | 187 // contain the list of available certificates (maybe empty) and |error_message| |
112 // will be empty. If an error occurred, |certs| will be empty and | 188 // will be empty. If an error occurred, |certs| will be empty and |
113 // |error_message| contain an error message. | 189 // |error_message| contain an error message. |
114 typedef base::Callback<void(scoped_ptr<net::CertificateList> certs, | 190 typedef base::Callback<void(scoped_ptr<net::CertificateList> certs, |
115 const std::string& error_message)> | 191 const std::string& error_message)> |
116 GetCertificatesCallback; | 192 GetCertificatesCallback; |
117 | 193 |
118 // Returns the list of all certificates with stored private key available from | 194 // Returns the list of all certificates with stored private key available from |
119 // the given token. |token_id| is currently ignored, instead the user token | 195 // the given token. |token_id| is currently ignored, instead the user token |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
163 // of available tokens is determined, possibly with an error message. | 239 // of available tokens is determined, possibly with an error message. |
164 // Must be called and calls |callback| on the UI thread. | 240 // Must be called and calls |callback| on the UI thread. |
165 void GetTokens(const GetTokensCallback& callback, | 241 void GetTokens(const GetTokensCallback& callback, |
166 content::BrowserContext* browser_context); | 242 content::BrowserContext* browser_context); |
167 | 243 |
168 } // namespace platform_keys | 244 } // namespace platform_keys |
169 | 245 |
170 } // namespace chromeos | 246 } // namespace chromeos |
171 | 247 |
172 #endif // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ | 248 #endif // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ |
OLD | NEW |