Chromium Code Reviews Chromium Code Reviews
Issue 884073002:
Implement chrome.platformKeys.getKeyPair(). (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@cert_impl2| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ | 5 #ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ |
| 6 #define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ | 6 #define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/callback_forward.h" | 11 #include "base/callback_forward.h" |
| 12 #include "base/macros.h" | 12 #include "base/macros.h" |
| 13 #include "base/memory/ref_counted.h" | 13 #include "base/memory/ref_counted.h" |
| 14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
| 15 #include "net/cert/x509_certificate.h" | |
| 15 #include "net/ssl/ssl_client_cert_type.h" | 16 #include "net/ssl/ssl_client_cert_type.h" |
| 16 | 17 |
| 17 namespace content { | 18 namespace content { |
| 18 class BrowserContext; | 19 class BrowserContext; |
| 19 } | 20 } |
| 20 | 21 |
| 21 namespace net { | |
| 22 class X509Certificate; | |
| 23 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; | |
| 24 } | |
| 25 | |
| 26 namespace chromeos { | 22 namespace chromeos { |
| 27 | 23 |
| 28 namespace platform_keys { | 24 namespace platform_keys { |
| 29 | 25 |
| 30 // A token is a store for keys or certs and can provide cryptographic | 26 // A token is a store for keys or certs and can provide cryptographic |
| 31 // operations. | 27 // operations. |
| 32 // ChromeOS provides itself a user token and conditionally a system wide token, | 28 // ChromeOS provides itself a user token and conditionally a system wide token, |
| 33 // thus these tokens use static identifiers. The platform keys API is designed | 29 // thus these tokens use static identifiers. The platform keys API is designed |
| 34 // to support arbitrary other tokens in the future, which could then use | 30 // to support arbitrary other tokens in the future, which could then use |
| 35 // run-time generated IDs. | 31 // run-time generated IDs. |
| 36 extern const char kTokenIdUser[]; | 32 extern const char kTokenIdUser[]; |
| 37 extern const char kTokenIdSystem[]; | 33 extern const char kTokenIdSystem[]; |
| 38 | 34 |
| 39 // Supported hash algorithms. | 35 // Supported hash algorithms. |
| 40 enum HashAlgorithm { | 36 enum HashAlgorithm { |
| 37 HASH_ALGORITHM_NONE, // The value if no hash function is selected. | |
| 41 HASH_ALGORITHM_SHA1, | 38 HASH_ALGORITHM_SHA1, |
| 42 HASH_ALGORITHM_SHA256, | 39 HASH_ALGORITHM_SHA256, |
| 43 HASH_ALGORITHM_SHA384, | 40 HASH_ALGORITHM_SHA384, |
| 44 HASH_ALGORITHM_SHA512 | 41 HASH_ALGORITHM_SHA512 |
| 45 }; | 42 }; |
| 46 | 43 |
| 47 struct ClientCertificateRequest { | 44 struct ClientCertificateRequest { |
| 48 ClientCertificateRequest(); | 45 ClientCertificateRequest(); |
| 49 ~ClientCertificateRequest(); | 46 ~ClientCertificateRequest(); |
| 50 | 47 |
| (...skipping 19 matching lines...) Expand all Loading... | |
| 70 // ignored, instead the user token associated with |browser_context| is always | 67 // ignored, instead the user token associated with |browser_context| is always |
| 71 // used. |callback| will be invoked with the resulting public key or an error. | 68 // used. |callback| will be invoked with the resulting public key or an error. |
| 72 void GenerateRSAKey(const std::string& token_id, | 69 void GenerateRSAKey(const std::string& token_id, |
| 73 unsigned int modulus_length_bits, | 70 unsigned int modulus_length_bits, |
| 74 const GenerateKeyCallback& callback, | 71 const GenerateKeyCallback& callback, |
| 75 content::BrowserContext* browser_context); | 72 content::BrowserContext* browser_context); |
| 76 | 73 |
| 77 typedef base::Callback<void(const std::string& signature, | 74 typedef base::Callback<void(const std::string& signature, |
| 78 const std::string& error_message)> SignCallback; | 75 const std::string& error_message)> SignCallback; |
| 79 | 76 |
| 80 // Digests |data| with |hash_algorithm| and afterwards signs the digest with the | 77 // Digests |data|, applies PKCS1 padding and afterwards signs the data with the |
| 81 // private key matching |public_key|, if that key is stored in the given token. | 78 // private key matching |params.public_key|. If a non empty token id is provided |
| 82 // |token_id| is currently ignored, instead the user token associated with | 79 // and the key is not found in that token, the operation aborts. |callback| will |
| 83 // |browser_context| is always used. |public_key| must be the DER encoding of a | 80 // be invoked with the signature or an error message. |
| 84 // SubjectPublicKeyInfo. |callback| will be invoked with the signature or an | 81 void SignRSAPKCS1Digest(const std::string& token_id, |
| 85 // error message. | 82 const std::string& data, |
| 86 // Currently supports RSA keys only. | 83 const std::string& public_key, |
| 87 void Sign(const std::string& token_id, | 84 HashAlgorithm hash_algorithm, |
| 88 const std::string& public_key, | 85 const SignCallback& callback, |
| 89 HashAlgorithm hash_algorithm, | 86 content::BrowserContext* browser_context); |
| 90 const std::string& data, | 87 |
| 91 const SignCallback& callback, | 88 // Applies PKCS1 padding and afterwards signs the data with the private key |
| 92 content::BrowserContext* browser_context); | 89 // matching |params.public_key|. |data| is not digested. If a non empty token id |
| 90 // is provided and the key is not found in that token, the operation aborts. | |
| 91 // The size of |data| (number of octets) must be smaller than k - 11, where k | |
| 92 // is the key size in octets. | |
| 93 // |callback| will be invoked with the signature or an error message. | |
| 94 void SignRSAPKCS1Raw(const std::string& token_id, | |
| 95 const std::string& data, | |
| 96 const std::string& public_key, | |
| 97 const SignCallback& callback, | |
| 98 content::BrowserContext* browser_context); | |
| 93 | 99 |
| 94 // If the certificate request could be processed successfully, |matches| will | 100 // If the certificate request could be processed successfully, |matches| will |
| 95 // contain the list of matching certificates (which may be empty) and | 101 // contain the list of matching certificates (which may be empty) and |
| 96 // |error_message| will be empty. If an error occurred, |matches| will be null | 102 // |error_message| will be empty. If an error occurred, |matches| will be null |
| 97 // and |error_message| contain an error message. | 103 // and |error_message| contain an error message. |
| 98 typedef base::Callback<void(scoped_ptr<net::CertificateList> matches, | 104 typedef base::Callback<void(scoped_ptr<net::CertificateList> matches, |
| 99 const std::string& error_message)> | 105 const std::string& error_message)> |
| 100 SelectCertificatesCallback; | 106 SelectCertificatesCallback; |
| 101 | 107 |
| 102 // Returns the list of all certificates that match |request|. |callback| will be | 108 // Returns the list of all certificates that match |request|. |callback| will be |
| 103 // invoked with these matches or an error message. | 109 // invoked with these matches or an error message. |
| 104 void SelectClientCertificates(const ClientCertificateRequest& request, | 110 void SelectClientCertificates(const ClientCertificateRequest& request, |
| 105 const SelectCertificatesCallback& callback, | 111 const SelectCertificatesCallback& callback, |
| 106 content::BrowserContext* browser_context); | 112 content::BrowserContext* browser_context); |
| 107 | 113 |
| 108 } // namespace subtle | 114 } // namespace subtle |
| 109 | 115 |
| 116 // If possible, fills the output arguments with information about the key | |
| 117 // certified by |certificate| and returns true. | |
| 118 // If an error occurs, does not modify the output arguments and returns false. | |
| 119 // It is handled as an error, if the key is an RSA key with public exponent | |
| 120 // not equal to 65537. | |
|
Ryan Sleevi
2015/02/10 21:25:28
Comment nit: This reads somewhat weird. Perhaps re
pneubeck (no reviews)
2015/02/11 14:37:04
adapted the implementation to ensure that false is
| |
| 121 // |public_key_spki_der|: Will be assigned the the X.509 Subject Public Key Info | |
| 122 // of the key in DER encoding, if not null. | |
| 123 // |key_type|: Will be assigned the type of the key, if not null. | |
| 124 // |key_size_bits|: Will the size of the key in bits, if not null. | |
| 125 bool GetPublicKey(const scoped_refptr<net::X509Certificate>& certificate, | |
| 126 std::string* out_public_key_spki_der, | |
| 127 net::X509Certificate::PublicKeyType* out_key_type, | |
| 128 size_t* out_key_size_bits); | |
|
Ryan Sleevi
2015/02/10 21:25:28
naming nit: None of these need to be named |out_|
pneubeck (no reviews)
2015/02/11 14:37:04
Done.
| |
| 129 | |
| 110 // If the list of certificates could be successfully retrieved, |certs| will | 130 // If the list of certificates could be successfully retrieved, |certs| will |
| 111 // contain the list of available certificates (maybe empty) and |error_message| | 131 // contain the list of available certificates (maybe empty) and |error_message| |
| 112 // will be empty. If an error occurred, |certs| will be empty and | 132 // will be empty. If an error occurred, |certs| will be empty and |
| 113 // |error_message| contain an error message. | 133 // |error_message| contain an error message. |
| 114 typedef base::Callback<void(scoped_ptr<net::CertificateList> certs, | 134 typedef base::Callback<void(scoped_ptr<net::CertificateList> certs, |
| 115 const std::string& error_message)> | 135 const std::string& error_message)> |
| 116 GetCertificatesCallback; | 136 GetCertificatesCallback; |
| 117 | 137 |
| 118 // Returns the list of all certificates with stored private key available from | 138 // Returns the list of all certificates with stored private key available from |
| 119 // the given token. |token_id| is currently ignored, instead the user token | 139 // the given token. |token_id| is currently ignored, instead the user token |
| 120 // associated with |browser_context| is always used. |callback| will be invoked | 140 // associated with |browser_context| is always used. |callback| will be invoked |
| 121 // with the list of available certificates or an error message. | 141 // with the list of available certificates or an error message. |
| 122 void GetCertificates(const std::string& token_id, | 142 void GetCertificates(const std::string& token_id, |
| 123 const GetCertificatesCallback& callback, | 143 const GetCertificatesCallback& callback, |
| 124 content::BrowserContext* browser_context); | 144 content::BrowserContext* browser_context); |
| 125 | 145 |
| 126 // If an error occurred during import, |error_message| will be set to an error | 146 // If an error occurred during import, |error_message| will be set to an error |
| 127 // message. | 147 // message. |
| 128 typedef base::Callback<void(const std::string& error_message)> | 148 typedef base::Callback<void(const std::string& error_message)> |
| 129 ImportCertificateCallback; | 149 ImportCertificateCallback; |
| 130 | 150 |
| 131 // Imports |certificate| to the given token if the certified key is already | 151 // Imports |certificate| to the given token if the certified key is already |
| 132 // stored in this token. Any intermediate of |certificate| will be ignored. | 152 // stored in this token. Any intermediate of |certificate| will be ignored. |
| 133 // |token_id| is currently ignored, instead the user token associated with | 153 // |token_id| is currently ignored, instead the user token associated with |
| 134 // |browser_context| is always used. |callback| will be invoked when the import | 154 // |browser_context| is always used. |callback| will be invoked when the import |
| 135 // is finished, possibly with an error message. | 155 // is finished, possibly with an error message. |
| 136 void ImportCertificate(const std::string& token_id, | 156 void ImportCertificate(const std::string& token_id, |
| 137 scoped_refptr<net::X509Certificate> certificate, | 157 const scoped_refptr<net::X509Certificate>& certificate, |
| 138 const ImportCertificateCallback& callback, | 158 const ImportCertificateCallback& callback, |
| 139 content::BrowserContext* browser_context); | 159 content::BrowserContext* browser_context); |
| 140 | 160 |
| 141 // If an error occurred during removal, |error_message| will be set to an error | 161 // If an error occurred during removal, |error_message| will be set to an error |
| 142 // message. | 162 // message. |
| 143 typedef base::Callback<void(const std::string& error_message)> | 163 typedef base::Callback<void(const std::string& error_message)> |
| 144 RemoveCertificateCallback; | 164 RemoveCertificateCallback; |
| 145 | 165 |
| 146 // Removes |certificate| from the given token if present. Any intermediate of | 166 // Removes |certificate| from the given token if present. Any intermediate of |
| 147 // |certificate| will be ignored. |token_id| is currently ignored, instead the | 167 // |certificate| will be ignored. |token_id| is currently ignored, instead the |
| 148 // user token associated with |browser_context| is always used. |callback| will | 168 // user token associated with |browser_context| is always used. |callback| will |
| 149 // be invoked when the removal is finished, possibly with an error message. | 169 // be invoked when the removal is finished, possibly with an error message. |
| 150 void RemoveCertificate(const std::string& token_id, | 170 void RemoveCertificate(const std::string& token_id, |
| 151 scoped_refptr<net::X509Certificate> certificate, | 171 const scoped_refptr<net::X509Certificate>& certificate, |
| 152 const RemoveCertificateCallback& callback, | 172 const RemoveCertificateCallback& callback, |
| 153 content::BrowserContext* browser_context); | 173 content::BrowserContext* browser_context); |
| 154 | 174 |
| 155 // If the list of available tokens could be successfully retrieved, |token_ids| | 175 // If the list of available tokens could be successfully retrieved, |token_ids| |
| 156 // will contain the token ids. If an error occurs, |token_ids| will be NULL and | 176 // will contain the token ids. If an error occurs, |token_ids| will be NULL and |
| 157 // |error_message| will be set to an error message. | 177 // |error_message| will be set to an error message. |
| 158 typedef base::Callback<void(scoped_ptr<std::vector<std::string> > token_ids, | 178 typedef base::Callback<void(scoped_ptr<std::vector<std::string> > token_ids, |
| 159 const std::string& error_message)> | 179 const std::string& error_message)> |
| 160 GetTokensCallback; | 180 GetTokensCallback; |
| 161 | 181 |
| 162 // Gets the list of available tokens. |callback| will be invoked when the list | 182 // Gets the list of available tokens. |callback| will be invoked when the list |
| 163 // of available tokens is determined, possibly with an error message. | 183 // of available tokens is determined, possibly with an error message. |
| 164 // Must be called and calls |callback| on the UI thread. | 184 // Must be called and calls |callback| on the UI thread. |
| 165 void GetTokens(const GetTokensCallback& callback, | 185 void GetTokens(const GetTokensCallback& callback, |
| 166 content::BrowserContext* browser_context); | 186 content::BrowserContext* browser_context); |
| 167 | 187 |
| 168 } // namespace platform_keys | 188 } // namespace platform_keys |
| 169 | 189 |
| 170 } // namespace chromeos | 190 } // namespace chromeos |
| 171 | 191 |
| 172 #endif // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ | 192 #endif // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_ |
| OLD | NEW |
