1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ 6 #define CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ 7 8 #include <string> 9 10 #include "base/basictypes.h" 11 #include "base/callback_forward.h" 12 #include "base/memory/scoped_ptr.h" 13 #include "base/memory/weak_ptr.h" 14 #include "chromeos/attestation/attestation_constants.h" 15 #include "chromeos/chromeos_export.h" 16 #include "chromeos/dbus/dbus_method_call_status.h" 17 #include "third_party/cros_system_api/dbus/service_constants.h" 18 19 namespace cryptohome { 20 21 class AsyncMethodCaller; 22 23 } // namespace cryptohome 24 25 namespace chromeos { 26 27 class CryptohomeClient; 28 29 namespace attestation { 30 31 // Interface for access to the Privacy CA server. 32 class CHROMEOS_EXPORT ServerProxy { 33 public: 34 typedef base::Callback<void(bool success, 35 const std::string& data)> DataCallback; ~ServerProxy()36 virtual ~ServerProxy() {} 37 virtual void SendEnrollRequest(const std::string& request, 38 const DataCallback& on_response) = 0; 39 virtual void SendCertificateRequest(const std::string& request, 40 const DataCallback& on_response) = 0; 41 }; 42 43 // Implements the message flow for Chrome OS attestation tasks. Generally this 44 // consists of coordinating messages between the Chrome OS attestation service 45 // and the Chrome OS Privacy CA server. Sample usage: 46 // AttestationFlow flow(AsyncMethodCaller::GetInstance(), 47 // DBusThreadManager::Get().GetCryptohomeClient(), 48 // my_server_proxy.Pass()); 49 // AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback); 50 // flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback); 51 class CHROMEOS_EXPORT AttestationFlow { 52 public: 53 typedef base::Callback<void(bool success, 54 const std::string& pem_certificate_chain)> 55 CertificateCallback; 56 57 AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, 58 CryptohomeClient* cryptohome_client, 59 scoped_ptr<ServerProxy> server_proxy); 60 virtual ~AttestationFlow(); 61 62 // Gets an attestation certificate for a hardware-protected key. If a key for 63 // the given profile does not exist, it will be generated and a certificate 64 // request will be made to the Chrome OS Privacy CA to issue a certificate for 65 // the key. If the key already exists and |force_new_key| is false, the 66 // existing certificate is returned. 67 // 68 // Parameters 69 // certificate_profile - Specifies what kind of certificate should be 70 // requested from the CA. 71 // user_id - Identifies the currently active user. For normal GAIA users 72 // this is a canonical email address. This is ignored when using 73 // the enterprise machine cert profile. 74 // request_origin - For content protection profiles, certificate requests 75 // are origin-specific. This string must uniquely identify 76 // the origin of the request. 77 // force_new_key - If set to true, a new key will be generated even if a key 78 // already exists for the profile. The new key will replace 79 // the existing key on success. 80 // callback - A callback which will be called when the operation completes. 81 // On success |result| will be true and |data| will contain the 82 // PCA-issued certificate chain in PEM format. 83 virtual void GetCertificate(AttestationCertificateProfile certificate_profile, 84 const std::string& user_id, 85 const std::string& request_origin, 86 bool force_new_key, 87 const CertificateCallback& callback); 88 89 private: 90 // Asynchronously initiates the attestation enrollment flow. 91 // 92 // Parameters 93 // on_failure - Called if any failure occurs. 94 // next_task - Called on successful enrollment. 95 void StartEnroll(const base::Closure& on_failure, 96 const base::Closure& next_task); 97 98 // Called when the attestation daemon has finished creating an enrollment 99 // request for the Privacy CA. The request is asynchronously forwarded as-is 100 // to the PCA. 101 // 102 // Parameters 103 // on_failure - Called if any failure occurs. 104 // next_task - Called on successful enrollment. 105 // success - The status of request creation. 106 // data - The request data for the Privacy CA. 107 void SendEnrollRequestToPCA(const base::Closure& on_failure, 108 const base::Closure& next_task, 109 bool success, 110 const std::string& data); 111 112 // Called when the Privacy CA responds to an enrollment request. The response 113 // is asynchronously forwarded as-is to the attestation daemon in order to 114 // complete the enrollment operation. 115 // 116 // Parameters 117 // on_failure - Called if any failure occurs. 118 // next_task - Called on successful enrollment. 119 // success - The status of the Privacy CA operation. 120 // data - The response data from the Privacy CA. 121 void SendEnrollResponseToDaemon(const base::Closure& on_failure, 122 const base::Closure& next_task, 123 bool success, 124 const std::string& data); 125 126 // Called when the attestation daemon completes an enrollment operation. If 127 // the operation was successful, the next_task callback is called. 128 // 129 // Parameters 130 // on_failure - Called if any failure occurs. 131 // next_task - Called on successful enrollment. 132 // success - The status of the enrollment operation. 133 // not_used - An artifact of the cryptohome D-Bus interface; ignored. 134 void OnEnrollComplete(const base::Closure& on_failure, 135 const base::Closure& next_task, 136 bool success, 137 cryptohome::MountError not_used); 138 139 // Asynchronously initiates the certificate request flow. Attestation 140 // enrollment must complete successfully before this operation can succeed. 141 // 142 // Parameters 143 // certificate_profile - Specifies what kind of certificate should be 144 // requested from the CA. 145 // user_id - Identifies the active user. 146 // request_origin - An identifier for the origin of this request. 147 // generate_new_key - If set to true a new key is generated. 148 // callback - Called when the operation completes. 149 void StartCertificateRequest( 150 const AttestationCertificateProfile certificate_profile, 151 const std::string& user_id, 152 const std::string& request_origin, 153 bool generate_new_key, 154 const CertificateCallback& callback); 155 156 // Called when the attestation daemon has finished creating a certificate 157 // request for the Privacy CA. The request is asynchronously forwarded as-is 158 // to the PCA. 159 // 160 // Parameters 161 // key_type - The type of the key for which a certificate is requested. 162 // user_id - Identifies the active user. 163 // key_name - The name of the key for which a certificate is requested. 164 // callback - Called when the operation completes. 165 // success - The status of request creation. 166 // data - The request data for the Privacy CA. 167 void SendCertificateRequestToPCA(AttestationKeyType key_type, 168 const std::string& user_id, 169 const std::string& key_name, 170 const CertificateCallback& callback, 171 bool success, 172 const std::string& data); 173 174 // Called when the Privacy CA responds to a certificate request. The response 175 // is asynchronously forwarded as-is to the attestation daemon in order to 176 // complete the operation. 177 // 178 // Parameters 179 // key_type - The type of the key for which a certificate is requested. 180 // user_id - Identifies the active user. 181 // key_name - The name of the key for which a certificate is requested. 182 // callback - Called when the operation completes. 183 // success - The status of the Privacy CA operation. 184 // data - The response data from the Privacy CA. 185 void SendCertificateResponseToDaemon(AttestationKeyType key_type, 186 const std::string& user_id, 187 const std::string& key_name, 188 const CertificateCallback& callback, 189 bool success, 190 const std::string& data); 191 192 // Gets an existing certificate from the attestation daemon. 193 // 194 // Parameters 195 // key_type - The type of the key for which a certificate is requested. 196 // user_id - Identifies the active user. 197 // key_name - The name of the key for which a certificate is requested. 198 // callback - Called when the operation completes. 199 void GetExistingCertificate(AttestationKeyType key_type, 200 const std::string& user_id, 201 const std::string& key_name, 202 const CertificateCallback& callback); 203 204 cryptohome::AsyncMethodCaller* async_caller_; 205 CryptohomeClient* cryptohome_client_; 206 scoped_ptr<ServerProxy> server_proxy_; 207 208 base::WeakPtrFactory<AttestationFlow> weak_factory_; 209 210 DISALLOW_COPY_AND_ASSIGN(AttestationFlow); 211 }; 212 213 } // namespace attestation 214 } // namespace chromeos 215 216 #endif // CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ 217