1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROMEOS_DBUS_CRYPTOHOME_CLIENT_H_ 6 #define CHROMEOS_DBUS_CRYPTOHOME_CLIENT_H_ 7 8 #include <string> 9 #include <vector> 10 11 #include "base/basictypes.h" 12 #include "base/callback.h" 13 #include "chromeos/attestation/attestation_constants.h" 14 #include "chromeos/chromeos_export.h" 15 #include "chromeos/dbus/dbus_client.h" 16 #include "chromeos/dbus/dbus_method_call_status.h" 17 18 namespace cryptohome { 19 20 class AccountIdentifier; 21 class AddKeyRequest; 22 class AuthorizationRequest; 23 class BaseReply; 24 class CheckKeyRequest; 25 class MountRequest; 26 class UpdateKeyRequest; 27 class RemoveKeyRequest; 28 29 } // namespace cryptohome 30 31 namespace chromeos { 32 33 // CryptohomeClient is used to communicate with the Cryptohome service. 34 // All method should be called from the origin thread (UI thread) which 35 // initializes the DBusThreadManager instance. 36 class CHROMEOS_EXPORT CryptohomeClient : public DBusClient { 37 public: 38 // A callback to handle AsyncCallStatus signals. 39 typedef base::Callback<void(int async_id, 40 bool return_status, 41 int return_code)> 42 AsyncCallStatusHandler; 43 // A callback to handle AsyncCallStatusWithData signals. 44 typedef base::Callback<void(int async_id, 45 bool return_status, 46 const std::string& data)> 47 AsyncCallStatusWithDataHandler; 48 // A callback to handle responses of AsyncXXX methods. 49 typedef base::Callback<void(int async_id)> AsyncMethodCallback; 50 // A callback for GetSystemSalt(). 51 typedef base::Callback<void( 52 DBusMethodCallStatus call_status, 53 const std::vector<uint8>& system_salt)> GetSystemSaltCallback; 54 // A callback for WaitForServiceToBeAvailable(). 55 typedef base::Callback<void(bool service_is_ready)> 56 WaitForServiceToBeAvailableCallback; 57 // A callback to handle responses of Pkcs11GetTpmTokenInfo method. The result 58 // of the D-Bus call is in |call_status|. On success, |label| holds the 59 // PKCS #11 token label. This is not useful in practice to identify a token 60 // but may be meaningful to a user. The |user_pin| can be used with the 61 // C_Login PKCS #11 function but is not necessary because tokens are logged in 62 // for the duration of a signed-in session. The |slot| corresponds to a 63 // CK_SLOT_ID for the PKCS #11 API and reliably identifies the token for the 64 // duration of the signed-in session. 65 typedef base::Callback<void( 66 DBusMethodCallStatus call_status, 67 const std::string& label, 68 const std::string& user_pin, 69 int slot)> Pkcs11GetTpmTokenInfoCallback; 70 // A callback for methods which return both a bool result and data. 71 typedef base::Callback<void(DBusMethodCallStatus call_status, 72 bool result, 73 const std::string& data)> DataMethodCallback; 74 75 // A callback for methods which return both a bool and a protobuf as reply. 76 typedef base::Callback< 77 void(DBusMethodCallStatus call_status, 78 bool result, 79 const cryptohome::BaseReply& reply)> ProtobufMethodCallback; 80 81 virtual ~CryptohomeClient(); 82 83 // Factory function, creates a new instance and returns ownership. 84 // For normal usage, access the singleton via DBusThreadManager::Get(). 85 static CryptohomeClient* Create(); 86 87 // Returns the sanitized |username| that the stub implementation would return. 88 static std::string GetStubSanitizedUsername(const std::string& username); 89 90 // Sets AsyncCallStatus signal handlers. 91 // |handler| is called when results for AsyncXXX methods are returned. 92 // Cryptohome service will process the calls in a first-in-first-out manner 93 // when they are made in parallel. 94 virtual void SetAsyncCallStatusHandlers( 95 const AsyncCallStatusHandler& handler, 96 const AsyncCallStatusWithDataHandler& data_handler) = 0; 97 98 // Resets AsyncCallStatus signal handlers. 99 virtual void ResetAsyncCallStatusHandlers() = 0; 100 101 // Runs the callback as soon as the service becomes available. 102 virtual void WaitForServiceToBeAvailable( 103 const WaitForServiceToBeAvailableCallback& callback) = 0; 104 105 // Calls IsMounted method and returns true when the call succeeds. 106 virtual void IsMounted(const BoolDBusMethodCallback& callback) = 0; 107 108 // Calls Unmount method and returns true when the call succeeds. 109 // This method blocks until the call returns. 110 virtual bool Unmount(bool* success) = 0; 111 112 // Calls AsyncCheckKey method. |callback| is called after the method call 113 // succeeds. 114 virtual void AsyncCheckKey(const std::string& username, 115 const std::string& key, 116 const AsyncMethodCallback& callback) = 0; 117 118 // Calls AsyncMigrateKey method. |callback| is called after the method call 119 // succeeds. 120 virtual void AsyncMigrateKey(const std::string& username, 121 const std::string& from_key, 122 const std::string& to_key, 123 const AsyncMethodCallback& callback) = 0; 124 125 // Calls AsyncRemove method. |callback| is called after the method call 126 // succeeds. 127 virtual void AsyncRemove(const std::string& username, 128 const AsyncMethodCallback& callback) = 0; 129 130 // Calls GetSystemSalt method. |callback| is called after the method call 131 // succeeds. 132 virtual void GetSystemSalt(const GetSystemSaltCallback& callback) = 0; 133 134 // Calls GetSanitizedUsername method. |callback| is called after the method 135 // call succeeds. 136 virtual void GetSanitizedUsername( 137 const std::string& username, 138 const StringDBusMethodCallback& callback) = 0; 139 140 // Same as GetSanitizedUsername() but blocks until a reply is received, and 141 // returns the sanitized username synchronously. Returns an empty string if 142 // the method call fails. 143 // This may only be called in situations where blocking the UI thread is 144 // considered acceptable (e.g. restarting the browser after a crash or after 145 // a flag change). 146 virtual std::string BlockingGetSanitizedUsername( 147 const std::string& username) = 0; 148 149 // Calls the AsyncMount method to asynchronously mount the cryptohome for 150 // |username|, using |key| to unlock it. For supported |flags|, see the 151 // documentation of AsyncMethodCaller::AsyncMount(). 152 // |callback| is called after the method call succeeds. 153 virtual void AsyncMount(const std::string& username, 154 const std::string& key, 155 int flags, 156 const AsyncMethodCallback& callback) = 0; 157 158 // Calls the AsyncAddKey method to asynchronously add another |new_key| for 159 // |username|, using |key| to unlock it first. 160 // |callback| is called after the method call succeeds. 161 virtual void AsyncAddKey(const std::string& username, 162 const std::string& key, 163 const std::string& new_key, 164 const AsyncMethodCallback& callback) = 0; 165 166 // Calls AsyncMountGuest method. |callback| is called after the method call 167 // succeeds. 168 virtual void AsyncMountGuest(const AsyncMethodCallback& callback) = 0; 169 170 // Calls the AsyncMount method to asynchronously mount the cryptohome for 171 // |public_mount_id|. For supported |flags|, see the documentation of 172 // AsyncMethodCaller::AsyncMount(). |callback| is called after the method 173 // call succeeds. 174 virtual void AsyncMountPublic(const std::string& public_mount_id, 175 int flags, 176 const AsyncMethodCallback& callback) = 0; 177 178 // Calls TpmIsReady method. 179 virtual void TpmIsReady(const BoolDBusMethodCallback& callback) = 0; 180 181 // Calls TpmIsEnabled method. 182 virtual void TpmIsEnabled(const BoolDBusMethodCallback& callback) = 0; 183 184 // Calls TpmIsEnabled method and returns true when the call succeeds. 185 // This method blocks until the call returns. 186 // TODO(hashimoto): Remove this method. crbug.com/141006 187 virtual bool CallTpmIsEnabledAndBlock(bool* enabled) = 0; 188 189 // Calls TpmGetPassword method. 190 virtual void TpmGetPassword(const StringDBusMethodCallback& callback) = 0; 191 192 // Calls TpmIsOwned method. 193 virtual void TpmIsOwned(const BoolDBusMethodCallback& callback) = 0; 194 195 // Calls TpmIsOwned method and returns true when the call succeeds. 196 // This method blocks until the call returns. 197 // TODO(hashimoto): Remove this method. crbug.com/141012 198 virtual bool CallTpmIsOwnedAndBlock(bool* owned) = 0; 199 200 // Calls TpmIsBeingOwned method. 201 virtual void TpmIsBeingOwned(const BoolDBusMethodCallback& callback) = 0; 202 203 // Calls TpmIsBeingOwned method and returns true when the call succeeds. 204 // This method blocks until the call returns. 205 // TODO(hashimoto): Remove this method. crbug.com/141011 206 virtual bool CallTpmIsBeingOwnedAndBlock(bool* owning) = 0; 207 208 // Calls TpmCanAttemptOwnership method. 209 // This method tells the service that it is OK to attempt ownership. 210 virtual void TpmCanAttemptOwnership( 211 const VoidDBusMethodCallback& callback) = 0; 212 213 // Calls TpmClearStoredPasswordMethod. 214 virtual void TpmClearStoredPassword( 215 const VoidDBusMethodCallback& callback) = 0; 216 217 // Calls TpmClearStoredPassword method and returns true when the call 218 // succeeds. This method blocks until the call returns. 219 // TODO(hashimoto): Remove this method. crbug.com/141010 220 virtual bool CallTpmClearStoredPasswordAndBlock() = 0; 221 222 // Calls Pkcs11IsTpmTokenReady method. 223 virtual void Pkcs11IsTpmTokenReady( 224 const BoolDBusMethodCallback& callback) = 0; 225 226 // Calls Pkcs11GetTpmTokenInfo method. This method is deprecated, you should 227 // use Pkcs11GetTpmTokenInfoForUser instead. On success |callback| will 228 // receive PKCS #11 token information for the token associated with the user 229 // who originally signed in (i.e. PKCS #11 slot 0). 230 virtual void Pkcs11GetTpmTokenInfo( 231 const Pkcs11GetTpmTokenInfoCallback& callback) = 0; 232 233 // Calls Pkcs11GetTpmTokenInfoForUser method. On success |callback| will 234 // receive PKCS #11 token information for the user identified by |user_email|. 235 // The |user_email| must be a canonical email address as returned by 236 // chromeos::User::email(). 237 virtual void Pkcs11GetTpmTokenInfoForUser( 238 const std::string& user_email, 239 const Pkcs11GetTpmTokenInfoCallback& callback) = 0; 240 241 // Calls InstallAttributesGet method and returns true when the call succeeds. 242 // This method blocks until the call returns. 243 // The original content of |value| is lost. 244 virtual bool InstallAttributesGet(const std::string& name, 245 std::vector<uint8>* value, 246 bool* successful) = 0; 247 248 // Calls InstallAttributesSet method and returns true when the call succeeds. 249 // This method blocks until the call returns. 250 virtual bool InstallAttributesSet(const std::string& name, 251 const std::vector<uint8>& value, 252 bool* successful) = 0; 253 254 // Calls InstallAttributesFinalize method and returns true when the call 255 // succeeds. This method blocks until the call returns. 256 virtual bool InstallAttributesFinalize(bool* successful) = 0; 257 258 // Calls InstallAttributesIsReady method. 259 virtual void InstallAttributesIsReady( 260 const BoolDBusMethodCallback& callback) = 0; 261 262 // Calls InstallAttributesIsInvalid method and returns true when the call 263 // succeeds. This method blocks until the call returns. 264 virtual bool InstallAttributesIsInvalid(bool* is_invalid) = 0; 265 266 // Calls InstallAttributesIsFirstInstall method and returns true when the call 267 // succeeds. This method blocks until the call returns. 268 virtual bool InstallAttributesIsFirstInstall(bool* is_first_install) = 0; 269 270 // Calls the TpmAttestationIsPrepared dbus method. The callback is called 271 // when the operation completes. 272 virtual void TpmAttestationIsPrepared( 273 const BoolDBusMethodCallback& callback) = 0; 274 275 // Calls the TpmAttestationIsEnrolled dbus method. The callback is called 276 // when the operation completes. 277 virtual void TpmAttestationIsEnrolled( 278 const BoolDBusMethodCallback& callback) = 0; 279 280 // Asynchronously creates an attestation enrollment request. The callback 281 // will be called when the dbus call completes. When the operation completes, 282 // the AsyncCallStatusWithDataHandler signal handler is called. The data that 283 // is sent with the signal is an enrollment request to be sent to the Privacy 284 // CA of type |pca_type|. The enrollment is completed by calling 285 // AsyncTpmAttestationEnroll. 286 virtual void AsyncTpmAttestationCreateEnrollRequest( 287 chromeos::attestation::PrivacyCAType pca_type, 288 const AsyncMethodCallback& callback) = 0; 289 290 // Asynchronously finishes an attestation enrollment operation. The callback 291 // will be called when the dbus call completes. When the operation completes, 292 // the AsyncCallStatusHandler signal handler is called. |pca_response| is the 293 // response to the enrollment request emitted by the Privacy CA of type 294 // |pca_type|. 295 virtual void AsyncTpmAttestationEnroll( 296 chromeos::attestation::PrivacyCAType pca_type, 297 const std::string& pca_response, 298 const AsyncMethodCallback& callback) = 0; 299 300 // Asynchronously creates an attestation certificate request according to 301 // |certificate_profile|. Some profiles require that the |user_id| of the 302 // currently active user and an identifier of the |request_origin| be 303 // provided. |callback| will be called when the dbus call completes. When 304 // the operation completes, the AsyncCallStatusWithDataHandler signal handler 305 // is called. The data that is sent with the signal is a certificate request 306 // to be sent to the Privacy CA of type |pca_type|. The certificate request 307 // is completed by calling AsyncTpmAttestationFinishCertRequest. The 308 // |user_id| will not be included in the certificate request for the Privacy 309 // CA. 310 virtual void AsyncTpmAttestationCreateCertRequest( 311 chromeos::attestation::PrivacyCAType pca_type, 312 attestation::AttestationCertificateProfile certificate_profile, 313 const std::string& user_id, 314 const std::string& request_origin, 315 const AsyncMethodCallback& callback) = 0; 316 317 // Asynchronously finishes a certificate request operation. The callback will 318 // be called when the dbus call completes. When the operation completes, the 319 // AsyncCallStatusWithDataHandler signal handler is called. The data that is 320 // sent with the signal is a certificate chain in PEM format. |pca_response| 321 // is the response to the certificate request emitted by the Privacy CA. 322 // |key_type| determines whether the certified key is to be associated with 323 // the current user. |key_name| is a name for the key. If |key_type| is 324 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 325 // For normal GAIA users the |user_id| is a canonical email address. 326 virtual void AsyncTpmAttestationFinishCertRequest( 327 const std::string& pca_response, 328 attestation::AttestationKeyType key_type, 329 const std::string& user_id, 330 const std::string& key_name, 331 const AsyncMethodCallback& callback) = 0; 332 333 // Checks if an attestation key already exists. If the key specified by 334 // |key_type| and |key_name| exists, then the result sent to the callback will 335 // be true. If |key_type| is KEY_USER, a |user_id| must be provided. 336 // Otherwise |user_id| is ignored. For normal GAIA users the |user_id| is a 337 // canonical email address. 338 virtual void TpmAttestationDoesKeyExist( 339 attestation::AttestationKeyType key_type, 340 const std::string& user_id, 341 const std::string& key_name, 342 const BoolDBusMethodCallback& callback) = 0; 343 344 // Gets the attestation certificate for the key specified by |key_type| and 345 // |key_name|. |callback| will be called when the operation completes. If 346 // the key does not exist the callback |result| parameter will be false. If 347 // |key_type| is KEY_USER, a |user_id| must be provided. Otherwise |user_id| 348 // is ignored. For normal GAIA users the |user_id| is a canonical email 349 // address. 350 virtual void TpmAttestationGetCertificate( 351 attestation::AttestationKeyType key_type, 352 const std::string& user_id, 353 const std::string& key_name, 354 const DataMethodCallback& callback) = 0; 355 356 // Gets the public key for the key specified by |key_type| and |key_name|. 357 // |callback| will be called when the operation completes. If the key does 358 // not exist the callback |result| parameter will be false. If |key_type| is 359 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 360 // For normal GAIA users the |user_id| is a canonical email address. 361 virtual void TpmAttestationGetPublicKey( 362 attestation::AttestationKeyType key_type, 363 const std::string& user_id, 364 const std::string& key_name, 365 const DataMethodCallback& callback) = 0; 366 367 // Asynchronously registers an attestation key with the current user's 368 // PKCS #11 token. The |callback| will be called when the dbus call 369 // completes. When the operation completes, the AsyncCallStatusHandler signal 370 // handler is called. |key_type| and |key_name| specify the key to register. 371 // If |key_type| is KEY_USER, a |user_id| must be provided. Otherwise 372 // |user_id| is ignored. For normal GAIA users the |user_id| is a canonical 373 // email address. 374 virtual void TpmAttestationRegisterKey( 375 attestation::AttestationKeyType key_type, 376 const std::string& user_id, 377 const std::string& key_name, 378 const AsyncMethodCallback& callback) = 0; 379 380 // Asynchronously signs an enterprise challenge with the key specified by 381 // |key_type| and |key_name|. |domain| and |device_id| will be included in 382 // the challenge response. |options| control how the challenge response is 383 // generated. |challenge| must be a valid enterprise attestation challenge. 384 // The |callback| will be called when the dbus call completes. When the 385 // operation completes, the AsyncCallStatusWithDataHandler signal handler is 386 // called. If |key_type| is KEY_USER, a |user_id| must be provided. 387 // Otherwise |user_id| is ignored. For normal GAIA users the |user_id| is a 388 // canonical email address. 389 virtual void TpmAttestationSignEnterpriseChallenge( 390 attestation::AttestationKeyType key_type, 391 const std::string& user_id, 392 const std::string& key_name, 393 const std::string& domain, 394 const std::string& device_id, 395 attestation::AttestationChallengeOptions options, 396 const std::string& challenge, 397 const AsyncMethodCallback& callback) = 0; 398 399 // Asynchronously signs a simple challenge with the key specified by 400 // |key_type| and |key_name|. |challenge| can be any set of arbitrary bytes. 401 // A nonce will be appended to the challenge before signing; this method 402 // cannot be used to sign arbitrary data. The |callback| will be called when 403 // the dbus call completes. When the operation completes, the 404 // AsyncCallStatusWithDataHandler signal handler is called. If |key_type| is 405 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 406 // For normal GAIA users the |user_id| is a canonical email address. 407 virtual void TpmAttestationSignSimpleChallenge( 408 attestation::AttestationKeyType key_type, 409 const std::string& user_id, 410 const std::string& key_name, 411 const std::string& challenge, 412 const AsyncMethodCallback& callback) = 0; 413 414 // Gets the payload associated with the key specified by |key_type| and 415 // |key_name|. The |callback| will be called when the operation completes. 416 // If the key does not exist the callback |result| parameter will be false. 417 // If no payload has been set for the key the callback |result| parameter will 418 // be true and the |data| parameter will be empty. If |key_type| is 419 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 420 // For normal GAIA users the |user_id| is a canonical email address. 421 virtual void TpmAttestationGetKeyPayload( 422 attestation::AttestationKeyType key_type, 423 const std::string& user_id, 424 const std::string& key_name, 425 const DataMethodCallback& callback) = 0; 426 427 // Sets the |payload| associated with the key specified by |key_type| and 428 // |key_name|. The |callback| will be called when the operation completes. 429 // If the operation succeeds, the callback |result| parameter will be true. 430 // If |key_type| is KEY_USER, a |user_id| must be provided. Otherwise 431 // |user_id| is ignored. For normal GAIA users the |user_id| is a canonical 432 // email address. 433 virtual void TpmAttestationSetKeyPayload( 434 attestation::AttestationKeyType key_type, 435 const std::string& user_id, 436 const std::string& key_name, 437 const std::string& payload, 438 const BoolDBusMethodCallback& callback) = 0; 439 440 // Deletes certified keys as specified by |key_type| and |key_prefix|. The 441 // |callback| will be called when the operation completes. If the operation 442 // succeeds, the callback |result| parameter will be true. If |key_type| is 443 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 444 // For normal GAIA users the |user_id| is a canonical email address. All keys 445 // where the key name has a prefix matching |key_prefix| will be deleted. All 446 // meta-data associated with the key, including certificates, will also be 447 // deleted. 448 virtual void TpmAttestationDeleteKeys( 449 attestation::AttestationKeyType key_type, 450 const std::string& user_id, 451 const std::string& key_prefix, 452 const BoolDBusMethodCallback& callback) = 0; 453 454 // Asynchronously calls CheckKeyEx method. |callback| is called after method 455 // call, and with reply protobuf. 456 // CheckKeyEx just checks if authorization information is valid. 457 virtual void CheckKeyEx( 458 const cryptohome::AccountIdentifier& id, 459 const cryptohome::AuthorizationRequest& auth, 460 const cryptohome::CheckKeyRequest& request, 461 const ProtobufMethodCallback& callback) = 0; 462 463 // Asynchronously calls MountEx method. |callback| is called after method 464 // call, and with reply protobuf. 465 // MountEx attempts to mount home dir using given authorization, and can 466 // create new home dir if necessary values are specified in |request|. 467 virtual void MountEx( 468 const cryptohome::AccountIdentifier& id, 469 const cryptohome::AuthorizationRequest& auth, 470 const cryptohome::MountRequest& request, 471 const ProtobufMethodCallback& callback) = 0; 472 473 // Asynchronously calls AddKeyEx method. |callback| is called after method 474 // call, and with reply protobuf. 475 // AddKeyEx adds another key to the given key set. |request| also defines 476 // behavior in case when key with specified label already exist. 477 virtual void AddKeyEx( 478 const cryptohome::AccountIdentifier& id, 479 const cryptohome::AuthorizationRequest& auth, 480 const cryptohome::AddKeyRequest& request, 481 const ProtobufMethodCallback& callback) = 0; 482 483 // Asynchronously calls UpdateKeyEx method. |callback| is called after method 484 // call, and with reply protobuf. Reply will contain MountReply extension. 485 // UpdateKeyEx replaces key used for authorization, without affecting any 486 // other keys. If specified at home dir creation time, new key may have 487 // to be signed and/or encrypted. 488 virtual void UpdateKeyEx( 489 const cryptohome::AccountIdentifier& id, 490 const cryptohome::AuthorizationRequest& auth, 491 const cryptohome::UpdateKeyRequest& request, 492 const ProtobufMethodCallback& callback) = 0; 493 494 // Asynchronously calls RemoveKeyEx method. |callback| is called after method 495 // call, and with reply protobuf. 496 // RemoveKeyEx removes key from the given key set. 497 virtual void RemoveKeyEx(const cryptohome::AccountIdentifier& id, 498 const cryptohome::AuthorizationRequest& auth, 499 const cryptohome::RemoveKeyRequest& request, 500 const ProtobufMethodCallback& callback) = 0; 501 502 protected: 503 // Create() should be used instead. 504 CryptohomeClient(); 505 506 private: 507 DISALLOW_COPY_AND_ASSIGN(CryptohomeClient); 508 }; 509 510 } // namespace chromeos 511 512 #endif // CHROMEOS_DBUS_CRYPTOHOME_CLIENT_H_ 513