1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROMEOS_DBUS_CRYPTOHOME_CLIENT_H_ 6 #define CHROMEOS_DBUS_CRYPTOHOME_CLIENT_H_ 7 8 #include <string> 9 #include <vector> 10 11 #include "base/basictypes.h" 12 #include "base/callback.h" 13 #include "chromeos/attestation/attestation_constants.h" 14 #include "chromeos/chromeos_export.h" 15 #include "chromeos/dbus/dbus_client.h" 16 #include "chromeos/dbus/dbus_method_call_status.h" 17 18 namespace chromeos { 19 20 // CryptohomeClient is used to communicate with the Cryptohome service. 21 // All method should be called from the origin thread (UI thread) which 22 // initializes the DBusThreadManager instance. 23 class CHROMEOS_EXPORT CryptohomeClient : public DBusClient { 24 public: 25 // A callback to handle AsyncCallStatus signals. 26 typedef base::Callback<void(int async_id, 27 bool return_status, 28 int return_code)> 29 AsyncCallStatusHandler; 30 // A callback to handle AsyncCallStatusWithData signals. 31 typedef base::Callback<void(int async_id, 32 bool return_status, 33 const std::string& data)> 34 AsyncCallStatusWithDataHandler; 35 // A callback to handle responses of AsyncXXX methods. 36 typedef base::Callback<void(int async_id)> AsyncMethodCallback; 37 // A callback for GetSystemSalt(). 38 typedef base::Callback<void( 39 DBusMethodCallStatus call_status, 40 const std::vector<uint8>& system_salt)> GetSystemSaltCallback; 41 // A callback for WaitForServiceToBeAvailable(). 42 typedef base::Callback<void(bool service_is_ready)> 43 WaitForServiceToBeAvailableCallback; 44 // A callback to handle responses of Pkcs11GetTpmTokenInfo method. The result 45 // of the D-Bus call is in |call_status|. On success, |label| holds the 46 // PKCS #11 token label. This is not useful in practice to identify a token 47 // but may be meaningful to a user. The |user_pin| can be used with the 48 // C_Login PKCS #11 function but is not necessary because tokens are logged in 49 // for the duration of a signed-in session. The |slot| corresponds to a 50 // CK_SLOT_ID for the PKCS #11 API and reliably identifies the token for the 51 // duration of the signed-in session. 52 typedef base::Callback<void( 53 DBusMethodCallStatus call_status, 54 const std::string& label, 55 const std::string& user_pin, 56 int slot)> Pkcs11GetTpmTokenInfoCallback; 57 // A callback for methods which return both a bool result and data. 58 typedef base::Callback<void(DBusMethodCallStatus call_status, 59 bool result, 60 const std::string& data)> DataMethodCallback; 61 62 virtual ~CryptohomeClient(); 63 64 // Factory function, creates a new instance and returns ownership. 65 // For normal usage, access the singleton via DBusThreadManager::Get(). 66 static CryptohomeClient* Create(); 67 68 // Returns the sanitized |username| that the stub implementation would return. 69 static std::string GetStubSanitizedUsername(const std::string& username); 70 71 // Sets AsyncCallStatus signal handlers. 72 // |handler| is called when results for AsyncXXX methods are returned. 73 // Cryptohome service will process the calls in a first-in-first-out manner 74 // when they are made in parallel. 75 virtual void SetAsyncCallStatusHandlers( 76 const AsyncCallStatusHandler& handler, 77 const AsyncCallStatusWithDataHandler& data_handler) = 0; 78 79 // Resets AsyncCallStatus signal handlers. 80 virtual void ResetAsyncCallStatusHandlers() = 0; 81 82 // Runs the callback as soon as the service becomes available. 83 virtual void WaitForServiceToBeAvailable( 84 const WaitForServiceToBeAvailableCallback& callback) = 0; 85 86 // Calls IsMounted method and returns true when the call succeeds. 87 virtual void IsMounted(const BoolDBusMethodCallback& callback) = 0; 88 89 // Calls Unmount method and returns true when the call succeeds. 90 // This method blocks until the call returns. 91 virtual bool Unmount(bool* success) = 0; 92 93 // Calls AsyncCheckKey method. |callback| is called after the method call 94 // succeeds. 95 virtual void AsyncCheckKey(const std::string& username, 96 const std::string& key, 97 const AsyncMethodCallback& callback) = 0; 98 99 // Calls AsyncMigrateKey method. |callback| is called after the method call 100 // succeeds. 101 virtual void AsyncMigrateKey(const std::string& username, 102 const std::string& from_key, 103 const std::string& to_key, 104 const AsyncMethodCallback& callback) = 0; 105 106 // Calls AsyncRemove method. |callback| is called after the method call 107 // succeeds. 108 virtual void AsyncRemove(const std::string& username, 109 const AsyncMethodCallback& callback) = 0; 110 111 // Calls GetSystemSalt method. |callback| is called after the method call 112 // succeeds. 113 virtual void GetSystemSalt(const GetSystemSaltCallback& callback) = 0; 114 115 // Calls GetSanitizedUsername method. |callback| is called after the method 116 // call succeeds. 117 virtual void GetSanitizedUsername( 118 const std::string& username, 119 const StringDBusMethodCallback& callback) = 0; 120 121 // Same as GetSanitizedUsername() but blocks until a reply is received, and 122 // returns the sanitized username synchronously. Returns an empty string if 123 // the method call fails. 124 // This may only be called in situations where blocking the UI thread is 125 // considered acceptable (e.g. restarting the browser after a crash or after 126 // a flag change). 127 virtual std::string BlockingGetSanitizedUsername( 128 const std::string& username) = 0; 129 130 // Calls the AsyncMount method to asynchronously mount the cryptohome for 131 // |username|, using |key| to unlock it. For supported |flags|, see the 132 // documentation of AsyncMethodCaller::AsyncMount(). 133 // |callback| is called after the method call succeeds. 134 virtual void AsyncMount(const std::string& username, 135 const std::string& key, 136 int flags, 137 const AsyncMethodCallback& callback) = 0; 138 139 // Calls the AsyncAddKey method to asynchronously add another |new_key| for 140 // |username|, using |key| to unlock it first. 141 // |callback| is called after the method call succeeds. 142 virtual void AsyncAddKey(const std::string& username, 143 const std::string& key, 144 const std::string& new_key, 145 const AsyncMethodCallback& callback) = 0; 146 147 // Calls AsyncMountGuest method. |callback| is called after the method call 148 // succeeds. 149 virtual void AsyncMountGuest(const AsyncMethodCallback& callback) = 0; 150 151 // Calls the AsyncMount method to asynchronously mount the cryptohome for 152 // |public_mount_id|. For supported |flags|, see the documentation of 153 // AsyncMethodCaller::AsyncMount(). |callback| is called after the method 154 // call succeeds. 155 virtual void AsyncMountPublic(const std::string& public_mount_id, 156 int flags, 157 const AsyncMethodCallback& callback) = 0; 158 159 // Calls TpmIsReady method. 160 virtual void TpmIsReady(const BoolDBusMethodCallback& callback) = 0; 161 162 // Calls TpmIsEnabled method. 163 virtual void TpmIsEnabled(const BoolDBusMethodCallback& callback) = 0; 164 165 // Calls TpmIsEnabled method and returns true when the call succeeds. 166 // This method blocks until the call returns. 167 // TODO(hashimoto): Remove this method. crbug.com/141006 168 virtual bool CallTpmIsEnabledAndBlock(bool* enabled) = 0; 169 170 // Calls TpmGetPassword method. 171 virtual void TpmGetPassword(const StringDBusMethodCallback& callback) = 0; 172 173 // Calls TpmIsOwned method. 174 virtual void TpmIsOwned(const BoolDBusMethodCallback& callback) = 0; 175 176 // Calls TpmIsOwned method and returns true when the call succeeds. 177 // This method blocks until the call returns. 178 // TODO(hashimoto): Remove this method. crbug.com/141012 179 virtual bool CallTpmIsOwnedAndBlock(bool* owned) = 0; 180 181 // Calls TpmIsBeingOwned method. 182 virtual void TpmIsBeingOwned(const BoolDBusMethodCallback& callback) = 0; 183 184 // Calls TpmIsBeingOwned method and returns true when the call succeeds. 185 // This method blocks until the call returns. 186 // TODO(hashimoto): Remove this method. crbug.com/141011 187 virtual bool CallTpmIsBeingOwnedAndBlock(bool* owning) = 0; 188 189 // Calls TpmCanAttemptOwnership method. 190 // This method tells the service that it is OK to attempt ownership. 191 virtual void TpmCanAttemptOwnership( 192 const VoidDBusMethodCallback& callback) = 0; 193 194 // Calls TpmClearStoredPasswordMethod. 195 virtual void TpmClearStoredPassword( 196 const VoidDBusMethodCallback& callback) = 0; 197 198 // Calls TpmClearStoredPassword method and returns true when the call 199 // succeeds. This method blocks until the call returns. 200 // TODO(hashimoto): Remove this method. crbug.com/141010 201 virtual bool CallTpmClearStoredPasswordAndBlock() = 0; 202 203 // Calls Pkcs11IsTpmTokenReady method. 204 virtual void Pkcs11IsTpmTokenReady( 205 const BoolDBusMethodCallback& callback) = 0; 206 207 // Calls Pkcs11GetTpmTokenInfo method. This method is deprecated, you should 208 // use Pkcs11GetTpmTokenInfoForUser instead. On success |callback| will 209 // receive PKCS #11 token information for the token associated with the user 210 // who originally signed in (i.e. PKCS #11 slot 0). 211 virtual void Pkcs11GetTpmTokenInfo( 212 const Pkcs11GetTpmTokenInfoCallback& callback) = 0; 213 214 // Calls Pkcs11GetTpmTokenInfoForUser method. On success |callback| will 215 // receive PKCS #11 token information for the user identified by |user_email|. 216 // The |user_email| must be a canonical email address as returned by 217 // chromeos::User::email(). 218 virtual void Pkcs11GetTpmTokenInfoForUser( 219 const std::string& user_email, 220 const Pkcs11GetTpmTokenInfoCallback& callback) = 0; 221 222 // Calls InstallAttributesGet method and returns true when the call succeeds. 223 // This method blocks until the call returns. 224 // The original content of |value| is lost. 225 virtual bool InstallAttributesGet(const std::string& name, 226 std::vector<uint8>* value, 227 bool* successful) = 0; 228 229 // Calls InstallAttributesSet method and returns true when the call succeeds. 230 // This method blocks until the call returns. 231 virtual bool InstallAttributesSet(const std::string& name, 232 const std::vector<uint8>& value, 233 bool* successful) = 0; 234 235 // Calls InstallAttributesFinalize method and returns true when the call 236 // succeeds. This method blocks until the call returns. 237 virtual bool InstallAttributesFinalize(bool* successful) = 0; 238 239 // Calls InstallAttributesIsReady method. 240 virtual void InstallAttributesIsReady( 241 const BoolDBusMethodCallback& callback) = 0; 242 243 // Calls InstallAttributesIsInvalid method and returns true when the call 244 // succeeds. This method blocks until the call returns. 245 virtual bool InstallAttributesIsInvalid(bool* is_invalid) = 0; 246 247 // Calls InstallAttributesIsFirstInstall method and returns true when the call 248 // succeeds. This method blocks until the call returns. 249 virtual bool InstallAttributesIsFirstInstall(bool* is_first_install) = 0; 250 251 // Calls the TpmAttestationIsPrepared dbus method. The callback is called 252 // when the operation completes. 253 virtual void TpmAttestationIsPrepared( 254 const BoolDBusMethodCallback& callback) = 0; 255 256 // Calls the TpmAttestationIsEnrolled dbus method. The callback is called 257 // when the operation completes. 258 virtual void TpmAttestationIsEnrolled( 259 const BoolDBusMethodCallback& callback) = 0; 260 261 // Asynchronously creates an attestation enrollment request. The callback 262 // will be called when the dbus call completes. When the operation completes, 263 // the AsyncCallStatusWithDataHandler signal handler is called. The data that 264 // is sent with the signal is an enrollment request to be sent to the Privacy 265 // CA. The enrollment is completed by calling AsyncTpmAttestationEnroll. 266 virtual void AsyncTpmAttestationCreateEnrollRequest( 267 const AsyncMethodCallback& callback) = 0; 268 269 // Asynchronously finishes an attestation enrollment operation. The callback 270 // will be called when the dbus call completes. When the operation completes, 271 // the AsyncCallStatusHandler signal handler is called. |pca_response| is the 272 // response to the enrollment request emitted by the Privacy CA. 273 virtual void AsyncTpmAttestationEnroll( 274 const std::string& pca_response, 275 const AsyncMethodCallback& callback) = 0; 276 277 // Asynchronously creates an attestation certificate request according to 278 // |certificate_profile|. Some profiles require that the |user_id| of the 279 // currently active user and an identifier of the |request_origin| be 280 // provided. |callback| will be called when the dbus call completes. When 281 // the operation completes, the AsyncCallStatusWithDataHandler signal handler 282 // is called. The data that is sent with the signal is a certificate request 283 // to be sent to the Privacy CA. The certificate request is completed by 284 // calling AsyncTpmAttestationFinishCertRequest. The |user_id| will not 285 // be included in the certificate request for the Privacy CA. 286 virtual void AsyncTpmAttestationCreateCertRequest( 287 attestation::AttestationCertificateProfile certificate_profile, 288 const std::string& user_id, 289 const std::string& request_origin, 290 const AsyncMethodCallback& callback) = 0; 291 292 // Asynchronously finishes a certificate request operation. The callback will 293 // be called when the dbus call completes. When the operation completes, the 294 // AsyncCallStatusWithDataHandler signal handler is called. The data that is 295 // sent with the signal is a certificate chain in PEM format. |pca_response| 296 // is the response to the certificate request emitted by the Privacy CA. 297 // |key_type| determines whether the certified key is to be associated with 298 // the current user. |key_name| is a name for the key. If |key_type| is 299 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 300 // For normal GAIA users the |user_id| is a canonical email address. 301 virtual void AsyncTpmAttestationFinishCertRequest( 302 const std::string& pca_response, 303 attestation::AttestationKeyType key_type, 304 const std::string& user_id, 305 const std::string& key_name, 306 const AsyncMethodCallback& callback) = 0; 307 308 // Checks if an attestation key already exists. If the key specified by 309 // |key_type| and |key_name| exists, then the result sent to the callback will 310 // be true. If |key_type| is KEY_USER, a |user_id| must be provided. 311 // Otherwise |user_id| is ignored. For normal GAIA users the |user_id| is a 312 // canonical email address. 313 virtual void TpmAttestationDoesKeyExist( 314 attestation::AttestationKeyType key_type, 315 const std::string& user_id, 316 const std::string& key_name, 317 const BoolDBusMethodCallback& callback) = 0; 318 319 // Gets the attestation certificate for the key specified by |key_type| and 320 // |key_name|. |callback| will be called when the operation completes. If 321 // the key does not exist the callback |result| parameter will be false. If 322 // |key_type| is KEY_USER, a |user_id| must be provided. Otherwise |user_id| 323 // is ignored. For normal GAIA users the |user_id| is a canonical email 324 // address. 325 virtual void TpmAttestationGetCertificate( 326 attestation::AttestationKeyType key_type, 327 const std::string& user_id, 328 const std::string& key_name, 329 const DataMethodCallback& callback) = 0; 330 331 // Gets the public key for the key specified by |key_type| and |key_name|. 332 // |callback| will be called when the operation completes. If the key does 333 // not exist the callback |result| parameter will be false. If |key_type| is 334 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 335 // For normal GAIA users the |user_id| is a canonical email address. 336 virtual void TpmAttestationGetPublicKey( 337 attestation::AttestationKeyType key_type, 338 const std::string& user_id, 339 const std::string& key_name, 340 const DataMethodCallback& callback) = 0; 341 342 // Asynchronously registers an attestation key with the current user's 343 // PKCS #11 token. The |callback| will be called when the dbus call 344 // completes. When the operation completes, the AsyncCallStatusHandler signal 345 // handler is called. |key_type| and |key_name| specify the key to register. 346 // If |key_type| is KEY_USER, a |user_id| must be provided. Otherwise 347 // |user_id| is ignored. For normal GAIA users the |user_id| is a canonical 348 // email address. 349 virtual void TpmAttestationRegisterKey( 350 attestation::AttestationKeyType key_type, 351 const std::string& user_id, 352 const std::string& key_name, 353 const AsyncMethodCallback& callback) = 0; 354 355 // Asynchronously signs an enterprise challenge with the key specified by 356 // |key_type| and |key_name|. |domain| and |device_id| will be included in 357 // the challenge response. |options| control how the challenge response is 358 // generated. |challenge| must be a valid enterprise attestation challenge. 359 // The |callback| will be called when the dbus call completes. When the 360 // operation completes, the AsyncCallStatusWithDataHandler signal handler is 361 // called. If |key_type| is KEY_USER, a |user_id| must be provided. 362 // Otherwise |user_id| is ignored. For normal GAIA users the |user_id| is a 363 // canonical email address. 364 virtual void TpmAttestationSignEnterpriseChallenge( 365 attestation::AttestationKeyType key_type, 366 const std::string& user_id, 367 const std::string& key_name, 368 const std::string& domain, 369 const std::string& device_id, 370 attestation::AttestationChallengeOptions options, 371 const std::string& challenge, 372 const AsyncMethodCallback& callback) = 0; 373 374 // Asynchronously signs a simple challenge with the key specified by 375 // |key_type| and |key_name|. |challenge| can be any set of arbitrary bytes. 376 // A nonce will be appended to the challenge before signing; this method 377 // cannot be used to sign arbitrary data. The |callback| will be called when 378 // the dbus call completes. When the operation completes, the 379 // AsyncCallStatusWithDataHandler signal handler is called. If |key_type| is 380 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 381 // For normal GAIA users the |user_id| is a canonical email address. 382 virtual void TpmAttestationSignSimpleChallenge( 383 attestation::AttestationKeyType key_type, 384 const std::string& user_id, 385 const std::string& key_name, 386 const std::string& challenge, 387 const AsyncMethodCallback& callback) = 0; 388 389 // Gets the payload associated with the key specified by |key_type| and 390 // |key_name|. The |callback| will be called when the operation completes. 391 // If the key does not exist the callback |result| parameter will be false. 392 // If no payload has been set for the key the callback |result| parameter will 393 // be true and the |data| parameter will be empty. If |key_type| is 394 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 395 // For normal GAIA users the |user_id| is a canonical email address. 396 virtual void TpmAttestationGetKeyPayload( 397 attestation::AttestationKeyType key_type, 398 const std::string& user_id, 399 const std::string& key_name, 400 const DataMethodCallback& callback) = 0; 401 402 // Sets the |payload| associated with the key specified by |key_type| and 403 // |key_name|. The |callback| will be called when the operation completes. 404 // If the operation succeeds, the callback |result| parameter will be true. 405 // If |key_type| is KEY_USER, a |user_id| must be provided. Otherwise 406 // |user_id| is ignored. For normal GAIA users the |user_id| is a canonical 407 // email address. 408 virtual void TpmAttestationSetKeyPayload( 409 attestation::AttestationKeyType key_type, 410 const std::string& user_id, 411 const std::string& key_name, 412 const std::string& payload, 413 const BoolDBusMethodCallback& callback) = 0; 414 415 // Deletes certified keys as specified by |key_type| and |key_prefix|. The 416 // |callback| will be called when the operation completes. If the operation 417 // succeeds, the callback |result| parameter will be true. If |key_type| is 418 // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. 419 // For normal GAIA users the |user_id| is a canonical email address. All keys 420 // where the key name has a prefix matching |key_prefix| will be deleted. All 421 // meta-data associated with the key, including certificates, will also be 422 // deleted. 423 virtual void TpmAttestationDeleteKeys( 424 attestation::AttestationKeyType key_type, 425 const std::string& user_id, 426 const std::string& key_prefix, 427 const BoolDBusMethodCallback& callback) = 0; 428 429 protected: 430 // Create() should be used instead. 431 CryptohomeClient(); 432 433 private: 434 DISALLOW_COPY_AND_ASSIGN(CryptohomeClient); 435 }; 436 437 } // namespace chromeos 438 439 #endif // CHROMEOS_DBUS_CRYPTOHOME_CLIENT_H_ 440
