Home | History | Annotate | Download | only in attestation 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
      6 #define CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
      7 
      8 #include <string>
      9 
     10 #include "base/basictypes.h"
     11 #include "base/callback_forward.h"
     12 #include "base/memory/scoped_ptr.h"
     13 #include "base/memory/weak_ptr.h"
     14 #include "chromeos/attestation/attestation_constants.h"
     15 #include "chromeos/chromeos_export.h"
     16 #include "chromeos/dbus/dbus_method_call_status.h"
     17 #include "third_party/cros_system_api/dbus/service_constants.h"
     18 
     19 namespace cryptohome {
     20 
     21 class AsyncMethodCaller;
     22 
     23 }  // namespace cryptohome
     24 
     25 namespace chromeos {
     26 
     27 class CryptohomeClient;
     28 
     29 namespace attestation {
     30 
     31 // Interface for access to the Privacy CA server.
     32 class CHROMEOS_EXPORT ServerProxy {
     33  public:
     34   typedef base::Callback<void(bool success,
     35                               const std::string& data)> DataCallback;
     36   virtual ~ServerProxy() {}
     37   virtual void SendEnrollRequest(const std::string& request,
     38                                  const DataCallback& on_response) = 0;
     39   virtual void SendCertificateRequest(const std::string& request,
     40                                       const DataCallback& on_response) = 0;
     41 };
     42 
     43 // Implements the message flow for Chrome OS attestation tasks.  Generally this
     44 // consists of coordinating messages between the Chrome OS attestation service
     45 // and the Chrome OS Privacy CA server.  Sample usage:
     46 //    AttestationFlow flow(AsyncMethodCaller::GetInstance(),
     47 //                         DBusThreadManager::Get().GetCryptohomeClient(),
     48 //                         my_server_proxy.Pass());
     49 //    AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback);
     50 //    flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback);
     51 class CHROMEOS_EXPORT AttestationFlow {
     52  public:
     53   typedef base::Callback<void(bool success,
     54                               const std::string& pem_certificate_chain)>
     55       CertificateCallback;
     56 
     57   AttestationFlow(cryptohome::AsyncMethodCaller* async_caller,
     58                   CryptohomeClient* cryptohome_client,
     59                   scoped_ptr<ServerProxy> server_proxy);
     60   virtual ~AttestationFlow();
     61 
     62   // Gets an attestation certificate for a hardware-protected key.  If a key for
     63   // the given profile does not exist, it will be generated and a certificate
     64   // request will be made to the Chrome OS Privacy CA to issue a certificate for
     65   // the key.  If the key already exists and |force_new_key| is false, the
     66   // existing certificate is returned.
     67   //
     68   // Parameters
     69   //   certificate_profile - Specifies what kind of certificate should be
     70   //                         requested from the CA.
     71   //   user_id - Identifies the currently active user.  For normal GAIA users
     72   //             this is a canonical email address.  This is ignored when using
     73   //             the enterprise machine cert profile.
     74   //   request_origin - For content protection profiles, certificate requests
     75   //                    are origin-specific.  This string must uniquely identify
     76   //                    the origin of the request.
     77   //   force_new_key - If set to true, a new key will be generated even if a key
     78   //                   already exists for the profile.  The new key will replace
     79   //                   the existing key on success.
     80   //   callback - A callback which will be called when the operation completes.
     81   //              On success |result| will be true and |data| will contain the
     82   //              PCA-issued certificate chain in PEM format.
     83   virtual void GetCertificate(AttestationCertificateProfile certificate_profile,
     84                               const std::string& user_id,
     85                               const std::string& request_origin,
     86                               bool force_new_key,
     87                               const CertificateCallback& callback);
     88 
     89  private:
     90   // Asynchronously initiates the attestation enrollment flow.
     91   //
     92   // Parameters
     93   //   on_failure - Called if any failure occurs.
     94   //   next_task - Called on successful enrollment.
     95   void StartEnroll(const base::Closure& on_failure,
     96                    const base::Closure& next_task);
     97 
     98   // Called when the attestation daemon has finished creating an enrollment
     99   // request for the Privacy CA.  The request is asynchronously forwarded as-is
    100   // to the PCA.
    101   //
    102   // Parameters
    103   //   on_failure - Called if any failure occurs.
    104   //   next_task - Called on successful enrollment.
    105   //   success - The status of request creation.
    106   //   data - The request data for the Privacy CA.
    107   void SendEnrollRequestToPCA(const base::Closure& on_failure,
    108                               const base::Closure& next_task,
    109                               bool success,
    110                               const std::string& data);
    111 
    112   // Called when the Privacy CA responds to an enrollment request.  The response
    113   // is asynchronously forwarded as-is to the attestation daemon in order to
    114   // complete the enrollment operation.
    115   //
    116   // Parameters
    117   //   on_failure - Called if any failure occurs.
    118   //   next_task - Called on successful enrollment.
    119   //   success - The status of the Privacy CA operation.
    120   //   data - The response data from the Privacy CA.
    121   void SendEnrollResponseToDaemon(const base::Closure& on_failure,
    122                                   const base::Closure& next_task,
    123                                   bool success,
    124                                   const std::string& data);
    125 
    126   // Called when the attestation daemon completes an enrollment operation.  If
    127   // the operation was successful, the next_task callback is called.
    128   //
    129   // Parameters
    130   //   on_failure - Called if any failure occurs.
    131   //   next_task - Called on successful enrollment.
    132   //   success - The status of the enrollment operation.
    133   //   not_used - An artifact of the cryptohome D-Bus interface; ignored.
    134   void OnEnrollComplete(const base::Closure& on_failure,
    135                         const base::Closure& next_task,
    136                         bool success,
    137                         cryptohome::MountError not_used);
    138 
    139   // Asynchronously initiates the certificate request flow.  Attestation
    140   // enrollment must complete successfully before this operation can succeed.
    141   //
    142   // Parameters
    143   //   certificate_profile - Specifies what kind of certificate should be
    144   //                         requested from the CA.
    145   //   user_id - Identifies the active user.
    146   //   request_origin - An identifier for the origin of this request.
    147   //   generate_new_key - If set to true a new key is generated.
    148   //   callback - Called when the operation completes.
    149   void StartCertificateRequest(
    150       const AttestationCertificateProfile certificate_profile,
    151       const std::string& user_id,
    152       const std::string& request_origin,
    153       bool generate_new_key,
    154       const CertificateCallback& callback);
    155 
    156   // Called when the attestation daemon has finished creating a certificate
    157   // request for the Privacy CA.  The request is asynchronously forwarded as-is
    158   // to the PCA.
    159   //
    160   // Parameters
    161   //   key_type - The type of the key for which a certificate is requested.
    162   //   user_id - Identifies the active user.
    163   //   key_name - The name of the key for which a certificate is requested.
    164   //   callback - Called when the operation completes.
    165   //   success - The status of request creation.
    166   //   data - The request data for the Privacy CA.
    167   void SendCertificateRequestToPCA(AttestationKeyType key_type,
    168                                    const std::string& user_id,
    169                                    const std::string& key_name,
    170                                    const CertificateCallback& callback,
    171                                    bool success,
    172                                    const std::string& data);
    173 
    174   // Called when the Privacy CA responds to a certificate request.  The response
    175   // is asynchronously forwarded as-is to the attestation daemon in order to
    176   // complete the operation.
    177   //
    178   // Parameters
    179   //   key_type - The type of the key for which a certificate is requested.
    180   //   user_id - Identifies the active user.
    181   //   key_name - The name of the key for which a certificate is requested.
    182   //   callback - Called when the operation completes.
    183   //   success - The status of the Privacy CA operation.
    184   //   data - The response data from the Privacy CA.
    185   void SendCertificateResponseToDaemon(AttestationKeyType key_type,
    186                                        const std::string& user_id,
    187                                        const std::string& key_name,
    188                                        const CertificateCallback& callback,
    189                                        bool success,
    190                                        const std::string& data);
    191 
    192   // Gets an existing certificate from the attestation daemon.
    193   //
    194   // Parameters
    195   //   key_type - The type of the key for which a certificate is requested.
    196   //   user_id - Identifies the active user.
    197   //   key_name - The name of the key for which a certificate is requested.
    198   //   callback - Called when the operation completes.
    199   void GetExistingCertificate(AttestationKeyType key_type,
    200                               const std::string& user_id,
    201                               const std::string& key_name,
    202                               const CertificateCallback& callback);
    203 
    204   cryptohome::AsyncMethodCaller* async_caller_;
    205   CryptohomeClient* cryptohome_client_;
    206   scoped_ptr<ServerProxy> server_proxy_;
    207 
    208   base::WeakPtrFactory<AttestationFlow> weak_factory_;
    209 
    210   DISALLOW_COPY_AND_ASSIGN(AttestationFlow);
    211 };
    212 
    213 }  // namespace attestation
    214 }  // namespace chromeos
    215 
    216 #endif  // CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
    217