Home | History | Annotate | Download | only in attestation 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
      6 #define CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
      7 
      8 #include <string>
      9 
     10 #include "base/basictypes.h"
     11 #include "base/callback_forward.h"
     12 #include "base/memory/scoped_ptr.h"
     13 #include "base/memory/weak_ptr.h"
     14 #include "chromeos/attestation/attestation_constants.h"
     15 #include "chromeos/chromeos_export.h"
     16 #include "chromeos/dbus/dbus_method_call_status.h"
     17 #include "third_party/cros_system_api/dbus/service_constants.h"
     18 
     19 namespace cryptohome {
     20 
     21 class AsyncMethodCaller;
     22 
     23 }  // namespace cryptohome
     24 
     25 namespace chromeos {
     26 
     27 class CryptohomeClient;
     28 
     29 namespace attestation {
     30 
     31 // Interface for access to the Privacy CA server.
     32 class CHROMEOS_EXPORT ServerProxy {
     33  public:
     34   typedef base::Callback<void(bool success,
     35                               const std::string& data)> DataCallback;
     36   virtual ~ServerProxy();
     37   virtual void SendEnrollRequest(const std::string& request,
     38                                  const DataCallback& on_response) = 0;
     39   virtual void SendCertificateRequest(const std::string& request,
     40                                       const DataCallback& on_response) = 0;
     41   virtual PrivacyCAType GetType();
     42 };
     43 
     44 // Implements the message flow for Chrome OS attestation tasks.  Generally this
     45 // consists of coordinating messages between the Chrome OS attestation service
     46 // and the Chrome OS Privacy CA server.  Sample usage:
     47 //    AttestationFlow flow(AsyncMethodCaller::GetInstance(),
     48 //                         DBusThreadManager::Get().GetCryptohomeClient(),
     49 //                         my_server_proxy.Pass());
     50 //    AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback);
     51 //    flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback);
     52 class CHROMEOS_EXPORT AttestationFlow {
     53  public:
     54   typedef base::Callback<void(bool success,
     55                               const std::string& pem_certificate_chain)>
     56       CertificateCallback;
     57 
     58   AttestationFlow(cryptohome::AsyncMethodCaller* async_caller,
     59                   CryptohomeClient* cryptohome_client,
     60                   scoped_ptr<ServerProxy> server_proxy);
     61   virtual ~AttestationFlow();
     62 
     63   // Gets an attestation certificate for a hardware-protected key.  If a key for
     64   // the given profile does not exist, it will be generated and a certificate
     65   // request will be made to the Chrome OS Privacy CA to issue a certificate for
     66   // the key.  If the key already exists and |force_new_key| is false, the
     67   // existing certificate is returned.
     68   //
     69   // Parameters
     70   //   certificate_profile - Specifies what kind of certificate should be
     71   //                         requested from the CA.
     72   //   user_id - Identifies the currently active user.  For normal GAIA users
     73   //             this is a canonical email address.  This is ignored when using
     74   //             the enterprise machine cert profile.
     75   //   request_origin - For content protection profiles, certificate requests
     76   //                    are origin-specific.  This string must uniquely identify
     77   //                    the origin of the request.
     78   //   force_new_key - If set to true, a new key will be generated even if a key
     79   //                   already exists for the profile.  The new key will replace
     80   //                   the existing key on success.
     81   //   callback - A callback which will be called when the operation completes.
     82   //              On success |result| will be true and |data| will contain the
     83   //              PCA-issued certificate chain in PEM format.
     84   virtual void GetCertificate(AttestationCertificateProfile certificate_profile,
     85                               const std::string& user_id,
     86                               const std::string& request_origin,
     87                               bool force_new_key,
     88                               const CertificateCallback& callback);
     89 
     90  private:
     91   // Asynchronously initiates the attestation enrollment flow.
     92   //
     93   // Parameters
     94   //   on_failure - Called if any failure occurs.
     95   //   next_task - Called on successful enrollment.
     96   void StartEnroll(const base::Closure& on_failure,
     97                    const base::Closure& next_task);
     98 
     99   // Called when the attestation daemon has finished creating an enrollment
    100   // request for the Privacy CA.  The request is asynchronously forwarded as-is
    101   // to the PCA.
    102   //
    103   // Parameters
    104   //   on_failure - Called if any failure occurs.
    105   //   next_task - Called on successful enrollment.
    106   //   success - The status of request creation.
    107   //   data - The request data for the Privacy CA.
    108   void SendEnrollRequestToPCA(const base::Closure& on_failure,
    109                               const base::Closure& next_task,
    110                               bool success,
    111                               const std::string& data);
    112 
    113   // Called when the Privacy CA responds to an enrollment request.  The response
    114   // is asynchronously forwarded as-is to the attestation daemon in order to
    115   // complete the enrollment operation.
    116   //
    117   // Parameters
    118   //   on_failure - Called if any failure occurs.
    119   //   next_task - Called on successful enrollment.
    120   //   success - The status of the Privacy CA operation.
    121   //   data - The response data from the Privacy CA.
    122   void SendEnrollResponseToDaemon(const base::Closure& on_failure,
    123                                   const base::Closure& next_task,
    124                                   bool success,
    125                                   const std::string& data);
    126 
    127   // Called when the attestation daemon completes an enrollment operation.  If
    128   // the operation was successful, the next_task callback is called.
    129   //
    130   // Parameters
    131   //   on_failure - Called if any failure occurs.
    132   //   next_task - Called on successful enrollment.
    133   //   success - The status of the enrollment operation.
    134   //   not_used - An artifact of the cryptohome D-Bus interface; ignored.
    135   void OnEnrollComplete(const base::Closure& on_failure,
    136                         const base::Closure& next_task,
    137                         bool success,
    138                         cryptohome::MountError not_used);
    139 
    140   // Asynchronously initiates the certificate request flow.  Attestation
    141   // enrollment must complete successfully before this operation can succeed.
    142   //
    143   // Parameters
    144   //   certificate_profile - Specifies what kind of certificate should be
    145   //                         requested from the CA.
    146   //   user_id - Identifies the active user.
    147   //   request_origin - An identifier for the origin of this request.
    148   //   generate_new_key - If set to true a new key is generated.
    149   //   callback - Called when the operation completes.
    150   void StartCertificateRequest(
    151       const AttestationCertificateProfile certificate_profile,
    152       const std::string& user_id,
    153       const std::string& request_origin,
    154       bool generate_new_key,
    155       const CertificateCallback& callback);
    156 
    157   // Called when the attestation daemon has finished creating a certificate
    158   // request for the Privacy CA.  The request is asynchronously forwarded as-is
    159   // to the PCA.
    160   //
    161   // Parameters
    162   //   key_type - The type of the key for which a certificate is requested.
    163   //   user_id - Identifies the active user.
    164   //   key_name - The name of the key for which a certificate is requested.
    165   //   callback - Called when the operation completes.
    166   //   success - The status of request creation.
    167   //   data - The request data for the Privacy CA.
    168   void SendCertificateRequestToPCA(AttestationKeyType key_type,
    169                                    const std::string& user_id,
    170                                    const std::string& key_name,
    171                                    const CertificateCallback& callback,
    172                                    bool success,
    173                                    const std::string& data);
    174 
    175   // Called when the Privacy CA responds to a certificate request.  The response
    176   // is asynchronously forwarded as-is to the attestation daemon in order to
    177   // complete the operation.
    178   //
    179   // Parameters
    180   //   key_type - The type of the key for which a certificate is requested.
    181   //   user_id - Identifies the active user.
    182   //   key_name - The name of the key for which a certificate is requested.
    183   //   callback - Called when the operation completes.
    184   //   success - The status of the Privacy CA operation.
    185   //   data - The response data from the Privacy CA.
    186   void SendCertificateResponseToDaemon(AttestationKeyType key_type,
    187                                        const std::string& user_id,
    188                                        const std::string& key_name,
    189                                        const CertificateCallback& callback,
    190                                        bool success,
    191                                        const std::string& data);
    192 
    193   // Gets an existing certificate from the attestation daemon.
    194   //
    195   // Parameters
    196   //   key_type - The type of the key for which a certificate is requested.
    197   //   user_id - Identifies the active user.
    198   //   key_name - The name of the key for which a certificate is requested.
    199   //   callback - Called when the operation completes.
    200   void GetExistingCertificate(AttestationKeyType key_type,
    201                               const std::string& user_id,
    202                               const std::string& key_name,
    203                               const CertificateCallback& callback);
    204 
    205   cryptohome::AsyncMethodCaller* async_caller_;
    206   CryptohomeClient* cryptohome_client_;
    207   scoped_ptr<ServerProxy> server_proxy_;
    208 
    209   base::WeakPtrFactory<AttestationFlow> weak_factory_;
    210 
    211   DISALLOW_COPY_AND_ASSIGN(AttestationFlow);
    212 };
    213 
    214 }  // namespace attestation
    215 }  // namespace chromeos
    216 
    217 #endif  // CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
    218