1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ 6 #define CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ 7 8 #include <string> 9 10 #include "base/basictypes.h" 11 #include "base/callback_forward.h" 12 #include "base/memory/scoped_ptr.h" 13 #include "base/memory/weak_ptr.h" 14 #include "chromeos/attestation/attestation_constants.h" 15 #include "chromeos/chromeos_export.h" 16 #include "chromeos/dbus/dbus_method_call_status.h" 17 #include "third_party/cros_system_api/dbus/service_constants.h" 18 19 namespace cryptohome { 20 21 class AsyncMethodCaller; 22 23 } // namespace cryptohome 24 25 namespace chromeos { 26 27 class CryptohomeClient; 28 29 namespace attestation { 30 31 // Interface for access to the Privacy CA server. 32 class CHROMEOS_EXPORT ServerProxy { 33 public: 34 typedef base::Callback<void(bool success, 35 const std::string& data)> DataCallback; 36 virtual ~ServerProxy(); 37 virtual void SendEnrollRequest(const std::string& request, 38 const DataCallback& on_response) = 0; 39 virtual void SendCertificateRequest(const std::string& request, 40 const DataCallback& on_response) = 0; 41 virtual PrivacyCAType GetType(); 42 }; 43 44 // Implements the message flow for Chrome OS attestation tasks. Generally this 45 // consists of coordinating messages between the Chrome OS attestation service 46 // and the Chrome OS Privacy CA server. Sample usage: 47 // AttestationFlow flow(AsyncMethodCaller::GetInstance(), 48 // DBusThreadManager::Get().GetCryptohomeClient(), 49 // my_server_proxy.Pass()); 50 // AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback); 51 // flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback); 52 class CHROMEOS_EXPORT AttestationFlow { 53 public: 54 typedef base::Callback<void(bool success, 55 const std::string& pem_certificate_chain)> 56 CertificateCallback; 57 58 AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, 59 CryptohomeClient* cryptohome_client, 60 scoped_ptr<ServerProxy> server_proxy); 61 virtual ~AttestationFlow(); 62 63 // Gets an attestation certificate for a hardware-protected key. If a key for 64 // the given profile does not exist, it will be generated and a certificate 65 // request will be made to the Chrome OS Privacy CA to issue a certificate for 66 // the key. If the key already exists and |force_new_key| is false, the 67 // existing certificate is returned. 68 // 69 // Parameters 70 // certificate_profile - Specifies what kind of certificate should be 71 // requested from the CA. 72 // user_id - Identifies the currently active user. For normal GAIA users 73 // this is a canonical email address. This is ignored when using 74 // the enterprise machine cert profile. 75 // request_origin - For content protection profiles, certificate requests 76 // are origin-specific. This string must uniquely identify 77 // the origin of the request. 78 // force_new_key - If set to true, a new key will be generated even if a key 79 // already exists for the profile. The new key will replace 80 // the existing key on success. 81 // callback - A callback which will be called when the operation completes. 82 // On success |result| will be true and |data| will contain the 83 // PCA-issued certificate chain in PEM format. 84 virtual void GetCertificate(AttestationCertificateProfile certificate_profile, 85 const std::string& user_id, 86 const std::string& request_origin, 87 bool force_new_key, 88 const CertificateCallback& callback); 89 90 private: 91 // Asynchronously initiates the attestation enrollment flow. 92 // 93 // Parameters 94 // on_failure - Called if any failure occurs. 95 // next_task - Called on successful enrollment. 96 void StartEnroll(const base::Closure& on_failure, 97 const base::Closure& next_task); 98 99 // Called when the attestation daemon has finished creating an enrollment 100 // request for the Privacy CA. The request is asynchronously forwarded as-is 101 // to the PCA. 102 // 103 // Parameters 104 // on_failure - Called if any failure occurs. 105 // next_task - Called on successful enrollment. 106 // success - The status of request creation. 107 // data - The request data for the Privacy CA. 108 void SendEnrollRequestToPCA(const base::Closure& on_failure, 109 const base::Closure& next_task, 110 bool success, 111 const std::string& data); 112 113 // Called when the Privacy CA responds to an enrollment request. The response 114 // is asynchronously forwarded as-is to the attestation daemon in order to 115 // complete the enrollment operation. 116 // 117 // Parameters 118 // on_failure - Called if any failure occurs. 119 // next_task - Called on successful enrollment. 120 // success - The status of the Privacy CA operation. 121 // data - The response data from the Privacy CA. 122 void SendEnrollResponseToDaemon(const base::Closure& on_failure, 123 const base::Closure& next_task, 124 bool success, 125 const std::string& data); 126 127 // Called when the attestation daemon completes an enrollment operation. If 128 // the operation was successful, the next_task callback is called. 129 // 130 // Parameters 131 // on_failure - Called if any failure occurs. 132 // next_task - Called on successful enrollment. 133 // success - The status of the enrollment operation. 134 // not_used - An artifact of the cryptohome D-Bus interface; ignored. 135 void OnEnrollComplete(const base::Closure& on_failure, 136 const base::Closure& next_task, 137 bool success, 138 cryptohome::MountError not_used); 139 140 // Asynchronously initiates the certificate request flow. Attestation 141 // enrollment must complete successfully before this operation can succeed. 142 // 143 // Parameters 144 // certificate_profile - Specifies what kind of certificate should be 145 // requested from the CA. 146 // user_id - Identifies the active user. 147 // request_origin - An identifier for the origin of this request. 148 // generate_new_key - If set to true a new key is generated. 149 // callback - Called when the operation completes. 150 void StartCertificateRequest( 151 const AttestationCertificateProfile certificate_profile, 152 const std::string& user_id, 153 const std::string& request_origin, 154 bool generate_new_key, 155 const CertificateCallback& callback); 156 157 // Called when the attestation daemon has finished creating a certificate 158 // request for the Privacy CA. The request is asynchronously forwarded as-is 159 // to the PCA. 160 // 161 // Parameters 162 // key_type - The type of the key for which a certificate is requested. 163 // user_id - Identifies the active user. 164 // key_name - The name of the key for which a certificate is requested. 165 // callback - Called when the operation completes. 166 // success - The status of request creation. 167 // data - The request data for the Privacy CA. 168 void SendCertificateRequestToPCA(AttestationKeyType key_type, 169 const std::string& user_id, 170 const std::string& key_name, 171 const CertificateCallback& callback, 172 bool success, 173 const std::string& data); 174 175 // Called when the Privacy CA responds to a certificate request. The response 176 // is asynchronously forwarded as-is to the attestation daemon in order to 177 // complete the operation. 178 // 179 // Parameters 180 // key_type - The type of the key for which a certificate is requested. 181 // user_id - Identifies the active user. 182 // key_name - The name of the key for which a certificate is requested. 183 // callback - Called when the operation completes. 184 // success - The status of the Privacy CA operation. 185 // data - The response data from the Privacy CA. 186 void SendCertificateResponseToDaemon(AttestationKeyType key_type, 187 const std::string& user_id, 188 const std::string& key_name, 189 const CertificateCallback& callback, 190 bool success, 191 const std::string& data); 192 193 // Gets an existing certificate from the attestation daemon. 194 // 195 // Parameters 196 // key_type - The type of the key for which a certificate is requested. 197 // user_id - Identifies the active user. 198 // key_name - The name of the key for which a certificate is requested. 199 // callback - Called when the operation completes. 200 void GetExistingCertificate(AttestationKeyType key_type, 201 const std::string& user_id, 202 const std::string& key_name, 203 const CertificateCallback& callback); 204 205 cryptohome::AsyncMethodCaller* async_caller_; 206 CryptohomeClient* cryptohome_client_; 207 scoped_ptr<ServerProxy> server_proxy_; 208 209 base::WeakPtrFactory<AttestationFlow> weak_factory_; 210 211 DISALLOW_COPY_AND_ASSIGN(AttestationFlow); 212 }; 213 214 } // namespace attestation 215 } // namespace chromeos 216 217 #endif // CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ 218