Home | History | Annotate | Download | only in shill
      1 //
      2 // Copyright (C) 2013 The Android Open Source Project
      3 //
      4 // Licensed under the Apache License, Version 2.0 (the "License");
      5 // you may not use this file except in compliance with the License.
      6 // You may obtain a copy of the License at
      7 //
      8 //      http://www.apache.org/licenses/LICENSE-2.0
      9 //
     10 // Unless required by applicable law or agreed to in writing, software
     11 // distributed under the License is distributed on an "AS IS" BASIS,
     12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13 // See the License for the specific language governing permissions and
     14 // limitations under the License.
     15 //
     16 
     17 #ifndef SHILL_EAP_CREDENTIALS_H_
     18 #define SHILL_EAP_CREDENTIALS_H_
     19 
     20 #include <map>
     21 #include <string>
     22 #include <vector>
     23 
     24 #include <base/files/file_path.h>
     25 
     26 #include "shill/technology.h"
     27 
     28 namespace shill {
     29 
     30 class CertificateFile;
     31 class Error;
     32 class KeyValueStore;
     33 class Metrics;
     34 class PropertyStore;
     35 class StoreInterface;
     36 
     37 class EapCredentials {
     38  public:
     39   // TODO(pstew): Storage constants shouldn't need to be public
     40   // crbug.com/208736
     41   static const char kStorageEapAnonymousIdentity[];
     42   static const char kStorageEapCACert[];
     43   static const char kStorageEapCACertID[];
     44   static const char kStorageEapCACertNSS[];
     45   static const char kStorageEapCACertPEM[];
     46   static const char kStorageEapCertID[];
     47   static const char kStorageEapClientCert[];
     48   static const char kStorageEapEap[];
     49   static const char kStorageEapIdentity[];
     50   static const char kStorageEapInnerEap[];
     51   static const char kStorageEapKeyID[];
     52   static const char kStorageEapKeyManagement[];
     53   static const char kStorageEapPIN[];
     54   static const char kStorageEapPassword[];
     55   static const char kStorageEapPrivateKey[];
     56   static const char kStorageEapPrivateKeyPassword[];
     57   static const char kStorageEapSubjectMatch[];
     58   static const char kStorageEapUseProactiveKeyCaching[];
     59   static const char kStorageEapUseSystemCAs[];
     60 
     61   EapCredentials();
     62   virtual ~EapCredentials();
     63 
     64   // Add property accessors to the EAP credential parameters in |this| to
     65   // |store|.
     66   void InitPropertyStore(PropertyStore* store);
     67 
     68   // Returns true if |property| is used for authentication in EapCredentials.
     69   static bool IsEapAuthenticationProperty(const std::string property);
     70 
     71   // Returns true if a connection can be made with |this| credentials using
     72   // either passphrase or certificates.
     73   virtual bool IsConnectable() const;
     74 
     75   // Returns true if a connection can be made with |this| credentials using
     76   // only passphrase properties.
     77   virtual bool IsConnectableUsingPassphrase() const;
     78 
     79   // Loads EAP properties from |storage| in group |id|.
     80   virtual void Load(StoreInterface* store, const std::string& id);
     81 
     82   // Output metrics about this EAP connection to |metrics| with technology
     83   // |technology|.
     84   virtual void OutputConnectionMetrics(Metrics* metrics,
     85                                        Technology::Identifier technology) const;
     86 
     87   // Populate the wpa_supplicant DBus parameter map |params| with the
     88   // credentials in |this|.  To do so, this function may use |certificate_file|
     89   // to export CA certificates to be passed to wpa_supplicant.
     90   virtual void PopulateSupplicantProperties(
     91       CertificateFile* certificate_file,
     92       KeyValueStore* params) const;
     93 
     94   // Populate the WiMax connection parameters |params| with the
     95   // credentials in |this|.
     96   virtual void PopulateWiMaxProperties(
     97       KeyValueStore* params) const;
     98 
     99   // Save EAP properties to |storage| in group |id|.  If |save_credentials|
    100   // is true, passwords and identities that are a part of the credentials are
    101   // also saved.
    102   virtual void Save(StoreInterface* store, const std::string& id,
    103                     bool save_credentials) const;
    104 
    105   // Restore EAP properties to their initial state.
    106   virtual void Reset();
    107 
    108   // Setter that guards against emptying the "Key Management" value.
    109   virtual bool SetKeyManagement(const std::string& key_management,
    110                                 Error* error);
    111 
    112   // Getters and setters.
    113   virtual const std::string& identity() const { return identity_; }
    114   void set_identity(const std::string& identity) {
    115     identity_ = identity;
    116   }
    117   virtual const std::string& key_management() const { return key_management_; }
    118   virtual void set_password(const std::string& password) {
    119     password_ = password;
    120   }
    121   virtual const std::string& pin() const { return pin_; }
    122 
    123  private:
    124   friend class EapCredentialsTest;
    125 
    126   // Returns true if the current EAP authentication type requires certificate
    127   // authentication and any of the client credentials are provided via
    128   // referencea cypto token.
    129   bool ClientAuthenticationUsesCryptoToken() const;
    130 
    131   // Expose a property in |store|, with the name |name|.
    132   //
    133   // Reads of the property will be handled by invoking |get|.
    134   // Writes to the property will be handled by invoking |set|.
    135   void HelpRegisterDerivedString(
    136       PropertyStore* store,
    137       const std::string& name,
    138       std::string(EapCredentials::*get)(Error* error),
    139       bool(EapCredentials::*set)(const std::string& value, Error* error));
    140 
    141   // Expose a property in |store|, with the name |name|.
    142   //
    143   // Reads of the property will be handled by invoking |get|.
    144   //
    145   // Clearing the property will be handled by invoking |clear|, or
    146   // calling |set| with |default_value| (whichever is non-NULL).  It
    147   // is an error to call this method with both |clear| and
    148   // |default_value| non-NULL.
    149   void HelpRegisterWriteOnlyDerivedString(
    150       PropertyStore* store,
    151       const std::string& name,
    152       bool(EapCredentials::*set)(const std::string& value, Error* error),
    153       void(EapCredentials::*clear)(Error* error),
    154       const std::string* default_value);
    155 
    156   // Assigns |value| to |key| in |storage| if |value| is non-empty and |save| is
    157   // true. Otherwise, removes |key| from |storage|. If |crypted| is true, the
    158   // value is encrypted.
    159   static void SaveString(StoreInterface* storage,
    160                          const std::string& id,
    161                          const std::string& key,
    162                          const std::string& value,
    163                          bool crypted,
    164                          bool save);
    165 
    166   // Setters for write-only RPC properties.
    167   bool SetEapPassword(const std::string& password, Error* error);
    168   bool SetEapPrivateKeyPassword(const std::string& password, Error* error);
    169 
    170   // RPC getter for key_management_.
    171   std::string GetKeyManagement(Error* error);
    172 
    173   // When there is an inner EAP type, use this identity for the outer.
    174   std::string anonymous_identity_;
    175   // Locator for the client certificate within the security token.
    176   std::string cert_id_;
    177   // Filename of the client certificate.
    178   std::string client_cert_;
    179   // Who we identify ourselves as to the EAP authenticator.
    180   std::string identity_;
    181   // Locator for the client private key within the security token.
    182   std::string key_id_;
    183   // Key management algorithm to use after EAP succeeds.
    184   std::string key_management_;
    185   // Password to use for EAP methods which require one.
    186   std::string password_;
    187   // PIN code for accessing the security token.
    188   std::string pin_;
    189   // Filename of the client private key.
    190   std::string private_key_;
    191   // Password for decrypting the client private key file.
    192   std::string private_key_password_;
    193 
    194   // Filename of the certificate authority (CA) certificate.
    195   std::string ca_cert_;
    196   // Locator for the CA certificate within the security token.
    197   std::string ca_cert_id_;
    198   // Locator for the CA certificate within the user NSS database.
    199   std::string ca_cert_nss_;
    200   // Raw PEM contents of the CA certificate.
    201   std::vector<std::string> ca_cert_pem_;
    202   // The outer or only EAP authetnication type.
    203   std::string eap_;
    204   // The inner EAP authentication type.
    205   std::string inner_eap_;
    206   // If non-empty, string to match remote subject against before connecting.
    207   std::string subject_match_;
    208   // If true, use the system-wide CA database to authenticate the remote.
    209   bool use_system_cas_;
    210   // If true, use per network proactive key caching.
    211   bool use_proactive_key_caching_;
    212 
    213   DISALLOW_COPY_AND_ASSIGN(EapCredentials);
    214 };
    215 
    216 }  // namespace shill
    217 
    218 #endif  // SHILL_EAP_CREDENTIALS_H_
    219