// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ #define CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ #include <string> #include "base/basictypes.h" #include "base/callback_forward.h" #include "base/memory/scoped_ptr.h" #include "base/memory/weak_ptr.h" #include "chromeos/attestation/attestation_constants.h" #include "chromeos/chromeos_export.h" #include "chromeos/dbus/dbus_method_call_status.h" #include "third_party/cros_system_api/dbus/service_constants.h" namespace cryptohome { class AsyncMethodCaller; } // namespace cryptohome namespace chromeos { class CryptohomeClient; namespace attestation { // Interface for access to the Privacy CA server. class CHROMEOS_EXPORT ServerProxy { public: typedef base::Callback<void(bool success, const std::string& data)> DataCallback; virtual ~ServerProxy(); virtual void SendEnrollRequest(const std::string& request, const DataCallback& on_response) = 0; virtual void SendCertificateRequest(const std::string& request, const DataCallback& on_response) = 0; virtual PrivacyCAType GetType(); }; // Implements the message flow for Chrome OS attestation tasks. Generally this // consists of coordinating messages between the Chrome OS attestation service // and the Chrome OS Privacy CA server. Sample usage: // AttestationFlow flow(AsyncMethodCaller::GetInstance(), // DBusThreadManager::Get().GetCryptohomeClient(), // my_server_proxy.Pass()); // AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback); // flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback); class CHROMEOS_EXPORT AttestationFlow { public: typedef base::Callback<void(bool success, const std::string& pem_certificate_chain)> CertificateCallback; AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, CryptohomeClient* cryptohome_client, scoped_ptr<ServerProxy> server_proxy); virtual ~AttestationFlow(); // Gets an attestation certificate for a hardware-protected key. If a key for // the given profile does not exist, it will be generated and a certificate // request will be made to the Chrome OS Privacy CA to issue a certificate for // the key. If the key already exists and |force_new_key| is false, the // existing certificate is returned. // // Parameters // certificate_profile - Specifies what kind of certificate should be // requested from the CA. // user_id - Identifies the currently active user. For normal GAIA users // this is a canonical email address. This is ignored when using // the enterprise machine cert profile. // request_origin - For content protection profiles, certificate requests // are origin-specific. This string must uniquely identify // the origin of the request. // force_new_key - If set to true, a new key will be generated even if a key // already exists for the profile. The new key will replace // the existing key on success. // callback - A callback which will be called when the operation completes. // On success |result| will be true and |data| will contain the // PCA-issued certificate chain in PEM format. virtual void GetCertificate(AttestationCertificateProfile certificate_profile, const std::string& user_id, const std::string& request_origin, bool force_new_key, const CertificateCallback& callback); private: // Asynchronously initiates the attestation enrollment flow. // // Parameters // on_failure - Called if any failure occurs. // next_task - Called on successful enrollment. void StartEnroll(const base::Closure& on_failure, const base::Closure& next_task); // Called when the attestation daemon has finished creating an enrollment // request for the Privacy CA. The request is asynchronously forwarded as-is // to the PCA. // // Parameters // on_failure - Called if any failure occurs. // next_task - Called on successful enrollment. // success - The status of request creation. // data - The request data for the Privacy CA. void SendEnrollRequestToPCA(const base::Closure& on_failure, const base::Closure& next_task, bool success, const std::string& data); // Called when the Privacy CA responds to an enrollment request. The response // is asynchronously forwarded as-is to the attestation daemon in order to // complete the enrollment operation. // // Parameters // on_failure - Called if any failure occurs. // next_task - Called on successful enrollment. // success - The status of the Privacy CA operation. // data - The response data from the Privacy CA. void SendEnrollResponseToDaemon(const base::Closure& on_failure, const base::Closure& next_task, bool success, const std::string& data); // Called when the attestation daemon completes an enrollment operation. If // the operation was successful, the next_task callback is called. // // Parameters // on_failure - Called if any failure occurs. // next_task - Called on successful enrollment. // success - The status of the enrollment operation. // not_used - An artifact of the cryptohome D-Bus interface; ignored. void OnEnrollComplete(const base::Closure& on_failure, const base::Closure& next_task, bool success, cryptohome::MountError not_used); // Asynchronously initiates the certificate request flow. Attestation // enrollment must complete successfully before this operation can succeed. // // Parameters // certificate_profile - Specifies what kind of certificate should be // requested from the CA. // user_id - Identifies the active user. // request_origin - An identifier for the origin of this request. // generate_new_key - If set to true a new key is generated. // callback - Called when the operation completes. void StartCertificateRequest( const AttestationCertificateProfile certificate_profile, const std::string& user_id, const std::string& request_origin, bool generate_new_key, const CertificateCallback& callback); // Called when the attestation daemon has finished creating a certificate // request for the Privacy CA. The request is asynchronously forwarded as-is // to the PCA. // // Parameters // key_type - The type of the key for which a certificate is requested. // user_id - Identifies the active user. // key_name - The name of the key for which a certificate is requested. // callback - Called when the operation completes. // success - The status of request creation. // data - The request data for the Privacy CA. void SendCertificateRequestToPCA(AttestationKeyType key_type, const std::string& user_id, const std::string& key_name, const CertificateCallback& callback, bool success, const std::string& data); // Called when the Privacy CA responds to a certificate request. The response // is asynchronously forwarded as-is to the attestation daemon in order to // complete the operation. // // Parameters // key_type - The type of the key for which a certificate is requested. // user_id - Identifies the active user. // key_name - The name of the key for which a certificate is requested. // callback - Called when the operation completes. // success - The status of the Privacy CA operation. // data - The response data from the Privacy CA. void SendCertificateResponseToDaemon(AttestationKeyType key_type, const std::string& user_id, const std::string& key_name, const CertificateCallback& callback, bool success, const std::string& data); // Gets an existing certificate from the attestation daemon. // // Parameters // key_type - The type of the key for which a certificate is requested. // user_id - Identifies the active user. // key_name - The name of the key for which a certificate is requested. // callback - Called when the operation completes. void GetExistingCertificate(AttestationKeyType key_type, const std::string& user_id, const std::string& key_name, const CertificateCallback& callback); cryptohome::AsyncMethodCaller* async_caller_; CryptohomeClient* cryptohome_client_; scoped_ptr<ServerProxy> server_proxy_; base::WeakPtrFactory<AttestationFlow> weak_factory_; DISALLOW_COPY_AND_ASSIGN(AttestationFlow); }; } // namespace attestation } // namespace chromeos #endif // CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_