chromeos/dbus/cryptohome_client.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CHROMEOS_DBUS_CRYPTOHOME_CLIENT_H_
   6 #define CHROMEOS_DBUS_CRYPTOHOME_CLIENT_H_
   7
   8 #include <string>
   9 #include <vector>
  10
  11 #include "base/basictypes.h"
  12 #include "base/callback.h"
  13 #include "chromeos/attestation/attestation_constants.h"
  14 #include "chromeos/chromeos_export.h"
  15 #include "chromeos/dbus/dbus_client.h"
  16 #include "chromeos/dbus/dbus_method_call_status.h"
  17
  18 namespace chromeos {
  19
  20 // CryptohomeClient is used to communicate with the Cryptohome service.
  21 // All method should be called from the origin thread (UI thread) which
  22 // initializes the DBusThreadManager instance.
  23 class CHROMEOS_EXPORT CryptohomeClient : public DBusClient {
  24  public:
  25   // A callback to handle AsyncCallStatus signals.
  26   typedef base::Callback<void(int async_id,
  27                               bool return_status,
  28                               int return_code)>
  29       AsyncCallStatusHandler;
  30   // A callback to handle AsyncCallStatusWithData signals.
  31   typedef base::Callback<void(int async_id,
  32                               bool return_status,
  33                               const std::string& data)>
  34       AsyncCallStatusWithDataHandler;
  35   // A callback to handle responses of AsyncXXX methods.
  36   typedef base::Callback<void(int async_id)> AsyncMethodCallback;
  37   // A callback for GetSystemSalt().
  38   typedef base::Callback<void(
  39       DBusMethodCallStatus call_status,
  40       const std::vector<uint8>& system_salt)> GetSystemSaltCallback;
  41   // A callback for WaitForServiceToBeAvailable().
  42   typedef base::Callback<void(bool service_is_ready)>
  43       WaitForServiceToBeAvailableCallback;
  44   // A callback to handle responses of Pkcs11GetTpmTokenInfo method.  The result
  45   // of the D-Bus call is in |call_status|.  On success, |label| holds the
  46   // PKCS #11 token label.  This is not useful in practice to identify a token
  47   // but may be meaningful to a user.  The |user_pin| can be used with the
  48   // C_Login PKCS #11 function but is not necessary because tokens are logged in
  49   // for the duration of a signed-in session.  The |slot| corresponds to a
  50   // CK_SLOT_ID for the PKCS #11 API and reliably identifies the token for the
  51   // duration of the signed-in session.
  52   typedef base::Callback<void(
  53       DBusMethodCallStatus call_status,
  54       const std::string& label,
  55       const std::string& user_pin,
  56       int slot)> Pkcs11GetTpmTokenInfoCallback;
  57   // A callback for methods which return both a bool result and data.
  58   typedef base::Callback<void(DBusMethodCallStatus call_status,
  59                               bool result,
  60                               const std::string& data)> DataMethodCallback;
  61
  62   virtual ~CryptohomeClient();
  63
  64   // Factory function, creates a new instance and returns ownership.
  65   // For normal usage, access the singleton via DBusThreadManager::Get().
  66   static CryptohomeClient* Create();
  67
  68   // Returns the sanitized |username| that the stub implementation would return.
  69   static std::string GetStubSanitizedUsername(const std::string& username);
  70
  71   // Sets AsyncCallStatus signal handlers.
  72   // |handler| is called when results for AsyncXXX methods are returned.
  73   // Cryptohome service will process the calls in a first-in-first-out manner
  74   // when they are made in parallel.
  75   virtual void SetAsyncCallStatusHandlers(
  76       const AsyncCallStatusHandler& handler,
  77       const AsyncCallStatusWithDataHandler& data_handler) = 0;
  78
  79   // Resets AsyncCallStatus signal handlers.
  80   virtual void ResetAsyncCallStatusHandlers() = 0;
  81
  82   // Runs the callback as soon as the service becomes available.
  83   virtual void WaitForServiceToBeAvailable(
  84       const WaitForServiceToBeAvailableCallback& callback) = 0;
  85
  86   // Calls IsMounted method and returns true when the call succeeds.
  87   virtual void IsMounted(const BoolDBusMethodCallback& callback) = 0;
  88
  89   // Calls Unmount method and returns true when the call succeeds.
  90   // This method blocks until the call returns.
  91   virtual bool Unmount(bool* success) = 0;
  92
  93   // Calls AsyncCheckKey method.  |callback| is called after the method call
  94   // succeeds.
  95   virtual void AsyncCheckKey(const std::string& username,
  96                              const std::string& key,
  97                              const AsyncMethodCallback& callback) = 0;
  98
  99   // Calls AsyncMigrateKey method.  |callback| is called after the method call
 100   // succeeds.
 101   virtual void AsyncMigrateKey(const std::string& username,
 102                                const std::string& from_key,
 103                                const std::string& to_key,
 104                                const AsyncMethodCallback& callback) = 0;
 105
 106   // Calls AsyncRemove method.  |callback| is called after the method call
 107   // succeeds.
 108   virtual void AsyncRemove(const std::string& username,
 109                            const AsyncMethodCallback& callback) = 0;
 110
 111   // Calls GetSystemSalt method.  |callback| is called after the method call
 112   // succeeds.
 113   virtual void GetSystemSalt(const GetSystemSaltCallback& callback) = 0;
 114
 115   // Calls GetSanitizedUsername method.  |callback| is called after the method
 116   // call succeeds.
 117   virtual void GetSanitizedUsername(
 118       const std::string& username,
 119       const StringDBusMethodCallback& callback) = 0;
 120
 121   // Same as GetSanitizedUsername() but blocks until a reply is received, and
 122   // returns the sanitized username synchronously. Returns an empty string if
 123   // the method call fails.
 124   // This may only be called in situations where blocking the UI thread is
 125   // considered acceptable (e.g. restarting the browser after a crash or after
 126   // a flag change).
 127   virtual std::string BlockingGetSanitizedUsername(
 128       const std::string& username) = 0;
 129
 130   // Calls the AsyncMount method to asynchronously mount the cryptohome for
 131   // |username|, using |key| to unlock it. For supported |flags|, see the
 132   // documentation of AsyncMethodCaller::AsyncMount().
 133   // |callback| is called after the method call succeeds.
 134   virtual void AsyncMount(const std::string& username,
 135                           const std::string& key,
 136                           int flags,
 137                           const AsyncMethodCallback& callback) = 0;
 138
 139   // Calls the AsyncAddKey method to asynchronously add another |new_key| for
 140   // |username|, using |key| to unlock it first.
 141   // |callback| is called after the method call succeeds.
 142   virtual void AsyncAddKey(const std::string& username,
 143                            const std::string& key,
 144                            const std::string& new_key,
 145                            const AsyncMethodCallback& callback) = 0;
 146
 147   // Calls AsyncMountGuest method.  |callback| is called after the method call
 148   // succeeds.
 149   virtual void AsyncMountGuest(const AsyncMethodCallback& callback) = 0;
 150
 151   // Calls the AsyncMount method to asynchronously mount the cryptohome for
 152   // |public_mount_id|. For supported |flags|, see the documentation of
 153   // AsyncMethodCaller::AsyncMount().  |callback| is called after the method
 154   // call succeeds.
 155   virtual void AsyncMountPublic(const std::string& public_mount_id,
 156                                 int flags,
 157                                 const AsyncMethodCallback& callback) = 0;
 158
 159   // Calls TpmIsReady method.
 160   virtual void TpmIsReady(const BoolDBusMethodCallback& callback) = 0;
 161
 162   // Calls TpmIsEnabled method.
 163   virtual void TpmIsEnabled(const BoolDBusMethodCallback& callback) = 0;
 164
 165   // Calls TpmIsEnabled method and returns true when the call succeeds.
 166   // This method blocks until the call returns.
 167   // TODO(hashimoto): Remove this method. crbug.com/141006
 168   virtual bool CallTpmIsEnabledAndBlock(bool* enabled) = 0;
 169
 170   // Calls TpmGetPassword method.
 171   virtual void TpmGetPassword(const StringDBusMethodCallback& callback) = 0;
 172
 173   // Calls TpmIsOwned method.
 174   virtual void TpmIsOwned(const BoolDBusMethodCallback& callback) = 0;
 175
 176   // Calls TpmIsOwned method and returns true when the call succeeds.
 177   // This method blocks until the call returns.
 178   // TODO(hashimoto): Remove this method. crbug.com/141012
 179   virtual bool CallTpmIsOwnedAndBlock(bool* owned) = 0;
 180
 181   // Calls TpmIsBeingOwned method.
 182   virtual void TpmIsBeingOwned(const BoolDBusMethodCallback& callback) = 0;
 183
 184   // Calls TpmIsBeingOwned method and returns true when the call succeeds.
 185   // This method blocks until the call returns.
 186   // TODO(hashimoto): Remove this method. crbug.com/141011
 187   virtual bool CallTpmIsBeingOwnedAndBlock(bool* owning) = 0;
 188
 189   // Calls TpmCanAttemptOwnership method.
 190   // This method tells the service that it is OK to attempt ownership.
 191   virtual void TpmCanAttemptOwnership(
 192       const VoidDBusMethodCallback& callback) = 0;
 193
 194   // Calls TpmClearStoredPasswordMethod.
 195   virtual void TpmClearStoredPassword(
 196       const VoidDBusMethodCallback& callback) = 0;
 197
 198   // Calls TpmClearStoredPassword method and returns true when the call
 199   // succeeds.  This method blocks until the call returns.
 200   // TODO(hashimoto): Remove this method. crbug.com/141010
 201   virtual bool CallTpmClearStoredPasswordAndBlock() = 0;
 202
 203   // Calls Pkcs11IsTpmTokenReady method.
 204   virtual void Pkcs11IsTpmTokenReady(
 205       const BoolDBusMethodCallback& callback) = 0;
 206
 207   // Calls Pkcs11GetTpmTokenInfo method.  This method is deprecated, you should
 208   // use Pkcs11GetTpmTokenInfoForUser instead.  On success |callback| will
 209   // receive PKCS #11 token information for the token associated with the user
 210   // who originally signed in (i.e. PKCS #11 slot 0).
 211   virtual void Pkcs11GetTpmTokenInfo(
 212       const Pkcs11GetTpmTokenInfoCallback& callback) = 0;
 213
 214   // Calls Pkcs11GetTpmTokenInfoForUser method.  On success |callback| will
 215   // receive PKCS #11 token information for the user identified by |user_email|.
 216   // The |user_email| must be a canonical email address as returned by
 217   // chromeos::User::email().
 218   virtual void Pkcs11GetTpmTokenInfoForUser(
 219       const std::string& user_email,
 220       const Pkcs11GetTpmTokenInfoCallback& callback) = 0;
 221
 222   // Calls InstallAttributesGet method and returns true when the call succeeds.
 223   // This method blocks until the call returns.
 224   // The original content of |value| is lost.
 225   virtual bool InstallAttributesGet(const std::string& name,
 226                                     std::vector<uint8>* value,
 227                                     bool* successful) = 0;
 228
 229   // Calls InstallAttributesSet method and returns true when the call succeeds.
 230   // This method blocks until the call returns.
 231   virtual bool InstallAttributesSet(const std::string& name,
 232                                     const std::vector<uint8>& value,
 233                                     bool* successful) = 0;
 234
 235   // Calls InstallAttributesFinalize method and returns true when the call
 236   // succeeds.  This method blocks until the call returns.
 237   virtual bool InstallAttributesFinalize(bool* successful) = 0;
 238
 239   // Calls InstallAttributesIsReady method.
 240   virtual void InstallAttributesIsReady(
 241       const BoolDBusMethodCallback& callback) = 0;
 242
 243   // Calls InstallAttributesIsInvalid method and returns true when the call
 244   // succeeds.  This method blocks until the call returns.
 245   virtual bool InstallAttributesIsInvalid(bool* is_invalid) = 0;
 246
 247   // Calls InstallAttributesIsFirstInstall method and returns true when the call
 248   // succeeds. This method blocks until the call returns.
 249   virtual bool InstallAttributesIsFirstInstall(bool* is_first_install) = 0;
 250
 251   // Calls the TpmAttestationIsPrepared dbus method.  The callback is called
 252   // when the operation completes.
 253   virtual void TpmAttestationIsPrepared(
 254         const BoolDBusMethodCallback& callback) = 0;
 255
 256   // Calls the TpmAttestationIsEnrolled dbus method.  The callback is called
 257   // when the operation completes.
 258   virtual void TpmAttestationIsEnrolled(
 259         const BoolDBusMethodCallback& callback) = 0;
 260
 261   // Asynchronously creates an attestation enrollment request.  The callback
 262   // will be called when the dbus call completes.  When the operation completes,
 263   // the AsyncCallStatusWithDataHandler signal handler is called.  The data that
 264   // is sent with the signal is an enrollment request to be sent to the Privacy
 265   // CA.  The enrollment is completed by calling AsyncTpmAttestationEnroll.
 266   virtual void AsyncTpmAttestationCreateEnrollRequest(
 267       const AsyncMethodCallback& callback) = 0;
 268
 269   // Asynchronously finishes an attestation enrollment operation.  The callback
 270   // will be called when the dbus call completes.  When the operation completes,
 271   // the AsyncCallStatusHandler signal handler is called.  |pca_response| is the
 272   // response to the enrollment request emitted by the Privacy CA.
 273   virtual void AsyncTpmAttestationEnroll(
 274       const std::string& pca_response,
 275       const AsyncMethodCallback& callback) = 0;
 276
 277   // Asynchronously creates an attestation certificate request according to
 278   // |certificate_profile|.  Some profiles require that the |user_id| of the
 279   // currently active user and an identifier of the |request_origin| be
 280   // provided.  |callback| will be called when the dbus call completes.  When
 281   // the operation completes, the AsyncCallStatusWithDataHandler signal handler
 282   // is called.  The data that is sent with the signal is a certificate request
 283   // to be sent to the Privacy CA.  The certificate request is completed by
 284   // calling AsyncTpmAttestationFinishCertRequest.  The |user_id| will not
 285   // be included in the certificate request for the Privacy CA.
 286   virtual void AsyncTpmAttestationCreateCertRequest(
 287       attestation::AttestationCertificateProfile certificate_profile,
 288       const std::string& user_id,
 289       const std::string& request_origin,
 290       const AsyncMethodCallback& callback) = 0;
 291
 292   // Asynchronously finishes a certificate request operation.  The callback will
 293   // be called when the dbus call completes.  When the operation completes, the
 294   // AsyncCallStatusWithDataHandler signal handler is called.  The data that is
 295   // sent with the signal is a certificate chain in PEM format.  |pca_response|
 296   // is the response to the certificate request emitted by the Privacy CA.
 297   // |key_type| determines whether the certified key is to be associated with
 298   // the current user.  |key_name| is a name for the key.  If |key_type| is
 299   // KEY_USER, a |user_id| must be provided.  Otherwise |user_id| is ignored.
 300   // For normal GAIA users the |user_id| is a canonical email address.
 301   virtual void AsyncTpmAttestationFinishCertRequest(
 302       const std::string& pca_response,
 303       attestation::AttestationKeyType key_type,
 304       const std::string& user_id,
 305       const std::string& key_name,
 306       const AsyncMethodCallback& callback) = 0;
 307
 308   // Checks if an attestation key already exists.  If the key specified by
 309   // |key_type| and |key_name| exists, then the result sent to the callback will
 310   // be true.  If |key_type| is KEY_USER, a |user_id| must be provided.
 311   // Otherwise |user_id| is ignored.  For normal GAIA users the |user_id| is a
 312   // canonical email address.
 313   virtual void TpmAttestationDoesKeyExist(
 314       attestation::AttestationKeyType key_type,
 315       const std::string& user_id,
 316       const std::string& key_name,
 317       const BoolDBusMethodCallback& callback) = 0;
 318
 319   // Gets the attestation certificate for the key specified by |key_type| and
 320   // |key_name|.  |callback| will be called when the operation completes.  If
 321   // the key does not exist the callback |result| parameter will be false.  If
 322   // |key_type| is KEY_USER, a |user_id| must be provided.  Otherwise |user_id|
 323   // is ignored.  For normal GAIA users the |user_id| is a canonical email
 324   // address.
 325   virtual void TpmAttestationGetCertificate(
 326       attestation::AttestationKeyType key_type,
 327       const std::string& user_id,
 328       const std::string& key_name,
 329       const DataMethodCallback& callback) = 0;
 330
 331   // Gets the public key for the key specified by |key_type| and |key_name|.
 332   // |callback| will be called when the operation completes.  If the key does
 333   // not exist the callback |result| parameter will be false.  If |key_type| is
 334   // KEY_USER, a |user_id| must be provided.  Otherwise |user_id| is ignored.
 335   // For normal GAIA users the |user_id| is a canonical email address.
 336   virtual void TpmAttestationGetPublicKey(
 337       attestation::AttestationKeyType key_type,
 338       const std::string& user_id,
 339       const std::string& key_name,
 340       const DataMethodCallback& callback) = 0;
 341
 342   // Asynchronously registers an attestation key with the current user's
 343   // PKCS #11 token.  The |callback| will be called when the dbus call
 344   // completes.  When the operation completes, the AsyncCallStatusHandler signal
 345   // handler is called.  |key_type| and |key_name| specify the key to register.
 346   // If |key_type| is KEY_USER, a |user_id| must be provided.  Otherwise
 347   // |user_id| is ignored.  For normal GAIA users the |user_id| is a canonical
 348   // email address.
 349   virtual void TpmAttestationRegisterKey(
 350       attestation::AttestationKeyType key_type,
 351       const std::string& user_id,
 352       const std::string& key_name,
 353       const AsyncMethodCallback& callback) = 0;
 354
 355   // Asynchronously signs an enterprise challenge with the key specified by
 356   // |key_type| and |key_name|.  |domain| and |device_id| will be included in
 357   // the challenge response.  |options| control how the challenge response is
 358   // generated.  |challenge| must be a valid enterprise attestation challenge.
 359   // The |callback| will be called when the dbus call completes.  When the
 360   // operation completes, the AsyncCallStatusWithDataHandler signal handler is
 361   // called.  If |key_type| is KEY_USER, a |user_id| must be provided.
 362   // Otherwise |user_id| is ignored.  For normal GAIA users the |user_id| is a
 363   // canonical email address.
 364   virtual void TpmAttestationSignEnterpriseChallenge(
 365       attestation::AttestationKeyType key_type,
 366       const std::string& user_id,
 367       const std::string& key_name,
 368       const std::string& domain,
 369       const std::string& device_id,
 370       attestation::AttestationChallengeOptions options,
 371       const std::string& challenge,
 372       const AsyncMethodCallback& callback) = 0;
 373
 374   // Asynchronously signs a simple challenge with the key specified by
 375   // |key_type| and |key_name|.  |challenge| can be any set of arbitrary bytes.
 376   // A nonce will be appended to the challenge before signing; this method
 377   // cannot be used to sign arbitrary data.  The |callback| will be called when
 378   // the dbus call completes.  When the operation completes, the
 379   // AsyncCallStatusWithDataHandler signal handler is called.  If |key_type| is
 380   // KEY_USER, a |user_id| must be provided.  Otherwise |user_id| is ignored.
 381   // For normal GAIA users the |user_id| is a canonical email address.
 382   virtual void TpmAttestationSignSimpleChallenge(
 383       attestation::AttestationKeyType key_type,
 384       const std::string& user_id,
 385       const std::string& key_name,
 386       const std::string& challenge,
 387       const AsyncMethodCallback& callback) = 0;
 388
 389   // Gets the payload associated with the key specified by |key_type| and
 390   // |key_name|.  The |callback| will be called when the operation completes.
 391   // If the key does not exist the callback |result| parameter will be false.
 392   // If no payload has been set for the key the callback |result| parameter will
 393   // be true and the |data| parameter will be empty.  If |key_type| is
 394   // KEY_USER, a |user_id| must be provided.  Otherwise |user_id| is ignored.
 395   // For normal GAIA users the |user_id| is a canonical email address.
 396   virtual void TpmAttestationGetKeyPayload(
 397       attestation::AttestationKeyType key_type,
 398       const std::string& user_id,
 399       const std::string& key_name,
 400       const DataMethodCallback& callback) = 0;
 401
 402   // Sets the |payload| associated with the key specified by |key_type| and
 403   // |key_name|.  The |callback| will be called when the operation completes.
 404   // If the operation succeeds, the callback |result| parameter will be true.
 405   // If |key_type| is KEY_USER, a |user_id| must be provided.  Otherwise
 406   // |user_id| is ignored.  For normal GAIA users the |user_id| is a canonical
 407   // email address.
 408   virtual void TpmAttestationSetKeyPayload(
 409       attestation::AttestationKeyType key_type,
 410       const std::string& user_id,
 411       const std::string& key_name,
 412       const std::string& payload,
 413       const BoolDBusMethodCallback& callback) = 0;
 414
 415   // Deletes certified keys as specified by |key_type| and |key_prefix|.  The
 416   // |callback| will be called when the operation completes.  If the operation
 417   // succeeds, the callback |result| parameter will be true.  If |key_type| is
 418   // KEY_USER, a |user_id| must be provided.  Otherwise |user_id| is ignored.
 419   // For normal GAIA users the |user_id| is a canonical email address.  All keys
 420   // where the key name has a prefix matching |key_prefix| will be deleted.  All
 421   // meta-data associated with the key, including certificates, will also be
 422   // deleted.
 423   virtual void TpmAttestationDeleteKeys(
 424       attestation::AttestationKeyType key_type,
 425       const std::string& user_id,
 426       const std::string& key_prefix,
 427       const BoolDBusMethodCallback& callback) = 0;
 428
 429  protected:
 430   // Create() should be used instead.
 431   CryptohomeClient();
 432
 433  private:
 434   DISALLOW_COPY_AND_ASSIGN(CryptohomeClient);
 435 };
 436
 437 }  // namespace chromeos
 438
 439 #endif  // CHROMEOS_DBUS_CRYPTOHOME_CLIENT_H_