Add new certificateProvider extension API.
[chromium-blink-merge.git] / chrome / common / extensions / api / easy_unlock_private.idl
blobf51daf61fdaecb17c34c34e72dbb30bf58589e4b
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // <code>chrome.easyUnlockPrivate</code> API that provides hooks to Chrome to
6 // be used by Easy Unlock component app.
7 namespace easyUnlockPrivate {
8 // Signature algorithms supported by the crypto library methods used by
9 // Easy Unlock.
10 enum SignatureType {
11 HMAC_SHA256,
12 ECDSA_P256_SHA256
15 // Encryption algorithms supported by the crypto library methods used by
16 // Easy Unlock.
17 enum EncryptionType {
18 AES_256_CBC
21 // Available states for the Easy Unlock app.
22 enum State {
23 // Screen is either not locked, or the Easy Unlock is not enabled.
24 INACTIVE,
25 // The Bluetooth is not enabled.
26 NO_BLUETOOTH,
27 // Bluetooth is being activated.
28 BLUETOOTH_CONNECTING,
29 // There are no phones eligible to unlock the device.
30 NO_PHONE,
31 // A phone eligible to unlock the device is detected, but can't be
32 // authenticated.
33 PHONE_NOT_AUTHENTICATED,
34 // A phone eligible to unlock the device is detected, but it's locked and
35 // thus unable to unlock the device.
36 PHONE_LOCKED,
37 // A phone eligible to unlock the device is detected, but it is not allowed
38 // to unlock the device because it doesn't have lock screen enabled.
39 PHONE_UNLOCKABLE,
40 // A phone eligible to unlock the device is detected, but it is not allowed
41 // to unlock the device because it does not report its lock screen state.
42 PHONE_UNSUPPORTED,
43 // A phone eligible to unlock the device is detected, but its received
44 // signal strength is too low, i.e. the phone is roughly more than 30 feet
45 // away, and therefore is not allowed to unlock the device.
46 RSSI_TOO_LOW,
47 // A phone eligible to unlock the device is found, but the local device's
48 // transmission power is too high, indicating that the phone is (probably)
49 // more than 1 foot away, and therefore is not allowed to unlock the device.
50 TX_POWER_TOO_HIGH,
51 // A phone eligible to unlock the device is found; but (a) the phone is
52 // locked, and (b) the local device's transmission power is too high,
53 // indicating that the phone is (probably) more than 1 foot away, and
54 // therefore is not allowed to unlock the device.
55 PHONE_LOCKED_AND_TX_POWER_TOO_HIGH,
56 // The device can be unlocked using Easy Unlock.
57 AUTHENTICATED
60 // Type of a permit. All lower case to match permit.PermitRecord.Type.
61 enum PermitType {access, license};
63 // Options that can be passed to |unwrapSecureMessage| method.
64 dictionary UnwrapSecureMessageOptions {
65 // The data associated with the message. For the message to be succesfully
66 // verified, the message should have been created with the same associated
67 // data.
68 ArrayBuffer? associatedData;
70 // The encryption algorithm that should be used to decrypt the message.
71 // Should not be set for a cleartext message.
72 EncryptionType? encryptType;
74 // The algorithm to be used to verify signature contained in the message.
75 // Defaults to |HMAC_SHA256|. |ECDSA_P256_SHA256| can currently be used
76 // only with cleartext messages.
77 SignatureType? signType;
80 dictionary CreateSecureMessageOptions {
81 // Data associated with the message. The data will not be sent with the
82 // message, but the message recepient will use the same data on its side
83 // to verify the message.
84 ArrayBuffer? associatedData;
86 // Metadata to be added to the message header.
87 ArrayBuffer? publicMetadata;
89 // Verification key id added to the message header. Should be set if the
90 // message is signed using |ECDSA_P256_SHA256|. Used by the message
91 // recepient to determine which key should be used to verify the message
92 // signature.
93 ArrayBuffer? verificationKeyId;
95 // Decryption key id added to the message header. Used by the message
96 // recepient to determine which key should be used to decrypt the message.
97 ArrayBuffer? decryptionKeyId;
99 // The encryption algorithm that should be used to encrypt the message.
100 // Should not be set for a cleartext message.
101 EncryptionType? encryptType;
103 // The algorithm to be used to sign the message.
104 // Defaults to |HMAC_SHA256|. |ECDSA_P256_SHA256| can currently be used
105 // only with cleartext messages.
106 SignatureType? signType;
109 // A permit record contains the credentials used to request or grant
110 // authorization of a permit.
111 dictionary PermitRecord {
112 // ID of the permit, which identifies the service/application that these
113 // permit records are used in.
114 DOMString permitId;
116 // An identifier for this record that should be unique among all other
117 // records of the same permit.
118 DOMString id;
120 // Type of the record.
121 PermitType type;
123 // Websafe base64 encoded payload data of the record.
124 DOMString data;
127 // Device information that can be authenticated for Easy unlock.
128 dictionary Device {
129 // The Bluetooth address of the device.
130 DOMString bluetoothAddress;
132 // The name of the device.
133 DOMString? name;
135 // The permit record of the device.
136 PermitRecord? permitRecord;
138 // Websafe base64 encoded persistent symmetric key.
139 DOMString? psk;
142 // The information about a user associated with Easy unlock service.
143 dictionary UserInfo {
144 // The user id.
145 DOMString userId;
147 // A stable identifier for the user and device. If a user is removed and
148 // added to the same device, this id will remain the same. However, this id
149 // will be different if another user is added to the same device or if the
150 // same user is added on another device.
151 DOMString deviceUserId;
153 // Whether the user is logged in. If not logged in, the app is running on
154 // the signin screen.
155 boolean loggedIn;
157 // Whether to require the remote device to be in very close proximity before
158 // allowing unlock (~1 feet).
159 boolean requireCloseProximity;
161 // Whether all data needed to use Easy unlock service has been loaded for
162 // the user.
163 boolean dataReady;
166 // A range.
167 dictionary Range {
168 long start;
169 long end;
172 // A rectangle, in screen coordinates, measured in device-independent pixels.
173 dictionary Rect {
174 long left;
175 long top;
176 long width;
177 long height;
180 // Auto pairing reuslt.
181 dictionary AutoPairingResult {
182 // Whether the auto pairing is completed successfully.
183 boolean success;
185 // Optional error message to indicate the failure.
186 DOMString? errorMessage;
189 // Callback for crypto methods that return a single array buffer.
190 callback DataCallback = void(optional ArrayBuffer data);
192 // An empty callback used purely for signalling success vs. failure.
193 callback EmptyCallback = void();
195 // Callback for the getStrings() method.
196 callback GetStringsCallback = void(object strings);
198 // Callback for method that generates an encryption key pair.
199 callback KeyPairCallback = void(optional ArrayBuffer public_key,
200 optional ArrayBuffer private_key);
202 // Callback for the getPermitAccess() method.
203 callback GetPermitAccessCallback = void(optional PermitRecord permitAccess);
205 // Callback for the getRemoteDevices() method.
206 callback GetRemoteDevicesCallback = void(Device[] devices);
208 // Callback for the |getUserInfo()| method. Note that the callback argument is
209 // a list for future use (on signin screen there may be more than one user
210 // associated with the easy unlock service). Currently the method returns at
211 // most one user.
212 callback GetUserInfoCallback = void(UserInfo[] users);
214 // Callback for |getSignInChallenge()| method.
215 // In case challenge could not be created both |challenge| and |signedNonce|
216 // will be empty.
217 // If the requested nonce could not be signed, |signedNonce| will be empty.
218 // |challenge|: The sign in challenge to be used when signing in the user
219 // currently associated with the Easy Unlock service.
220 // |signedNonce|: Nonce signed by Chrome OS TPM, provided as an argument to
221 // the |getSignInChallenge()| function and signed by the TPM key
222 // associated with the user.
223 callback SignInChallengeCallback = void(optional ArrayBuffer challenge,
224 optional ArrayBuffer signedNonce);
226 // Callback for the |getConnectionInfo()| method.
227 // |rssi|: The received signal strength from the remote device in dB.
228 // |transmit_power| The local transmission power to the remote device in dB.
229 // |max_transmit_power| The maximum transmission power that can be achieved.
230 callback ConnectionInfoCallback = void(
231 long rssi, long transmit_power, long max_transmit_power);
233 interface Functions {
234 // Gets localized strings required to render the API.
236 // |callback| : Called with a dictionary mapping names to resource strings.
237 // TODO(isherman): This is essentially copied from identity_private.idl.
238 // Perhaps this should be extracted to a common API instead?
239 static void getStrings(GetStringsCallback callback);
241 // Generates a ECDSA key pair for P256 curve.
242 // Public key will be in format recognized by secure wire transport protocol
243 // used by Easy Unlock app. Otherwise, the exact format for both key should
244 // should be considered obfuscated to the app. The app should not use them
245 // directly, but through this API.
246 // |callback|: Callback with the generated keys. On failure, none of the
247 // keys will be set.
248 static void generateEcP256KeyPair(KeyPairCallback callback);
250 // Given a private key and a public ECDSA key from different asymetric key
251 // pairs, it generates a symetric encryption key using EC Diffie-Hellman
252 // scheme.
253 // |privateKey|: A private key generated by the app using
254 // |generateEcP256KeyPair|.
255 // |publicKey|: A public key that should be in the same format as the
256 // public key generated by |generateEcP256KeyPair|. Generally not the
257 // one paired with |private_key|.
258 // |callback|: Function returning the generated secret symetric key.
259 // On failure, the returned value will not be set.
260 static void performECDHKeyAgreement(ArrayBuffer privateKey,
261 ArrayBuffer publicKey,
262 DataCallback callback);
264 // Creates a secure, signed message in format used by Easy Unlock app to
265 // establish secure communication channel over unsecure connection.
266 // |payload|: The payload the create message should carry.
267 // |key|: The key used to sign the message content. If encryption algorithm
268 // is set in |options| the same key will be used to encrypt the message.
269 // |options|: Additional (optional) parameters used to create the message.
270 // |callback|: Function returning the created message bytes. On failure,
271 // the returned value will not be set.
272 static void createSecureMessage(
273 ArrayBuffer payload,
274 ArrayBuffer key,
275 CreateSecureMessageOptions options,
276 DataCallback callback);
278 // Authenticates and, if needed, decrypts a secure message. The message is
279 // in the same format as the one created by |createSecureMessage|.
280 // |secureMessage|: The message to be unwrapped.
281 // |key|: Key to be used to authenticate the message sender. If encryption
282 // algorithm is set in |options|, the same key will be used to decrypt
283 // the message.
284 // |options|: Additional (optional) parameters used to unwrap the message.
285 // |callback|: Function returning an array buffer containing cleartext
286 // message header and body. They are returned in a single buffer in
287 // format used inside the message. If the massage authentication or
288 // decryption fails, the returned value will not be set.
289 static void unwrapSecureMessage(
290 ArrayBuffer secureMessage,
291 ArrayBuffer key,
292 UnwrapSecureMessageOptions options,
293 DataCallback callback);
295 // Connects to the SDP service on a device, given just the device's
296 // Bluetooth address. This function is useful as a faster alternative to
297 // Bluetooth discovery, when you already know the remote device's Bluetooth
298 // address. A successful call to this function has the side-effect of
299 // registering the device with the Bluetooth daemon, making it available for
300 // future outgoing connections.
301 // |deviceAddress|: The Bluetooth address of the device to connect to.
302 // |callback|: Called to indicate success or failure.
303 static void seekBluetoothDeviceByAddress(DOMString deviceAddress,
304 optional EmptyCallback callback);
306 // Connects the socket to a remote Bluetooth device over an insecure
307 // connection, i.e. a connection that requests no bonding and no
308 // man-in-the-middle protection. Other than the reduced security setting,
309 // behaves identically to the chrome.bluetoothSocket.connect() function.
310 // |socketId|: The socket identifier, as issued by the
311 // chrome.bluetoothSocket API.
312 // |deviceAddress|: The Bluetooth address of the device to connect to.
313 // |uuid|: The UUID of the service to connect to.
314 // |callback|: Called when the connect attempt is complete.
315 static void connectToBluetoothServiceInsecurely(long socketId,
316 DOMString deviceAddress,
317 DOMString uuid,
318 EmptyCallback callback);
320 // Updates the screenlock state to reflect the Easy Unlock app state.
321 static void updateScreenlockState(State state,
322 optional EmptyCallback callback);
324 // Saves the permit record for the local device.
325 // |permitAccess|: The permit record to be saved.
326 // |callback|: Called to indicate success or failure.
327 static void setPermitAccess(PermitRecord permitAccess,
328 optional EmptyCallback callback);
330 // Gets the permit record for the local device.
331 static void getPermitAccess(GetPermitAccessCallback callback);
333 // Clears the permit record for the local device.
334 static void clearPermitAccess(optional EmptyCallback callback);
336 // Saves the remote device list.
337 // |devices|: The list of remote devices to be saved.
338 // |callback|: Called to indicate success or failure.
339 static void setRemoteDevices(Device[] devices,
340 optional EmptyCallback callback);
342 // Gets the remote device list.
343 static void getRemoteDevices(GetRemoteDevicesCallback callback);
345 // Gets the sign-in challenge for the current user.
346 // |nonce|: Nonce that should be signed by the Chrome OS TPM. The signed
347 // nonce is returned with the sign-in challenge.
348 static void getSignInChallenge(ArrayBuffer nonce,
349 SignInChallengeCallback callback);
351 // Tries to sign-in the current user with a secret obtained by decrypting
352 // the sign-in challenge. Check chrome.runtime.lastError for failures. Upon
353 // success, the user session will be started.
354 static void trySignInSecret(ArrayBuffer signInSecret,
355 EmptyCallback callback);
357 // Retrieves information about the user associated with the Easy unlock
358 // service.
359 static void getUserInfo(GetUserInfoCallback callback);
361 // Gets the connection info for the Bluetooth device identified by
362 // deviceAddress.
363 static void getConnectionInfo(DOMString deviceAddress,
364 ConnectionInfoCallback callback);
366 // Shows an error bubble with the given |message|, anchored to an edge of
367 // the given |anchorRect| -- typically the right edge, but possibly a
368 // different edge if there is not space for the bubble to the right of the
369 // anchor rectangle. If the |link_range| is non-empty, renders the text
370 // within the |message| that is contained in the |link_range| as a link with
371 // the given |link_target| URL.
372 static void showErrorBubble(DOMString message,
373 Range link_range,
374 DOMString link_target,
375 Rect anchorRect);
377 // Hides the currently visible error bubble, if there is one.
378 static void hideErrorBubble();
380 // Sets the result of auto pairing triggered from onStartAutoPairing
381 // event. If auto pairing is completed successfully, |result.success|
382 // should be true so that Easy bootstrap flow would finish and starts
383 // the user session. Otherwise, |result.success| is set to false with
384 // an optional error message to be displayed to the user.
385 static void setAutoPairingResult(AutoPairingResult result,
386 optional EmptyCallback callback);
389 interface Events {
390 // Event fired when the data for the user currently associated with
391 // Easy unlock service is updated.
392 // |userInfo| The updated user information.
393 static void onUserInfoUpdated(UserInfo userInfo);
395 // Event fired at the end of Easy bootstrap to start auto pairing so
396 // that a proper cryptohome key could be generated for the user.
397 static void onStartAutoPairing();