chrome/browser/chromeos/settings/token_encryptor.h

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CHROME_BROWSER_CHROMEOS_SETTINGS_TOKEN_ENCRYPTOR_H_
   6 #define CHROME_BROWSER_CHROMEOS_SETTINGS_TOKEN_ENCRYPTOR_H_
   7
   8 #include <string>
   9
  10 #include "base/basictypes.h"
  11 #include "base/memory/scoped_ptr.h"
  12
  13 namespace crypto {
  14 class SymmetricKey;
  15 }
  16
  17 namespace chromeos {
  18
  19 // Interface class for classes that encrypt and decrypt tokens using the
  20 // system salt.
  21 class TokenEncryptor {
  22  public:
  23   virtual ~TokenEncryptor() {}
  24
  25   // Encrypts |token| with the system salt key (stable for the lifetime
  26   // of the device).  Useful to avoid storing plain text in place like
  27   // Local State.
  28   virtual std::string EncryptWithSystemSalt(const std::string& token) = 0;
  29
  30   // Decrypts |token| with the system salt key (stable for the lifetime
  31   // of the device).
  32   virtual std::string DecryptWithSystemSalt(
  33       const std::string& encrypted_token_hex) = 0;
  34 };
  35
  36 // TokenEncryptor based on the system salt from cryptohome daemon. This
  37 // implementation is used in production.
  38 class CryptohomeTokenEncryptor : public TokenEncryptor {
  39  public:
  40   explicit CryptohomeTokenEncryptor(const std::string& system_salt);
  41   ~CryptohomeTokenEncryptor() override;
  42
  43   // TokenEncryptor overrides:
  44   std::string EncryptWithSystemSalt(const std::string& token) override;
  45   std::string DecryptWithSystemSalt(
  46       const std::string& encrypted_token_hex) override;
  47
  48  private:
  49   // Converts |passphrase| to a SymmetricKey using the given |salt|.
  50   crypto::SymmetricKey* PassphraseToKey(const std::string& passphrase,
  51                                         const std::string& salt);
  52
  53   // Encrypts (AES) the token given |key| and |salt|.
  54   std::string EncryptTokenWithKey(crypto::SymmetricKey* key,
  55                                   const std::string& salt,
  56                                   const std::string& token);
  57
  58   // Decrypts (AES) hex encoded encrypted token given |key| and |salt|.
  59   std::string DecryptTokenWithKey(crypto::SymmetricKey* key,
  60                                   const std::string& salt,
  61                                   const std::string& encrypted_token_hex);
  62
  63   // The cached system salt passed to the constructor, originally coming
  64   // from cryptohome daemon.
  65   std::string system_salt_;
  66
  67   // A key based on the system salt.  Useful for encrypting device-level
  68   // data for which we have no additional credentials.
  69   scoped_ptr<crypto::SymmetricKey> system_salt_key_;
  70
  71   DISALLOW_COPY_AND_ASSIGN(CryptohomeTokenEncryptor);
  72 };
  73
  74 }  // namespace chromeos
  75
  76 #endif  // CHROME_BROWSER_CHROMEOS_SETTINGS_TOKEN_ENCRYPTOR_H_