chrome/browser/chromeos/platform_keys/platform_keys.h

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_
   6 #define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_
   7
   8 #include <string>
   9 #include <vector>
  10
  11 #include "base/callback_forward.h"
  12 #include "base/macros.h"
  13 #include "base/memory/ref_counted.h"
  14 #include "base/memory/scoped_ptr.h"
  15 #include "net/cert/x509_certificate.h"
  16
  17 namespace content {
  18 class BrowserContext;
  19 }
  20
  21 namespace chromeos {
  22
  23 namespace platform_keys {
  24
  25 // A token is a store for keys or certs and can provide cryptographic
  26 // operations.
  27 // ChromeOS provides itself a user token and conditionally a system wide token,
  28 // thus these tokens use static identifiers. The platform keys API is designed
  29 // to support arbitrary other tokens in the future, which could then use
  30 // run-time generated IDs.
  31 extern const char kTokenIdUser[];
  32 extern const char kTokenIdSystem[];
  33
  34 // Supported hash algorithms.
  35 enum HashAlgorithm {
  36   HASH_ALGORITHM_NONE,  // The value if no hash function is selected.
  37   HASH_ALGORITHM_SHA1,
  38   HASH_ALGORITHM_SHA256,
  39   HASH_ALGORITHM_SHA384,
  40   HASH_ALGORITHM_SHA512
  41 };
  42
  43 struct ClientCertificateRequest {
  44   ClientCertificateRequest();
  45   ~ClientCertificateRequest();
  46
  47   // The list of the types of certificates requested, sorted in order of the
  48   // server's preference.
  49   std::vector<net::X509Certificate::PublicKeyType> certificate_key_types;
  50
  51   // List of distinguished names of certificate authorities allowed by the
  52   // server. Each entry must be a DER-encoded X.509 DistinguishedName.
  53   std::vector<std::string> certificate_authorities;
  54 };
  55
  56 namespace subtle {
  57 // Functions of this namespace shouldn't be called directly from the context of
  58 // an extension. Instead use PlatformKeysService which enforces restrictions
  59 // upon extensions.
  60
  61 typedef base::Callback<void(const std::string& public_key_spki_der,
  62                             const std::string& error_message)>
  63     GenerateKeyCallback;
  64
  65 // Generates a RSA key pair with |modulus_length_bits|. |token_id| is currently
  66 // ignored, instead the user token associated with |browser_context| is always
  67 // used. |callback| will be invoked with the resulting public key or an error.
  68 void GenerateRSAKey(const std::string& token_id,
  69                     unsigned int modulus_length_bits,
  70                     const GenerateKeyCallback& callback,
  71                     content::BrowserContext* browser_context);
  72
  73 typedef base::Callback<void(const std::string& signature,
  74                             const std::string& error_message)> SignCallback;
  75
  76 // Digests |data|, applies PKCS1 padding and afterwards signs the data with the
  77 // private key matching |params.public_key|. If a non empty token id is provided
  78 // and the key is not found in that token, the operation aborts. |callback| will
  79 // be invoked with the signature or an error message.
  80 void SignRSAPKCS1Digest(const std::string& token_id,
  81                         const std::string& data,
  82                         const std::string& public_key,
  83                         HashAlgorithm hash_algorithm,
  84                         const SignCallback& callback,
  85                         content::BrowserContext* browser_context);
  86
  87 // Applies PKCS1 padding and afterwards signs the data with the private key
  88 // matching |params.public_key|. |data| is not digested. If a non empty token id
  89 // is provided and the key is not found in that token, the operation aborts.
  90 // The size of |data| (number of octets) must be smaller than k - 11, where k
  91 // is the key size in octets.
  92 // |callback| will be invoked with the signature or an error message.
  93 void SignRSAPKCS1Raw(const std::string& token_id,
  94                      const std::string& data,
  95                      const std::string& public_key,
  96                      const SignCallback& callback,
  97                      content::BrowserContext* browser_context);
  98
  99 // If the certificate request could be processed successfully, |matches| will
 100 // contain the list of matching certificates (which may be empty) and
 101 // |error_message| will be empty. If an error occurred, |matches| will be null
 102 // and |error_message| contain an error message.
 103 typedef base::Callback<void(scoped_ptr<net::CertificateList> matches,
 104                             const std::string& error_message)>
 105     SelectCertificatesCallback;
 106
 107 // Returns the list of all certificates that were issued by one of the
 108 // |certificate_authorities|. If |certificate_authorities| is empty, all
 109 // certificates will be returned. |callback| will be invoked with the matches or
 110 // an error message.
 111 void SelectClientCertificates(
 112     const std::vector<std::string>& certificate_authorities,
 113     const SelectCertificatesCallback& callback,
 114     content::BrowserContext* browser_context);
 115
 116 }  // namespace subtle
 117
 118 // Returns the DER encoding of the X.509 Subject Public Key Info of the public
 119 // key in |certificate|.
 120 std::string GetSubjectPublicKeyInfo(
 121     const scoped_refptr<net::X509Certificate>& certificate);
 122
 123 // Obtains information about the public key in |certificate|.
 124 // If |certificate| contains an RSA key, sets |key_size_bits| to the modulus
 125 // length, and |key_type| to type RSA and returns true.
 126 // If |certificate| contains any other key type, or if the public exponent of
 127 // the RSA key in |certificate| is not F4, returns false and does not update any
 128 // of the output parameters.
 129 // All pointer arguments must not be null.
 130 bool GetPublicKey(const scoped_refptr<net::X509Certificate>& certificate,
 131                   net::X509Certificate::PublicKeyType* key_type,
 132                   size_t* key_size_bits);
 133
 134 // If the list of certificates could be successfully retrieved, |certs| will
 135 // contain the list of available certificates (maybe empty) and |error_message|
 136 // will be empty. If an error occurred, |certs| will be empty and
 137 // |error_message| contain an error message.
 138 typedef base::Callback<void(scoped_ptr<net::CertificateList> certs,
 139                             const std::string& error_message)>
 140     GetCertificatesCallback;
 141
 142 // Returns the list of all certificates with stored private key available from
 143 // the given token. |token_id| is currently ignored, instead the user token
 144 // associated with |browser_context| is always used. |callback| will be invoked
 145 // with the list of available certificates or an error message.
 146 void GetCertificates(const std::string& token_id,
 147                      const GetCertificatesCallback& callback,
 148                      content::BrowserContext* browser_context);
 149
 150 // If an error occurred during import, |error_message| will be set to an error
 151 // message.
 152 typedef base::Callback<void(const std::string& error_message)>
 153     ImportCertificateCallback;
 154
 155 // Imports |certificate| to the given token if the certified key is already
 156 // stored in this token. Any intermediate of |certificate| will be ignored.
 157 // |token_id| is currently ignored, instead the user token associated with
 158 // |browser_context| is always used. |callback| will be invoked when the import
 159 // is finished, possibly with an error message.
 160 void ImportCertificate(const std::string& token_id,
 161                        const scoped_refptr<net::X509Certificate>& certificate,
 162                        const ImportCertificateCallback& callback,
 163                        content::BrowserContext* browser_context);
 164
 165 // If an error occurred during removal, |error_message| will be set to an error
 166 // message.
 167 typedef base::Callback<void(const std::string& error_message)>
 168     RemoveCertificateCallback;
 169
 170 // Removes |certificate| from the given token if present. Any intermediate of
 171 // |certificate| will be ignored. |token_id| is currently ignored, instead the
 172 // user token associated with |browser_context| is always used. |callback| will
 173 // be invoked when the removal is finished, possibly with an error message.
 174 void RemoveCertificate(const std::string& token_id,
 175                        const scoped_refptr<net::X509Certificate>& certificate,
 176                        const RemoveCertificateCallback& callback,
 177                        content::BrowserContext* browser_context);
 178
 179 // If the list of available tokens could be successfully retrieved, |token_ids|
 180 // will contain the token ids. If an error occurs, |token_ids| will be NULL and
 181 // |error_message| will be set to an error message.
 182 typedef base::Callback<void(scoped_ptr<std::vector<std::string> > token_ids,
 183                             const std::string& error_message)>
 184     GetTokensCallback;
 185
 186 // Gets the list of available tokens. |callback| will be invoked when the list
 187 // of available tokens is determined, possibly with an error message.
 188 // Must be called and calls |callback| on the UI thread.
 189 void GetTokens(const GetTokensCallback& callback,
 190                content::BrowserContext* browser_context);
 191
 192 }  // namespace platform_keys
 193
 194 }  // namespace chromeos
 195
 196 #endif  // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_PLATFORM_KEYS_H_