1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_PLATFORM_KEYS_PRIVATE_ENTERPRISE_PLATFORM_KEYS_PRIVATE_API_H__
6 #define CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_PLATFORM_KEYS_PRIVATE_ENTERPRISE_PLATFORM_KEYS_PRIVATE_API_H__
10 #include "base/callback.h"
11 #include "base/compiler_specific.h"
12 #include "base/memory/scoped_ptr.h"
13 #include "chrome/browser/extensions/chrome_extension_function.h"
14 #include "chrome/common/extensions/api/enterprise_platform_keys_private.h"
15 #include "chromeos/attestation/attestation_constants.h"
16 #include "chromeos/attestation/attestation_flow.h"
17 #include "chromeos/dbus/cryptohome_client.h"
18 #include "chromeos/dbus/dbus_method_call_status.h"
19 #include "third_party/cros_system_api/dbus/service_constants.h"
24 class CryptohomeClient;
27 namespace cryptohome {
28 class AsyncMethodCaller;
32 class EnterpriseInstallAttributes;
35 namespace user_prefs {
36 class PrefRegistrySyncable;
39 namespace extensions {
41 class EPKPChallengeKeyBase : public ChromeAsyncExtensionFunction {
43 static const char kChallengeBadBase64Error[];
44 static const char kDevicePolicyDisabledError[];
45 static const char kExtensionNotWhitelistedError[];
46 static const char kResponseBadBase64Error[];
47 static const char kSignChallengeFailedError[];
48 static const char kUserNotManaged[];
51 enum PrepareKeyResult {
53 PREPARE_KEY_DBUS_ERROR,
54 PREPARE_KEY_USER_REJECTED,
55 PREPARE_KEY_GET_CERTIFICATE_FAILED,
56 PREPARE_KEY_RESET_REQUIRED
59 EPKPChallengeKeyBase();
61 chromeos::CryptohomeClient* cryptohome_client,
62 cryptohome::AsyncMethodCaller* async_caller,
63 chromeos::attestation::AttestationFlow* attestation_flow,
64 policy::EnterpriseInstallAttributes* install_attributes);
65 virtual ~EPKPChallengeKeyBase();
67 // Returns a trusted value from CroSettings indicating if the device
68 // attestation is enabled.
69 void GetDeviceAttestationEnabled(
70 const base::Callback<void(bool)>& callback) const;
72 // Returns true if the device is enterprise managed.
73 bool IsEnterpriseDevice() const;
75 // Returns true if the extension is white-listed in the user policy.
76 bool IsExtensionWhitelisted() const;
78 // Returns true if the user is enterprise managed.
79 bool IsUserManaged() const;
81 // Returns the enterprise domain the device is enrolled to.
82 std::string GetEnterpriseDomain() const;
84 // Returns the user email.
85 std::string GetUserEmail() const;
87 // Returns the enterprise virtual device ID.
88 std::string GetDeviceId() const;
90 // Prepares the key for signing. It will first check if the key exists. If
91 // the key does not exist, it will call AttestationFlow::GetCertificate() to
92 // get a new one. If require_user_consent is true, it will explicitly ask for
93 // user consent before calling GetCertificate().
95 chromeos::attestation::AttestationKeyType key_type,
96 const std::string& user_id,
97 const std::string& key_name,
98 chromeos::attestation::AttestationCertificateProfile certificate_profile,
99 bool require_user_consent,
100 const base::Callback<void(PrepareKeyResult)>& callback);
102 chromeos::CryptohomeClient* cryptohome_client_;
103 cryptohome::AsyncMethodCaller* async_caller_;
104 chromeos::attestation::AttestationFlow* attestation_flow_;
105 scoped_ptr<chromeos::attestation::AttestationFlow> default_attestation_flow_;
108 // Holds the context of a PrepareKey() operation.
109 struct PrepareKeyContext {
111 chromeos::attestation::AttestationKeyType key_type,
112 const std::string& user_id,
113 const std::string& key_name,
114 chromeos::attestation::AttestationCertificateProfile
116 bool require_user_consent,
117 const base::Callback<void(PrepareKeyResult)>& callback);
118 ~PrepareKeyContext();
120 chromeos::attestation::AttestationKeyType key_type;
121 const std::string user_id;
122 const std::string key_name;
123 chromeos::attestation::AttestationCertificateProfile certificate_profile;
124 bool require_user_consent;
125 const base::Callback<void(PrepareKeyResult)> callback;
128 void IsAttestationPreparedCallback(
129 const PrepareKeyContext& context,
130 chromeos::DBusMethodCallStatus status,
132 void DoesKeyExistCallback(
133 const PrepareKeyContext& context,
134 chromeos::DBusMethodCallStatus status,
136 void AskForUserConsent(const base::Callback<void(bool)>& callback) const;
137 void AskForUserConsentCallback(
138 const PrepareKeyContext& context,
140 void GetCertificateCallback(
141 const base::Callback<void(PrepareKeyResult)>& callback,
143 const std::string& pem_certificate_chain);
145 policy::EnterpriseInstallAttributes* install_attributes_;
148 class EPKPChallengeMachineKey : public EPKPChallengeKeyBase {
150 static const char kGetCertificateFailedError[];
151 static const char kNonEnterpriseDeviceError[];
153 EPKPChallengeMachineKey();
154 EPKPChallengeMachineKey(
155 chromeos::CryptohomeClient* cryptohome_client,
156 cryptohome::AsyncMethodCaller* async_caller,
157 chromeos::attestation::AttestationFlow* attestation_flow,
158 policy::EnterpriseInstallAttributes* install_attributes);
161 virtual bool RunAsync() override;
164 static const char kKeyName[];
166 virtual ~EPKPChallengeMachineKey();
168 void GetDeviceAttestationEnabledCallback(const std::string& challenge,
170 void PrepareKeyCallback(const std::string& challenge,
171 PrepareKeyResult result);
172 void SignChallengeCallback(bool success, const std::string& response);
174 DECLARE_EXTENSION_FUNCTION(
175 "enterprise.platformKeysPrivate.challengeMachineKey",
176 ENTERPRISE_PLATFORMKEYSPRIVATE_CHALLENGEMACHINEKEY);
179 typedef EPKPChallengeMachineKey
180 EnterprisePlatformKeysPrivateChallengeMachineKeyFunction;
182 class EPKPChallengeUserKey : public EPKPChallengeKeyBase {
184 static const char kGetCertificateFailedError[];
185 static const char kKeyRegistrationFailedError[];
186 static const char kUserPolicyDisabledError[];
188 EPKPChallengeUserKey();
189 EPKPChallengeUserKey(
190 chromeos::CryptohomeClient* cryptohome_client,
191 cryptohome::AsyncMethodCaller* async_caller,
192 chromeos::attestation::AttestationFlow* attestation_flow,
193 policy::EnterpriseInstallAttributes* install_attributes);
195 static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);
198 virtual bool RunAsync() override;
201 static const char kKeyName[];
203 virtual ~EPKPChallengeUserKey();
205 void GetDeviceAttestationEnabledCallback(const std::string& challenge,
207 bool require_user_consent,
209 void PrepareKeyCallback(const std::string& challenge,
211 PrepareKeyResult result);
212 void SignChallengeCallback(bool register_key,
214 const std::string& response);
215 void RegisterKeyCallback(const std::string& response,
217 cryptohome::MountError return_code);
219 bool IsRemoteAttestationEnabledForUser() const;
221 DECLARE_EXTENSION_FUNCTION(
222 "enterprise.platformKeysPrivate.challengeUserKey",
223 ENTERPRISE_PLATFORMKEYSPRIVATE_CHALLENGEUSERKEY);
226 typedef EPKPChallengeUserKey
227 EnterprisePlatformKeysPrivateChallengeUserKeyFunction;
229 } // namespace extensions
231 #endif // CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_PLATFORM_KEYS_PRIVATE_ENTERPRISE_PLATFORM_KEYS_PRIVATE_API_H__