1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
|
// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CHROME_BROWSER_ASH_CROSAPI_KEYSTORE_SERVICE_ASH_H_
#define CHROME_BROWSER_ASH_CROSAPI_KEYSTORE_SERVICE_ASH_H_
#include <stdint.h>
#include <memory>
#include <string>
#include <vector>
#include "base/memory/raw_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chrome/browser/chromeos/platform_keys/platform_keys.h"
#include "chromeos/crosapi/mojom/keystore_service.mojom-shared.h"
#include "chromeos/crosapi/mojom/keystore_service.mojom.h"
#include "components/keyed_service/core/keyed_service.h"
#include "mojo/public/cpp/bindings/pending_receiver.h"
#include "mojo/public/cpp/bindings/receiver_set.h"
namespace content {
class BrowserContext;
} // namespace content
namespace ash {
namespace attestation {
class TpmChallengeKey;
struct TpmChallengeKeyResult;
} // namespace attestation
namespace platform_keys {
class KeyPermissionsService;
class PlatformKeysService;
} // namespace platform_keys
} // namespace ash
namespace crosapi {
// This class is the ash implementation of the KeystoreService crosapi. It
// allows lacros to expose blessed extension APIs which can query or modify the
// system keystores. This class is affine to the UI thread.
class KeystoreServiceAsh : public mojom::KeystoreService, public KeyedService {
public:
using KeystoreType = mojom::KeystoreType;
using SigningScheme = mojom::KeystoreSigningScheme;
using KeystoreKeyAttributeType = mojom::KeystoreKeyAttributeType;
explicit KeystoreServiceAsh(content::BrowserContext* fixed_context);
// Allows to create the service early. It will use the current primary profile
// whenever used. The profile should be specified explicitly when possible.
KeystoreServiceAsh();
// For testing only.
explicit KeystoreServiceAsh(
ash::platform_keys::PlatformKeysService* platform_keys_service,
ash::platform_keys::KeyPermissionsService* key_permissions_service);
KeystoreServiceAsh(const KeystoreServiceAsh&) = delete;
KeystoreServiceAsh& operator=(const KeystoreServiceAsh&) = delete;
~KeystoreServiceAsh() override;
void BindReceiver(mojo::PendingReceiver<mojom::KeystoreService> receiver);
// mojom::KeystoreService:
void ChallengeAttestationOnlyKeystore(
mojom::KeystoreType type,
const std::vector<uint8_t>& challenge,
bool migrate,
mojom::KeystoreAlgorithmName algorithm,
ChallengeAttestationOnlyKeystoreCallback callback) override;
void GetKeyStores(GetKeyStoresCallback callback) override;
void SelectClientCertificates(
const std::vector<std::vector<uint8_t>>& certificate_authorities,
SelectClientCertificatesCallback callback) override;
void GetCertificates(mojom::KeystoreType keystore,
GetCertificatesCallback callback) override;
void AddCertificate(mojom::KeystoreType keystore,
const std::vector<uint8_t>& certificate,
AddCertificateCallback callback) override;
void RemoveCertificate(mojom::KeystoreType keystore,
const std::vector<uint8_t>& certificate,
RemoveCertificateCallback callback) override;
void GetPublicKey(const std::vector<uint8_t>& certificate,
mojom::KeystoreAlgorithmName algorithm_name,
GetPublicKeyCallback callback) override;
void GenerateKey(mojom::KeystoreType keystore,
mojom::KeystoreAlgorithmPtr algorithm,
GenerateKeyCallback callback) override;
void RemoveKey(KeystoreType keystore,
const std::vector<uint8_t>& public_key,
RemoveKeyCallback callback) override;
void Sign(bool is_keystore_provided,
KeystoreType keystore,
const std::vector<uint8_t>& public_key,
SigningScheme scheme,
const std::vector<uint8_t>& data,
SignCallback callback) override;
void GetKeyTags(const std::vector<uint8_t>& public_key,
GetKeyTagsCallback callback) override;
void AddKeyTags(const std::vector<uint8_t>& public_key,
uint64_t tags,
AddKeyTagsCallback callback) override;
void CanUserGrantPermissionForKey(
const std::vector<uint8_t>& public_key,
CanUserGrantPermissionForKeyCallback callback) override;
void SetAttributeForKey(KeystoreType keystore,
const std::vector<uint8_t>& public_key,
KeystoreKeyAttributeType attribute_type,
const std::vector<uint8_t>& attribute_value,
SetAttributeForKeyCallback callback) override;
// DEPRECATED, use `GenerateKey` instead.
void DEPRECATED_ExtensionGenerateKey(
mojom::KeystoreType keystore,
mojom::KeystoreAlgorithmPtr algorithm,
const std::optional<std::string>& extension_id,
DEPRECATED_ExtensionGenerateKeyCallback callback) override;
// DEPRECATED, use `Sign` instead.
void DEPRECATED_ExtensionSign(
KeystoreType keystore,
const std::vector<uint8_t>& public_key,
SigningScheme scheme,
const std::vector<uint8_t>& data,
const std::string& extension_id,
DEPRECATED_ExtensionSignCallback callback) override;
// DEPRECATED, use `GetPublicKey` instead.
void DEPRECATED_GetPublicKey(
const std::vector<uint8_t>& certificate,
mojom::KeystoreAlgorithmName algorithm_name,
DEPRECATED_GetPublicKeyCallback callback) override;
// DEPRECATED, use `GetKeyStores` instead.
void DEPRECATED_GetKeyStores(
DEPRECATED_GetKeyStoresCallback callback) override;
// DEPRECATED, use `GetCertificates` instead.
void DEPRECATED_GetCertificates(
mojom::KeystoreType keystore,
DEPRECATED_GetCertificatesCallback callback) override;
// DEPRECATED, use `AddCertificate` instead.
void DEPRECATED_AddCertificate(
mojom::KeystoreType keystore,
const std::vector<uint8_t>& certificate,
DEPRECATED_AddCertificateCallback callback) override;
// DEPRECATED, use `RemoveCertificate` instead.
void DEPRECATED_RemoveCertificate(
mojom::KeystoreType keystore,
const std::vector<uint8_t>& certificate,
DEPRECATED_RemoveCertificateCallback callback) override;
// DEPRECATED, use `ChallengeAttestationOnlyKeystore` instead.
void DEPRECATED_ChallengeAttestationOnlyKeystore(
const std::string& challenge,
mojom::KeystoreType type,
bool migrate,
DEPRECATED_ChallengeAttestationOnlyKeystoreCallback callback) override;
private:
// Returns a correct instance of PlatformKeysService to use. If a specific
// browser context was passed into constructor, the corresponding
// PlatformKeysService instance will be used for all operations.
// Otherwise the class will use an instance for the primary profile.
ash::platform_keys::PlatformKeysService* GetPlatformKeys();
// Returns a correct instance of KeyPermissionsService to use. If a specific
// browser context was passed into constructor, the corresponding
// KeyPermissionsService instance will be used for all operations.
// Otherwise the class will use an instance for the primary profile.
ash::platform_keys::KeyPermissionsService* GetKeyPermissions();
// |challenge_key_ptr| is used as a opaque identifier to match against the
// unique_ptr in outstanding_challenges_. It should not be dereferenced.
void DidChallengeAttestationOnlyKeystore(
ChallengeAttestationOnlyKeystoreCallback callback,
void* challenge_key_ptr,
const ash::attestation::TpmChallengeKeyResult& result);
static void DidGetKeyStores(
GetKeyStoresCallback callback,
const std::vector<chromeos::platform_keys::TokenId>
platform_keys_token_ids,
chromeos::platform_keys::Status status);
static void DidSelectClientCertificates(
SelectClientCertificatesCallback callback,
std::unique_ptr<net::CertificateList> matches,
chromeos::platform_keys::Status status);
static void DidGetCertificates(GetCertificatesCallback callback,
std::unique_ptr<net::CertificateList> certs,
chromeos::platform_keys::Status status);
static void DidImportCertificate(AddCertificateCallback callback,
chromeos::platform_keys::Status status);
static void DidRemoveCertificate(RemoveCertificateCallback callback,
chromeos::platform_keys::Status status);
static void DidGenerateKey(GenerateKeyCallback callback,
std::vector<uint8_t> public_key,
chromeos::platform_keys::Status status);
static void DidRemoveKey(RemoveKeyCallback callback,
chromeos::platform_keys::Status status);
static void DidSign(SignCallback callback,
std::vector<uint8_t> signature,
chromeos::platform_keys::Status status);
static void DidGetKeyTags(GetKeyTagsCallback callback,
std::optional<bool> corporate,
chromeos::platform_keys::Status status);
static void DidAddKeyTags(AddKeyTagsCallback callback,
chromeos::platform_keys::Status status);
static void DidSetAttributeForKey(SetAttributeForKeyCallback callback,
chromeos::platform_keys::Status status);
// Can be nullptr, should not be used directly, use GetPlatformKeys() instead.
// Stores a pointer to a specific PlatformKeysService if it was specified in
// constructor.
const raw_ptr<ash::platform_keys::PlatformKeysService>
fixed_platform_keys_service_ = nullptr;
// Can be nullptr, should not be used directly, use GetKeyPermissions()
// instead. Stores a pointer to a specific KeyPermissionsService if it was
// specified in constructor.
const raw_ptr<ash::platform_keys::KeyPermissionsService>
fixed_key_permissions_service_ = nullptr;
// Container to keep outstanding challenges alive. The challenges should be
// destroyed together with this service to reduce the chance of them accessing
// other services that may be deleted by that point.
std::vector<std::unique_ptr<ash::attestation::TpmChallengeKey>>
outstanding_challenges_;
mojo::ReceiverSet<mojom::KeystoreService> receivers_;
base::WeakPtrFactory<KeystoreServiceAsh> weak_factory_{this};
};
} // namespace crosapi
#endif // CHROME_BROWSER_ASH_CROSAPI_KEYSTORE_SERVICE_ASH_H_
|
