Changed OAuth token+secret encryption to use supplemental user key from NSS DB.
BUG=chromium-os:18633 TEST=none Review URL: http://codereview.chromium.org/7756025 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@99912 0039d316-1c4b-4281-b951-d872f2087c98
This commit is contained in:
@@ -176,6 +176,10 @@ class CertLibraryImpl
|
|||||||
return server_ca_certs_;
|
return server_ca_certs_;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
virtual crypto::SymmetricKey* GetSupplementalUserKey() const {
|
||||||
|
return crypto::GetSupplementalUserKey();
|
||||||
|
}
|
||||||
|
|
||||||
// net::CertDatabase::Observer implementation. Observer added on UI thread.
|
// net::CertDatabase::Observer implementation. Observer added on UI thread.
|
||||||
virtual void OnCertTrustChanged(const net::X509Certificate* cert) OVERRIDE {
|
virtual void OnCertTrustChanged(const net::X509Certificate* cert) OVERRIDE {
|
||||||
DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
|
DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
|
||||||
|
@@ -12,6 +12,10 @@
|
|||||||
#include "net/base/cert_database.h"
|
#include "net/base/cert_database.h"
|
||||||
#include "net/base/x509_certificate.h"
|
#include "net/base/x509_certificate.h"
|
||||||
|
|
||||||
|
namespace crypto {
|
||||||
|
class SymmetricKey;
|
||||||
|
}
|
||||||
|
|
||||||
namespace chromeos {
|
namespace chromeos {
|
||||||
|
|
||||||
class CertLibrary {
|
class CertLibrary {
|
||||||
@@ -96,6 +100,9 @@ class CertLibrary {
|
|||||||
|
|
||||||
// Returns the current list of server CA certificates.
|
// Returns the current list of server CA certificates.
|
||||||
virtual const CertList& GetCACertificates() const = 0;
|
virtual const CertList& GetCACertificates() const = 0;
|
||||||
|
|
||||||
|
// Returns the supplemental user key.
|
||||||
|
virtual crypto::SymmetricKey* GetSupplementalUserKey() const = 0;
|
||||||
};
|
};
|
||||||
|
|
||||||
} // namespace chromeos
|
} // namespace chromeos
|
||||||
|
@@ -100,6 +100,9 @@ class Authenticator : public base::RefCountedThreadSafe<Authenticator> {
|
|||||||
// OAuth token encryption helpers.
|
// OAuth token encryption helpers.
|
||||||
virtual std::string EncryptToken(const std::string& token) = 0;
|
virtual std::string EncryptToken(const std::string& token) = 0;
|
||||||
virtual std::string DecryptToken(const std::string& encrypted_token) = 0;
|
virtual std::string DecryptToken(const std::string& encrypted_token) = 0;
|
||||||
|
// TODO(zelidrag): Remove legacy encryption support in R16.
|
||||||
|
virtual std::string DecryptLegacyToken(
|
||||||
|
const std::string& encrypted_token) = 0;
|
||||||
|
|
||||||
// Profile (usually off the record ) that was used to perform the last
|
// Profile (usually off the record ) that was used to perform the last
|
||||||
// authentication process.
|
// authentication process.
|
||||||
|
@@ -422,6 +422,11 @@ std::string GoogleAuthenticator::DecryptToken(const std::string& unused) {
|
|||||||
return std::string();
|
return std::string();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
std::string GoogleAuthenticator::DecryptLegacyToken(const std::string& unused) {
|
||||||
|
NOTIMPLEMENTED();
|
||||||
|
return std::string();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void GoogleAuthenticator::LoadSystemSalt() {
|
void GoogleAuthenticator::LoadSystemSalt() {
|
||||||
if (!system_salt_.empty())
|
if (!system_salt_.empty())
|
||||||
|
@@ -120,6 +120,8 @@ class GoogleAuthenticator : public Authenticator, public GaiaAuthConsumer {
|
|||||||
const std::string& oauth1_secret) OVERRIDE;
|
const std::string& oauth1_secret) OVERRIDE;
|
||||||
virtual std::string EncryptToken(const std::string& token) OVERRIDE;
|
virtual std::string EncryptToken(const std::string& token) OVERRIDE;
|
||||||
virtual std::string DecryptToken(const std::string& encrypted_token) OVERRIDE;
|
virtual std::string DecryptToken(const std::string& encrypted_token) OVERRIDE;
|
||||||
|
virtual std::string DecryptLegacyToken(
|
||||||
|
const std::string& encrypted_token) OVERRIDE;
|
||||||
|
|
||||||
// Callbacks from GaiaAuthFetcher
|
// Callbacks from GaiaAuthFetcher
|
||||||
virtual void OnClientLoginFailure(
|
virtual void OnClientLoginFailure(
|
||||||
|
@@ -935,8 +935,19 @@ bool LoginUtilsImpl::ReadOAuth1AccessToken(Profile* user_profile,
|
|||||||
|
|
||||||
std::string decoded_token = authenticator_->DecryptToken(encoded_token);
|
std::string decoded_token = authenticator_->DecryptToken(encoded_token);
|
||||||
std::string decoded_secret = authenticator_->DecryptToken(encoded_secret);
|
std::string decoded_secret = authenticator_->DecryptToken(encoded_secret);
|
||||||
if (!decoded_token.length() || !decoded_secret.length())
|
if (!decoded_token.length() || !decoded_secret.length()) {
|
||||||
return false;
|
// TODO(zelidrag): Remove legacy encryption support in R16.
|
||||||
|
// Check if tokens were encoded with the legacy encryption instead.
|
||||||
|
decoded_token = authenticator_->DecryptLegacyToken(encoded_token);
|
||||||
|
decoded_secret = authenticator_->DecryptLegacyToken(encoded_secret);
|
||||||
|
if (!decoded_token.length() || !decoded_secret.length())
|
||||||
|
return false;
|
||||||
|
|
||||||
|
pref_service->SetString(prefs::kOAuth1Token,
|
||||||
|
authenticator_->EncryptToken(decoded_token));
|
||||||
|
pref_service->SetString(prefs::kOAuth1Secret,
|
||||||
|
authenticator_->EncryptToken(decoded_secret));
|
||||||
|
}
|
||||||
|
|
||||||
*token = decoded_token;
|
*token = decoded_token;
|
||||||
*secret = decoded_secret;
|
*secret = decoded_secret;
|
||||||
|
@@ -69,6 +69,11 @@ std::string MockAuthenticator::DecryptToken(
|
|||||||
return std::string();
|
return std::string();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
std::string MockAuthenticator::DecryptLegacyToken(
|
||||||
|
const std::string& encrypted_token) {
|
||||||
|
return std::string();
|
||||||
|
}
|
||||||
|
|
||||||
////////////////////////////////////////////////////////////////////////////////
|
////////////////////////////////////////////////////////////////////////////////
|
||||||
// MockLoginUtils
|
// MockLoginUtils
|
||||||
|
|
||||||
|
@@ -71,6 +71,8 @@ class MockAuthenticator : public Authenticator {
|
|||||||
|
|
||||||
virtual std::string DecryptToken(const std::string& encrypted_token);
|
virtual std::string DecryptToken(const std::string& encrypted_token);
|
||||||
|
|
||||||
|
virtual std::string DecryptLegacyToken(const std::string& encrypted_token);
|
||||||
|
|
||||||
virtual void VerifyOAuth1AccessToken(const std::string& oauth1_access_token,
|
virtual void VerifyOAuth1AccessToken(const std::string& oauth1_access_token,
|
||||||
const std::string& oauth1_secret) {}
|
const std::string& oauth1_secret) {}
|
||||||
|
|
||||||
|
@@ -16,6 +16,7 @@
|
|||||||
#include "base/string_number_conversions.h"
|
#include "base/string_number_conversions.h"
|
||||||
#include "base/string_util.h"
|
#include "base/string_util.h"
|
||||||
#include "base/synchronization/lock.h"
|
#include "base/synchronization/lock.h"
|
||||||
|
#include "chrome/browser/chromeos/cros/cert_library.h"
|
||||||
#include "chrome/browser/chromeos/cros/cryptohome_library.h"
|
#include "chrome/browser/chromeos/cros/cryptohome_library.h"
|
||||||
#include "chrome/browser/chromeos/login/auth_response_handler.h"
|
#include "chrome/browser/chromeos/login/auth_response_handler.h"
|
||||||
#include "chrome/browser/chromeos/login/authentication_notification_details.h"
|
#include "chrome/browser/chromeos/login/authentication_notification_details.h"
|
||||||
@@ -46,6 +47,37 @@ using file_util::PathExists;
|
|||||||
using file_util::ReadFile;
|
using file_util::ReadFile;
|
||||||
using file_util::ReadFileToString;
|
using file_util::ReadFileToString;
|
||||||
|
|
||||||
|
namespace {
|
||||||
|
|
||||||
|
const int kPassHashLen = 32;
|
||||||
|
const size_t kKeySize = 16;
|
||||||
|
|
||||||
|
// Decrypts (AES) hex encoded encrypted token given |key| and |salt|.
|
||||||
|
std::string DecryptTokenWithKey(
|
||||||
|
crypto::SymmetricKey* key,
|
||||||
|
const std::string& salt,
|
||||||
|
const std::string& encrypted_token_hex) {
|
||||||
|
std::vector<uint8> encrypted_token_bytes;
|
||||||
|
if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes))
|
||||||
|
return std::string();
|
||||||
|
|
||||||
|
std::string encrypted_token(
|
||||||
|
reinterpret_cast<char*>(encrypted_token_bytes.data()),
|
||||||
|
encrypted_token_bytes.size());
|
||||||
|
crypto::Encryptor encryptor;
|
||||||
|
if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string()))
|
||||||
|
return std::string();
|
||||||
|
|
||||||
|
std::string nonce = salt.substr(0, kKeySize);
|
||||||
|
std::string token;
|
||||||
|
CHECK(encryptor.SetCounter(nonce));
|
||||||
|
if (!encryptor.Decrypt(encrypted_token, &token))
|
||||||
|
return std::string();
|
||||||
|
return token;
|
||||||
|
}
|
||||||
|
|
||||||
|
} // namespace
|
||||||
|
|
||||||
namespace chromeos {
|
namespace chromeos {
|
||||||
|
|
||||||
// static
|
// static
|
||||||
@@ -56,9 +88,6 @@ const int ParallelAuthenticator::kClientLoginTimeoutMs = 10000;
|
|||||||
// static
|
// static
|
||||||
const int ParallelAuthenticator::kLocalaccountRetryIntervalMs = 20;
|
const int ParallelAuthenticator::kLocalaccountRetryIntervalMs = 20;
|
||||||
|
|
||||||
const int kPassHashLen = 32;
|
|
||||||
const size_t kKeySize = 16;
|
|
||||||
|
|
||||||
ParallelAuthenticator::ParallelAuthenticator(LoginStatusConsumer* consumer)
|
ParallelAuthenticator::ParallelAuthenticator(LoginStatusConsumer* consumer)
|
||||||
: Authenticator(consumer),
|
: Authenticator(consumer),
|
||||||
already_reported_success_(false),
|
already_reported_success_(false),
|
||||||
@@ -673,6 +702,15 @@ void ParallelAuthenticator::LoadSystemSalt() {
|
|||||||
CHECK_EQ(system_salt_.size() % 2, 0U);
|
CHECK_EQ(system_salt_.size() % 2, 0U);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool ParallelAuthenticator::LoadSupplementalUserKey() {
|
||||||
|
if (!supplemental_user_key_.get()) {
|
||||||
|
supplemental_user_key_.reset(
|
||||||
|
CrosLibrary::Get()->GetCertLibrary()->GetSupplementalUserKey());
|
||||||
|
}
|
||||||
|
return supplemental_user_key_.get() != NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void ParallelAuthenticator::LoadLocalaccount(const std::string& filename) {
|
void ParallelAuthenticator::LoadLocalaccount(const std::string& filename) {
|
||||||
DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE));
|
DCHECK(BrowserThread::CurrentlyOn(BrowserThread::FILE));
|
||||||
{
|
{
|
||||||
@@ -704,13 +742,11 @@ void ParallelAuthenticator::SetLocalaccount(const std::string& new_name) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
std::string ParallelAuthenticator::EncryptToken(const std::string& token) {
|
std::string ParallelAuthenticator::EncryptToken(const std::string& token) {
|
||||||
// TODO(zelidrag): Replace salt with
|
if (!LoadSupplementalUserKey())
|
||||||
scoped_ptr<crypto::SymmetricKey> key(
|
return std::string();
|
||||||
crypto::SymmetricKey::DeriveKeyFromPassword(
|
|
||||||
crypto::SymmetricKey::AES, UserSupplementalKeyAsAscii(),
|
|
||||||
SaltAsAscii(), 1000, 256));
|
|
||||||
crypto::Encryptor encryptor;
|
crypto::Encryptor encryptor;
|
||||||
if (!encryptor.Init(key.get(), crypto::Encryptor::CTR, std::string()))
|
if (!encryptor.Init(supplemental_user_key_.get(), crypto::Encryptor::CTR,
|
||||||
|
std::string()))
|
||||||
return std::string();
|
return std::string();
|
||||||
|
|
||||||
std::string nonce = SaltAsAscii().substr(0, kKeySize);
|
std::string nonce = SaltAsAscii().substr(0, kKeySize);
|
||||||
@@ -723,33 +759,24 @@ std::string ParallelAuthenticator::EncryptToken(const std::string& token) {
|
|||||||
reinterpret_cast<const void*>(encoded_token.data()),
|
reinterpret_cast<const void*>(encoded_token.data()),
|
||||||
encoded_token.size()));
|
encoded_token.size()));
|
||||||
}
|
}
|
||||||
|
|
||||||
std::string ParallelAuthenticator::DecryptToken(
|
std::string ParallelAuthenticator::DecryptToken(
|
||||||
const std::string& encrypted_token_hex) {
|
const std::string& encrypted_token_hex) {
|
||||||
std::vector<uint8> encrypted_token_bytes;
|
if (!LoadSupplementalUserKey())
|
||||||
if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes))
|
|
||||||
return std::string();
|
return std::string();
|
||||||
|
return DecryptTokenWithKey(supplemental_user_key_.get(),
|
||||||
|
SaltAsAscii(),
|
||||||
|
encrypted_token_hex);
|
||||||
|
}
|
||||||
|
|
||||||
std::string encrypted_token(
|
std::string ParallelAuthenticator::DecryptLegacyToken(
|
||||||
reinterpret_cast<char*>(encrypted_token_bytes.data()),
|
const std::string& encrypted_token_hex) {
|
||||||
encrypted_token_bytes.size());
|
|
||||||
scoped_ptr<crypto::SymmetricKey> key(
|
scoped_ptr<crypto::SymmetricKey> key(
|
||||||
crypto::SymmetricKey::DeriveKeyFromPassword(
|
crypto::SymmetricKey::DeriveKeyFromPassword(
|
||||||
crypto::SymmetricKey::AES, UserSupplementalKeyAsAscii(),
|
crypto::SymmetricKey::AES, UserSupplementalKeyAsAscii(),
|
||||||
SaltAsAscii(), 1000, 256));
|
SaltAsAscii(), 1000, 256));
|
||||||
crypto::Encryptor encryptor;
|
return DecryptTokenWithKey(key.get(), SaltAsAscii(), encrypted_token_hex);
|
||||||
if (!encryptor.Init(key.get(), crypto::Encryptor::CTR, std::string()))
|
|
||||||
return std::string();
|
|
||||||
|
|
||||||
std::string nonce = SaltAsAscii().substr(0, kKeySize);
|
|
||||||
std::string token;
|
|
||||||
CHECK(encryptor.SetCounter(nonce));
|
|
||||||
if (!encryptor.Decrypt(encrypted_token, &token))
|
|
||||||
return std::string();
|
|
||||||
return token;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
std::string ParallelAuthenticator::HashPassword(const std::string& password) {
|
std::string ParallelAuthenticator::HashPassword(const std::string& password) {
|
||||||
// Get salt, ascii encode, update sha with that, then update with ascii
|
// Get salt, ascii encode, update sha with that, then update with ascii
|
||||||
// of password, then end.
|
// of password, then end.
|
||||||
|
@@ -32,6 +32,10 @@ namespace base {
|
|||||||
class Lock;
|
class Lock;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
namespace crypto {
|
||||||
|
class SymmetricKey;
|
||||||
|
}
|
||||||
|
|
||||||
namespace chromeos {
|
namespace chromeos {
|
||||||
|
|
||||||
class LoginStatusConsumer;
|
class LoginStatusConsumer;
|
||||||
@@ -149,6 +153,8 @@ class ParallelAuthenticator : public Authenticator,
|
|||||||
const std::string& oauth1_secret) OVERRIDE;
|
const std::string& oauth1_secret) OVERRIDE;
|
||||||
virtual std::string EncryptToken(const std::string& token) OVERRIDE;
|
virtual std::string EncryptToken(const std::string& token) OVERRIDE;
|
||||||
virtual std::string DecryptToken(const std::string& encrypted_token) OVERRIDE;
|
virtual std::string DecryptToken(const std::string& encrypted_token) OVERRIDE;
|
||||||
|
virtual std::string DecryptLegacyToken(
|
||||||
|
const std::string& encrypted_token) OVERRIDE;
|
||||||
|
|
||||||
// AuthAttemptStateResolver overrides.
|
// AuthAttemptStateResolver overrides.
|
||||||
// Attempts to make a decision and call back |consumer_| based on
|
// Attempts to make a decision and call back |consumer_| based on
|
||||||
@@ -220,6 +226,9 @@ class ParallelAuthenticator : public Authenticator,
|
|||||||
|
|
||||||
// If we don't have the system salt yet, loads it from the CryptohomeLibrary.
|
// If we don't have the system salt yet, loads it from the CryptohomeLibrary.
|
||||||
void LoadSystemSalt();
|
void LoadSystemSalt();
|
||||||
|
// If we don't have supplemental_user_key_ yet, loads it from the NSS DB.
|
||||||
|
// Returns false if the key can not be loaded/created.
|
||||||
|
bool LoadSupplementalUserKey();
|
||||||
|
|
||||||
// If we haven't already, looks in a file called |filename| next to
|
// If we haven't already, looks in a file called |filename| next to
|
||||||
// the browser executable for a "localaccount" name, and retrieves it
|
// the browser executable for a "localaccount" name, and retrieves it
|
||||||
@@ -275,6 +284,7 @@ class ParallelAuthenticator : public Authenticator,
|
|||||||
|
|
||||||
std::string ascii_hash_;
|
std::string ascii_hash_;
|
||||||
chromeos::CryptohomeBlob system_salt_;
|
chromeos::CryptohomeBlob system_salt_;
|
||||||
|
scoped_ptr<crypto::SymmetricKey> supplemental_user_key_;
|
||||||
|
|
||||||
// When the user has changed her password, but gives us the old one, we will
|
// When the user has changed her password, but gives us the old one, we will
|
||||||
// be able to mount her cryptohome, but online authentication will fail.
|
// be able to mount her cryptohome, but online authentication will fail.
|
||||||
|
@@ -31,6 +31,10 @@
|
|||||||
#include "base/threading/thread_restrictions.h"
|
#include "base/threading/thread_restrictions.h"
|
||||||
#include "crypto/scoped_nss_types.h"
|
#include "crypto/scoped_nss_types.h"
|
||||||
|
|
||||||
|
#if defined(OS_CHROMEOS)
|
||||||
|
#include "crypto/symmetric_key.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
// USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not
|
// USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not
|
||||||
// defined, such as on Mac and Windows, we use NSS for SSL only -- we don't
|
// defined, such as on Mac and Windows, we use NSS for SSL only -- we don't
|
||||||
// use NSS for crypto or certificate verification, and we don't use the NSS
|
// use NSS for crypto or certificate verification, and we don't use the NSS
|
||||||
@@ -83,6 +87,15 @@ FilePath GetDefaultConfigDirectory() {
|
|||||||
return dir;
|
return dir;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(OS_CHROMEOS)
|
||||||
|
// Supplemental user key id.
|
||||||
|
unsigned char kSupplementalUserKeyId[] = {
|
||||||
|
0xCC, 0x13, 0x19, 0xDE, 0x75, 0x5E, 0xFE, 0xFA,
|
||||||
|
0x5E, 0x71, 0xD4, 0xA6, 0xFB, 0x00, 0x00, 0xCC
|
||||||
|
};
|
||||||
|
#endif // defined(OS_CHROMEOS)
|
||||||
|
|
||||||
|
|
||||||
// On non-chromeos platforms, return the default config directory.
|
// On non-chromeos platforms, return the default config directory.
|
||||||
// On chromeos, return a read-only directory with fake root CA certs for testing
|
// On chromeos, return a read-only directory with fake root CA certs for testing
|
||||||
// (which will not exist on non-testing images). These root CA certs are used
|
// (which will not exist on non-testing images). These root CA certs are used
|
||||||
@@ -288,6 +301,40 @@ class NSSInitSingleton {
|
|||||||
return FindSlotWithTokenName(token_name);
|
return FindSlotWithTokenName(token_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
SymmetricKey* GetSupplementalUserKey() {
|
||||||
|
DCHECK(chromeos_user_logged_in_);
|
||||||
|
|
||||||
|
PK11SlotInfo* slot = NULL;
|
||||||
|
PK11SymKey* key = NULL;
|
||||||
|
SECItem keyID;
|
||||||
|
CK_MECHANISM_TYPE type = CKM_AES_ECB;
|
||||||
|
|
||||||
|
slot = GetPublicNSSKeySlot();
|
||||||
|
if (!slot)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
if (PK11_Authenticate(slot, PR_TRUE, NULL) != SECSuccess)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
keyID.type = siBuffer;
|
||||||
|
keyID.data = kSupplementalUserKeyId;
|
||||||
|
keyID.len = static_cast<int>(sizeof(kSupplementalUserKeyId));
|
||||||
|
|
||||||
|
// Find/generate AES key.
|
||||||
|
key = PK11_FindFixedKey(slot, type, &keyID, NULL);
|
||||||
|
if (!key) {
|
||||||
|
const int kKeySizeInBytes = 32;
|
||||||
|
key = PK11_TokenKeyGen(slot, type, NULL,
|
||||||
|
kKeySizeInBytes,
|
||||||
|
&keyID, PR_TRUE, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (slot)
|
||||||
|
PK11_FreeSlot(slot);
|
||||||
|
|
||||||
|
return key ? SymmetricKey::CreateFromKey(key) : NULL;
|
||||||
|
}
|
||||||
#endif // defined(OS_CHROMEOS)
|
#endif // defined(OS_CHROMEOS)
|
||||||
|
|
||||||
|
|
||||||
@@ -702,6 +749,9 @@ bool EnsureTPMTokenReady() {
|
|||||||
return g_nss_singleton.Get().EnsureTPMTokenReady();
|
return g_nss_singleton.Get().EnsureTPMTokenReady();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
SymmetricKey* GetSupplementalUserKey() {
|
||||||
|
return g_nss_singleton.Get().GetSupplementalUserKey();
|
||||||
|
}
|
||||||
#endif // defined(OS_CHROMEOS)
|
#endif // defined(OS_CHROMEOS)
|
||||||
|
|
||||||
// TODO(port): Implement this more simply. We can convert by subtracting an
|
// TODO(port): Implement this more simply. We can convert by subtracting an
|
||||||
|
@@ -24,6 +24,8 @@ class Time;
|
|||||||
// initialization functions.
|
// initialization functions.
|
||||||
namespace crypto {
|
namespace crypto {
|
||||||
|
|
||||||
|
class SymmetricKey;
|
||||||
|
|
||||||
#if defined(USE_NSS)
|
#if defined(USE_NSS)
|
||||||
// EarlySetupForNSSInit performs lightweight setup which must occur before the
|
// EarlySetupForNSSInit performs lightweight setup which must occur before the
|
||||||
// process goes multithreaded. This does not initialise NSS. For test, see
|
// process goes multithreaded. This does not initialise NSS. For test, see
|
||||||
@@ -133,6 +135,14 @@ CRYPTO_EXPORT bool IsTPMTokenReady();
|
|||||||
// Same as IsTPMTokenReady() except this attempts to initialize the token
|
// Same as IsTPMTokenReady() except this attempts to initialize the token
|
||||||
// if necessary.
|
// if necessary.
|
||||||
CRYPTO_EXPORT bool EnsureTPMTokenReady();
|
CRYPTO_EXPORT bool EnsureTPMTokenReady();
|
||||||
|
|
||||||
|
// Gets supplemental user key. Creates one in NSS database if it does not exist.
|
||||||
|
// The supplemental user key is used for AES encryption of user data that is
|
||||||
|
// stored and protected by cryptohome. This additional layer of encryption of
|
||||||
|
// provided to ensure that sensitive data wouldn't be exposed in plain text in
|
||||||
|
// case when an attacker would somehow gain access to all content within
|
||||||
|
// cryptohome.
|
||||||
|
CRYPTO_EXPORT SymmetricKey* GetSupplementalUserKey();
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
// Convert a NSS PRTime value into a base::Time object.
|
// Convert a NSS PRTime value into a base::Time object.
|
||||||
|
@@ -71,6 +71,11 @@ class CRYPTO_EXPORT SymmetricKey {
|
|||||||
// carefully.
|
// carefully.
|
||||||
bool GetRawKey(std::string* raw_key);
|
bool GetRawKey(std::string* raw_key);
|
||||||
|
|
||||||
|
#if defined(OS_CHROMEOS)
|
||||||
|
// Creates symmetric key from NSS key. Takes over the ownership of |key|.
|
||||||
|
static SymmetricKey* CreateFromKey(PK11SymKey* key);
|
||||||
|
#endif
|
||||||
|
|
||||||
private:
|
private:
|
||||||
#if defined(USE_OPENSSL)
|
#if defined(USE_OPENSSL)
|
||||||
SymmetricKey() {}
|
SymmetricKey() {}
|
||||||
|
@@ -120,6 +120,13 @@ bool SymmetricKey::GetRawKey(std::string* raw_key) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(OS_CHROMEOS)
|
||||||
|
// static
|
||||||
|
SymmetricKey* SymmetricKey::CreateFromKey(PK11SymKey* key) {
|
||||||
|
return new SymmetricKey(key);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
SymmetricKey::SymmetricKey(PK11SymKey* key) : key_(key) {
|
SymmetricKey::SymmetricKey(PK11SymKey* key) : key_(key) {
|
||||||
DCHECK(key);
|
DCHECK(key);
|
||||||
}
|
}
|
||||||
|
Reference in New Issue
Block a user