blob: 0fc5bf926f7d4576c7051b5ff90a59f56078fc7f [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/chromeos/ownership/owner_settings_service.h"
#include <string>
#include "base/bind.h"
#include "chrome/browser/chrome_notification_types.h"
#include "chrome/browser/chromeos/login/users/user.h"
#include "chrome/browser/chromeos/login/users/user_manager.h"
#include "chrome/browser/chromeos/ownership/owner_settings_service_factory.h"
#include "chrome/browser/chromeos/profiles/profile_helper.h"
#include "chrome/browser/profiles/profile.h"
#include "chromeos/dbus/dbus_thread_manager.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/notification_details.h"
#include "content/public/browser/notification_source.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/rsa_private_key.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/signature_creator.h"
namespace em = enterprise_management;
using content::BrowserThread;
namespace chromeos {
namespace {
scoped_refptr<OwnerKeyUtil>* g_owner_key_util_for_testing = NULL;
DeviceSettingsService* g_device_settings_service_for_testing = NULL;
std::string AssembleAndSignPolicy(scoped_ptr<em::PolicyData> policy,
crypto::RSAPrivateKey* private_key) {
// Assemble the policy.
em::PolicyFetchResponse policy_response;
if (!policy->SerializeToString(policy_response.mutable_policy_data())) {
LOG(ERROR) << "Failed to encode policy payload.";
return std::string();
}
// Generate the signature.
scoped_ptr<crypto::SignatureCreator> signature_creator(
crypto::SignatureCreator::Create(private_key));
signature_creator->Update(
reinterpret_cast<const uint8*>(policy_response.policy_data().c_str()),
policy_response.policy_data().size());
std::vector<uint8> signature_bytes;
std::string policy_blob;
if (!signature_creator->Final(&signature_bytes)) {
LOG(ERROR) << "Failed to create policy signature.";
return std::string();
}
policy_response.mutable_policy_data_signature()->assign(
reinterpret_cast<const char*>(vector_as_array(&signature_bytes)),
signature_bytes.size());
return policy_response.SerializeAsString();
}
void LoadPrivateKeyByPublicKey(
const scoped_refptr<OwnerKeyUtil>& owner_key_util,
const std::vector<uint8>& public_key,
const std::string& username_hash,
const base::Callback<void(scoped_ptr<crypto::RSAPrivateKey>)>& callback) {
crypto::EnsureNSSInit();
crypto::ScopedPK11Slot slot =
crypto::GetPublicSlotForChromeOSUser(username_hash);
scoped_ptr<crypto::RSAPrivateKey> key(
owner_key_util->FindPrivateKeyInSlot(public_key, slot.get()));
BrowserThread::PostTask(
BrowserThread::UI, FROM_HERE, base::Bind(callback, base::Passed(&key)));
}
void LoadPrivateKey(
const scoped_refptr<OwnerKeyUtil>& owner_key_util,
const std::string username_hash,
const base::Callback<void(scoped_ptr<crypto::RSAPrivateKey>)>& callback) {
std::vector<uint8> public_key;
if (!owner_key_util->ImportPublicKey(&public_key)) {
scoped_ptr<crypto::RSAPrivateKey> result;
BrowserThread::PostTask(BrowserThread::UI,
FROM_HERE,
base::Bind(callback, base::Passed(&result)));
return;
}
bool rv = BrowserThread::PostTask(BrowserThread::IO,
FROM_HERE,
base::Bind(&LoadPrivateKeyByPublicKey,
owner_key_util,
public_key,
username_hash,
callback));
if (!rv) {
// IO thread doesn't exists in unit tests, but it's safe to use NSS from
// BlockingPool in unit tests.
LoadPrivateKeyByPublicKey(
owner_key_util, public_key, username_hash, callback);
}
}
bool IsPrivateKeyExistAsyncHelper(
const scoped_refptr<OwnerKeyUtil>& owner_key_util) {
std::vector<uint8> public_key;
if (!owner_key_util->ImportPublicKey(&public_key))
return false;
scoped_ptr<crypto::RSAPrivateKey> key(
crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key));
bool is_owner = key.get() != NULL;
return is_owner;
}
} // namespace
OwnerSettingsService::OwnerSettingsService(Profile* profile)
: profile_(profile),
owner_key_util_(OwnerKeyUtil::Create()),
waiting_for_profile_creation_(true),
waiting_for_tpm_token_(true),
weak_factory_(this) {
if (TPMTokenLoader::IsInitialized()) {
waiting_for_tpm_token_ = !TPMTokenLoader::Get()->IsTPMTokenReady();
TPMTokenLoader::Get()->AddObserver(this);
}
if (DBusThreadManager::IsInitialized() &&
DBusThreadManager::Get()->GetSessionManagerClient()) {
DBusThreadManager::Get()->GetSessionManagerClient()->AddObserver(this);
}
registrar_.Add(this,
chrome::NOTIFICATION_PROFILE_CREATED,
content::Source<Profile>(profile_));
}
OwnerSettingsService::~OwnerSettingsService() {
DCHECK(thread_checker_.CalledOnValidThread());
if (TPMTokenLoader::IsInitialized())
TPMTokenLoader::Get()->RemoveObserver(this);
if (DBusThreadManager::IsInitialized() &&
DBusThreadManager::Get()->GetSessionManagerClient()) {
DBusThreadManager::Get()->GetSessionManagerClient()->RemoveObserver(this);
}
}
bool OwnerSettingsService::IsOwner() {
DCHECK(thread_checker_.CalledOnValidThread());
return private_key_ && private_key_->key();
}
void OwnerSettingsService::IsOwnerAsync(const IsOwnerCallback& callback) {
DCHECK(thread_checker_.CalledOnValidThread());
if (private_key_) {
base::MessageLoop::current()->PostTask(FROM_HERE,
base::Bind(callback, IsOwner()));
} else {
pending_is_owner_callbacks_.push_back(callback);
}
}
bool OwnerSettingsService::AssembleAndSignPolicyAsync(
scoped_ptr<enterprise_management::PolicyData> policy,
const AssembleAndSignPolicyCallback& callback) {
DCHECK(thread_checker_.CalledOnValidThread());
if (!IsOwner())
return false;
base::PostTaskAndReplyWithResult(
BrowserThread::GetBlockingPool(),
FROM_HERE,
base::Bind(
&AssembleAndSignPolicy, base::Passed(&policy), private_key_->key()),
callback);
return true;
}
void OwnerSettingsService::Observe(
int type,
const content::NotificationSource& source,
const content::NotificationDetails& details) {
DCHECK(thread_checker_.CalledOnValidThread());
if (type != chrome::NOTIFICATION_PROFILE_CREATED) {
NOTREACHED();
return;
}
Profile* profile = content::Source<Profile>(source).ptr();
if (profile != profile_) {
NOTREACHED();
return;
}
waiting_for_profile_creation_ = false;
ReloadPrivateKey();
}
void OwnerSettingsService::OnTPMTokenReady() {
DCHECK(thread_checker_.CalledOnValidThread());
waiting_for_tpm_token_ = false;
// TPMTokenLoader initializes the TPM and NSS database which is necessary to
// determine ownership. Force a reload once we know these are initialized.
ReloadPrivateKey();
}
void OwnerSettingsService::OwnerKeySet(bool success) {
DCHECK(thread_checker_.CalledOnValidThread());
if (success)
ReloadPrivateKey();
}
// static
void OwnerSettingsService::IsPrivateKeyExistAsync(
const IsOwnerCallback& callback) {
scoped_refptr<OwnerKeyUtil> owner_key_util;
if (g_owner_key_util_for_testing)
owner_key_util = *g_owner_key_util_for_testing;
else
owner_key_util = OwnerKeyUtil::Create();
scoped_refptr<base::TaskRunner> task_runner =
content::BrowserThread::GetBlockingPool()
->GetTaskRunnerWithShutdownBehavior(
base::SequencedWorkerPool::SKIP_ON_SHUTDOWN);
base::PostTaskAndReplyWithResult(
task_runner.get(),
FROM_HERE,
base::Bind(&IsPrivateKeyExistAsyncHelper, owner_key_util),
callback);
}
// static
void OwnerSettingsService::SetOwnerKeyUtilForTesting(
const scoped_refptr<OwnerKeyUtil>& owner_key_util) {
DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
if (g_owner_key_util_for_testing) {
delete g_owner_key_util_for_testing;
g_owner_key_util_for_testing = NULL;
}
if (owner_key_util.get()) {
g_owner_key_util_for_testing = new scoped_refptr<OwnerKeyUtil>();
*g_owner_key_util_for_testing = owner_key_util;
}
}
// static
void OwnerSettingsService::SetDeviceSettingsServiceForTesting(
DeviceSettingsService* device_settings_service) {
DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
g_device_settings_service_for_testing = device_settings_service;
}
void OwnerSettingsService::ReloadPrivateKey() {
DCHECK(thread_checker_.CalledOnValidThread());
if (waiting_for_profile_creation_ || waiting_for_tpm_token_)
return;
scoped_refptr<base::TaskRunner> task_runner =
content::BrowserThread::GetBlockingPool()
->GetTaskRunnerWithShutdownBehavior(
base::SequencedWorkerPool::SKIP_ON_SHUTDOWN);
task_runner->PostTask(
FROM_HERE,
base::Bind(&LoadPrivateKey,
GetOwnerKeyUtil(),
ProfileHelper::GetUserIdHashFromProfile(profile_),
base::Bind(&OwnerSettingsService::OnPrivateKeyLoaded,
weak_factory_.GetWeakPtr())));
}
void OwnerSettingsService::OnPrivateKeyLoaded(
scoped_ptr<crypto::RSAPrivateKey> private_key) {
DCHECK(thread_checker_.CalledOnValidThread());
private_key_ = new PrivateKey(private_key.release());
const std::string& user_id = profile_->GetProfileName();
if (user_id == OwnerSettingsServiceFactory::GetInstance()->GetUsername())
GetDeviceSettingsService()->InitOwner(user_id, weak_factory_.GetWeakPtr());
std::vector<IsOwnerCallback> is_owner_callbacks;
is_owner_callbacks.swap(pending_is_owner_callbacks_);
const bool is_owner = IsOwner();
for (std::vector<IsOwnerCallback>::iterator it(is_owner_callbacks.begin());
it != is_owner_callbacks.end();
++it) {
it->Run(is_owner);
}
}
scoped_refptr<OwnerKeyUtil> OwnerSettingsService::GetOwnerKeyUtil() {
DCHECK(thread_checker_.CalledOnValidThread());
if (g_owner_key_util_for_testing)
return *g_owner_key_util_for_testing;
return owner_key_util_;
}
DeviceSettingsService* OwnerSettingsService::GetDeviceSettingsService() {
DCHECK(thread_checker_.CalledOnValidThread());
if (g_device_settings_service_for_testing)
return g_device_settings_service_for_testing;
if (DeviceSettingsService::IsInitialized())
return DeviceSettingsService::Get();
return NULL;
}
} // namespace chromeos