1// Copyright 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROME_BROWSER_CHROMEOS_SETTINGS_TOKEN_ENCRYPTOR_H_
6#define CHROME_BROWSER_CHROMEOS_SETTINGS_TOKEN_ENCRYPTOR_H_
7
8#include <string>
9
10#include "base/basictypes.h"
11#include "base/memory/scoped_ptr.h"
12
13namespace crypto {
14class SymmetricKey;
15}
16
17namespace chromeos {
18
19// Interface class for classes that encrypt and decrypt tokens using the
20// system salt.
21class TokenEncryptor {
22 public:
23  virtual ~TokenEncryptor() {}
24
25  // Encrypts |token| with the system salt key (stable for the lifetime
26  // of the device).  Useful to avoid storing plain text in place like
27  // Local State.
28  virtual std::string EncryptWithSystemSalt(const std::string& token) = 0;
29
30  // Decrypts |token| with the system salt key (stable for the lifetime
31  // of the device).
32  virtual std::string DecryptWithSystemSalt(
33      const std::string& encrypted_token_hex) = 0;
34};
35
36// TokenEncryptor based on the system salt from cryptohome daemon. This
37// implementation is used in production.
38class CryptohomeTokenEncryptor : public TokenEncryptor {
39 public:
40  explicit CryptohomeTokenEncryptor(const std::string& system_salt);
41  virtual ~CryptohomeTokenEncryptor();
42
43  // TokenEncryptor overrides:
44  virtual std::string EncryptWithSystemSalt(const std::string& token) OVERRIDE;
45  virtual std::string DecryptWithSystemSalt(
46      const std::string& encrypted_token_hex) OVERRIDE;
47
48 private:
49  // Converts |passphrase| to a SymmetricKey using the given |salt|.
50  crypto::SymmetricKey* PassphraseToKey(const std::string& passphrase,
51                                        const std::string& salt);
52
53  // Encrypts (AES) the token given |key| and |salt|.
54  std::string EncryptTokenWithKey(crypto::SymmetricKey* key,
55                                  const std::string& salt,
56                                  const std::string& token);
57
58  // Decrypts (AES) hex encoded encrypted token given |key| and |salt|.
59  std::string DecryptTokenWithKey(crypto::SymmetricKey* key,
60                                  const std::string& salt,
61                                  const std::string& encrypted_token_hex);
62
63  // The cached system salt passed to the constructor, originally coming
64  // from cryptohome daemon.
65  std::string system_salt_;
66
67  // A key based on the system salt.  Useful for encrypting device-level
68  // data for which we have no additional credentials.
69  scoped_ptr<crypto::SymmetricKey> system_salt_key_;
70
71  DISALLOW_COPY_AND_ASSIGN(CryptohomeTokenEncryptor);
72};
73
74}  // namespace chromeos
75
76#endif  // CHROME_BROWSER_CHROMEOS_SETTINGS_TOKEN_ENCRYPTOR_H_
77