token_encryptor.h revision 4e180b6a0b4720a9b8e9e959a882386f690f08ff 
1// Copyright 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROME_BROWSER_CHROMEOS_SETTINGS_TOKEN_ENCRYPTOR_H_
6#define CHROME_BROWSER_CHROMEOS_SETTINGS_TOKEN_ENCRYPTOR_H_
7
8#include <string>
9
10#include "base/basictypes.h"
11#include "base/memory/scoped_ptr.h"
12
13namespace crypto {
14class SymmetricKey;
15}
16
17namespace chromeos {
18
19// Interface class for classes that encrypt and decrypt tokens using the
20// system salt.
21class TokenEncryptor {
22 public:
23  virtual ~TokenEncryptor() {}
24
25  // Encrypts |token| with the system salt key (stable for the lifetime
26  // of the device).  Useful to avoid storing plain text in place like
27  // Local State.
28  virtual std::string EncryptWithSystemSalt(const std::string& token) = 0;
29
30  // Decrypts |token| with the system salt key (stable for the lifetime
31  // of the device).
32  virtual std::string DecryptWithSystemSalt(
33      const std::string& encrypted_token_hex) = 0;
34};
35
36// TokenEncryptor based on the cryptohome daemon. This implementation is used
37// in production.
38class CryptohomeTokenEncryptor : public TokenEncryptor {
39 public:
40  CryptohomeTokenEncryptor();
41  virtual ~CryptohomeTokenEncryptor();
42
43  // TokenEncryptor overrides:
44  virtual std::string EncryptWithSystemSalt(const std::string& token) OVERRIDE;
45  virtual std::string DecryptWithSystemSalt(
46      const std::string& encrypted_token_hex) OVERRIDE;
47
48 private:
49  // Loads the system salt key based on the system salt from the cryptohome
50  // daemon. Returns true on success.
51  bool LoadSystemSaltKey();
52
53  // Converts |passphrase| to a SymmetricKey using the given |salt|.
54  crypto::SymmetricKey* PassphraseToKey(const std::string& passphrase,
55                                        const std::string& salt);
56
57  // Encrypts (AES) the token given |key| and |salt|.
58  std::string EncryptTokenWithKey(crypto::SymmetricKey* key,
59                                  const std::string& salt,
60                                  const std::string& token);
61
62  // Decrypts (AES) hex encoded encrypted token given |key| and |salt|.
63  std::string DecryptTokenWithKey(crypto::SymmetricKey* key,
64                                  const std::string& salt,
65                                  const std::string& encrypted_token_hex);
66
67  // The cached system salt obtained from the cryptohome daemon.
68  std::string system_salt_;
69
70  // A key based on the system salt.  Useful for encrypting device-level
71  // data for which we have no additional credentials.
72  scoped_ptr<crypto::SymmetricKey> system_salt_key_;
73
74  DISALLOW_COPY_AND_ASSIGN(CryptohomeTokenEncryptor);
75};
76
77}  // namespace chromeos
78
79#endif  // CHROME_BROWSER_CHROMEOS_SETTINGS_TOKEN_ENCRYPTOR_H_
80