1//
2// Copyright (C) 2013 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8//      http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
16
17#ifndef SHILL_EAP_CREDENTIALS_H_
18#define SHILL_EAP_CREDENTIALS_H_
19
20#include <map>
21#include <string>
22#include <vector>
23
24#include <base/files/file_path.h>
25
26#include "shill/technology.h"
27
28namespace shill {
29
30class CertificateFile;
31class Error;
32class KeyValueStore;
33class Metrics;
34class PropertyStore;
35class StoreInterface;
36
37class EapCredentials {
38 public:
39  // TODO(pstew): Storage constants shouldn't need to be public
40  // crbug.com/208736
41  static const char kStorageEapAnonymousIdentity[];
42  static const char kStorageEapCACert[];
43  static const char kStorageEapCACertID[];
44  static const char kStorageEapCACertNSS[];
45  static const char kStorageEapCACertPEM[];
46  static const char kStorageEapCertID[];
47  static const char kStorageEapClientCert[];
48  static const char kStorageEapEap[];
49  static const char kStorageEapIdentity[];
50  static const char kStorageEapInnerEap[];
51  static const char kStorageEapKeyID[];
52  static const char kStorageEapKeyManagement[];
53  static const char kStorageEapPIN[];
54  static const char kStorageEapPassword[];
55  static const char kStorageEapPrivateKey[];
56  static const char kStorageEapPrivateKeyPassword[];
57  static const char kStorageEapSubjectMatch[];
58  static const char kStorageEapUseProactiveKeyCaching[];
59  static const char kStorageEapUseSystemCAs[];
60
61  EapCredentials();
62  virtual ~EapCredentials();
63
64  // Add property accessors to the EAP credential parameters in |this| to
65  // |store|.
66  void InitPropertyStore(PropertyStore* store);
67
68  // Returns true if |property| is used for authentication in EapCredentials.
69  static bool IsEapAuthenticationProperty(const std::string property);
70
71  // Returns true if a connection can be made with |this| credentials using
72  // either passphrase or certificates.
73  virtual bool IsConnectable() const;
74
75  // Returns true if a connection can be made with |this| credentials using
76  // only passphrase properties.
77  virtual bool IsConnectableUsingPassphrase() const;
78
79  // Loads EAP properties from |storage| in group |id|.
80  virtual void Load(StoreInterface* store, const std::string& id);
81
82  // Output metrics about this EAP connection to |metrics| with technology
83  // |technology|.
84  virtual void OutputConnectionMetrics(Metrics* metrics,
85                                       Technology::Identifier technology) const;
86
87  // Populate the wpa_supplicant DBus parameter map |params| with the
88  // credentials in |this|.  To do so, this function may use |certificate_file|
89  // to export CA certificates to be passed to wpa_supplicant.
90  virtual void PopulateSupplicantProperties(
91      CertificateFile* certificate_file,
92      KeyValueStore* params) const;
93
94  // Populate the WiMax connection parameters |params| with the
95  // credentials in |this|.
96  virtual void PopulateWiMaxProperties(
97      KeyValueStore* params) const;
98
99  // Save EAP properties to |storage| in group |id|.  If |save_credentials|
100  // is true, passwords and identities that are a part of the credentials are
101  // also saved.
102  virtual void Save(StoreInterface* store, const std::string& id,
103                    bool save_credentials) const;
104
105  // Restore EAP properties to their initial state.
106  virtual void Reset();
107
108  // Setter that guards against emptying the "Key Management" value.
109  virtual bool SetKeyManagement(const std::string& key_management,
110                                Error* error);
111
112  // Getters and setters.
113  virtual const std::string& identity() const { return identity_; }
114  void set_identity(const std::string& identity) {
115    identity_ = identity;
116  }
117  virtual const std::string& key_management() const { return key_management_; }
118  virtual void set_password(const std::string& password) {
119    password_ = password;
120  }
121  virtual const std::string& pin() const { return pin_; }
122
123 private:
124  friend class EapCredentialsTest;
125
126  // Returns true if the current EAP authentication type requires certificate
127  // authentication and any of the client credentials are provided via
128  // referencea cypto token.
129  bool ClientAuthenticationUsesCryptoToken() const;
130
131  // Expose a property in |store|, with the name |name|.
132  //
133  // Reads of the property will be handled by invoking |get|.
134  // Writes to the property will be handled by invoking |set|.
135  void HelpRegisterDerivedString(
136      PropertyStore* store,
137      const std::string& name,
138      std::string(EapCredentials::*get)(Error* error),
139      bool(EapCredentials::*set)(const std::string& value, Error* error));
140
141  // Expose a property in |store|, with the name |name|.
142  //
143  // Reads of the property will be handled by invoking |get|.
144  //
145  // Clearing the property will be handled by invoking |clear|, or
146  // calling |set| with |default_value| (whichever is non-NULL).  It
147  // is an error to call this method with both |clear| and
148  // |default_value| non-NULL.
149  void HelpRegisterWriteOnlyDerivedString(
150      PropertyStore* store,
151      const std::string& name,
152      bool(EapCredentials::*set)(const std::string& value, Error* error),
153      void(EapCredentials::*clear)(Error* error),
154      const std::string* default_value);
155
156  // Assigns |value| to |key| in |storage| if |value| is non-empty and |save| is
157  // true. Otherwise, removes |key| from |storage|. If |crypted| is true, the
158  // value is encrypted.
159  static void SaveString(StoreInterface* storage,
160                         const std::string& id,
161                         const std::string& key,
162                         const std::string& value,
163                         bool crypted,
164                         bool save);
165
166  // Setters for write-only RPC properties.
167  bool SetEapPassword(const std::string& password, Error* error);
168  bool SetEapPrivateKeyPassword(const std::string& password, Error* error);
169
170  // RPC getter for key_management_.
171  std::string GetKeyManagement(Error* error);
172
173  // When there is an inner EAP type, use this identity for the outer.
174  std::string anonymous_identity_;
175  // Locator for the client certificate within the security token.
176  std::string cert_id_;
177  // Filename of the client certificate.
178  std::string client_cert_;
179  // Who we identify ourselves as to the EAP authenticator.
180  std::string identity_;
181  // Locator for the client private key within the security token.
182  std::string key_id_;
183  // Key management algorithm to use after EAP succeeds.
184  std::string key_management_;
185  // Password to use for EAP methods which require one.
186  std::string password_;
187  // PIN code for accessing the security token.
188  std::string pin_;
189  // Filename of the client private key.
190  std::string private_key_;
191  // Password for decrypting the client private key file.
192  std::string private_key_password_;
193
194  // Filename of the certificate authority (CA) certificate.
195  std::string ca_cert_;
196  // Locator for the CA certificate within the security token.
197  std::string ca_cert_id_;
198  // Locator for the CA certificate within the user NSS database.
199  std::string ca_cert_nss_;
200  // Raw PEM contents of the CA certificate.
201  std::vector<std::string> ca_cert_pem_;
202  // The outer or only EAP authetnication type.
203  std::string eap_;
204  // The inner EAP authentication type.
205  std::string inner_eap_;
206  // If non-empty, string to match remote subject against before connecting.
207  std::string subject_match_;
208  // If true, use the system-wide CA database to authenticate the remote.
209  bool use_system_cas_;
210  // If true, use per network proactive key caching.
211  bool use_proactive_key_caching_;
212
213  DISALLOW_COPY_AND_ASSIGN(EapCredentials);
214};
215
216}  // namespace shill
217
218#endif  // SHILL_EAP_CREDENTIALS_H_
219