cryptographer.h revision 731df977c0511bca2206b5f333555b1205ff1f43 
1// Copyright (c) 2010 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROME_BROWSER_SYNC_UTIL_CRYPTOGRAPHER_H_
6#define CHROME_BROWSER_SYNC_UTIL_CRYPTOGRAPHER_H_
7#pragma once
8
9#include <map>
10#include <string>
11
12#include "base/gtest_prod_util.h"
13#include "base/linked_ptr.h"
14#include "base/scoped_ptr.h"
15#include "chrome/browser/sync/protocol/nigori_specifics.pb.h"
16#include "chrome/browser/sync/util/nigori.h"
17
18namespace browser_sync {
19
20extern const char kNigoriTag[];
21
22// The parameters used to initialize a Nigori instance.
23struct KeyParams {
24  std::string hostname;
25  std::string username;
26  std::string password;
27};
28
29// This class manages the Nigori objects used to encrypt and decrypt sensitive
30// sync data (eg. passwords). Each Nigori object knows how to handle data
31// protected with a particular passphrase.
32//
33// Whenever an update to the Nigori sync node is received from the server,
34// SetPendingKeys should be called with the encrypted contents of that node.
35// Most likely, an updated Nigori node means that a new passphrase has been set
36// and that future node updates won't be decryptable. To remedy this, the user
37// should be prompted for the new passphrase and DecryptPendingKeys be called.
38//
39// Whenever a update to an encrypted node is received from the server,
40// CanDecrypt should be used to verify whether the Cryptographer can decrypt
41// that node. If it cannot, then the application of that update should be
42// delayed until after it can be decrypted.
43class Cryptographer {
44 public:
45  Cryptographer();
46  ~Cryptographer();
47
48  // |restored_bootstrap_token| can be provided via this method to bootstrap
49  // Cryptographer instance into the ready state (is_ready will be true).
50  // It must be a string that was previously built by the
51  // GetSerializedBootstrapToken function.  It is possible that the token is no
52  // longer valid (due to server key change), in which case the normal
53  // decryption code paths will fail and the user will need to provide a new
54  // passphrase.
55  // It is an error to call this if is_ready() == true, though it is fair to
56  // never call Bootstrap at all.
57  void Bootstrap(const std::string& restored_bootstrap_token);
58
59  // Returns whether we can decrypt |encrypted| using the keys we currently know
60  // about.
61  bool CanDecrypt(const sync_pb::EncryptedData& encrypted) const;
62
63  // Encrypts |message| into |encrypted|. Returns true unless encryption fails.
64  // Note that encryption will fail if |message| isn't valid (eg. a required
65  // field isn't set).
66  bool Encrypt(const ::google::protobuf::MessageLite& message,
67               sync_pb::EncryptedData* encrypted) const;
68
69  // Decrypts |encrypted| into |message|. Returns true unless decryption fails,
70  // or |message| fails to parse the decrypted data.
71  bool Decrypt(const sync_pb::EncryptedData& encrypted,
72               ::google::protobuf::MessageLite* message) const;
73
74  // Encrypts the set of currently known keys into |encrypted|. Returns true if
75  // successful.
76  bool GetKeys(sync_pb::EncryptedData* encrypted) const;
77
78  // Creates a new Nigori instance using |params|. If successful, |params| will
79  // become the default encryption key and be used for all future calls to
80  // Encrypt.
81  bool AddKey(const KeyParams& params);
82
83  // Decrypts |encrypted| and uses its contents to initialize Nigori instances.
84  // Returns true unless decryption of |encrypted| fails. The caller is
85  // responsible for checking that CanDecrypt(encrypted) == true.
86  bool SetKeys(const sync_pb::EncryptedData& encrypted);
87
88  // Makes a local copy of |encrypted| to later be decrypted by
89  // DecryptPendingKeys. This should only be used if CanDecrypt(encrypted) ==
90  // false.
91  void SetPendingKeys(const sync_pb::EncryptedData& encrypted);
92
93  // Attepmts to decrypt the set of keys that was copied in the previous call to
94  // SetPendingKeys using |params|. Returns true if the pending keys were
95  // successfully decrypted and installed.
96  bool DecryptPendingKeys(const KeyParams& params);
97
98  // Returns whether this Cryptographer is ready to encrypt and decrypt data.
99  bool is_ready() const { return !nigoris_.empty() && default_nigori_; }
100
101  // Returns whether there is a pending set of keys that needs to be decrypted.
102  bool has_pending_keys() const { return NULL != pending_keys_.get(); }
103
104  // Obtain a token that can be provided on construction to a future
105  // Cryptographer instance to bootstrap itself.  Returns false if such a token
106  // can't be created (i.e. if this Cryptograhper doesn't have valid keys).
107  bool GetBootstrapToken(std::string* token) const;
108
109 private:
110  FRIEND_TEST_ALL_PREFIXES(CryptographerTest, PackUnpack);
111  typedef std::map<std::string, linked_ptr<const Nigori> > NigoriMap;
112
113  // Helper method to instantiate Nigori instances for each set of key
114  // parameters in |bag| and setting the default encryption key to
115  // |default_key_name|.
116  void InstallKeys(const std::string& default_key_name,
117                   const sync_pb::NigoriKeyBag& bag);
118
119  bool AddKeyImpl(Nigori* nigori);
120
121  // Functions to serialize + encrypt a Nigori object in an opaque format for
122  // persistence by sync infrastructure.
123  bool PackBootstrapToken(const Nigori* nigori, std::string* pack_into) const;
124  Nigori* UnpackBootstrapToken(const std::string& token) const;
125
126  NigoriMap nigoris_;  // The Nigoris we know about, mapped by key name.
127  NigoriMap::value_type* default_nigori_;  // The Nigori used for encryption.
128
129  scoped_ptr<sync_pb::EncryptedData> pending_keys_;
130
131  DISALLOW_COPY_AND_ASSIGN(Cryptographer);
132};
133
134}  // namespace browser_sync
135
136#endif  // CHROME_BROWSER_SYNC_UTIL_CRYPTOGRAPHER_H_
137