Paul Stewart | 0654ece | 2013-03-26 15:21:26 -0700 | [diff] [blame] | 1 | // Copyright (c) 2013 The Chromium OS Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #ifndef SHILL_EAP_CREDENTIALS_H_ |
| 6 | #define SHILL_EAP_CREDENTIALS_H_ |
| 7 | |
Paul Stewart | c43cbbe | 2013-04-11 06:29:30 -0700 | [diff] [blame] | 8 | #include <map> |
Paul Stewart | 0654ece | 2013-03-26 15:21:26 -0700 | [diff] [blame] | 9 | #include <string> |
| 10 | #include <vector> |
| 11 | |
Ben Chan | a0ddf46 | 2014-02-06 11:32:42 -0800 | [diff] [blame] | 12 | #include <base/files/file_path.h> |
Paul Stewart | c43cbbe | 2013-04-11 06:29:30 -0700 | [diff] [blame] | 13 | #include <dbus-c++/dbus.h> |
| 14 | |
| 15 | #include "shill/technology.h" |
| 16 | |
Paul Stewart | 0654ece | 2013-03-26 15:21:26 -0700 | [diff] [blame] | 17 | namespace shill { |
| 18 | |
Paul Stewart | c43cbbe | 2013-04-11 06:29:30 -0700 | [diff] [blame] | 19 | class CertificateFile; |
| 20 | class Error; |
| 21 | class KeyValueStore; |
| 22 | class Metrics; |
Paul Stewart | c43cbbe | 2013-04-11 06:29:30 -0700 | [diff] [blame] | 23 | class PropertyStore; |
| 24 | class StoreInterface; |
| 25 | |
// Holds the EAP (802.1X) credential set for a service: identities, the
// outer/inner EAP methods, client certificate/key locators, CA trust
// configuration and the secrets (password, PIN, private-key password) that
// go with them. Instances are persisted through StoreInterface, exposed over
// RPC through PropertyStore, and handed to wpa_supplicant (or WiMAX) when a
// connection is attempted.
//
// Several members are secrets. The RPC surface only registers write-only
// setters for the passwords (see SetEapPassword / SetEapPrivateKeyPassword
// below), so callers holding an EapCredentials should take care not to log
// or otherwise echo the parameter maps this class fills in.
class EapCredentials {
 public:
  // Keys under which each property is persisted by Load()/Save().
  // TODO(pstew): Storage constants shouldn't need to be public
  // crbug.com/208736
  static const char kStorageEapAnonymousIdentity[];
  static const char kStorageEapCACert[];
  static const char kStorageEapCACertID[];
  static const char kStorageEapCACertNSS[];
  static const char kStorageEapCACertPEM[];
  static const char kStorageEapCertID[];
  static const char kStorageEapClientCert[];
  static const char kStorageEapEap[];
  static const char kStorageEapIdentity[];
  static const char kStorageEapInnerEap[];
  static const char kStorageEapKeyID[];
  static const char kStorageEapKeyManagement[];
  static const char kStorageEapPIN[];
  static const char kStorageEapPassword[];
  static const char kStorageEapPrivateKey[];
  static const char kStorageEapPrivateKeyPassword[];
  static const char kStorageEapSubjectMatch[];
  static const char kStorageEapUseProactiveKeyCaching[];
  static const char kStorageEapUseSystemCAs[];

  EapCredentials();
  virtual ~EapCredentials();

  // Registers RPC property accessors for the EAP credential parameters held
  // in |this| on |store|. Secret-bearing properties are registered through
  // HelpRegisterWriteOnlyDerivedString so they cannot be read back.
  void InitPropertyStore(PropertyStore* store);

  // Returns true if |property| is one of the properties used for
  // authentication in EapCredentials.
  // NOTE(review): |property| is taken by value (top-level const is ignored
  // on a by-value parameter); a const reference would avoid the copy.
  static bool IsEapAuthenticationProperty(const std::string property);

  // Returns true if a connection can be made with |this| credentials using
  // either a passphrase or certificates.
  virtual bool IsConnectable() const;

  // Returns true if a connection can be made with |this| credentials using
  // only the passphrase-based properties (no client certificate/key).
  virtual bool IsConnectableUsingPassphrase() const;

  // Loads EAP properties from |store| in group |id|.
  virtual void Load(StoreInterface* store, const std::string& id);

  // Reports metrics about this EAP configuration to |metrics| for the
  // technology |technology|.
  virtual void OutputConnectionMetrics(Metrics* metrics,
                                       Technology::Identifier technology) const;

  // Populates the wpa_supplicant D-Bus parameter map |params| with the
  // credentials in |this|. To do so, this function may use |certificate_file|
  // to export CA certificates to be passed to wpa_supplicant.
  // The resulting map may carry secrets (password, PIN, private-key
  // password); do not log it.
  virtual void PopulateSupplicantProperties(
      CertificateFile* certificate_file,
      std::map<std::string, DBus::Variant>* params) const;

  // Populates the WiMAX connection parameters |params| with the
  // credentials in |this|. As above, |params| may contain secrets.
  virtual void PopulateWiMaxProperties(
      KeyValueStore* params) const;

  // Saves EAP properties to |store| in group |id|. If |save_credentials|
  // is true, passwords and identities that are part of the credentials are
  // also saved; otherwise they are omitted from the store.
  virtual void Save(StoreInterface* store, const std::string& id,
                    bool save_credentials) const;

  // Restores all EAP properties to their initial (empty/default) state.
  virtual void Reset();

  // Setter that guards against emptying the "Key Management" value.
  // Returns false and fills |error| when the new value is rejected.
  virtual bool SetKeyManagement(const std::string& key_management,
                                Error* error);

  // Getters and setters. Note that there is no getter for the password or
  // the private-key password: those are write-only (see below).
  virtual const std::string& identity() const { return identity_; }
  void set_identity(const std::string& identity) {
    identity_ = identity;
  }
  virtual const std::string& key_management() const { return key_management_; }
  virtual void set_password(const std::string& password) {
    password_ = password;
  }
  virtual const std::string& pin() const { return pin_; }

 private:
  friend class EapCredentialsTest;

  // Returns true if the current EAP authentication type requires certificate
  // authentication and any of the client credentials are provided via a
  // reference into a crypto token (cert_id_ / key_id_) rather than a file.
  bool ClientAuthenticationUsesCryptoToken() const;

  // Exposes a readable and writable property named |name| in |store|.
  //
  // Reads of the property will be handled by invoking |get|.
  // Writes to the property will be handled by invoking |set|.
  void HelpRegisterDerivedString(
      PropertyStore* store,
      const std::string& name,
      std::string(EapCredentials::*get)(Error* error),
      bool(EapCredentials::*set)(const std::string& value, Error* error));

  // Exposes a write-only property named |name| in |store|. No getter is
  // registered, so the value cannot be read back over RPC; this is how the
  // secret-bearing properties are exposed.
  //
  // Writes to the property will be handled by invoking |set|.
  //
  // Clearing the property will be handled by invoking |clear|, or
  // calling |set| with |default_value| (whichever is non-NULL). It
  // is an error to call this method with both |clear| and
  // |default_value| non-NULL.
  void HelpRegisterWriteOnlyDerivedString(
      PropertyStore* store,
      const std::string& name,
      bool(EapCredentials::*set)(const std::string& value, Error* error),
      void(EapCredentials::*clear)(Error* error),
      const std::string* default_value);

  // Assigns |value| to |key| in group |id| of |storage| if |value| is
  // non-empty and |save| is true. Otherwise, removes |key| from |storage|.
  // If |crypted| is true, the value is stored in encrypted form.
  // NOTE(review): the strength of that encryption is decided by the
  // StoreInterface implementation, not here — confirm it before treating
  // it as protection for secrets at rest.
  static void SaveString(StoreInterface* storage,
                         const std::string& id,
                         const std::string& key,
                         const std::string& value,
                         bool crypted,
                         bool save);

  // Setters for write-only RPC properties (the secrets).
  bool SetEapPassword(const std::string& password, Error* error);
  bool SetEapPrivateKeyPassword(const std::string& password, Error* error);

  // RPC getter for key_management_.
  std::string GetKeyManagement(Error* error);

  // When there is an inner EAP type, use this identity for the outer
  // (unprotected) exchange so the real identity_ is only sent inside the
  // tunnel.
  std::string anonymous_identity_;
  // Locator for the client certificate within the security token.
  std::string cert_id_;
  // Filename of the client certificate.
  std::string client_cert_;
  // Who we identify ourselves as to the EAP authenticator.
  std::string identity_;
  // Locator for the client private key within the security token.
  std::string key_id_;
  // Key management algorithm to use after EAP succeeds.
  std::string key_management_;
  // Password to use for EAP methods which require one. Secret.
  std::string password_;
  // PIN code for accessing the security token. Secret.
  std::string pin_;
  // Filename of the client private key.
  std::string private_key_;
  // Password for decrypting the client private key file. Secret.
  std::string private_key_password_;

  // Filename of the certificate authority (CA) certificate.
  std::string ca_cert_;
  // Locator for the CA certificate within the security token.
  std::string ca_cert_id_;
  // Locator for the CA certificate within the user NSS database.
  std::string ca_cert_nss_;
  // Raw PEM contents of one or more CA certificates.
  std::vector<std::string> ca_cert_pem_;
  // The outer or only EAP authentication type.
  std::string eap_;
  // The inner EAP authentication type.
  std::string inner_eap_;
  // If non-empty, string to match the remote (server) certificate subject
  // against before connecting. When empty no subject constraint is applied,
  // so presumably any server certificate chaining to the configured CA(s)
  // is accepted — verify against PopulateSupplicantProperties.
  std::string subject_match_;
  // If true, use the system-wide CA database to authenticate the remote.
  bool use_system_cas_;
  // If true, use per-network proactive key caching.
  bool use_proactive_key_caching_;

  // Credential objects are not copyable.
  DISALLOW_COPY_AND_ASSIGN(EapCredentials);
};
| 204 | |
| 205 | } // namespace shill |
| 206 | |
| 207 | #endif // SHILL_EAP_CREDENTIALS_H_ |