1 // 2 // Copyright (C) 2013 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef SHILL_EAP_CREDENTIALS_H_ 18 #define SHILL_EAP_CREDENTIALS_H_ 19 20 #include <map> 21 #include <string> 22 #include <vector> 23 24 #include <base/files/file_path.h> 25 26 #include "shill/technology.h" 27 28 namespace shill { 29 30 class CertificateFile; 31 class Error; 32 class KeyValueStore; 33 class Metrics; 34 class PropertyStore; 35 class StoreInterface; 36 37 class EapCredentials { 38 public: 39 // TODO(pstew): Storage constants shouldn't need to be public 40 // crbug.com/208736 41 static const char kStorageEapAnonymousIdentity[]; 42 static const char kStorageEapCACert[]; 43 static const char kStorageEapCACertID[]; 44 static const char kStorageEapCACertNSS[]; 45 static const char kStorageEapCACertPEM[]; 46 static const char kStorageEapCertID[]; 47 static const char kStorageEapClientCert[]; 48 static const char kStorageEapEap[]; 49 static const char kStorageEapIdentity[]; 50 static const char kStorageEapInnerEap[]; 51 static const char kStorageEapKeyID[]; 52 static const char kStorageEapKeyManagement[]; 53 static const char kStorageEapPIN[]; 54 static const char kStorageEapPassword[]; 55 static const char kStorageEapPrivateKey[]; 56 static const char kStorageEapPrivateKeyPassword[]; 57 static const char kStorageEapSubjectMatch[]; 58 static const char kStorageEapUseProactiveKeyCaching[]; 59 static const char kStorageEapUseSystemCAs[]; 60 61 EapCredentials(); 62 virtual ~EapCredentials(); 63 64 // Add property accessors to the EAP credential parameters in |this| to 65 // |store|. 66 void InitPropertyStore(PropertyStore* store); 67 68 // Returns true if |property| is used for authentication in EapCredentials. 69 static bool IsEapAuthenticationProperty(const std::string property); 70 71 // Returns true if a connection can be made with |this| credentials using 72 // either passphrase or certificates. 73 virtual bool IsConnectable() const; 74 75 // Returns true if a connection can be made with |this| credentials using 76 // only passphrase properties. 77 virtual bool IsConnectableUsingPassphrase() const; 78 79 // Loads EAP properties from |storage| in group |id|. 80 virtual void Load(StoreInterface* store, const std::string& id); 81 82 // Output metrics about this EAP connection to |metrics| with technology 83 // |technology|. 84 virtual void OutputConnectionMetrics(Metrics* metrics, 85 Technology::Identifier technology) const; 86 87 // Populate the wpa_supplicant DBus parameter map |params| with the 88 // credentials in |this|. To do so, this function may use |certificate_file| 89 // to export CA certificates to be passed to wpa_supplicant. 90 virtual void PopulateSupplicantProperties( 91 CertificateFile* certificate_file, 92 KeyValueStore* params) const; 93 94 // Populate the WiMax connection parameters |params| with the 95 // credentials in |this|. 96 virtual void PopulateWiMaxProperties( 97 KeyValueStore* params) const; 98 99 // Save EAP properties to |storage| in group |id|. If |save_credentials| 100 // is true, passwords and identities that are a part of the credentials are 101 // also saved. 102 virtual void Save(StoreInterface* store, const std::string& id, 103 bool save_credentials) const; 104 105 // Restore EAP properties to their initial state. 106 virtual void Reset(); 107 108 // Setter that guards against emptying the "Key Management" value. 109 virtual bool SetKeyManagement(const std::string& key_management, 110 Error* error); 111 112 // Getters and setters. identity()113 virtual const std::string& identity() const { return identity_; } set_identity(const std::string & identity)114 void set_identity(const std::string& identity) { 115 identity_ = identity; 116 } key_management()117 virtual const std::string& key_management() const { return key_management_; } set_password(const std::string & password)118 virtual void set_password(const std::string& password) { 119 password_ = password; 120 } pin()121 virtual const std::string& pin() const { return pin_; } 122 123 private: 124 friend class EapCredentialsTest; 125 126 // Returns true if the current EAP authentication type requires certificate 127 // authentication and any of the client credentials are provided via 128 // referencea cypto token. 129 bool ClientAuthenticationUsesCryptoToken() const; 130 131 // Expose a property in |store|, with the name |name|. 132 // 133 // Reads of the property will be handled by invoking |get|. 134 // Writes to the property will be handled by invoking |set|. 135 void HelpRegisterDerivedString( 136 PropertyStore* store, 137 const std::string& name, 138 std::string(EapCredentials::*get)(Error* error), 139 bool(EapCredentials::*set)(const std::string& value, Error* error)); 140 141 // Expose a property in |store|, with the name |name|. 142 // 143 // Reads of the property will be handled by invoking |get|. 144 // 145 // Clearing the property will be handled by invoking |clear|, or 146 // calling |set| with |default_value| (whichever is non-NULL). It 147 // is an error to call this method with both |clear| and 148 // |default_value| non-NULL. 149 void HelpRegisterWriteOnlyDerivedString( 150 PropertyStore* store, 151 const std::string& name, 152 bool(EapCredentials::*set)(const std::string& value, Error* error), 153 void(EapCredentials::*clear)(Error* error), 154 const std::string* default_value); 155 156 // Assigns |value| to |key| in |storage| if |value| is non-empty and |save| is 157 // true. Otherwise, removes |key| from |storage|. If |crypted| is true, the 158 // value is encrypted. 159 static void SaveString(StoreInterface* storage, 160 const std::string& id, 161 const std::string& key, 162 const std::string& value, 163 bool crypted, 164 bool save); 165 166 // Setters for write-only RPC properties. 167 bool SetEapPassword(const std::string& password, Error* error); 168 bool SetEapPrivateKeyPassword(const std::string& password, Error* error); 169 170 // RPC getter for key_management_. 171 std::string GetKeyManagement(Error* error); 172 173 // When there is an inner EAP type, use this identity for the outer. 174 std::string anonymous_identity_; 175 // Locator for the client certificate within the security token. 176 std::string cert_id_; 177 // Filename of the client certificate. 178 std::string client_cert_; 179 // Who we identify ourselves as to the EAP authenticator. 180 std::string identity_; 181 // Locator for the client private key within the security token. 182 std::string key_id_; 183 // Key management algorithm to use after EAP succeeds. 184 std::string key_management_; 185 // Password to use for EAP methods which require one. 186 std::string password_; 187 // PIN code for accessing the security token. 188 std::string pin_; 189 // Filename of the client private key. 190 std::string private_key_; 191 // Password for decrypting the client private key file. 192 std::string private_key_password_; 193 194 // Filename of the certificate authority (CA) certificate. 195 std::string ca_cert_; 196 // Locator for the CA certificate within the security token. 197 std::string ca_cert_id_; 198 // Locator for the CA certificate within the user NSS database. 199 std::string ca_cert_nss_; 200 // Raw PEM contents of the CA certificate. 201 std::vector<std::string> ca_cert_pem_; 202 // The outer or only EAP authetnication type. 203 std::string eap_; 204 // The inner EAP authentication type. 205 std::string inner_eap_; 206 // If non-empty, string to match remote subject against before connecting. 207 std::string subject_match_; 208 // If true, use the system-wide CA database to authenticate the remote. 209 bool use_system_cas_; 210 // If true, use per network proactive key caching. 211 bool use_proactive_key_caching_; 212 213 DISALLOW_COPY_AND_ASSIGN(EapCredentials); 214 }; 215 216 } // namespace shill 217 218 #endif // SHILL_EAP_CREDENTIALS_H_ 219