Add easyUnlockPrivate extension API

The api will be used by Easy Unlock component app. Currently it contains
methods needed for establishing secure communication channel on top of
(unprotected) bluetooth.

BUG=390230

Review URL: https://codereview.chromium.org/391513002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@284637 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/extensions/api/easy_unlock_private/OWNERS

+tbarzic@chromium.org
+tengs@chromium.org

chrome/browser/extensions/api/easy_unlock_private/easy_unlock_private_api.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/extensions/api/easy_unlock_private/easy_unlock_private_api.h"
+
+#include "chrome/common/extensions/api/easy_unlock_private.h"
+
+namespace extensions {
+namespace api {
+
+EasyUnlockPrivatePerformECDHKeyAgreementFunction::
+EasyUnlockPrivatePerformECDHKeyAgreementFunction() {}
+
+EasyUnlockPrivatePerformECDHKeyAgreementFunction::
+~EasyUnlockPrivatePerformECDHKeyAgreementFunction() {}
+
+bool EasyUnlockPrivatePerformECDHKeyAgreementFunction::RunAsync() {
+  return false;
+}
+
+void EasyUnlockPrivatePerformECDHKeyAgreementFunction::OnData(
+    const std::string& secret_key) {
+  if (!secret_key.empty()) {
+    results_ = easy_unlock_private::PerformECDHKeyAgreement::Results::Create(
+        secret_key);
+  }
+  SendResponse(true);
+}
+
+EasyUnlockPrivateGenerateEcP256KeyPairFunction::
+EasyUnlockPrivateGenerateEcP256KeyPairFunction() {}
+
+EasyUnlockPrivateGenerateEcP256KeyPairFunction::
+~EasyUnlockPrivateGenerateEcP256KeyPairFunction() {}
+
+bool EasyUnlockPrivateGenerateEcP256KeyPairFunction::RunAsync() {
+  return false;
+}
+
+void EasyUnlockPrivateGenerateEcP256KeyPairFunction::OnData(
+    const std::string& public_key,
+    const std::string& private_key) {
+  if (!public_key.empty() && !private_key.empty()) {
+    results_ = easy_unlock_private::GenerateEcP256KeyPair::Results::Create(
+        public_key, private_key);
+  }
+  SendResponse(true);
+}
+
+EasyUnlockPrivateCreateSecureMessageFunction::
+EasyUnlockPrivateCreateSecureMessageFunction() {}
+
+EasyUnlockPrivateCreateSecureMessageFunction::
+~EasyUnlockPrivateCreateSecureMessageFunction() {}
+
+bool EasyUnlockPrivateCreateSecureMessageFunction::RunAsync() {
+  return false;
+}
+
+void EasyUnlockPrivateCreateSecureMessageFunction::OnData(
+    const std::string& message) {
+  if (!message.empty()) {
+    results_ = easy_unlock_private::CreateSecureMessage::Results::Create(
+        message);
+  }
+  SendResponse(true);
+}
+
+EasyUnlockPrivateUnwrapSecureMessageFunction::
+EasyUnlockPrivateUnwrapSecureMessageFunction() {}
+
+EasyUnlockPrivateUnwrapSecureMessageFunction::
+~EasyUnlockPrivateUnwrapSecureMessageFunction() {}
+
+bool EasyUnlockPrivateUnwrapSecureMessageFunction::RunAsync() {
+  return false;
+}
+
+void EasyUnlockPrivateUnwrapSecureMessageFunction::OnData(
+    const std::string& data) {
+  if (!data.empty())
+    results_ = easy_unlock_private::UnwrapSecureMessage::Results::Create(data);
+  SendResponse(true);
+}
+
+}  // namespace api
+}  // namespace extensions

chrome/browser/extensions/api/easy_unlock_private/easy_unlock_private_api.h

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_EXTENSIONS_API_EASY_UNLOCK_PRIVATE_EASY_UNLOCK_PRIVATE_API_H_
+#define CHROME_BROWSER_EXTENSIONS_API_EASY_UNLOCK_PRIVATE_EASY_UNLOCK_PRIVATE_API_H_
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "extensions/browser/extension_function.h"
+
+// Implementations for chrome.easyUnlockPrivate API functions.
+
+namespace extensions {
+namespace api {
+
+class EasyUnlockPrivatePerformECDHKeyAgreementFunction
+    : public AsyncExtensionFunction {
+ public:
+  EasyUnlockPrivatePerformECDHKeyAgreementFunction();
+
+ protected:
+  virtual ~EasyUnlockPrivatePerformECDHKeyAgreementFunction();
+
+  virtual bool RunAsync() OVERRIDE;
+
+ private:
+  void OnData(const std::string& secret_key);
+
+  DECLARE_EXTENSION_FUNCTION("easyUnlockPrivate.performECDHKeyAgreement",
+                             EASYUNLOCKPRIVATE_PERFORMECDHKEYAGREEMENT)
+};
+
+class EasyUnlockPrivateGenerateEcP256KeyPairFunction
+    : public AsyncExtensionFunction {
+ public:
+  EasyUnlockPrivateGenerateEcP256KeyPairFunction();
+
+ protected:
+  virtual ~EasyUnlockPrivateGenerateEcP256KeyPairFunction();
+
+  virtual bool RunAsync() OVERRIDE;
+
+ private:
+  void OnData(const std::string& public_key,
+              const std::string& private_key);
+
+  DECLARE_EXTENSION_FUNCTION("easyUnlockPrivate.generateEcP256KeyPair",
+                             EASYUNLOCKPRIVATE_GENERATEECP256KEYPAIR)
+};
+
+class EasyUnlockPrivateCreateSecureMessageFunction
+    : public AsyncExtensionFunction {
+ public:
+  EasyUnlockPrivateCreateSecureMessageFunction();
+
+ protected:
+  virtual ~EasyUnlockPrivateCreateSecureMessageFunction();
+
+  virtual bool RunAsync() OVERRIDE;
+
+ private:
+  void OnData(const std::string& message);
+
+  DECLARE_EXTENSION_FUNCTION("easyUnlockPrivate.createSecureMessage",
+                             EASYUNLOCKPRIVATE_CREATESECUREMESSAGE)
+};
+
+class EasyUnlockPrivateUnwrapSecureMessageFunction
+    : public AsyncExtensionFunction {
+ public:
+  EasyUnlockPrivateUnwrapSecureMessageFunction();
+
+ protected:
+  virtual ~EasyUnlockPrivateUnwrapSecureMessageFunction();
+
+  virtual bool RunAsync() OVERRIDE;
+
+ private:
+  void OnData(const std::string& data);
+
+  DECLARE_EXTENSION_FUNCTION("easyUnlockPrivate.unwrapSecureMessage",
+                             EASYUNLOCKPRIVATE_UNWRAPSECUREMESSAGE)
+};
+
+}  // namespace api
+}  // namespace extensions
+
+#endif  // CHROME_BROWSER_EXTENSIONS_API_EASY_UNLOCK_PRIVATE_EASY_UNLOCK_PRIVATE_API_H_

chrome/browser/resources/easy_unlock/manifest.json

@@ -17,7 +17,8 @@
     "metricsPrivate",
     "storage",
     "identity",
-    "notifications"
+    "notifications",
+    "easyUnlockPrivate"
   ],
 
   "app": {

chrome/chrome_browser_extensions.gypi

@@ -543,6 +543,8 @@
       'browser/extensions/api/downloads/downloads_api.h',
       'browser/extensions/api/downloads_internal/downloads_internal_api.cc',
       'browser/extensions/api/downloads_internal/downloads_internal_api.h',
+      'browser/extensions/api/easy_unlock_private/easy_unlock_private_api.h',
+      'browser/extensions/api/easy_unlock_private/easy_unlock_private_api.cc',
       'browser/extensions/api/execute_code_function.cc',
       'browser/extensions/api/execute_code_function.h',
       'browser/extensions/api/extension_action/extension_action_api.cc',

chrome/common/extensions/api/_api_features.json

@@ -281,6 +281,10 @@
     "channel": "stable",
     "contexts": ["blessed_extension"]
   },
+  "easyUnlockPrivate": {
+    "dependencies": ["permission:easyUnlockPrivate"],
+    "contexts": ["blessed_extension"]
+  },
   "echoPrivate": {
     "dependencies": ["permission:echoPrivate"],
     "contexts": ["blessed_extension"]

chrome/common/extensions/api/_permission_features.json

@@ -396,6 +396,11 @@
       "16CA7A47AAE4BE49B1E75A6B960C3875E945B264"   // Google Cast Stable
     ]
   },
+  "easyUnlockPrivate": {
+    "channel": "stable",
+    "extension_types": ["platform_app"],
+    "location": "component"
+  },
   "enterprise.platformKeys": {
     "channel": "stable",
     "platforms": ["chromeos"],

chrome/common/extensions/api/api.gyp

@@ -50,6 +50,7 @@
       'dial.idl',
       'downloads.idl',
       'downloads_internal.idl',
+      'easy_unlock_private.idl',
       'echo_private.json',
       'enterprise_platform_keys_private.json',
       'events.json',

chrome/common/extensions/api/easy_unlock_private.idl

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// <code>chrome.easyUnlockPrivate</code> API that provides hooks to Chrome to
+// be used by Easy Unlock component app.
+[nodoc] namespace easyUnlockPrivate {
+  // Signature algorithms supported by the crypto library methods used by
+  // Easy Unlock.
+  enum SignatureType {
+    HMAC_SHA256,
+    ECDSA_P256_SHA256
+  };
+
+  // Encryption algorithms supported by the crypto library methods used by
+  // Easy Unlock.
+  enum EncryptionType {
+    AES_256_CBC
+  };
+
+  // Options that can be passed to |unwrapSecureMessage| method.
+  dictionary UnwrapSecureMessageOptions {
+    // The data associated with the message. For the message to be succesfully
+    // verified, the message should have been created with the same associated
+    // data.
+    ArrayBuffer? associatedData;
+
+    // The encryption algorithm that should be used to decrypt the message.
+    // Should not be set for a cleartext message.
+    EncryptionType? encryptType;
+
+    // The algorithm to be used to verify signature contained in the message.
+    // Defaults to |HMAC_SHA256|. |ECDSA_P256_SHA256| can currently be used
+    // only with cleartext messages.
+    SignatureType? signType;
+  };
+
+  dictionary CreateSecureMessageOptions {
+    // Data associated with the message. The data will not be sent with the
+    // message, but the message recepient will use the same data on its side
+    // to verify the message.
+    ArrayBuffer? associatedData;
+
+    // Metadata to be added to the message header.
+    ArrayBuffer? publicMetadata;
+
+    // Verification key id added to the message header. Should be set if the
+    // message is signed using |ECDSA_P256_SHA256|. It's used by the message
+    // recepient to determine which key should be used to verify the message
+    // signature.
+    ArrayBuffer? verificationKeyId;
+
+    // The encryption algorithm that should be used to encrypt the message.
+    // Should not be set for a cleartext message.
+    EncryptionType? encryptType;
+
+    // The algorithm to be used to sign the message.
+    // Defaults to |HMAC_SHA256|. |ECDSA_P256_SHA256| can currently be used
+    // only with cleartext messages.
+    SignatureType? signType;
+  };
+
+  // Callback for crypto methods that return a single array buffer.
+  callback DataCallback = void(optional ArrayBuffer data);
+
+  // Callback for method that generates an encryption key pair.
+  callback KeyPairCallback = void(optional ArrayBuffer public_key,
+                                  optional ArrayBuffer private_key);
+
+  interface Functions {
+    // Generates a ECDSA key pair for P256 curve.
+    // Public key will be in format recognized by secure wire transport protocol
+    // used by Easy Unlock app. Otherwise, the exact format for both key should
+    // should be considered obfuscated to the app. The app should not use them
+    // directly, but through this API.
+    // |callback|: Callback with the generated keys. On failure, none of the
+    //     keys will be set.
+    static void generateEcP256KeyPair(KeyPairCallback callback);
+
+    // Given a private key and a public ECDSA key from different asymetric key
+    // pairs, it generates a symetric encryption key using EC Diffie-Hellman
+    // scheme.
+    // |privateKey|: A private key generated by the app using
+    //     |generateEcP256KeyPair|.
+    // |publicKey|: A public key that should be in the same format as the
+    //     public key generated by |generateEcP256KeyPair|. Generally not the
+    //     one paired with |private_key|.
+    // |callback|: Function returning the generated secret symetric key.
+    //     On failure, the returned value will not be set.
+    static void performECDHKeyAgreement(ArrayBuffer privateKey,
+                                        ArrayBuffer publicKey,
+                                        DataCallback callback);
+
+    // Creates a secure, signed message in format used by Easy Unlock app to
+    // establish secure communication channel over unsecure connection.
+    // |payload|: The payload the create message should carry.
+    // |key|: The key used to sign the message content. If encryption algorithm
+    //     is set in |options| the same key will be used to encrypt the message.
+    // |options|: Additional (optional) parameters used to create the message.
+    // |callback|: Function returning the created message bytes. On failure,
+    //     the returned value will not be set.
+    static void createSecureMessage(
+        ArrayBuffer payload,
+        ArrayBuffer key,
+        CreateSecureMessageOptions options,
+        DataCallback callback);
+
+    // Authenticates and, if needed, decrypts a secure message. The message is
+    // in the same format as the one created by |createSecureMessage|.
+    // |secureMessage|: The message to be unwrapped.
+    // |key|: Key to be used to authenticate the message sender. If encryption
+    //     algorithm is set in |options|, the same key will be used to decrypt
+    //     the message.
+    // |options|: Additional (optional) parameters used to unwrap the message.
+    // |callback|: Function returning an array buffer containing cleartext
+    //     message header and body. They are returned in a single buffer in
+    //     format used inside the message. If the massage authentication or
+    //     decryption fails, the returned value will not be set.
+    static void unwrapSecureMessage(
+        ArrayBuffer secureMessage,
+        ArrayBuffer key,
+        UnwrapSecureMessageOptions options,
+        DataCallback callback);
+  };
+};

chrome/common/extensions/permissions/chrome_api_permissions.cc

@@ -56,6 +56,7 @@ std::vector<APIPermissionInfo*> ChromeAPIPermissions::GetAllPermissions()
        IDS_EXTENSION_PROMPT_WARNING_DOWNLOADS_OPEN,
        PermissionMessage::kDownloadsOpen},
       {APIPermission::kDownloadsShelf, "downloads.shelf"},
+      {APIPermission::kEasyUnlockPrivate, "easyUnlockPrivate"},
       {APIPermission::kIdentity, "identity"},
       {APIPermission::kIdentityEmail, "identity.email",
        APIPermissionInfo::kFlagNone,

chrome/common/extensions/permissions/permission_set_unittest.cc

@@ -721,6 +721,7 @@ TEST(PermissionsTest, PermissionMessages) {
   skip.insert(APIPermission::kDeveloperPrivate);
   skip.insert(APIPermission::kDial);
   skip.insert(APIPermission::kDownloadsInternal);
+  skip.insert(APIPermission::kEasyUnlockPrivate);
   skip.insert(APIPermission::kEchoPrivate);
   skip.insert(APIPermission::kEnterprisePlatformKeysPrivate);
   skip.insert(APIPermission::kFeedbackPrivate);

extensions/browser/extension_function_histogram_value.h

@@ -900,6 +900,10 @@ enum HistogramValue {
   APPVIEWINTERNAL_ATTACHFRAME,
   APPVIEWINTERNAL_DENYREQUEST,
   FILEBROWSERPRIVATE_GETDOWNLOADURL,
+  EASYUNLOCKPRIVATE_PERFORMECDHKEYAGREEMENT,
+  EASYUNLOCKPRIVATE_GENERATEECP256KEYPAIR,
+  EASYUNLOCKPRIVATE_CREATESECUREMESSAGE,
+  EASYUNLOCKPRIVATE_UNWRAPSECUREMESSAGE,
   // Last entry: Add new entries above and ensure to update
   // tools/metrics/histograms/histograms/histograms.xml.
   ENUM_BOUNDARY

extensions/common/permissions/api_permission.h

@@ -77,6 +77,7 @@ class APIPermission {
     kDownloadsInternal,
     kDownloadsOpen,
     kDownloadsShelf,
+    kEasyUnlockPrivate,
     kEchoPrivate,
     kEnterprisePlatformKeys,
     kEnterprisePlatformKeysPrivate,

tools/metrics/histograms/histograms.xml

@@ -38799,6 +38799,11 @@ Therefore, the affected-histogram name has to have at least one dot in it.
   <int value="838" label="GCDPRIVATE_GETCOMMANDSLIST"/>
   <int value="839" label="APPVIEWINTERNAL_ATTACHFRAME"/>
   <int value="840" label="APPVIEWINTERNAL_DENYREQUEST"/>
+  <int value="841" label="FILEBROWSERPRIVATE_GETDOWNLOADURL"/>
+  <int value="842" label="EASYUNLOCKPRIVATE_PERFORMECDHKEYAGREEMENT"/>
+  <int value="843" label="EASYUNLOCKPRIVATE_GENERATEECP256KEYPAIR"/>
+  <int value="844" label="EASYUNLOCKPRIVATE_CREATESECUREMESSAGE"/>
+  <int value="845" label="EASYUNLOCKPRIVATE_UNWRAPSECUREMESSAGE"/>
 </enum>
 
 <enum name="ExtensionInstallCause" type="int">