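// Copyright 2024 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CRYPTO_UNEXPORTABLE_KEY_MAC_H_
#define CRYPTO_UNEXPORTABLE_KEY_MAC_H_

// uint8_t and std::optional are used directly in the declarations below, so
// they are included here rather than relied on transitively.
#include <stdint.h>

#include <memory>
#include <optional>

#if defined(__OBJC__)
#import <LocalAuthentication/LocalAuthentication.h>
#endif  // defined(__OBJC__)

#include "crypto/unexportable_key.h"

namespace crypto {

// UnexportableKeyProviderMac is an implementation of the
// UnexportableKeyProvider interface on top of Apple's Secure Enclave. Callers
// must provide a keychain access group when instantiating this class. This
// means that the build must be codesigned for any of this to work.
// https://developer.apple.com/documentation/bundleresources/entitlements/keychain-access-groups?language=objc
//
// Only NIST P-256 elliptic curves are supported.
//
// Unlike Windows keys, macOS will store key metadata locally. Callers are
// responsible for deleting keys when they are no longer needed (see
// DeleteSigningKey() below); a key that is never deleted leaves its metadata
// behind on the machine.
class UnexportableKeyProviderMac : public UnexportableKeyProvider {
 public:
  // `config` supplies the provider settings, including the access-control
  // value kept in `access_control_`.
  // NOTE(review): presumably `config` also carries the keychain access group
  // mentioned in the class comment; confirm against
  // crypto/unexportable_key.h.
  explicit UnexportableKeyProviderMac(Config config);

  // Declared here and defined out of line: `ObjCStorage` is an incomplete type
  // in this header, so the std::unique_ptr member cannot be destroyed from an
  // implicitly defined destructor.
  ~UnexportableKeyProviderMac() override;

#if defined(__OBJC__)
  // The two overloads below are visible only to Objective-C++ translation
  // units, because LAContext is an Objective-C type.

  // Like UnexportableKeyProvider::FromWrappedSigningKeySlowly, but lets you
  // pass an authenticated LAContext to avoid having macOS prompt the user for
  // user verification.
  //
  // Because the system prompt is skipped, the caller is the one vouching that
  // `lacontext` was authenticated for this use.
  // NOTE(review): this header does not say what happens when `lacontext` is
  // nil or has not been authenticated; confirm in the implementation and
  // document it here.
  std::unique_ptr<UnexportableSigningKey> FromWrappedSigningKeySlowly(
      base::span<const uint8_t> wrapped_key,
      LAContext* lacontext);

  // Like UnexportableKeyProvider::GenerateSigningKeySlowly, but lets you pass
  // an authenticated LAContext to avoid having macOS prompt the user for user
  // verification.
  //
  // The same caveat applies as for FromWrappedSigningKeySlowly() above: the
  // caller is responsible for the state of `lacontext`.
  std::unique_ptr<UnexportableSigningKey> GenerateSigningKeySlowly(
      base::span<const SignatureVerifier::SignatureAlgorithm>
          acceptable_algorithms,
      LAContext* lacontext);
#endif  // defined(__OBJC__)

  // UnexportableKeyProvider:
  // The contract of these overrides (including what a null or empty return
  // means) is defined by the base class in crypto/unexportable_key.h.
  std::optional<SignatureVerifier::SignatureAlgorithm> SelectAlgorithm(
      base::span<const SignatureVerifier::SignatureAlgorithm>
          acceptable_algorithms) override;
  std::unique_ptr<UnexportableSigningKey> GenerateSigningKeySlowly(
      base::span<const SignatureVerifier::SignatureAlgorithm>
          acceptable_algorithms) override;
  std::unique_ptr<UnexportableSigningKey> FromWrappedSigningKeySlowly(
      base::span<const uint8_t> wrapped_key) override;
  // Removes the key identified by `wrapped_key`. This is the cleanup hook for
  // the locally stored key metadata described in the class comment.
  // NOTE(review): presumably returns true on success; confirm against the
  // base-class documentation.
  bool DeleteSigningKey(base::span<const uint8_t> wrapped_key) override;

 private:
  // Defined in the implementation file.
  // NOTE(review): presumably holds the Objective-C state so that this header
  // stays includable from plain C++; confirm.
  struct ObjCStorage;

  // Access-control setting of type Config::AccessControl; const, so it is
  // fixed for the lifetime of the provider.
  const Config::AccessControl access_control_;
  std::unique_ptr<ObjCStorage> objc_storage_;
};

// Factory for the macOS provider built from `config`.
// NOTE(review): this header does not say whether the result can be null (for
// example on hardware without a Secure Enclave); callers should check until
// that is confirmed.
std::unique_ptr<UnexportableKeyProviderMac> GetUnexportableKeyProviderMac(
    UnexportableKeyProvider::Config config);

}  // namespace crypto

#endif  // CRYPTO_UNEXPORTABLE_KEY_MAC_H_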