author | dkrahn@chromium.org <dkrahn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-01 22:51:45 +0000 |
---|---|---|
committer | dkrahn@chromium.org <dkrahn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-01 22:51:45 +0000 |
commit | 027188c58c7a605ed9ed995e03e2c4deb2e3e0fe (patch) | |
tree | 6a84330d51a3f48f7efebfe7ca35b283b28029d5 | |
parent | 1b82aefbd6acc4e4cea6e445e0d770955dd9d021 (diff) | |
Clear content protection platform keys on Chrome OS.
When a user chooses to deauthorize content licenses we also want to
remove keys and certificates that may have been used in platform
verification for content protection.
BUG=chromium:280016
TEST=unit, manual
Review URL: https://codereview.chromium.org/50143007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@232496 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/browsing_data/browsing_data_remover.cc | 43 | ||||
-rw-r--r-- | chrome/browser/browsing_data/browsing_data_remover.h | 9 | ||||
-rw-r--r-- | chrome/browser/browsing_data/browsing_data_remover_unittest.cc | 47 | ||||
-rw-r--r-- | chromeos/dbus/cryptohome_client.cc | 17 | ||||
-rw-r--r-- | chromeos/dbus/cryptohome_client.h | 14 | ||||
-rw-r--r-- | chromeos/dbus/fake_cryptohome_client.cc | 9 | ||||
-rw-r--r-- | chromeos/dbus/fake_cryptohome_client.h | 5 | ||||
-rw-r--r-- | chromeos/dbus/mock_cryptohome_client.h | 5 |
8 files changed, 148 insertions, 1 deletions
diff --git a/chrome/browser/browsing_data/browsing_data_remover.cc b/chrome/browser/browsing_data/browsing_data_remover.cc index 60ba4bb..4824b4a 100644 --- a/chrome/browser/browsing_data/browsing_data_remover.cc +++ b/chrome/browser/browsing_data/browsing_data_remover.cc @@ -17,6 +17,10 @@ #include "chrome/browser/browser_process.h" #include "chrome/browser/browsing_data/browsing_data_helper.h" #include "chrome/browser/chrome_notification_types.h" +#if defined(OS_CHROMEOS) +#include "chrome/browser/chromeos/login/user.h" +#include "chrome/browser/chromeos/login/user_manager.h" +#endif #include "chrome/browser/download/download_prefs.h" #include "chrome/browser/download/download_service_factory.h" #include "chrome/browser/extensions/activity_log/activity_log.h" @@ -46,6 +50,11 @@ #include "chrome/browser/sessions/tab_restore_service_factory.h" #include "chrome/common/pref_names.h" #include "chrome/common/url_constants.h" +#if defined(OS_CHROMEOS) +#include "chromeos/attestation/attestation_constants.h" +#include "chromeos/dbus/cryptohome_client.h" +#include "chromeos/dbus/dbus_thread_manager.h" +#endif #include "components/autofill/core/browser/personal_data_manager.h" #include "components/autofill/core/browser/webdata/autofill_webdata_service.h" #include "components/nacl/browser/nacl_browser.h" @@ -178,6 +187,7 @@ BrowsingDataRemover::BrowsingDataRemover(Profile* profile, waiting_for_clear_shader_cache_(false), waiting_for_clear_webrtc_identity_store_(false), waiting_for_clear_keyword_data_(false), + waiting_for_clear_platform_keys_(false), remove_mask_(0), remove_origin_(GURL()), origin_set_mask_(0) { 
@@ -588,6 +598,23 @@ void BrowsingDataRemover::RemoveImpl(int remove_mask, } deauthorize_content_licenses_request_id_ = pepper_flash_settings_manager_->DeauthorizeContentLicenses(prefs); +#if defined(OS_CHROMEOS) + // On Chrome OS, also delete any content protection platform keys. + chromeos::User* user = chromeos::UserManager::Get()-> + GetUserByProfile(profile_); + if (!user) { + LOG(WARNING) << "Failed to find user for current profile."; + } else { + chromeos::DBusThreadManager::Get()->GetCryptohomeClient()-> + TpmAttestationDeleteKeys( + chromeos::attestation::KEY_USER, + user->email(), + chromeos::attestation::kContentProtectionKeyPrefix, + base::Bind(&BrowsingDataRemover::OnClearPlatformKeys, + base::Unretained(this))); + waiting_for_clear_platform_keys_ = true; + } +#endif } #endif @@ -662,7 +689,8 @@ bool BrowsingDataRemover::AllDone() { !waiting_for_clear_hostname_resolution_cache_ && !waiting_for_clear_network_predictor_ && !waiting_for_clear_shader_cache_ && - !waiting_for_clear_webrtc_identity_store_; + !waiting_for_clear_webrtc_identity_store_ && + !waiting_for_clear_platform_keys_; } void BrowsingDataRemover::OnKeywordsLoaded() { @@ -1114,6 +1142,19 @@ void BrowsingDataRemover::OnDeauthorizeContentLicensesCompleted( } #endif +#if defined(OS_CHROMEOS) +void BrowsingDataRemover::OnClearPlatformKeys( + chromeos::DBusMethodCallStatus call_status, + bool result) { + DCHECK(waiting_for_clear_platform_keys_); + if (call_status != chromeos::DBUS_METHOD_CALL_SUCCESS || !result) { + LOG(ERROR) << "Failed to clear platform keys."; + } + waiting_for_clear_platform_keys_ = false; + NotifyAndDeleteIfDone(); +} +#endif + void BrowsingDataRemover::OnClearedCookies(int num_deleted) { if (!BrowserThread::CurrentlyOn(BrowserThread::UI)) { BrowserThread::PostTask( diff --git a/chrome/browser/browsing_data/browsing_data_remover.h b/chrome/browser/browsing_data/browsing_data_remover.h index ff31f09..083781e 100644 --- a/chrome/browser/browsing_data/browsing_data_remover.h 
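Review bot: In the `#if defined(OS_CHROMEOS)` block added to `RemoveImpl`, `waiting_for_clear_platform_keys_ = true;` is assigned only after `TpmAttestationDeleteKeys` has been issued with a `base::Unretained(this)` callback. The `DCHECK` in `OnClearPlatformKeys`, and presumably the object's lifetime, therefore depend on the reply never being delivered before the assignment. Moving the assignment above the call removes that ordering assumption. The `!user` branch also skips the deletion with only `LOG(WARNING)`, so a deauthorize request can complete with the content protection keys still present; a comment such as `// No user for this profile: platform keys are left in place.` would make that explicit. `RemoveImpl` starts and ends outside the hunk.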
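Review bot: `OnClearPlatformKeys` handles a failed deletion exactly like a successful one apart from `LOG(ERROR)`: the flag is cleared and `NotifyAndDeleteIfDone()` runs, so the removal is reported as finished while the keys and certificates may still exist. If best effort is the intent, state it above the function, e.g. `// Best effort: a failure is logged but still counts as done, so removal never blocks on cryptohome.` Including `call_status` and `result` in the log message would also let a reader tell a D-Bus failure from a refusal by cryptohome.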
+++ b/chrome/browser/browsing_data/browsing_data_remover.h @@ -17,6 +17,9 @@ #include "chrome/browser/pepper_flash_settings_manager.h" #include "chrome/browser/search_engines/template_url_service.h" #include "chrome/common/cancelable_task_tracker.h" +#if defined(OS_CHROMEOS) +#include "chromeos/dbus/dbus_method_call_status.h" +#endif #include "url/gurl.h" #include "webkit/common/quota/quota_types.h" @@ -226,6 +229,11 @@ class BrowsingDataRemover bool success) OVERRIDE; #endif +#if defined (OS_CHROMEOS) + void OnClearPlatformKeys(chromeos::DBusMethodCallStatus call_status, + bool result); +#endif + // Removes the specified items related to browsing for a specific host. If the // provided |origin| is empty, data is removed for all origins. The // |origin_set_mask| parameter defines the set of origins from which data @@ -436,6 +444,7 @@ class BrowsingDataRemover bool waiting_for_clear_shader_cache_; bool waiting_for_clear_webrtc_identity_store_; bool waiting_for_clear_keyword_data_; + bool waiting_for_clear_platform_keys_; // Tracking how many origins need to be deleted, and whether we're finished // gathering origins. diff --git a/chrome/browser/browsing_data/browsing_data_remover_unittest.cc b/chrome/browser/browsing_data/browsing_data_remover_unittest.cc index 559a199..228392c 100644 --- a/chrome/browser/browsing_data/browsing_data_remover_unittest.cc +++ b/chrome/browser/browsing_data/browsing_data_remover_unittest.cc 
@@ -19,6 +19,12 @@ #include "chrome/browser/autofill/personal_data_manager_factory.h" #include "chrome/browser/browsing_data/browsing_data_helper.h" #include "chrome/browser/chrome_notification_types.h" +#if defined(OS_CHROMEOS) +#include "chrome/browser/chromeos/login/mock_user_manager.h" +#include "chrome/browser/chromeos/login/user_manager.h" +#include "chrome/browser/chromeos/settings/cros_settings.h" +#include "chrome/browser/chromeos/settings/device_settings_service.h" +#endif #include "chrome/browser/extensions/mock_extension_special_storage_policy.h" #include "chrome/browser/history/history_service.h" #include "chrome/browser/history/history_service_factory.h" @@ -26,6 +32,11 @@ #include "chrome/common/pref_names.h" #include "chrome/test/base/testing_browser_process.h" #include "chrome/test/base/testing_profile.h" +#if defined(OS_CHROMEOS) +#include "chromeos/dbus/dbus_thread_manager.h" +#include "chromeos/dbus/mock_cryptohome_client.h" +#include "chromeos/dbus/mock_dbus_thread_manager.h" +#endif #include "components/autofill/core/browser/autofill_common_test.h" #include "components/autofill/core/browser/autofill_profile.h" #include "components/autofill/core/browser/credit_card.h" @@ -43,12 +54,16 @@ #include "net/ssl/ssl_client_cert_type.h" #include "net/url_request/url_request_context.h" #include "net/url_request/url_request_context_getter.h" +#include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" #include "webkit/browser/quota/mock_quota_manager.h" #include "webkit/browser/quota/quota_manager.h" #include "webkit/common/quota/quota_types.h" using content::BrowserThread; +using testing::_; +using testing::Invoke; +using testing::WithArgs; namespace { 
@@ -163,6 +178,14 @@ class AwaitCompletionHelper : public BrowsingDataRemover::Observer { DISALLOW_COPY_AND_ASSIGN(AwaitCompletionHelper); }; +#if defined(OS_CHROMEOS) +void FakeDBusCall(const chromeos::BoolDBusMethodCallback& callback) { + base::MessageLoop::current()->PostTask( + FROM_HERE, + base::Bind(callback, chromeos::DBUS_METHOD_CALL_SUCCESS, true)); +} +#endif + } // namespace // Testers ------------------------------------------------------------------- @@ -1391,3 +1414,27 @@ TEST_F(BrowsingDataRemoverTest, AutofillOriginsRemovedWithHistory) { EXPECT_FALSE(tester.HasOrigin(kWebOrigin)); EXPECT_TRUE(tester.HasOrigin(kChromeOrigin)); } + +#if defined(OS_CHROMEOS) +TEST_F(BrowsingDataRemoverTest, ContentProtectionPlatformKeysRemoval) { + chromeos::ScopedTestDeviceSettingsService test_device_settings_service; + chromeos::ScopedTestCrosSettings test_cros_settings; + chromeos::MockUserManager* mock_user_manager = + new testing::NiceMock<chromeos::MockUserManager>(); + mock_user_manager->SetActiveUser("test@example.com"); + chromeos::ScopedUserManagerEnabler user_manager_enabler(mock_user_manager); + chromeos::MockDBusThreadManager mock_dbus_manager; + chromeos::DBusThreadManager::InitializeForTesting(&mock_dbus_manager); + chromeos::MockCryptohomeClient* cryptohome_client = + mock_dbus_manager.mock_cryptohome_client(); + + // Expect exactly one call. No calls means no attempt to delete keys and more + // than one call means a significant performance problem. + EXPECT_CALL(*cryptohome_client, TpmAttestationDeleteKeys(_, _, _, _)) + .WillOnce(WithArgs<3>(Invoke(FakeDBusCall))); + + BlockUntilBrowsingDataRemoved( + BrowsingDataRemover::EVERYTHING, + BrowsingDataRemover::REMOVE_CONTENT_LICENSES, false); +} +#endif diff --git a/chromeos/dbus/cryptohome_client.cc b/chromeos/dbus/cryptohome_client.cc index 77848d3..7165aa7 100644 --- a/chromeos/dbus/cryptohome_client.cc +++ b/chromeos/dbus/cryptohome_client.cc 
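Review bot: The expectation in `ContentProtectionPlatformKeysRemoval` matches `TpmAttestationDeleteKeys(_, _, _, _)`, so the test still passes if the remover sends the wrong key type, another user's id, or a prefix that covers keys other than the content protection ones. Pinning the arguments would catch that: `TpmAttestationDeleteKeys(chromeos::attestation::KEY_USER, "test@example.com", chromeos::attestation::kContentProtectionKeyPrefix, _)`. This assumes the mock user manager returns the active user set a few lines above, and the test file would need `chromeos/attestation/attestation_constants.h`. Neither the no-user branch nor a failing callback is exercised by this test.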
@@ -675,6 +675,23 @@ class CryptohomeClientImpl : public CryptohomeClient { CallBoolMethod(&method_call, callback); } + // CryptohomeClient override. + virtual void TpmAttestationDeleteKeys( + attestation::AttestationKeyType key_type, + const std::string& user_id, + const std::string& key_prefix, + const BoolDBusMethodCallback& callback) OVERRIDE { + dbus::MethodCall method_call( + cryptohome::kCryptohomeInterface, + cryptohome::kCryptohomeTpmAttestationDeleteKeys); + dbus::MessageWriter writer(&method_call); + bool is_user_specific = (key_type == attestation::KEY_USER); + writer.AppendBool(is_user_specific); + writer.AppendString(user_id); + writer.AppendString(key_prefix); + CallBoolMethod(&method_call, callback); + } + protected: virtual void Init(dbus::Bus* bus) OVERRIDE { proxy_ = bus->GetObjectProxy( diff --git a/chromeos/dbus/cryptohome_client.h b/chromeos/dbus/cryptohome_client.h index 87457a7..2fcb975 100644 --- a/chromeos/dbus/cryptohome_client.h +++ b/chromeos/dbus/cryptohome_client.h @@ -413,6 +413,20 @@ class CHROMEOS_EXPORT CryptohomeClient : public DBusClient { const std::string& payload, const BoolDBusMethodCallback& callback) = 0; + // Deletes certified keys as specified by |key_type| and |key_prefix|. The + // |callback| will be called when the operation completes. If the operation + // succeeds, the callback |result| parameter will be true. If |key_type| is + // KEY_USER, a |user_id| must be provided. Otherwise |user_id| is ignored. + // For normal GAIA users the |user_id| is a canonical email address. All keys + // where the key name has a prefix matching |key_prefix| will be deleted. All + // meta-data associated with the key, including certificates, will also be + // deleted. + virtual void TpmAttestationDeleteKeys( + attestation::AttestationKeyType key_type, + const std::string& user_id, + const std::string& key_prefix, + const BoolDBusMethodCallback& callback) = 0; + protected: // Create() should be used instead. CryptohomeClient(); 
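Review bot: `CryptohomeClientImpl::TpmAttestationDeleteKeys` forwards `user_id` and `key_prefix` unchecked, while the interface comment in `cryptohome_client.h` says a `user_id` "must be provided" for `KEY_USER` and that every key whose name starts with `key_prefix` is deleted. By that wording an empty prefix would select every key of the given type, which is a much wider deletion than any caller on this page asks for. The comment should say whether an empty prefix is allowed, e.g. `// An empty |key_prefix| matches all keys of |key_type|; callers must pass a non-empty prefix.` if that is the daemon's behaviour. The stated precondition can be enforced in the implementation with `DCHECK(key_type != attestation::KEY_USER || !user_id.empty());`.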
diff --git a/chromeos/dbus/fake_cryptohome_client.cc b/chromeos/dbus/fake_cryptohome_client.cc index 50ae793..c1baba0 100644 --- a/chromeos/dbus/fake_cryptohome_client.cc +++ b/chromeos/dbus/fake_cryptohome_client.cc @@ -382,6 +382,15 @@ void FakeCryptohomeClient::TpmAttestationSetKeyPayload( FROM_HERE, base::Bind(callback, DBUS_METHOD_CALL_SUCCESS, false)); } +void FakeCryptohomeClient::TpmAttestationDeleteKeys( + attestation::AttestationKeyType key_type, + const std::string& user_id, + const std::string& key_prefix, + const BoolDBusMethodCallback& callback) { + base::MessageLoop::current()->PostTask( + FROM_HERE, base::Bind(callback, DBUS_METHOD_CALL_SUCCESS, false)); +} + void FakeCryptohomeClient::SetServiceIsAvailable(bool is_available) { service_is_available_ = is_available; if (is_available) { diff --git a/chromeos/dbus/fake_cryptohome_client.h b/chromeos/dbus/fake_cryptohome_client.h index fd482b9..41b129d 100644 --- a/chromeos/dbus/fake_cryptohome_client.h +++ b/chromeos/dbus/fake_cryptohome_client.h @@ -152,6 +152,11 @@ class CHROMEOS_EXPORT FakeCryptohomeClient : public CryptohomeClient { const std::string& key_name, const std::string& payload, const BoolDBusMethodCallback& callback) OVERRIDE; + virtual void TpmAttestationDeleteKeys( + attestation::AttestationKeyType key_type, + const std::string& user_id, + const std::string& key_prefix, + const BoolDBusMethodCallback& callback) OVERRIDE; // Changes the behavior of WaitForServiceToBeAvailable(). This method runs // pending callbacks if is_available is true. diff --git a/chromeos/dbus/mock_cryptohome_client.h b/chromeos/dbus/mock_cryptohome_client.h index c8232da..6767923 100644 --- a/chromeos/dbus/mock_cryptohome_client.h +++ b/chromeos/dbus/mock_cryptohome_client.h 
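Review bot: `FakeCryptohomeClient::TpmAttestationDeleteKeys` replies with `DBUS_METHOD_CALL_SUCCESS` but a `result` of false, which the new `OnClearPlatformKeys` handler logs as "Failed to clear platform keys." at ERROR level whenever content licenses are removed against the fake. The fake holds no keys, so reporting success is closer to what happened: `base::Bind(callback, DBUS_METHOD_CALL_SUCCESS, true)`. If false is kept to match `TpmAttestationSetKeyPayload` just above, a one-line comment saying so would keep the spurious error from being read as a real deletion failure.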
@@ -156,6 +156,11 @@ class MockCryptohomeClient : public CryptohomeClient { const std::string& key_name, const std::string& payload, const BoolDBusMethodCallback& callback)); + MOCK_METHOD4(TpmAttestationDeleteKeys, + void(attestation::AttestationKeyType key_type, + const std::string& user_id, + const std::string& key_prefix, + const BoolDBusMethodCallback& callback)); }; } // namespace chromeos |