authordkrahn@chromium.org <dkrahn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-03-13 05:37:35 +0000
committerdkrahn@chromium.org <dkrahn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-03-13 05:37:35 +0000
commit5c647ec5d7a7f3f129f6547cef182d293e544f7f (patch)
treeaf1c2bf13b3826eca890cbc625be5399d1af2b19
parent296ede445185af89c82cb941ed968f286729bb74 (diff)
Move to new attestation dbus methods.
The new attestation methods support selection of an alternate Privacy CA which has been configured by enterprise policy. This CL does not add support for alternate PCAs, just support for the new methods. BUG=chromium:243605 TEST=unit, manual Review URL: https://codereview.chromium.org/177373006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@256760 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chromeos/attestation/attestation_constants.h5
-rw-r--r--chromeos/attestation/attestation_flow.cc19
-rw-r--r--chromeos/attestation/attestation_flow.h3
-rw-r--r--chromeos/attestation/attestation_flow_unittest.cc76
-rw-r--r--chromeos/attestation/mock_attestation_flow.cc5
-rw-r--r--chromeos/attestation/mock_attestation_flow.h1
-rw-r--r--chromeos/cryptohome/async_method_caller.cc13
-rw-r--r--chromeos/cryptohome/async_method_caller.h17
-rw-r--r--chromeos/cryptohome/mock_async_method_caller.cc12
-rw-r--r--chromeos/cryptohome/mock_async_method_caller.h16
-rw-r--r--chromeos/dbus/cryptohome_client.cc13
-rw-r--r--chromeos/dbus/cryptohome_client.h16
-rw-r--r--chromeos/dbus/fake_cryptohome_client.cc3
-rw-r--r--chromeos/dbus/fake_cryptohome_client.h3
-rw-r--r--chromeos/dbus/mock_cryptohome_client.h15
15 files changed, 162 insertions, 55 deletions
diff --git a/chromeos/attestation/attestation_constants.h b/chromeos/attestation/attestation_constants.h
index 1429004..de55998 100644
--- a/chromeos/attestation/attestation_constants.h
+++ b/chromeos/attestation/attestation_constants.h
@@ -41,6 +41,11 @@ enum AttestationCertificateProfile {
PROFILE_CONTENT_PROTECTION_CERTIFICATE,
};
+enum PrivacyCAType {
+ DEFAULT_PCA, // The Google-operated Privacy CA.
+ ALTERNATE_PCA, // An alternate Privacy CA specified by enterprise policy.
+};
+
// A key name for the Enterprise Machine Key. This key should always be stored
// as a DEVICE_KEY.
CHROMEOS_EXPORT extern const char kEnterpriseMachineKey[];
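Review bot: PrivacyCAType relies on implicit enumerator values, yet the cryptohome_client.cc hunks of this commit put it on the D-Bus wire with `writer.AppendInt32(pca_type)`. Inserting or reordering an enumerator later would silently change which Privacy CA the daemon is asked to use. I would pin the values, `DEFAULT_PCA = 0,` and `ALTERNATE_PCA = 1,`, and add `// Values are sent to cryptohomed over D-Bus; do not renumber.` above the enum. The daemon's own numbering is not visible here, so confirm 0 and 1 against it.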
diff --git a/chromeos/attestation/attestation_flow.cc b/chromeos/attestation/attestation_flow.cc
index 5021ddf..7cfdc87 100644
--- a/chromeos/attestation/attestation_flow.cc
+++ b/chromeos/attestation/attestation_flow.cc
@@ -125,11 +125,12 @@ void AttestationFlow::GetCertificate(
void AttestationFlow::StartEnroll(const base::Closure& on_failure,
const base::Closure& next_task) {
// Get the attestation service to create a Privacy CA enrollment request.
- async_caller_->AsyncTpmAttestationCreateEnrollRequest(base::Bind(
- &AttestationFlow::SendEnrollRequestToPCA,
- weak_factory_.GetWeakPtr(),
- on_failure,
- next_task));
+ async_caller_->AsyncTpmAttestationCreateEnrollRequest(
+ server_proxy_->GetType(),
+ base::Bind(&AttestationFlow::SendEnrollRequestToPCA,
+ weak_factory_.GetWeakPtr(),
+ on_failure,
+ next_task));
}
void AttestationFlow::SendEnrollRequestToPCA(const base::Closure& on_failure,
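Review bot: `server_proxy_->GetType()` is read afresh in StartEnroll here and again in the SendEnrollResponseToDaemon and StartCertificateRequest hunks below, so nothing ties the three steps of one flow to the same Privacy CA. With the base implementation returning a constant this is harmless, but a ServerProxy subclass whose answer can change between calls (presumably when policy is refreshed) could have an enroll request built for one CA and its response processed as the other. Either read it once per flow, `const PrivacyCAType pca_type = server_proxy_->GetType();`, and bind that value into the callbacks, or state on the declaration that the value must not change for the lifetime of the proxy. The bodies of the two later functions continue outside their hunks.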
@@ -166,6 +167,7 @@ void AttestationFlow::SendEnrollResponseToDaemon(
// Forward the response to the attestation service to complete enrollment.
async_caller_->AsyncTpmAttestationEnroll(
+ server_proxy_->GetType(),
data,
base::Bind(&AttestationFlow::OnEnrollComplete,
weak_factory_.GetWeakPtr(),
@@ -201,6 +203,7 @@ void AttestationFlow::StartCertificateRequest(
if (generate_new_key) {
// Get the attestation service to create a Privacy CA certificate request.
async_caller_->AsyncTpmAttestationCreateCertRequest(
+ server_proxy_->GetType(),
certificate_profile,
user_id,
request_origin,
@@ -299,5 +302,11 @@ void AttestationFlow::GetExistingCertificate(
base::Bind(&DBusDataMethodCallback, callback));
}
+ServerProxy::~ServerProxy() {}
+
+PrivacyCAType ServerProxy::GetType() {
+ return DEFAULT_PCA;
+}
+
} // namespace attestation
} // namespace chromeos
diff --git a/chromeos/attestation/attestation_flow.h b/chromeos/attestation/attestation_flow.h
index 3c846db..a6c6cd2 100644
--- a/chromeos/attestation/attestation_flow.h
+++ b/chromeos/attestation/attestation_flow.h
@@ -33,11 +33,12 @@ class CHROMEOS_EXPORT ServerProxy {
public:
typedef base::Callback<void(bool success,
const std::string& data)> DataCallback;
- virtual ~ServerProxy() {}
+ virtual ~ServerProxy();
virtual void SendEnrollRequest(const std::string& request,
const DataCallback& on_response) = 0;
virtual void SendCertificateRequest(const std::string& request,
const DataCallback& on_response) = 0;
+ virtual PrivacyCAType GetType();
};
// Implements the message flow for Chrome OS attestation tasks. Generally this
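Review bot: `virtual PrivacyCAType GetType();` is added without a comment and as a non-pure virtual. A ServerProxy subclass that talks to a different Privacy CA but forgets to override it will silently have its requests built for DEFAULT_PCA. At minimum document the contract, e.g. `// Returns the type of Privacy CA this proxy sends requests to. The default implementation returns DEFAULT_PCA; subclasses for another CA must override.` Since it is a pure query it could also be declared `const`, which would need `MOCK_CONST_METHOD0` in MockServerProxy.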
diff --git a/chromeos/attestation/attestation_flow_unittest.cc b/chromeos/attestation/attestation_flow_unittest.cc
index 3597517..578393b 100644
--- a/chromeos/attestation/attestation_flow_unittest.cc
+++ b/chromeos/attestation/attestation_flow_unittest.cc
@@ -12,7 +12,11 @@
#include "testing/gtest/include/gtest/gtest.h"
using testing::_;
+using testing::AtLeast;
+using testing::DoDefault;
using testing::Invoke;
+using testing::NiceMock;
+using testing::Return;
using testing::Sequence;
using testing::StrictMock;
using testing::WithArgs;
@@ -79,12 +83,13 @@ TEST_F(AttestationFlowTest, GetCertificate) {
// Use StrictMock when we want to verify invocation frequency.
StrictMock<cryptohome::MockAsyncMethodCaller> async_caller;
async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
- EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_))
+ EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_, _))
.Times(1)
.InSequence(flow_order);
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
proxy->DeferToFake(true);
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
EXPECT_CALL(*proxy, SendEnrollRequest(
cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest,
_)).Times(1)
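Review bot: The new first argument is matched with `_` in `AsyncTpmAttestationCreateEnrollRequest(_, _)`, and likewise in the AsyncTpmAttestationEnroll and AsyncTpmAttestationCreateCertRequest expectations in the later hunks of this file. None of the existing tests therefore checks that the default path actually passes DEFAULT_PCA. Because the proxy mock in these tests returns the default type, the expectations can be tightened to `AsyncTpmAttestationCreateEnrollRequest(DEFAULT_PCA, _)` and the equivalents. Only the new AlternatePCA test currently asserts the value. The test bodies continue outside the hunks.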
@@ -93,13 +98,15 @@ TEST_F(AttestationFlowTest, GetCertificate) {
std::string fake_enroll_response =
cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest;
fake_enroll_response += "_response";
- EXPECT_CALL(async_caller, AsyncTpmAttestationEnroll(fake_enroll_response, _))
+ EXPECT_CALL(async_caller,
+ AsyncTpmAttestationEnroll(_, fake_enroll_response, _))
.Times(1)
.InSequence(flow_order);
EXPECT_CALL(
async_caller,
- AsyncTpmAttestationCreateCertRequest(PROFILE_ENTERPRISE_USER_CERTIFICATE,
+ AsyncTpmAttestationCreateCertRequest(_,
+ PROFILE_ENTERPRISE_USER_CERTIFICATE,
"fake@test.com", "fake_origin", _))
.Times(1)
.InSequence(flow_order);
@@ -141,7 +148,7 @@ TEST_F(AttestationFlowTest, GetCertificate) {
TEST_F(AttestationFlowTest, GetCertificate_NoEK) {
StrictMock<cryptohome::MockAsyncMethodCaller> async_caller;
async_caller.SetUp(false, cryptohome::MOUNT_ERROR_NONE);
- EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_))
+ EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_, _))
.Times(1);
chromeos::MockCryptohomeClient client;
@@ -150,6 +157,7 @@ TEST_F(AttestationFlowTest, GetCertificate_NoEK) {
// We're not expecting any server calls in this case; StrictMock will verify.
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
StrictMock<MockObserver> observer;
EXPECT_CALL(observer, MockCertificateCallback(false, ""))
@@ -168,7 +176,7 @@ TEST_F(AttestationFlowTest, GetCertificate_NoEK) {
TEST_F(AttestationFlowTest, GetCertificate_EKRejected) {
StrictMock<cryptohome::MockAsyncMethodCaller> async_caller;
async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
- EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_))
+ EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_, _))
.Times(1);
chromeos::MockCryptohomeClient client;
@@ -177,6 +185,7 @@ TEST_F(AttestationFlowTest, GetCertificate_EKRejected) {
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
proxy->DeferToFake(false);
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
EXPECT_CALL(*proxy, SendEnrollRequest(
cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest,
_)).Times(1);
@@ -198,13 +207,14 @@ TEST_F(AttestationFlowTest, GetCertificate_EKRejected) {
TEST_F(AttestationFlowTest, GetCertificate_FailEnroll) {
StrictMock<cryptohome::MockAsyncMethodCaller> async_caller;
async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
- EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_))
+ EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_, _))
.Times(1);
std::string fake_enroll_response =
cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest;
fake_enroll_response += "_response";
- EXPECT_CALL(async_caller, AsyncTpmAttestationEnroll(fake_enroll_response, _))
- .WillOnce(WithArgs<1>(Invoke(AsyncCallbackFalse)));
+ EXPECT_CALL(async_caller,
+ AsyncTpmAttestationEnroll(_, fake_enroll_response, _))
+ .WillOnce(WithArgs<2>(Invoke(AsyncCallbackFalse)));
chromeos::MockCryptohomeClient client;
EXPECT_CALL(client, TpmAttestationIsEnrolled(_))
@@ -212,6 +222,7 @@ TEST_F(AttestationFlowTest, GetCertificate_FailEnroll) {
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
proxy->DeferToFake(true);
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
EXPECT_CALL(*proxy, SendEnrollRequest(
cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest,
_)).Times(1);
@@ -234,7 +245,7 @@ TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) {
async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
EXPECT_CALL(async_caller,
AsyncTpmAttestationCreateCertRequest(
- PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, "", "", _))
+ _, PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, "", "", _))
.Times(1);
std::string fake_cert_response =
cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest;
@@ -253,6 +264,7 @@ TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) {
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
proxy->DeferToFake(true);
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
EXPECT_CALL(*proxy, SendCertificateRequest(
cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest,
_)).Times(1);
@@ -277,7 +289,7 @@ TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) {
async_caller.SetUp(false, cryptohome::MOUNT_ERROR_NONE);
EXPECT_CALL(async_caller,
AsyncTpmAttestationCreateCertRequest(
- PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
+ _, PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
.Times(1);
chromeos::MockCryptohomeClient client;
@@ -286,6 +298,7 @@ TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) {
// We're not expecting any server calls in this case; StrictMock will verify.
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
StrictMock<MockObserver> observer;
EXPECT_CALL(observer, MockCertificateCallback(false, "")).Times(1);
@@ -305,7 +318,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) {
async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
EXPECT_CALL(async_caller,
AsyncTpmAttestationCreateCertRequest(
- PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
+ _, PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
.Times(1);
chromeos::MockCryptohomeClient client;
@@ -314,6 +327,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) {
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
proxy->DeferToFake(false);
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
EXPECT_CALL(*proxy, SendCertificateRequest(
cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest,
_)).Times(1);
@@ -341,6 +355,7 @@ TEST_F(AttestationFlowTest, GetCertificate_FailIsEnrolled) {
// We're not expecting any server calls in this case; StrictMock will verify.
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
StrictMock<MockObserver> observer;
EXPECT_CALL(observer, MockCertificateCallback(false, "")).Times(1);
@@ -360,7 +375,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) {
async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
EXPECT_CALL(async_caller,
AsyncTpmAttestationCreateCertRequest(
- PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
+ _, PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
.Times(1);
std::string fake_cert_response =
cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest;
@@ -382,6 +397,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) {
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
proxy->DeferToFake(true);
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
EXPECT_CALL(*proxy, SendCertificateRequest(
cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest,
_)).Times(1);
@@ -417,6 +433,7 @@ TEST_F(AttestationFlowTest, GetCertificate_AlreadyExists) {
// We're not expecting any server calls in this case; StrictMock will verify.
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
StrictMock<MockObserver> observer;
EXPECT_CALL(observer, MockCertificateCallback(true, "fake_cert")).Times(1);
@@ -431,5 +448,40 @@ TEST_F(AttestationFlowTest, GetCertificate_AlreadyExists) {
Run();
}
+TEST_F(AttestationFlowTest, AlternatePCA) {
+ // Strategy: Create a ServerProxy mock which reports ALTERNATE_PCA and check
+ // that all calls to the AsyncMethodCaller reflect this PCA type.
+ scoped_ptr<MockServerProxy> proxy(new NiceMock<MockServerProxy>());
+ proxy->DeferToFake(true);
+ EXPECT_CALL(*proxy, GetType()).WillRepeatedly(Return(ALTERNATE_PCA));
+
+ chromeos::MockCryptohomeClient client;
+ EXPECT_CALL(client, TpmAttestationIsEnrolled(_))
+ .WillRepeatedly(Invoke(DBusCallbackFalse));
+
+ NiceMock<cryptohome::MockAsyncMethodCaller> async_caller;
+ async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
+ EXPECT_CALL(async_caller,
+ AsyncTpmAttestationCreateEnrollRequest(ALTERNATE_PCA, _))
+ .Times(AtLeast(1));
+ EXPECT_CALL(async_caller,
+ AsyncTpmAttestationEnroll(ALTERNATE_PCA, _, _))
+ .Times(AtLeast(1));
+ EXPECT_CALL(async_caller,
+ AsyncTpmAttestationCreateCertRequest(ALTERNATE_PCA, _, _, _, _))
+ .Times(AtLeast(1));
+
+ NiceMock<MockObserver> observer;
+ AttestationFlow::CertificateCallback mock_callback = base::Bind(
+ &MockObserver::MockCertificateCallback,
+ base::Unretained(&observer));
+
+ scoped_ptr<ServerProxy> proxy_interface(proxy.release());
+ AttestationFlow flow(&async_caller, &client, proxy_interface.Pass());
+ flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true,
+ mock_callback);
+ Run();
+}
+
} // namespace attestation
} // namespace chromeos
diff --git a/chromeos/attestation/mock_attestation_flow.cc b/chromeos/attestation/mock_attestation_flow.cc
index b776899..b6eda5b3 100644
--- a/chromeos/attestation/mock_attestation_flow.cc
+++ b/chromeos/attestation/mock_attestation_flow.cc
@@ -8,6 +8,7 @@
#include "testing/gmock/include/gmock/gmock.h"
using testing::_;
+using testing::DefaultValue;
using testing::Invoke;
namespace chromeos {
@@ -27,7 +28,9 @@ void FakeServerProxy::SendCertificateRequest(const std::string& request,
callback.Run(result_, request + "_response");
}
-MockServerProxy::MockServerProxy() {}
+MockServerProxy::MockServerProxy() {
+ DefaultValue<PrivacyCAType>::Set(DEFAULT_PCA);
+}
MockServerProxy::~MockServerProxy() {}
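Review bot: `DefaultValue<PrivacyCAType>::Set(DEFAULT_PCA);` in the constructor changes a process-wide gmock setting, and the empty destructor never clears it. Every other mock returning PrivacyCAType in the same test binary inherits the default after the first MockServerProxy is built. Scope it to this mock instead with `ON_CALL(*this, GetType()).WillByDefault(Return(DEFAULT_PCA));` plus `using testing::Return;`, which still satisfies the `WillRepeatedly(DoDefault())` expectations in the unit tests.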
diff --git a/chromeos/attestation/mock_attestation_flow.h b/chromeos/attestation/mock_attestation_flow.h
index 1950246..1774964 100644
--- a/chromeos/attestation/mock_attestation_flow.h
+++ b/chromeos/attestation/mock_attestation_flow.h
@@ -46,6 +46,7 @@ class MockServerProxy : public ServerProxy {
void(const std::string&, const DataCallback&));
MOCK_METHOD2(SendCertificateRequest,
void(const std::string&, const DataCallback&));
+ MOCK_METHOD0(GetType, PrivacyCAType());
private:
FakeServerProxy fake_;
diff --git a/chromeos/cryptohome/async_method_caller.cc b/chromeos/cryptohome/async_method_caller.cc
index 8e89309..5d9b844 100644
--- a/chromeos/cryptohome/async_method_caller.cc
+++ b/chromeos/cryptohome/async_method_caller.cc
@@ -113,19 +113,22 @@ class AsyncMethodCallerImpl : public AsyncMethodCaller {
}
virtual void AsyncTpmAttestationCreateEnrollRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
const DataCallback& callback) OVERRIDE {
DBusThreadManager::Get()->GetCryptohomeClient()->
- AsyncTpmAttestationCreateEnrollRequest(base::Bind(
+ AsyncTpmAttestationCreateEnrollRequest(pca_type, base::Bind(
&AsyncMethodCallerImpl::RegisterAsyncDataCallback,
weak_ptr_factory_.GetWeakPtr(),
callback,
"Couldn't initiate async attestation enroll request."));
}
- virtual void AsyncTpmAttestationEnroll(const std::string& pca_response,
- const Callback& callback) OVERRIDE {
+ virtual void AsyncTpmAttestationEnroll(
+ chromeos::attestation::PrivacyCAType pca_type,
+ const std::string& pca_response,
+ const Callback& callback) OVERRIDE {
DBusThreadManager::Get()->GetCryptohomeClient()->
- AsyncTpmAttestationEnroll(pca_response, base::Bind(
+ AsyncTpmAttestationEnroll(pca_type, pca_response, base::Bind(
&AsyncMethodCallerImpl::RegisterAsyncCallback,
weak_ptr_factory_.GetWeakPtr(),
callback,
@@ -133,12 +136,14 @@ class AsyncMethodCallerImpl : public AsyncMethodCaller {
}
virtual void AsyncTpmAttestationCreateCertRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
chromeos::attestation::AttestationCertificateProfile certificate_profile,
const std::string& user_id,
const std::string& request_origin,
const DataCallback& callback) OVERRIDE {
DBusThreadManager::Get()->GetCryptohomeClient()->
AsyncTpmAttestationCreateCertRequest(
+ pca_type,
certificate_profile,
user_id,
request_origin,
diff --git a/chromeos/cryptohome/async_method_caller.h b/chromeos/cryptohome/async_method_caller.h
index be1b0a8..7f1660e 100644
--- a/chromeos/cryptohome/async_method_caller.h
+++ b/chromeos/cryptohome/async_method_caller.h
@@ -103,23 +103,28 @@ class CHROMEOS_EXPORT AsyncMethodCaller {
// Asks cryptohomed to asynchronously create an attestation enrollment
// request. On success the data sent to |callback| is a request to be sent
- // to the Privacy CA.
+ // to the Privacy CA of type |pca_type|.
virtual void AsyncTpmAttestationCreateEnrollRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
const DataCallback& callback) = 0;
// Asks cryptohomed to asynchronously finish an attestation enrollment.
// |pca_response| is the response to the enrollment request emitted by the
- // Privacy CA.
- virtual void AsyncTpmAttestationEnroll(const std::string& pca_response,
- const Callback& callback) = 0;
+ // Privacy CA of type |pca_type|.
+ virtual void AsyncTpmAttestationEnroll(
+ chromeos::attestation::PrivacyCAType pca_type,
+ const std::string& pca_response,
+ const Callback& callback) = 0;
// Asks cryptohomed to asynchronously create an attestation certificate
// request according to |certificate_profile|. Some profiles require that the
// |user_id| of the currently active user and an identifier of the
// |request_origin| be provided. On success the data sent to |callback| is a
- // request to be sent to the Privacy CA. The |request_origin| may be sent to
- // the Privacy CA but the |user_id| will never be sent.
+ // request to be sent to the Privacy CA of type |pca_type|. The
+ // |request_origin| may be sent to the Privacy CA but the |user_id| will never
+ // be sent.
virtual void AsyncTpmAttestationCreateCertRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
chromeos::attestation::AttestationCertificateProfile certificate_profile,
const std::string& user_id,
const std::string& request_origin,
diff --git a/chromeos/cryptohome/mock_async_method_caller.cc b/chromeos/cryptohome/mock_async_method_caller.cc
index 7f54164..7f39eef 100644
--- a/chromeos/cryptohome/mock_async_method_caller.cc
+++ b/chromeos/cryptohome/mock_async_method_caller.cc
@@ -44,16 +44,16 @@ void MockAsyncMethodCaller::SetUp(bool success, MountError return_code) {
ON_CALL(*this, AsyncRemove(_, _))
.WillByDefault(
WithArgs<1>(Invoke(this, &MockAsyncMethodCaller::DoCallback)));
- ON_CALL(*this, AsyncTpmAttestationCreateEnrollRequest(_))
+ ON_CALL(*this, AsyncTpmAttestationCreateEnrollRequest(_, _))
.WillByDefault(
- WithArgs<0>(Invoke(this,
+ WithArgs<1>(Invoke(this,
&MockAsyncMethodCaller::FakeCreateEnrollRequest)));
- ON_CALL(*this, AsyncTpmAttestationEnroll(_, _))
+ ON_CALL(*this, AsyncTpmAttestationEnroll(_, _, _))
.WillByDefault(
- WithArgs<1>(Invoke(this, &MockAsyncMethodCaller::DoCallback)));
- ON_CALL(*this, AsyncTpmAttestationCreateCertRequest(_, _, _, _))
+ WithArgs<2>(Invoke(this, &MockAsyncMethodCaller::DoCallback)));
+ ON_CALL(*this, AsyncTpmAttestationCreateCertRequest(_, _, _, _, _))
.WillByDefault(
- WithArgs<3>(Invoke(this,
+ WithArgs<4>(Invoke(this,
&MockAsyncMethodCaller::FakeCreateCertRequest)));
ON_CALL(*this, AsyncTpmAttestationFinishCertRequest(_, _, _, _, _))
.WillByDefault(
diff --git a/chromeos/cryptohome/mock_async_method_caller.h b/chromeos/cryptohome/mock_async_method_caller.h
index e41457a..515ec78 100644
--- a/chromeos/cryptohome/mock_async_method_caller.h
+++ b/chromeos/cryptohome/mock_async_method_caller.h
@@ -48,13 +48,17 @@ class MockAsyncMethodCaller : public AsyncMethodCaller {
Callback callback));
MOCK_METHOD2(AsyncRemove, void(const std::string& user_email,
Callback callback));
- MOCK_METHOD1(AsyncTpmAttestationCreateEnrollRequest,
- void(const DataCallback& callback));
- MOCK_METHOD2(AsyncTpmAttestationEnroll,
- void(const std::string& pca_response, const Callback& callback));
- MOCK_METHOD4(
+ MOCK_METHOD2(AsyncTpmAttestationCreateEnrollRequest,
+ void(chromeos::attestation::PrivacyCAType pca_type,
+ const DataCallback& callback));
+ MOCK_METHOD3(AsyncTpmAttestationEnroll,
+ void(chromeos::attestation::PrivacyCAType pca_type,
+ const std::string& pca_response,
+ const Callback& callback));
+ MOCK_METHOD5(
AsyncTpmAttestationCreateCertRequest,
- void(chromeos::attestation::AttestationCertificateProfile profile,
+ void(chromeos::attestation::PrivacyCAType pca_type,
+ chromeos::attestation::AttestationCertificateProfile profile,
const std::string& user_id,
const std::string& request_origin,
const DataCallback& callback));
diff --git a/chromeos/dbus/cryptohome_client.cc b/chromeos/dbus/cryptohome_client.cc
index 9e24c32..e5b7db5 100644
--- a/chromeos/dbus/cryptohome_client.cc
+++ b/chromeos/dbus/cryptohome_client.cc
@@ -434,10 +434,13 @@ class CryptohomeClientImpl : public CryptohomeClient {
// CryptohomeClient override.
virtual void AsyncTpmAttestationCreateEnrollRequest(
+ attestation::PrivacyCAType pca_type,
const AsyncMethodCallback& callback) OVERRIDE {
dbus::MethodCall method_call(
cryptohome::kCryptohomeInterface,
- cryptohome::kCryptohomeAsyncTpmAttestationCreateEnrollRequest);
+ cryptohome::kCryptohomeAsyncTpmAttestationCreateEnrollRequestNew);
+ dbus::MessageWriter writer(&method_call);
+ writer.AppendInt32(pca_type);
proxy_->CallMethod(&method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT,
base::Bind(&CryptohomeClientImpl::OnAsyncMethodCall,
weak_ptr_factory_.GetWeakPtr(),
@@ -446,12 +449,14 @@ class CryptohomeClientImpl : public CryptohomeClient {
// CryptohomeClient override.
virtual void AsyncTpmAttestationEnroll(
+ attestation::PrivacyCAType pca_type,
const std::string& pca_response,
const AsyncMethodCallback& callback) OVERRIDE {
dbus::MethodCall method_call(
cryptohome::kCryptohomeInterface,
- cryptohome::kCryptohomeAsyncTpmAttestationEnroll);
+ cryptohome::kCryptohomeAsyncTpmAttestationEnrollNew);
dbus::MessageWriter writer(&method_call);
+ writer.AppendInt32(pca_type);
writer.AppendArrayOfBytes(
reinterpret_cast<const uint8*>(pca_response.data()),
pca_response.size());
@@ -463,14 +468,16 @@ class CryptohomeClientImpl : public CryptohomeClient {
// CryptohomeClient override.
virtual void AsyncTpmAttestationCreateCertRequest(
+ attestation::PrivacyCAType pca_type,
attestation::AttestationCertificateProfile certificate_profile,
const std::string& user_id,
const std::string& request_origin,
const AsyncMethodCallback& callback) OVERRIDE {
dbus::MethodCall method_call(
cryptohome::kCryptohomeInterface,
- cryptohome::kCryptohomeAsyncTpmAttestationCreateCertRequestByProfile);
+ cryptohome::kCryptohomeAsyncTpmAttestationCreateCertRequest);
dbus::MessageWriter writer(&method_call);
+ writer.AppendInt32(pca_type);
writer.AppendInt32(certificate_profile);
writer.AppendString(user_id);
writer.AppendString(request_origin);
diff --git a/chromeos/dbus/cryptohome_client.h b/chromeos/dbus/cryptohome_client.h
index 85fc6fd..a532e9f 100644
--- a/chromeos/dbus/cryptohome_client.h
+++ b/chromeos/dbus/cryptohome_client.h
@@ -280,15 +280,19 @@ class CHROMEOS_EXPORT CryptohomeClient : public DBusClient {
// will be called when the dbus call completes. When the operation completes,
// the AsyncCallStatusWithDataHandler signal handler is called. The data that
// is sent with the signal is an enrollment request to be sent to the Privacy
- // CA. The enrollment is completed by calling AsyncTpmAttestationEnroll.
+ // CA of type |pca_type|. The enrollment is completed by calling
+ // AsyncTpmAttestationEnroll.
virtual void AsyncTpmAttestationCreateEnrollRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
const AsyncMethodCallback& callback) = 0;
// Asynchronously finishes an attestation enrollment operation. The callback
// will be called when the dbus call completes. When the operation completes,
// the AsyncCallStatusHandler signal handler is called. |pca_response| is the
- // response to the enrollment request emitted by the Privacy CA.
+ // response to the enrollment request emitted by the Privacy CA of type
+ // |pca_type|.
virtual void AsyncTpmAttestationEnroll(
+ chromeos::attestation::PrivacyCAType pca_type,
const std::string& pca_response,
const AsyncMethodCallback& callback) = 0;
@@ -298,10 +302,12 @@ class CHROMEOS_EXPORT CryptohomeClient : public DBusClient {
// provided. |callback| will be called when the dbus call completes. When
// the operation completes, the AsyncCallStatusWithDataHandler signal handler
// is called. The data that is sent with the signal is a certificate request
- // to be sent to the Privacy CA. The certificate request is completed by
- // calling AsyncTpmAttestationFinishCertRequest. The |user_id| will not
- // be included in the certificate request for the Privacy CA.
+ // to be sent to the Privacy CA of type |pca_type|. The certificate request
+ // is completed by calling AsyncTpmAttestationFinishCertRequest. The
+ // |user_id| will not be included in the certificate request for the Privacy
+ // CA.
virtual void AsyncTpmAttestationCreateCertRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
attestation::AttestationCertificateProfile certificate_profile,
const std::string& user_id,
const std::string& request_origin,
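Review bot: The new parameter is spelled `chromeos::attestation::PrivacyCAType pca_type,` directly above `attestation::AttestationCertificateProfile certificate_profile,` in the same signature, so one declaration mixes two qualification styles. The same mix appears in the fake_cryptohome_client.h and fake_cryptohome_client.cc hunks, while cryptohome_client.cc and mock_cryptohome_client.h use the short form. Writing `attestation::PrivacyCAType pca_type,` throughout would keep the declarations consistent with their overrides. The signature continues outside the hunk.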
diff --git a/chromeos/dbus/fake_cryptohome_client.cc b/chromeos/dbus/fake_cryptohome_client.cc
index a4e7f28..df33138 100644
--- a/chromeos/dbus/fake_cryptohome_client.cc
+++ b/chromeos/dbus/fake_cryptohome_client.cc
@@ -279,17 +279,20 @@ void FakeCryptohomeClient::TpmAttestationIsEnrolled(
}
void FakeCryptohomeClient::AsyncTpmAttestationCreateEnrollRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
const AsyncMethodCallback& callback) {
ReturnAsyncMethodResult(callback, true);
}
void FakeCryptohomeClient::AsyncTpmAttestationEnroll(
+ chromeos::attestation::PrivacyCAType pca_type,
const std::string& pca_response,
const AsyncMethodCallback& callback) {
ReturnAsyncMethodResult(callback, false);
}
void FakeCryptohomeClient::AsyncTpmAttestationCreateCertRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
attestation::AttestationCertificateProfile certificate_profile,
const std::string& user_id,
const std::string& request_origin,
diff --git a/chromeos/dbus/fake_cryptohome_client.h b/chromeos/dbus/fake_cryptohome_client.h
index 96aeeab..f1b6538 100644
--- a/chromeos/dbus/fake_cryptohome_client.h
+++ b/chromeos/dbus/fake_cryptohome_client.h
@@ -91,11 +91,14 @@ class CHROMEOS_EXPORT FakeCryptohomeClient : public CryptohomeClient {
virtual void TpmAttestationIsEnrolled(
const BoolDBusMethodCallback& callback) OVERRIDE;
virtual void AsyncTpmAttestationCreateEnrollRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
const AsyncMethodCallback& callback) OVERRIDE;
virtual void AsyncTpmAttestationEnroll(
+ chromeos::attestation::PrivacyCAType pca_type,
const std::string& pca_response,
const AsyncMethodCallback& callback) OVERRIDE;
virtual void AsyncTpmAttestationCreateCertRequest(
+ chromeos::attestation::PrivacyCAType pca_type,
attestation::AttestationCertificateProfile certificate_profile,
const std::string& user_id,
const std::string& request_origin,
diff --git a/chromeos/dbus/mock_cryptohome_client.h b/chromeos/dbus/mock_cryptohome_client.h
index eedd26c..f36bbb58 100644
--- a/chromeos/dbus/mock_cryptohome_client.h
+++ b/chromeos/dbus/mock_cryptohome_client.h
@@ -94,14 +94,17 @@ class MockCryptohomeClient : public CryptohomeClient {
void(const BoolDBusMethodCallback& callback));
MOCK_METHOD1(TpmAttestationIsEnrolled,
void(const BoolDBusMethodCallback& callback));
- MOCK_METHOD1(AsyncTpmAttestationCreateEnrollRequest,
- void(const AsyncMethodCallback& callback));
- MOCK_METHOD2(AsyncTpmAttestationEnroll,
- void(const std::string& pca_response,
+ MOCK_METHOD2(AsyncTpmAttestationCreateEnrollRequest,
+ void(attestation::PrivacyCAType pca_type,
+ const AsyncMethodCallback& callback));
+ MOCK_METHOD3(AsyncTpmAttestationEnroll,
+ void(attestation::PrivacyCAType pca_type,
+ const std::string& pca_response,
const AsyncMethodCallback& callback));
- MOCK_METHOD4(
+ MOCK_METHOD5(
AsyncTpmAttestationCreateCertRequest,
- void(attestation::AttestationCertificateProfile certificate_profile,
+ void(attestation::PrivacyCAType pca_type,
+ attestation::AttestationCertificateProfile certificate_profile,
const std::string& user_id,
const std::string& request_origin,
const AsyncMethodCallback& callback));