author | dkrahn@google.com <dkrahn@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-14 22:15:59 +0000 |
---|---|---|
committer | dkrahn@google.com <dkrahn@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-14 22:15:59 +0000 |
commit | 64494c3febd59f7c78f672e35ab60b705ce66017 (patch) | |
tree | 844fea96e9b9af21c5b176f157ba0e50044ff87c /chromeos/attestation | |
parent | 93f90980f27779675775113bc681021d020dd142 (diff) | |
Added support for the content protection profile to AttestationFlow.
This change moves all attestation certificate requests to the
new CreateCertRequestByProfile dbus method.
BUG=chromium:260504
TEST=unit, manual
Review URL: https://chromiumcodereview.appspot.com/20873002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@217673 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chromeos/attestation')
-rw-r--r-- | chromeos/attestation/attestation_constants.cc | 1 | ||||
-rw-r--r-- | chromeos/attestation/attestation_constants.h | 17 | ||||
-rw-r--r-- | chromeos/attestation/attestation_flow.cc | 34 | ||||
-rw-r--r-- | chromeos/attestation/attestation_flow.h | 12 | ||||
-rw-r--r-- | chromeos/attestation/attestation_flow_unittest.cc | 55 | ||||
-rw-r--r-- | chromeos/attestation/mock_attestation_flow.h | 4 |
6 files changed, 72 insertions, 51 deletions
diff --git a/chromeos/attestation/attestation_constants.cc b/chromeos/attestation/attestation_constants.cc index 9f3833b..51d4e44 100644 --- a/chromeos/attestation/attestation_constants.cc +++ b/chromeos/attestation/attestation_constants.cc @@ -9,6 +9,7 @@ namespace attestation { const char kEnterpriseMachineKey[] = "attest-ent-machine"; const char kEnterpriseUserKey[] = "attest-ent-user"; +const char kContentProtectionKeyPrefix[] = "attest-cp-"; } // namespace attestation } // namespace chromeos diff --git a/chromeos/attestation/attestation_constants.h b/chromeos/attestation/attestation_constants.h index a704cfc..1429004 100644 --- a/chromeos/attestation/attestation_constants.h +++ b/chromeos/attestation/attestation_constants.h @@ -10,17 +10,6 @@ namespace chromeos { namespace attestation { -// Options available for customizing an attestation certificate. -enum AttestationCertificateOptions { - CERTIFICATE_OPTION_NONE = 0, - // A stable identifier is simply an identifier that is not affected by device - // state changes, including device recovery. - CERTIFICATE_INCLUDE_STABLE_ID = 1, - // Device state information contains a quoted assertion of whether the device - // is in verified mode. - CERTIFICATE_INCLUDE_DEVICE_STATE = 1 << 1, -}; - // Key types supported by the Chrome OS attestation subsystem. enum AttestationKeyType { // The key will be associated with the device itself and will be available @@ -48,6 +37,8 @@ enum AttestationCertificateProfile { // Uses the following certificate options: // CERTIFICATE_INCLUDE_DEVICE_STATE PROFILE_ENTERPRISE_USER_CERTIFICATE, + // A profile for certificates intended for protected content providers. + PROFILE_CONTENT_PROTECTION_CERTIFICATE, }; // A key name for the Enterprise Machine Key. This key should always be stored 
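Review bot: The context comment on `PROFILE_ENTERPRISE_USER_CERTIFICATE` in attestation_constants.h (second hunk) still reads "Uses the following certificate options: CERTIFICATE_INCLUDE_DEVICE_STATE", but this commit deletes the `AttestationCertificateOptions` enum that name came from, so the comment now refers to an identifier that no longer exists in this header. The machine-profile comment above it is outside the hunk and presumably has the same problem. The new `PROFILE_CONTENT_PROTECTION_CERTIFICATE` entry also does not say that its key is per-origin. I would describe the certificate contents in prose on the existing entries and extend the new one, e.g. `// A profile for certificates intended for protected content providers. Uses a KEY_USER key named kContentProtectionKeyPrefix + origin.`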
@@ -58,6 +49,10 @@ CHROMEOS_EXPORT extern const char kEnterpriseMachineKey[]; // a USER_KEY. CHROMEOS_EXPORT extern const char kEnterpriseUserKey[]; +// The key name prefix for content protection keys. This prefix must be +// appended with an origin-specific identifier to form the final key name. +CHROMEOS_EXPORT extern const char kContentProtectionKeyPrefix[]; + } // namespace attestation } // namespace chromeos diff --git a/chromeos/attestation/attestation_flow.cc b/chromeos/attestation/attestation_flow.cc index 2fba761..9b22b65 100644 --- a/chromeos/attestation/attestation_flow.cc +++ b/chromeos/attestation/attestation_flow.cc @@ -59,36 +59,27 @@ AttestationKeyType GetKeyTypeForProfile( case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: return KEY_DEVICE; case PROFILE_ENTERPRISE_USER_CERTIFICATE: + case PROFILE_CONTENT_PROTECTION_CERTIFICATE: return KEY_USER; } NOTREACHED(); return KEY_USER; } -std::string GetKeyNameForProfile( - AttestationCertificateProfile profile) { +std::string GetKeyNameForProfile(AttestationCertificateProfile profile, + const std::string& origin) { switch (profile) { case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: return kEnterpriseMachineKey; case PROFILE_ENTERPRISE_USER_CERTIFICATE: return kEnterpriseUserKey; + case PROFILE_CONTENT_PROTECTION_CERTIFICATE: + return std::string(kContentProtectionKeyPrefix) + origin; } NOTREACHED(); return ""; } -int GetCertificateOptionsForProfile( - AttestationCertificateProfile profile) { - switch (profile) { - case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: - return CERTIFICATE_INCLUDE_STABLE_ID | CERTIFICATE_INCLUDE_DEVICE_STATE; - case PROFILE_ENTERPRISE_USER_CERTIFICATE: - return CERTIFICATE_INCLUDE_DEVICE_STATE; - } - NOTREACHED(); - return CERTIFICATE_OPTION_NONE; -} - } // namespace AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, 
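Review bot: In `GetKeyNameForProfile` the content-protection case returns `std::string(kContentProtectionKeyPrefix) + origin` without checking `origin`, so an empty string yields the bare key name "attest-cp-" and every caller that passes "" ends up sharing one key, which defeats the per-origin separation the header comment asks for. The same unchecked value arrives through `GetCertificate` and `StartCertificateRequest` in the following hunks. A guard in that case, `DCHECK(!origin.empty());`, or failing the request through the callback when the profile is content protection and `request_origin` is empty, would make the requirement enforceable. Whether callers canonicalise the origin before passing it is not visible here, so two spellings of one origin may also map to different keys.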
@@ -105,6 +96,8 @@ AttestationFlow::~AttestationFlow() { void AttestationFlow::GetCertificate( AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool force_new_key, const CertificateCallback& callback) { // If this device has not enrolled with the Privacy CA, we need to do that @@ -113,6 +106,8 @@ void AttestationFlow::GetCertificate( &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), certificate_profile, + user_email, + request_origin, force_new_key, callback); base::Closure on_enroll_failure = base::Bind(callback, false, ""); @@ -196,14 +191,19 @@ void AttestationFlow::OnEnrollComplete(const base::Closure& on_failure, void AttestationFlow::StartCertificateRequest( AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool generate_new_key, const CertificateCallback& callback) { AttestationKeyType key_type = GetKeyTypeForProfile(certificate_profile); - std::string key_name = GetKeyNameForProfile(certificate_profile); + std::string key_name = GetKeyNameForProfile(certificate_profile, + request_origin); if (generate_new_key) { // Get the attestation service to create a Privacy CA certificate request. async_caller_->AsyncTpmAttestationCreateCertRequest( - GetCertificateOptionsForProfile(certificate_profile), + certificate_profile, + user_email, + request_origin, base::Bind(&AttestationFlow::SendCertificateRequestToPCA, weak_factory_.GetWeakPtr(), key_type, @@ -223,6 +223,8 @@ void AttestationFlow::StartCertificateRequest( &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), certificate_profile, + user_email, + request_origin, true, callback); cryptohome_client_->TpmAttestationDoesKeyExist( diff --git a/chromeos/attestation/attestation_flow.h b/chromeos/attestation/attestation_flow.h index 2c59f3b..bdbea1e 100644 --- a/chromeos/attestation/attestation_flow.h 
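Review bot: `StartCertificateRequest` forwards `user_email` and `request_origin` to `AsyncTpmAttestationCreateCertRequest` for every profile, while the header documents `user_email` as ignored outside the content protection profile; nothing in this file enforces that, so it presumably depends on the callee. A call-site comment would record the assumption: `// user_email and request_origin are only used for PROFILE_CONTENT_PROTECTION_CERTIFICATE; the attestation service is expected to ignore them otherwise.` Alternatively, pass empty strings for the enterprise profiles so the user's address is not sent where it is not needed. The function body continues outside the hunk.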
+++ b/chromeos/attestation/attestation_flow.h @@ -68,6 +68,12 @@ class CHROMEOS_EXPORT AttestationFlow { // Parameters // certificate_profile - Specifies what kind of certificate should be // requested from the CA. + // user_email - The canonical email address of the currently active user. + // This is ignored when not using the content protection + // profile. + // request_origin - For content protection profiles, certificate requests + // are origin-specific. This string must uniquely identify + // the origin of the request. // force_new_key - If set to true, a new key will be generated even if a key // already exists for the profile. The new key will replace // the existing key on success. @@ -75,6 +81,8 @@ class CHROMEOS_EXPORT AttestationFlow { // On success |result| will be true and |data| will contain the // PCA-issued certificate chain in PEM format. virtual void GetCertificate(AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool force_new_key, const CertificateCallback& callback); @@ -134,10 +142,14 @@ class CHROMEOS_EXPORT AttestationFlow { // Parameters // certificate_profile - Specifies what kind of certificate should be // requested from the CA. + // user_email - The active user's canonical email. + // request_origin - An identifier for the origin of this request. // generate_new_key - If set to true a new key is generated. // callback - Called when the operation completes. void StartCertificateRequest( const AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool generate_new_key, const CertificateCallback& callback); diff --git a/chromeos/attestation/attestation_flow_unittest.cc b/chromeos/attestation/attestation_flow_unittest.cc index ea819b0..9622230 100644 --- a/chromeos/attestation/attestation_flow_unittest.cc +++ b/chromeos/attestation/attestation_flow_unittest.cc 
@@ -99,7 +99,8 @@ TEST_F(AttestationFlowTest, GetCertificate) { EXPECT_CALL( async_caller, - AsyncTpmAttestationCreateCertRequest(CERTIFICATE_INCLUDE_DEVICE_STATE, _)) + AsyncTpmAttestationCreateCertRequest(PROFILE_ENTERPRISE_USER_CERTIFICATE, + "fake_email", "fake_origin", _)) .Times(1) .InSequence(flow_order); @@ -131,7 +132,8 @@ TEST_F(AttestationFlowTest, GetCertificate) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "fake_email", + "fake_origin", true, mock_callback); Run(); } @@ -157,7 +159,8 @@ TEST_F(AttestationFlowTest, GetCertificate_NoEK) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } @@ -186,7 +189,8 @@ TEST_F(AttestationFlowTest, GetCertificate_EKRejected) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } 
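Review bot: None of the updated tests in this file request `PROFILE_CONTENT_PROTECTION_CERTIFICATE`, so the new key-name branch (`kContentProtectionKeyPrefix` + origin) is not exercised; the only non-empty values, "fake_email" and "fake_origin" in `GetCertificate`, are used with the enterprise user profile. I would add a test that calls `GetCertificate` with the content protection profile, a non-empty origin and `force_new_key` false, and checks that the key name handed to the cryptohome client mock is "attest-cp-" followed by that origin. The remaining hunks in this file only thread "" through existing calls, so the same gap applies to them.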
@@ -219,16 +223,17 @@ TEST_F(AttestationFlowTest, GetCertificate_FailEnroll) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE); - int options = CERTIFICATE_INCLUDE_DEVICE_STATE | - CERTIFICATE_INCLUDE_STABLE_ID; - EXPECT_CALL(async_caller, AsyncTpmAttestationCreateCertRequest(options, _)) + EXPECT_CALL(async_caller, + AsyncTpmAttestationCreateCertRequest( + PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, "", "", _)) .Times(1); std::string fake_cert_response = cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest; @@ -260,17 +265,17 @@ TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, - true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, "", "", true, + mock_callback); Run(); } TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(false, cryptohome::MOUNT_ERROR_NONE); - int options = CERTIFICATE_INCLUDE_DEVICE_STATE; EXPECT_CALL(async_caller, - AsyncTpmAttestationCreateCertRequest(options, _)) + AsyncTpmAttestationCreateCertRequest( + PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _)) .Times(1); chromeos::MockCryptohomeClient client; 
@@ -288,16 +293,17 @@ TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE); - int options = CERTIFICATE_INCLUDE_DEVICE_STATE; EXPECT_CALL(async_caller, - AsyncTpmAttestationCreateCertRequest(options, _)) + AsyncTpmAttestationCreateCertRequest( + PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _)) .Times(1); chromeos::MockCryptohomeClient client; @@ -318,7 +324,8 @@ TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } 
@@ -341,15 +348,17 @@ TEST_F(AttestationFlowTest, GetCertificate_FailIsEnrolled) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE); - int options = CERTIFICATE_INCLUDE_DEVICE_STATE; - EXPECT_CALL(async_caller, AsyncTpmAttestationCreateCertRequest(options, _)) + EXPECT_CALL(async_caller, + AsyncTpmAttestationCreateCertRequest( + PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _)) .Times(1); std::string fake_cert_response = cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest; @@ -384,8 +393,8 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, - false, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", false, + mock_callback); Run(); } @@ -414,8 +423,8 @@ TEST_F(AttestationFlowTest, GetCertificate_AlreadyExists) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, - false, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", false, + mock_callback); Run(); } diff --git a/chromeos/attestation/mock_attestation_flow.h b/chromeos/attestation/mock_attestation_flow.h index bda8a72..1950246 100644 --- a/chromeos/attestation/mock_attestation_flow.h +++ b/chromeos/attestation/mock_attestation_flow.h 
@@ -65,7 +65,9 @@ class MockAttestationFlow : public AttestationFlow { MockAttestationFlow(); virtual ~MockAttestationFlow(); - MOCK_METHOD3(GetCertificate, void(AttestationCertificateProfile, + MOCK_METHOD5(GetCertificate, void(AttestationCertificateProfile, + const std::string&, + const std::string&, bool, const CertificateCallback&)); }; |