summaryrefslogtreecommitdiffstats
path: root/chromeos/attestation
diff options
context:
space:
mode:
authordkrahn@chromium.org <dkrahn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-10-21 19:57:24 +0000
committerdkrahn@chromium.org <dkrahn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-10-21 19:57:24 +0000
commit1260076a7a6991acfead415cc53e86c5e45c04be (patch)
treeb400f75810929de8bf32db228699d17f34e9e0cd /chromeos/attestation
parent903a1f44903ea145b9698f26cac6fe0999fa7a6a (diff)
downloadchromium_src-1260076a7a6991acfead415cc53e86c5e45c04be.zip
chromium_src-1260076a7a6991acfead415cc53e86c5e45c04be.tar.gz
chromium_src-1260076a7a6991acfead415cc53e86c5e45c04be.tar.bz2
Added multi-profile support for attestation on chromeos.
All certified keys and certificates will be associated with the correct profile when multiple profiles are used. BUG=chromium:205206 TEST=unit, manual Review URL: https://codereview.chromium.org/27044004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@229891 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chromeos/attestation')
-rw-r--r--chromeos/attestation/OWNERS1
-rw-r--r--chromeos/attestation/attestation_flow.cc19
-rw-r--r--chromeos/attestation/attestation_flow.h18
-rw-r--r--chromeos/attestation/attestation_flow_unittest.cc19
4 files changed, 38 insertions, 19 deletions
diff --git a/chromeos/attestation/OWNERS b/chromeos/attestation/OWNERS
index cd1c574..a48744d 100644
--- a/chromeos/attestation/OWNERS
+++ b/chromeos/attestation/OWNERS
@@ -1,2 +1,3 @@
mnissler@chromium.org
pastarmovj@chromium.org
+bartfab@chromium.org
diff --git a/chromeos/attestation/attestation_flow.cc b/chromeos/attestation/attestation_flow.cc
index 9b22b65..5021ddf 100644
--- a/chromeos/attestation/attestation_flow.cc
+++ b/chromeos/attestation/attestation_flow.cc
@@ -96,7 +96,7 @@ AttestationFlow::~AttestationFlow() {
void AttestationFlow::GetCertificate(
AttestationCertificateProfile certificate_profile,
- const std::string& user_email,
+ const std::string& user_id,
const std::string& request_origin,
bool force_new_key,
const CertificateCallback& callback) {
@@ -106,7 +106,7 @@ void AttestationFlow::GetCertificate(
&AttestationFlow::StartCertificateRequest,
weak_factory_.GetWeakPtr(),
certificate_profile,
- user_email,
+ user_id,
request_origin,
force_new_key,
callback);
@@ -191,7 +191,7 @@ void AttestationFlow::OnEnrollComplete(const base::Closure& on_failure,
void AttestationFlow::StartCertificateRequest(
AttestationCertificateProfile certificate_profile,
- const std::string& user_email,
+ const std::string& user_id,
const std::string& request_origin,
bool generate_new_key,
const CertificateCallback& callback) {
@@ -202,11 +202,12 @@ void AttestationFlow::StartCertificateRequest(
// Get the attestation service to create a Privacy CA certificate request.
async_caller_->AsyncTpmAttestationCreateCertRequest(
certificate_profile,
- user_email,
+ user_id,
request_origin,
base::Bind(&AttestationFlow::SendCertificateRequestToPCA,
weak_factory_.GetWeakPtr(),
key_type,
+ user_id,
key_name,
callback));
} else {
@@ -215,6 +216,7 @@ void AttestationFlow::StartCertificateRequest(
&AttestationFlow::GetExistingCertificate,
weak_factory_.GetWeakPtr(),
key_type,
+ user_id,
key_name,
callback);
// If the key does not exist, call this method back with |generate_new_key|
@@ -223,12 +225,13 @@ void AttestationFlow::StartCertificateRequest(
&AttestationFlow::StartCertificateRequest,
weak_factory_.GetWeakPtr(),
certificate_profile,
- user_email,
+ user_id,
request_origin,
true,
callback);
cryptohome_client_->TpmAttestationDoesKeyExist(
key_type,
+ user_id,
key_name,
base::Bind(&DBusBoolRedirectCallback,
on_key_exists,
@@ -239,6 +242,7 @@ void AttestationFlow::StartCertificateRequest(
void AttestationFlow::SendCertificateRequestToPCA(
AttestationKeyType key_type,
+ const std::string& user_id,
const std::string& key_name,
const CertificateCallback& callback,
bool success,
@@ -256,12 +260,14 @@ void AttestationFlow::SendCertificateRequestToPCA(
base::Bind(&AttestationFlow::SendCertificateResponseToDaemon,
weak_factory_.GetWeakPtr(),
key_type,
+ user_id,
key_name,
callback));
}
void AttestationFlow::SendCertificateResponseToDaemon(
AttestationKeyType key_type,
+ const std::string& user_id,
const std::string& key_name,
const CertificateCallback& callback,
bool success,
@@ -276,16 +282,19 @@ void AttestationFlow::SendCertificateResponseToDaemon(
// Forward the response to the attestation service to complete the operation.
async_caller_->AsyncTpmAttestationFinishCertRequest(data,
key_type,
+ user_id,
key_name,
base::Bind(callback));
}
void AttestationFlow::GetExistingCertificate(
AttestationKeyType key_type,
+ const std::string& user_id,
const std::string& key_name,
const CertificateCallback& callback) {
cryptohome_client_->TpmAttestationGetCertificate(
key_type,
+ user_id,
key_name,
base::Bind(&DBusDataMethodCallback, callback));
}
diff --git a/chromeos/attestation/attestation_flow.h b/chromeos/attestation/attestation_flow.h
index bdbea1e..3c846db 100644
--- a/chromeos/attestation/attestation_flow.h
+++ b/chromeos/attestation/attestation_flow.h
@@ -68,9 +68,9 @@ class CHROMEOS_EXPORT AttestationFlow {
// Parameters
// certificate_profile - Specifies what kind of certificate should be
// requested from the CA.
- // user_email - The canonical email address of the currently active user.
- // This is ignored when not using the content protection
- // profile.
+ // user_id - Identifies the currently active user. For normal GAIA users
+ // this is a canonical email address. This is ignored when using
+ // the enterprise machine cert profile.
// request_origin - For content protection profiles, certificate requests
// are origin-specific. This string must uniquely identify
// the origin of the request.
@@ -81,7 +81,7 @@ class CHROMEOS_EXPORT AttestationFlow {
// On success |result| will be true and |data| will contain the
// PCA-issued certificate chain in PEM format.
virtual void GetCertificate(AttestationCertificateProfile certificate_profile,
- const std::string& user_email,
+ const std::string& user_id,
const std::string& request_origin,
bool force_new_key,
const CertificateCallback& callback);
@@ -142,13 +142,13 @@ class CHROMEOS_EXPORT AttestationFlow {
// Parameters
// certificate_profile - Specifies what kind of certificate should be
// requested from the CA.
- // user_email - The active user's canonical email.
+ // user_id - Identifies the active user.
// request_origin - An identifier for the origin of this request.
// generate_new_key - If set to true a new key is generated.
// callback - Called when the operation completes.
void StartCertificateRequest(
const AttestationCertificateProfile certificate_profile,
- const std::string& user_email,
+ const std::string& user_id,
const std::string& request_origin,
bool generate_new_key,
const CertificateCallback& callback);
@@ -159,11 +159,13 @@ class CHROMEOS_EXPORT AttestationFlow {
//
// Parameters
// key_type - The type of the key for which a certificate is requested.
+ // user_id - Identifies the active user.
// key_name - The name of the key for which a certificate is requested.
// callback - Called when the operation completes.
// success - The status of request creation.
// data - The request data for the Privacy CA.
void SendCertificateRequestToPCA(AttestationKeyType key_type,
+ const std::string& user_id,
const std::string& key_name,
const CertificateCallback& callback,
bool success,
@@ -175,11 +177,13 @@ class CHROMEOS_EXPORT AttestationFlow {
//
// Parameters
// key_type - The type of the key for which a certificate is requested.
+ // user_id - Identifies the active user.
// key_name - The name of the key for which a certificate is requested.
// callback - Called when the operation completes.
// success - The status of the Privacy CA operation.
// data - The response data from the Privacy CA.
void SendCertificateResponseToDaemon(AttestationKeyType key_type,
+ const std::string& user_id,
const std::string& key_name,
const CertificateCallback& callback,
bool success,
@@ -189,9 +193,11 @@ class CHROMEOS_EXPORT AttestationFlow {
//
// Parameters
// key_type - The type of the key for which a certificate is requested.
+ // user_id - Identifies the active user.
// key_name - The name of the key for which a certificate is requested.
// callback - Called when the operation completes.
void GetExistingCertificate(AttestationKeyType key_type,
+ const std::string& user_id,
const std::string& key_name,
const CertificateCallback& callback);
diff --git a/chromeos/attestation/attestation_flow_unittest.cc b/chromeos/attestation/attestation_flow_unittest.cc
index 9622230..3597517 100644
--- a/chromeos/attestation/attestation_flow_unittest.cc
+++ b/chromeos/attestation/attestation_flow_unittest.cc
@@ -100,7 +100,7 @@ TEST_F(AttestationFlowTest, GetCertificate) {
EXPECT_CALL(
async_caller,
AsyncTpmAttestationCreateCertRequest(PROFILE_ENTERPRISE_USER_CERTIFICATE,
- "fake_email", "fake_origin", _))
+ "fake@test.com", "fake_origin", _))
.Times(1)
.InSequence(flow_order);
@@ -115,6 +115,7 @@ TEST_F(AttestationFlowTest, GetCertificate) {
EXPECT_CALL(async_caller,
AsyncTpmAttestationFinishCertRequest(fake_cert_response,
KEY_USER,
+ "fake@test.com",
kEnterpriseUserKey,
_))
.Times(1)
@@ -132,7 +133,7 @@ TEST_F(AttestationFlowTest, GetCertificate) {
scoped_ptr<ServerProxy> proxy_interface(proxy.release());
AttestationFlow flow(&async_caller, &client, proxy_interface.Pass());
- flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "fake_email",
+ flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "fake@test.com",
"fake_origin", true, mock_callback);
Run();
}
@@ -241,6 +242,7 @@ TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) {
EXPECT_CALL(async_caller,
AsyncTpmAttestationFinishCertRequest(fake_cert_response,
KEY_DEVICE,
+ "",
kEnterpriseMachineKey,
_))
.Times(1);
@@ -366,6 +368,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) {
EXPECT_CALL(async_caller,
AsyncTpmAttestationFinishCertRequest(fake_cert_response,
KEY_USER,
+ "",
kEnterpriseUserKey,
_))
.Times(1);
@@ -374,8 +377,8 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) {
EXPECT_CALL(client, TpmAttestationIsEnrolled(_))
.WillRepeatedly(Invoke(DBusCallbackTrue));
EXPECT_CALL(client,
- TpmAttestationDoesKeyExist(KEY_USER, kEnterpriseUserKey, _))
- .WillRepeatedly(WithArgs<2>(Invoke(DBusCallbackFalse)));
+ TpmAttestationDoesKeyExist(KEY_USER, "", kEnterpriseUserKey, _))
+ .WillRepeatedly(WithArgs<3>(Invoke(DBusCallbackFalse)));
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
proxy->DeferToFake(true);
@@ -406,11 +409,11 @@ TEST_F(AttestationFlowTest, GetCertificate_AlreadyExists) {
EXPECT_CALL(client, TpmAttestationIsEnrolled(_))
.WillRepeatedly(Invoke(DBusCallbackTrue));
EXPECT_CALL(client,
- TpmAttestationDoesKeyExist(KEY_USER, kEnterpriseUserKey, _))
- .WillRepeatedly(WithArgs<2>(Invoke(DBusCallbackTrue)));
+ TpmAttestationDoesKeyExist(KEY_USER, "", kEnterpriseUserKey, _))
+ .WillRepeatedly(WithArgs<3>(Invoke(DBusCallbackTrue)));
EXPECT_CALL(client,
- TpmAttestationGetCertificate(KEY_USER, kEnterpriseUserKey, _))
- .WillRepeatedly(WithArgs<2>(Invoke(FakeDBusData("fake_cert"))));
+ TpmAttestationGetCertificate(KEY_USER, "", kEnterpriseUserKey, _))
+ .WillRepeatedly(WithArgs<3>(Invoke(FakeDBusData("fake_cert"))));
// We're not expecting any server calls in this case; StrictMock will verify.
scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
generated by cgit v1.1 at 2024-05-16 02:32:03 +0000