diff options
23 files changed, 152 insertions, 94 deletions
@@ -156,7 +156,8 @@ }, 'chromeos_attestation': { 'filepath': 'chromeos/attestation/|'\ - 'chrome/browser/chromeos/attestation/', + 'chrome/browser/chromeos/attestation/|'\ + 'chrome/browser/extensions/api/enterprise_platform_keys_private/', }, 'chromeos_calculator': { 'filepath': 'chrome/common/extensions/docs/examples/apps/calculator/', diff --git a/chrome/browser/chromeos/attestation/attestation_policy_observer.cc b/chrome/browser/chromeos/attestation/attestation_policy_observer.cc index 04df748..d28dc3f 100644 --- a/chrome/browser/chromeos/attestation/attestation_policy_observer.cc +++ b/chrome/browser/chromeos/attestation/attestation_policy_observer.cc @@ -189,6 +189,8 @@ void AttestationPolicyObserver::GetNewCertificate() { // We can reuse the dbus callback handler logic. attestation_flow_->GetCertificate( PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, + std::string(), // Not used. + std::string(), // Not used. true, // Force a new key to be generated. base::Bind(DBusStringCallback, base::Bind(&AttestationPolicyObserver::UploadCertificate, diff --git a/chrome/browser/chromeos/attestation/attestation_policy_observer_unittest.cc b/chrome/browser/chromeos/attestation/attestation_policy_observer_unittest.cc index 44b9173..ec12232 100644 --- a/chrome/browser/chromeos/attestation/attestation_policy_observer_unittest.cc +++ b/chrome/browser/chromeos/attestation/attestation_policy_observer_unittest.cc @@ -183,8 +183,8 @@ class AttestationPolicyObserverTest : public ::testing::Test { // another costly operation and if it gets triggered more than once during // a single pass this indicates a logical problem in the observer. if (new_key) { - EXPECT_CALL(attestation_flow_, GetCertificate(_, _, _)) - .WillOnce(WithArgs<2>(Invoke(CertCallbackSuccess))); + EXPECT_CALL(attestation_flow_, GetCertificate(_, _, _, _, _)) + .WillOnce(WithArgs<4>(Invoke(CertCallbackSuccess))); } } diff --git a/chrome/browser/extensions/api/enterprise_platform_keys_private/OWNERS b/chrome/browser/extensions/api/enterprise_platform_keys_private/OWNERS new file mode 100644 index 0000000..14072cb --- /dev/null +++ b/chrome/browser/extensions/api/enterprise_platform_keys_private/OWNERS @@ -0,0 +1,2 @@ +mnissler@chromium.org + diff --git a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc index 785016f..3a769b00 100644 --- a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc +++ b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc @@ -205,6 +205,8 @@ void EPKPChallengeKeyBase::AskForUserConsentCallback( // Generate a new key and have it signed by PCA. attestation_flow_->GetCertificate( certificate_profile, + std::string(), // Not used. + std::string(), // Not used. true, // Force a new key to be generated. base::Bind(&EPKPChallengeKeyBase::GetCertificateCallback, this, callback)); diff --git a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api_unittest.cc b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api_unittest.cc index 51a0b38..aab40d6 100644 --- a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api_unittest.cc +++ b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api_unittest.cc @@ -95,6 +95,8 @@ void SignChallengeCallbackFalse( void GetCertificateCallbackTrue( chromeos::attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool force_new_key, const chromeos::attestation::AttestationFlow::CertificateCallback& callback) { @@ -103,6 +105,8 @@ void GetCertificateCallbackTrue( void GetCertificateCallbackFalse( chromeos::attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool force_new_key, const chromeos::attestation::AttestationFlow::CertificateCallback& callback) { @@ -121,7 +125,7 @@ class EPKPChallengeKeyTestBase : public BrowserWithTestWindowTest { ON_CALL(mock_async_method_caller_, TpmAttestationSignEnterpriseChallenge(_, _, _, _, _, _, _)) .WillByDefault(Invoke(SignChallengeCallbackTrue)); - ON_CALL(mock_attestation_flow_, GetCertificate(_, _, _)) + ON_CALL(mock_attestation_flow_, GetCertificate(_, _, _, _, _)) .WillByDefault(Invoke(GetCertificateCallbackTrue)); // Set the Enterprise install attributes. @@ -236,7 +240,7 @@ TEST_F(EPKPChallengeMachineKeyTest, DoesKeyExistDbusFailed) { } TEST_F(EPKPChallengeMachineKeyTest, GetCertificateFailed) { - EXPECT_CALL(mock_attestation_flow_, GetCertificate(_, _, _)) + EXPECT_CALL(mock_attestation_flow_, GetCertificate(_, _, _, _, _)) .WillRepeatedly(Invoke(GetCertificateCallbackFalse)); EXPECT_EQ(base::StringPrintf( @@ -257,7 +261,7 @@ TEST_F(EPKPChallengeMachineKeyTest, KeyExists) { EXPECT_CALL(mock_cryptohome_client_, TpmAttestationDoesKeyExist(_, _, _)) .WillRepeatedly(Invoke(DoesKeyExistCallbackTrue)); // GetCertificate must not be called if the key exists. - EXPECT_CALL(mock_attestation_flow_, GetCertificate(_, _, _)) + EXPECT_CALL(mock_attestation_flow_, GetCertificate(_, _, _, _, _)) .Times(0); EXPECT_TRUE(utils::RunFunction(func_.get(), kArgs, browser(), utils::NONE)); @@ -268,7 +272,7 @@ TEST_F(EPKPChallengeMachineKeyTest, Success) { EXPECT_CALL(mock_attestation_flow_, GetCertificate( chromeos::attestation::PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, - _, _)) + _, _, _, _)) .Times(1); // SignEnterpriseChallenge must be called exactly once. EXPECT_CALL(mock_async_method_caller_, @@ -356,7 +360,7 @@ TEST_F(EPKPChallengeUserKeyTest, DoesKeyExistDbusFailed) { } TEST_F(EPKPChallengeUserKeyTest, GetCertificateFailed) { - EXPECT_CALL(mock_attestation_flow_, GetCertificate(_, _, _)) + EXPECT_CALL(mock_attestation_flow_, GetCertificate(_, _, _, _, _)) .WillRepeatedly(Invoke(GetCertificateCallbackFalse)); EXPECT_EQ(base::StringPrintf( @@ -385,7 +389,7 @@ TEST_F(EPKPChallengeUserKeyTest, KeyExists) { EXPECT_CALL(mock_cryptohome_client_, TpmAttestationDoesKeyExist(_, _, _)) .WillRepeatedly(Invoke(DoesKeyExistCallbackTrue)); // GetCertificate must not be called if the key exists. - EXPECT_CALL(mock_attestation_flow_, GetCertificate(_, _, _)) + EXPECT_CALL(mock_attestation_flow_, GetCertificate(_, _, _, _, _)) .Times(0); EXPECT_TRUE(utils::RunFunction(func_.get(), kArgs, browser(), utils::NONE)); @@ -412,7 +416,7 @@ TEST_F(EPKPChallengeUserKeyTest, Success) { EXPECT_CALL(mock_attestation_flow_, GetCertificate( chromeos::attestation::PROFILE_ENTERPRISE_USER_CERTIFICATE, - _, _)) + _, _, _, _)) .Times(1); // SignEnterpriseChallenge must be called exactly once. EXPECT_CALL(mock_async_method_caller_, diff --git a/chromeos/attestation/attestation_constants.cc b/chromeos/attestation/attestation_constants.cc index 9f3833b..51d4e44 100644 --- a/chromeos/attestation/attestation_constants.cc +++ b/chromeos/attestation/attestation_constants.cc @@ -9,6 +9,7 @@ namespace attestation { const char kEnterpriseMachineKey[] = "attest-ent-machine"; const char kEnterpriseUserKey[] = "attest-ent-user"; +const char kContentProtectionKeyPrefix[] = "attest-cp-"; } // namespace attestation } // namespace chromeos diff --git a/chromeos/attestation/attestation_constants.h b/chromeos/attestation/attestation_constants.h index a704cfc..1429004 100644 --- a/chromeos/attestation/attestation_constants.h +++ b/chromeos/attestation/attestation_constants.h @@ -10,17 +10,6 @@ namespace chromeos { namespace attestation { -// Options available for customizing an attestation certificate. -enum AttestationCertificateOptions { - CERTIFICATE_OPTION_NONE = 0, - // A stable identifier is simply an identifier that is not affected by device - // state changes, including device recovery. - CERTIFICATE_INCLUDE_STABLE_ID = 1, - // Device state information contains a quoted assertion of whether the device - // is in verified mode. - CERTIFICATE_INCLUDE_DEVICE_STATE = 1 << 1, -}; - // Key types supported by the Chrome OS attestation subsystem. enum AttestationKeyType { // The key will be associated with the device itself and will be available @@ -48,6 +37,8 @@ enum AttestationCertificateProfile { // Uses the following certificate options: // CERTIFICATE_INCLUDE_DEVICE_STATE PROFILE_ENTERPRISE_USER_CERTIFICATE, + // A profile for certificates intended for protected content providers. + PROFILE_CONTENT_PROTECTION_CERTIFICATE, }; // A key name for the Enterprise Machine Key. This key should always be stored @@ -58,6 +49,10 @@ CHROMEOS_EXPORT extern const char kEnterpriseMachineKey[]; // a USER_KEY. CHROMEOS_EXPORT extern const char kEnterpriseUserKey[]; +// The key name prefix for content protection keys. This prefix must be +// appended with an origin-specific identifier to form the final key name. +CHROMEOS_EXPORT extern const char kContentProtectionKeyPrefix[]; + } // namespace attestation } // namespace chromeos diff --git a/chromeos/attestation/attestation_flow.cc b/chromeos/attestation/attestation_flow.cc index 2fba761..9b22b65 100644 --- a/chromeos/attestation/attestation_flow.cc +++ b/chromeos/attestation/attestation_flow.cc @@ -59,36 +59,27 @@ AttestationKeyType GetKeyTypeForProfile( case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: return KEY_DEVICE; case PROFILE_ENTERPRISE_USER_CERTIFICATE: + case PROFILE_CONTENT_PROTECTION_CERTIFICATE: return KEY_USER; } NOTREACHED(); return KEY_USER; } -std::string GetKeyNameForProfile( - AttestationCertificateProfile profile) { +std::string GetKeyNameForProfile(AttestationCertificateProfile profile, + const std::string& origin) { switch (profile) { case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: return kEnterpriseMachineKey; case PROFILE_ENTERPRISE_USER_CERTIFICATE: return kEnterpriseUserKey; + case PROFILE_CONTENT_PROTECTION_CERTIFICATE: + return std::string(kContentProtectionKeyPrefix) + origin; } NOTREACHED(); return ""; } -int GetCertificateOptionsForProfile( - AttestationCertificateProfile profile) { - switch (profile) { - case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: - return CERTIFICATE_INCLUDE_STABLE_ID | CERTIFICATE_INCLUDE_DEVICE_STATE; - case PROFILE_ENTERPRISE_USER_CERTIFICATE: - return CERTIFICATE_INCLUDE_DEVICE_STATE; - } - NOTREACHED(); - return CERTIFICATE_OPTION_NONE; -} - } // namespace AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, @@ -105,6 +96,8 @@ AttestationFlow::~AttestationFlow() { void AttestationFlow::GetCertificate( AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool force_new_key, const CertificateCallback& callback) { // If this device has not enrolled with the Privacy CA, we need to do that @@ -113,6 +106,8 @@ void AttestationFlow::GetCertificate( &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), certificate_profile, + user_email, + request_origin, force_new_key, callback); base::Closure on_enroll_failure = base::Bind(callback, false, ""); @@ -196,14 +191,19 @@ void AttestationFlow::OnEnrollComplete(const base::Closure& on_failure, void AttestationFlow::StartCertificateRequest( AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool generate_new_key, const CertificateCallback& callback) { AttestationKeyType key_type = GetKeyTypeForProfile(certificate_profile); - std::string key_name = GetKeyNameForProfile(certificate_profile); + std::string key_name = GetKeyNameForProfile(certificate_profile, + request_origin); if (generate_new_key) { // Get the attestation service to create a Privacy CA certificate request. async_caller_->AsyncTpmAttestationCreateCertRequest( - GetCertificateOptionsForProfile(certificate_profile), + certificate_profile, + user_email, + request_origin, base::Bind(&AttestationFlow::SendCertificateRequestToPCA, weak_factory_.GetWeakPtr(), key_type, @@ -223,6 +223,8 @@ void AttestationFlow::StartCertificateRequest( &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), certificate_profile, + user_email, + request_origin, true, callback); cryptohome_client_->TpmAttestationDoesKeyExist( diff --git a/chromeos/attestation/attestation_flow.h b/chromeos/attestation/attestation_flow.h index 2c59f3b..bdbea1e 100644 --- a/chromeos/attestation/attestation_flow.h +++ b/chromeos/attestation/attestation_flow.h @@ -68,6 +68,12 @@ class CHROMEOS_EXPORT AttestationFlow { // Parameters // certificate_profile - Specifies what kind of certificate should be // requested from the CA. + // user_email - The canonical email address of the currently active user. + // This is ignored when not using the content protection + // profile. + // request_origin - For content protection profiles, certificate requests + // are origin-specific. This string must uniquely identify + // the origin of the request. // force_new_key - If set to true, a new key will be generated even if a key // already exists for the profile. The new key will replace // the existing key on success. @@ -75,6 +81,8 @@ class CHROMEOS_EXPORT AttestationFlow { // On success |result| will be true and |data| will contain the // PCA-issued certificate chain in PEM format. virtual void GetCertificate(AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool force_new_key, const CertificateCallback& callback); @@ -134,10 +142,14 @@ class CHROMEOS_EXPORT AttestationFlow { // Parameters // certificate_profile - Specifies what kind of certificate should be // requested from the CA. + // user_email - The active user's canonical email. + // request_origin - An identifier for the origin of this request. // generate_new_key - If set to true a new key is generated. // callback - Called when the operation completes. void StartCertificateRequest( const AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, bool generate_new_key, const CertificateCallback& callback); diff --git a/chromeos/attestation/attestation_flow_unittest.cc b/chromeos/attestation/attestation_flow_unittest.cc index ea819b0..9622230 100644 --- a/chromeos/attestation/attestation_flow_unittest.cc +++ b/chromeos/attestation/attestation_flow_unittest.cc @@ -99,7 +99,8 @@ TEST_F(AttestationFlowTest, GetCertificate) { EXPECT_CALL( async_caller, - AsyncTpmAttestationCreateCertRequest(CERTIFICATE_INCLUDE_DEVICE_STATE, _)) + AsyncTpmAttestationCreateCertRequest(PROFILE_ENTERPRISE_USER_CERTIFICATE, + "fake_email", "fake_origin", _)) .Times(1) .InSequence(flow_order); @@ -131,7 +132,8 @@ TEST_F(AttestationFlowTest, GetCertificate) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "fake_email", + "fake_origin", true, mock_callback); Run(); } @@ -157,7 +159,8 @@ TEST_F(AttestationFlowTest, GetCertificate_NoEK) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } @@ -186,7 +189,8 @@ TEST_F(AttestationFlowTest, GetCertificate_EKRejected) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } @@ -219,16 +223,17 @@ TEST_F(AttestationFlowTest, GetCertificate_FailEnroll) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE); - int options = CERTIFICATE_INCLUDE_DEVICE_STATE | - CERTIFICATE_INCLUDE_STABLE_ID; - EXPECT_CALL(async_caller, AsyncTpmAttestationCreateCertRequest(options, _)) + EXPECT_CALL(async_caller, + AsyncTpmAttestationCreateCertRequest( + PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, "", "", _)) .Times(1); std::string fake_cert_response = cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest; @@ -260,17 +265,17 @@ TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, - true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, "", "", true, + mock_callback); Run(); } TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(false, cryptohome::MOUNT_ERROR_NONE); - int options = CERTIFICATE_INCLUDE_DEVICE_STATE; EXPECT_CALL(async_caller, - AsyncTpmAttestationCreateCertRequest(options, _)) + AsyncTpmAttestationCreateCertRequest( + PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _)) .Times(1); chromeos::MockCryptohomeClient client; @@ -288,16 +293,17 @@ TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE); - int options = CERTIFICATE_INCLUDE_DEVICE_STATE; EXPECT_CALL(async_caller, - AsyncTpmAttestationCreateCertRequest(options, _)) + AsyncTpmAttestationCreateCertRequest( + PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _)) .Times(1); chromeos::MockCryptohomeClient client; @@ -318,7 +324,8 @@ TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } @@ -341,15 +348,17 @@ TEST_F(AttestationFlowTest, GetCertificate_FailIsEnrolled) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true, + mock_callback); Run(); } TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE); - int options = CERTIFICATE_INCLUDE_DEVICE_STATE; - EXPECT_CALL(async_caller, AsyncTpmAttestationCreateCertRequest(options, _)) + EXPECT_CALL(async_caller, + AsyncTpmAttestationCreateCertRequest( + PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _)) .Times(1); std::string fake_cert_response = cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest; @@ -384,8 +393,8 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, - false, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", false, + mock_callback); Run(); } @@ -414,8 +423,8 @@ TEST_F(AttestationFlowTest, GetCertificate_AlreadyExists) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, - false, mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", false, + mock_callback); Run(); } diff --git a/chromeos/attestation/mock_attestation_flow.h b/chromeos/attestation/mock_attestation_flow.h index bda8a72..1950246 100644 --- a/chromeos/attestation/mock_attestation_flow.h +++ b/chromeos/attestation/mock_attestation_flow.h @@ -65,7 +65,9 @@ class MockAttestationFlow : public AttestationFlow { MockAttestationFlow(); virtual ~MockAttestationFlow(); - MOCK_METHOD3(GetCertificate, void(AttestationCertificateProfile, + MOCK_METHOD5(GetCertificate, void(AttestationCertificateProfile, + const std::string&, + const std::string&, bool, const CertificateCallback&)); }; diff --git a/chromeos/cryptohome/async_method_caller.cc b/chromeos/cryptohome/async_method_caller.cc index 92392d9..c9af98a 100644 --- a/chromeos/cryptohome/async_method_caller.cc +++ b/chromeos/cryptohome/async_method_caller.cc @@ -133,11 +133,15 @@ class AsyncMethodCallerImpl : public AsyncMethodCaller { } virtual void AsyncTpmAttestationCreateCertRequest( - int options, + chromeos::attestation::AttestationCertificateProfile certificate_profile, + const std::string& username, + const std::string& request_origin, const DataCallback& callback) OVERRIDE { DBusThreadManager::Get()->GetCryptohomeClient()-> AsyncTpmAttestationCreateCertRequest( - options, + certificate_profile, + username, + request_origin, base::Bind(&AsyncMethodCallerImpl::RegisterAsyncDataCallback, weak_ptr_factory_.GetWeakPtr(), callback, diff --git a/chromeos/cryptohome/async_method_caller.h b/chromeos/cryptohome/async_method_caller.h index 7414284..e5ca604 100644 --- a/chromeos/cryptohome/async_method_caller.h +++ b/chromeos/cryptohome/async_method_caller.h @@ -9,6 +9,7 @@ #include "base/basictypes.h" #include "base/callback_forward.h" +#include "chromeos/attestation/attestation_constants.h" #include "chromeos/chromeos_export.h" #include "chromeos/dbus/cryptohome_client.h" #include "third_party/cros_system_api/dbus/service_constants.h" @@ -113,11 +114,15 @@ class CHROMEOS_EXPORT AsyncMethodCaller { const Callback& callback) = 0; // Asks cryptohomed to asynchronously create an attestation certificate - // request according to |options|, which is a combination of - // attestation::AttestationCertificateOptions. On success the data sent to - // |callback| is a request to be sent to the Privacy CA. + // request according to |certificate_profile|. Some profiles require that the + // |user_email| of the currently active user and an identifier of the + // |request_origin| be provided. On success the data sent to |callback| is a + // request to be sent to the Privacy CA. The |request_origin| may be sent to + // the Privacy CA but the |user_email| will never be sent. virtual void AsyncTpmAttestationCreateCertRequest( - int options, + chromeos::attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, const DataCallback& callback) = 0; // Asks cryptohomed to asynchronously finish an attestation certificate diff --git a/chromeos/cryptohome/mock_async_method_caller.cc b/chromeos/cryptohome/mock_async_method_caller.cc index 9bd8193..dcd59a0 100644 --- a/chromeos/cryptohome/mock_async_method_caller.cc +++ b/chromeos/cryptohome/mock_async_method_caller.cc @@ -51,9 +51,9 @@ void MockAsyncMethodCaller::SetUp(bool success, MountError return_code) { ON_CALL(*this, AsyncTpmAttestationEnroll(_, _)) .WillByDefault( WithArgs<1>(Invoke(this, &MockAsyncMethodCaller::DoCallback))); - ON_CALL(*this, AsyncTpmAttestationCreateCertRequest(_, _)) + ON_CALL(*this, AsyncTpmAttestationCreateCertRequest(_, _, _, _)) .WillByDefault( - WithArgs<1>(Invoke(this, + WithArgs<3>(Invoke(this, &MockAsyncMethodCaller::FakeCreateCertRequest))); ON_CALL(*this, AsyncTpmAttestationFinishCertRequest(_, _, _, _)) .WillByDefault( diff --git a/chromeos/cryptohome/mock_async_method_caller.h b/chromeos/cryptohome/mock_async_method_caller.h index 74567ca..8f3796b 100644 --- a/chromeos/cryptohome/mock_async_method_caller.h +++ b/chromeos/cryptohome/mock_async_method_caller.h @@ -52,9 +52,12 @@ class MockAsyncMethodCaller : public AsyncMethodCaller { void(const DataCallback& callback)); MOCK_METHOD2(AsyncTpmAttestationEnroll, void(const std::string& pca_response, const Callback& callback)); - MOCK_METHOD2(AsyncTpmAttestationCreateCertRequest, - void(int options, - const DataCallback& callback)); + MOCK_METHOD4( + AsyncTpmAttestationCreateCertRequest, + void(chromeos::attestation::AttestationCertificateProfile profile, + const std::string& user_email, + const std::string& request_origin, + const DataCallback& callback)); MOCK_METHOD4(AsyncTpmAttestationFinishCertRequest, void(const std::string& pca_response, chromeos::attestation::AttestationKeyType key_type, diff --git a/chromeos/dbus/cryptohome_client.cc b/chromeos/dbus/cryptohome_client.cc index 445ba0b..965ef92 100644 --- a/chromeos/dbus/cryptohome_client.cc +++ b/chromeos/dbus/cryptohome_client.cc @@ -466,18 +466,17 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void AsyncTpmAttestationCreateCertRequest( - int options, + attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, const AsyncMethodCallback& callback) OVERRIDE { dbus::MethodCall method_call( cryptohome::kCryptohomeInterface, - cryptohome::kCryptohomeAsyncTpmAttestationCreateCertRequest); + cryptohome::kCryptohomeAsyncTpmAttestationCreateCertRequestByProfile); dbus::MessageWriter writer(&method_call); - bool include_stable_id = - (options & attestation::CERTIFICATE_INCLUDE_STABLE_ID); - writer.AppendBool(include_stable_id); - bool include_device_state = - (options & attestation::CERTIFICATE_INCLUDE_DEVICE_STATE); - writer.AppendBool(include_device_state); + writer.AppendInt32(certificate_profile); + writer.AppendString(user_email); + writer.AppendString(request_origin); proxy_->CallMethod(&method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT, base::Bind(&CryptohomeClientImpl::OnAsyncMethodCall, weak_ptr_factory_.GetWeakPtr(), diff --git a/chromeos/dbus/cryptohome_client.h b/chromeos/dbus/cryptohome_client.h index 0bfc978..38d4880 100644 --- a/chromeos/dbus/cryptohome_client.h +++ b/chromeos/dbus/cryptohome_client.h @@ -250,14 +250,18 @@ class CHROMEOS_EXPORT CryptohomeClient { const AsyncMethodCallback& callback) = 0; // Asynchronously creates an attestation certificate request according to - // |options|, which is a combination of AttestationCertificateOptions. - // |callback| will be called when the dbus call completes. When the operation - // completes, the AsyncCallStatusWithDataHandler signal handler is called. - // The data that is sent with the signal is a certificate request to be sent - // to the Privacy CA. The certificate request is completed by calling - // AsyncTpmAttestationFinishCertRequest. + // |certificate_profile|. Some profiles require that the |user_email| of the + // currently active user and an identifier of the |request_origin| be + // provided. |callback| will be called when the dbus call completes. When + // the operation completes, the AsyncCallStatusWithDataHandler signal handler + // is called. The data that is sent with the signal is a certificate request + // to be sent to the Privacy CA. The certificate request is completed by + // calling AsyncTpmAttestationFinishCertRequest. The |user_email| will not + // be included in the certificate request for the Privacy CA. virtual void AsyncTpmAttestationCreateCertRequest( - int options, + attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, const AsyncMethodCallback& callback) = 0; // Asynchronously finishes a certificate request operation. The callback will diff --git a/chromeos/dbus/cryptohome_client_stub.cc b/chromeos/dbus/cryptohome_client_stub.cc index 96728a9..9942538 100644 --- a/chromeos/dbus/cryptohome_client_stub.cc +++ b/chromeos/dbus/cryptohome_client_stub.cc @@ -263,7 +263,9 @@ void CryptohomeClientStubImpl::AsyncTpmAttestationEnroll( } void CryptohomeClientStubImpl::AsyncTpmAttestationCreateCertRequest( - int options, + attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, const AsyncMethodCallback& callback) { ReturnAsyncMethodResult(callback, true); } diff --git a/chromeos/dbus/cryptohome_client_stub.h b/chromeos/dbus/cryptohome_client_stub.h index e38925a..8192600 100644 --- a/chromeos/dbus/cryptohome_client_stub.h +++ b/chromeos/dbus/cryptohome_client_stub.h @@ -90,7 +90,9 @@ class CryptohomeClientStubImpl : public CryptohomeClient { const std::string& pca_response, const AsyncMethodCallback& callback) OVERRIDE; virtual void AsyncTpmAttestationCreateCertRequest( - int options, + attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, const AsyncMethodCallback& callback) OVERRIDE; virtual void AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, diff --git a/chromeos/dbus/fake_cryptohome_client.cc b/chromeos/dbus/fake_cryptohome_client.cc index d13c0f7..c5df786 100644 --- a/chromeos/dbus/fake_cryptohome_client.cc +++ b/chromeos/dbus/fake_cryptohome_client.cc @@ -295,7 +295,9 @@ bool FakeCryptohomeClient::CallTpmClearStoredPasswordAndBlock() { } void FakeCryptohomeClient::AsyncTpmAttestationCreateCertRequest( - int options, + attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, const AsyncMethodCallback& callback) { } diff --git a/chromeos/dbus/fake_cryptohome_client.h b/chromeos/dbus/fake_cryptohome_client.h index a4e5bfb..e254648 100644 --- a/chromeos/dbus/fake_cryptohome_client.h +++ b/chromeos/dbus/fake_cryptohome_client.h @@ -91,7 +91,9 @@ class FakeCryptohomeClient : public CryptohomeClient { const std::string& pca_response, const AsyncMethodCallback& callback) OVERRIDE; virtual void AsyncTpmAttestationCreateCertRequest( - int options, + attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, const AsyncMethodCallback& callback) OVERRIDE; virtual void AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, diff --git a/chromeos/dbus/mock_cryptohome_client.h b/chromeos/dbus/mock_cryptohome_client.h index 05ae2a7..86986e6 100644 --- a/chromeos/dbus/mock_cryptohome_client.h +++ b/chromeos/dbus/mock_cryptohome_client.h @@ -92,9 +92,12 @@ class MockCryptohomeClient : public CryptohomeClient { MOCK_METHOD2(AsyncTpmAttestationEnroll, void(const std::string& pca_response, const AsyncMethodCallback& callback)); - MOCK_METHOD2(AsyncTpmAttestationCreateCertRequest, - void(int options, - const AsyncMethodCallback& callback)); + MOCK_METHOD4( + AsyncTpmAttestationCreateCertRequest, + void(attestation::AttestationCertificateProfile certificate_profile, + const std::string& user_email, + const std::string& request_origin, + const AsyncMethodCallback& callback)); MOCK_METHOD4(AsyncTpmAttestationFinishCertRequest, void(const std::string& pca_response, attestation::AttestationKeyType key_type, |