20 files changed, 486 insertions, 204 deletions
diff --git a/chrome/browser/chromeos/attestation/attestation_policy_observer.cc b/chrome/browser/chromeos/attestation/attestation_policy_observer.cc index 21664cd..a3ac890 100644 --- a/chrome/browser/chromeos/attestation/attestation_policy_observer.cc +++ b/chrome/browser/chromeos/attestation/attestation_policy_observer.cc @@ -143,7 +143,7 @@ void AttestationPolicyObserver::Start() { base::Bind(&AttestationPolicyObserver::GetNewCertificate, weak_factory_.GetWeakPtr()); cryptohome_client_->TpmAttestationDoesKeyExist( - CryptohomeClient::DEVICE_KEY, + KEY_DEVICE, kEnterpriseMachineKey, base::Bind(DBusBoolRedirectCallback, on_does_exist, on_does_not_exist)); } @@ -151,7 +151,8 @@ void AttestationPolicyObserver::Start() { void AttestationPolicyObserver::GetNewCertificate() { // We can reuse the dbus callback handler logic. attestation_flow_->GetCertificate( - kEnterpriseMachineKey, + PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, + true, // Force a new key to be generated. base::Bind(DBusStringCallback, base::Bind(&AttestationPolicyObserver::UploadCertificate, weak_factory_.GetWeakPtr()), @@ -160,7 +161,7 @@ void AttestationPolicyObserver::GetNewCertificate() { void AttestationPolicyObserver::GetExistingCertificate() { cryptohome_client_->TpmAttestationGetCertificate( - CryptohomeClient::DEVICE_KEY, + KEY_DEVICE, kEnterpriseMachineKey, base::Bind(DBusStringCallback, base::Bind(&AttestationPolicyObserver::CheckCertificateExpiry, diff --git a/chrome/browser/chromeos/attestation/attestation_policy_observer_unittest.cc b/chrome/browser/chromeos/attestation/attestation_policy_observer_unittest.cc index 37212c8..e5f4f64 100644 --- a/chrome/browser/chromeos/attestation/attestation_policy_observer_unittest.cc +++ b/chrome/browser/chromeos/attestation/attestation_policy_observer_unittest.cc 
@@ -103,8 +103,8 @@ TEST_F(AttestationPolicyObserverTest, UnregisteredPolicyClient) { TEST_F(AttestationPolicyObserverTest, NewCertificate) { EXPECT_CALL(cryptohome_client_, TpmAttestationDoesKeyExist(_, _, _)) .WillOnce(WithArgs<2>(Invoke(DBusCallbackFalse))); - EXPECT_CALL(attestation_flow_, GetCertificate(_, _)) - .WillOnce(WithArgs<1>(Invoke(CertCallbackSuccess))); + EXPECT_CALL(attestation_flow_, GetCertificate(_, _, _)) + .WillOnce(WithArgs<2>(Invoke(CertCallbackSuccess))); Run(); } diff --git a/chrome/browser/chromeos/policy/device_local_account_browsertest.cc b/chrome/browser/chromeos/policy/device_local_account_browsertest.cc index 2ce8a72..d3cbe86 100644 --- a/chrome/browser/chromeos/policy/device_local_account_browsertest.cc +++ b/chrome/browser/chromeos/policy/device_local_account_browsertest.cc 
@@ -327,44 +327,44 @@ class FakeCryptohomeClient : public chromeos::CryptohomeClient { const AsyncMethodCallback& callback) OVERRIDE {} virtual void AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, - AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) OVERRIDE {} virtual void TpmAttestationDoesKeyExist( - AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const chromeos::BoolDBusMethodCallback& callback) OVERRIDE {} virtual void TpmAttestationGetCertificate( - AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE {} virtual void TpmAttestationGetPublicKey( - AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE {} virtual void TpmAttestationRegisterKey( - AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) OVERRIDE {} virtual void TpmAttestationSignEnterpriseChallenge( - AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& domain, const std::string& device_id, - AttestationChallengeOptions options, + chromeos::attestation::AttestationChallengeOptions options, const std::string& challenge, const AsyncMethodCallback& callback) OVERRIDE {} virtual void TpmAttestationSignSimpleChallenge( - AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& challenge, const AsyncMethodCallback& callback) OVERRIDE {} virtual void TpmAttestationGetKeyPayload( - AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const 
std::string& key_name, const DataMethodCallback& callback) OVERRIDE {} virtual void TpmAttestationSetKeyPayload( - AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& payload, const chromeos::BoolDBusMethodCallback& callback) OVERRIDE {} diff --git a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc index 740b19b..bde7410 100644 --- a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc +++ b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc @@ -129,11 +129,11 @@ void EPKPChallengeMachineKey::GetDeviceAttestationEnabledCallback( // Everything is checked. Sign the challenge. async_caller_->TpmAttestationSignEnterpriseChallenge( - chromeos::CryptohomeClient::DEVICE_KEY, + chromeos::attestation::KEY_DEVICE, kKeyName, GetEnterpriseDomain(), GetDeviceId(), - chromeos::CryptohomeClient::CHALLENGE_RESPONSE_OPTION_NONE, + chromeos::attestation::CHALLENGE_OPTION_NONE, challenge, base::Bind(&EPKPChallengeMachineKey::SignChallengeCallback, this)); } @@ -255,12 +255,13 @@ void EPKPChallengeUserKey::UserConsentCallback(const std::string& challenge, // Everything is checked. Sign the challenge. async_caller_->TpmAttestationSignEnterpriseChallenge( - chromeos::CryptohomeClient::USER_KEY, + chromeos::attestation::KEY_USER, kKeyName, domain, GetDeviceId(), - register_key ? chromeos::CryptohomeClient::INCLUDE_SIGNED_PUBLIC_KEY : - chromeos::CryptohomeClient::CHALLENGE_RESPONSE_OPTION_NONE, + register_key ? + chromeos::attestation::CHALLENGE_INCLUDE_SIGNED_PUBLIC_KEY : + chromeos::attestation::CHALLENGE_OPTION_NONE, challenge, base::Bind(&EPKPChallengeUserKey::SignChallengeCallback, this, register_key)); 
@@ -277,7 +278,7 @@ void EPKPChallengeUserKey::SignChallengeCallback(bool register_key, if (register_key) { async_caller_->TpmAttestationRegisterKey( - chromeos::CryptohomeClient::USER_KEY, + chromeos::attestation::KEY_USER, kKeyName, base::Bind(&EPKPChallengeUserKey::RegisterKeyCallback, this, response)); } else { diff --git a/chromeos/attestation/attestation_constants.cc b/chromeos/attestation/attestation_constants.cc new file mode 100644 index 0000000..9f3833b --- /dev/null +++ b/chromeos/attestation/attestation_constants.cc @@ -0,0 +1,14 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "chromeos/attestation/attestation_constants.h" + +namespace chromeos { +namespace attestation { + +const char kEnterpriseMachineKey[] = "attest-ent-machine"; +const char kEnterpriseUserKey[] = "attest-ent-user"; + +} // namespace attestation +} // namespace chromeos diff --git a/chromeos/attestation/attestation_constants.h b/chromeos/attestation/attestation_constants.h new file mode 100644 index 0000000..a704cfc --- /dev/null +++ b/chromeos/attestation/attestation_constants.h 
@@ -0,0 +1,64 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_ATTESTATION_ATTESTATION_CONSTANTS_H_
+#define CHROMEOS_ATTESTATION_ATTESTATION_CONSTANTS_H_
+
+#include "chromeos/chromeos_export.h"
+
+namespace chromeos {
+namespace attestation {
+
+// Options available for customizing an attestation certificate.
+enum AttestationCertificateOptions {
+ CERTIFICATE_OPTION_NONE = 0,
+ // A stable identifier is simply an identifier that is not affected by device
+ // state changes, including device recovery.
+ CERTIFICATE_INCLUDE_STABLE_ID = 1,
+ // Device state information contains a quoted assertion of whether the device
+ // is in verified mode.
+ CERTIFICATE_INCLUDE_DEVICE_STATE = 1 << 1,
+};
+
+// Key types supported by the Chrome OS attestation subsystem.
+enum AttestationKeyType {
+ // The key will be associated with the device itself and will be available
+ // regardless of which user is signed-in.
+ KEY_DEVICE,
+ // The key will be associated with the current user and will only be available
+ // when that user is signed-in.
+ KEY_USER,
+};
+
+// Options available for customizing an attestation challenge response.
+enum AttestationChallengeOptions {
+ CHALLENGE_OPTION_NONE = 0,
+ // Indicates that a SignedPublicKeyAndChallenge should be embedded in the
+ // challenge response.
+ CHALLENGE_INCLUDE_SIGNED_PUBLIC_KEY = 1,
+};
+
+// Available attestation certificate profiles.
+enum AttestationCertificateProfile {
+ // Uses the following certificate options:
+ // CERTIFICATE_INCLUDE_STABLE_ID
+ // CERTIFICATE_INCLUDE_DEVICE_STATE
+ PROFILE_ENTERPRISE_MACHINE_CERTIFICATE,
+ // Uses the following certificate options:
+ // CERTIFICATE_INCLUDE_DEVICE_STATE
+ PROFILE_ENTERPRISE_USER_CERTIFICATE,
+};
+
+// A key name for the Enterprise Machine Key. This key should always be stored
+// as a DEVICE_KEY.
+CHROMEOS_EXPORT extern const char kEnterpriseMachineKey[];
+
+// A key name for the Enterprise User Key. This key should always be stored as
+// a USER_KEY.
+CHROMEOS_EXPORT extern const char kEnterpriseUserKey[];
+
+} // namespace attestation
+} // namespace chromeos
+
+#endif // CHROMEOS_ATTESTATION_ATTESTATION_CONSTANTS_H_
diff --git a/chromeos/attestation/attestation_flow.cc b/chromeos/attestation/attestation_flow.cc
index 97842a3..2fba761 100644
--- a/chromeos/attestation/attestation_flow.cc
+++ b/chromeos/attestation/attestation_flow.cc
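Review bot: The comments above `kEnterpriseMachineKey` and `kEnterpriseUserKey` at the end of the new attestation_constants.h still name `DEVICE_KEY` and `USER_KEY`, but the enum declared earlier in the same header spells them `KEY_DEVICE` and `KEY_USER`. These comments are where the required pairing of key name and key type is documented, so they should use the enumerators a reader can actually find. I would reword them to `// as a KEY_DEVICE key.` and `// a KEY_USER key.`.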
@@ -38,30 +38,82 @@ void DBusBoolRedirectCallback(const base::Closure& on_true, task.Run(); } -} // namespace +void DBusDataMethodCallback( + const AttestationFlow::CertificateCallback& callback, + DBusMethodCallStatus status, + bool result, + const std::string& data) { + if (status != DBUS_METHOD_CALL_SUCCESS) { + LOG(ERROR) << "Attestation: DBus data operation failed."; + if (!callback.is_null()) + callback.Run(false, ""); + return; + } + if (!callback.is_null()) + callback.Run(result, data); +} + +AttestationKeyType GetKeyTypeForProfile( + AttestationCertificateProfile profile) { + switch (profile) { + case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: + return KEY_DEVICE; + case PROFILE_ENTERPRISE_USER_CERTIFICATE: + return KEY_USER; + } + NOTREACHED(); + return KEY_USER; +} -const char AttestationFlow::kEnterpriseMachineKey[] = "attest-ent-machine"; +std::string GetKeyNameForProfile( + AttestationCertificateProfile profile) { + switch (profile) { + case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: + return kEnterpriseMachineKey; + case PROFILE_ENTERPRISE_USER_CERTIFICATE: + return kEnterpriseUserKey; + } + NOTREACHED(); + return ""; +} + +int GetCertificateOptionsForProfile( + AttestationCertificateProfile profile) { + switch (profile) { + case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: + return CERTIFICATE_INCLUDE_STABLE_ID | CERTIFICATE_INCLUDE_DEVICE_STATE; + case PROFILE_ENTERPRISE_USER_CERTIFICATE: + return CERTIFICATE_INCLUDE_DEVICE_STATE; + } + NOTREACHED(); + return CERTIFICATE_OPTION_NONE; +} + +} // namespace AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, CryptohomeClient* cryptohome_client, scoped_ptr<ServerProxy> server_proxy) - : weak_factory_(this), - async_caller_(async_caller), + : async_caller_(async_caller), cryptohome_client_(cryptohome_client), - server_proxy_(server_proxy.Pass()) { + server_proxy_(server_proxy.Pass()), + weak_factory_(this) { } AttestationFlow::~AttestationFlow() { } -void 
AttestationFlow::GetCertificate(const std::string& name, - const CertificateCallback& callback) { +void AttestationFlow::GetCertificate( + AttestationCertificateProfile certificate_profile, + bool force_new_key, + const CertificateCallback& callback) { // If this device has not enrolled with the Privacy CA, we need to do that // first. Once enrolled we can proceed with the certificate request. base::Closure do_cert_request = base::Bind( &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), - name, + certificate_profile, + force_new_key, callback); base::Closure on_enroll_failure = base::Bind(callback, false, ""); base::Closure do_enroll = base::Bind(&AttestationFlow::StartEnroll, 
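Review bot: `GetKeyTypeForProfile` and `GetKeyNameForProfile` fall back to `KEY_USER` and `""` after `NOTREACHED()`, so an out-of-range profile value is not rejected by the helpers themselves. If `NOTREACHED()` is a debug-only check in this tree (it appears to be), a release build would carry on and call cryptohome with an empty key name instead of failing the request. Consider failing closed in `StartCertificateRequest` right after the two lookups, e.g. `if (key_name.empty()) { callback.Run(false, ""); return; }`. The three helpers are complete in this hunk; the body of `GetCertificate` continues past its end.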
@@ -143,22 +195,49 @@ void AttestationFlow::OnEnrollComplete(const base::Closure& on_failure, } void AttestationFlow::StartCertificateRequest( - const std::string& name, + AttestationCertificateProfile certificate_profile, + bool generate_new_key, const CertificateCallback& callback) { - // Get the attestation service to create a Privacy CA certificate request. - int options = CryptohomeClient::INCLUDE_DEVICE_STATE; - if (name == kEnterpriseMachineKey) - options |= CryptohomeClient::INCLUDE_STABLE_ID; - async_caller_->AsyncTpmAttestationCreateCertRequest( - options, - base::Bind(&AttestationFlow::SendCertificateRequestToPCA, - weak_factory_.GetWeakPtr(), - name, - callback)); + AttestationKeyType key_type = GetKeyTypeForProfile(certificate_profile); + std::string key_name = GetKeyNameForProfile(certificate_profile); + if (generate_new_key) { + // Get the attestation service to create a Privacy CA certificate request. + async_caller_->AsyncTpmAttestationCreateCertRequest( + GetCertificateOptionsForProfile(certificate_profile), + base::Bind(&AttestationFlow::SendCertificateRequestToPCA, + weak_factory_.GetWeakPtr(), + key_type, + key_name, + callback)); + } else { + // If the key already exists, query the existing certificate. + base::Closure on_key_exists = base::Bind( + &AttestationFlow::GetExistingCertificate, + weak_factory_.GetWeakPtr(), + key_type, + key_name, + callback); + // If the key does not exist, call this method back with |generate_new_key| + // set to true. 
+ base::Closure on_key_not_exists = base::Bind( + &AttestationFlow::StartCertificateRequest, + weak_factory_.GetWeakPtr(), + certificate_profile, + true, + callback); + cryptohome_client_->TpmAttestationDoesKeyExist( + key_type, + key_name, + base::Bind(&DBusBoolRedirectCallback, + on_key_exists, + on_key_not_exists, + base::Bind(callback, false, ""))); + } } void AttestationFlow::SendCertificateRequestToPCA( - const std::string& name, + AttestationKeyType key_type, + const std::string& key_name, const CertificateCallback& callback, bool success, const std::string& data) { @@ -174,12 +253,14 @@ void AttestationFlow::SendCertificateRequestToPCA( data, base::Bind(&AttestationFlow::SendCertificateResponseToDaemon, weak_factory_.GetWeakPtr(), - name, + key_type, + key_name, callback)); } void AttestationFlow::SendCertificateResponseToDaemon( - const std::string& name, + AttestationKeyType key_type, + const std::string& key_name, const CertificateCallback& callback, bool success, const std::string& data) { @@ -191,14 +272,21 @@ void AttestationFlow::SendCertificateResponseToDaemon( } // Forward the response to the attestation service to complete the operation. - CryptohomeClient::AttestationKeyType key_type = CryptohomeClient::USER_KEY; - if (name == kEnterpriseMachineKey) - key_type = CryptohomeClient::DEVICE_KEY; async_caller_->AsyncTpmAttestationFinishCertRequest(data, key_type, - name, + key_name, base::Bind(callback)); } +void AttestationFlow::GetExistingCertificate( + AttestationKeyType key_type, + const std::string& key_name, + const CertificateCallback& callback) { + cryptohome_client_->TpmAttestationGetCertificate( + key_type, + key_name, + base::Bind(&DBusDataMethodCallback, callback)); +} + } // namespace attestation } // namespace chromeos diff --git a/chromeos/attestation/attestation_flow.h b/chromeos/attestation/attestation_flow.h index 76049d7..2c59f3b 100644 --- a/chromeos/attestation/attestation_flow.h +++ b/chromeos/attestation/attestation_flow.h 
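Review bot: With `generate_new_key` false, `StartCertificateRequest` hands back whatever certificate cryptohome has stored for the key through `GetExistingCertificate`, and nothing on this path looks at its validity period. A caller that reads a successful callback as a usable attestation certificate could therefore receive an expired one; `AttestationPolicyObserver` has its own `CheckCertificateExpiry` step, but other callers may not. I would say so on `GetExistingCertificate`, e.g. `// The stored certificate is returned as-is; expiry is not checked here.`, and repeat it in the `GetCertificate` header comment. Separately, when the key exists but `TpmAttestationGetCertificate` reports `result == false`, the failure goes straight to the caller with no fallback to a new request; that may be intended but deserves a comment.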
@@ -11,6 +11,7 @@ #include "base/callback_forward.h" #include "base/memory/scoped_ptr.h" #include "base/memory/weak_ptr.h" +#include "chromeos/attestation/attestation_constants.h" #include "chromeos/chromeos_export.h" #include "chromeos/dbus/dbus_method_call_status.h" #include "third_party/cros_system_api/dbus/service_constants.h" @@ -41,12 +42,12 @@ class CHROMEOS_EXPORT ServerProxy { // Implements the message flow for Chrome OS attestation tasks. Generally this // consists of coordinating messages between the Chrome OS attestation service -// and the Privacy CA server. Sample usage: +// and the Chrome OS Privacy CA server. Sample usage: // AttestationFlow flow(AsyncMethodCaller::GetInstance(), // DBusThreadManager::Get().GetCryptohomeClient(), -// my_server_proxy); -// CertificateCallback callback = base::Bind(&MyCallback); -// flow.GetCertificate("attest-ent-machine", callback); +// my_server_proxy.Pass()); +// AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback); +// flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback); class CHROMEOS_EXPORT AttestationFlow { public: typedef base::Callback<void(bool success, 
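Review bot: The updated sample usage in the class comment calls `flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback);`, but the profile enumerators added in attestation_constants.h all carry a `PROFILE_` prefix. Copied as written, the sample will not compile. The line should read `//   flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, false, callback);`. The class body continues outside this hunk.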
@@ -58,25 +59,26 @@ class CHROMEOS_EXPORT AttestationFlow { scoped_ptr<ServerProxy> server_proxy); virtual ~AttestationFlow(); - // Asynchronously gets an attestation certificate bound to the given name. - // If no certificate has been associated with the name, a new certificate is - // issued. + // Gets an attestation certificate for a hardware-protected key. If a key for + // the given profile does not exist, it will be generated and a certificate + // request will be made to the Chrome OS Privacy CA to issue a certificate for + // the key. If the key already exists and |force_new_key| is false, the + // existing certificate is returned. // // Parameters - // name - The name of the key for which to retrieve a certificate. The - // following key names are available: - // "attest-ent-machine" - The enterprise machine key. - // "attest-ent-user" - An enterprise user key for the current user. - // "content-[origin]" - A content protection key bound to a - // specific origin for the current user. + // certificate_profile - Specifies what kind of certificate should be + // requested from the CA. + // force_new_key - If set to true, a new key will be generated even if a key + // already exists for the profile. The new key will replace + // the existing key on success. // callback - A callback which will be called when the operation completes. - virtual void GetCertificate(const std::string& name, + // On success |result| will be true and |data| will contain the + // PCA-issued certificate chain in PEM format. + virtual void GetCertificate(AttestationCertificateProfile certificate_profile, + bool force_new_key, const CertificateCallback& callback); private: - // The key name defined for the special-purpose Enterprise Machine Key. - static const char kEnterpriseMachineKey[]; - // Asynchronously initiates the attestation enrollment flow. // // Parameters 
@@ -130,21 +132,27 @@ class CHROMEOS_EXPORT AttestationFlow { // enrollment must complete successfully before this operation can succeed. // // Parameters - // name - The name of the key for which a certificate is requested. + // certificate_profile - Specifies what kind of certificate should be + // requested from the CA. + // generate_new_key - If set to true a new key is generated. // callback - Called when the operation completes. - void StartCertificateRequest(const std::string& name, - const CertificateCallback& callback); + void StartCertificateRequest( + const AttestationCertificateProfile certificate_profile, + bool generate_new_key, + const CertificateCallback& callback); // Called when the attestation daemon has finished creating a certificate // request for the Privacy CA. The request is asynchronously forwarded as-is // to the PCA. // // Parameters - // name - The name of the key for which a certificate is requested. + // key_type - The type of the key for which a certificate is requested. + // key_name - The name of the key for which a certificate is requested. // callback - Called when the operation completes. // success - The status of request creation. // data - The request data for the Privacy CA. - void SendCertificateRequestToPCA(const std::string& name, + void SendCertificateRequestToPCA(AttestationKeyType key_type, + const std::string& key_name, const CertificateCallback& callback, bool success, const std::string& data); 
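Review bot: The declaration of `StartCertificateRequest` takes `const AttestationCertificateProfile certificate_profile`, while the definition in attestation_flow.cc and the public `GetCertificate` take the enum by plain value. Top-level `const` on a by-value parameter has no effect in a declaration, so it only makes the two signatures look different; drop it and write `AttestationCertificateProfile certificate_profile,`. The parameter comment for `generate_new_key` could also state what happens when it is false, namely that the key is looked up first and its stored certificate is returned if it exists.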
@@ -154,20 +162,33 @@ class CHROMEOS_EXPORT AttestationFlow { // complete the operation. // // Parameters - // name - The name of the key for which a certificate is requested. + // key_type - The type of the key for which a certificate is requested. + // key_name - The name of the key for which a certificate is requested. // callback - Called when the operation completes. // success - The status of the Privacy CA operation. // data - The response data from the Privacy CA. - void SendCertificateResponseToDaemon(const std::string& name, + void SendCertificateResponseToDaemon(AttestationKeyType key_type, + const std::string& key_name, const CertificateCallback& callback, bool success, const std::string& data); - base::WeakPtrFactory<AttestationFlow> weak_factory_; + // Gets an existing certificate from the attestation daemon. + // + // Parameters + // key_type - The type of the key for which a certificate is requested. + // key_name - The name of the key for which a certificate is requested. + // callback - Called when the operation completes. + void GetExistingCertificate(AttestationKeyType key_type, + const std::string& key_name, + const CertificateCallback& callback); + cryptohome::AsyncMethodCaller* async_caller_; CryptohomeClient* cryptohome_client_; scoped_ptr<ServerProxy> server_proxy_; + base::WeakPtrFactory<AttestationFlow> weak_factory_; + DISALLOW_COPY_AND_ASSIGN(AttestationFlow); }; diff --git a/chromeos/attestation/attestation_flow_unittest.cc b/chromeos/attestation/attestation_flow_unittest.cc index 30ea3cc..9f70434 100644 --- a/chromeos/attestation/attestation_flow_unittest.cc +++ b/chromeos/attestation/attestation_flow_unittest.cc 
@@ -41,6 +41,20 @@ void AsyncCallbackFalse(cryptohome::AsyncMethodCaller::Callback callback) { callback.Run(false, cryptohome::MOUNT_ERROR_NONE); } +class FakeDBusData { + public: + explicit FakeDBusData(const std::string& data) : data_(data) {} + + void operator() (const CryptohomeClient::DataMethodCallback& callback) { + MessageLoop::current()->PostTask( + FROM_HERE, + base::Bind(callback, DBUS_METHOD_CALL_SUCCESS, true, data_)); + } + + private: + std::string data_; +}; + } // namespace class AttestationFlowTest : public testing::Test { @@ -83,11 +97,11 @@ TEST_F(AttestationFlowTest, GetCertificate) { .Times(1) .InSequence(flow_order); - int options = CryptohomeClient::INCLUDE_DEVICE_STATE; - EXPECT_CALL(async_caller, - AsyncTpmAttestationCreateCertRequest(options, _)) - .Times(1) - .InSequence(flow_order); + EXPECT_CALL( + async_caller, + AsyncTpmAttestationCreateCertRequest(CERTIFICATE_INCLUDE_DEVICE_STATE, _)) + .Times(1) + .InSequence(flow_order); EXPECT_CALL(*proxy, SendCertificateRequest( cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest, @@ -99,8 +113,8 @@ TEST_F(AttestationFlowTest, GetCertificate) { fake_cert_response += "_response"; EXPECT_CALL(async_caller, AsyncTpmAttestationFinishCertRequest(fake_cert_response, - CryptohomeClient::USER_KEY, - "test", + KEY_USER, + kEnterpriseUserKey, _)) .Times(1) .InSequence(flow_order); @@ -117,7 +131,7 @@ TEST_F(AttestationFlowTest, GetCertificate) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate("test", mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); Run(); } 
@@ -143,7 +157,7 @@ TEST_F(AttestationFlowTest, GetCertificate_NoEK) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate("test", mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); Run(); } @@ -172,7 +186,7 @@ TEST_F(AttestationFlowTest, GetCertificate_EKRejected) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate("test", mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); Run(); } @@ -205,15 +219,15 @@ TEST_F(AttestationFlowTest, GetCertificate_FailEnroll) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate("test", mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); Run(); } -TEST_F(AttestationFlowTest, GetOwnerCertificateAlreadyEnrolled) { +TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE); - int options = CryptohomeClient::INCLUDE_DEVICE_STATE | - CryptohomeClient::INCLUDE_STABLE_ID; + int options = CERTIFICATE_INCLUDE_DEVICE_STATE | + CERTIFICATE_INCLUDE_STABLE_ID; EXPECT_CALL(async_caller, AsyncTpmAttestationCreateCertRequest(options, _)) .Times(1); std::string fake_cert_response = @@ -221,8 +235,8 @@ TEST_F(AttestationFlowTest, GetOwnerCertificateAlreadyEnrolled) { fake_cert_response += "_response"; EXPECT_CALL(async_caller, AsyncTpmAttestationFinishCertRequest(fake_cert_response, - CryptohomeClient::DEVICE_KEY, - "attest-ent-machine", + KEY_DEVICE, + kEnterpriseMachineKey, _)) .Times(1); 
@@ -246,14 +260,15 @@ TEST_F(AttestationFlowTest, GetOwnerCertificateAlreadyEnrolled) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate("attest-ent-machine", mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, + true, mock_callback); Run(); } TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(false, cryptohome::MOUNT_ERROR_NONE); - int options = CryptohomeClient::INCLUDE_DEVICE_STATE; + int options = CERTIFICATE_INCLUDE_DEVICE_STATE; EXPECT_CALL(async_caller, AsyncTpmAttestationCreateCertRequest(options, _)) .Times(1); @@ -273,14 +288,14 @@ TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate("test", mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); Run(); } TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) { StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE); - int options = CryptohomeClient::INCLUDE_DEVICE_STATE; + int options = CERTIFICATE_INCLUDE_DEVICE_STATE; EXPECT_CALL(async_caller, AsyncTpmAttestationCreateCertRequest(options, _)) .Times(1); 
@@ -303,12 +318,12 @@ TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate("test", mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); Run(); } TEST_F(AttestationFlowTest, GetCertificate_FailIsEnrolled) { - // We're not expecting any server calls in this case; StrictMock will verify. + // We're not expecting any async calls in this case; StrictMock will verify. StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; chromeos::MockCryptohomeClient client; 
@@ -326,7 +341,81 @@ TEST_F(AttestationFlowTest, GetCertificate_FailIsEnrolled) { scoped_ptr<ServerProxy> proxy_interface(proxy.release()); AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); - flow.GetCertificate("test", mock_callback); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, true, mock_callback); + Run(); +} + +TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) { + StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; + async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE); + int options = CERTIFICATE_INCLUDE_DEVICE_STATE; + EXPECT_CALL(async_caller, AsyncTpmAttestationCreateCertRequest(options, _)) + .Times(1); + std::string fake_cert_response = + cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest; + fake_cert_response += "_response"; + EXPECT_CALL(async_caller, + AsyncTpmAttestationFinishCertRequest(fake_cert_response, + KEY_USER, + kEnterpriseUserKey, + _)) + .Times(1); + + chromeos::MockCryptohomeClient client; + EXPECT_CALL(client, TpmAttestationIsEnrolled(_)) + .WillRepeatedly(Invoke(DBusCallbackTrue)); + EXPECT_CALL(client, + TpmAttestationDoesKeyExist(KEY_USER, kEnterpriseUserKey, _)) + .WillRepeatedly(WithArgs<2>(Invoke(DBusCallbackFalse))); + + scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>()); + proxy->DeferToFake(true); + EXPECT_CALL(*proxy, SendCertificateRequest( + cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest, + _)).Times(1); + + StrictMock<MockObserver> observer; + EXPECT_CALL(observer, MockCertificateCallback( + true, + cryptohome::MockAsyncMethodCaller::kFakeAttestationCert)).Times(1); + AttestationFlow::CertificateCallback mock_callback = base::Bind( + &MockObserver::MockCertificateCallback, + base::Unretained(&observer)); + + scoped_ptr<ServerProxy> proxy_interface(proxy.release()); + AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, + false, mock_callback); + Run(); 
+} + +TEST_F(AttestationFlowTest, GetCertificate_AlreadyExists) { + // We're not expecting any async calls in this case; StrictMock will verify. + StrictMock<cryptohome::MockAsyncMethodCaller> async_caller; + + chromeos::MockCryptohomeClient client; + EXPECT_CALL(client, TpmAttestationIsEnrolled(_)) + .WillRepeatedly(Invoke(DBusCallbackTrue)); + EXPECT_CALL(client, + TpmAttestationDoesKeyExist(KEY_USER, kEnterpriseUserKey, _)) + .WillRepeatedly(WithArgs<2>(Invoke(DBusCallbackTrue))); + EXPECT_CALL(client, + TpmAttestationGetCertificate(KEY_USER, kEnterpriseUserKey, _)) + .WillRepeatedly(WithArgs<2>(Invoke(FakeDBusData("fake_cert")))); + + // We're not expecting any server calls in this case; StrictMock will verify. + scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>()); + + StrictMock<MockObserver> observer; + EXPECT_CALL(observer, MockCertificateCallback(true, "fake_cert")).Times(1); + AttestationFlow::CertificateCallback mock_callback = base::Bind( + &MockObserver::MockCertificateCallback, + base::Unretained(&observer)); + + scoped_ptr<ServerProxy> proxy_interface(proxy.release()); + AttestationFlow flow(&async_caller, &client, proxy_interface.Pass()); + flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, + false, mock_callback); Run(); } diff --git a/chromeos/attestation/mock_attestation_flow.h b/chromeos/attestation/mock_attestation_flow.h index 59462c54..bda8a72 100644 --- a/chromeos/attestation/mock_attestation_flow.h +++ b/chromeos/attestation/mock_attestation_flow.h @@ -65,7 +65,8 @@ class MockAttestationFlow : public AttestationFlow { MockAttestationFlow(); virtual ~MockAttestationFlow(); - MOCK_METHOD2(GetCertificate, void(const std::string&, + MOCK_METHOD3(GetCertificate, void(AttestationCertificateProfile, + bool, const CertificateCallback&)); }; diff --git a/chromeos/chromeos.gyp b/chromeos/chromeos.gyp index 4b6a7bb..57e36b5 100644 --- a/chromeos/chromeos.gyp +++ b/chromeos/chromeos.gyp 
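Review bot: `GetCertificate_CheckExisting` and `GetCertificate_AlreadyExists` cover the key-missing and key-present success paths, but no test visible in these hunks exercises a failed D-Bus call when `force_new_key` is false. Two branches are left unpinned: the `status != DBUS_METHOD_CALL_SUCCESS` branch of `DBusDataMethodCallback` and the error closure `base::Bind(callback, false, "")` passed to `DBusBoolRedirectCallback`. Both should end in `MockCertificateCallback(false, "")` with no request reaching the Privacy CA proxy. A test shaped like `GetCertificate_AlreadyExists`, whose fake runs the callback with a failure status, would fix that fail-closed behaviour in place.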
@@ -36,6 +36,8 @@ 'audio/audio_pref_handler.h', 'audio/cras_audio_handler.cc', 'audio/cras_audio_handler.h', + 'attestation/attestation_constants.cc', + 'attestation/attestation_constants.h', 'attestation/attestation_flow.cc', 'attestation/attestation_flow.h', 'chromeos_export.h', diff --git a/chromeos/cryptohome/async_method_caller.cc b/chromeos/cryptohome/async_method_caller.cc index 2478182..97c64e2 100644 --- a/chromeos/cryptohome/async_method_caller.cc +++ b/chromeos/cryptohome/async_method_caller.cc @@ -123,7 +123,7 @@ class AsyncMethodCallerImpl : public AsyncMethodCaller { virtual void AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, - chromeos::CryptohomeClient::AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const DataCallback& callback) OVERRIDE { DBusThreadManager::Get()->GetCryptohomeClient()-> @@ -139,7 +139,7 @@ class AsyncMethodCallerImpl : public AsyncMethodCaller { } virtual void TpmAttestationRegisterKey( - chromeos::CryptohomeClient::AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const Callback& callback) OVERRIDE { DBusThreadManager::Get()->GetCryptohomeClient()-> @@ -154,11 +154,11 @@ class AsyncMethodCallerImpl : public AsyncMethodCaller { } virtual void TpmAttestationSignEnterpriseChallenge( - chromeos::CryptohomeClient::AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& domain, const std::string& device_id, - chromeos::CryptohomeClient::AttestationChallengeOptions options, + chromeos::attestation::AttestationChallengeOptions options, const std::string& challenge, const DataCallback& callback) OVERRIDE { DBusThreadManager::Get()->GetCryptohomeClient()-> 
@@ -177,7 +177,7 @@ class AsyncMethodCallerImpl : public AsyncMethodCaller { } virtual void TpmAttestationSignSimpleChallenge( - chromeos::CryptohomeClient::AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& challenge, const DataCallback& callback) OVERRIDE { diff --git a/chromeos/cryptohome/async_method_caller.h b/chromeos/cryptohome/async_method_caller.h index 0957397..11499c9 100644 --- a/chromeos/cryptohome/async_method_caller.h +++ b/chromeos/cryptohome/async_method_caller.h @@ -98,8 +98,8 @@ class CHROMEOS_EXPORT AsyncMethodCaller { // Asks cryptohomed to asynchronously create an attestation certificate // request according to |options|, which is a combination of - // CryptohomeClient::AttestationCertificateOptions. On success the data sent - // to |callback| is a request to be sent to the Privacy CA. + // attestation::AttestationCertificateOptions. On success the data sent to + // |callback| is a request to be sent to the Privacy CA. virtual void AsyncTpmAttestationCreateCertRequest( int options, const DataCallback& callback) = 0; @@ -112,14 +112,14 @@ class CHROMEOS_EXPORT AsyncMethodCaller { // key. virtual void AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, - chromeos::CryptohomeClient::AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const DataCallback& callback) = 0; // Asks cryptohomed to asynchronously register the attestation key specified // by |key_type| and |key_name|. virtual void TpmAttestationRegisterKey( - chromeos::CryptohomeClient::AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const Callback& callback) = 0; 
@@ -129,11 +129,11 @@ class CHROMEOS_EXPORT AsyncMethodCaller { // a valid enterprise challenge. On success, the data sent to |callback| is // the challenge response. virtual void TpmAttestationSignEnterpriseChallenge( - chromeos::CryptohomeClient::AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& domain, const std::string& device_id, - chromeos::CryptohomeClient::AttestationChallengeOptions options, + chromeos::attestation::AttestationChallengeOptions options, const std::string& challenge, const DataCallback& callback) = 0; @@ -142,7 +142,7 @@ class CHROMEOS_EXPORT AsyncMethodCaller { // set of bytes. On success, the data sent to |callback| is the challenge // response. virtual void TpmAttestationSignSimpleChallenge( - chromeos::CryptohomeClient::AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& challenge, const DataCallback& callback) = 0; diff --git a/chromeos/cryptohome/mock_async_method_caller.cc b/chromeos/cryptohome/mock_async_method_caller.cc index bf65376..b22f780 100644 --- a/chromeos/cryptohome/mock_async_method_caller.cc +++ b/chromeos/cryptohome/mock_async_method_caller.cc @@ -14,6 +14,8 @@ const char MockAsyncMethodCaller::kFakeAttestationEnrollRequest[] = "enrollreq"; const char MockAsyncMethodCaller::kFakeAttestationCertRequest[] = "certreq"; const char MockAsyncMethodCaller::kFakeAttestationCert[] = "cert"; const char MockAsyncMethodCaller::kFakeSanitizedUsername[] = "01234567890ABC"; +const char MockAsyncMethodCaller::kFakeChallengeResponse[] = + "challenge_response"; MockAsyncMethodCaller::MockAsyncMethodCaller() : success_(false), return_code_(cryptohome::MOUNT_ERROR_NONE) { 
@@ -59,6 +61,13 @@ void MockAsyncMethodCaller::SetUp(bool success, MountError return_code) { WithArgs<1>(Invoke(this, &MockAsyncMethodCaller:: FakeGetSanitizedUsername))); + ON_CALL(*this, TpmAttestationSignEnterpriseChallenge(_, _, _, _, _, _, _)) + .WillByDefault( + WithArgs<6>(Invoke(this, + &MockAsyncMethodCaller::FakeEnterpriseChallenge))); + ON_CALL(*this, TpmAttestationRegisterKey(_, _, _)) + .WillByDefault( + WithArgs<2>(Invoke(this, &MockAsyncMethodCaller::DoCallback))); } void MockAsyncMethodCaller::DoCallback(Callback callback) { @@ -85,4 +94,9 @@ void MockAsyncMethodCaller::FakeGetSanitizedUsername( callback.Run(success_, kFakeSanitizedUsername); } +void MockAsyncMethodCaller::FakeEnterpriseChallenge( + const DataCallback& callback) { + callback.Run(success_, kFakeChallengeResponse); +} + } // namespace cryptohome diff --git a/chromeos/cryptohome/mock_async_method_caller.h b/chromeos/cryptohome/mock_async_method_caller.h index 8fc2b8b..0bb0b29 100644 --- a/chromeos/cryptohome/mock_async_method_caller.h +++ b/chromeos/cryptohome/mock_async_method_caller.h @@ -20,6 +20,7 @@ class MockAsyncMethodCaller : public AsyncMethodCaller { static const char kFakeAttestationCertRequest[]; static const char kFakeAttestationCert[]; static const char kFakeSanitizedUsername[]; + static const char kFakeChallengeResponse[]; MockAsyncMethodCaller(); virtual ~MockAsyncMethodCaller(); 
@@ -49,24 +50,24 @@ class MockAsyncMethodCaller : public AsyncMethodCaller { const DataCallback& callback)); MOCK_METHOD4(AsyncTpmAttestationFinishCertRequest, void(const std::string& pca_response, - chromeos::CryptohomeClient::AttestationKeyType key_type, + chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const DataCallback& callback)); MOCK_METHOD3(TpmAttestationRegisterKey, - void(chromeos::CryptohomeClient::AttestationKeyType key_type, + void(chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const Callback& callback)); MOCK_METHOD7( TpmAttestationSignEnterpriseChallenge, - void(chromeos::CryptohomeClient::AttestationKeyType key_type, + void(chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& domain, const std::string& device_id, - chromeos::CryptohomeClient::AttestationChallengeOptions options, + chromeos::attestation::AttestationChallengeOptions options, const std::string& challenge, const DataCallback& callback)); MOCK_METHOD4(TpmAttestationSignSimpleChallenge, - void(chromeos::CryptohomeClient::AttestationKeyType key_type, + void(chromeos::attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& challenge, const DataCallback& callback)); @@ -84,6 +85,7 @@ class MockAsyncMethodCaller : public AsyncMethodCaller { void FakeCreateCertRequest(const DataCallback& callback); void FakeFinishCertRequest(const DataCallback& callback); void FakeGetSanitizedUsername(const DataCallback& callback); + void FakeEnterpriseChallenge(const DataCallback& callback); DISALLOW_COPY_AND_ASSIGN(MockAsyncMethodCaller); }; diff --git a/chromeos/dbus/cryptohome_client.cc b/chromeos/dbus/cryptohome_client.cc index 7bcbc4a..286533d 100644 --- a/chromeos/dbus/cryptohome_client.cc +++ b/chromeos/dbus/cryptohome_client.cc 
@@ -412,9 +412,11 @@ class CryptohomeClientImpl : public CryptohomeClient { cryptohome::kCryptohomeInterface, cryptohome::kCryptohomeAsyncTpmAttestationCreateCertRequest); dbus::MessageWriter writer(&method_call); - bool include_stable_id = (options & INCLUDE_STABLE_ID); + bool include_stable_id = + (options & attestation::CERTIFICATE_INCLUDE_STABLE_ID); writer.AppendBool(include_stable_id); - bool include_device_state = (options & INCLUDE_DEVICE_STATE); + bool include_device_state = + (options & attestation::CERTIFICATE_INCLUDE_DEVICE_STATE); writer.AppendBool(include_device_state); proxy_->CallMethod(&method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT, base::Bind(&CryptohomeClientImpl::OnAsyncMethodCall, @@ -425,7 +427,7 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) OVERRIDE { dbus::MethodCall method_call( @@ -435,7 +437,7 @@ class CryptohomeClientImpl : public CryptohomeClient { writer.AppendArrayOfBytes( reinterpret_cast<const uint8*>(pca_response.data()), pca_response.size()); - bool is_user_specific = (key_type == USER_KEY); + bool is_user_specific = (key_type == attestation::KEY_USER); writer.AppendBool(is_user_specific); writer.AppendString(key_name); proxy_->CallMethod(&method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT, 
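Review bot: `bool is_user_specific = (key_type == attestation::KEY_USER);` in the `@@ -435,7 +437,7 @@` hunk collapses the enum to a bool, so every value other than `KEY_USER` is sent to cryptohomed as a device key. Now that `AttestationKeyType` lives in a shared constants header, a later enumerator would silently select the device-wide key instead of failing. The same line recurs in the later hunks of this file (DoesKeyExist, GetCertificate, GetPublicKey, RegisterKey, both SignChallenge methods, Get/SetKeyPayload). One private helper that does the mapping behind `DCHECK(key_type == attestation::KEY_USER || key_type == attestation::KEY_DEVICE);` would keep it in one place. The method bodies continue outside these hunks.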
@@ -446,14 +448,14 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationDoesKeyExist( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const BoolDBusMethodCallback& callback) OVERRIDE { dbus::MethodCall method_call( cryptohome::kCryptohomeInterface, cryptohome::kCryptohomeTpmAttestationDoesKeyExist); dbus::MessageWriter writer(&method_call); - bool is_user_specific = (key_type == USER_KEY); + bool is_user_specific = (key_type == attestation::KEY_USER); writer.AppendBool(is_user_specific); writer.AppendString(key_name); CallBoolMethod(&method_call, callback); @@ -461,14 +463,14 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationGetCertificate( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE { dbus::MethodCall method_call( cryptohome::kCryptohomeInterface, cryptohome::kCryptohomeTpmAttestationGetCertificate); dbus::MessageWriter writer(&method_call); - bool is_user_specific = (key_type == USER_KEY); + bool is_user_specific = (key_type == attestation::KEY_USER); writer.AppendBool(is_user_specific); writer.AppendString(key_name); proxy_->CallMethod(&method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT, 
@@ -479,14 +481,14 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationGetPublicKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE { dbus::MethodCall method_call( cryptohome::kCryptohomeInterface, cryptohome::kCryptohomeTpmAttestationGetPublicKey); dbus::MessageWriter writer(&method_call); - bool is_user_specific = (key_type == USER_KEY); + bool is_user_specific = (key_type == attestation::KEY_USER); writer.AppendBool(is_user_specific); writer.AppendString(key_name); proxy_->CallMethod(&method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT, @@ -497,14 +499,14 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationRegisterKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) OVERRIDE { dbus::MethodCall method_call( cryptohome::kCryptohomeInterface, cryptohome::kCryptohomeTpmAttestationRegisterKey); dbus::MessageWriter writer(&method_call); - bool is_user_specific = (key_type == USER_KEY); + bool is_user_specific = (key_type == attestation::KEY_USER); writer.AppendBool(is_user_specific); writer.AppendString(key_name); proxy_->CallMethod(&method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT, 
@@ -515,24 +517,25 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationSignEnterpriseChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& domain, const std::string& device_id, - AttestationChallengeOptions options, + attestation::AttestationChallengeOptions options, const std::string& challenge, const AsyncMethodCallback& callback) OVERRIDE { dbus::MethodCall method_call( cryptohome::kCryptohomeInterface, cryptohome::kCryptohomeTpmAttestationSignEnterpriseChallenge); dbus::MessageWriter writer(&method_call); - bool is_user_specific = (key_type == USER_KEY); + bool is_user_specific = (key_type == attestation::KEY_USER); writer.AppendBool(is_user_specific); writer.AppendString(key_name); writer.AppendString(domain); writer.AppendArrayOfBytes(reinterpret_cast<const uint8*>(device_id.data()), device_id.size()); - bool include_signed_public_key = (options & INCLUDE_SIGNED_PUBLIC_KEY); + bool include_signed_public_key = + (options & attestation::CHALLENGE_INCLUDE_SIGNED_PUBLIC_KEY); writer.AppendBool(include_signed_public_key); writer.AppendArrayOfBytes(reinterpret_cast<const uint8*>(challenge.data()), challenge.size()); @@ -544,7 +547,7 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationSignSimpleChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& challenge, const AsyncMethodCallback& callback) OVERRIDE { 
@@ -552,7 +555,7 @@ class CryptohomeClientImpl : public CryptohomeClient { cryptohome::kCryptohomeInterface, cryptohome::kCryptohomeTpmAttestationSignEnterpriseChallenge); dbus::MessageWriter writer(&method_call); - bool is_user_specific = (key_type == USER_KEY); + bool is_user_specific = (key_type == attestation::KEY_USER); writer.AppendBool(is_user_specific); writer.AppendString(key_name); writer.AppendArrayOfBytes(reinterpret_cast<const uint8*>(challenge.data()), @@ -565,14 +568,14 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationGetKeyPayload( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE { dbus::MethodCall method_call( cryptohome::kCryptohomeInterface, cryptohome::kCryptohomeTpmAttestationGetKeyPayload); dbus::MessageWriter writer(&method_call); - bool is_user_specific = (key_type == USER_KEY); + bool is_user_specific = (key_type == attestation::KEY_USER); writer.AppendBool(is_user_specific); writer.AppendString(key_name); proxy_->CallMethod(&method_call, dbus::ObjectProxy::TIMEOUT_USE_DEFAULT, @@ -583,7 +586,7 @@ class CryptohomeClientImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationSetKeyPayload( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& payload, const BoolDBusMethodCallback& callback) OVERRIDE { @@ -591,7 +594,7 @@ class CryptohomeClientImpl : public CryptohomeClient { cryptohome::kCryptohomeInterface, cryptohome::kCryptohomeTpmAttestationSetKeyPayload); dbus::MessageWriter writer(&method_call); - bool is_user_specific = (key_type == USER_KEY); + bool is_user_specific = (key_type == attestation::KEY_USER); writer.AppendBool(is_user_specific); writer.AppendString(key_name); writer.AppendArrayOfBytes(reinterpret_cast<const uint8*>(payload.data()), 
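Review bot: The context lines of the `@@ -552,7 +555,7 @@` hunk build the D-Bus call with `cryptohome::kCryptohomeTpmAttestationSignEnterpriseChallenge`, while the preceding hunk (`@@ -544,7 +547,7 @@`) places this body inside `TpmAttestationSignSimpleChallenge`. If that reading is right, a simple-challenge signing request is dispatched to the enterprise-challenge method with a shorter argument list (key type, key name, challenge), and this commit leaves that untouched. The method-name constant should presumably be the simple-challenge one from the cryptohome service constants, which is not visible on this page. The start of the function lies outside this hunk.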
@@ -1043,7 +1046,7 @@ class CryptohomeClientStubImpl : public CryptohomeClient { // CryptohomeClient override. virtual void AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) OVERRIDE { ReturnAsyncMethodResult(callback, true); @@ -1051,7 +1054,7 @@ class CryptohomeClientStubImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationDoesKeyExist( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const BoolDBusMethodCallback& callback) OVERRIDE { MessageLoop::current()->PostTask( @@ -1061,7 +1064,7 @@ class CryptohomeClientStubImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationGetCertificate( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE { MessageLoop::current()->PostTask( @@ -1071,7 +1074,7 @@ class CryptohomeClientStubImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationGetPublicKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE { MessageLoop::current()->PostTask( @@ -1081,7 +1084,7 @@ class CryptohomeClientStubImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationRegisterKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) OVERRIDE { ReturnAsyncMethodResult(callback, true); 
@@ -1089,11 +1092,11 @@ class CryptohomeClientStubImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationSignEnterpriseChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& domain, const std::string& device_id, - AttestationChallengeOptions options, + attestation::AttestationChallengeOptions options, const std::string& challenge, const AsyncMethodCallback& callback) OVERRIDE { ReturnAsyncMethodResult(callback, true); @@ -1101,7 +1104,7 @@ class CryptohomeClientStubImpl : public CryptohomeClient { // CryptohomeClient override. virtual void TpmAttestationSignSimpleChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& challenge, const AsyncMethodCallback& callback) OVERRIDE { @@ -1109,7 +1112,7 @@ class CryptohomeClientStubImpl : public CryptohomeClient { } virtual void TpmAttestationGetKeyPayload( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE { MessageLoop::current()->PostTask( @@ -1118,7 +1121,7 @@ class CryptohomeClientStubImpl : public CryptohomeClient { } virtual void TpmAttestationSetKeyPayload( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& payload, const BoolDBusMethodCallback& callback) OVERRIDE { diff --git a/chromeos/dbus/cryptohome_client.h b/chromeos/dbus/cryptohome_client.h index d9ddf1b..69eb86f 100644 --- a/chromeos/dbus/cryptohome_client.h +++ b/chromeos/dbus/cryptohome_client.h @@ -10,6 +10,7 @@ #include "base/basictypes.h" #include "base/callback.h" +#include "chromeos/attestation/attestation_constants.h" #include "chromeos/chromeos_export.h" #include "chromeos/dbus/dbus_client_implementation_type.h" #include "chromeos/dbus/dbus_method_call_status.h" 
@@ -47,25 +48,6 @@ class CHROMEOS_EXPORT CryptohomeClient { bool result, const std::string& data)> DataMethodCallback; - // Options available for customizing an attestation certificate. - enum AttestationCertificateOptions { - CERTIFICATE_OPTION_NONE = 0, - INCLUDE_STABLE_ID = 1, - INCLUDE_DEVICE_STATE = 1 << 1 - }; - - // Key types supported by the Chrome OS attestation subsystem. - enum AttestationKeyType { - DEVICE_KEY, - USER_KEY - }; - - // Options available for customizing an attestation challenge response. - enum AttestationChallengeOptions { - CHALLENGE_RESPONSE_OPTION_NONE = 0, - INCLUDE_SIGNED_PUBLIC_KEY = 1 - }; - virtual ~CryptohomeClient(); // Factory function, creates a new instance and returns ownership. @@ -259,7 +241,7 @@ class CHROMEOS_EXPORT CryptohomeClient { // the current user. |key_name| is a name for the key. virtual void AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) = 0; @@ -267,7 +249,7 @@ class CHROMEOS_EXPORT CryptohomeClient { // |key_type| and |key_name| exists, then the result sent to the callback will // be true. virtual void TpmAttestationDoesKeyExist( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const BoolDBusMethodCallback& callback) = 0; @@ -275,7 +257,7 @@ class CHROMEOS_EXPORT CryptohomeClient { // |key_name|. |callback| will be called when the operation completes. If // the key does not exist the callback |result| parameter will be false. virtual void TpmAttestationGetCertificate( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) = 0; 
@@ -283,7 +265,7 @@ class CHROMEOS_EXPORT CryptohomeClient { // |callback| will be called when the operation completes. If the key does // not exist the callback |result| parameter will be false. virtual void TpmAttestationGetPublicKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) = 0; @@ -292,7 +274,7 @@ class CHROMEOS_EXPORT CryptohomeClient { // completes. When the operation completes, the AsyncCallStatusHandler signal // handler is called. |key_type| and |key_name| specify the key to register. virtual void TpmAttestationRegisterKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) = 0; @@ -304,11 +286,11 @@ class CHROMEOS_EXPORT CryptohomeClient { // operation completes, the AsyncCallStatusWithDataHandler signal handler is // called. virtual void TpmAttestationSignEnterpriseChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& domain, const std::string& device_id, - AttestationChallengeOptions options, + attestation::AttestationChallengeOptions options, const std::string& challenge, const AsyncMethodCallback& callback) = 0; @@ -319,7 +301,7 @@ class CHROMEOS_EXPORT CryptohomeClient { // the dbus call completes. When the operation completes, the // AsyncCallStatusWithDataHandler signal handler is called. virtual void TpmAttestationSignSimpleChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& challenge, const AsyncMethodCallback& callback) = 0; 
@@ -330,7 +312,7 @@ class CHROMEOS_EXPORT CryptohomeClient { // If no payload has been set for the key the callback |result| parameter will // be true and the |data| parameter will be empty. virtual void TpmAttestationGetKeyPayload( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) = 0; @@ -338,7 +320,7 @@ class CHROMEOS_EXPORT CryptohomeClient { // |key_name|. The |callback| will be called when the operation completes. // If the operation succeeds, the callback |result| parameter will be true. virtual void TpmAttestationSetKeyPayload( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& payload, const BoolDBusMethodCallback& callback) = 0; diff --git a/chromeos/dbus/fake_cryptohome_client.cc b/chromeos/dbus/fake_cryptohome_client.cc index 227ac99..fb54054 100644 --- a/chromeos/dbus/fake_cryptohome_client.cc +++ b/chromeos/dbus/fake_cryptohome_client.cc @@ -40,14 +40,14 @@ bool FakeCryptohomeClient::InstallAttributesIsInvalid(bool* is_invalid) { } void FakeCryptohomeClient::TpmAttestationGetKeyPayload( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) { } void FakeCryptohomeClient::AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) { } @@ -141,7 +141,7 @@ bool FakeCryptohomeClient::InstallAttributesIsFirstInstall( } void FakeCryptohomeClient::TpmAttestationGetCertificate( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) { } 
@@ -154,13 +154,13 @@ void FakeCryptohomeClient::InstallAttributesIsReady( } void FakeCryptohomeClient::TpmAttestationGetPublicKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) { } void FakeCryptohomeClient::TpmAttestationSignSimpleChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& challenge, const AsyncMethodCallback& callback) { @@ -188,7 +188,7 @@ void FakeCryptohomeClient::ResetAsyncCallStatusHandlers() { } void FakeCryptohomeClient::TpmAttestationDoesKeyExist( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const BoolDBusMethodCallback& callback) { } @@ -202,7 +202,7 @@ void FakeCryptohomeClient::AsyncRemove(const std::string& username, } void FakeCryptohomeClient::TpmAttestationSetKeyPayload( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& payload, const BoolDBusMethodCallback& callback) { @@ -214,11 +214,11 @@ void FakeCryptohomeClient::GetSanitizedUsername( } void FakeCryptohomeClient::TpmAttestationSignEnterpriseChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& domain, const std::string& device_id, - AttestationChallengeOptions options, + attestation::AttestationChallengeOptions options, const std::string& challenge, const AsyncMethodCallback& callback) { } @@ -228,7 +228,7 @@ void FakeCryptohomeClient::TpmAttestationIsEnrolled( } void FakeCryptohomeClient::TpmAttestationRegisterKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) { } diff --git a/chromeos/dbus/fake_cryptohome_client.h b/chromeos/dbus/fake_cryptohome_client.h index fbdce7a..fd05882 100644 
--- a/chromeos/dbus/fake_cryptohome_client.h
+++ b/chromeos/dbus/fake_cryptohome_client.h
@@ -86,44 +86,44 @@ class FakeCryptohomeClient : public CryptohomeClient { const AsyncMethodCallback& callback) OVERRIDE; virtual void AsyncTpmAttestationFinishCertRequest( const std::string& pca_response, - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) OVERRIDE; virtual void TpmAttestationDoesKeyExist( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const BoolDBusMethodCallback& callback) OVERRIDE; virtual void TpmAttestationGetCertificate( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE; virtual void TpmAttestationGetPublicKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE; virtual void TpmAttestationRegisterKey( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const AsyncMethodCallback& callback) OVERRIDE; virtual void TpmAttestationSignEnterpriseChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& domain, const std::string& device_id, - AttestationChallengeOptions options, + attestation::AttestationChallengeOptions options, const std::string& challenge, const AsyncMethodCallback& callback) OVERRIDE; virtual void TpmAttestationSignSimpleChallenge( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& challenge, const AsyncMethodCallback& callback) OVERRIDE; virtual void TpmAttestationGetKeyPayload( - AttestationKeyType key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const DataMethodCallback& callback) OVERRIDE; virtual void TpmAttestationSetKeyPayload( - AttestationKeyType 
key_type, + attestation::AttestationKeyType key_type, const std::string& key_name, const std::string& payload, const BoolDBusMethodCallback& callback) OVERRIDE; diff --git a/chromeos/dbus/mock_cryptohome_client.h b/chromeos/dbus/mock_cryptohome_client.h index 2563aac..b3e9b06 100644 --- a/chromeos/dbus/mock_cryptohome_client.h +++ b/chromeos/dbus/mock_cryptohome_client.h 
@@ -88,44 +88,44 @@ class MockCryptohomeClient : public CryptohomeClient {
 const AsyncMethodCallback& callback));
 MOCK_METHOD4(AsyncTpmAttestationFinishCertRequest,
 void(const std::string& pca_response,
- AttestationKeyType key_type,
+ attestation::AttestationKeyType key_type,
 const std::string& key_name,
 const AsyncMethodCallback& callback));
 MOCK_METHOD3(TpmAttestationDoesKeyExist,
- void(AttestationKeyType key_type,
+ void(attestation::AttestationKeyType key_type,
 const std::string& key_name,
 const BoolDBusMethodCallback& callback));
 MOCK_METHOD3(TpmAttestationGetCertificate,
- void(AttestationKeyType key_type,
+ void(attestation::AttestationKeyType key_type,
 const std::string& key_name,
 const DataMethodCallback& callback));
 MOCK_METHOD3(TpmAttestationGetPublicKey,
- void(AttestationKeyType key_type,
+ void(attestation::AttestationKeyType key_type,
 const std::string& key_name,
 const DataMethodCallback& callback));
 MOCK_METHOD3(TpmAttestationRegisterKey,
- void(AttestationKeyType key_type,
+ void(attestation::AttestationKeyType key_type,
 const std::string& key_name,
 const AsyncMethodCallback& callback));
 MOCK_METHOD7(TpmAttestationSignEnterpriseChallenge,
- void(AttestationKeyType key_type,
+ void(attestation::AttestationKeyType key_type,
 const std::string& key_name,
 const std::string& domain,
 const std::string& device_id,
- AttestationChallengeOptions options,
+ attestation::AttestationChallengeOptions options,
 const std::string& challenge,
 const AsyncMethodCallback& callback));
 MOCK_METHOD4(TpmAttestationSignSimpleChallenge,
- void(AttestationKeyType key_type,
+ void(attestation::AttestationKeyType key_type,
 const std::string& key_name,
 const std::string& challenge,
 const AsyncMethodCallback& callback));
 MOCK_METHOD3(TpmAttestationGetKeyPayload,
- void(AttestationKeyType key_type,
+ void(attestation::AttestationKeyType key_type,
 const std::string& key_name,
 const DataMethodCallback& callback));
 MOCK_METHOD4(TpmAttestationSetKeyPayload,
- void(AttestationKeyType key_type,
+ void(attestation::AttestationKeyType key_type,
 const std::string& key_name,
 const std::string& payload,
 const BoolDBusMethodCallback& callback)); |