From 1260076a7a6991acfead415cc53e86c5e45c04be Mon Sep 17 00:00:00 2001
From: "dkrahn@chromium.org"
Date: Mon, 21 Oct 2013 19:57:24 +0000
Subject: Added multi-profile support for attestation on chromeos. All certified keys and certificates will be associated with the correct profile when multiple profiles are used.
BUG=chromium:205206
TEST=unit, manual
Review URL: https://codereview.chromium.org/27044004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@229891 0039d316-1c4b-4281-b951-d872f2087c98
---
 chromeos/attestation/OWNERS | 1 +
 chromeos/attestation/attestation_flow.cc | 19 ++++++++++++++-----
 chromeos/attestation/attestation_flow.h | 18 ++++++++++++------
 chromeos/attestation/attestation_flow_unittest.cc | 19 +++++++++++--------
 4 files changed, 38 insertions(+), 19 deletions(-)
(limited to 'chromeos/attestation')
diff --git a/chromeos/attestation/OWNERS b/chromeos/attestation/OWNERS
index cd1c574..a48744d 100644
--- a/chromeos/attestation/OWNERS
+++ b/chromeos/attestation/OWNERS
@@ -1,2 +1,3 @@
 mnissler@chromium.org
 pastarmovj@chromium.org
+bartfab@chromium.org
diff --git a/chromeos/attestation/attestation_flow.cc b/chromeos/attestation/attestation_flow.cc
index 9b22b65..5021ddf 100644
--- a/chromeos/attestation/attestation_flow.cc
+++ b/chromeos/attestation/attestation_flow.cc
@@ -96,7 +96,7 @@ AttestationFlow::~AttestationFlow() {
 void AttestationFlow::GetCertificate(
 AttestationCertificateProfile certificate_profile,
- const std::string& user_email,
+ const std::string& user_id,
 const std::string& request_origin,
 bool force_new_key,
 const CertificateCallback& callback) {
@@ -106,7 +106,7 @@ void AttestationFlow::GetCertificate(
 &AttestationFlow::StartCertificateRequest,
 weak_factory_.GetWeakPtr(),
 certificate_profile,
- user_email,
+ user_id,
 request_origin,
 force_new_key,
 callback);
@@ -191,7 +191,7 @@ void AttestationFlow::OnEnrollComplete(const base::Closure& on_failure,
 void AttestationFlow::StartCertificateRequest(
 AttestationCertificateProfile certificate_profile,
- const std::string& user_email,
+ const std::string& user_id,
 const std::string& request_origin,
 bool generate_new_key,
 const CertificateCallback& callback) {
@@ -202,11 +202,12 @@ void AttestationFlow::StartCertificateRequest(
 // Get the attestation service to create a Privacy CA certificate request.
 async_caller_->AsyncTpmAttestationCreateCertRequest(
 certificate_profile,
- user_email,
+ user_id,
 request_origin,
 base::Bind(&AttestationFlow::SendCertificateRequestToPCA,
 weak_factory_.GetWeakPtr(),
 key_type,
+ user_id,
 key_name,
 callback));
 } else {
@@ -215,6 +216,7 @@ void AttestationFlow::StartCertificateRequest(
 &AttestationFlow::GetExistingCertificate,
 weak_factory_.GetWeakPtr(),
 key_type,
+ user_id,
 key_name,
 callback);
 // If the key does not exist, call this method back with |generate_new_key|
@@ -223,12 +225,13 @@ void AttestationFlow::StartCertificateRequest(
 &AttestationFlow::StartCertificateRequest,
 weak_factory_.GetWeakPtr(),
 certificate_profile,
- user_email,
+ user_id,
 request_origin,
 true,
 callback);
 cryptohome_client_->TpmAttestationDoesKeyExist(
 key_type,
+ user_id,
 key_name,
 base::Bind(&DBusBoolRedirectCallback,
 on_key_exists,
@@ -239,6 +242,7 @@ void AttestationFlow::StartCertificateRequest(
 void AttestationFlow::SendCertificateRequestToPCA(
 AttestationKeyType key_type,
+ const std::string& user_id,
 const std::string& key_name,
 const CertificateCallback& callback,
 bool success,
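Review bot: `user_id` is forwarded unchecked to `TpmAttestationDoesKeyExist`, `GetExistingCertificate` and `SendCertificateRequestToPCA` in the `@@ -202,11 +202,12 @@`, `@@ -215,6 +216,7 @@` and `@@ -223,12 +225,13 @@` hunks of StartCertificateRequest, although it is now the value that ties a user key to a profile. The unit tests changed in this commit expect an empty id together with `KEY_USER`, so an empty string is evidently accepted for user keys; how the daemon resolves that is not visible here. A guard next to where `key_type` is derived, for example `DCHECK(key_type != KEY_USER || !user_id.empty());` (with the affected tests passing a real id), would make the contract explicit. The function body starts and ends outside these hunks.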
@@ -256,12 +260,14 @@ void AttestationFlow::SendCertificateRequestToPCA(
 base::Bind(&AttestationFlow::SendCertificateResponseToDaemon,
 weak_factory_.GetWeakPtr(),
 key_type,
+ user_id,
 key_name,
 callback));
 }
 void AttestationFlow::SendCertificateResponseToDaemon(
 AttestationKeyType key_type,
+ const std::string& user_id,
 const std::string& key_name,
 const CertificateCallback& callback,
 bool success,
@@ -276,16 +282,19 @@ void AttestationFlow::SendCertificateResponseToDaemon(
 // Forward the response to the attestation service to complete the operation.
 async_caller_->AsyncTpmAttestationFinishCertRequest(data,
 key_type,
+ user_id,
 key_name,
 base::Bind(callback));
 }
 void AttestationFlow::GetExistingCertificate(
 AttestationKeyType key_type,
+ const std::string& user_id,
 const std::string& key_name,
 const CertificateCallback& callback) {
 cryptohome_client_->TpmAttestationGetCertificate(
 key_type,
+ user_id,
 key_name,
 base::Bind(&DBusDataMethodCallback, callback));
 }
diff --git a/chromeos/attestation/attestation_flow.h b/chromeos/attestation/attestation_flow.h
index bdbea1e..3c846db 100644
--- a/chromeos/attestation/attestation_flow.h
+++ b/chromeos/attestation/attestation_flow.h
@@ -68,9 +68,9 @@ class CHROMEOS_EXPORT AttestationFlow {
 // Parameters
 // certificate_profile - Specifies what kind of certificate should be
 // requested from the CA.
- // user_email - The canonical email address of the currently active user.
- // This is ignored when not using the content protection
- // profile.
+ // user_id - Identifies the currently active user. For normal GAIA users
+ // this is a canonical email address. This is ignored when using
+ // the enterprise machine cert profile.
 // request_origin - For content protection profiles, certificate requests
 // are origin-specific. This string must uniquely identify
 // the origin of the request.
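Review bot: The new `user_id` comment in the `@@ -68,9 +68,9 @@` hunk of attestation_flow.h says the value is ignored for the enterprise machine cert profile, but nothing in the attestation_flow.cc hunks clears it: the string is passed through to every cryptohome call whatever the key type, so the ignoring, if any, happens in the daemon. The comment should say so, e.g. `// For the enterprise machine cert profile the value is forwarded unchanged and is expected to be ignored by the attestation service.` It would also help to state that callers must pass the same canonical string on every call, since the existing-key lookup now takes it as an argument.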
@@ -81,7 +81,7 @@ class CHROMEOS_EXPORT AttestationFlow {
 // On success |result| will be true and |data| will contain the
 // PCA-issued certificate chain in PEM format.
 virtual void GetCertificate(AttestationCertificateProfile certificate_profile,
- const std::string& user_email,
+ const std::string& user_id,
 const std::string& request_origin,
 bool force_new_key,
 const CertificateCallback& callback);
@@ -142,13 +142,13 @@ class CHROMEOS_EXPORT AttestationFlow {
 // Parameters
 // certificate_profile - Specifies what kind of certificate should be
 // requested from the CA.
- // user_email - The active user's canonical email.
+ // user_id - Identifies the active user.
 // request_origin - An identifier for the origin of this request.
 // generate_new_key - If set to true a new key is generated.
 // callback - Called when the operation completes.
 void StartCertificateRequest(
 const AttestationCertificateProfile certificate_profile,
- const std::string& user_email,
+ const std::string& user_id,
 const std::string& request_origin,
 bool generate_new_key,
 const CertificateCallback& callback);
@@ -159,11 +159,13 @@ class CHROMEOS_EXPORT AttestationFlow {
 //
 // Parameters
 // key_type - The type of the key for which a certificate is requested.
+ // user_id - Identifies the active user.
 // key_name - The name of the key for which a certificate is requested.
 // callback - Called when the operation completes.
 // success - The status of request creation.
 // data - The request data for the Privacy CA.
 void SendCertificateRequestToPCA(AttestationKeyType key_type,
+ const std::string& user_id,
 const std::string& key_name,
 const CertificateCallback& callback,
 bool success,
@@ -175,11 +177,13 @@ class CHROMEOS_EXPORT AttestationFlow {
 //
 // Parameters
 // key_type - The type of the key for which a certificate is requested.
+ // user_id - Identifies the active user.
 // key_name - The name of the key for which a certificate is requested.
 // callback - Called when the operation completes.
 // success - The status of the Privacy CA operation.
 // data - The response data from the Privacy CA.
 void SendCertificateResponseToDaemon(AttestationKeyType key_type,
+ const std::string& user_id,
 const std::string& key_name,
 const CertificateCallback& callback,
 bool success,
@@ -189,9 +193,11 @@ class CHROMEOS_EXPORT AttestationFlow {
 //
 // Parameters
 // key_type - The type of the key for which a certificate is requested.
+ // user_id - Identifies the active user.
 // key_name - The name of the key for which a certificate is requested.
 // callback - Called when the operation completes.
 void GetExistingCertificate(AttestationKeyType key_type,
+ const std::string& user_id,
 const std::string& key_name,
 const CertificateCallback& callback);
diff --git a/chromeos/attestation/attestation_flow_unittest.cc b/chromeos/attestation/attestation_flow_unittest.cc
index 9622230..3597517 100644
--- a/chromeos/attestation/attestation_flow_unittest.cc
+++ b/chromeos/attestation/attestation_flow_unittest.cc
@@ -100,7 +100,7 @@ TEST_F(AttestationFlowTest, GetCertificate) {
 EXPECT_CALL(
 async_caller,
 AsyncTpmAttestationCreateCertRequest(PROFILE_ENTERPRISE_USER_CERTIFICATE,
- "fake_email", "fake_origin", _))
+ "fake@test.com", "fake_origin", _))
 .Times(1)
 .InSequence(flow_order);
@@ -115,6 +115,7 @@ TEST_F(AttestationFlowTest, GetCertificate) {
 EXPECT_CALL(async_caller,
 AsyncTpmAttestationFinishCertRequest(fake_cert_response,
 KEY_USER,
+ "fake@test.com",
 kEnterpriseUserKey,
 _))
 .Times(1)
@@ -132,7 +133,7 @@ TEST_F(AttestationFlowTest, GetCertificate) {
 scoped_ptr proxy_interface(proxy.release());
 AttestationFlow flow(&async_caller, &client, proxy_interface.Pass());
- flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "fake_email",
+ flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "fake@test.com",
 "fake_origin", true, mock_callback);
 Run();
 }
@@ -241,6 +242,7 @@ TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) {
 EXPECT_CALL(async_caller,
 AsyncTpmAttestationFinishCertRequest(fake_cert_response,
 KEY_DEVICE,
+ "",
 kEnterpriseMachineKey,
 _))
 .Times(1);
@@ -366,6 +368,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) {
 EXPECT_CALL(async_caller,
 AsyncTpmAttestationFinishCertRequest(fake_cert_response,
 KEY_USER,
+ "",
 kEnterpriseUserKey,
 _))
 .Times(1);
@@ -374,8 +377,8 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) {
 EXPECT_CALL(client, TpmAttestationIsEnrolled(_))
 .WillRepeatedly(Invoke(DBusCallbackTrue));
 EXPECT_CALL(client,
- TpmAttestationDoesKeyExist(KEY_USER, kEnterpriseUserKey, _))
- .WillRepeatedly(WithArgs<2>(Invoke(DBusCallbackFalse)));
+ TpmAttestationDoesKeyExist(KEY_USER, "", kEnterpriseUserKey, _))
+ .WillRepeatedly(WithArgs<3>(Invoke(DBusCallbackFalse)));
 scoped_ptr proxy(new StrictMock());
 proxy->DeferToFake(true);
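Review bot: The `GetCertificate_CheckExisting` expectations in the `@@ -366,6 +368,7 @@` and `@@ -374,8 +377,8 @@` hunks, and the `GetCertificate_AlreadyExists` ones in the `@@ -406,11 +409,11 @@` hunk that follows, match `""` as the user id for `KEY_USER`, so they cannot tell a correctly forwarded id from one that was dropped on the existing-key path. Only the first `GetCertificate` test uses a real value; the `flow.GetCertificate` calls of the other tests are outside the hunks and presumably pass an empty string. Passing `"fake@test.com"` there and expecting `TpmAttestationDoesKeyExist(KEY_USER, "fake@test.com", kEnterpriseUserKey, _)` (likewise for `TpmAttestationGetCertificate` and `AsyncTpmAttestationFinishCertRequest`) would cover the per-profile lookup this commit adds.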
@@ -406,11 +409,11 @@ TEST_F(AttestationFlowTest, GetCertificate_AlreadyExists) {
 EXPECT_CALL(client, TpmAttestationIsEnrolled(_))
 .WillRepeatedly(Invoke(DBusCallbackTrue));
 EXPECT_CALL(client,
- TpmAttestationDoesKeyExist(KEY_USER, kEnterpriseUserKey, _))
- .WillRepeatedly(WithArgs<2>(Invoke(DBusCallbackTrue)));
+ TpmAttestationDoesKeyExist(KEY_USER, "", kEnterpriseUserKey, _))
+ .WillRepeatedly(WithArgs<3>(Invoke(DBusCallbackTrue)));
 EXPECT_CALL(client,
- TpmAttestationGetCertificate(KEY_USER, kEnterpriseUserKey, _))
- .WillRepeatedly(WithArgs<2>(Invoke(FakeDBusData("fake_cert"))));
+ TpmAttestationGetCertificate(KEY_USER, "", kEnterpriseUserKey, _))
+ .WillRepeatedly(WithArgs<3>(Invoke(FakeDBusData("fake_cert"))));
 // We're not expecting any server calls in this case; StrictMock will verify.
 scoped_ptr proxy(new StrictMock());
--
cgit v1.1