1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
#define CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
#include <string>
#include "base/callback_forward.h"
#include "base/macros.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chromeos/attestation/attestation_constants.h"
#include "chromeos/chromeos_export.h"
#include "chromeos/dbus/dbus_method_call_status.h"
#include "third_party/cros_system_api/dbus/service_constants.h"
class AccountId;
namespace cryptohome {
class AsyncMethodCaller;
} // namespace cryptohome
namespace chromeos {
class CryptohomeClient;
namespace attestation {
// Interface for access to the Privacy CA server.
class CHROMEOS_EXPORT ServerProxy {
public:
typedef base::Callback<void(bool success,
const std::string& data)> DataCallback;
virtual ~ServerProxy();
virtual void SendEnrollRequest(const std::string& request,
const DataCallback& on_response) = 0;
virtual void SendCertificateRequest(const std::string& request,
const DataCallback& on_response) = 0;
virtual PrivacyCAType GetType();
};
// Implements the message flow for Chrome OS attestation tasks. Generally this
// consists of coordinating messages between the Chrome OS attestation service
// and the Chrome OS Privacy CA server. Sample usage:
// AttestationFlow flow(AsyncMethodCaller::GetInstance(),
// DBusThreadManager::Get().GetCryptohomeClient(),
// std::move(my_server_proxy));
// AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback);
// flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback);
class CHROMEOS_EXPORT AttestationFlow {
public:
typedef base::Callback<void(bool success,
const std::string& pem_certificate_chain)>
CertificateCallback;
AttestationFlow(cryptohome::AsyncMethodCaller* async_caller,
CryptohomeClient* cryptohome_client,
scoped_ptr<ServerProxy> server_proxy);
virtual ~AttestationFlow();
// Gets an attestation certificate for a hardware-protected key. If a key for
// the given profile does not exist, it will be generated and a certificate
// request will be made to the Chrome OS Privacy CA to issue a certificate for
// the key. If the key already exists and |force_new_key| is false, the
// existing certificate is returned.
//
// Parameters
// certificate_profile - Specifies what kind of certificate should be
// requested from the CA.
// account_id - Identifies the currently active user. This is ignored when
// using the enterprise machine cert profile.
// request_origin - For content protection profiles, certificate requests
// are origin-specific. This string must uniquely identify
// the origin of the request.
// force_new_key - If set to true, a new key will be generated even if a key
// already exists for the profile. The new key will replace
// the existing key on success.
// callback - A callback which will be called when the operation completes.
// On success |result| will be true and |data| will contain the
// PCA-issued certificate chain in PEM format.
virtual void GetCertificate(AttestationCertificateProfile certificate_profile,
const AccountId& account_id,
const std::string& request_origin,
bool force_new_key,
const CertificateCallback& callback);
private:
// Asynchronously initiates the attestation enrollment flow.
//
// Parameters
// on_failure - Called if any failure occurs.
// next_task - Called on successful enrollment.
void StartEnroll(const base::Closure& on_failure,
const base::Closure& next_task);
// Called when the attestation daemon has finished creating an enrollment
// request for the Privacy CA. The request is asynchronously forwarded as-is
// to the PCA.
//
// Parameters
// on_failure - Called if any failure occurs.
// next_task - Called on successful enrollment.
// success - The status of request creation.
// data - The request data for the Privacy CA.
void SendEnrollRequestToPCA(const base::Closure& on_failure,
const base::Closure& next_task,
bool success,
const std::string& data);
// Called when the Privacy CA responds to an enrollment request. The response
// is asynchronously forwarded as-is to the attestation daemon in order to
// complete the enrollment operation.
//
// Parameters
// on_failure - Called if any failure occurs.
// next_task - Called on successful enrollment.
// success - The status of the Privacy CA operation.
// data - The response data from the Privacy CA.
void SendEnrollResponseToDaemon(const base::Closure& on_failure,
const base::Closure& next_task,
bool success,
const std::string& data);
// Called when the attestation daemon completes an enrollment operation. If
// the operation was successful, the next_task callback is called.
//
// Parameters
// on_failure - Called if any failure occurs.
// next_task - Called on successful enrollment.
// success - The status of the enrollment operation.
// not_used - An artifact of the cryptohome D-Bus interface; ignored.
void OnEnrollComplete(const base::Closure& on_failure,
const base::Closure& next_task,
bool success,
cryptohome::MountError not_used);
// Asynchronously initiates the certificate request flow. Attestation
// enrollment must complete successfully before this operation can succeed.
//
// Parameters
// certificate_profile - Specifies what kind of certificate should be
// requested from the CA.
// account_id - Identifies the active user.
// request_origin - An identifier for the origin of this request.
// generate_new_key - If set to true a new key is generated.
// callback - Called when the operation completes.
void StartCertificateRequest(
const AttestationCertificateProfile certificate_profile,
const AccountId& account_id,
const std::string& request_origin,
bool generate_new_key,
const CertificateCallback& callback);
// Called when the attestation daemon has finished creating a certificate
// request for the Privacy CA. The request is asynchronously forwarded as-is
// to the PCA.
//
// Parameters
// key_type - The type of the key for which a certificate is requested.
// account_id - Identifies the active user.
// key_name - The name of the key for which a certificate is requested.
// callback - Called when the operation completes.
// success - The status of request creation.
// data - The request data for the Privacy CA.
void SendCertificateRequestToPCA(AttestationKeyType key_type,
const AccountId& account_id,
const std::string& key_name,
const CertificateCallback& callback,
bool success,
const std::string& data);
// Called when the Privacy CA responds to a certificate request. The response
// is asynchronously forwarded as-is to the attestation daemon in order to
// complete the operation.
//
// Parameters
// key_type - The type of the key for which a certificate is requested.
// account_id - Identifies the active user.
// key_name - The name of the key for which a certificate is requested.
// callback - Called when the operation completes.
// success - The status of the Privacy CA operation.
// data - The response data from the Privacy CA.
void SendCertificateResponseToDaemon(AttestationKeyType key_type,
const AccountId& account_id,
const std::string& key_name,
const CertificateCallback& callback,
bool success,
const std::string& data);
// Gets an existing certificate from the attestation daemon.
//
// Parameters
// key_type - The type of the key for which a certificate is requested.
// account_id - Identifies the active user.
// key_name - The name of the key for which a certificate is requested.
// callback - Called when the operation completes.
void GetExistingCertificate(AttestationKeyType key_type,
const AccountId& account_id,
const std::string& key_name,
const CertificateCallback& callback);
cryptohome::AsyncMethodCaller* async_caller_;
CryptohomeClient* cryptohome_client_;
scoped_ptr<ServerProxy> server_proxy_;
base::WeakPtrFactory<AttestationFlow> weak_factory_;
DISALLOW_COPY_AND_ASSIGN(AttestationFlow);
};
} // namespace attestation
} // namespace chromeos
#endif // CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
|
