OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chromeos/attestation/attestation_flow.h" | 5 #include "chromeos/attestation/attestation_flow.h" |
6 | 6 |
7 #include <algorithm> | |
7 #include <utility> | 8 #include <utility> |
8 | 9 |
9 #include "base/bind.h" | 10 #include "base/bind.h" |
11 #include "base/memory/ptr_util.h" | |
12 #include "base/time/tick_clock.h" | |
13 #include "base/timer/timer.h" | |
10 #include "chromeos/cryptohome/async_method_caller.h" | 14 #include "chromeos/cryptohome/async_method_caller.h" |
11 #include "chromeos/cryptohome/cryptohome_parameters.h" | 15 #include "chromeos/cryptohome/cryptohome_parameters.h" |
12 #include "chromeos/dbus/cryptohome_client.h" | 16 #include "chromeos/dbus/cryptohome_client.h" |
13 #include "components/signin/core/account_id/account_id.h" | 17 #include "components/signin/core/account_id/account_id.h" |
14 | 18 |
15 namespace chromeos { | 19 namespace chromeos { |
16 namespace attestation { | 20 namespace attestation { |
17 | 21 |
18 namespace { | 22 namespace { |
19 | 23 |
24 // Delay before checking whether attestation has been prepared again. | |
25 constexpr base::TimeDelta kRetryDelay = base::TimeDelta::FromSeconds(7); | |
26 | |
20 // Redirects to one of three callbacks based on a boolean value and dbus call | 27 // Redirects to one of three callbacks based on a boolean value and dbus call |
21 // status. | 28 // status. |
22 // | 29 // |
23 // Parameters | 30 // Parameters |
24 // on_true - Called when status=succes and value=true. | 31 // on_true - Called when status=succes and value=true. |
25 // on_false - Called when status=success and value=false. | 32 // on_false - Called when status=success and value=false. |
26 // on_fail - Called when status=failure. | 33 // on_fail - Called when status=failure. |
27 // status - The D-Bus operation status. | 34 // status - The D-Bus operation status. |
28 // value - The value returned by the D-Bus operation. | 35 // value - The value returned by the D-Bus operation. |
29 void DBusBoolRedirectCallback(const base::Closure& on_true, | 36 void DBusBoolRedirectCallback(const base::Closure& on_true, |
30 const base::Closure& on_false, | 37 const base::Closure& on_false, |
31 const base::Closure& on_fail, | 38 const base::Closure& on_fail, |
39 const std::string& on_fail_message, | |
32 DBusMethodCallStatus status, | 40 DBusMethodCallStatus status, |
33 bool value) { | 41 bool value) { |
34 if (status != DBUS_METHOD_CALL_SUCCESS) { | 42 if (status != DBUS_METHOD_CALL_SUCCESS) { |
35 LOG(ERROR) << "Attestation: Failed to query enrollment state."; | 43 LOG(ERROR) << "Attestation: Failed to " << on_fail_message << "."; |
36 if (!on_fail.is_null()) | 44 if (!on_fail.is_null()) |
37 on_fail.Run(); | 45 on_fail.Run(); |
38 return; | 46 return; |
39 } | 47 } |
40 const base::Closure& task = value ? on_true : on_false; | 48 const base::Closure& task = value ? on_true : on_false; |
41 if (!task.is_null()) | 49 if (!task.is_null()) |
42 task.Run(); | 50 task.Run(); |
43 } | 51 } |
44 | 52 |
45 void DBusDataMethodCallback( | 53 void DBusDataMethodCallback( |
46 const AttestationFlow::CertificateCallback& callback, | 54 const AttestationFlow::CertificateCallback& callback, |
47 DBusMethodCallStatus status, | 55 DBusMethodCallStatus status, |
48 bool result, | 56 bool result, |
49 const std::string& data) { | 57 const std::string& data) { |
50 if (status != DBUS_METHOD_CALL_SUCCESS) { | 58 if (status != DBUS_METHOD_CALL_SUCCESS) { |
51 LOG(ERROR) << "Attestation: DBus data operation failed."; | 59 LOG(ERROR) << "Attestation: DBus data operation failed."; |
52 if (!callback.is_null()) | 60 if (!callback.is_null()) |
53 callback.Run(false, ""); | 61 callback.Run(false, ""); |
54 return; | 62 return; |
55 } | 63 } |
56 if (!callback.is_null()) | 64 if (!callback.is_null()) |
57 callback.Run(result, data); | 65 callback.Run(result, data); |
58 } | 66 } |
59 | 67 |
60 } // namespace | 68 } // namespace |
61 | 69 |
70 struct AttestationFlow::RetryData { | |
71 RetryData(base::TimeDelta timeout, base::TickClock* tick_clock) | |
72 : timeout(timeout), | |
73 tick_clock(tick_clock), | |
74 retry_timer(tick_clock), | |
75 begin(tick_clock->NowTicks()) {} | |
76 base::TimeDelta timeout; | |
77 base::TickClock* tick_clock; | |
78 base::OneShotTimer retry_timer; | |
79 base::TimeTicks begin; | |
80 }; | |
81 | |
62 AttestationKeyType AttestationFlow::GetKeyTypeForProfile( | 82 AttestationKeyType AttestationFlow::GetKeyTypeForProfile( |
63 AttestationCertificateProfile certificate_profile) { | 83 AttestationCertificateProfile certificate_profile) { |
64 switch (certificate_profile) { | 84 switch (certificate_profile) { |
65 case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: | 85 case PROFILE_ENTERPRISE_MACHINE_CERTIFICATE: |
66 case PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE: | 86 case PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE: |
67 return KEY_DEVICE; | 87 return KEY_DEVICE; |
68 case PROFILE_ENTERPRISE_USER_CERTIFICATE: | 88 case PROFILE_ENTERPRISE_USER_CERTIFICATE: |
69 case PROFILE_CONTENT_PROTECTION_CERTIFICATE: | 89 case PROFILE_CONTENT_PROTECTION_CERTIFICATE: |
70 return KEY_USER; | 90 return KEY_USER; |
71 } | 91 } |
(...skipping 12 matching lines...) Expand all Loading... | |
84 return kEnterpriseUserKey; | 104 return kEnterpriseUserKey; |
85 case PROFILE_CONTENT_PROTECTION_CERTIFICATE: | 105 case PROFILE_CONTENT_PROTECTION_CERTIFICATE: |
86 return std::string(kContentProtectionKeyPrefix) + request_origin; | 106 return std::string(kContentProtectionKeyPrefix) + request_origin; |
87 } | 107 } |
88 NOTREACHED(); | 108 NOTREACHED(); |
89 return ""; | 109 return ""; |
90 } | 110 } |
91 | 111 |
92 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, | 112 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, |
93 CryptohomeClient* cryptohome_client, | 113 CryptohomeClient* cryptohome_client, |
94 std::unique_ptr<ServerProxy> server_proxy) | 114 std::unique_ptr<ServerProxy> server_proxy, |
115 base::TimeDelta preparedness_timeout) | |
95 : async_caller_(async_caller), | 116 : async_caller_(async_caller), |
96 cryptohome_client_(cryptohome_client), | 117 cryptohome_client_(cryptohome_client), |
97 server_proxy_(std::move(server_proxy)), | 118 server_proxy_(std::move(server_proxy)), |
119 preparedness_timeout_(preparedness_timeout), | |
98 weak_factory_(this) {} | 120 weak_factory_(this) {} |
99 | 121 |
100 AttestationFlow::~AttestationFlow() { | 122 AttestationFlow::~AttestationFlow() { |
101 } | 123 } |
102 | 124 |
103 void AttestationFlow::GetCertificate( | 125 void AttestationFlow::GetCertificate( |
104 AttestationCertificateProfile certificate_profile, | 126 AttestationCertificateProfile certificate_profile, |
105 const AccountId& account_id, | 127 const AccountId& account_id, |
106 const std::string& request_origin, | 128 const std::string& request_origin, |
107 bool force_new_key, | 129 bool force_new_key, |
108 const CertificateCallback& callback) { | 130 const CertificateCallback& callback) { |
109 // If this device has not enrolled with the Privacy CA, we need to do that | 131 // If this device has not enrolled with the Privacy CA, we need to do that |
110 // first. Once enrolled we can proceed with the certificate request. | 132 // first. Once enrolled we can proceed with the certificate request. |
111 base::Closure do_cert_request = base::Bind( | 133 base::Closure do_cert_request = base::Bind( |
112 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 134 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), |
113 certificate_profile, account_id, request_origin, force_new_key, callback); | 135 certificate_profile, account_id, request_origin, force_new_key, callback); |
114 base::Closure on_enroll_failure = base::Bind(callback, false, ""); | 136 base::Closure on_enroll_failure = base::Bind(callback, false, ""); |
115 base::Closure do_enroll = base::Bind(&AttestationFlow::StartEnroll, | 137 base::Closure initiate_enroll = |
achuithb
2016/12/05 19:53:59
const.
on_enroll_failure too
| |
116 weak_factory_.GetWeakPtr(), | 138 base::Bind(&AttestationFlow::InitiateEnroll, weak_factory_.GetWeakPtr(), |
117 on_enroll_failure, | 139 on_enroll_failure, do_cert_request); |
118 do_cert_request); | 140 cryptohome_client_->TpmAttestationIsEnrolled( |
119 cryptohome_client_->TpmAttestationIsEnrolled(base::Bind( | 141 base::Bind(&DBusBoolRedirectCallback, |
120 &DBusBoolRedirectCallback, | 142 do_cert_request, // If enrolled, proceed with cert request. |
121 do_cert_request, // If enrolled, proceed with cert request. | 143 initiate_enroll, // If not enrolled, initiate enrollment. |
122 do_enroll, // If not enrolled, initiate enrollment. | 144 on_enroll_failure, "check enrollment state")); |
123 on_enroll_failure)); | 145 } |
146 | |
147 void AttestationFlow::SetTickClockForTest(base::TickClock* tick_clock) { | |
148 tick_clock_ = tick_clock; | |
149 } | |
150 | |
151 void AttestationFlow::InitiateEnroll(const base::Closure& on_failure, | |
152 const base::Closure& next_task) { | |
153 TryInitiateEnroll(new RetryData(preparedness_timeout_, tick_clock_), | |
achuithb
2016/12/05 19:53:59
YOu should pass ownership with a unique_ptr.
Shou
| |
154 on_failure, next_task); | |
155 } | |
156 | |
157 void AttestationFlow::TryInitiateEnroll(RetryData* retry_data, | |
158 const base::Closure& on_failure, | |
159 const base::Closure& next_task) { | |
160 base::Closure do_enroll = base::Bind( | |
achuithb
2016/12/05 19:53:59
const here and below
| |
161 &AttestationFlow::DoneRetrying, weak_factory_.GetWeakPtr(), retry_data, | |
162 base::Bind(&AttestationFlow::StartEnroll, weak_factory_.GetWeakPtr(), | |
163 on_failure, next_task)); | |
164 base::Closure retry_initiate_enroll = base::Bind( | |
165 &AttestationFlow::StillRetrying, weak_factory_.GetWeakPtr(), retry_data, | |
166 base::Bind(&AttestationFlow::DoneRetrying, weak_factory_.GetWeakPtr(), | |
167 retry_data, on_failure), | |
168 base::Bind(&AttestationFlow::TryInitiateEnroll, | |
169 weak_factory_.GetWeakPtr(), retry_data, on_failure, | |
170 next_task)); | |
171 base::Closure do_fail = | |
172 base::Bind(&AttestationFlow::DoneRetrying, weak_factory_.GetWeakPtr(), | |
173 retry_data, on_failure); | |
174 cryptohome_client_->TpmAttestationIsPrepared( | |
175 base::Bind(&DBusBoolRedirectCallback, do_enroll, retry_initiate_enroll, | |
176 do_fail, "check for attestation readiness")); | |
124 } | 177 } |
125 | 178 |
126 void AttestationFlow::StartEnroll(const base::Closure& on_failure, | 179 void AttestationFlow::StartEnroll(const base::Closure& on_failure, |
127 const base::Closure& next_task) { | 180 const base::Closure& next_task) { |
128 // Get the attestation service to create a Privacy CA enrollment request. | 181 // Get the attestation service to create a Privacy CA enrollment request. |
129 async_caller_->AsyncTpmAttestationCreateEnrollRequest( | 182 async_caller_->AsyncTpmAttestationCreateEnrollRequest( |
130 server_proxy_->GetType(), | 183 server_proxy_->GetType(), |
131 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, | 184 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, |
132 weak_factory_.GetWeakPtr(), | 185 weak_factory_.GetWeakPtr(), |
133 on_failure, | 186 on_failure, |
(...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
215 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), | 268 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), |
216 key_type, account_id, key_name, callback); | 269 key_type, account_id, key_name, callback); |
217 // If the key does not exist, call this method back with |generate_new_key| | 270 // If the key does not exist, call this method back with |generate_new_key| |
218 // set to true. | 271 // set to true. |
219 base::Closure on_key_not_exists = base::Bind( | 272 base::Closure on_key_not_exists = base::Bind( |
220 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 273 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), |
221 certificate_profile, account_id, request_origin, true, callback); | 274 certificate_profile, account_id, request_origin, true, callback); |
222 cryptohome_client_->TpmAttestationDoesKeyExist( | 275 cryptohome_client_->TpmAttestationDoesKeyExist( |
223 key_type, cryptohome::Identification(account_id), key_name, | 276 key_type, cryptohome::Identification(account_id), key_name, |
224 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, | 277 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, |
225 base::Bind(callback, false, ""))); | 278 base::Bind(callback, false, ""), |
279 "check for existence of attestation key")); | |
226 } | 280 } |
227 } | 281 } |
228 | 282 |
229 void AttestationFlow::SendCertificateRequestToPCA( | 283 void AttestationFlow::SendCertificateRequestToPCA( |
230 AttestationKeyType key_type, | 284 AttestationKeyType key_type, |
231 const AccountId& account_id, | 285 const AccountId& account_id, |
232 const std::string& key_name, | 286 const std::string& key_name, |
233 const CertificateCallback& callback, | 287 const CertificateCallback& callback, |
234 bool success, | 288 bool success, |
235 const std::string& data) { | 289 const std::string& data) { |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
270 void AttestationFlow::GetExistingCertificate( | 324 void AttestationFlow::GetExistingCertificate( |
271 AttestationKeyType key_type, | 325 AttestationKeyType key_type, |
272 const AccountId& account_id, | 326 const AccountId& account_id, |
273 const std::string& key_name, | 327 const std::string& key_name, |
274 const CertificateCallback& callback) { | 328 const CertificateCallback& callback) { |
275 cryptohome_client_->TpmAttestationGetCertificate( | 329 cryptohome_client_->TpmAttestationGetCertificate( |
276 key_type, cryptohome::Identification(account_id), key_name, | 330 key_type, cryptohome::Identification(account_id), key_name, |
277 base::Bind(&DBusDataMethodCallback, callback)); | 331 base::Bind(&DBusDataMethodCallback, callback)); |
278 } | 332 } |
279 | 333 |
334 void AttestationFlow::StillRetrying(RetryData* retry_data, | |
335 const base::Closure& on_giving_up, | |
336 const base::Closure& on_retrying) { | |
337 base::TimeTicks now = retry_data->tick_clock->NowTicks(); | |
achuithb
2016/12/05 19:53:59
const
| |
338 base::TimeDelta elapsed = now - retry_data->begin; | |
achuithb
2016/12/05 19:53:59
const
| |
339 if (elapsed + kRetryDelay > retry_data->timeout) { | |
340 LOG(ERROR) << "Attestation: Not prepared." | |
341 << " Giving up on retrying after " << elapsed << "."; | |
342 if (!on_giving_up.is_null()) | |
343 on_giving_up.Run(); | |
344 } else { | |
345 LOG(WARNING) << "Attestation: Not prepared yet." | |
achuithb
2016/12/05 19:53:59
Should this be a LOG(WARNING)? Maybe VLOG(1)?
| |
346 << " Retrying in " << kRetryDelay << "."; | |
347 retry_data->retry_timer.Start(FROM_HERE, kRetryDelay, on_retrying); | |
348 } | |
349 } | |
350 | |
351 void AttestationFlow::DoneRetrying(RetryData* retry_data, | |
achuithb
2016/12/05 19:53:59
We don's pass naked pointers around like this with
| |
352 const base::Closure& continuation) { | |
353 retry_data->retry_timer.Stop(); | |
354 delete retry_data; | |
apronin1
2016/12/05 19:25:50
Not a big fan of deleting using the pointer passed
| |
355 if (!continuation.is_null()) | |
356 continuation.Run(); | |
357 } | |
358 | |
280 ServerProxy::~ServerProxy() {} | 359 ServerProxy::~ServerProxy() {} |
281 | 360 |
282 PrivacyCAType ServerProxy::GetType() { | 361 PrivacyCAType ServerProxy::GetType() { |
283 return DEFAULT_PCA; | 362 return DEFAULT_PCA; |
284 } | 363 } |
285 | 364 |
286 } // namespace attestation | 365 } // namespace attestation |
287 } // namespace chromeos | 366 } // namespace chromeos |
OLD | NEW |