OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ | 5 #ifndef CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ |
6 #define CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ | 6 #define CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ |
7 | 7 |
8 #include <map> | |
8 #include <memory> | 9 #include <memory> |
9 #include <string> | 10 #include <string> |
10 | 11 |
11 #include "base/callback_forward.h" | 12 #include "base/callback_forward.h" |
13 #include "base/gtest_prod_util.h" | |
14 #include "base/gtest_prod_util.h" | |
Darren Krahn
2016/12/06 17:31:25
included twice
| |
12 #include "base/macros.h" | 15 #include "base/macros.h" |
13 #include "base/memory/weak_ptr.h" | 16 #include "base/memory/weak_ptr.h" |
17 #include "base/time/tick_clock.h" | |
18 #include "base/time/time.h" | |
19 #include "base/timer/timer.h" | |
14 #include "chromeos/attestation/attestation_constants.h" | 20 #include "chromeos/attestation/attestation_constants.h" |
15 #include "chromeos/chromeos_export.h" | 21 #include "chromeos/chromeos_export.h" |
16 #include "chromeos/dbus/dbus_method_call_status.h" | 22 #include "chromeos/dbus/dbus_method_call_status.h" |
17 #include "third_party/cros_system_api/dbus/service_constants.h" | 23 #include "third_party/cros_system_api/dbus/service_constants.h" |
18 | 24 |
19 class AccountId; | 25 class AccountId; |
20 | 26 |
21 namespace cryptohome { | 27 namespace cryptohome { |
22 | 28 |
23 class AsyncMethodCaller; | 29 class AsyncMethodCaller; |
(...skipping 15 matching lines...) Expand all Loading... | |
39 virtual void SendEnrollRequest(const std::string& request, | 45 virtual void SendEnrollRequest(const std::string& request, |
40 const DataCallback& on_response) = 0; | 46 const DataCallback& on_response) = 0; |
41 virtual void SendCertificateRequest(const std::string& request, | 47 virtual void SendCertificateRequest(const std::string& request, |
42 const DataCallback& on_response) = 0; | 48 const DataCallback& on_response) = 0; |
43 virtual PrivacyCAType GetType(); | 49 virtual PrivacyCAType GetType(); |
44 }; | 50 }; |
45 | 51 |
46 // Implements the message flow for Chrome OS attestation tasks. Generally this | 52 // Implements the message flow for Chrome OS attestation tasks. Generally this |
47 // consists of coordinating messages between the Chrome OS attestation service | 53 // consists of coordinating messages between the Chrome OS attestation service |
48 // and the Chrome OS Privacy CA server. Sample usage: | 54 // and the Chrome OS Privacy CA server. Sample usage: |
55 // | |
49 // AttestationFlow flow(AsyncMethodCaller::GetInstance(), | 56 // AttestationFlow flow(AsyncMethodCaller::GetInstance(), |
50 // DBusThreadManager::Get().GetCryptohomeClient(), | 57 // DBusThreadManager::Get().GetCryptohomeClient(), |
51 // std::move(my_server_proxy)); | 58 // std::move(my_server_proxy)); |
52 // AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback); | 59 // AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback); |
53 // flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback); | 60 // flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback); |
61 // | |
62 // This class is not thread safe. | |
54 class CHROMEOS_EXPORT AttestationFlow { | 63 class CHROMEOS_EXPORT AttestationFlow { |
55 public: | 64 public: |
56 typedef base::Callback<void(bool success, | 65 typedef base::Callback<void(bool success, |
57 const std::string& pem_certificate_chain)> | 66 const std::string& pem_certificate_chain)> |
58 CertificateCallback; | 67 CertificateCallback; |
59 | 68 |
60 // Returns the attestation key type for a given |certificate_profile|. | 69 // Returns the attestation key type for a given |certificate_profile|. |
61 // | 70 // |
62 // Parameters | 71 // Parameters |
63 // certificate_profile - Specifies what kind of certificate the key is for. | 72 // certificate_profile - Specifies what kind of certificate the key is for. |
64 static AttestationKeyType GetKeyTypeForProfile( | 73 static AttestationKeyType GetKeyTypeForProfile( |
65 AttestationCertificateProfile certificate_profile); | 74 AttestationCertificateProfile certificate_profile); |
66 | 75 |
67 // Returns the name of the key for a given certificate profile. The | 76 // Returns the name of the key for a given certificate profile. The |
68 // |request_origin| parameter is for PROFILE_CONTENT_PROTECTION_CERTIFICATE | 77 // |request_origin| parameter is for PROFILE_CONTENT_PROTECTION_CERTIFICATE |
69 // profiles and is ignored for other profiles. | 78 // profiles and is ignored for other profiles. |
70 // | 79 // |
71 // Parameters | 80 // Parameters |
72 // certificate_profile - Specifies what kind of certificate the key is for. | 81 // certificate_profile - Specifies what kind of certificate the key is for. |
73 // request_origin - For content protection profiles, certificate requests | 82 // request_origin - For content protection profiles, certificate requests |
74 // are origin-specific. This string must uniquely identify | 83 // are origin-specific. This string must uniquely identify |
75 // the origin of the request. | 84 // the origin of the request. |
76 static std::string GetKeyNameForProfile( | 85 static std::string GetKeyNameForProfile( |
77 AttestationCertificateProfile certificate_profile, | 86 AttestationCertificateProfile certificate_profile, |
78 const std::string& request_origin); | 87 const std::string& request_origin); |
79 | 88 |
89 // Creates an attestation flow which will retry for attestation | |
90 // preparedness for a reasonable amount of time. | |
Darren Krahn
2016/12/06 17:31:25
nit: It does a lot of other things too. I don't th
| |
80 AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, | 91 AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, |
81 CryptohomeClient* cryptohome_client, | 92 CryptohomeClient* cryptohome_client, |
82 std::unique_ptr<ServerProxy> server_proxy); | 93 std::unique_ptr<ServerProxy> server_proxy); |
83 virtual ~AttestationFlow(); | 94 virtual ~AttestationFlow(); |
84 | 95 |
96 // Sets the timeout for attestation preparedness. | |
97 void SetPreparednessTimeout(base::TimeDelta preparedness_timeout) { | |
Darren Krahn
2016/12/06 17:31:25
nit: use set_timeout() and timeout() style.
optio
| |
98 preparedness_timeout_ = preparedness_timeout; | |
99 } | |
100 // Gets the timeout for attestation preparedness. | |
101 base::TimeDelta GetPreparednessTimeout() const { | |
102 return preparedness_timeout_; | |
103 } | |
104 | |
85 // Gets an attestation certificate for a hardware-protected key. If a key for | 105 // Gets an attestation certificate for a hardware-protected key. If a key for |
86 // the given profile does not exist, it will be generated and a certificate | 106 // the given profile does not exist, it will be generated and a certificate |
87 // request will be made to the Chrome OS Privacy CA to issue a certificate for | 107 // request will be made to the Chrome OS Privacy CA to issue a certificate for |
88 // the key. If the key already exists and |force_new_key| is false, the | 108 // the key. If the key already exists and |force_new_key| is false, the |
89 // existing certificate is returned. | 109 // existing certificate is returned. |
90 // | 110 // |
91 // Parameters | 111 // Parameters |
92 // certificate_profile - Specifies what kind of certificate should be | 112 // certificate_profile - Specifies what kind of certificate should be |
93 // requested from the CA. | 113 // requested from the CA. |
94 // account_id - Identifies the currently active user. This is ignored when | 114 // account_id - Identifies the currently active user. This is ignored when |
95 // using the enterprise machine cert profile. | 115 // using the enterprise machine cert profile. |
96 // request_origin - For content protection profiles, certificate requests | 116 // request_origin - For content protection profiles, certificate requests |
97 // are origin-specific. This string must uniquely identify | 117 // are origin-specific. This string must uniquely identify |
98 // the origin of the request. | 118 // the origin of the request. |
99 // force_new_key - If set to true, a new key will be generated even if a key | 119 // force_new_key - If set to true, a new key will be generated even if a key |
100 // already exists for the profile. The new key will replace | 120 // already exists for the profile. The new key will replace |
101 // the existing key on success. | 121 // the existing key on success. |
102 // callback - A callback which will be called when the operation completes. | 122 // callback - A callback which will be called when the operation completes. |
103 // On success |result| will be true and |data| will contain the | 123 // On success |result| will be true and |data| will contain the |
104 // PCA-issued certificate chain in PEM format. | 124 // PCA-issued certificate chain in PEM format. |
105 virtual void GetCertificate(AttestationCertificateProfile certificate_profile, | 125 virtual void GetCertificate(AttestationCertificateProfile certificate_profile, |
106 const AccountId& account_id, | 126 const AccountId& account_id, |
107 const std::string& request_origin, | 127 const std::string& request_origin, |
108 bool force_new_key, | 128 bool force_new_key, |
109 const CertificateCallback& callback); | 129 const CertificateCallback& callback); |
110 | 130 |
131 // Sets the tick clock for tests. | |
132 void SetTickClockForTest(base::TickClock* tick_clock); | |
133 | |
111 private: | 134 private: |
135 FRIEND_TEST_ALL_PREFIXES(AttestationFlowTest, CreateRetryData); | |
136 | |
137 using RetryId = int16_t; | |
138 constexpr static RetryId kInvalidRetryId = -1; | |
139 | |
140 struct RetryData; | |
141 | |
142 // Creates (retrieves) retry data. These data are then identified by a | |
143 // retry identifier. | |
144 RetryId CreateRetryData(); | |
145 RetryData& GetRetryData(RetryId retry_id); | |
146 | |
112 // Asynchronously initiates the attestation enrollment flow. | 147 // Asynchronously initiates the attestation enrollment flow. |
148 // If attestation is not ready yet, retry as needed. | |
113 // | 149 // |
114 // Parameters | 150 // Parameters |
115 // on_failure - Called if any failure occurs. | 151 // on_failure - Called if any failure occurs. |
152 // next_task - Called on successful enrollment. | |
153 void InitiateEnroll(const base::Closure& on_failure, | |
Darren Krahn
2016/12/06 17:31:25
Better naming please. The semantic difference betw
| |
154 const base::Closure& next_task); | |
155 | |
156 // Asynchronously tries to initiate the attestation enrollment flow. | |
157 // If attestation is not ready yet, retry as needed. | |
Darren Krahn
2016/12/06 17:31:25
This is identical to InitiateEnroll above, they do
| |
158 // | |
159 // Parameters | |
160 // retry_data - Data to manage retries. | |
161 // on_failure - Called if any failure occurs. | |
162 // next_task - Called on successful enrollment. | |
163 void TryInitiateEnroll(RetryId retry_id, | |
164 const base::Closure& on_failure, | |
165 const base::Closure& next_task); | |
166 | |
167 // Called when atestation is not prepared yet, to re-initiate enrollment | |
Darren Krahn
2016/12/06 17:31:25
sp:atestation->attestation
| |
168 // after a delay. | |
169 // | |
170 // Parameters | |
171 // on_failure - Called if any failure occurs. | |
172 // next_task - Called on successful enrollment. | |
173 void RetryInitiateEnroll(const base::Closure& on_failure, | |
174 const base::Closure& next_task); | |
175 | |
176 // Called when attestation is prepared, to start the actual enrollment flow. | |
177 // | |
178 // Parameters | |
179 // on_failure - Called if any failure occurs. | |
116 // next_task - Called on successful enrollment. | 180 // next_task - Called on successful enrollment. |
117 void StartEnroll(const base::Closure& on_failure, | 181 void StartEnroll(const base::Closure& on_failure, |
118 const base::Closure& next_task); | 182 const base::Closure& next_task); |
119 | 183 |
120 // Called when the attestation daemon has finished creating an enrollment | 184 // Called when the attestation daemon has finished creating an enrollment |
121 // request for the Privacy CA. The request is asynchronously forwarded as-is | 185 // request for the Privacy CA. The request is asynchronously forwarded as-is |
122 // to the PCA. | 186 // to the PCA. |
123 // | 187 // |
124 // Parameters | 188 // Parameters |
125 // on_failure - Called if any failure occurs. | 189 // on_failure - Called if any failure occurs. |
(...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
216 // Parameters | 280 // Parameters |
217 // key_type - The type of the key for which a certificate is requested. | 281 // key_type - The type of the key for which a certificate is requested. |
218 // account_id - Identifies the active user. | 282 // account_id - Identifies the active user. |
219 // key_name - The name of the key for which a certificate is requested. | 283 // key_name - The name of the key for which a certificate is requested. |
220 // callback - Called when the operation completes. | 284 // callback - Called when the operation completes. |
221 void GetExistingCertificate(AttestationKeyType key_type, | 285 void GetExistingCertificate(AttestationKeyType key_type, |
222 const AccountId& account_id, | 286 const AccountId& account_id, |
223 const std::string& key_name, | 287 const std::string& key_name, |
224 const CertificateCallback& callback); | 288 const CertificateCallback& callback); |
225 | 289 |
290 void StartRetrying(const base::Closure& on_giving_up, | |
291 const base::Closure& on_retrying); | |
292 // Handles retries. If |retry_data| indicates that we are done retrying, | |
293 // runs |on_giving_up|, otherwise runs |on_retrying| after a delay. | |
294 void StillRetrying(RetryId retry_id, | |
295 const base::Closure& on_giving_up, | |
296 const base::Closure& on_retrying); | |
297 // Handles the end of retries. Deletes |retry_data| and runs |continuation|. | |
298 void DoneRetrying(RetryId retry_id, const base::Closure& continuation); | |
Darren Krahn
2016/12/06 17:31:25
6 methods and a data structure to implement retry,
| |
299 | |
226 cryptohome::AsyncMethodCaller* async_caller_; | 300 cryptohome::AsyncMethodCaller* async_caller_; |
227 CryptohomeClient* cryptohome_client_; | 301 CryptohomeClient* cryptohome_client_; |
228 std::unique_ptr<ServerProxy> server_proxy_; | 302 std::unique_ptr<ServerProxy> server_proxy_; |
229 | 303 |
304 base::TimeDelta preparedness_timeout_; | |
305 base::TickClock* tick_clock_ = nullptr; | |
306 | |
307 std::map<RetryId, std::unique_ptr<RetryData>> retries_; | |
308 RetryId next_retry_id_ = 0; | |
309 | |
230 base::WeakPtrFactory<AttestationFlow> weak_factory_; | 310 base::WeakPtrFactory<AttestationFlow> weak_factory_; |
231 | 311 |
232 DISALLOW_COPY_AND_ASSIGN(AttestationFlow); | 312 DISALLOW_COPY_AND_ASSIGN(AttestationFlow); |
233 }; | 313 }; |
234 | 314 |
235 } // namespace attestation | 315 } // namespace attestation |
236 } // namespace chromeos | 316 } // namespace chromeos |
237 | 317 |
238 #endif // CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ | 318 #endif // CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_ |
OLD | NEW |