| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chromeos/attestation/attestation_flow.h" | 5 #include "chromeos/attestation/attestation_flow.h" |
| 6 | 6 |
| 7 #include <algorithm> |
| 7 #include <utility> | 8 #include <utility> |
| 8 | 9 |
| 9 #include "base/bind.h" | 10 #include "base/bind.h" |
| 11 #include "base/memory/ptr_util.h" |
| 12 #include "base/message_loop/message_loop.h" |
| 13 #include "base/timer/timer.h" |
| 10 #include "chromeos/cryptohome/async_method_caller.h" | 14 #include "chromeos/cryptohome/async_method_caller.h" |
| 11 #include "chromeos/cryptohome/cryptohome_parameters.h" | 15 #include "chromeos/cryptohome/cryptohome_parameters.h" |
| 12 #include "chromeos/dbus/cryptohome_client.h" | 16 #include "chromeos/dbus/cryptohome_client.h" |
| 13 #include "components/signin/core/account_id/account_id.h" | 17 #include "components/signin/core/account_id/account_id.h" |
| 14 | 18 |
| 15 namespace chromeos { | 19 namespace chromeos { |
| 16 namespace attestation { | 20 namespace attestation { |
| 17 | 21 |
| 18 namespace { | 22 namespace { |
| 19 | 23 |
| 24 // A reasonable timeout that gives enough time for attestation to be ready, |
| 25 // yet does not make the caller wait too long. |
| 26 constexpr uint16_t kReadyTimeoutInSeconds = 60; |
| 27 |
| 28 // Delay before checking again whether the TPM has been prepared for |
| 29 // attestation. |
| 30 constexpr uint16_t kRetryDelayInMilliseconds = 300; |
| 31 |
| 20 // Redirects to one of three callbacks based on a boolean value and dbus call | 32 // Redirects to one of three callbacks based on a boolean value and dbus call |
| 21 // status. | 33 // status. |
| 22 // | 34 // |
| 23 // Parameters | 35 // Parameters |
| 24 // on_true - Called when status=succes and value=true. | 36 // on_true - Called when status=succes and value=true. |
| 25 // on_false - Called when status=success and value=false. | 37 // on_false - Called when status=success and value=false. |
| 26 // on_fail - Called when status=failure. | 38 // on_fail - Called when status=failure. |
| 27 // status - The D-Bus operation status. | 39 // status - The D-Bus operation status. |
| 28 // value - The value returned by the D-Bus operation. | 40 // value - The value returned by the D-Bus operation. |
| 29 void DBusBoolRedirectCallback(const base::Closure& on_true, | 41 void DBusBoolRedirectCallback(const base::Closure& on_true, |
| 30 const base::Closure& on_false, | 42 const base::Closure& on_false, |
| 31 const base::Closure& on_fail, | 43 const base::Closure& on_fail, |
| 44 const std::string& on_fail_message, |
| 32 DBusMethodCallStatus status, | 45 DBusMethodCallStatus status, |
| 33 bool value) { | 46 bool value) { |
| 34 if (status != DBUS_METHOD_CALL_SUCCESS) { | 47 if (status != DBUS_METHOD_CALL_SUCCESS) { |
| 35 LOG(ERROR) << "Attestation: Failed to query enrollment state."; | 48 LOG(ERROR) << "Attestation: Failed to " << on_fail_message << "."; |
| 36 if (!on_fail.is_null()) | 49 if (!on_fail.is_null()) |
| 37 on_fail.Run(); | 50 on_fail.Run(); |
| 38 return; | 51 return; |
| 39 } | 52 } |
| 40 const base::Closure& task = value ? on_true : on_false; | 53 const base::Closure& task = value ? on_true : on_false; |
| 41 if (!task.is_null()) | 54 if (!task.is_null()) |
| 42 task.Run(); | 55 task.Run(); |
| 43 } | 56 } |
| 44 | 57 |
| 45 void DBusDataMethodCallback( | 58 void DBusDataMethodCallback( |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 88 NOTREACHED(); | 101 NOTREACHED(); |
| 89 return ""; | 102 return ""; |
| 90 } | 103 } |
| 91 | 104 |
| 92 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, | 105 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, |
| 93 CryptohomeClient* cryptohome_client, | 106 CryptohomeClient* cryptohome_client, |
| 94 std::unique_ptr<ServerProxy> server_proxy) | 107 std::unique_ptr<ServerProxy> server_proxy) |
| 95 : async_caller_(async_caller), | 108 : async_caller_(async_caller), |
| 96 cryptohome_client_(cryptohome_client), | 109 cryptohome_client_(cryptohome_client), |
| 97 server_proxy_(std::move(server_proxy)), | 110 server_proxy_(std::move(server_proxy)), |
| 111 ready_timeout_(base::TimeDelta::FromSeconds(kReadyTimeoutInSeconds)), |
| 112 retry_delay_( |
| 113 base::TimeDelta::FromMilliseconds(kRetryDelayInMilliseconds)), |
| 98 weak_factory_(this) {} | 114 weak_factory_(this) {} |
| 99 | 115 |
| 100 AttestationFlow::~AttestationFlow() { | 116 AttestationFlow::~AttestationFlow() { |
| 101 } | 117 } |
| 102 | 118 |
| 103 void AttestationFlow::GetCertificate( | 119 void AttestationFlow::GetCertificate( |
| 104 AttestationCertificateProfile certificate_profile, | 120 AttestationCertificateProfile certificate_profile, |
| 105 const AccountId& account_id, | 121 const AccountId& account_id, |
| 106 const std::string& request_origin, | 122 const std::string& request_origin, |
| 107 bool force_new_key, | 123 bool force_new_key, |
| 108 const CertificateCallback& callback) { | 124 const CertificateCallback& callback) { |
| 109 // If this device has not enrolled with the Privacy CA, we need to do that | 125 // If this device has not enrolled with the Privacy CA, we need to do that |
| 110 // first. Once enrolled we can proceed with the certificate request. | 126 // first. Once enrolled we can proceed with the certificate request. |
| 111 base::Closure do_cert_request = base::Bind( | 127 const base::Closure do_cert_request = base::Bind( |
| 112 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 128 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), |
| 113 certificate_profile, account_id, request_origin, force_new_key, callback); | 129 certificate_profile, account_id, request_origin, force_new_key, callback); |
| 114 base::Closure on_enroll_failure = base::Bind(callback, false, ""); | 130 const base::Closure on_failure = base::Bind(callback, false, ""); |
| 115 base::Closure do_enroll = base::Bind(&AttestationFlow::StartEnroll, | 131 const base::Closure initiate_enroll = base::Bind( |
| 116 weak_factory_.GetWeakPtr(), | 132 &AttestationFlow::WaitForAttestationReadyAndStartEnroll, |
| 117 on_enroll_failure, | 133 weak_factory_.GetWeakPtr(), base::TimeTicks::Now() + ready_timeout_, |
| 118 do_cert_request); | 134 on_failure, |
| 119 cryptohome_client_->TpmAttestationIsEnrolled(base::Bind( | 135 base::Bind(&AttestationFlow::StartEnroll, weak_factory_.GetWeakPtr(), |
| 120 &DBusBoolRedirectCallback, | 136 on_failure, do_cert_request)); |
| 121 do_cert_request, // If enrolled, proceed with cert request. | 137 cryptohome_client_->TpmAttestationIsEnrolled( |
| 122 do_enroll, // If not enrolled, initiate enrollment. | 138 base::Bind(&DBusBoolRedirectCallback, |
| 123 on_enroll_failure)); | 139 do_cert_request, // If enrolled, proceed with cert request. |
| 140 initiate_enroll, // If not enrolled, initiate enrollment. |
| 141 on_failure, "check enrollment state")); |
| 142 } |
| 143 |
| 144 void AttestationFlow::WaitForAttestationReadyAndStartEnroll( |
| 145 base::TimeTicks end_time, |
| 146 const base::Closure& on_failure, |
| 147 const base::Closure& next_task) { |
| 148 const base::Closure retry_initiate_enroll = |
| 149 base::Bind(&AttestationFlow::CheckAttestationReadyAndReschedule, |
| 150 weak_factory_.GetWeakPtr(), end_time, on_failure, next_task); |
| 151 cryptohome_client_->TpmAttestationIsPrepared( |
| 152 base::Bind(&DBusBoolRedirectCallback, next_task, retry_initiate_enroll, |
| 153 on_failure, "check for attestation readiness")); |
| 124 } | 154 } |
| 125 | 155 |
| 126 void AttestationFlow::StartEnroll(const base::Closure& on_failure, | 156 void AttestationFlow::StartEnroll(const base::Closure& on_failure, |
| 127 const base::Closure& next_task) { | 157 const base::Closure& next_task) { |
| 128 // Get the attestation service to create a Privacy CA enrollment request. | 158 // Get the attestation service to create a Privacy CA enrollment request. |
| 129 async_caller_->AsyncTpmAttestationCreateEnrollRequest( | 159 async_caller_->AsyncTpmAttestationCreateEnrollRequest( |
| 130 server_proxy_->GetType(), | 160 server_proxy_->GetType(), |
| 131 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, | 161 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, |
| 132 weak_factory_.GetWeakPtr(), | 162 weak_factory_.GetWeakPtr(), |
| 133 on_failure, | 163 on_failure, |
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 204 if (generate_new_key) { | 234 if (generate_new_key) { |
| 205 // Get the attestation service to create a Privacy CA certificate request. | 235 // Get the attestation service to create a Privacy CA certificate request. |
| 206 async_caller_->AsyncTpmAttestationCreateCertRequest( | 236 async_caller_->AsyncTpmAttestationCreateCertRequest( |
| 207 server_proxy_->GetType(), certificate_profile, | 237 server_proxy_->GetType(), certificate_profile, |
| 208 cryptohome::Identification(account_id), request_origin, | 238 cryptohome::Identification(account_id), request_origin, |
| 209 base::Bind(&AttestationFlow::SendCertificateRequestToPCA, | 239 base::Bind(&AttestationFlow::SendCertificateRequestToPCA, |
| 210 weak_factory_.GetWeakPtr(), key_type, account_id, key_name, | 240 weak_factory_.GetWeakPtr(), key_type, account_id, key_name, |
| 211 callback)); | 241 callback)); |
| 212 } else { | 242 } else { |
| 213 // If the key already exists, query the existing certificate. | 243 // If the key already exists, query the existing certificate. |
| 214 base::Closure on_key_exists = base::Bind( | 244 const base::Closure on_key_exists = base::Bind( |
| 215 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), | 245 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), |
| 216 key_type, account_id, key_name, callback); | 246 key_type, account_id, key_name, callback); |
| 217 // If the key does not exist, call this method back with |generate_new_key| | 247 // If the key does not exist, call this method back with |generate_new_key| |
| 218 // set to true. | 248 // set to true. |
| 219 base::Closure on_key_not_exists = base::Bind( | 249 const base::Closure on_key_not_exists = base::Bind( |
| 220 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 250 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), |
| 221 certificate_profile, account_id, request_origin, true, callback); | 251 certificate_profile, account_id, request_origin, true, callback); |
| 222 cryptohome_client_->TpmAttestationDoesKeyExist( | 252 cryptohome_client_->TpmAttestationDoesKeyExist( |
| 223 key_type, cryptohome::Identification(account_id), key_name, | 253 key_type, cryptohome::Identification(account_id), key_name, |
| 224 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, | 254 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, |
| 225 base::Bind(callback, false, ""))); | 255 base::Bind(callback, false, ""), |
| 256 "check for existence of attestation key")); |
| 226 } | 257 } |
| 227 } | 258 } |
| 228 | 259 |
| 229 void AttestationFlow::SendCertificateRequestToPCA( | 260 void AttestationFlow::SendCertificateRequestToPCA( |
| 230 AttestationKeyType key_type, | 261 AttestationKeyType key_type, |
| 231 const AccountId& account_id, | 262 const AccountId& account_id, |
| 232 const std::string& key_name, | 263 const std::string& key_name, |
| 233 const CertificateCallback& callback, | 264 const CertificateCallback& callback, |
| 234 bool success, | 265 bool success, |
| 235 const std::string& data) { | 266 const std::string& data) { |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 270 void AttestationFlow::GetExistingCertificate( | 301 void AttestationFlow::GetExistingCertificate( |
| 271 AttestationKeyType key_type, | 302 AttestationKeyType key_type, |
| 272 const AccountId& account_id, | 303 const AccountId& account_id, |
| 273 const std::string& key_name, | 304 const std::string& key_name, |
| 274 const CertificateCallback& callback) { | 305 const CertificateCallback& callback) { |
| 275 cryptohome_client_->TpmAttestationGetCertificate( | 306 cryptohome_client_->TpmAttestationGetCertificate( |
| 276 key_type, cryptohome::Identification(account_id), key_name, | 307 key_type, cryptohome::Identification(account_id), key_name, |
| 277 base::Bind(&DBusDataMethodCallback, callback)); | 308 base::Bind(&DBusDataMethodCallback, callback)); |
| 278 } | 309 } |
| 279 | 310 |
| 311 void AttestationFlow::CheckAttestationReadyAndReschedule( |
| 312 base::TimeTicks end_time, |
| 313 const base::Closure& on_failure, |
| 314 const base::Closure& next_task) { |
| 315 if (base::TimeTicks::Now() < end_time) { |
| 316 LOG(WARNING) << "Attestation: Not prepared yet." |
| 317 << " Retrying in " << retry_delay_ << "."; |
| 318 base::MessageLoop::current()->task_runner()->PostDelayedTask( |
| 319 FROM_HERE, |
| 320 base::Bind(&AttestationFlow::WaitForAttestationReadyAndStartEnroll, |
| 321 weak_factory_.GetWeakPtr(), end_time, on_failure, next_task), |
| 322 retry_delay_); |
| 323 } else { |
| 324 LOG(ERROR) << "Attestation: Not prepared. Giving up on retrying."; |
| 325 if (!on_failure.is_null()) |
| 326 on_failure.Run(); |
| 327 } |
| 328 } |
| 329 |
| 280 ServerProxy::~ServerProxy() {} | 330 ServerProxy::~ServerProxy() {} |
| 281 | 331 |
| 282 PrivacyCAType ServerProxy::GetType() { | 332 PrivacyCAType ServerProxy::GetType() { |
| 283 return DEFAULT_PCA; | 333 return DEFAULT_PCA; |
| 284 } | 334 } |
| 285 | 335 |
| 286 } // namespace attestation | 336 } // namespace attestation |
| 287 } // namespace chromeos | 337 } // namespace chromeos |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2529743002:
Wait for the attestation to be ready (TPM being prepared for attestation) before trying to enroll. (Closed)
