OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chromeos/attestation/attestation_flow.h" | 5 #include "chromeos/attestation/attestation_flow.h" |
6 | 6 |
| 7 #include <algorithm> |
7 #include <utility> | 8 #include <utility> |
8 | 9 |
9 #include "base/bind.h" | 10 #include "base/bind.h" |
| 11 #include "base/memory/ptr_util.h" |
| 12 #include "base/message_loop/message_loop.h" |
| 13 #include "base/timer/timer.h" |
10 #include "chromeos/cryptohome/async_method_caller.h" | 14 #include "chromeos/cryptohome/async_method_caller.h" |
11 #include "chromeos/cryptohome/cryptohome_parameters.h" | 15 #include "chromeos/cryptohome/cryptohome_parameters.h" |
12 #include "chromeos/dbus/cryptohome_client.h" | 16 #include "chromeos/dbus/cryptohome_client.h" |
13 #include "components/signin/core/account_id/account_id.h" | 17 #include "components/signin/core/account_id/account_id.h" |
14 | 18 |
15 namespace chromeos { | 19 namespace chromeos { |
16 namespace attestation { | 20 namespace attestation { |
17 | 21 |
18 namespace { | 22 namespace { |
19 | 23 |
| 24 // A reasonable timeout that gives enough time for attestation to be ready, |
| 25 // yet does not make the caller wait too long. |
| 26 constexpr uint16_t kReadyTimeoutInSeconds = 60; |
| 27 |
| 28 // Delay before checking again whether the TPM has been prepared for |
| 29 // attestation. |
| 30 constexpr uint16_t kRetryDelayInMilliseconds = 300; |
| 31 |
20 // Redirects to one of three callbacks based on a boolean value and dbus call | 32 // Redirects to one of three callbacks based on a boolean value and dbus call |
21 // status. | 33 // status. |
22 // | 34 // |
23 // Parameters | 35 // Parameters |
24 // on_true - Called when status=succes and value=true. | 36 // on_true - Called when status=succes and value=true. |
25 // on_false - Called when status=success and value=false. | 37 // on_false - Called when status=success and value=false. |
26 // on_fail - Called when status=failure. | 38 // on_fail - Called when status=failure. |
27 // status - The D-Bus operation status. | 39 // status - The D-Bus operation status. |
28 // value - The value returned by the D-Bus operation. | 40 // value - The value returned by the D-Bus operation. |
29 void DBusBoolRedirectCallback(const base::Closure& on_true, | 41 void DBusBoolRedirectCallback(const base::Closure& on_true, |
30 const base::Closure& on_false, | 42 const base::Closure& on_false, |
31 const base::Closure& on_fail, | 43 const base::Closure& on_fail, |
| 44 const std::string& on_fail_message, |
32 DBusMethodCallStatus status, | 45 DBusMethodCallStatus status, |
33 bool value) { | 46 bool value) { |
34 if (status != DBUS_METHOD_CALL_SUCCESS) { | 47 if (status != DBUS_METHOD_CALL_SUCCESS) { |
35 LOG(ERROR) << "Attestation: Failed to query enrollment state."; | 48 LOG(ERROR) << "Attestation: Failed to " << on_fail_message << "."; |
36 if (!on_fail.is_null()) | 49 if (!on_fail.is_null()) |
37 on_fail.Run(); | 50 on_fail.Run(); |
38 return; | 51 return; |
39 } | 52 } |
40 const base::Closure& task = value ? on_true : on_false; | 53 const base::Closure& task = value ? on_true : on_false; |
41 if (!task.is_null()) | 54 if (!task.is_null()) |
42 task.Run(); | 55 task.Run(); |
43 } | 56 } |
44 | 57 |
45 void DBusDataMethodCallback( | 58 void DBusDataMethodCallback( |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
88 NOTREACHED(); | 101 NOTREACHED(); |
89 return ""; | 102 return ""; |
90 } | 103 } |
91 | 104 |
92 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, | 105 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, |
93 CryptohomeClient* cryptohome_client, | 106 CryptohomeClient* cryptohome_client, |
94 std::unique_ptr<ServerProxy> server_proxy) | 107 std::unique_ptr<ServerProxy> server_proxy) |
95 : async_caller_(async_caller), | 108 : async_caller_(async_caller), |
96 cryptohome_client_(cryptohome_client), | 109 cryptohome_client_(cryptohome_client), |
97 server_proxy_(std::move(server_proxy)), | 110 server_proxy_(std::move(server_proxy)), |
| 111 ready_timeout_(base::TimeDelta::FromSeconds(kReadyTimeoutInSeconds)), |
| 112 retry_delay_( |
| 113 base::TimeDelta::FromMilliseconds(kRetryDelayInMilliseconds)), |
98 weak_factory_(this) {} | 114 weak_factory_(this) {} |
99 | 115 |
100 AttestationFlow::~AttestationFlow() { | 116 AttestationFlow::~AttestationFlow() { |
101 } | 117 } |
102 | 118 |
103 void AttestationFlow::GetCertificate( | 119 void AttestationFlow::GetCertificate( |
104 AttestationCertificateProfile certificate_profile, | 120 AttestationCertificateProfile certificate_profile, |
105 const AccountId& account_id, | 121 const AccountId& account_id, |
106 const std::string& request_origin, | 122 const std::string& request_origin, |
107 bool force_new_key, | 123 bool force_new_key, |
108 const CertificateCallback& callback) { | 124 const CertificateCallback& callback) { |
109 // If this device has not enrolled with the Privacy CA, we need to do that | 125 // If this device has not enrolled with the Privacy CA, we need to do that |
110 // first. Once enrolled we can proceed with the certificate request. | 126 // first. Once enrolled we can proceed with the certificate request. |
111 base::Closure do_cert_request = base::Bind( | 127 const base::Closure do_cert_request = base::Bind( |
112 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 128 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), |
113 certificate_profile, account_id, request_origin, force_new_key, callback); | 129 certificate_profile, account_id, request_origin, force_new_key, callback); |
114 base::Closure on_enroll_failure = base::Bind(callback, false, ""); | 130 const base::Closure on_failure = base::Bind(callback, false, ""); |
115 base::Closure do_enroll = base::Bind(&AttestationFlow::StartEnroll, | 131 const base::Closure initiate_enroll = base::Bind( |
116 weak_factory_.GetWeakPtr(), | 132 &AttestationFlow::WaitForAttestationReadyAndStartEnroll, |
117 on_enroll_failure, | 133 weak_factory_.GetWeakPtr(), base::TimeTicks::Now() + ready_timeout_, |
118 do_cert_request); | 134 on_failure, |
119 cryptohome_client_->TpmAttestationIsEnrolled(base::Bind( | 135 base::Bind(&AttestationFlow::StartEnroll, weak_factory_.GetWeakPtr(), |
120 &DBusBoolRedirectCallback, | 136 on_failure, do_cert_request)); |
121 do_cert_request, // If enrolled, proceed with cert request. | 137 cryptohome_client_->TpmAttestationIsEnrolled( |
122 do_enroll, // If not enrolled, initiate enrollment. | 138 base::Bind(&DBusBoolRedirectCallback, |
123 on_enroll_failure)); | 139 do_cert_request, // If enrolled, proceed with cert request. |
| 140 initiate_enroll, // If not enrolled, initiate enrollment. |
| 141 on_failure, "check enrollment state")); |
| 142 } |
| 143 |
| 144 void AttestationFlow::WaitForAttestationReadyAndStartEnroll( |
| 145 base::TimeTicks end_time, |
| 146 const base::Closure& on_failure, |
| 147 const base::Closure& next_task) { |
| 148 const base::Closure retry_initiate_enroll = |
| 149 base::Bind(&AttestationFlow::CheckAttestationReadyAndReschedule, |
| 150 weak_factory_.GetWeakPtr(), end_time, on_failure, next_task); |
| 151 cryptohome_client_->TpmAttestationIsPrepared( |
| 152 base::Bind(&DBusBoolRedirectCallback, next_task, retry_initiate_enroll, |
| 153 on_failure, "check for attestation readiness")); |
124 } | 154 } |
125 | 155 |
126 void AttestationFlow::StartEnroll(const base::Closure& on_failure, | 156 void AttestationFlow::StartEnroll(const base::Closure& on_failure, |
127 const base::Closure& next_task) { | 157 const base::Closure& next_task) { |
128 // Get the attestation service to create a Privacy CA enrollment request. | 158 // Get the attestation service to create a Privacy CA enrollment request. |
129 async_caller_->AsyncTpmAttestationCreateEnrollRequest( | 159 async_caller_->AsyncTpmAttestationCreateEnrollRequest( |
130 server_proxy_->GetType(), | 160 server_proxy_->GetType(), |
131 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, | 161 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, |
132 weak_factory_.GetWeakPtr(), | 162 weak_factory_.GetWeakPtr(), |
133 on_failure, | 163 on_failure, |
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
204 if (generate_new_key) { | 234 if (generate_new_key) { |
205 // Get the attestation service to create a Privacy CA certificate request. | 235 // Get the attestation service to create a Privacy CA certificate request. |
206 async_caller_->AsyncTpmAttestationCreateCertRequest( | 236 async_caller_->AsyncTpmAttestationCreateCertRequest( |
207 server_proxy_->GetType(), certificate_profile, | 237 server_proxy_->GetType(), certificate_profile, |
208 cryptohome::Identification(account_id), request_origin, | 238 cryptohome::Identification(account_id), request_origin, |
209 base::Bind(&AttestationFlow::SendCertificateRequestToPCA, | 239 base::Bind(&AttestationFlow::SendCertificateRequestToPCA, |
210 weak_factory_.GetWeakPtr(), key_type, account_id, key_name, | 240 weak_factory_.GetWeakPtr(), key_type, account_id, key_name, |
211 callback)); | 241 callback)); |
212 } else { | 242 } else { |
213 // If the key already exists, query the existing certificate. | 243 // If the key already exists, query the existing certificate. |
214 base::Closure on_key_exists = base::Bind( | 244 const base::Closure on_key_exists = base::Bind( |
215 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), | 245 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), |
216 key_type, account_id, key_name, callback); | 246 key_type, account_id, key_name, callback); |
217 // If the key does not exist, call this method back with |generate_new_key| | 247 // If the key does not exist, call this method back with |generate_new_key| |
218 // set to true. | 248 // set to true. |
219 base::Closure on_key_not_exists = base::Bind( | 249 const base::Closure on_key_not_exists = base::Bind( |
220 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 250 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), |
221 certificate_profile, account_id, request_origin, true, callback); | 251 certificate_profile, account_id, request_origin, true, callback); |
222 cryptohome_client_->TpmAttestationDoesKeyExist( | 252 cryptohome_client_->TpmAttestationDoesKeyExist( |
223 key_type, cryptohome::Identification(account_id), key_name, | 253 key_type, cryptohome::Identification(account_id), key_name, |
224 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, | 254 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, |
225 base::Bind(callback, false, ""))); | 255 base::Bind(callback, false, ""), |
| 256 "check for existence of attestation key")); |
226 } | 257 } |
227 } | 258 } |
228 | 259 |
229 void AttestationFlow::SendCertificateRequestToPCA( | 260 void AttestationFlow::SendCertificateRequestToPCA( |
230 AttestationKeyType key_type, | 261 AttestationKeyType key_type, |
231 const AccountId& account_id, | 262 const AccountId& account_id, |
232 const std::string& key_name, | 263 const std::string& key_name, |
233 const CertificateCallback& callback, | 264 const CertificateCallback& callback, |
234 bool success, | 265 bool success, |
235 const std::string& data) { | 266 const std::string& data) { |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
270 void AttestationFlow::GetExistingCertificate( | 301 void AttestationFlow::GetExistingCertificate( |
271 AttestationKeyType key_type, | 302 AttestationKeyType key_type, |
272 const AccountId& account_id, | 303 const AccountId& account_id, |
273 const std::string& key_name, | 304 const std::string& key_name, |
274 const CertificateCallback& callback) { | 305 const CertificateCallback& callback) { |
275 cryptohome_client_->TpmAttestationGetCertificate( | 306 cryptohome_client_->TpmAttestationGetCertificate( |
276 key_type, cryptohome::Identification(account_id), key_name, | 307 key_type, cryptohome::Identification(account_id), key_name, |
277 base::Bind(&DBusDataMethodCallback, callback)); | 308 base::Bind(&DBusDataMethodCallback, callback)); |
278 } | 309 } |
279 | 310 |
| 311 void AttestationFlow::CheckAttestationReadyAndReschedule( |
| 312 base::TimeTicks end_time, |
| 313 const base::Closure& on_failure, |
| 314 const base::Closure& next_task) { |
| 315 if (base::TimeTicks::Now() < end_time) { |
| 316 LOG(WARNING) << "Attestation: Not prepared yet." |
| 317 << " Retrying in " << retry_delay_ << "."; |
| 318 base::MessageLoop::current()->task_runner()->PostDelayedTask( |
| 319 FROM_HERE, |
| 320 base::Bind(&AttestationFlow::WaitForAttestationReadyAndStartEnroll, |
| 321 weak_factory_.GetWeakPtr(), end_time, on_failure, next_task), |
| 322 retry_delay_); |
| 323 } else { |
| 324 LOG(ERROR) << "Attestation: Not prepared. Giving up on retrying."; |
| 325 if (!on_failure.is_null()) |
| 326 on_failure.Run(); |
| 327 } |
| 328 } |
| 329 |
280 ServerProxy::~ServerProxy() {} | 330 ServerProxy::~ServerProxy() {} |
281 | 331 |
282 PrivacyCAType ServerProxy::GetType() { | 332 PrivacyCAType ServerProxy::GetType() { |
283 return DEFAULT_PCA; | 333 return DEFAULT_PCA; |
284 } | 334 } |
285 | 335 |
286 } // namespace attestation | 336 } // namespace attestation |
287 } // namespace chromeos | 337 } // namespace chromeos |
OLD | NEW |