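--- a/chromeos/attestation/attestation_flow.h
+++ b/chromeos/attestation/attestation_flow.h
@@ -1,23 +1,25 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
 #define CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_
 
 #include <memory>
 #include <string>
 
 #include "base/callback_forward.h"
 #include "base/macros.h"
 #include "base/memory/weak_ptr.h"
+#include "base/time/time.h"
+#include "base/timer/timer.h"
 #include "chromeos/attestation/attestation_constants.h"
 #include "chromeos/chromeos_export.h"
 #include "chromeos/dbus/dbus_method_call_status.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 class AccountId;
 
 namespace cryptohome {
 
 class AsyncMethodCaller;
@@ -39,25 +41,28 @@
 virtual void SendEnrollRequest(const std::string& request,
 const DataCallback& on_response) = 0;
 virtual void SendCertificateRequest(const std::string& request,
 const DataCallback& on_response) = 0;
 virtual PrivacyCAType GetType();
 };
 
 // Implements the message flow for Chrome OS attestation tasks. Generally this
 // consists of coordinating messages between the Chrome OS attestation service
 // and the Chrome OS Privacy CA server. Sample usage:
+//
 // AttestationFlow flow(AsyncMethodCaller::GetInstance(),
 // DBusThreadManager::Get().GetCryptohomeClient(),
 // std::move(my_server_proxy));
 // AttestationFlow::CertificateCallback callback = base::Bind(&MyCallback);
 // flow.GetCertificate(ENTERPRISE_USER_CERTIFICATE, false, callback);
+//
+// This class is not thread safe.
 class CHROMEOS_EXPORT AttestationFlow {
 public:
 typedef base::Callback<void(bool success,
 const std::string& pem_certificate_chain)>
 CertificateCallback;
 
 // Returns the attestation key type for a given |certificate_profile|.
 //
 // Parameters
 // certificate_profile - Specifies what kind of certificate the key is for.
@@ -75,48 +80,75 @@
 // the origin of the request.
 static std::string GetKeyNameForProfile(
 AttestationCertificateProfile certificate_profile,
 const std::string& request_origin);
 
 AttestationFlow(cryptohome::AsyncMethodCaller* async_caller,
 CryptohomeClient* cryptohome_client,
 std::unique_ptr<ServerProxy> server_proxy);
 virtual ~AttestationFlow();
 
+// Sets the timeout for attestation to be ready.
+void set_ready_timeout(base::TimeDelta ready_timeout) {
+ready_timeout_ = ready_timeout;
+}
+// Gets the timeout for attestation to be ready.
+base::TimeDelta ready_timeout() const { return ready_timeout_; }
+
+// Sets the retry delay.
+void set_retry_delay(base::TimeDelta retry_delay) {
+retry_delay_ = retry_delay;
+}
+
+// Returns the retry delay.
+base::TimeDelta retry_delay() { return retry_delay_; }
+
 // Gets an attestation certificate for a hardware-protected key. If a key for
 // the given profile does not exist, it will be generated and a certificate
 // request will be made to the Chrome OS Privacy CA to issue a certificate for
 // the key. If the key already exists and |force_new_key| is false, the
 // existing certificate is returned.
 //
 // Parameters
 // certificate_profile - Specifies what kind of certificate should be
 // requested from the CA.
 // account_id - Identifies the currently active user. This is ignored when
 // using the enterprise machine cert profile.
 // request_origin - For content protection profiles, certificate requests
 // are origin-specific. This string must uniquely identify
 // the origin of the request.
 // force_new_key - If set to true, a new key will be generated even if a key
 // already exists for the profile. The new key will replace
 // the existing key on success.
 // callback - A callback which will be called when the operation completes.
 // On success |result| will be true and |data| will contain the
 // PCA-issued certificate chain in PEM format.
 virtual void GetCertificate(AttestationCertificateProfile certificate_profile,
 const AccountId& account_id,
 const std::string& request_origin,
 bool force_new_key,
 const CertificateCallback& callback);
 
 private:
-// Asynchronously initiates the attestation enrollment flow.
+// Asynchronously waits for attestation to be ready and start enrollment once
+// it is. If attestation is not ready by the time the flow's timeout is
+// reached, fail.
+//
+// Parameters
+// retries_left - Number of retries left (-1 for infinite retries).
+// on_failure - Called if any failure occurs.
+// next_task - Called on successful enrollment.
+void WaitForAttestationReadyAndStartEnroll(base::TimeTicks end_time,
+const base::Closure& on_failure,
+const base::Closure& next_task);
+
+// Called when attestation is prepared, to start the actual enrollment flow.
 //
 // Parameters
 // on_failure - Called if any failure occurs.
 // next_task - Called on successful enrollment.
 void StartEnroll(const base::Closure& on_failure,
 const base::Closure& next_task);
 
 // Called when the attestation daemon has finished creating an enrollment
 // request for the Privacy CA. The request is asynchronously forwarded as-is
 // to the PCA.
@@ -216,23 +248,38 @@
 // Parameters
 // key_type - The type of the key for which a certificate is requested.
 // account_id - Identifies the active user.
 // key_name - The name of the key for which a certificate is requested.
 // callback - Called when the operation completes.
 void GetExistingCertificate(AttestationKeyType key_type,
 const AccountId& account_id,
 const std::string& key_name,
 const CertificateCallback& callback);
 
+// Checks whether attestation is ready. If it is, runs |next_task|. If not,
+// reschedules a check after a delay unless we are out of retry time, in
+// which case we run |on_failure|.
+//
+// Parameters
+// end_time - The time at or past which we give up retrying.
+// on_failure - Called if any failure occurs or after we give up retrying.
+// next_task - Called when attestation is ready.
+void CheckAttestationReadyAndReschedule(base::TimeTicks end_time,
+const base::Closure& on_failure,
+const base::Closure& next_task);
+
 cryptohome::AsyncMethodCaller* async_caller_;
 CryptohomeClient* cryptohome_client_;
 std::unique_ptr<ServerProxy> server_proxy_;
 
+base::TimeDelta ready_timeout_;
+base::TimeDelta retry_delay_;
+
 base::WeakPtrFactory<AttestationFlow> weak_factory_;
 
 DISALLOW_COPY_AND_ASSIGN(AttestationFlow);
 };
 
 } // namespace attestation
 } // namespace chromeos
 
 #endif // CHROMEOS_ATTESTATION_ATTESTATION_FLOW_H_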
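Review bot: The parameter comment on `WaitForAttestationReadyAndStartEnroll` documents `retries_left` ("-1 for infinite retries"), but the declaration takes `base::TimeTicks end_time`; the line should read `// end_time - The time at or past which we give up retrying.`, matching the comment on `CheckAttestationReadyAndReschedule`. `retry_delay()` is also declared non-const while `ready_timeout()` is const; make it `base::TimeDelta retry_delay() const { return retry_delay_; }`. The two setters accept any `base::TimeDelta`, and the header states neither the defaults nor whether a zero or negative value is rejected. The implementation file is not shown here, so it is worth confirming that a zero `retry_delay_` cannot turn the readiness poll into a tight loop against cryptohome, and that an unset `ready_timeout_` fails closed instead of waiting indefinitely; document the valid range on the setters. No timer member appears in the visible class body, so the `base/timer/timer.h` include may be unneeded in this header.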