OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chromeos/attestation/attestation_flow.h" | 5 #include "chromeos/attestation/attestation_flow.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/bind.h" | 9 #include "base/bind.h" |
10 #include "base/memory/ptr_util.h" | |
11 #include "base/timer/timer.h" | |
10 #include "chromeos/cryptohome/async_method_caller.h" | 12 #include "chromeos/cryptohome/async_method_caller.h" |
11 #include "chromeos/cryptohome/cryptohome_parameters.h" | 13 #include "chromeos/cryptohome/cryptohome_parameters.h" |
12 #include "chromeos/dbus/cryptohome_client.h" | 14 #include "chromeos/dbus/cryptohome_client.h" |
13 #include "components/signin/core/account_id/account_id.h" | 15 #include "components/signin/core/account_id/account_id.h" |
14 | 16 |
15 namespace chromeos { | 17 namespace chromeos { |
16 namespace attestation { | 18 namespace attestation { |
17 | 19 |
18 namespace { | 20 namespace { |
19 | 21 |
22 // Default backoff policy. | |
23 const net::BackoffEntry::Policy kDefaultBackoffPolicy = { | |
24 // Number of initial errors (in sequence) to ignore before applying | |
25 // exponential back-off rules. | |
26 0, | |
27 | |
28 // Initial delay for exponential back-off in ms. | |
29 2000, | |
30 | |
31 // Factor by which the waiting time will be multiplied. | |
32 2, | |
33 | |
34 // Fuzzing percentage. ex: 10% will spread requests randomly | |
35 // between 90%-100% of the calculated time. | |
36 0, | |
37 | |
38 // Maximum amount of time we are willing to delay our request in ms. | |
39 -1, | |
40 | |
41 // Time to keep an entry from being discarded even when it | |
42 // has no significant state, -1 to never discard. | |
43 -1, | |
44 | |
45 // Don't use initial delay unless the last request was an error. | |
46 false, | |
47 }; | |
48 | |
20 // Redirects to one of three callbacks based on a boolean value and dbus call | 49 // Redirects to one of three callbacks based on a boolean value and dbus call |
21 // status. | 50 // status. |
22 // | 51 // |
23 // Parameters | 52 // Parameters |
24 // on_true - Called when status=succes and value=true. | 53 // on_true - Called when status=succes and value=true. |
25 // on_false - Called when status=success and value=false. | 54 // on_false - Called when status=success and value=false. |
26 // on_fail - Called when status=failure. | 55 // on_fail - Called when status=failure. |
27 // status - The D-Bus operation status. | 56 // status - The D-Bus operation status. |
28 // value - The value returned by the D-Bus operation. | 57 // value - The value returned by the D-Bus operation. |
29 void DBusBoolRedirectCallback(const base::Closure& on_true, | 58 void DBusBoolRedirectCallback(const base::Closure& on_true, |
30 const base::Closure& on_false, | 59 const base::Closure& on_false, |
31 const base::Closure& on_fail, | 60 const base::Closure& on_fail, |
61 const std::string& on_fail_message, | |
32 DBusMethodCallStatus status, | 62 DBusMethodCallStatus status, |
33 bool value) { | 63 bool value) { |
34 if (status != DBUS_METHOD_CALL_SUCCESS) { | 64 if (status != DBUS_METHOD_CALL_SUCCESS) { |
35 LOG(ERROR) << "Attestation: Failed to query enrollment state."; | 65 LOG(ERROR) << "Attestation: Failed to " << on_fail_message << "."; |
36 if (!on_fail.is_null()) | 66 if (!on_fail.is_null()) |
37 on_fail.Run(); | 67 on_fail.Run(); |
38 return; | 68 return; |
39 } | 69 } |
40 const base::Closure& task = value ? on_true : on_false; | 70 const base::Closure& task = value ? on_true : on_false; |
41 if (!task.is_null()) | 71 if (!task.is_null()) |
42 task.Run(); | 72 task.Run(); |
43 } | 73 } |
44 | 74 |
45 void DBusDataMethodCallback( | 75 void DBusDataMethodCallback( |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
88 NOTREACHED(); | 118 NOTREACHED(); |
89 return ""; | 119 return ""; |
90 } | 120 } |
91 | 121 |
92 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, | 122 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, |
93 CryptohomeClient* cryptohome_client, | 123 CryptohomeClient* cryptohome_client, |
94 std::unique_ptr<ServerProxy> server_proxy) | 124 std::unique_ptr<ServerProxy> server_proxy) |
95 : async_caller_(async_caller), | 125 : async_caller_(async_caller), |
96 cryptohome_client_(cryptohome_client), | 126 cryptohome_client_(cryptohome_client), |
97 server_proxy_(std::move(server_proxy)), | 127 server_proxy_(std::move(server_proxy)), |
128 retry_timer_(new base::OneShotTimer()), | |
129 retry_backoff_(&kDefaultBackoffPolicy), | |
98 weak_factory_(this) {} | 130 weak_factory_(this) {} |
99 | 131 |
100 AttestationFlow::~AttestationFlow() { | 132 AttestationFlow::~AttestationFlow() { |
101 } | 133 } |
102 | 134 |
103 void AttestationFlow::GetCertificate( | 135 void AttestationFlow::GetCertificate( |
104 AttestationCertificateProfile certificate_profile, | 136 AttestationCertificateProfile certificate_profile, |
105 const AccountId& account_id, | 137 const AccountId& account_id, |
106 const std::string& request_origin, | 138 const std::string& request_origin, |
107 bool force_new_key, | 139 bool force_new_key, |
108 const CertificateCallback& callback) { | 140 const CertificateCallback& callback) { |
141 // Fail requests if we are backing off right now. | |
142 if (retry_backoff_.ShouldRejectRequest()) { | |
The one and only Dr. Crash
2016/12/02 05:57:49
I actually think that the behavior I want is to st
| |
143 if (!callback.is_null()) | |
144 callback.Run(false, ""); | |
145 return; | |
146 } | |
109 // If this device has not enrolled with the Privacy CA, we need to do that | 147 // If this device has not enrolled with the Privacy CA, we need to do that |
110 // first. Once enrolled we can proceed with the certificate request. | 148 // first. Once enrolled we can proceed with the certificate request. |
111 base::Closure do_cert_request = base::Bind( | 149 base::Closure do_cert_request = base::Bind( |
112 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 150 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), |
113 certificate_profile, account_id, request_origin, force_new_key, callback); | 151 certificate_profile, account_id, request_origin, force_new_key, callback); |
114 base::Closure on_enroll_failure = base::Bind(callback, false, ""); | 152 base::Closure on_enroll_failure = base::Bind(callback, false, ""); |
115 base::Closure do_enroll = base::Bind(&AttestationFlow::StartEnroll, | 153 base::Closure initiate_enroll = |
116 weak_factory_.GetWeakPtr(), | 154 base::Bind(&AttestationFlow::InitiateEnroll, weak_factory_.GetWeakPtr(), |
117 on_enroll_failure, | 155 on_enroll_failure, do_cert_request); |
118 do_cert_request); | 156 cryptohome_client_->TpmAttestationIsEnrolled( |
119 cryptohome_client_->TpmAttestationIsEnrolled(base::Bind( | 157 base::Bind(&DBusBoolRedirectCallback, |
120 &DBusBoolRedirectCallback, | 158 do_cert_request, // If enrolled, proceed with cert request. |
121 do_cert_request, // If enrolled, proceed with cert request. | 159 initiate_enroll, // If not enrolled, initiate enrollment. |
122 do_enroll, // If not enrolled, initiate enrollment. | 160 on_enroll_failure, "check enrollment state")); |
123 on_enroll_failure)); | 161 } |
162 | |
163 void AttestationFlow::SetRetryTimerForTest( | |
164 std::unique_ptr<base::OneShotTimer> retry_timer) { | |
165 retry_timer_ = std::move(retry_timer); | |
166 } | |
167 | |
168 void AttestationFlow::InitiateEnroll(const base::Closure& on_failure, | |
169 const base::Closure& next_task) { | |
170 base::Closure do_enroll = | |
171 base::Bind(&AttestationFlow::StartEnroll, weak_factory_.GetWeakPtr(), | |
172 on_failure, next_task); | |
173 base::Closure retry_initiate_enroll = | |
174 base::Bind(&AttestationFlow::RetryInitiateEnroll, | |
175 weak_factory_.GetWeakPtr(), on_failure, next_task); | |
176 cryptohome_client_->TpmAttestationIsPrepared( | |
177 base::Bind(&DBusBoolRedirectCallback, do_enroll, retry_initiate_enroll, | |
178 on_failure, "check for attestation readiness")); | |
179 } | |
180 | |
181 void AttestationFlow::RetryInitiateEnroll(const base::Closure& on_failure, | |
182 const base::Closure& next_task) { | |
183 if (initiate_enroll_retries_ == 0) { | |
184 LOG(ERROR) << "Attestation: not ready for attestation." | |
185 << " Giving up on retrying."; | |
186 if (!on_failure.is_null()) | |
187 on_failure.Run(); | |
188 } else { | |
189 if (initiate_enroll_retries_ > 0) | |
190 --initiate_enroll_retries_; | |
191 retry_backoff_.InformOfRequest(false); | |
192 auto retry_delay = retry_backoff_.GetTimeUntilRelease().InMilliseconds(); | |
193 LOG(WARNING) << "Attestation: not ready for attestation yet." | |
194 << " Retrying in " << retry_delay << " ms."; | |
195 retry_timer_->Start( | |
196 FROM_HERE, retry_backoff_.GetTimeUntilRelease(), | |
197 base::Bind(&AttestationFlow::InitiateEnroll, weak_factory_.GetWeakPtr(), | |
198 on_failure, next_task)); | |
199 } | |
124 } | 200 } |
125 | 201 |
126 void AttestationFlow::StartEnroll(const base::Closure& on_failure, | 202 void AttestationFlow::StartEnroll(const base::Closure& on_failure, |
127 const base::Closure& next_task) { | 203 const base::Closure& next_task) { |
204 // We are done retrying the enrollment initiation (i.e. TPM is ready). | |
205 retry_backoff_.Reset(); | |
128 // Get the attestation service to create a Privacy CA enrollment request. | 206 // Get the attestation service to create a Privacy CA enrollment request. |
129 async_caller_->AsyncTpmAttestationCreateEnrollRequest( | 207 async_caller_->AsyncTpmAttestationCreateEnrollRequest( |
130 server_proxy_->GetType(), | 208 server_proxy_->GetType(), |
131 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, | 209 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, |
132 weak_factory_.GetWeakPtr(), | 210 weak_factory_.GetWeakPtr(), |
133 on_failure, | 211 on_failure, |
134 next_task)); | 212 next_task)); |
135 } | 213 } |
136 | 214 |
137 void AttestationFlow::SendEnrollRequestToPCA(const base::Closure& on_failure, | 215 void AttestationFlow::SendEnrollRequestToPCA(const base::Closure& on_failure, |
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
215 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), | 293 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), |
216 key_type, account_id, key_name, callback); | 294 key_type, account_id, key_name, callback); |
217 // If the key does not exist, call this method back with |generate_new_key| | 295 // If the key does not exist, call this method back with |generate_new_key| |
218 // set to true. | 296 // set to true. |
219 base::Closure on_key_not_exists = base::Bind( | 297 base::Closure on_key_not_exists = base::Bind( |
220 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 298 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), |
221 certificate_profile, account_id, request_origin, true, callback); | 299 certificate_profile, account_id, request_origin, true, callback); |
222 cryptohome_client_->TpmAttestationDoesKeyExist( | 300 cryptohome_client_->TpmAttestationDoesKeyExist( |
223 key_type, cryptohome::Identification(account_id), key_name, | 301 key_type, cryptohome::Identification(account_id), key_name, |
224 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, | 302 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, |
225 base::Bind(callback, false, ""))); | 303 base::Bind(callback, false, ""), |
304 "check for existence of attestation key")); | |
226 } | 305 } |
227 } | 306 } |
228 | 307 |
229 void AttestationFlow::SendCertificateRequestToPCA( | 308 void AttestationFlow::SendCertificateRequestToPCA( |
230 AttestationKeyType key_type, | 309 AttestationKeyType key_type, |
231 const AccountId& account_id, | 310 const AccountId& account_id, |
232 const std::string& key_name, | 311 const std::string& key_name, |
233 const CertificateCallback& callback, | 312 const CertificateCallback& callback, |
234 bool success, | 313 bool success, |
235 const std::string& data) { | 314 const std::string& data) { |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
278 } | 357 } |
279 | 358 |
280 ServerProxy::~ServerProxy() {} | 359 ServerProxy::~ServerProxy() {} |
281 | 360 |
282 PrivacyCAType ServerProxy::GetType() { | 361 PrivacyCAType ServerProxy::GetType() { |
283 return DEFAULT_PCA; | 362 return DEFAULT_PCA; |
284 } | 363 } |
285 | 364 |
286 } // namespace attestation | 365 } // namespace attestation |
287 } // namespace chromeos | 366 } // namespace chromeos |
OLD | NEW |