Easy Sign-in: Use TPM RSA key to sign nonce in sign-in protocol

chrome/browser/signin/easy_unlock_service.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/signin/easy_unlock_service.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/metrics/field_trial.h"
@@ skipping 11 matching lines @@
 #include "chrome/browser/signin/easy_unlock_service_factory.h"
 #include "chrome/browser/signin/easy_unlock_service_observer.h"
 #include "chrome/browser/signin/screenlock_bridge.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/extensions/api/easy_unlock_private.h"
 #include "chrome/common/extensions/extension_constants.h"
 #include "chrome/common/pref_names.h"
 #include "components/pref_registry/pref_registry_syncable.h"
 #include "components/proximity_auth/switches.h"
 #include "components/user_manager/user.h"
+#include "components/user_manager/user_manager.h"
 #include "device/bluetooth/bluetooth_adapter.h"
 #include "device/bluetooth/bluetooth_adapter_factory.h"
 #include "extensions/browser/event_router.h"
 #include "extensions/browser/extension_registry.h"
 #include "extensions/browser/extension_system.h"
 #include "extensions/common/one_shot_event.h"
 #include "grit/browser_resources.h"
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_key_manager.h"
+#include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.h"
+#include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager_factory.h"
 #include "chrome/browser/chromeos/login/session/user_session_manager.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/power_manager_client.h"
 #endif
 
 namespace {
 
 extensions::ComponentLoader* GetComponentLoader(
     content::BrowserContext* context) {
@@ skipping 137 matching lines @@
   base::WeakPtrFactory<PowerMonitor> weak_ptr_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(PowerMonitor);
 };
 #endif
 
 EasyUnlockService::EasyUnlockService(Profile* profile)
     : profile_(profile),
       bluetooth_detector_(new BluetoothDetector(this)),
       shut_down_(false),
+      tpm_key_checked_(false),
       weak_ptr_factory_(this) {
   extensions::ExtensionSystem::Get(profile_)->ready().Post(
       FROM_HERE,
       base::Bind(&EasyUnlockService::Initialize,
                  weak_ptr_factory_.GetWeakPtr()));
 }
 
 EasyUnlockService::~EasyUnlockService() {
 }
 
 // static
 void EasyUnlockService::RegisterProfilePrefs(
     user_prefs::PrefRegistrySyncable* registry) {
   registry->RegisterBooleanPref(
       prefs::kEasyUnlockAllowed,
       true,
       user_prefs::PrefRegistrySyncable::UNSYNCABLE_PREF);
   registry->RegisterBooleanPref(
       prefs::kEasyUnlockEnabled,
       false,
       user_prefs::PrefRegistrySyncable::UNSYNCABLE_PREF);
   registry->RegisterDictionaryPref(
       prefs::kEasyUnlockPairing,
       new base::DictionaryValue(),
       user_prefs::PrefRegistrySyncable::UNSYNCABLE_PREF);
   registry->RegisterBooleanPref(
       prefs::kEasyUnlockProximityRequired,
       false,
       user_prefs::PrefRegistrySyncable::SYNCABLE_PREF);
+#if defined(OS_CHROMEOS)
+  EasyUnlockTpmKeyManager::RegisterProfilePrefs(registry);
+#endif
 }
 
 // static
 void EasyUnlockService::RegisterPrefs(PrefRegistrySimple* registry) {
   registry->RegisterDictionaryPref(prefs::kEasyUnlockHardlockState);
+#if defined(OS_CHROMEOS)
+  EasyUnlockTpmKeyManager::RegisterLocalStatePrefs(registry);
+#endif
 }
 
 // static
 void EasyUnlockService::ResetLocalStateForUser(const std::string& user_id) {
   DCHECK(!user_id.empty());
 
   PrefService* local_state = GetLocalState();
   if (!local_state)
     return;
 
   DictionaryPrefUpdate update(local_state, prefs::kEasyUnlockHardlockState);
   update->RemoveWithoutPathExpansion(user_id, NULL);
+
+#if defined(OS_CHROMEOS)
+EasyUnlockTpmKeyManager::ResetLocalStateForUser(user_id);

[xiyuan, 2014/12/02 23:15:58]

nit: fix indent

[tbarzic, 2014/12/03 19:10:28]

Done.

+#endif
 }
 
 bool EasyUnlockService::IsAllowed() {
   if (shut_down_)
     return false;
 
   if (!IsAllowedInternal())
     return false;
 
 #if defined(OS_CHROMEOS)
@@ skipping 270 matching lines @@
     return;
   extensions::ExtensionSystem* extension_system =
       extensions::ExtensionSystem::Get(profile_);
   extension_system->extension_service()->ReloadExtension(
       extension_misc::kEasyUnlockAppId);
   NotifyUserUpdated();
 }
 
 void EasyUnlockService::UpdateAppState() {
   if (IsAllowed()) {
+    EnsureTpmKeyPresentIfNeeded();
     LoadApp();
 
 #if defined(OS_CHROMEOS)
     if (!power_monitor_)
       power_monitor_.reset(new PowerMonitor(this));
 #endif
   } else {
     bool bluetooth_waking_up = false;
 #if defined(OS_CHROMEOS)
     // If the service is not allowed due to bluetooth not being detected just
@@ skipping 117 matching lines @@
 }
 #endif
 
 void EasyUnlockService::PrepareForSuspend() {
   DisableAppIfLoaded();
   if (screenlock_state_handler_ && screenlock_state_handler_->IsActive()) {
     UpdateScreenlockState(
         EasyUnlockScreenlockStateHandler::STATE_BLUETOOTH_CONNECTING);
   }
 }
+
+void EasyUnlockService::EnsureTpmKeyPresentIfNeeded() {
+  if (tpm_key_checked_ || GetType() != TYPE_REGULAR)
+    return;
+
+  // If this is called beforei the session is started, the chances are Chrome

[xiyuan, 2014/12/02 23:15:58]

nit: beforei -> before

[tbarzic, 2014/12/03 19:10:28]

Done.

+  // is restarting in order to apply user flags. Don't check TPM keys in this
+  // case.
+  if (!user_manager::UserManager::Get() ||
+      !user_manager::UserManager::Get()->IsSessionStarted())
+    return;
+
+  tpm_key_checked_ = true;
+
+#if defined(OS_CHROMEOS)
+  // TODO(tbarzic): Set check_private_key only if previous sign-in attempt
+  // failed.
+  EasyUnlockTpmKeyManagerFactory::GetInstance()->Get(profile_)
+      ->IsTpmKeyPresent(GetUserEmail(),
+                        true /* check_private_key */,
+                        base::Closure());
+#endif
+}