Easy Sign-in: Use TPM RSA key to sign nonce in sign-in protocol

chrome/browser/chromeos/login/easy_unlock/easy_unlock_key_manager.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_key_manager.h"
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/values.h"
+#include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager.h"
+#include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_tpm_key_manager_factory.h"
 
 namespace chromeos {
 
 namespace {
 
 const char kKeyBluetoothAddress[] = "bluetoothAddress";
 const char kKeyPermitRecord[] = "permitRecord";
 const char kKeyPermitId[] = "permitRecord.id";
 const char kKeyPermitPermitId[] = "permitRecord.permitId";
 const char kKeyPermitData[] = "permitRecord.data";
@@ skipping 16 matching lines @@
   STLDeleteContainerPairSecondPointers(get_keys_ops_.begin(),
                                        get_keys_ops_.end());
 }
 
 void EasyUnlockKeyManager::RefreshKeys(const UserContext& user_context,
                                        const base::ListValue& remote_devices,
                                        const RefreshKeysCallback& callback) {
   // Must have the secret.
   DCHECK(!user_context.GetKey()->GetSecret().empty());
 
+  base::Closure do_refresh_keys = base::Bind(
+      &EasyUnlockKeyManager::RefreshKeysWithTpmKeyPresent,
+      weak_ptr_factory_.GetWeakPtr(),
+      user_context,
+      base::Owned(remote_devices.DeepCopy()),
+      callback);
+
+  EasyUnlockTpmKeyManager* tpm_key_manager =
+      EasyUnlockTpmKeyManagerFactory::GetInstance()->GetForUser(
+          user_context.GetUserID());
+  if (!tpm_key_manager) {
+    LOG(ERROR) << "No TPM key manager.";
+    callback.Run(false);
+    return;
+  }
+
+  if (tpm_key_manager->PrepareTpmKey(false /* check_private_key */,
+                                     do_refresh_keys)) {
+    do_refresh_keys.Run();
+  } else {
+    // In case Chrome is supposed to restart to apply user session flags, the
+    // Chrome restart will be postponed until Easy Sign-in keys are refreshed.
+    // This is to ensure that creating TPM key does not hang if TPM system
+    // loading takes too much time. Note that in normal circumstances the
+    // chances that TPM slot cannot be loaded should be extremely low.
+    // TODO(tbarzic): Add some metrics to measure if the timeout even gets hit.
+    tpm_key_manager->StartGetSystemSlotTimeoutMs(2000);
+  }
+}
+
+void EasyUnlockKeyManager::RefreshKeysWithTpmKeyPresent(
+    const UserContext& user_context,
+    base::ListValue* remote_devices,
+    const RefreshKeysCallback& callback) {
+  EasyUnlockTpmKeyManager* tpm_key_manager =
+      EasyUnlockTpmKeyManagerFactory::GetInstance()->GetForUser(
+          user_context.GetUserID());
+  std::string tpm_public_key =
+      tpm_key_manager->GetPublicTpmKey(user_context.GetUserID());
+
   EasyUnlockDeviceKeyDataList devices;
-  if (!RemoteDeviceListToDeviceDataList(remote_devices, &devices))
+  if (!RemoteDeviceListToDeviceDataList(*remote_devices, &devices))
     devices.clear();
 
   // Only one pending request.
   DCHECK(!HasPendingOperations());
   create_keys_op_.reset(new EasyUnlockCreateKeysOperation(
       user_context,
+      tpm_public_key,
       devices,
       base::Bind(&EasyUnlockKeyManager::OnKeysCreated,
                  weak_ptr_factory_.GetWeakPtr(),
                  devices.size(),
                  callback)));
   create_keys_op_->Start();
 }
 
 void EasyUnlockKeyManager::RemoveKeys(const UserContext& user_context,
                                       size_t start_index,
@@ skipping 169 matching lines @@
   }
 
   if (!callback.is_null())
     callback.Run(fetch_success, fetched_data);
 
   if (!HasPendingOperations())
     RunNextPendingOp();
 }
 
 }  // namespace chromeos