Implemented attestation message flow for Chrome OS.

chromeos/attestation/attestation.h

Index: chromeos/attestation/attestation.h
diff --git a/chromeos/attestation/attestation.h b/chromeos/attestation/attestation.h
new file mode 100644
index 0000000000000000000000000000000000000000..6aff4c2d8bb53ad8b0c9e5c258bb30310ae8070d
--- /dev/null
+++ b/chromeos/attestation/attestation.h
@@ -0,0 +1,181 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_ATTESTATION_ATTESTATION_H_
+#define CHROMEOS_ATTESTATION_ATTESTATION_H_
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "base/callback_forward.h"
+#include "base/memory/weak_ptr.h"
+#include "chromeos/chromeos_export.h"
+#include "chromeos/dbus/dbus_method_call_status.h"
+#include "third_party/cros_system_api/dbus/service_constants.h"

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

needed in this file?

[dkrahn, 2013/01/17 23:36:24]

Yes, for cryptohome::MountError...

+
+

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

nit: remove extra blank line

[dkrahn, 2013/01/17 23:36:24]

Done.

+namespace cryptohome {
+
+class AsyncMethodCaller;
+
+}  // namespace cryptohome
+

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

nit: remove extra blank line.

[dkrahn, 2013/01/17 23:36:24]

Done.

+
+namespace chromeos {
+
+class CryptohomeClient;
+
+namespace attestation {
+
+// Interface for access to the Privacy CA server.
+class CHROMEOS_EXPORT ServerProxy {
+ public:

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

This needs a virtual dtor.

[dkrahn, 2013/01/17 23:36:24]

Done.

+  typedef base::Callback<void(bool success,
+                              const std::string& data)> DataCallback;
+  virtual void SendEnrollRequest(const std::string& request,
+                                 const DataCallback& on_response) = 0;
+  virtual void SendCertificateRequest(const std::string& request,
+                                      const DataCallback& on_response) = 0;
+};
+
+// Implements ChromeOS-specific attestation tasks.
+class CHROMEOS_EXPORT Attestation {

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

nit: I think the name is a bit generic, seeing it I have no clue what this class
does. Is it a data container that contains the Attestation cert? Is it the class
that implements the entire Attestation flow? Better class-level comments on what
this is good for and how you would use it would certainly help as well.

Edit: After reading the rest of the code I think this should be named
AttestationFlow or similar.

[dkrahn, 2013/01/17 23:36:24]

Done.

+ public:
+  typedef base::Callback<void(bool success)> StatusCallback;

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

unused?

[dkrahn, 2013/01/17 23:36:24]

Done.

+  typedef base::Callback<void(bool success,
+                              const std::string& pem_certificate_chain)>
+      CertificateCallback;
+
+  Attestation(cryptohome::AsyncMethodCaller* async_caller,
+              CryptohomeClient* cryptohome_client,
+              ServerProxy* server_proxy);
+  virtual ~Attestation();

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

Why all the virtualness in this class?

[dkrahn, 2013/01/17 23:36:24]

Removed. Was at one time thinking of allowing mocks to reuse / override these.

+
+  // Asynchronously gets an attestation certificate bound to the given name.
+  // If no certificate has been associated with the name, a new certificate is
+  // issued.
+  //
+  // Parameters
+  //   name - The name of the key for which to retrieve a certificate.  The
+  //          following key names are available:
+  //            "attest-ent-machine" - The enterprise machine key.
+  //            "attest-ent-user" - An enterprise user key for the current user.
+  //            "content-[origin]" - A content protection key bound to a
+  //                                 specific origin for the current user.
+  //   callback - A callback which will be called when the operation completes.
+  virtual void GetCertificate(const std::string& name,
+                              const CertificateCallback& callback);
+
+ private:
+  static const char* kEnterpriseMachineKey;
+
+  // Redirects to one of three callbacks based on a boolean value and dbus call
+  // status.
+  //
+  // Parameters
+  //   on_true - Called when status=succes and value=true.
+  //   on_false - Called when status=success and value=false.
+  //   on_fail - Called when status=failure.
+  //   status - The D-Bus operation status.
+  //   value - The value returned by the D-Bus operation.
+  virtual void DBusBoolRedirectCallback(const base::Closure& on_true,
+                                        const base::Closure& on_false,
+                                        const base::Closure& on_fail,
+                                        DBusMethodCallStatus status,
+                                        bool value);
+
+  // Asynchronously initiates the attestation enrollment flow.
+  //
+  // Parameters
+  //   on_failure - Called if any failure occurs.
+  //   next_task - Called on successful enrollment.
+  virtual void StartEnroll(const base::Closure& on_failure,
+                           const base::Closure& next_task);
+
+  // Called when the attestation daemon has finished creating an enrollment
+  // request for the Privacy CA.  The request is asynchronously forwarded as-is
+  // to the PCA.
+  //
+  // Parameters
+  //   on_failure - Called if any failure occurs.
+  //   next_task - Called on successful enrollment.
+  //   success - The status of request creation.
+  //   data - The request data for the Privacy CA.
+  virtual void OnCreateEnrollRequest(const base::Closure& on_failure,

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

Maybe rename to SendEnrollRequest?

[dkrahn, 2013/01/17 23:36:24]

Done. This was actually the original name of the method :). I couldn't decide
which was better, your vote has sealed it.  Added 'ToPCA' however as per your
suggestion below; I think it's more clear.

+                                     const base::Closure& next_task,
+                                     bool success,
+                                     const std::string& data);
+
+  // Called when the Privacy CA responds to an enrollment request.  The response
+  // is asynchronously forwarded as-is to the attestation daemon in order to
+  // complete the enrollment operation.
+  //
+  // Parameters
+  //   on_failure - Called if any failure occurs.
+  //   next_task - Called on successful enrollment.
+  //   success - The status of the Privacy CA operation.
+  //   data - The response data from the Privacy CA.
+  virtual void OnEnrollResponse(const base::Closure& on_failure,
+                                const base::Closure& next_task,
+                                bool success,
+                                const std::string& data);
+
+  // Called when the attestation daemon completes an enrollment operation.  If
+  // the operation was successful, the next_task callback is called.
+  //
+  // Parameters
+  //   on_failure - Called if any failure occurs.
+  //   next_task - Called on successful enrollment.
+  //   success - The status of the enrollment operation.
+  //   not_used - An artifact of the cryptohome D-Bus interface; ignored.
+  virtual void OnEnrollComplete(const base::Closure& on_failure,
+                                const base::Closure& next_task,
+                                bool success,
+                                cryptohome::MountError not_used);
+
+  // Asynchronously initiates the certificate request flow.  Attestation
+  // enrollment must success before this operation can succeed.

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

fix "must success"

[dkrahn, 2013/01/17 23:36:24]

Done.

+  //
+  // Parameters
+  //   name - The name of the key for which a certificate is requested.
+  //   callback - Called when the operation completes.
+  virtual void StartCertificateRequest(const std::string& name,
+                                       const CertificateCallback& callback);
+
+  // Called when the attestation daemon has finished creating a certificate
+  // request for the Privacy CA.  The request is asynchronously forwarded as-is
+  // to the PCA.
+  //
+  // Parameters
+  //   callback - Called when the operation completes.
+  //   success - The status of request creation.
+  //   data - The request data for the Privacy CA.
+  virtual void OnCreateCertificateRequest(const CertificateCallback& callback,

[Mattias Nissler (ping if slow), 2013/01/16 10:39:26]

Maybe rename to SendCertificateRequestToPCA?

[dkrahn, 2013/01/17 23:36:24]

Done.

+                                          bool success,
+                                          const std::string& data);
+
+  // Called when the Privacy CA responds to a certificate request.  The response
+  // is asynchronously forwarded as-is to the attestation daemon in order to
+  // complete the operation.
+  //
+  // Parameters
+  //   callback - Called when the operation completes.
+  //   success - The status of the Privacy CA operation.
+  //   data - The response data from the Privacy CA.
+  virtual void OnCertificateResponse(const CertificateCallback& callback,
+                                     bool success,
+                                     const std::string& data);
+
+  base::WeakPtrFactory<Attestation> weak_factory_;
+  cryptohome::AsyncMethodCaller* async_caller_;
+  CryptohomeClient* cryptohome_client_;
+  ServerProxy* server_proxy_;
+
+  DISALLOW_COPY_AND_ASSIGN(Attestation);
+};
+
+}  // namespace attestation
+}  // namespace chromeos
+
+#endif  // CHROMEOS_ATTESTATION_ATTESTATION_H_