cryptohome: add cert provision apis that don't take pca url.

No one sets the PCA URL themselves; we should just remove the capability
of setting it because the attestation service doesn't support an arbitrary
server destination; leaving the capability could lead to surprises such as
an ineffective PCA URL setup.

The follow-up actions would be changing all the consumer, and coming
back to remove the legacy APIs that take PCA url.

BUG=b:173470557
TEST=hwsec.CertProvision

Change-Id: I06b3837883a2150fcae5e5a083701e5565192272
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2549483
Tested-by: Leo Lai <cylai@google.com>
Commit-Queue: Leo Lai <cylai@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
diff --git a/cryptohome/cert/cert_provision.cc b/cryptohome/cert/cert_provision.cc
index 1eb03f5..ec825f3 100644
--- a/cryptohome/cert/cert_provision.cc
+++ b/cryptohome/cert/cert_provision.cc
@@ -87,6 +87,14 @@
 }  // namespace
 
 Status ProvisionCertificate(PCAType pca_type,
+                            const std::string& label,
+                            CertificateProfile cert_profile,
+                            const ProgressCallback& progress_callback) {
+  return ProvisionCertificate(pca_type, /*pca_url=*/std::string(), label,
+                              cert_profile, progress_callback);
+}
+
+Status ProvisionCertificate(PCAType pca_type,
                             const std::string& pca_url,
                             const std::string& label,
                             CertificateProfile cert_profile,
@@ -189,6 +197,11 @@
 }
 
 Status ForceEnroll(PCAType pca_type,
+                   const ProgressCallback& progress_callback) {
+  return ForceEnroll(pca_type, /*pca_url=*/std::string(), progress_callback);
+}
+
+Status ForceEnroll(PCAType pca_type,
                    const std::string& pca_url,
                    const ProgressCallback& progress_callback) {
   DCHECK(pca_url.empty()) << "The arbitrary pca server URL is not supported.";
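Review bot: The guard on the legacy `ForceEnroll` overload is a `DCHECK`, which is normally compiled out of release builds, so a remaining caller that passes a non-empty `pca_url` gets no signal that the URL is not honoured. Until the legacy overloads are removed, a runtime check would make the mismatch visible, for example `if (!pca_url.empty()) LOG(ERROR) << "The arbitrary pca server URL is not supported.";` followed by returning an error status. The rest of the body lies outside this hunk, so what it does with `pca_url` afterwards cannot be confirmed from here. The legacy `ProvisionCertificate` body in the first hunk of this file is also cut off and should get the same check if it lacks one.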
diff --git a/cryptohome/cert/cert_provision_client.cc b/cryptohome/cert/cert_provision_client.cc
index 60b7d80..58e1b19 100644
--- a/cryptohome/cert/cert_provision_client.cc
+++ b/cryptohome/cert/cert_provision_client.cc
@@ -78,9 +78,8 @@
       return 2;
     }
 
-    sts = cert_provision::ProvisionCertificate(pca_type, std::string(),
-                                               cert_label, cert_profile,
-                                               base::Bind(&ProgressCallback));
+    sts = cert_provision::ProvisionCertificate(
+        pca_type, cert_label, cert_profile, base::Bind(&ProgressCallback));
     if (sts != cert_provision::Status::Success) {
       LOG(ERROR) << "ProvisionCertificate returned " << static_cast<int>(sts);
       return 3;
@@ -98,8 +97,7 @@
       return 2;
     }
 
-    sts = cert_provision::ForceEnroll(pca_type, std::string(),
-                                      base::Bind(&ProgressCallback));
+    sts = cert_provision::ForceEnroll(pca_type, base::Bind(&ProgressCallback));
     if (sts != cert_provision::Status::Success) {
       LOG(ERROR) << "ForceEnroll returned " << static_cast<int>(sts);
       return 3;
diff --git a/cryptohome/cert_provision.h b/cryptohome/cert_provision.h
index 18db526..a3553cd 100644
--- a/cryptohome/cert_provision.h
+++ b/cryptohome/cert_provision.h
@@ -84,6 +84,25 @@
                      CertificateProfile cert_profile,
                      const ProgressCallback& progress_callback);
 
+// Synchronously obtains a new certificate with |cert_profile| from the PCA.
+// The PCA is identified by the |pca_type|. Stores the obtained certificate, its
+// private and public keys in the keystore under |label|.
+//
+// |progress_callback| is called after major internal steps or on errors:
+// - on steps: status is set to Status::Success, progress is the number between
+//   0 and 100 that roughly defines the completeness percentage, and message
+//   is the description of the current step.
+// - on errors: status is set to the appropriate error, progress is set to 100,
+//   and message provides error details.
+//
+// Returns Status::Success if the certificate was successfully obtained, and
+// an appropriate other status on errors.
+CERT_PROVISION_EXPORT Status
+ProvisionCertificate(PCAType pca_type,
+                     const std::string& label,
+                     CertificateProfile cert_profile,
+                     const ProgressCallback& progress_callback);
+
 // Enroll with the PCA regardless of the current status (re-enroll if already
 // enrolled).
 // The PCA is identified by the |pca_type|. If |pca_url| is not empty, it
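Review bot: The overloads that take |pca_url| are left without any deprecation marker, and the context comment at the end of this hunk still describes a non-empty |pca_url| as meaningful, while cert_provision.cc asserts `pca_url.empty()` in `ForceEnroll`. Add a line to the comment of each legacy declaration, such as `// DEPRECATED: |pca_url| must be empty; use the overload without |pca_url|.`, so new callers pick the new API and do not assume they can choose the enrollment endpoint. The legacy `ForceEnroll` comment continues past the end of this hunk, and the legacy `ProvisionCertificate` comment starts before it.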
@@ -103,6 +122,21 @@
             const std::string& pca_url,
             const ProgressCallback& progress_callback);
 
+// Enroll with the PCA regardless of the current status (re-enroll if already
+// enrolled). The PCA is identified by the |pca_type|.
+//
+// |progress_callback| is called after major internal steps or on errors:
+// - on steps: status is set to Status::Success, progress is the number between
+//   0 and 100 that roughly defines the completeness percentage, and message
+//   is the description of the current step.
+// - on errors: status is set to the appropriate error, progress is set to 100,
+//   and message provides error details.
+//
+// Returns Status::Success if the certificate was successfully obtained, and
+// an appropriate other status on errors.
+CERT_PROVISION_EXPORT Status
+ForceEnroll(PCAType pca_type, const ProgressCallback& progress_callback);
+
 // Retrieves the provisioned certificate identified by |label| into |cert| in
 // PEM format. If |include_intermediate| is true, all intermediate certificates
 // in its chain are also obtained.
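Review bot: The return-value comment on the new `ForceEnroll` declaration says `Returns Status::Success if the certificate was successfully obtained`, which reads as carried over from `ProvisionCertificate`. The first sentence of the same comment describes enrollment with the PCA and mentions no certificate. Suggest `// Returns Status::Success if the enrollment succeeded, and an appropriate other status on errors.`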