cryptohome: add cert provision apis that don't take pca url.
There is no one who sets the pca url themselves; we should just remove
the capability of setting it because attestation service doesn't support
arbitrary server destination; leaving the capability could lead supprise
like ineffective pca url setup.
The follow-up actions would be changing all the consumer, and coming
back to remove the legacy APIs that take PCA url.
BUG=b:173470557
TEST=hwsec.CertProvision
Change-Id: I06b3837883a2150fcae5e5a083701e5565192272
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2549483
Tested-by: Leo Lai <cylai@google.com>
Commit-Queue: Leo Lai <cylai@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
diff --git a/cryptohome/cert/cert_provision.cc b/cryptohome/cert/cert_provision.cc
index 1eb03f5..ec825f3 100644
--- a/cryptohome/cert/cert_provision.cc
+++ b/cryptohome/cert/cert_provision.cc
@@ -87,6 +87,14 @@
} // namespace
Status ProvisionCertificate(PCAType pca_type,
+ const std::string& label,
+ CertificateProfile cert_profile,
+ const ProgressCallback& progress_callback) {
+ return ProvisionCertificate(pca_type, /*pca_url=*/std::string(), label,
+ cert_profile, progress_callback);
+}
+
+Status ProvisionCertificate(PCAType pca_type,
const std::string& pca_url,
const std::string& label,
CertificateProfile cert_profile,
@@ -189,6 +197,11 @@
}
Status ForceEnroll(PCAType pca_type,
+ const ProgressCallback& progress_callback) {
+ return ForceEnroll(pca_type, /*pca_url=*/std::string(), progress_callback);
+}
+
+Status ForceEnroll(PCAType pca_type,
const std::string& pca_url,
const ProgressCallback& progress_callback) {
DCHECK(pca_url.empty()) << "The arbitrary pca server URL is not supported.";
diff --git a/cryptohome/cert/cert_provision_client.cc b/cryptohome/cert/cert_provision_client.cc
index 60b7d80..58e1b19 100644
--- a/cryptohome/cert/cert_provision_client.cc
+++ b/cryptohome/cert/cert_provision_client.cc
@@ -78,9 +78,8 @@
return 2;
}
- sts = cert_provision::ProvisionCertificate(pca_type, std::string(),
- cert_label, cert_profile,
- base::Bind(&ProgressCallback));
+ sts = cert_provision::ProvisionCertificate(
+ pca_type, cert_label, cert_profile, base::Bind(&ProgressCallback));
if (sts != cert_provision::Status::Success) {
LOG(ERROR) << "ProvisionCertificate returned " << static_cast<int>(sts);
return 3;
@@ -98,8 +97,7 @@
return 2;
}
- sts = cert_provision::ForceEnroll(pca_type, std::string(),
- base::Bind(&ProgressCallback));
+ sts = cert_provision::ForceEnroll(pca_type, base::Bind(&ProgressCallback));
if (sts != cert_provision::Status::Success) {
LOG(ERROR) << "ForceEnroll returned " << static_cast<int>(sts);
return 3;
diff --git a/cryptohome/cert_provision.h b/cryptohome/cert_provision.h
index 18db526..a3553cd 100644
--- a/cryptohome/cert_provision.h
+++ b/cryptohome/cert_provision.h
@@ -84,6 +84,25 @@
CertificateProfile cert_profile,
const ProgressCallback& progress_callback);
+// Synchronously obtains a new certificate with |cert_profile| from the PCA.
+// The PCA is identified by the |pca_type|. Stores the obtained certificate, its
+// private and public keys in the keystore under |label|.
+//
+// |progress_callback| is called after major internal steps or on errors:
+// - on steps: status is set to Status::Success, progress is the number between
+// 0 and 100 that roughly defines the completeness percentage, and message
+// is the description of the current step.
+// - on errors: status is set to the appropriate error, progress is set to 100,
+// and message provides error details.
+//
+// Returns Status::Success if the certificate was successfully obtained, and
+// an appropriate other status on errors.
+CERT_PROVISION_EXPORT Status
+ProvisionCertificate(PCAType pca_type,
+ const std::string& label,
+ CertificateProfile cert_profile,
+ const ProgressCallback& progress_callback);
+
// Enroll with the PCA regardless of the current status (re-enroll if already
// enrolled).
// The PCA is identified by the |pca_type|. If |pca_url| is not empty, it
@@ -103,6 +122,21 @@
const std::string& pca_url,
const ProgressCallback& progress_callback);
+// Enroll with the PCA regardless of the current status (re-enroll if already
+// enrolled). The PCA is identified by the |pca_type|.
+//
+// |progress_callback| is called after major internal steps or on errors:
+// - on steps: status is set to Status::Success, progress is the number between
+// 0 and 100 that roughly defines the completeness percentage, and message
+// is the description of the current step.
+// - on errors: status is set to the appropriate error, progress is set to 100,
+// and message provides error details.
+//
+// Returns Status::Success if the certificate was successfully obtained, and
+// an appropriate other status on errors.
+CERT_PROVISION_EXPORT Status
+ForceEnroll(PCAType pca_type, const ProgressCallback& progress_callback);
+
// Retrieves the provisioned certificate identified by |label| into |cert| in
// PEM format. If |include_intermediate| is true, all intermediate certificates
// in its chain are also obtained.
