cryptohome/cert_provision.cc - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright 2017 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // Library that provides certificate provisioning/signing interface.

 #include <base/logging.h>
 #include <base/strings/string_number_conversions.h>

 #include "cryptohome/cert_provision.h"
 #include "cryptohome/cert_provision_cryptohome.h"
 #include "cryptohome/cert_provision_keystore.h"
 #include "cryptohome/cert_provision_pca.h"
 #include "cryptohome/cert_provision_util.h"

 #include "cert_provision.pb.h"  // NOLINT(build/include)

 namespace {

 // Number of steps for different provision stages.
 constexpr int kInitSteps = 1;
 constexpr int kGetCertSteps = 3;
 constexpr int kRegisterSteps = 3;
 constexpr int kNoEnrollSteps = kInitSteps + kGetCertSteps + kRegisterSteps;
 constexpr int kEnrollSteps = 4;
 constexpr int kMaxSteps = kNoEnrollSteps + kEnrollSteps;

 const char kGetCertAction[] = "sign";
 const char kEnrollAction[] = "enroll";

 const char kEndCertificate[] = "-----END CERTIFICATE-----";

 std::string GetDefaultPCAUrl(cert_provision::PCAType pca_type) {
   std::string url;
   switch (pca_type) {
     case cert_provision::PCAType::kDefaultPCA:
       url = "https://chromeos-ca.gstatic.com";
       break;
     case cert_provision::PCAType::kTestPCA:
       url = "https://asbestos-qa.corp.google.com";
       break;
     default:
       break;
   }
   return url;
 }

 cert_provision::Status ReportAndReturn(cert_provision::Status status,
                                        const std::string& message) {
   LOG(ERROR) << message;
   return status;
 }

 cert_provision::Status ReportAndReturn(const cert_provision::OpResult& result) {
   return ReportAndReturn(result.status, result.message);
 }

 }  // namespace

 namespace cert_provision {

 Status ProvisionCertificate(PCAType pca_type,
                             const std::string& pca_url,
                             const std::string& label,
                             CertificateProfile cert_profile,
                             const ProgressCallback& progress_callback) {
   ProgressReporter reporter(progress_callback, kMaxSteps);
   std::string url(pca_url);
   if (url.empty()) {
     url = GetDefaultPCAUrl(pca_type);
     if (url.empty()) {
       return reporter.ReportAndReturn(Status::HttpError,
                                       "PCA url is not defined.");
     }
   }
   auto pca_proxy = PCAProxy::Create(url);
   auto c_proxy = CryptohomeProxy::Create();

   OpResult result = c_proxy->Init();
   if (!result) {
     return reporter.ReportAndReturn(result);
   }

   reporter.Step("Checking if enrolled");
   bool is_enrolled;
   result = c_proxy->CheckIfEnrolled(&is_enrolled);
   if (!result) {
     return reporter.ReportAndReturn(result);
   }

   if (is_enrolled) {
     reporter.SetSteps(kNoEnrollSteps);
   } else {
     reporter.Step("Checking if ready for enrollment");
     bool is_prepared;
     result = c_proxy->CheckIfPrepared(&is_prepared);
     if (!result) {
       return reporter.ReportAndReturn(result);
     }
     if (!is_prepared) {
       return reporter.ReportAndReturn(Status::NotPrepared,
                                       "Not ready for enrollment.");
     }

     reporter.Step("Creating enroll request");
     brillo::SecureBlob request;
     result = c_proxy->CreateEnrollRequest(pca_type, &request);
     if (!result) {
       return reporter.ReportAndReturn(result);
     }
     reporter.Step("Sending enroll request");
     brillo::SecureBlob response;
     result = pca_proxy->MakeRequest(kEnrollAction, request, &response);
     if (!result) {
       return reporter.ReportAndReturn(result);
     }
     reporter.Step("Processing enroll response");
     result = c_proxy->ProcessEnrollResponse(pca_type, response);
     if (!result) {
       return reporter.ReportAndReturn(result);
     }
   }

   brillo::SecureBlob cert_chain;
   reporter.Step("Creating certificate request");
   brillo::SecureBlob request;
   result = c_proxy->CreateCertRequest(pca_type, cert_profile, &request);
   if (!result) {
     return reporter.ReportAndReturn(result);
   }
   reporter.Step("Sending certificate request");
   brillo::SecureBlob response;
   result = pca_proxy->MakeRequest(kGetCertAction, request, &response);
   if (!result) {
     return reporter.ReportAndReturn(result);
   }
   reporter.Step("Processing certificate response");
   result = c_proxy->ProcessCertResponse(label, response, &cert_chain);
   if (!result) {
     return reporter.ReportAndReturn(result);
   }

   reporter.Step("Registering new keys");
   brillo::SecureBlob public_key;
   result = c_proxy->GetPublicKey(label, &public_key);
   if (!result) {
     return reporter.ReportAndReturn(result);
   }
   std::string key_id = GetKeyID(public_key);
   if (key_id.empty()) {
     return reporter.ReportAndReturn(Status::KeyStoreError,
                                     "Failed to calculate key ID.");
   }
   VLOG(1) << "Obtained key id "
           << base::HexEncode(key_id.data(), key_id.size());

   result = c_proxy->Register(label);
   if (!result) {
     return reporter.ReportAndReturn(result);
   }

   reporter.Step("Updating provision status");
   auto key_store = KeyStore::Create();
   result = key_store->Init();
   if (!result) {
     return reporter.ReportAndReturn(result);
   }

   ProvisionStatus provision_status;
   result = key_store->ReadProvisionStatus(label, &provision_status);
   if (!result) {
     return reporter.ReportAndReturn(result);
   }

   std::string old_id;
   if (provision_status.provisioned()) {
     old_id = provision_status.key_id();
   }
   VLOG(1) << "Old key id " << base::HexEncode(old_id.data(), old_id.size());

   provision_status.set_provisioned(true);
   provision_status.set_key_id(key_id);
   provision_status.set_certificate_chain(cert_chain.to_string());
   result = key_store->WriteProvisionStatus(label, provision_status);
   if (!result) {
     return reporter.ReportAndReturn(result);
   }

   reporter.Step("Deleting old keys");
   if (!old_id.empty() && (key_id != old_id) &&
       !(result = key_store->DeleteKeys(old_id, label))) {
     return reporter.ReportAndReturn(result);
   }

   reporter.Done();
   return Status::Success;
 }

 Status GetCertificate(const std::string& label,
                       bool include_intermediate,
                       std::string* cert) {
   auto key_store = KeyStore::Create();
   ProvisionStatus provision_status;

   OpResult result = key_store->Init();
   if (!result) {
     return ReportAndReturn(result);
   }
   result = key_store->ReadProvisionStatus(label, &provision_status);
   if (!result) {
     return ReportAndReturn(result);
   }
   if (!provision_status.provisioned()) {
     return ReportAndReturn(Status::NotProvisioned, "Not provisioned");
   }

   size_t pos;
   if (include_intermediate) {
     pos = std::string::npos;
   } else {
     pos = provision_status.certificate_chain().find(kEndCertificate);
     if (pos != std::string::npos) {
       pos += arraysize(kEndCertificate) - 1;
     }
   }
   cert->assign(provision_status.certificate_chain().substr(0, pos));

   return Status::Success;
 }

 Status Sign(const std::string& label,
             SignMechanism mechanism,
             const std::string& data,
             std::string* signature) {
   auto key_store = KeyStore::Create();
   ProvisionStatus provision_status;

   OpResult result = key_store->Init();
   if (!result) {
     return ReportAndReturn(result);
   }
   result = key_store->ReadProvisionStatus(label, &provision_status);
   if (!result) {
     return ReportAndReturn(result);
   }
   if (!provision_status.provisioned()) {
     return ReportAndReturn(Status::NotProvisioned, "Not provisioned");
   }
   VLOG(1) << "Signing with key id " << provision_status.key_id();
   result = key_store->Sign(
       provision_status.key_id(), label, mechanism, data, signature);
   if (!result) {
     return ReportAndReturn(result);
   }
   return Status::Success;
 }

 }  // namespace cert_provision
	// Copyright 2017 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.
	//
	// Library that provides certificate provisioning/signing interface.

	#include <base/logging.h>
	#include <base/strings/string_number_conversions.h>

	#include "cryptohome/cert_provision.h"
	#include "cryptohome/cert_provision_cryptohome.h"
	#include "cryptohome/cert_provision_keystore.h"
	#include "cryptohome/cert_provision_pca.h"
	#include "cryptohome/cert_provision_util.h"

	#include "cert_provision.pb.h" // NOLINT(build/include)

	namespace {

	// Number of steps for different provision stages.
	constexpr int kInitSteps = 1;
	constexpr int kGetCertSteps = 3;
	constexpr int kRegisterSteps = 3;
	constexpr int kNoEnrollSteps = kInitSteps + kGetCertSteps + kRegisterSteps;
	constexpr int kEnrollSteps = 4;
	constexpr int kMaxSteps = kNoEnrollSteps + kEnrollSteps;

	const char kGetCertAction[] = "sign";
	const char kEnrollAction[] = "enroll";

	const char kEndCertificate[] = "-----END CERTIFICATE-----";

	std::string GetDefaultPCAUrl(cert_provision::PCAType pca_type) {
	std::string url;
	switch (pca_type) {
	case cert_provision::PCAType::kDefaultPCA:
	url = "https://chromeos-ca.gstatic.com";
	break;
	case cert_provision::PCAType::kTestPCA:
	url = "https://asbestos-qa.corp.google.com";
	break;
	default:
	break;
	}
	return url;
	}

	cert_provision::Status ReportAndReturn(cert_provision::Status status,
	const std::string& message) {
	LOG(ERROR) << message;
	return status;
	}

	cert_provision::Status ReportAndReturn(const cert_provision::OpResult& result) {
	return ReportAndReturn(result.status, result.message);
	}

	} // namespace

	namespace cert_provision {

	Status ProvisionCertificate(PCAType pca_type,
	const std::string& pca_url,
	const std::string& label,
	CertificateProfile cert_profile,
	const ProgressCallback& progress_callback) {
	ProgressReporter reporter(progress_callback, kMaxSteps);
	std::string url(pca_url);
	if (url.empty()) {
	url = GetDefaultPCAUrl(pca_type);
	if (url.empty()) {
	return reporter.ReportAndReturn(Status::HttpError,
	"PCA url is not defined.");
	}
	}
	auto pca_proxy = PCAProxy::Create(url);
	auto c_proxy = CryptohomeProxy::Create();

	OpResult result = c_proxy->Init();
	if (!result) {
	return reporter.ReportAndReturn(result);
	}

	reporter.Step("Checking if enrolled");
	bool is_enrolled;
	result = c_proxy->CheckIfEnrolled(&is_enrolled);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}

	if (is_enrolled) {
	reporter.SetSteps(kNoEnrollSteps);
	} else {
	reporter.Step("Checking if ready for enrollment");
	bool is_prepared;
	result = c_proxy->CheckIfPrepared(&is_prepared);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}
	if (!is_prepared) {
	return reporter.ReportAndReturn(Status::NotPrepared,
	"Not ready for enrollment.");
	}

	reporter.Step("Creating enroll request");
	brillo::SecureBlob request;
	result = c_proxy->CreateEnrollRequest(pca_type, &request);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}
	reporter.Step("Sending enroll request");
	brillo::SecureBlob response;
	result = pca_proxy->MakeRequest(kEnrollAction, request, &response);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}
	reporter.Step("Processing enroll response");
	result = c_proxy->ProcessEnrollResponse(pca_type, response);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}
	}

	brillo::SecureBlob cert_chain;
	reporter.Step("Creating certificate request");
	brillo::SecureBlob request;
	result = c_proxy->CreateCertRequest(pca_type, cert_profile, &request);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}
	reporter.Step("Sending certificate request");
	brillo::SecureBlob response;
	result = pca_proxy->MakeRequest(kGetCertAction, request, &response);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}
	reporter.Step("Processing certificate response");
	result = c_proxy->ProcessCertResponse(label, response, &cert_chain);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}

	reporter.Step("Registering new keys");
	brillo::SecureBlob public_key;
	result = c_proxy->GetPublicKey(label, &public_key);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}
	std::string key_id = GetKeyID(public_key);
	if (key_id.empty()) {
	return reporter.ReportAndReturn(Status::KeyStoreError,
	"Failed to calculate key ID.");
	}
	VLOG(1) << "Obtained key id "
	<< base::HexEncode(key_id.data(), key_id.size());

	result = c_proxy->Register(label);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}

	reporter.Step("Updating provision status");
	auto key_store = KeyStore::Create();
	result = key_store->Init();
	if (!result) {
	return reporter.ReportAndReturn(result);
	}

	ProvisionStatus provision_status;
	result = key_store->ReadProvisionStatus(label, &provision_status);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}

	std::string old_id;
	if (provision_status.provisioned()) {
	old_id = provision_status.key_id();
	}
	VLOG(1) << "Old key id " << base::HexEncode(old_id.data(), old_id.size());

	provision_status.set_provisioned(true);
	provision_status.set_key_id(key_id);
	provision_status.set_certificate_chain(cert_chain.to_string());
	result = key_store->WriteProvisionStatus(label, provision_status);
	if (!result) {
	return reporter.ReportAndReturn(result);
	}

	reporter.Step("Deleting old keys");
	if (!old_id.empty() && (key_id != old_id) &&
	!(result = key_store->DeleteKeys(old_id, label))) {
	return reporter.ReportAndReturn(result);
	}

	reporter.Done();
	return Status::Success;
	}

	Status GetCertificate(const std::string& label,
	bool include_intermediate,
	std::string* cert) {
	auto key_store = KeyStore::Create();
	ProvisionStatus provision_status;

	OpResult result = key_store->Init();
	if (!result) {
	return ReportAndReturn(result);
	}
	result = key_store->ReadProvisionStatus(label, &provision_status);
	if (!result) {
	return ReportAndReturn(result);
	}
	if (!provision_status.provisioned()) {
	return ReportAndReturn(Status::NotProvisioned, "Not provisioned");
	}

	size_t pos;
	if (include_intermediate) {
	pos = std::string::npos;
	} else {
	pos = provision_status.certificate_chain().find(kEndCertificate);
	if (pos != std::string::npos) {
	pos += arraysize(kEndCertificate) - 1;
	}
	}
	cert->assign(provision_status.certificate_chain().substr(0, pos));

	return Status::Success;
	}

	Status Sign(const std::string& label,
	SignMechanism mechanism,
	const std::string& data,
	std::string* signature) {
	auto key_store = KeyStore::Create();
	ProvisionStatus provision_status;

	OpResult result = key_store->Init();
	if (!result) {
	return ReportAndReturn(result);
	}
	result = key_store->ReadProvisionStatus(label, &provision_status);
	if (!result) {
	return ReportAndReturn(result);
	}
	if (!provision_status.provisioned()) {
	return ReportAndReturn(Status::NotProvisioned, "Not provisioned");
	}
	VLOG(1) << "Signing with key id " << provision_status.key_id();
	result = key_store->Sign(
	provision_status.key_id(), label, mechanism, data, signature);
	if (!result) {
	return ReportAndReturn(result);
	}
	return Status::Success;
	}

	} // namespace cert_provision