arc: add CertStoreBridge to keymaster

Set up a CertStoreBridge between arc-keymasterd and chrome to
allow arc-keymasterd to use the keys accessible by chrome.

Add SecurityTokenOperationBridge that implements SecurityTokenOperation and
performs the signature of pre-hashed digest using security token certificates.

Bug: b:119914122
Test: ./unit_tests --gtest_filter=SecurityTokenOperationBridgeTest*
Test: local device
Change-Id: I791ab28ab639b85652ae4ccaf0b3d4f8fb37ae83
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1852447Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Reviewed-by: Edman Anjos <edman@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Hidehiko Abe <hidehiko@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Polina Bondarenko <pbond@chromium.org>
Auto-Submit: Polina Bondarenko <pbond@chromium.org>
Cr-Commit-Position: refs/heads/master@{#729672}

chrome/browser/chromeos/BUILD.gn

@@ -88,6 +88,7 @@ source_set("chromeos") {
     "//chrome/services/app_service/public/cpp:app_update",
     "//chrome/services/app_service/public/cpp:instance_update",
     "//chrome/services/file_util/public/cpp",
+    "//chrome/services/keymaster/public/mojom",
     "//chrome/services/printing/public/mojom",
     "//chrome/services/wilco_dtc_supportd/public/mojom",
     "//chromeos",
@@ -528,6 +529,8 @@ source_set("chromeos") {
     "arc/enterprise/cert_store/arc_cert_store_bridge.h",
     "arc/enterprise/cert_store/arc_smart_card_manager_bridge.cc",
     "arc/enterprise/cert_store/arc_smart_card_manager_bridge.h",
+    "arc/enterprise/cert_store/security_token_operation_bridge.cc",
+    "arc/enterprise/cert_store/security_token_operation_bridge.h",
     "arc/extensions/arc_support_message_host.cc",
     "arc/extensions/arc_support_message_host.h",
     "arc/file_system_watcher/arc_file_system_watcher_service.cc",
@@ -613,6 +616,10 @@ source_set("chromeos") {
     "arc/intent_helper/open_with_menu.h",
     "arc/intent_helper/start_smart_selection_action_menu.cc",
     "arc/intent_helper/start_smart_selection_action_menu.h",
+    "arc/keymaster/arc_keymaster_bridge.cc",
+    "arc/keymaster/arc_keymaster_bridge.h",
+    "arc/keymaster/cert_store_bridge.cc",
+    "arc/keymaster/cert_store_bridge.h",
     "arc/kiosk/arc_kiosk_bridge.cc",
     "arc/kiosk/arc_kiosk_bridge.h",
     "arc/metrics/arc_metrics_service_proxy.cc",
@@ -2602,6 +2609,7 @@ source_set("unit_tests") {
     "arc/enterprise/cert_store/arc_cert_installer_unittest.cc",
     "arc/enterprise/cert_store/arc_cert_installer_utils_unittest.cc",
     "arc/enterprise/cert_store/arc_smart_card_manager_bridge_unittest.cc",
+    "arc/enterprise/cert_store/security_token_operation_bridge_unittest.cc",
     "arc/extensions/arc_support_message_host_unittest.cc",
     "arc/file_system_watcher/arc_file_system_watcher_service_unittest.cc",
     "arc/file_system_watcher/arc_file_system_watcher_util_unittest.cc",
@@ -3075,6 +3083,7 @@ source_set("unit_tests") {
     "//chrome/browser/ui:ash_test_support",
     "//chrome/browser/web_applications/components",
     "//chrome/common",
+    "//chrome/services/keymaster/public/mojom",
     "//chrome/services/wilco_dtc_supportd/public/mojom",
     "//chrome/test:test_support",
     "//chrome/test:test_support_ui",

chrome/browser/chromeos/DEPS

@@ -5,6 +5,7 @@ include_rules = [
   "+chrome/browser/ui/views/chrome_layout_provider.h",
 
   "+chrome/services/app_service/public",
+  "+chrome/services/keymaster/public",
   "+chrome/services/wilco_dtc_supportd/public",
   "+components/guest_os",
   "+cros",

chrome/browser/chromeos/arc/enterprise/cert_store/security_token_operation_bridge.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/arc/enterprise/cert_store/security_token_operation_bridge.h"
+
+#include <utility>
+
+#include "base/bind.h"
+#include "base/callback.h"
+#include "base/logging.h"
+#include "base/optional.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service_factory.h"
+#include "third_party/boringssl/src/include/openssl/ssl.h"
+
+namespace arc {
+namespace keymaster {
+
+namespace {
+
+base::Optional<uint16_t> ConvertMojoAlgorithmToTls(mojom::Algorithm algorithm,
+                                                   mojom::Digest digest) {
+  // Currently, only RSA algorithm is supported.
+  if (algorithm != mojom::Algorithm::kRsaPkcs1)
+    return base::nullopt;
+  switch (digest) {
+    case mojom::Digest::kSha1:
+      return SSL_SIGN_RSA_PKCS1_SHA1;
+    case mojom::Digest::kSha256:
+      return SSL_SIGN_RSA_PKCS1_SHA256;
+    case mojom::Digest::kSha384:
+      return SSL_SIGN_RSA_PKCS1_SHA384;
+    case mojom::Digest::kSha512:
+      return SSL_SIGN_RSA_PKCS1_SHA512;
+  }
+  return base::nullopt;
+}
+
+mojom::SignatureResult ConvertNetToMojomError(net::Error error) {
+  switch (error) {
+    case net::OK:
+      return mojom::SignatureResult::kOk;
+    case net::ERR_FAILED:
+      LOG(ERROR) << "Signature operation failed due to generic reason";
+      return mojom::SignatureResult::kFailed;
+    default:
+      LOG(ERROR) << "Signature operation failed with error=" << error;
+      return mojom::SignatureResult::kFailed;
+  }
+}
+
+}  // namespace
+
+SecurityTokenOperationBridge::SecurityTokenOperationBridge(
+    content::BrowserContext* context,
+    mojo::PendingReceiver<mojom::SecurityTokenOperation> receiver)
+    : receiver_(this, std::move(receiver)),
+      certificate_provider_service_(
+          chromeos::CertificateProviderServiceFactory::GetForBrowserContext(
+              context)),
+      weak_ptr_factory_(this) {
+  VLOG(2) << "SecurityTokenOperationBridge::SecurityTokenOperationBridge";
+  DCHECK(certificate_provider_service_);
+}
+
+SecurityTokenOperationBridge::SecurityTokenOperationBridge(
+    chromeos::CertificateProviderService* certificate_provider_service)
+    : receiver_(this),
+      certificate_provider_service_(certificate_provider_service),
+      weak_ptr_factory_(this) {
+  VLOG(2) << "SecurityTokenOperationBridge::SecurityTokenOperationBridge";
+  DCHECK(certificate_provider_service_);
+}
+
+SecurityTokenOperationBridge::~SecurityTokenOperationBridge() {
+  VLOG(2) << "SecurityTokenOperationBridge::~SecurityTokenOperationBridge";
+}
+
+void SecurityTokenOperationBridge::SignDigest(
+    const std::string& subject_public_key_info,
+    mojom::Algorithm algorithm,
+    mojom::Digest digest,
+    const std::vector<uint8_t>& data,
+    SignDigestCallback callback) {
+  VLOG(2) << "SecurityTokenOperationBridge::SignDigest";
+  base::Optional<uint16_t> crypto_algorithm =
+      ConvertMojoAlgorithmToTls(algorithm, digest);
+  if (!crypto_algorithm.has_value()) {
+    LOG(ERROR) << "Unsupported security token signature algorithm: "
+               << algorithm << " digest: " << digest;
+    std::move(callback).Run(mojom::SignatureResult::kUnsupportedAlgorithm,
+                            base::nullopt);
+    return;
+  }
+  certificate_provider_service_->RequestSignatureBySpki(
+      subject_public_key_info, crypto_algorithm.value(), data, base::nullopt,
+      base::BindOnce(&SecurityTokenOperationBridge::OnSignCompleted,
+                     weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+}
+
+void SecurityTokenOperationBridge::OnSignCompleted(
+    SignDigestCallback callback,
+    net::Error error,
+    const std::vector<uint8_t>& signature) {
+  VLOG(2) << "SecurityTokenOperationBridge::OnSignCompleted";
+  base::Optional<std::vector<uint8_t>> opt_signature;
+  if (error == net::OK)
+    opt_signature = signature;
+  std::move(callback).Run(ConvertNetToMojomError(error),
+                          std::move(opt_signature));
+}
+
+}  // namespace keymaster
+}  // namespace arc

chrome/browser/chromeos/arc/enterprise/cert_store/security_token_operation_bridge.h

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_ARC_ENTERPRISE_CERT_STORE_SECURITY_TOKEN_OPERATION_BRIDGE_H_
+#define CHROME_BROWSER_CHROMEOS_ARC_ENTERPRISE_CERT_STORE_SECURITY_TOKEN_OPERATION_BRIDGE_H_
+
+#include <stdint.h>
+
+#include <string>
+#include <vector>
+
+#include "base/macros.h"
+#include "base/memory/weak_ptr.h"
+#include "chrome/services/keymaster/public/mojom/cert_store.mojom.h"
+#include "mojo/public/cpp/bindings/receiver.h"
+#include "net/base/net_errors.h"
+
+namespace chromeos {
+
+class CertificateProviderService;
+
+}  // namespace chromeos
+
+namespace content {
+
+class BrowserContext;
+
+}  // namespace content
+
+namespace arc {
+namespace keymaster {
+
+class SecurityTokenOperationBridge : public mojom::SecurityTokenOperation {
+ public:
+  SecurityTokenOperationBridge(
+      content::BrowserContext* context,
+      mojo::PendingReceiver<mojom::SecurityTokenOperation> receiver);
+
+  // This constructor is used only for testing.
+  explicit SecurityTokenOperationBridge(
+      chromeos::CertificateProviderService* certificate_provider_service);
+  SecurityTokenOperationBridge(const SecurityTokenOperationBridge&) = delete;
+  SecurityTokenOperationBridge& operator=(const SecurityTokenOperationBridge&) =
+      delete;
+  ~SecurityTokenOperationBridge() override;
+
+  // mojom::SecurityTokenOperation overrides.
+  void SignDigest(const std::string& subject_public_key_info,
+                  mojom::Algorithm algorithm,
+                  mojom::Digest digest,
+                  const std::vector<uint8_t>& data,
+                  SignDigestCallback callback) override;
+
+ private:
+  void OnSignCompleted(SignDigestCallback callback,
+                       net::Error error,
+                       const std::vector<uint8_t>& signature);
+
+  mojo::Receiver<mojom::SecurityTokenOperation> receiver_;
+
+  chromeos::CertificateProviderService*
+      certificate_provider_service_;  // Not owned.
+
+  base::WeakPtrFactory<SecurityTokenOperationBridge> weak_ptr_factory_;
+};
+
+}  // namespace keymaster
+}  // namespace arc
+
+#endif  // CHROME_BROWSER_CHROMEOS_ARC_ENTERPRISE_CERT_STORE_SECURITY_TOKEN_OPERATION_BRIDGE_H_

chrome/browser/chromeos/arc/enterprise/cert_store/security_token_operation_bridge_unittest.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <string>
+#include <tuple>
+#include <vector>
+
+#include "base//strings/string_piece.h"
+#include "base/bind.h"
+#include "base/memory/ptr_util.h"
+#include "base/threading/sequenced_task_runner_handle.h"
+#include "chrome/browser/chromeos/arc/enterprise/cert_store/security_token_operation_bridge.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_info.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service.h"
+#include "chrome/services/keymaster/public/mojom/cert_store.mojom.h"
+#include "content/public/test/browser_task_environment.h"
+#include "net/cert/asn1_util.h"
+#include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util.h"
+#include "net/test/cert_test_util.h"
+#include "net/test/test_data_directory.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/boringssl/src/include/openssl/ssl.h"
+
+namespace arc {
+namespace keymaster {
+
+constexpr char kCertFileName[] = "client_1.pem";
+constexpr char kExtensionId[] = "extension";
+
+namespace {
+
+void ReplyToSignRequest(chromeos::CertificateProviderService* service,
+                        int sign_request_id,
+                        const std::vector<uint8_t>* signature) {
+  service->ReplyToSignRequest(kExtensionId, sign_request_id, *signature);
+}
+
+class FakeDelegate : public chromeos::CertificateProviderService::Delegate {
+ public:
+  // * |cert_file_name| - should be empty if there is no certificates.
+  // * |expected_signature| - should be empty to cause an error.
+  FakeDelegate(chromeos::CertificateProviderService* service,
+               const std::string& cert_file_name,
+               const std::vector<uint8_t> expected_signature)
+      : service_(service),
+        cert_file_name_(cert_file_name),
+        expected_signature_(expected_signature) {}
+
+  std::vector<std::string> CertificateProviderExtensions() override {
+    return std::vector<std::string>{kExtensionId};
+  }
+
+  void BroadcastCertificateRequest(int cert_request_id) override {
+    chromeos::certificate_provider::CertificateInfoList infos;
+    if (!cert_file_name_.empty()) {
+      chromeos::certificate_provider::CertificateInfo cert_info;
+      cert_info.certificate = net::ImportCertFromFile(
+          net::GetTestCertsDirectory(), cert_file_name_);
+      EXPECT_TRUE(cert_info.certificate)
+          << "Could not load " << cert_file_name_;
+      cert_info.supported_algorithms.push_back(SSL_SIGN_RSA_PKCS1_SHA256);
+      infos.push_back(cert_info);
+    }
+    service_->SetCertificatesProvidedByExtension(kExtensionId, cert_request_id,
+                                                 infos);
+  }
+
+  bool DispatchSignRequestToExtension(
+      const std::string& extension_id,
+      int sign_request_id,
+      uint16_t algorithm,
+      const scoped_refptr<net::X509Certificate>& certificate,
+      base::span<const uint8_t> digest) override {
+    EXPECT_EQ(kExtensionId, extension_id);
+
+    // Reply after the method result is returned.
+    base::SequencedTaskRunnerHandle::Get()->PostTask(
+        FROM_HERE, base::BindOnce(&ReplyToSignRequest, service_,
+                                  sign_request_id, &expected_signature_));
+    return true;
+  }
+
+ private:
+  chromeos::CertificateProviderService* service_;  // Not owned.
+  std::string cert_file_name_;
+  std::vector<uint8_t> expected_signature_;
+
+  DISALLOW_COPY_AND_ASSIGN(FakeDelegate);
+};
+
+}  // namespace
+
+class SecurityTokenOperationBridgeTest
+    : public testing::TestWithParam<std::tuple<mojom::SignatureResult,
+                                               std::string,
+                                               std::vector<uint8_t>>> {
+ public:
+  SecurityTokenOperationBridgeTest() = default;
+  SecurityTokenOperationBridgeTest(const SecurityTokenOperationBridgeTest&) =
+      delete;
+  SecurityTokenOperationBridgeTest& operator=(
+      const SecurityTokenOperationBridgeTest&) = delete;
+
+  void SetUp() override {
+    certificate_provider_service_.SetDelegate(
+        std::make_unique<FakeDelegate>(&certificate_provider_service_,
+                                       cert_file_name(), expected_signature()));
+    bridge_ = std::make_unique<SecurityTokenOperationBridge>(
+        &certificate_provider_service_);
+
+    // Request available certificates.
+    auto certificate_provider =
+        certificate_provider_service()->CreateCertificateProvider();
+    base::RunLoop run_loop;
+    certificate_provider->GetCertificates(base::BindOnce(
+        [](base::RepeatingClosure quit_closure,
+           net::ClientCertIdentityList certs) { quit_closure.Run(); },
+        run_loop.QuitClosure()));
+    run_loop.Run();
+  }
+
+  void TearDown() override { bridge_ = nullptr; }
+
+  chromeos::CertificateProviderService* certificate_provider_service() {
+    return &certificate_provider_service_;
+  }
+
+  SecurityTokenOperationBridge* bridge() { return bridge_.get(); }
+  mojom::SignatureResult expected_result() { return std::get<0>(GetParam()); }
+  std::string cert_file_name() { return std::get<1>(GetParam()); }
+  std::vector<uint8_t> expected_signature() { return std::get<2>(GetParam()); }
+
+  // Extract SPKI from certificate stored in |kCertFileName|.
+  std::string spki() {
+    auto certificate =
+        net::ImportCertFromFile(net::GetTestCertsDirectory(), kCertFileName);
+    base::StringPiece spki_bytes;
+    if (!net::asn1::ExtractSPKIFromDERCert(
+            net::x509_util::CryptoBufferAsStringPiece(
+                certificate->cert_buffer()),
+            &spki_bytes)) {
+      return "";
+    }
+    return spki_bytes.as_string();
+  }
+
+ private:
+  content::BrowserTaskEnvironment browser_task_environment_;
+  chromeos::CertificateProviderService certificate_provider_service_;
+  std::unique_ptr<SecurityTokenOperationBridge> bridge_;
+};
+
+TEST_P(SecurityTokenOperationBridgeTest, BasicTest) {
+  base::RunLoop run_loop;
+
+  bridge()->SignDigest(
+      spki(), mojom::Algorithm::kRsaPkcs1, mojom::Digest::kSha256,
+      std::vector<uint8_t>(),
+      base::BindOnce(
+          [](mojom::SignatureResult expected_result,
+             const std::vector<uint8_t>& expected_signature,
+             base::RepeatingClosure quit_closure, mojom::SignatureResult result,
+             const base::Optional<std::vector<uint8_t>>& signature) {
+            quit_closure.Run();
+            EXPECT_EQ(expected_result, result);
+            if (result == mojom::SignatureResult::kOk) {
+              EXPECT_EQ(expected_signature, signature);
+            } else {
+              EXPECT_FALSE(signature.has_value());
+            }
+          },
+          expected_result(), expected_signature(), run_loop.QuitClosure()));
+  run_loop.Run();
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    SecurityTokenOperationBridgeTest,
+    SecurityTokenOperationBridgeTest,
+    ::testing::Values(std::make_tuple(mojom::SignatureResult::kOk,
+                                      kCertFileName,
+                                      std::vector<uint8_t>(1)),
+                      std::make_tuple(mojom::SignatureResult::kFailed,
+                                      kCertFileName,
+                                      std::vector<uint8_t>()),
+                      std::make_tuple(mojom::SignatureResult::kFailed,
+                                      "",
+                                      std::vector<uint8_t>(1))));
+}  // namespace keymaster
+}  // namespace arc

components/arc/keymaster/arc_keymaster_bridge.cc → chrome/browser/chromeos/arc/keymaster/arc_keymaster_bridge.cc

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "components/arc/keymaster/arc_keymaster_bridge.h"
+#include "chrome/browser/chromeos/arc/keymaster/arc_keymaster_bridge.h"
 
 #include <utility>
 
@@ -49,7 +49,9 @@ ArcKeymasterBridge* ArcKeymasterBridge::GetForBrowserContext(
 
 ArcKeymasterBridge::ArcKeymasterBridge(content::BrowserContext* context,
                                        ArcBridgeService* bridge_service)
-    : arc_bridge_service_(bridge_service), weak_factory_(this) {
+    : arc_bridge_service_(bridge_service),
+      cert_store_bridge_(std::make_unique<keymaster::CertStoreBridge>(context)),
+      weak_factory_(this) {
   arc_bridge_service_->keymaster()->SetHost(this);
 }
 
@@ -67,6 +69,7 @@ void ArcKeymasterBridge::GetServer(GetServerCallback callback) {
 
 void ArcKeymasterBridge::OnBootstrapMojoConnection(GetServerCallback callback,
                                                    bool result) {
+  cert_store_bridge_->OnBootstrapMojoConnection(result);
   if (!result) {
     LOG(ERROR) << "Error bootstrapping Mojo in arc-keymasterd.";
     keymaster_server_proxy_.reset();
@@ -79,10 +82,15 @@ void ArcKeymasterBridge::OnBootstrapMojoConnection(GetServerCallback callback,
 
 void ArcKeymasterBridge::BootstrapMojoConnection(GetServerCallback callback) {
   DVLOG(1) << "Bootstrapping arc-keymasterd Mojo connection via D-Bus.";
+
   mojo::OutgoingInvitation invitation;
   mojo::PlatformChannel channel;
   mojo::ScopedMessagePipeHandle server_pipe =
       invitation.AttachMessagePipe("arc-keymaster-pipe");
+
+  // Bootstrap cert_store channel attached to the same invitation.
+  cert_store_bridge_->BindToInvitation(&invitation);
+
   mojo::OutgoingInvitation::Send(std::move(invitation),
                                  base::kNullProcessHandle,
                                  channel.TakeLocalEndpoint());

components/arc/keymaster/arc_keymaster_bridge.h → chrome/browser/chromeos/arc/keymaster/arc_keymaster_bridge.h

@@ -2,11 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef COMPONENTS_ARC_KEYMASTER_ARC_KEYMASTER_BRIDGE_H_
-#define COMPONENTS_ARC_KEYMASTER_ARC_KEYMASTER_BRIDGE_H_
+#ifndef CHROME_BROWSER_CHROMEOS_ARC_KEYMASTER_ARC_KEYMASTER_BRIDGE_H_
+#define CHROME_BROWSER_CHROMEOS_ARC_KEYMASTER_ARC_KEYMASTER_BRIDGE_H_
 
 #include "base/macros.h"
 #include "base/memory/weak_ptr.h"
+#include "chrome/browser/chromeos/arc/keymaster/cert_store_bridge.h"
 #include "components/arc/mojom/keymaster.mojom.h"
 #include "components/keyed_service/core/keyed_service.h"
 
@@ -47,6 +48,9 @@ class ArcKeymasterBridge : public KeyedService, public mojom::KeymasterHost {
   // Points to a proxy bound to the implementation in arc-keymasterd.
   mojom::KeymasterServerPtr keymaster_server_proxy_;
 
+  // Points to a proxy bound to the implementation in arc-keymasterd.
+  std::unique_ptr<keymaster::CertStoreBridge> cert_store_bridge_;
+
   // WeakPtrFactory to use for callbacks.
   base::WeakPtrFactory<ArcKeymasterBridge> weak_factory_;
 
@@ -55,4 +59,4 @@ class ArcKeymasterBridge : public KeyedService, public mojom::KeymasterHost {
 
 }  // namespace arc
 
-#endif  // COMPONENTS_ARC_KEYMASTER_ARC_KEYMASTER_BRIDGE_H_
+#endif  // CHROME_BROWSER_CHROMEOS_ARC_KEYMASTER_ARC_KEYMASTER_BRIDGE_H_

chrome/browser/chromeos/arc/keymaster/cert_store_bridge.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/arc/keymaster/cert_store_bridge.h"
+
+#include <utility>
+
+#include "base/bind.h"
+#include "base/callback.h"
+#include "base/logging.h"
+
+#include "mojo/public/cpp/bindings/interface_ptr.h"
+#include "mojo/public/cpp/bindings/interface_request.h"
+#include "mojo/public/cpp/platform/platform_channel.h"
+
+namespace arc {
+namespace keymaster {
+
+CertStoreBridge::CertStoreBridge(content::BrowserContext* context)
+    : context_(context), weak_ptr_factory_(this) {
+  VLOG(2) << "CertStoreBridge::CertStoreBridge";
+}
+
+CertStoreBridge::~CertStoreBridge() {
+  VLOG(2) << "CertStoreBridge::~CertStoreBridge";
+  security_token_operation_.reset();
+}
+
+void CertStoreBridge::GetSecurityTokenOperation(
+    mojom::SecurityTokenOperationRequest operation_request,
+    GetSecurityTokenOperationCallback callback) {
+  VLOG(2) << "CertStoreBridge::GetSecurityTokenOperation";
+  security_token_operation_ = std::make_unique<SecurityTokenOperationBridge>(
+      context_, mojo::PendingReceiver<mojom::SecurityTokenOperation>(
+                    std::move(operation_request)));
+  std::move(callback).Run();
+}
+
+void CertStoreBridge::BindToInvitation(mojo::OutgoingInvitation* invitation) {
+  VLOG(2) << "CertStoreBridge::BootstrapMojoConnection";
+
+  mojo::ScopedMessagePipeHandle pipe =
+      invitation->AttachMessagePipe("arc-cert-store-pipe");
+
+  cert_store_proxy_.Bind(
+      mojo::InterfacePtrInfo<keymaster::mojom::CertStoreInstance>(
+          std::move(pipe), 0u));
+  VLOG(2) << "Bound remote CertStoreInstance interface to pipe.";
+  cert_store_proxy_.set_connection_error_handler(base::BindOnce(
+      &mojo::InterfacePtr<keymaster::mojom::CertStoreInstance>::reset,
+      base::Unretained(&cert_store_proxy_)));
+}
+
+void CertStoreBridge::OnBootstrapMojoConnection(bool result) {
+  if (!result) {
+    cert_store_proxy_.reset();
+    return;
+  }
+
+  auto binding =
+      std::make_unique<mojo::Binding<keymaster::mojom::CertStoreHost>>(this);
+  mojo::InterfacePtr<keymaster::mojom::CertStoreHost> host_proxy;
+  binding->Bind(mojo::MakeRequest(&host_proxy));
+
+  cert_store_proxy_->Init(
+      std::move(host_proxy),
+      base::BindOnce(&CertStoreBridge::OnConnectionReady,
+                     weak_ptr_factory_.GetWeakPtr(), std::move(binding)));
+}
+
+void CertStoreBridge::OnConnectionReady(
+    std::unique_ptr<mojo::Binding<mojom::CertStoreHost>> binding) {
+  VLOG(2) << "CertStoreBridge::OnConnectionReady";
+  DCHECK(!binding_);
+  binding->set_connection_error_handler(base::BindOnce(
+      &CertStoreBridge::OnConnectionClosed, base::Unretained(this)));
+  binding_ = std::move(binding);
+}
+
+void CertStoreBridge::OnConnectionClosed() {
+  VLOG(2) << "CertStoreBridge::OnConnectionClosed";
+  DCHECK(binding_);
+  binding_.reset();
+}
+
+}  // namespace keymaster
+}  // namespace arc

chrome/browser/chromeos/arc/keymaster/cert_store_bridge.h

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_ARC_KEYMASTER_CERT_STORE_BRIDGE_H_
+#define CHROME_BROWSER_CHROMEOS_ARC_KEYMASTER_CERT_STORE_BRIDGE_H_
+
+#include <memory>
+
+#include "base/memory/weak_ptr.h"
+#include "chrome/browser/chromeos/arc/enterprise/cert_store/security_token_operation_bridge.h"
+#include "chrome/services/keymaster/public/mojom/cert_store.mojom.h"
+#include "mojo/public/cpp/bindings/binding.h"
+#include "mojo/public/cpp/system/invitation.h"
+
+namespace content {
+
+class BrowserContext;
+
+}  // namespace content
+
+namespace arc {
+namespace keymaster {
+
+class CertStoreBridge : public mojom::CertStoreHost {
+ public:
+  explicit CertStoreBridge(content::BrowserContext* context);
+  CertStoreBridge(const CertStoreBridge&) = delete;
+  CertStoreBridge& operator=(const CertStoreBridge&) = delete;
+  ~CertStoreBridge() override;
+
+  // Attaches a new message pipe to the invitation and binds it to the cert
+  // store instance proxy.
+  void BindToInvitation(mojo::OutgoingInvitation* invitation);
+  void OnBootstrapMojoConnection(bool result);
+
+  // CertStoreHost overrides.
+  void GetSecurityTokenOperation(
+      mojom::SecurityTokenOperationRequest operation_request,
+      GetSecurityTokenOperationCallback callback) override;
+
+ private:
+  void OnConnectionReady(
+      std::unique_ptr<mojo::Binding<mojom::CertStoreHost>> binding);
+  void OnConnectionClosed();
+
+  content::BrowserContext* context_;  // not owned.
+
+  // Points to a proxy bound to the implementation in arc-keymasterd.
+  keymaster::mojom::CertStoreInstancePtr cert_store_proxy_;
+
+  std::unique_ptr<SecurityTokenOperationBridge> security_token_operation_;
+
+  std::unique_ptr<mojo::Binding<mojom::CertStoreHost>> binding_;
+
+  base::WeakPtrFactory<CertStoreBridge> weak_ptr_factory_;
+};
+
+}  // namespace keymaster
+}  // namespace arc
+
+#endif  // CHROME_BROWSER_CHROMEOS_ARC_KEYMASTER_CERT_STORE_BRIDGE_H_

chrome/browser/chromeos/arc/session/arc_service_launcher.cc

@@ -28,6 +28,7 @@
 #include "chrome/browser/chromeos/arc/input_method_manager/arc_input_method_manager_service.h"
 #include "chrome/browser/chromeos/arc/instance_throttle/arc_instance_throttle.h"
 #include "chrome/browser/chromeos/arc/intent_helper/arc_settings_service.h"
+#include "chrome/browser/chromeos/arc/keymaster/arc_keymaster_bridge.h"
 #include "chrome/browser/chromeos/arc/kiosk/arc_kiosk_bridge.h"
 #include "chrome/browser/chromeos/arc/metrics/arc_metrics_service_proxy.h"
 #include "chrome/browser/chromeos/arc/notification/arc_boot_error_notification.h"
@@ -63,7 +64,6 @@
 #include "components/arc/disk_quota/arc_disk_quota_bridge.h"
 #include "components/arc/ime/arc_ime_service.h"
 #include "components/arc/intent_helper/arc_intent_helper_bridge.h"
-#include "components/arc/keymaster/arc_keymaster_bridge.h"
 #include "components/arc/lock_screen/arc_lock_screen_bridge.h"
 #include "components/arc/media_session/arc_media_session_bridge.h"
 #include "components/arc/metrics/arc_metrics_service.h"

chrome/services/keymaster/public/mojom/BUILD.gn

+# Copyright 2019 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+import("//mojo/public/tools/bindings/mojom.gni")
+
+assert(is_chromeos)
+
+mojom("mojom") {
+  sources = [
+    "cert_store.mojom",
+  ]
+
+  public_deps = [
+    "//mojo/public/mojom/base",
+  ]
+}

chrome/services/keymaster/public/mojom/OWNERS

+per-file *.mojom=set noparent
+per-file *.mojom=file://ipc/SECURITY_OWNERS

chrome/services/keymaster/public/mojom/cert_store.mojom

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Next MinVersion: 1
+
+// This file defines the mojo interface between arc-keymaster and Chrome for the
+// keys hardware-backed and accessible by Chrome.
+
+module arc.keymaster.mojom;
+
+// Enumerates the crypto algorithms supported by Host.
+[Extensible]
+enum Algorithm {
+  kRsaPkcs1,
+};
+
+// Enumerates the digests supported by Host.
+[Extensible]
+enum Digest {
+  kSha1,
+  kSha256,
+  kSha384,
+  kSha512,
+};
+
+// Enumerates the result codes of signature operation.
+[Extensible]
+enum SignatureResult {
+  kOk,
+  // Failed with error.
+  kFailed,
+  // Inspect Chrome's logs for the exact net::Error.
+  kNetError,
+  kUnsupportedAlgorithm,
+};
+
+// Interface exposed by Chrome.
+// Next method ID: 1
+interface CertStoreHost {
+  // Returns an interface to SecurityTokenOperation.
+  GetSecurityTokenOperation@0(SecurityTokenOperation& operation) => ();
+};
+
+// Interface exposed by arc-keymaster daemon.
+// Next method ID: 1
+interface CertStoreInstance {
+  // Establishes full-duplex communication with the host.
+  Init@0(CertStoreHost host_ptr) => ();
+};
+
+// Implemented in Chrome.
+// Next method ID: 1
+interface SecurityTokenOperation {
+  // Signs input |data| pre-hashed with the given |digest|.
+  // Retrieves a |signature| signed by a certificate identified by
+  // |subject_public_key_info| by |algorithm| (currently, only RSA is
+  // supported).
+  // In case of any error, |signature| is null.
+  SignDigest@0(string subject_public_key_info, Algorithm algorithm,
+       Digest digest, array<uint8> data) => (SignatureResult result,
+           array<uint8>? signature);
+};

components/arc/BUILD.gn

@@ -41,8 +41,6 @@ static_library("arc") {
     "intent_helper/link_handler_model.cc",
     "intent_helper/link_handler_model.h",
     "intent_helper/open_url_delegate.h",
-    "keymaster/arc_keymaster_bridge.cc",
-    "keymaster/arc_keymaster_bridge.h",
     "lock_screen/arc_lock_screen_bridge.cc",
     "lock_screen/arc_lock_screen_bridge.h",
     "metrics/arc_metrics_service.cc",