Split TpmChallengeKey into separate steps

This CL splits TpmChallengeKey::BuildResponse method into separate
steps: PrepareKey, SignChallenge, RegisterKey. This allows to
observe public key that will be used for creating challenge and to
register a key without signing challenge. RestoreState allowes
to continue attestation flow with a new TpmChallengeKey object.
This will be used to observe public key that will be used for
serialization.

Bug: 1045895
Test: TpmChallenge*
Change-Id: I031072027cfd883eff0f69483f73799d970f1cc3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2062130
Commit-Queue: Michael Ershov <miersh@google.com>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#750938}

chrome/browser/chromeos/BUILD.gn

@@ -749,6 +749,8 @@ source_set("chromeos") {
     "attestation/tpm_challenge_key.h",
     "attestation/tpm_challenge_key_result.cc",
     "attestation/tpm_challenge_key_result.h",
+    "attestation/tpm_challenge_key_subtle.cc",
+    "attestation/tpm_challenge_key_subtle.h",
     "attestation/tpm_challenge_key_with_timeout.cc",
     "attestation/tpm_challenge_key_with_timeout.h",
     "authpolicy/authpolicy_credentials_manager.cc",
@@ -2745,6 +2747,8 @@ source_set("unit_tests") {
     "attestation/machine_certificate_uploader_impl_unittest.cc",
     "attestation/mock_tpm_challenge_key.cc",
     "attestation/mock_tpm_challenge_key.h",
+    "attestation/mock_tpm_challenge_key_subtle.cc",
+    "attestation/mock_tpm_challenge_key_subtle.h",
     "attestation/platform_verification_flow_unittest.cc",
     "attestation/tpm_challenge_key_unittest.cc",
     "authpolicy/authpolicy_credentials_manager_unittest.cc",

chrome/browser/chromeos/attestation/mock_tpm_challenge_key.cc

@@ -23,7 +23,8 @@ void MockTpmChallengeKey::EnableFake() {
 
 void MockTpmChallengeKey::FakeBuildResponseSuccess(
     TpmChallengeKeyCallback callback) {
-  std::move(callback).Run(TpmChallengeKeyResult::MakeResult("response"));
+  std::move(callback).Run(
+      TpmChallengeKeyResult::MakeChallengeResponse("response"));
 }
 
 }  // namespace attestation

chrome/browser/chromeos/attestation/mock_tpm_challenge_key_subtle.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/attestation/mock_tpm_challenge_key_subtle.h"
+
+namespace chromeos {
+namespace attestation {
+
+MockTpmChallengeKeySubtle::MockTpmChallengeKeySubtle() = default;
+MockTpmChallengeKeySubtle::~MockTpmChallengeKeySubtle() = default;
+
+}  // namespace attestation
+}  // namespace chromeos

chrome/browser/chromeos/attestation/mock_tpm_challenge_key_subtle.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_ATTESTATION_MOCK_TPM_CHALLENGE_KEY_SUBTLE_H_
+#define CHROME_BROWSER_CHROMEOS_ATTESTATION_MOCK_TPM_CHALLENGE_KEY_SUBTLE_H_
+
+#include <string>
+
+#include "chrome/browser/chromeos/attestation/tpm_challenge_key_subtle.h"
+#include "testing/gmock/include/gmock/gmock.h"
+
+namespace chromeos {
+namespace attestation {
+
+class MockTpmChallengeKeySubtle : public TpmChallengeKeySubtle {
+ public:
+  MockTpmChallengeKeySubtle();
+  MockTpmChallengeKeySubtle(const MockTpmChallengeKeySubtle&) = delete;
+  MockTpmChallengeKeySubtle& operator=(const MockTpmChallengeKeySubtle&) =
+      delete;
+  ~MockTpmChallengeKeySubtle() override;
+
+  MOCK_METHOD(void,
+              StartPrepareKeyStep,
+              (AttestationKeyType key_type,
+               const std::string& key_name,
+               Profile* profile,
+               const std::string& key_name_for_spkac,
+               TpmChallengeKeyCallback callback),
+              (override));
+
+  MOCK_METHOD(void,
+              StartSignChallengeStep,
+              (const std::string& challenge,
+               bool include_signed_public_key,
+               TpmChallengeKeyCallback callback),
+              (override));
+
+  MOCK_METHOD(void,
+              StartRegisterKeyStep,
+              (TpmChallengeKeyCallback callback),
+              (override));
+
+  MOCK_METHOD(void,
+              RestorePreparedKeyState,
+              (AttestationKeyType key_type,
+               const std::string& key_name,
+               Profile* profile,
+               const std::string& key_name_for_spkac),
+              (override));
+};
+
+}  // namespace attestation
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_CHROMEOS_ATTESTATION_MOCK_TPM_CHALLENGE_KEY_SUBTLE_H_

chrome/browser/chromeos/attestation/tpm_challenge_key.h

@@ -8,20 +8,14 @@
 #include <memory>
 #include <string>
 
-#include "base/callback.h"
-#include "base/macros.h"
 #include "base/memory/weak_ptr.h"
-#include "base/optional.h"
 #include "base/sequence_checker.h"
 #include "chrome/browser/chromeos/attestation/tpm_challenge_key_result.h"
-#include "chromeos/attestation/attestation_flow.h"
+#include "chrome/browser/chromeos/attestation/tpm_challenge_key_subtle.h"
 #include "chromeos/dbus/constants/attestation_constants.h"
-#include "chromeos/dbus/cryptohome/cryptohome_client.h"
-#include "components/account_id/account_id.h"
-#include "components/user_manager/user.h"
-#include "third_party/cros_system_api/dbus/cryptohome/dbus-constants.h"
 
 class Profile;
+class AttestationFlow;
 
 namespace user_prefs {
 class PrefRegistrySyncable;
@@ -34,7 +28,7 @@ namespace attestation {
 
 class TpmChallengeKey;
 
-class TpmChallengeKeyFactory {
+class TpmChallengeKeyFactory final {
  public:
   static std::unique_ptr<TpmChallengeKey> Create();
   static void SetForTesting(std::unique_ptr<TpmChallengeKey> next_result);
@@ -45,10 +39,10 @@ class TpmChallengeKeyFactory {
 
 //=========================== TpmChallengeKey ==================================
 
-using TpmChallengeKeyCallback =
-    base::OnceCallback<void(const TpmChallengeKeyResult& result)>;
-
-// Asynchronously run the flow to challenge a key in the caller context.
+// Asynchronously runs the flow to challenge a key in the caller context. This
+// is a wrapper around TpmChallengeKeySubtle with an easier-to-use interface.
+// TpmChallengeKeySubtle can be used directly to get more control over main
+// steps to build the response.
 class TpmChallengeKey {
  public:
   TpmChallengeKey(const TpmChallengeKey&) = delete;
@@ -77,7 +71,7 @@ class TpmChallengeKey {
 
 //=========================== TpmChallengeKeyImpl ==============================
 
-class TpmChallengeKeyImpl : public TpmChallengeKey {
+class TpmChallengeKeyImpl final : public TpmChallengeKey {
  public:
   // Use TpmChallengeKeyFactory for creation.
   TpmChallengeKeyImpl();
@@ -96,65 +90,18 @@ class TpmChallengeKeyImpl : public TpmChallengeKey {
                      const std::string& key_name_for_spkac) override;
 
  private:
-  void ChallengeUserKey();
-  void ChallengeMachineKey();
-
-  // Returns true if the user is managed and is affiliated with the domain the
-  // device is enrolled to.
-  bool IsUserAffiliated() const;
-  // Returns true if remote attestation is allowed and the setting is managed.
-  bool IsRemoteAttestationEnabledForUser() const;
-
-  // Returns the enterprise domain the device is enrolled to or user email.
-  std::string GetEmail() const;
-  const char* GetKeyName() const;
-  AttestationCertificateProfile GetCertificateProfile() const;
-  std::string GetKeyNameForRegister() const;
-  const user_manager::User* GetUser() const;
-  AccountId GetAccountId() const;
-
-  // Prepares the key for signing. It will first check if a new key should be
-  // generated, i.e. |key_name_for_spkac_| is not empty or the key doesn't exist
-  // and, if necessary, call AttestationFlow::GetCertificate() to get a new one.
-  // If |IsUserConsentRequired()| is true, it will explicitly ask for user
-  // consent before calling GetCertificate().
-  void PrepareKey();
-  void PrepareKeyFinished();
-
-  void SignChallengeCallback(bool register_key,
-                             bool success,
-                             const std::string& response);
-  void RegisterKeyCallback(const std::string& response,
-                           bool success,
-                           cryptohome::MountError return_code);
-  // Returns a trusted value from CrosSettings indicating if the device
-  // attestation is enabled.
-  void GetDeviceAttestationEnabled(
-      const base::RepeatingCallback<void(bool)>& callback);
-  void GetDeviceAttestationEnabledCallback(bool enabled);
-
-  void IsAttestationPreparedCallback(base::Optional<bool> result);
-  void PrepareKeyErrorHandlerCallback(base::Optional<bool> is_tpm_enabled);
-  void DoesKeyExistCallback(base::Optional<bool> result);
-  void AskForUserConsent(base::OnceCallback<void(bool)> callback) const;
-  void AskForUserConsentCallback(bool result);
-  void GetCertificateCallback(AttestationStatus status,
-                              const std::string& pem_certificate_chain);
-
-  std::unique_ptr<AttestationFlow> default_attestation_flow_;
-  AttestationFlow* attestation_flow_ = nullptr;
-
-  TpmChallengeKeyCallback callback_;
-  Profile* profile_ = nullptr;
-
-  AttestationKeyType key_type_ = AttestationKeyType::KEY_DEVICE;
-  std::string challenge_;
+  void OnPrepareKeyDone(const TpmChallengeKeyResult& prepare_key_result);
+  void OnSignChallengeDone(const TpmChallengeKeyResult& sign_challenge_result);
+  void OnRegisterKeyDone(const TpmChallengeKeyResult& challenge_response,
+                         const TpmChallengeKeyResult& register_key_result);
 
   bool register_key_ = false;
-  std::string key_name_for_spkac_;
+  std::string challenge_;
+  TpmChallengeKeyResult challenge_response_;
+  TpmChallengeKeyCallback callback_;
+  std::unique_ptr<TpmChallengeKeySubtle> tpm_challenge_key_subtle_;
 
   SEQUENCE_CHECKER(sequence_checker_);
-
   base::WeakPtrFactory<TpmChallengeKeyImpl> weak_factory_{this};
 };
 

chrome/browser/chromeos/attestation/tpm_challenge_key_result.cc

@@ -48,20 +48,42 @@ const char TpmChallengeKeyResult::kChallengeBadBase64ErrorMsg[] =
     "Challenge is not base64 encoded.";
 const char TpmChallengeKeyResult::kDeviceWebBasedAttestationNotOobeErrorMsg[] =
     "Device web based attestation is only available on the OOBE screen.";
+const char TpmChallengeKeyResult::kGetPublicKeyFailedErrorMsg[] =
+    "Failed to get public key.";
 
 // static
-TpmChallengeKeyResult TpmChallengeKeyResult::MakeResult(
-    const std::string& success_result) {
+TpmChallengeKeyResult TpmChallengeKeyResult::MakeChallengeResponse(
+    const std::string& challenge_response) {
   return TpmChallengeKeyResult{
       /*result_code=*/TpmChallengeKeyResultCode::kSuccess,
-      /*data=*/success_result};
+      /*public_key=*/"",
+      /*challenge_response=*/challenge_response};
+}
+
+// static
+TpmChallengeKeyResult TpmChallengeKeyResult::MakePublicKey(
+    const std::string& public_key) {
+  return TpmChallengeKeyResult{
+      /*result_code=*/TpmChallengeKeyResultCode::kSuccess,
+      /*public_key=*/public_key,
+      /*challenge_response=*/""};
+}
+
+// static
+TpmChallengeKeyResult TpmChallengeKeyResult::MakeSuccess() {
+  return TpmChallengeKeyResult{
+      /*result_code=*/TpmChallengeKeyResultCode::kSuccess,
+      /*public_key=*/"",
+      /*challenge_response=*/""};
 }
 
 // static
 TpmChallengeKeyResult TpmChallengeKeyResult::MakeError(
     TpmChallengeKeyResultCode error_code) {
+  DCHECK_NE(error_code, TpmChallengeKeyResultCode::kSuccess);
   return TpmChallengeKeyResult{/*result_code=*/error_code,
-                               /*data=*/""};
+                               /*public_key=*/"",
+                               /*challenge_response=*/""};
 }
 
 const char* TpmChallengeKeyResult::GetErrorMessage() const {
@@ -100,6 +122,8 @@ const char* TpmChallengeKeyResult::GetErrorMessage() const {
       return kChallengeBadBase64ErrorMsg;
     case TpmChallengeKeyResultCode::kDeviceWebBasedAttestationNotOobeError:
       return kDeviceWebBasedAttestationNotOobeErrorMsg;
+    case TpmChallengeKeyResultCode::kGetPublicKeyFailedError:
+      return kGetPublicKeyFailedErrorMsg;
     case TpmChallengeKeyResultCode::kSuccess:
       // Not an error message.
       NOTREACHED();

chrome/browser/chromeos/attestation/tpm_challenge_key_result.h

@@ -32,10 +32,16 @@ enum class TpmChallengeKeyResultCode {
   kExtensionNotWhitelistedError = 15,
   kChallengeBadBase64Error = 16,
   kDeviceWebBasedAttestationNotOobeError = 17,
-  kMaxValue = kDeviceWebBasedAttestationNotOobeError,
+  kGetPublicKeyFailedError = 18,
+  kMaxValue = kGetPublicKeyFailedError,
 };
 
-// If |result_code| is success then |data| contains a challenge response.
+// If |IsSuccess| returns false, |result_code| contains error code and
+// |public_key| and |challenge_response| are empty.
+// Otherwise, if the object was returned from
+// |TpmChallengeKeySubtle::PrepareKey|, the |public_key| is filled. If the
+// object was returned from |TpmChallengeKey::BuildResponse| or
+// |TpmChallengeKeySubtle::SignChallenge|, the |challenge_response| is filled.
 struct TpmChallengeKeyResult {
   static const char kDevicePolicyDisabledErrorMsg[];
   static const char kSignChallengeFailedErrorMsg[];
@@ -54,15 +60,20 @@ struct TpmChallengeKeyResult {
   static const char kExtensionNotWhitelistedErrorMsg[];
   static const char kChallengeBadBase64ErrorMsg[];
   static const char kDeviceWebBasedAttestationNotOobeErrorMsg[];
+  static const char kGetPublicKeyFailedErrorMsg[];
 
-  static TpmChallengeKeyResult MakeResult(const std::string& success_result);
+  static TpmChallengeKeyResult MakeChallengeResponse(
+      const std::string& challenge_response);
+  static TpmChallengeKeyResult MakePublicKey(const std::string& public_key);
+  static TpmChallengeKeyResult MakeSuccess();
   static TpmChallengeKeyResult MakeError(TpmChallengeKeyResultCode error_code);
 
   const char* GetErrorMessage() const;
   bool IsSuccess() const;
 
   TpmChallengeKeyResultCode result_code = TpmChallengeKeyResultCode::kSuccess;
-  std::string data;
+  std::string public_key;
+  std::string challenge_response;
 };
 
 }  // namespace attestation

chrome/browser/chromeos/attestation/tpm_challenge_key_subtle.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_ATTESTATION_TPM_CHALLENGE_KEY_SUBTLE_H_
+#define CHROME_BROWSER_CHROMEOS_ATTESTATION_TPM_CHALLENGE_KEY_SUBTLE_H_
+
+#include <memory>
+#include <string>
+
+#include "base/callback.h"
+#include "base/macros.h"
+#include "base/memory/weak_ptr.h"
+#include "base/optional.h"
+#include "base/sequence_checker.h"
+#include "chrome/browser/chromeos/attestation/tpm_challenge_key_result.h"
+#include "chromeos/attestation/attestation_flow.h"
+#include "chromeos/dbus/constants/attestation_constants.h"
+#include "chromeos/dbus/cryptohome/cryptohome_client.h"
+#include "components/account_id/account_id.h"
+#include "components/user_manager/user.h"
+#include "third_party/cros_system_api/dbus/cryptohome/dbus-constants.h"
+
+class Profile;
+
+namespace chromeos {
+namespace attestation {
+
+//==================== TpmChallengeKeySubtleFactory ============================
+
+class TpmChallengeKeySubtle;
+
+class TpmChallengeKeySubtleFactory final {
+ public:
+  static std::unique_ptr<TpmChallengeKeySubtle> Create();
+
+  // Recreates an object as it would be after |StartPrepareKeyStep| method call.
+  // It is the caller's responsibility to guarantee that |StartPrepareKeyStep|
+  // has successfully finished before and that only one call of
+  // |StartSignChallengeStep| and/or |StartRegisterKeyStep| for a prepared key
+  // pair will ever happen.
+  static std::unique_ptr<TpmChallengeKeySubtle> CreateForPreparedKey(
+      AttestationKeyType key_type,
+      const std::string& key_name,
+      Profile* profile,
+      const std::string& key_name_for_spkac);
+
+  static void SetForTesting(std::unique_ptr<TpmChallengeKeySubtle> next_result);
+  static bool WillReturnTestingInstance();
+
+ private:
+  static TpmChallengeKeySubtle* next_result_for_testing_;
+};
+
+//===================== TpmChallengeKeySubtle ==================================
+
+using TpmChallengeKeyCallback =
+    base::OnceCallback<void(const TpmChallengeKeyResult& result)>;
+
+// Asynchronously runs the flow to challenge a key in the caller context. Allows
+// to generate a key pair and then build VA challenge response using it. If
+// observing the key pair is not required, consider using |TpmChallengeKey|
+// class.
+
+// Asynchronously runs the flow to challenge a key in the caller context.
+// Consider using |TpmChallengeKey| class for simple cases.
+// This class provides a detailed API for calculating Verified Access challenge
+// response and manipulating keys that are used for that.
+//
+// The order of calling methods is important. Expected usage:
+// 1. |StartPrepareKeyStep| should always be called first.
+// 2. After that, if the object is destroyed, it can be recreated by using
+// |TpmChallengeKeySubtleFactory::CreateForPreparedKey|.
+// 3. |StartSignChallengeStep| allows to calculate challenge response, can be
+// skipped.
+// 4. As a last step, |StartRegisterKeyStep| allows change key type so it cannot
+// sign challenges anymore, but can be used for general puprose cryptographic
+// operations (via PlatformKeysService).
+class TpmChallengeKeySubtle {
+ public:
+  TpmChallengeKeySubtle(const TpmChallengeKeySubtle&) = delete;
+  TpmChallengeKeySubtle& operator=(const TpmChallengeKeySubtle&) = delete;
+  virtual ~TpmChallengeKeySubtle() = default;
+
+  // Checks that it is allowed to generate a VA challenge response and generates
+  // a new key pair if necessary. Returns result via |callback|. In case of
+  // success |TpmChallengeKeyResult::public_key| will be filled.
+  virtual void StartPrepareKeyStep(AttestationKeyType key_type,
+                                   const std::string& key_name,
+                                   Profile* profile,
+                                   const std::string& key_name_for_spkac,
+                                   TpmChallengeKeyCallback callback) = 0;
+
+  // Generates a VA challenge response using the key pair prepared by
+  // |PrepareKey| method. Returns VA challenge response via |callback|. In case
+  // of success |TpmChallengeKeyResult::challenge_response| will be filled.
+  virtual void StartSignChallengeStep(const std::string& challenge,
+                                      bool include_signed_public_key,
+                                      TpmChallengeKeyCallback callback) = 0;
+
+  // Registers the key that makes it available for general purpose cryptographic
+  // operations.
+  virtual void StartRegisterKeyStep(TpmChallengeKeyCallback callback) = 0;
+
+ protected:
+  // Allow access to |RestorePrepareKeyResult| method.
+  friend class TpmChallengeKeySubtleFactory;
+
+  // Use TpmChallengeKeySubtleFactory for creation.
+  TpmChallengeKeySubtle() = default;
+
+  // Restores internal state of the object as if it would be after
+  // |StartPrepareKeyStep|.
+  virtual void RestorePreparedKeyState(
+      AttestationKeyType key_type,
+      const std::string& key_name,
+      Profile* profile,
+      const std::string& key_name_for_spkac) = 0;
+};
+
+//================= TpmChallengeKeySubtleImpl ==================================
+
+class TpmChallengeKeySubtleImpl final : public TpmChallengeKeySubtle {
+ public:
+  // Use TpmChallengeKeySubtleFactory for creation.
+  TpmChallengeKeySubtleImpl();
+  // Use only for testing.
+  explicit TpmChallengeKeySubtleImpl(
+      AttestationFlow* attestation_flow_for_testing);
+
+  TpmChallengeKeySubtleImpl(const TpmChallengeKeySubtleImpl&) = delete;
+  TpmChallengeKeySubtleImpl& operator=(const TpmChallengeKeySubtleImpl&) =
+      delete;
+  ~TpmChallengeKeySubtleImpl() override;
+
+  // TpmChallengeKeySubtle
+  void StartPrepareKeyStep(AttestationKeyType key_type,
+                           const std::string& key_name,
+                           Profile* profile,
+                           const std::string& key_name_for_spkac,
+                           TpmChallengeKeyCallback callback) override;
+  void StartSignChallengeStep(const std::string& challenge,
+                              bool include_signed_public_key,
+                              TpmChallengeKeyCallback callback) override;
+  void StartRegisterKeyStep(TpmChallengeKeyCallback callback) override;
+
+ private:
+  // TpmChallengeKeySubtle
+  void RestorePreparedKeyState(AttestationKeyType key_type,
+                               const std::string& key_name,
+                               Profile* profile,
+                               const std::string& key_name_for_spkac) override;
+
+  void PrepareUserKey();
+  void PrepareMachineKey();
+
+  // Returns true if the user is managed and is affiliated with the domain the
+  // device is enrolled to.
+  bool IsUserAffiliated() const;
+  // Returns true if remote attestation is allowed and the setting is managed.
+  bool IsRemoteAttestationEnabledForUser() const;
+
+  // Returns the enterprise domain the device is enrolled to or user email.
+  std::string GetEmail() const;
+  const char* GetKeyName() const;
+  AttestationCertificateProfile GetCertificateProfile() const;
+  std::string GetKeyNameForRegister() const;
+  const user_manager::User* GetUser() const;
+  AccountId GetAccountId() const;
+
+  // Actually prepares a key after all checks are passed.
+  void PrepareKey();
+  // Returns a public key (or an error) via |prepare_key_callback_|.
+  void PrepareKeyFinished(
+      base::Optional<CryptohomeClient::TpmAttestationDataResult>
+          prepare_key_result);
+
+  void SignChallengeCallback(bool success, const std::string& response);
+
+  void RegisterKeyCallback(bool success, cryptohome::MountError return_code);
+
+  // Returns a trusted value from CrosSettings indicating if the device
+  // attestation is enabled.
+  void GetDeviceAttestationEnabled(
+      const base::RepeatingCallback<void(bool)>& callback);
+  void GetDeviceAttestationEnabledCallback(bool enabled);
+
+  void IsAttestationPreparedCallback(base::Optional<bool> result);
+  void PrepareKeyErrorHandlerCallback(base::Optional<bool> is_tpm_enabled);
+  void DoesKeyExistCallback(base::Optional<bool> result);
+  void AskForUserConsent(base::OnceCallback<void(bool)> callback) const;
+  void AskForUserConsentCallback(bool result);
+  void GetCertificateCallback(AttestationStatus status,
+                              const std::string& pem_certificate_chain);
+  void GetPublicKey();
+
+  // Runs |callback_| and resets it. Resetting it in this function and checking
+  // it in public functions prevents simultaneous calls on the same object.
+  // |this| may be destructed during the |callback_| run.
+  void RunCallback(const TpmChallengeKeyResult& result);
+
+  std::unique_ptr<AttestationFlow> default_attestation_flow_;
+  AttestationFlow* attestation_flow_ = nullptr;
+
+  TpmChallengeKeyCallback callback_;
+  Profile* profile_ = nullptr;
+
+  AttestationKeyType key_type_ = AttestationKeyType::KEY_DEVICE;
+
+  std::string key_name_;
+  std::string key_name_for_spkac_;
+
+  SEQUENCE_CHECKER(sequence_checker_);
+
+  base::WeakPtrFactory<TpmChallengeKeySubtleImpl> weak_factory_{this};
+};
+
+}  // namespace attestation
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_CHROMEOS_ATTESTATION_TPM_CHALLENGE_KEY_SUBTLE_H_

chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api.cc

@@ -308,7 +308,7 @@ void EnterprisePlatformKeysChallengeMachineKeyFunction::OnChallengedKey(
     const chromeos::attestation::TpmChallengeKeyResult& result) {
   if (result.IsSuccess()) {
     Respond(ArgumentList(api_epk::ChallengeMachineKey::Results::Create(
-        VectorFromString(result.data))));
+        VectorFromString(result.challenge_response))));
   } else {
     Respond(Error(result.GetErrorMessage()));
   }
@@ -342,7 +342,7 @@ void EnterprisePlatformKeysChallengeUserKeyFunction::OnChallengedKey(
     const chromeos::attestation::TpmChallengeKeyResult& result) {
   if (result.IsSuccess()) {
     Respond(ArgumentList(api_epk::ChallengeUserKey::Results::Create(
-        VectorFromString(result.data))));
+        VectorFromString(result.challenge_response))));
   } else {
     Respond(Error(result.GetErrorMessage()));
   }

chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api_unittest.cc

@@ -41,7 +41,8 @@ void FakeRunCheckNotRegister(
     const std::string& key_name_for_spkac) {
   EXPECT_FALSE(register_key);
   std::move(callback).Run(
-      chromeos::attestation::TpmChallengeKeyResult::MakeResult("response"));
+      chromeos::attestation::TpmChallengeKeyResult::MakeChallengeResponse(
+          "response"));
 }
 
 class EPKChallengeKeyTestBase : public BrowserWithTestWindowTest {

chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc

@@ -124,7 +124,7 @@ void EnterprisePlatformKeysPrivateChallengeMachineKeyFunction::OnChallengedKey(
     const chromeos::attestation::TpmChallengeKeyResult& result) {
   if (result.IsSuccess()) {
     std::string encoded_response;
-    base::Base64Encode(result.data, &encoded_response);
+    base::Base64Encode(result.challenge_response, &encoded_response);
     Respond(ArgumentList(
         api_epkp::ChallengeMachineKey::Results::Create(encoded_response)));
   } else {
@@ -169,7 +169,7 @@ void EnterprisePlatformKeysPrivateChallengeUserKeyFunction::OnChallengedKey(
     const chromeos::attestation::TpmChallengeKeyResult& result) {
   if (result.IsSuccess()) {
     std::string encoded_response;
-    base::Base64Encode(result.data, &encoded_response);
+    base::Base64Encode(result.challenge_response, &encoded_response);
     Respond(ArgumentList(
         api_epkp::ChallengeUserKey::Results::Create(encoded_response)));
   } else {

chrome/browser/ui/webui/chromeos/login/saml_challenge_key_handler.cc

@@ -152,7 +152,7 @@ void SamlChallengeKeyHandler::ReturnResult(
   }
 
   std::string encoded_result_data;
-  base::Base64Encode(result.data, &encoded_result_data);
+  base::Base64Encode(result.challenge_response, &encoded_result_data);
 
   js_result.SetKey(kSuccessField, base::Value(result.IsSuccess()));
   js_result.SetKey(kResponseField, base::Value(encoded_result_data));