Skip to content

GitLab

T
tangled
Commit 6f72a978 authored by Michael Ershov's avatar Michael Ershov Committed by Commit Bot
Browse files
Options

Cert Provisioning: Check public key of certificate 

Compare public key inside the certificate and public key from
key pair to make sure that they are the same and certificate
was issued for the expected key pair.

Bug: 1045895
Test: CertProvisioning*
Change-Id: I37a72a8b1c39e424782826f6ba278365af4c4b8a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2246687Reviewed-by: default avatarPavol Marko <pmarko@chromium.org>
Commit-Queue: Michael Ershov <miersh@google.com>
Cr-Commit-Position: refs/heads/master@{#779746}
parent b1c51908
Hide whitespace changes
Inline Side-by-side
Showing with 162 additions and 109 deletions
chrome/browser/chromeos/cert_provisioning/cert_provisioning_worker.cc
View file @ 6f72a978
...@@ -20,6 +20,8 @@ ...@@ -20,6 +20,8 @@
#include "components/policy/core/common/cloud/cloud_policy_client.h" #include "components/policy/core/common/cloud/cloud_policy_client.h"
#include "components/policy/core/common/cloud/device_management_service.h" #include "components/policy/core/common/cloud/device_management_service.h"
#include "content/public/browser/browser_context.h" #include "content/public/browser/browser_context.h"
#include "net/cert/asn1_util.h"
#include "net/cert/x509_util.h"
namespace em = enterprise_management; namespace em = enterprise_management;
...@@ -105,6 +107,19 @@ int GetStateOrderedIndex(CertProvisioningWorkerState state) { ...@@ -105,6 +107,19 @@ int GetStateOrderedIndex(CertProvisioningWorkerState state) {
return res; return res;
} }
bool CheckPublicKeyInCertificate(
const scoped_refptr<net::X509Certificate>& cert,
const std::string& public_key) {
base::StringPiece spki_from_cert;
if (!net::asn1::ExtractSPKIFromDERCert(
net::x509_util::CryptoBufferAsStringPiece(cert->cert_buffer()),
&spki_from_cert)) {
return false;
}
return (public_key == spki_from_cert);
}
} // namespace } // namespace
// ============= CertProvisioningWorkerFactory ================================= // ============= CertProvisioningWorkerFactory =================================
...@@ -568,6 +583,12 @@ void CertProvisioningWorkerImpl::ImportCert( ...@@ -568,6 +583,12 @@ void CertProvisioningWorkerImpl::ImportCert(
return; return;
} }
if (!CheckPublicKeyInCertificate(cert, public_key_)) {
LOG(ERROR) << "Downloaded certificate does not match the expected key pair";
UpdateState(CertProvisioningWorkerState::kFailed);
return;
}
platform_keys_service_->ImportCertificate( platform_keys_service_->ImportCertificate(
GetPlatformKeysTokenId(cert_scope_), cert, GetPlatformKeysTokenId(cert_scope_), cert,
base::BindRepeating(&CertProvisioningWorkerImpl::OnImportCertDone, base::BindRepeating(&CertProvisioningWorkerImpl::OnImportCertDone,
......
chrome/browser/chromeos/cert_provisioning/cert_provisioning_worker_unittest.cc
View file @ 6f72a978
...@@ -4,9 +4,11 @@ ...@@ -4,9 +4,11 @@
#include "chrome/browser/chromeos/cert_provisioning/cert_provisioning_worker.h" #include "chrome/browser/chromeos/cert_provisioning/cert_provisioning_worker.h"
#include "base/base64.h"
#include "base/callback.h" #include "base/callback.h"
#include "base/json/json_string_value_serializer.h" #include "base/json/json_string_value_serializer.h"
#include "base/json/json_writer.h" #include "base/json/json_writer.h"
#include "base/strings/stringprintf.h"
#include "base/test/gmock_callback_support.h" #include "base/test/gmock_callback_support.h"
#include "base/test/metrics/histogram_tester.h" #include "base/test/metrics/histogram_tester.h"
#include "base/test/values_test_util.h" #include "base/test/values_test_util.h"
...@@ -63,12 +65,23 @@ sDkn58N5eWm+hZADOAKROHR47j85VcsmYGK7z2x479YzsyWyOm0dbACXv7/HvFkz ...@@ -63,12 +65,23 @@ sDkn58N5eWm+hZADOAKROHR47j85VcsmYGK7z2x479YzsyWyOm0dbACXv7/HvFkz
mMhGDBfgEskdbM+0agsZrJupoQMBUbD5gflcJlW3kwlboi3dTtiGixfYWw== mMhGDBfgEskdbM+0agsZrJupoQMBUbD5gflcJlW3kwlboi3dTtiGixfYWw==
-----END CERTIFICATE-----)"; -----END CERTIFICATE-----)";
// Extracted from the certificate using the command:
// openssl x509 -pubkey -noout -in cert.pem
// and reformatted as a single line.
const char kPublicKeyBase64[] =
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1na7r6WiaL5slsyHI7bEpP5ad9ffsz"
"T0mBi8yc03hJpxaA3/2/"
"PX7esUdTSGoZr1XVBxjjJc4AypzZKlsPqYKZ+lPHZPpXlp8JVHn8w8+"
"zmPKl319vVYdJv5AE0HOuJZ6a19fXxItgzoB+"
"oXgkA0mhyPygJwF3HMJfJHRrkxJ73c23R6kKvKTxqRKswvzTo5O5AzZFLdCe+"
"GVTJuPo4VToGd+ZhS7QvsY38nAYG57fMnzzs5jjMF042AzzWiMt9gGbeuqCE6LXqFuSJYPo+"
"TLaN7pwQx68PK5pd/lv58B7jjxCIAai0BX1rV6bl/Am3EukhTSuIcQiTr5c1G4E6bKwIDAQAB";
const char kCertProfileId[] = "cert_profile_1"; const char kCertProfileId[] = "cert_profile_1";
const char kCertProfileVersion[] = "cert_profile_version_1"; const char kCertProfileVersion[] = "cert_profile_version_1";
// Prefix + certificate profile name. // Prefix + certificate profile name.
const char kCertScopeStrUser[] = "google/chromeos/user"; const char kCertScopeStrUser[] = "google/chromeos/user";
const char kCertScopeStrDevice[] = "google/chromeos/device"; const char kCertScopeStrDevice[] = "google/chromeos/device";
const char kPublicKey[] = "fake_public_key_1";
const char kInvalidationTopic[] = "fake_invalidation_topic_1"; const char kInvalidationTopic[] = "fake_invalidation_topic_1";
const char kDataToSign[] = "fake_data_to_sign_1"; const char kDataToSign[] = "fake_data_to_sign_1";
const em::HashingAlgorithm kProtoHashAlgo = em::HashingAlgorithm::SHA256; const em::HashingAlgorithm kProtoHashAlgo = em::HashingAlgorithm::SHA256;
...@@ -78,18 +91,26 @@ const char kChallenge[] = "fake_va_challenge_1"; ...@@ -78,18 +91,26 @@ const char kChallenge[] = "fake_va_challenge_1";
const char kChallengeResponse[] = "fake_va_challenge_response_1"; const char kChallengeResponse[] = "fake_va_challenge_response_1";
const char kSignature[] = "fake_signature_1"; const char kSignature[] = "fake_signature_1";
const std::string& GetPublicKey() {
static std::string public_key;
if (public_key.empty()) {
base::Base64Decode(kPublicKeyBase64, &public_key);
}
return public_key;
}
// Using macros to reduce boilerplate code, but keep real line numbers in // Using macros to reduce boilerplate code, but keep real line numbers in
// error messages in case of expectation failure. They use some of protected // error messages in case of expectation failure. They use some of protected
// fields of CertProvisioningWorkerTest class and may be considered as extra // fields of CertProvisioningWorkerTest class and may be considered as extra
// methods of it. *_OK macros immediately call callbacks with some successful // methods of it. *_OK macros immediately call callbacks with some successful
// results. *_NO_OP doesn't call callbacks. // results. *_NO_OP doesn't call callbacks.
#define EXPECT_PREPARE_KEY_OK(MOCK_TPM_CHALLENGE_KEY, PREPARE_KEY_FUNC) \ #define EXPECT_PREPARE_KEY_OK(MOCK_TPM_CHALLENGE_KEY, PREPARE_KEY_FUNC) \
{ \ { \
auto public_key_result = \ auto public_key_result = \
attestation::TpmChallengeKeyResult::MakePublicKey(kPublicKey); \ attestation::TpmChallengeKeyResult::MakePublicKey(GetPublicKey()); \
EXPECT_CALL((MOCK_TPM_CHALLENGE_KEY), PREPARE_KEY_FUNC) \ EXPECT_CALL((MOCK_TPM_CHALLENGE_KEY), PREPARE_KEY_FUNC) \
.Times(1) \ .Times(1) \
.WillOnce(RunOnceCallback<4>(public_key_result)); \ .WillOnce(RunOnceCallback<4>(public_key_result)); \
} }
#define EXPECT_SIGN_CHALLENGE_OK(MOCK_TPM_CHALLENGE_KEY, SIGN_CHALLENGE_FUNC) \ #define EXPECT_SIGN_CHALLENGE_OK(MOCK_TPM_CHALLENGE_KEY, SIGN_CHALLENGE_FUNC) \
...@@ -401,7 +422,7 @@ TEST_F(CertProvisioningWorkerTest, Success) { ...@@ -401,7 +422,7 @@ TEST_F(CertProvisioningWorkerTest, Success) {
/*callback=*/_)); /*callback=*/_));
EXPECT_START_CSR_OK(ClientCertProvisioningStartCsr( EXPECT_START_CSR_OK(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
EXPECT_CALL(*mock_invalidator, Register(kInvalidationTopic, _)).Times(1); EXPECT_CALL(*mock_invalidator, Register(kInvalidationTopic, _)).Times(1);
...@@ -414,20 +435,20 @@ TEST_F(CertProvisioningWorkerTest, Success) { ...@@ -414,20 +435,20 @@ TEST_F(CertProvisioningWorkerTest, Success) {
EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep); EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey( EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
platform_keys::kTokenIdUser, kPublicKey, platform_keys::kTokenIdUser, GetPublicKey(),
platform_keys::KeyAttributeType::CertificateProvisioningId, platform_keys::KeyAttributeType::CertificateProvisioningId,
kCertProfileId, _)); kCertProfileId, _));
EXPECT_SIGN_RSAPKC1_DIGEST_OK( EXPECT_SIGN_RSAPKC1_DIGEST_OK(
SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign, kPublicKey, SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign,
kPkHashAlgo, /*callback=*/_)); GetPublicKey(), kPkHashAlgo, /*callback=*/_));
EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr( EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
kChallengeResponse, kSignature, /*callback=*/_)); kChallengeResponse, kSignature, /*callback=*/_));
EXPECT_DOWNLOAD_CERT_OK(ClientCertProvisioningDownloadCert( EXPECT_DOWNLOAD_CERT_OK(ClientCertProvisioningDownloadCert(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate( EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate(
...@@ -477,26 +498,26 @@ TEST_F(CertProvisioningWorkerTest, NoVaSuccess) { ...@@ -477,26 +498,26 @@ TEST_F(CertProvisioningWorkerTest, NoVaSuccess) {
/*callback=*/_)); /*callback=*/_));
EXPECT_START_CSR_OK_WITHOUT_VA(ClientCertProvisioningStartCsr( EXPECT_START_CSR_OK_WITHOUT_VA(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep); EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey( EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
platform_keys::kTokenIdUser, kPublicKey, platform_keys::kTokenIdUser, GetPublicKey(),
platform_keys::KeyAttributeType::CertificateProvisioningId, platform_keys::KeyAttributeType::CertificateProvisioningId,
kCertProfileId, _)); kCertProfileId, _));
EXPECT_SIGN_RSAPKC1_DIGEST_OK( EXPECT_SIGN_RSAPKC1_DIGEST_OK(
SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign, kPublicKey, SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign,
kPkHashAlgo, /*callback=*/_)); GetPublicKey(), kPkHashAlgo, /*callback=*/_));
EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr( EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*va_challenge_response=*/"", kSignature, /*callback=*/_)); /*va_challenge_response=*/"", kSignature, /*callback=*/_));
EXPECT_DOWNLOAD_CERT_OK(ClientCertProvisioningDownloadCert( EXPECT_DOWNLOAD_CERT_OK(ClientCertProvisioningDownloadCert(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate( EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate(
...@@ -533,7 +554,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) { ...@@ -533,7 +554,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) {
EXPECT_START_CSR_TRY_LATER( EXPECT_START_CSR_TRY_LATER(
ClientCertProvisioningStartCsr(kCertScopeStrDevice, kCertProfileId, ClientCertProvisioningStartCsr(kCertScopeStrDevice, kCertProfileId,
kCertProfileVersion, kPublicKey, kCertProfileVersion, GetPublicKey(),
/*callback=*/_), /*callback=*/_),
delay.InMilliseconds()); delay.InMilliseconds());
...@@ -545,9 +566,10 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) { ...@@ -545,9 +566,10 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) {
{ {
testing::InSequence seq; testing::InSequence seq;
EXPECT_START_CSR_OK(ClientCertProvisioningStartCsr( EXPECT_START_CSR_OK(
kCertScopeStrDevice, kCertProfileId, kCertProfileVersion, kPublicKey, ClientCertProvisioningStartCsr(kCertScopeStrDevice, kCertProfileId,
/*callback=*/_)); kCertProfileVersion, GetPublicKey(),
/*callback=*/_));
EXPECT_SIGN_CHALLENGE_OK( EXPECT_SIGN_CHALLENGE_OK(
*mock_tpm_challenge_key, *mock_tpm_challenge_key,
...@@ -557,7 +579,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) { ...@@ -557,7 +579,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) {
EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep); EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey( EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
platform_keys::kTokenIdSystem, kPublicKey, platform_keys::kTokenIdSystem, GetPublicKey(),
platform_keys::KeyAttributeType::CertificateProvisioningId, platform_keys::KeyAttributeType::CertificateProvisioningId,
kCertProfileId, _)); kCertProfileId, _));
...@@ -566,7 +588,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) { ...@@ -566,7 +588,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) {
EXPECT_FINISH_CSR_TRY_LATER( EXPECT_FINISH_CSR_TRY_LATER(
ClientCertProvisioningFinishCsr( ClientCertProvisioningFinishCsr(
kCertScopeStrDevice, kCertProfileId, kCertProfileVersion, kCertScopeStrDevice, kCertProfileId, kCertProfileVersion,
kPublicKey, kChallengeResponse, kSignature, /*callback=*/_), GetPublicKey(), kChallengeResponse, kSignature, /*callback=*/_),
delay.InMilliseconds()); delay.InMilliseconds());
worker.DoStep(); worker.DoStep();
...@@ -577,12 +599,12 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) { ...@@ -577,12 +599,12 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) {
testing::InSequence seq; testing::InSequence seq;
EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr( EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr(
kCertScopeStrDevice, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrDevice, kCertProfileId, kCertProfileVersion,
kChallengeResponse, kSignature, /*callback=*/_)); GetPublicKey(), kChallengeResponse, kSignature, /*callback=*/_));
EXPECT_DOWNLOAD_CERT_TRY_LATER( EXPECT_DOWNLOAD_CERT_TRY_LATER(
ClientCertProvisioningDownloadCert(kCertScopeStrDevice, kCertProfileId, ClientCertProvisioningDownloadCert(kCertScopeStrDevice, kCertProfileId,
kCertProfileVersion, kPublicKey, kCertProfileVersion, GetPublicKey(),
/*callback=*/_), /*callback=*/_),
delay.InMilliseconds()); delay.InMilliseconds());
...@@ -594,9 +616,10 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) { ...@@ -594,9 +616,10 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) {
{ {
testing::InSequence seq; testing::InSequence seq;
EXPECT_DOWNLOAD_CERT_OK(ClientCertProvisioningDownloadCert( EXPECT_DOWNLOAD_CERT_OK(
kCertScopeStrDevice, kCertProfileId, kCertProfileVersion, kPublicKey, ClientCertProvisioningDownloadCert(kCertScopeStrDevice, kCertProfileId,
/*callback=*/_)); kCertProfileVersion, GetPublicKey(),
/*callback=*/_));
EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate( EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate(
platform_keys::kTokenIdSystem, /*certificate=*/_, /*callback=*/_)); platform_keys::kTokenIdSystem, /*certificate=*/_, /*callback=*/_));
...@@ -638,7 +661,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) { ...@@ -638,7 +661,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) {
EXPECT_START_CSR_TRY_LATER( EXPECT_START_CSR_TRY_LATER(
ClientCertProvisioningStartCsr(kCertScopeStrUser, kCertProfileId, ClientCertProvisioningStartCsr(kCertScopeStrUser, kCertProfileId,
kCertProfileVersion, kPublicKey, kCertProfileVersion, GetPublicKey(),
/*callback=*/_), /*callback=*/_),
start_csr_delay.InMilliseconds()); start_csr_delay.InMilliseconds());
...@@ -651,7 +674,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) { ...@@ -651,7 +674,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) {
testing::InSequence seq; testing::InSequence seq;
EXPECT_START_CSR_OK(ClientCertProvisioningStartCsr( EXPECT_START_CSR_OK(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
EXPECT_SIGN_CHALLENGE_OK( EXPECT_SIGN_CHALLENGE_OK(
...@@ -662,18 +685,18 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) { ...@@ -662,18 +685,18 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) {
EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep); EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey( EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
platform_keys::kTokenIdUser, kPublicKey, platform_keys::kTokenIdUser, GetPublicKey(),
platform_keys::KeyAttributeType::CertificateProvisioningId, platform_keys::KeyAttributeType::CertificateProvisioningId,
kCertProfileId, _)); kCertProfileId, _));
EXPECT_SIGN_RSAPKC1_DIGEST_OK( EXPECT_SIGN_RSAPKC1_DIGEST_OK(
SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign, kPublicKey, SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign,
kPkHashAlgo, /*callback=*/_)); GetPublicKey(), kPkHashAlgo, /*callback=*/_));
EXPECT_FINISH_CSR_TRY_LATER( EXPECT_FINISH_CSR_TRY_LATER(
ClientCertProvisioningFinishCsr( ClientCertProvisioningFinishCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion,
kChallengeResponse, kSignature, /*callback=*/_), GetPublicKey(), kChallengeResponse, kSignature, /*callback=*/_),
finish_csr_delay.InMilliseconds()); finish_csr_delay.InMilliseconds());
FastForwardBy(start_csr_delay + small_delay); FastForwardBy(start_csr_delay + small_delay);
...@@ -684,12 +707,12 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) { ...@@ -684,12 +707,12 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) {
testing::InSequence seq; testing::InSequence seq;
EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr( EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
kChallengeResponse, kSignature, /*callback=*/_)); kChallengeResponse, kSignature, /*callback=*/_));
EXPECT_DOWNLOAD_CERT_TRY_LATER( EXPECT_DOWNLOAD_CERT_TRY_LATER(
ClientCertProvisioningDownloadCert(kCertScopeStrUser, kCertProfileId, ClientCertProvisioningDownloadCert(kCertScopeStrUser, kCertProfileId,
kCertProfileVersion, kPublicKey, kCertProfileVersion, GetPublicKey(),
/*callback=*/_), /*callback=*/_),
download_cert_server_delay.InMilliseconds()); download_cert_server_delay.InMilliseconds());
...@@ -741,7 +764,7 @@ TEST_F(CertProvisioningWorkerTest, StatusErrorHandling) { ...@@ -741,7 +764,7 @@ TEST_F(CertProvisioningWorkerTest, StatusErrorHandling) {
/*callback=*/_)); /*callback=*/_));
EXPECT_START_CSR_INVALID_REQUEST(ClientCertProvisioningStartCsr( EXPECT_START_CSR_INVALID_REQUEST(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
EXPECT_CALL( EXPECT_CALL(
...@@ -865,7 +888,7 @@ TEST_F(CertProvisioningWorkerTest, BackoffStrategy) { ...@@ -865,7 +888,7 @@ TEST_F(CertProvisioningWorkerTest, BackoffStrategy) {
/*callback=*/_)); /*callback=*/_));
EXPECT_START_CSR_TEMPORARY_UNAVAILABLE(ClientCertProvisioningStartCsr( EXPECT_START_CSR_TEMPORARY_UNAVAILABLE(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
worker.DoStep(); worker.DoStep();
} }
...@@ -874,7 +897,7 @@ TEST_F(CertProvisioningWorkerTest, BackoffStrategy) { ...@@ -874,7 +897,7 @@ TEST_F(CertProvisioningWorkerTest, BackoffStrategy) {
{ {
EXPECT_START_CSR_TEMPORARY_UNAVAILABLE(ClientCertProvisioningStartCsr( EXPECT_START_CSR_TEMPORARY_UNAVAILABLE(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
FastForwardBy(next_delay + small_delay * 10); FastForwardBy(next_delay + small_delay * 10);
next_delay *= 2; next_delay *= 2;
...@@ -884,7 +907,7 @@ TEST_F(CertProvisioningWorkerTest, BackoffStrategy) { ...@@ -884,7 +907,7 @@ TEST_F(CertProvisioningWorkerTest, BackoffStrategy) {
{ {
EXPECT_START_CSR_TEMPORARY_UNAVAILABLE(ClientCertProvisioningStartCsr( EXPECT_START_CSR_TEMPORARY_UNAVAILABLE(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
FastForwardBy(next_delay + small_delay * 10); FastForwardBy(next_delay + small_delay * 10);
next_delay *= 2; next_delay *= 2;
...@@ -894,7 +917,7 @@ TEST_F(CertProvisioningWorkerTest, BackoffStrategy) { ...@@ -894,7 +917,7 @@ TEST_F(CertProvisioningWorkerTest, BackoffStrategy) {
{ {
EXPECT_START_CSR_TEMPORARY_UNAVAILABLE(ClientCertProvisioningStartCsr( EXPECT_START_CSR_TEMPORARY_UNAVAILABLE(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
FastForwardBy(next_delay + small_delay); FastForwardBy(next_delay + small_delay);
next_delay *= 2; next_delay *= 2;
...@@ -924,7 +947,7 @@ TEST_F(CertProvisioningWorkerTest, RemoveRegisteredKey) { ...@@ -924,7 +947,7 @@ TEST_F(CertProvisioningWorkerTest, RemoveRegisteredKey) {
/*callback=*/_)); /*callback=*/_));
EXPECT_START_CSR_OK(ClientCertProvisioningStartCsr( EXPECT_START_CSR_OK(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
EXPECT_CALL(*mock_invalidator, Register(kInvalidationTopic, _)).Times(1); EXPECT_CALL(*mock_invalidator, Register(kInvalidationTopic, _)).Times(1);
...@@ -937,15 +960,16 @@ TEST_F(CertProvisioningWorkerTest, RemoveRegisteredKey) { ...@@ -937,15 +960,16 @@ TEST_F(CertProvisioningWorkerTest, RemoveRegisteredKey) {
EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep); EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
EXPECT_SET_ATTRIBUTE_FOR_KEY_FAIL(SetAttributeForKey( EXPECT_SET_ATTRIBUTE_FOR_KEY_FAIL(SetAttributeForKey(
platform_keys::kTokenIdUser, kPublicKey, platform_keys::kTokenIdUser, GetPublicKey(),
platform_keys::KeyAttributeType::CertificateProvisioningId, platform_keys::KeyAttributeType::CertificateProvisioningId,
kCertProfileId, _)); kCertProfileId, _));
EXPECT_CALL(*mock_invalidator, Unregister()).Times(1); EXPECT_CALL(*mock_invalidator, Unregister()).Times(1);
EXPECT_CALL(*platform_keys_service_, EXPECT_CALL(
RemoveKey(platform_keys::kTokenIdUser, *platform_keys_service_,
/*public_key_spki_der=*/kPublicKey, /*callback=*/_)) RemoveKey(platform_keys::kTokenIdUser,
/*public_key_spki_der=*/GetPublicKey(), /*callback=*/_))
.Times(1) .Times(1)
.WillOnce(RunOnceCallback<2>(/*error_message=*/"")); .WillOnce(RunOnceCallback<2>(/*error_message=*/""));
...@@ -1019,22 +1043,24 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) { ...@@ -1019,22 +1043,24 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) {
/*profile=*/_, /*key_name_for_spkac=*/"", /*profile=*/_, /*key_name_for_spkac=*/"",
/*callback=*/_)); /*callback=*/_));
pref_val = ParseJson(R"({ pref_val = ParseJson(base::StringPrintf(
"cert_profile_1": { R"({
"cert_profile": { "cert_profile_1": {
"policy_version": "cert_profile_version_1", "cert_profile": {
"profile_id": "cert_profile_1" "policy_version": "cert_profile_version_1",
}, "profile_id": "cert_profile_1"
"cert_scope": 0, },
"invalidation_topic": "", "cert_scope": 0,
"public_key": "ZmFrZV9wdWJsaWNfa2V5XzE=", "invalidation_topic": "",
"state": 1 "public_key": "%s",
} "state": 1
})"); }
})",
kPublicKeyBase64));
EXPECT_CALL(pref_observer, OnPrefValueUpdated(IsJson(pref_val))).Times(1); EXPECT_CALL(pref_observer, OnPrefValueUpdated(IsJson(pref_val))).Times(1);
EXPECT_START_CSR_NO_OP(ClientCertProvisioningStartCsr( EXPECT_START_CSR_NO_OP(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
worker->DoStep(); worker->DoStep();
...@@ -1064,7 +1090,7 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) { ...@@ -1064,7 +1090,7 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) {
testing::InSequence seq; testing::InSequence seq;
EXPECT_START_CSR_OK(ClientCertProvisioningStartCsr( EXPECT_START_CSR_OK(ClientCertProvisioningStartCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
pref_val = ParseJson("{}"); pref_val = ParseJson("{}");
...@@ -1080,34 +1106,36 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) { ...@@ -1080,34 +1106,36 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) {
EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep); EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey( EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
platform_keys::kTokenIdUser, kPublicKey, platform_keys::kTokenIdUser, GetPublicKey(),
platform_keys::KeyAttributeType::CertificateProvisioningId, platform_keys::KeyAttributeType::CertificateProvisioningId,
kCertProfileId, _)); kCertProfileId, _));
EXPECT_SIGN_RSAPKC1_DIGEST_OK( EXPECT_SIGN_RSAPKC1_DIGEST_OK(
SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign, kPublicKey, SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign,
kPkHashAlgo, /*callback=*/_)); GetPublicKey(), kPkHashAlgo, /*callback=*/_));
EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr( EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
kChallengeResponse, kSignature, /*callback=*/_)); kChallengeResponse, kSignature, /*callback=*/_));
pref_val = ParseJson(R"({ pref_val = ParseJson(base::StringPrintf(
"cert_profile_1": { R"({
"cert_profile": { "cert_profile_1": {
"policy_version": "cert_profile_version_1", "cert_profile": {
"profile_id": "cert_profile_1" "policy_version": "cert_profile_version_1",
}, "profile_id": "cert_profile_1"
"cert_scope": 0, },
"invalidation_topic": "fake_invalidation_topic_1", "cert_scope": 0,
"public_key": "ZmFrZV9wdWJsaWNfa2V5XzE=", "invalidation_topic": "fake_invalidation_topic_1",
"state": 7 "public_key": "%s",
} "state": 7
})"); }
})",
kPublicKeyBase64));
EXPECT_CALL(pref_observer, OnPrefValueUpdated(IsJson(pref_val))).Times(1); EXPECT_CALL(pref_observer, OnPrefValueUpdated(IsJson(pref_val))).Times(1);
EXPECT_DOWNLOAD_CERT_NO_OP(ClientCertProvisioningDownloadCert( EXPECT_DOWNLOAD_CERT_NO_OP(ClientCertProvisioningDownloadCert(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
worker->DoStep(); worker->DoStep();
...@@ -1138,7 +1166,7 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) { ...@@ -1138,7 +1166,7 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) {
testing::InSequence seq; testing::InSequence seq;
EXPECT_DOWNLOAD_CERT_OK(ClientCertProvisioningDownloadCert( EXPECT_DOWNLOAD_CERT_OK(ClientCertProvisioningDownloadCert(
kCertScopeStrUser, kCertProfileId, kCertProfileVersion, kPublicKey, kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
/*callback=*/_)); /*callback=*/_));
EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate( EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate(
...@@ -1178,18 +1206,20 @@ TEST_F(CertProvisioningWorkerTest, SerializationOnFailure) { ...@@ -1178,18 +1206,20 @@ TEST_F(CertProvisioningWorkerTest, SerializationOnFailure) {
/*profile=*/_, /*key_name_for_spkac=*/"", /*profile=*/_, /*key_name_for_spkac=*/"",
/*callback=*/_)); /*callback=*/_));
pref_val = ParseJson(R"({ pref_val = ParseJson(base::StringPrintf(
"cert_profile_1": { R"({
"cert_profile": { "cert_profile_1": {
"policy_version": "cert_profile_version_1", "cert_profile": {
"profile_id": "cert_profile_1" "policy_version": "cert_profile_version_1",
}, "profile_id": "cert_profile_1"
"cert_scope": 0, },
"invalidation_topic": "", "cert_scope": 0,
"public_key": "ZmFrZV9wdWJsaWNfa2V5XzE=", "invalidation_topic": "",
"state": 1 "public_key": "%s",
} "state": 1
})"); }
})",
kPublicKeyBase64));
EXPECT_CALL(pref_observer, OnPrefValueUpdated(IsJson(pref_val))).Times(1); EXPECT_CALL(pref_observer, OnPrefValueUpdated(IsJson(pref_val))).Times(1);
EXPECT_START_CSR_CA_ERROR(ClientCertProvisioningStartCsr); EXPECT_START_CSR_CA_ERROR(ClientCertProvisioningStartCsr);
...@@ -1234,7 +1264,7 @@ TEST_F(CertProvisioningWorkerTest, InformationalGetters) { ...@@ -1234,7 +1264,7 @@ TEST_F(CertProvisioningWorkerTest, InformationalGetters) {
EXPECT_EQ(worker.GetPreviousState(), EXPECT_EQ(worker.GetPreviousState(),
CertProvisioningWorkerState::kInitState); CertProvisioningWorkerState::kInitState);
EXPECT_EQ(worker.GetCertProfile(), cert_profile); EXPECT_EQ(worker.GetCertProfile(), cert_profile);
EXPECT_EQ(worker.GetPublicKey(), kPublicKey); EXPECT_EQ(worker.GetPublicKey(), GetPublicKey());
} }
{ {
...@@ -1259,7 +1289,7 @@ TEST_F(CertProvisioningWorkerTest, InformationalGetters) { ...@@ -1259,7 +1289,7 @@ TEST_F(CertProvisioningWorkerTest, InformationalGetters) {
EXPECT_EQ(worker.GetPreviousState(), EXPECT_EQ(worker.GetPreviousState(),
CertProvisioningWorkerState::kKeypairGenerated); CertProvisioningWorkerState::kKeypairGenerated);
EXPECT_EQ(worker.GetCertProfile(), cert_profile); EXPECT_EQ(worker.GetCertProfile(), cert_profile);
EXPECT_EQ(worker.GetPublicKey(), kPublicKey); EXPECT_EQ(worker.GetPublicKey(), GetPublicKey());
} }
} }
...@@ -1291,18 +1321,20 @@ TEST_F(CertProvisioningWorkerTest, CancelDeviceWorker) { ...@@ -1291,18 +1321,20 @@ TEST_F(CertProvisioningWorkerTest, CancelDeviceWorker) {
/*key_name_for_spkac=*/GetKeyName(kCertProfileId), /*key_name_for_spkac=*/GetKeyName(kCertProfileId),
/*callback=*/_)); /*callback=*/_));
pref_val = ParseJson(R"({ pref_val = ParseJson(base::StringPrintf(
"cert_profile_1": { R"({
"cert_profile": { "cert_profile_1": {
"policy_version": "cert_profile_version_1", "cert_profile": {
"profile_id": "cert_profile_1" "policy_version": "cert_profile_version_1",
}, "profile_id": "cert_profile_1"
"cert_scope": 1, },
"invalidation_topic": "", "cert_scope": 1,
"public_key": "ZmFrZV9wdWJsaWNfa2V5XzE=", "invalidation_topic": "",
"state": 1 "public_key": "%s",
} "state": 1
})"); }
})",
kPublicKeyBase64));
EXPECT_CALL(pref_observer, OnPrefValueUpdated(IsJson(pref_val))).Times(1); EXPECT_CALL(pref_observer, OnPrefValueUpdated(IsJson(pref_val))).Times(1);
EXPECT_START_CSR_NO_OP(ClientCertProvisioningStartCsr); EXPECT_START_CSR_NO_OP(ClientCertProvisioningStartCsr);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment