PlatformKeysService functions for built-in certificate provisioning

This CL extends PlatformKeysService by introducing the following new functions: - RemoveKey This function will be used to remove the key pair corresponding to a given DER-encoded SubjectPublicKeyInfo. - GetAttributeForKey This function retrieves the value of an attribute for a private key corresponding to a provided DER-encoded public key. - SetAttributeForKey This function sets the value of an attribute for a private key corresponding to a provided DER-encoded public key. This is not planned to be exposed as an actual extension API. Instead, the functions are implemented mainly to be used by another component (built-in cert_provisioning). Bug: 1045895 Test: browser_tests --gtest_filter= *PlatformKeys* Change-Id: I8797e690487b866c80377aafce615546afd8f54d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2151868Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Omar Morsi <omorsi@google.com> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Pavol Marko <pmarko@chromium.org> Reviewed-by: Michael Ershov <miersh@google.com> Commit-Queue: Omar Morsi <omorsi@google.com> Cr-Commit-Position: refs/heads/master@{#762796}

PlatformKeysService functions for built-in certificate provisioning
This CL extends PlatformKeysService by introducing the following new functions: - RemoveKey This function will be used to remove the key pair corresponding to a given DER-encoded SubjectPublicKeyInfo. - GetAttributeForKey This function retrieves the value of an attribute for a private key corresponding to a provided DER-encoded public key. - SetAttributeForKey This function sets the value of an attribute for a private key corresponding to a provided DER-encoded public key. This is not planned to be exposed as an actual extension API. Instead, the functions are implemented mainly to be used by another component (built-in cert_provisioning). Bug: 1045895 Test: browser_tests --gtest_filter= *PlatformKeys* Change-Id: I8797e690487b866c80377aafce615546afd8f54d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2151868Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Omar Morsi <omorsi@google.com> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Pavol Marko <pmarko@chromium.org> Reviewed-by: Michael Ershov <miersh@google.com> Commit-Queue: Omar Morsi <omorsi@google.com> Cr-Commit-Position: refs/heads/master@{#762796}
86042f0a · Omar Morsi · Commit Bot · c714a458 · 86042f0a · 86042f0a
Commit 86042f0a authored Apr 27, 2020 by Omar Morsi Committed by Commit Bot Apr 27, 2020
4 changed files
--- a/chrome/browser/chromeos/platform_keys/mock_platform_keys_service.h
+++ b/chrome/browser/chromeos/platform_keys/mock_platform_keys_service.h
@@ -92,6 +92,13 @@ class MockPlatformKeysService : public PlatformKeysService {
               const RemoveCertificateCallback& callback),
              (override));

+  MOCK_METHOD(void,
+              RemoveKey,
+              (const std::string& token_id,
+               const std::string& public_key_spki_der,
+               RemoveKeyCallback callback),
+              (override));
+
  MOCK_METHOD(void, GetTokens, (const GetTokensCallback& callback), (override));

  MOCK_METHOD(void,
@@ -99,6 +106,28 @@ class MockPlatformKeysService : public PlatformKeysService {
              (const std::string& public_key_spki_der,
               const GetKeyLocationsCallback& callback),
              (override));
+
+  MOCK_METHOD(void,
+              SetAttributeForKey,
+              (const std::string& token_id,
+               const std::string& public_key_spki_der,
+               KeyAttributeType attribute_type,
+               const std::string& attribute_value,
+               SetAttributeForKeyCallback callback),
+              (override));
+
+  MOCK_METHOD(void,
+              GetAttributeForKey,
+              (const std::string& token_id,
+               const std::string& public_key_spki_der,
+               KeyAttributeType attribute_type,
+               GetAttributeForKeyCallback callback),
+              (override));
+
+  MOCK_METHOD(void,
+              SetMapToSoftokenAttrsForTesting,
+              (bool map_to_softoken_attrs_for_testing),
+              (override));
 };

 std::unique_ptr<KeyedService> BuildMockPlatformKeysService(

--- a/chrome/browser/chromeos/platform_keys/platform_keys_service.h
+++ b/chrome/browser/chromeos/platform_keys/platform_keys_service.h
@@ -36,6 +36,9 @@ extern const char kTokenIdSystem[];
 // Supported key types.
 enum class KeyType { kRsassaPkcs1V15, kEcdsa };

+// Supported key attribute types.
+enum class KeyAttributeType { CertificateProvisioningId };
+
 // Supported hash algorithms.
 enum HashAlgorithm {
  HASH_ALGORITHM_NONE,  // The value if no hash function is selected.
@@ -126,6 +129,11 @@ using ImportCertificateCallback =
 using RemoveCertificateCallback =
    base::Callback<void(const std::string& error_message)>;

+// If the the key pair has been successfully removed, |error_message| will be
+// empty. If an error occurs, |error_message| will be set to the error message.
+using RemoveKeyCallback =
+    base::OnceCallback<void(const std::string& error_message)>;
+
 // If the list of available tokens could be successfully retrieved, |token_ids|
 // will contain the token ids. If an error occurs, |token_ids| will be nullptr
 // and |error_message| will be set to an error message.
@@ -149,9 +157,24 @@ using GetKeyLocationsCallback =
    base::RepeatingCallback<void(const std::vector<std::string>& token_ids,
                                 const std::string& error_message)>;

+// If the attribute value has been successfully set, |error_message| will be
+// empty.
+// If an error occurs, |error_message| will be set to the error message.
+using SetAttributeForKeyCallback =
+    base::OnceCallback<void(const std::string& error_message)>;
+
+// If the attribute value has been successfully retrieved, |attribute_value|
+// will contain the result and |error_message| will be empty.
+// If an error occurs, |attribute_value| will be empty and |error_message| will
+// be set to the error message.
+using GetAttributeForKeyCallback =
+    base::OnceCallback<void(const std::string& attribute_value,
+                            const std::string& error_message)>;
+
 // Functions of this class shouldn't be called directly from the context of
 // an extension. Instead use ExtensionPlatformKeysService which enforces
 // restrictions upon extensions.
+// All public methods of this class should be called on the UI thread.
 class PlatformKeysService : public KeyedService {
 public:
  PlatformKeysService() = default;
@@ -225,7 +248,7 @@ class PlatformKeysService : public KeyedService {
  // Returns the list of all keys available from the given |token_id| as a list
  // of der-encoded SubjectPublicKeyInfo strings. |callback| will be invoked on
  // the UI thread with the list of available public keys, possibly with an
-  // error message. Must be called on the UI thread.
+  // error message.
  virtual void GetAllKeys(const std::string& token_id,
                          GetAllKeysCallback callback) = 0;

@@ -250,17 +273,54 @@ class PlatformKeysService : public KeyedService {
      const scoped_refptr<net::X509Certificate>& certificate,
      const RemoveCertificateCallback& callback) = 0;

+  // Removes the key pair if no matching certificates exist. Only keys in the
+  // given |token_id| are considered. |callback| will be invoked on the UI
+  // thread when the removal is finished, possibly with an error message.
+  virtual void RemoveKey(const std::string& token_id,
+                         const std::string& public_key_spki_der,
+                         RemoveKeyCallback callback) = 0;
+
  // Gets the list of available tokens. |callback| will be invoked when the list
  // of available tokens is determined, possibly with an error message.
-  // Must be called and calls |callback| on the UI thread.
+  // Calls |callback| on the UI thread.
  virtual void GetTokens(const GetTokensCallback& callback) = 0;

  // Determines the token(s) on which the private key corresponding to
  // |public_key_spki_der| is stored. |callback| will be invoked when the token
-  // ids are determined, possibly with an error message. Must be called and
-  // calls |callback| on the UI thread.
+  // ids are determined, possibly with an error message. Calls |callback| on the
+  // UI thread.
  virtual void GetKeyLocations(const std::string& public_key_spki_der,
                               const GetKeyLocationsCallback& callback) = 0;
+
+  // Sets |attribute_type| for the private key corresponding to
+  // |public_key_spki_der| to |attribute_value| only if the key is in
+  // |token_id|. |callback| will be invoked on the UI thread when setting the
+  // attribute is done, possibly with an error message.
+  virtual void SetAttributeForKey(const std::string& token_id,
+                                  const std::string& public_key_spki_der,
+                                  KeyAttributeType attribute_type,
+                                  const std::string& attribute_value,
+                                  SetAttributeForKeyCallback callback) = 0;
+
+  // Gets |attribute_type| for the private key corresponding to
+  // |public_key_spki_der| only if the key is in |token_id|.
+  // |callback| will be invoked on the UI thread when getting the attribute
+  // is done, possibly with an error message.
+  virtual void GetAttributeForKey(const std::string& token_id,
+                                  const std::string& public_key_spki_der,
+                                  KeyAttributeType attribute_type,
+                                  GetAttributeForKeyCallback callback) = 0;
+
+  // Softoken NSS PKCS11 module (used for testing) allows only predefined key
+  // attributes to be set and retrieved. Chaps supports setting and retrieving
+  // custom attributes.
+  // If |map_to_softoken_attrs_for_testing| is true, the service will use
+  // fake KeyAttribute mappings predefined in softoken module for testing.
+  // Otherwise, the real mappings to constants in
+  // third_party/cros_system_api/constants/pkcs11_custom_attributes.h will be
+  // used.
+  virtual void SetMapToSoftokenAttrsForTesting(
+      const bool map_to_softoken_attrs_for_testing) = 0;
 };

 class PlatformKeysServiceImpl final : public PlatformKeysService {
@@ -302,12 +362,28 @@ class PlatformKeysServiceImpl final : public PlatformKeysService {
  void RemoveCertificate(const std::string& token_id,
                         const scoped_refptr<net::X509Certificate>& certificate,
                         const RemoveCertificateCallback& callback) override;
+  void RemoveKey(const std::string& token_id,
+                 const std::string& public_key_spki_der,
+                 RemoveKeyCallback callback) override;
  void GetTokens(const GetTokensCallback& callback) override;
  void GetKeyLocations(const std::string& public_key_spki_der,
                       const GetKeyLocationsCallback& callback) override;
+  void SetAttributeForKey(const std::string& token_id,
+                          const std::string& public_key_spki_der,
+                          KeyAttributeType attribute_type,
+                          const std::string& attribute_value,
+                          SetAttributeForKeyCallback callback) override;
+  void GetAttributeForKey(const std::string& token_id,
+                          const std::string& public_key_spki_der,
+                          KeyAttributeType attribute_type,
+                          GetAttributeForKeyCallback callback) override;
+  void SetMapToSoftokenAttrsForTesting(
+      bool map_to_softoken_attrs_for_testing) override;
+  bool IsSetMapToSoftokenAttrsForTesting();

 private:
  content::BrowserContext* const browser_context_;
+  bool map_to_softoken_attrs_for_testing_ = false;
  base::WeakPtrFactory<PlatformKeysServiceImpl> weak_factory_{this};
 };


--- a/chrome/browser/chromeos/platform_keys/platform_keys_service_browsertest.cc
+++ b/chrome/browser/chromeos/platform_keys/platform_keys_service_browsertest.cc
--- a/chrome/browser/chromeos/platform_keys/platform_keys_service_nss.cc
+++ b/chrome/browser/chromeos/platform_keys/platform_keys_service_nss.cc