use AttestationClient to delete attested keys for cert provisioning.

We are deprecating attestation methods by CryptohomeClient.

BUG=b:158955123
TEST=unit_tests.

Change-Id: I901403863794308619bec161354884808988b2f3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2497386Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Michael Ershov <miersh@google.com>
Commit-Queue: Leo Lai <cylai@google.com>
Cr-Commit-Position: refs/heads/master@{#821186}

chrome/browser/chromeos/cert_provisioning/cert_provisioning_common.cc

@@ -15,7 +15,8 @@
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/common/pref_names.h"
 #include "chromeos/cryptohome/cryptohome_parameters.h"
-#include "chromeos/dbus/cryptohome/cryptohome_client.h"
+#include "chromeos/dbus/attestation/attestation_client.h"
+#include "chromeos/dbus/attestation/interface.pb.h"
 #include "components/account_id/account_id.h"
 #include "components/prefs/pref_registry_simple.h"
 
@@ -41,6 +42,35 @@ base::Optional<AccountId> GetAccountId(CertScope scope, Profile* profile) {
 
   NOTREACHED();
 }
+
+// This function implements `DeleteVaKey()` and `DeleteVaKeysByPrefix()`, both
+// of which call this function with a proper match behavior.
+void DeleteVaKeysWithMatchBehavior(
+    CertScope scope,
+    Profile* profile,
+    ::attestation::DeleteKeysRequest::MatchBehavior match_behavior,
+    const std::string& label_match,
+    DeleteVaKeyCallback callback) {
+  auto account_id = GetAccountId(scope, profile);
+  if (!account_id.has_value()) {
+    std::move(callback).Run(false);
+    return;
+  }
+  ::attestation::DeleteKeysRequest request;
+  request.set_username(
+      cryptohome::CreateAccountIdentifierFromAccountId(account_id.value())
+          .account_id());
+  request.set_key_label_match(label_match);
+  request.set_match_behavior(match_behavior);
+
+  auto wrapped_callback = [](DeleteVaKeyCallback cb,
+                             const ::attestation::DeleteKeysReply& reply) {
+    std::move(cb).Run(reply.status() == ::attestation::STATUS_SUCCESS);
+  };
+  AttestationClient::Get()->DeleteKeys(
+      request, base::BindOnce(wrapped_callback, std::move(callback)));
+}
+
 }  // namespace
 
 bool IsFinalState(CertProvisioningWorkerState state) {
@@ -170,14 +200,8 @@ void DeleteVaKey(CertScope scope,
                  Profile* profile,
                  const std::string& key_name,
                  DeleteVaKeyCallback callback) {
-  auto account_id = GetAccountId(scope, profile);
-  if (!account_id.has_value()) {
-    return;
-  }
-
-  CryptohomeClient::Get()->TpmAttestationDeleteKey(
-      GetVaKeyType(scope),
-      cryptohome::CreateAccountIdentifierFromAccountId(account_id.value()),
+  DeleteVaKeysWithMatchBehavior(
+      scope, profile, ::attestation::DeleteKeysRequest::MATCH_BEHAVIOR_EXACT,
       key_name, std::move(callback));
 }
 
@@ -185,14 +209,8 @@ void DeleteVaKeysByPrefix(CertScope scope,
                           Profile* profile,
                           const std::string& key_prefix,
                           DeleteVaKeyCallback callback) {
-  auto account_id = GetAccountId(scope, profile);
-  if (!account_id.has_value()) {
-    return;
-  }
-
-  CryptohomeClient::Get()->TpmAttestationDeleteKeysByPrefix(
-      GetVaKeyType(scope),
-      cryptohome::CreateAccountIdentifierFromAccountId(account_id.value()),
+  DeleteVaKeysWithMatchBehavior(
+      scope, profile, ::attestation::DeleteKeysRequest::MATCH_BEHAVIOR_PREFIX,
       key_prefix, std::move(callback));
 }
 

chrome/browser/chromeos/cert_provisioning/cert_provisioning_common.h

@@ -14,6 +14,7 @@
 #include "base/values.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h"
+#include "chromeos/dbus/attestation/interface.pb.h"
 #include "chromeos/dbus/constants/attestation_constants.h"
 #include "components/policy/proto/device_management_backend.pb.h"
 #include "net/cert/x509_certificate.h"
@@ -30,7 +31,7 @@ class PlatformKeysService;
 namespace cert_provisioning {
 
 // Used for both DeleteVaKey and DeleteVaKeysByPrefix
-using DeleteVaKeyCallback = base::OnceCallback<void(base::Optional<bool>)>;
+using DeleteVaKeyCallback = base::OnceCallback<void(bool)>;
 
 const char kKeyNamePrefix[] = "cert-provis-";
 

chrome/browser/chromeos/cert_provisioning/cert_provisioning_scheduler.cc

@@ -291,10 +291,10 @@ void CertProvisioningSchedulerImpl::CleanVaKeysIfIdle() {
 }
 
 void CertProvisioningSchedulerImpl::OnCleanVaKeysIfIdleDone(
-    base::Optional<bool> delete_result) {
+    bool delete_result) {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
 
-  if (!delete_result.has_value() || !delete_result.value()) {
+  if (!delete_result) {
     LOG(ERROR) << "Failed to delete keys while idle";
   }
 

chrome/browser/chromeos/cert_provisioning/cert_provisioning_scheduler.h

@@ -156,7 +156,7 @@ class CertProvisioningSchedulerImpl
   void OnDeleteCertsWithoutPolicyDone(platform_keys::Status status);
   void CancelWorkersWithoutPolicy(const std::vector<CertProfile>& profiles);
   void CleanVaKeysIfIdle();
-  void OnCleanVaKeysIfIdleDone(base::Optional<bool> delete_result);
+  void OnCleanVaKeysIfIdleDone(bool delete_result);
   void RegisterForPrefsChanges();
 
   void InitiateRenewal(const CertProfileId& cert_profile_id);

chrome/browser/chromeos/cert_provisioning/cert_provisioning_worker.cc

@@ -817,11 +817,10 @@ void CertProvisioningWorkerImpl::CleanUpAndRunCallback() {
   OnCleanUpDone();
 }
 
-void CertProvisioningWorkerImpl::OnDeleteVaKeyDone(
-    base::Optional<bool> delete_result) {
+void CertProvisioningWorkerImpl::OnDeleteVaKeyDone(bool delete_result) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
-  if (!delete_result.has_value() || !delete_result.value()) {
+  if (!delete_result) {
     LOG(ERROR) << "Failed to delete a va key";
   }
   OnCleanUpDone();

chrome/browser/chromeos/cert_provisioning/cert_provisioning_worker.h

@@ -211,7 +211,7 @@ class CertProvisioningWorkerImpl : public CertProvisioningWorker {
   void InitAfterDeserialization();
 
   void CleanUpAndRunCallback();
-  void OnDeleteVaKeyDone(base::Optional<bool> delete_result);
+  void OnDeleteVaKeyDone(bool delete_result);
   void OnRemoveKeyDone(platform_keys::Status status);
   void OnCleanUpDone();
 

chromeos/dbus/attestation/attestation_client.h

@@ -6,6 +6,7 @@
 #define CHROMEOS_DBUS_ATTESTATION_ATTESTATION_CLIENT_H_
 
 #include <deque>
+#include <vector>
 
 #include "base/callback.h"
 #include "base/component_export.h"
@@ -110,6 +111,13 @@ class COMPONENT_EXPORT(CHROMEOS_DBUS_ATTESTATION) AttestationClient {
     // queried.
     virtual ::attestation::CreateCertificateRequestReply*
     mutable_certificate_request_reply() = 0;
+
+    // Gets the history of `DeleteKeys()` requests.
+    virtual const std::vector<::attestation::DeleteKeysRequest>&
+    delete_keys_history() const = 0;
+
+    // Clears the request history of `DeleteKeys()`.
+    virtual void ClearDeleteKeysHistory() = 0;
   };
 
   // Not copyable or movable.

chromeos/dbus/attestation/fake_attestation_client.cc

@@ -234,7 +234,10 @@ void FakeAttestationClient::SetKeyPayload(
 void FakeAttestationClient::DeleteKeys(
     const ::attestation::DeleteKeysRequest& request,
     DeleteKeysCallback callback) {
-  NOTIMPLEMENTED();
+  delete_keys_history_.push_back(request);
+  ::attestation::DeleteKeysReply reply;
+  reply.set_status(::attestation::STATUS_SUCCESS);
+  PostProtoResponse(std::move(callback), reply);
 }
 
 void FakeAttestationClient::ResetIdentity(
@@ -296,6 +299,15 @@ void FakeAttestationClient::AllowlistLegacyCreateCertificateRequest(
   allowlisted_create_requests_.push_back(request);
 }
 
+const std::vector<::attestation::DeleteKeysRequest>&
+FakeAttestationClient::delete_keys_history() const {
+  return delete_keys_history_;
+}
+
+void FakeAttestationClient::ClearDeleteKeysHistory() {
+  delete_keys_history_.clear();
+}
+
 AttestationClient::TestInterface* FakeAttestationClient::GetTestInterface() {
   return this;
 }

chromeos/dbus/attestation/fake_attestation_client.h

@@ -106,6 +106,9 @@ class COMPONENT_EXPORT(CHROMEOS_DBUS_ATTESTATION) FakeAttestationClient
       ::attestation::KeyType key_type) override;
   ::attestation::CreateCertificateRequestReply*
   mutable_certificate_request_reply() override;
+  const std::vector<::attestation::DeleteKeysRequest>& delete_keys_history()
+      const override;
+  void ClearDeleteKeysHistory() override;
 
   AttestationClient::TestInterface* GetTestInterface() override;
 
@@ -130,6 +133,9 @@ class COMPONENT_EXPORT(CHROMEOS_DBUS_ATTESTATION) FakeAttestationClient
   std::vector<int> certificate_indices_;
   // The count of certificates that has been issued.
   int certificate_count_ = 0;
+
+  // Maintains the input request history of `DeleteKeys()`.
+  std::vector<::attestation::DeleteKeysRequest> delete_keys_history_;
 };
 
 }  // namespace chromeos