don't set username for device key in TpmChallengeKeySubtle.

crypthome used to do the job but attestaion only judges the EMK/EUK type
with emptiness of account id, so we have to filter out the account id
for EMK.

BUG=b:173060033
TEST=unit_tests and check if the following 3 cases are tested:
KEY_DEVICE with non-empty account id, KEY_DEVICE w/ empty account id,
and KEY_USER w/ account id.

Change-Id: I273e8e53304ee4a9a2740f12135a00c02eae6c78
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2531807Reviewed-by: Michael Ershov <miersh@google.com>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Commit-Queue: Leo Lai <cylai@google.com>
Cr-Commit-Position: refs/heads/master@{#826765}

chrome/browser/chromeos/attestation/tpm_challenge_key_subtle.cc

@@ -317,6 +317,28 @@ AccountId TpmChallengeKeySubtleImpl::GetAccountId() const {
   return EmptyAccountId();
 }
 
+AccountId TpmChallengeKeySubtleImpl::GetAccountIdForAttestationFlow() const {
+  switch (key_type_) {
+    case KEY_DEVICE:
+      return EmptyAccountId();
+    case KEY_USER:
+      return GetAccountId();
+  }
+  LOG(DFATAL) << "Unrecognized key type value: " << key_type_;
+  return EmptyAccountId();
+}
+
+std::string TpmChallengeKeySubtleImpl::GetUsernameForAttestationClient() const {
+  switch (key_type_) {
+    case KEY_DEVICE:
+      return std::string();
+    case KEY_USER:
+      return cryptohome::Identification(GetAccountId()).id();
+  }
+  LOG(DFATAL) << "Unrecognized key type value: " << key_type_;
+  return std::string();
+}
+
 void TpmChallengeKeySubtleImpl::GetDeviceAttestationEnabled(
     const base::RepeatingCallback<void(bool)>& callback) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -403,7 +425,7 @@ void TpmChallengeKeySubtleImpl::GetEnrollmentPreparationsCallback(
   }
 
   ::attestation::GetKeyInfoRequest request;
-  request.set_username(cryptohome::Identification(GetAccountId()).id());
+  request.set_username(GetUsernameForAttestationClient());
   request.set_key_label(key_name_);
   AttestationClient::Get()->GetKeyInfo(
       request, base::BindOnce(&TpmChallengeKeySubtleImpl::DoesKeyExistCallback,
@@ -480,7 +502,7 @@ void TpmChallengeKeySubtleImpl::AskForUserConsentCallback(bool result) {
 
   // Generate a new key and have it signed by PCA.
   attestation_flow_->GetCertificate(
-      GetCertificateProfile(), GetAccountId(),
+      GetCertificateProfile(), GetAccountIdForAttestationFlow(),
       /*request_origin=*/std::string(),  // Not used.
       /*force_new_key=*/true, key_name_,
       base::BindOnce(&TpmChallengeKeySubtleImpl::GetCertificateCallback,
@@ -505,7 +527,7 @@ void TpmChallengeKeySubtleImpl::GetPublicKey() {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   ::attestation::GetKeyInfoRequest request;
-  request.set_username(cryptohome::Identification(GetAccountId()).id());
+  request.set_username(GetUsernameForAttestationClient());
   request.set_key_label(key_name_);
   AttestationClient::Get()->GetKeyInfo(
       request, base::BindOnce(&TpmChallengeKeySubtleImpl::PrepareKeyFinished,
@@ -551,7 +573,7 @@ void TpmChallengeKeySubtleImpl::StartSignChallengeStep(
                                                       : std::string();
 
   ::attestation::SignEnterpriseChallengeRequest request;
-  request.set_username(cryptohome::Identification(GetAccountId()).id());
+  request.set_username(GetUsernameForAttestationClient());
   request.set_key_label(key_name_for_challenge);
   request.set_key_name_for_spkac(key_name_for_spkac);
   request.set_domain(GetEmail());
@@ -587,7 +609,7 @@ void TpmChallengeKeySubtleImpl::StartRegisterKeyStep(
   callback_ = std::move(callback);
 
   ::attestation::RegisterKeyWithChapsTokenRequest request;
-  request.set_username(cryptohome::Identification(GetAccountId()).id());
+  request.set_username(GetUsernameForAttestationClient());
   request.set_key_label(key_name_);
   request.set_include_certificates(false);
 

chrome/browser/chromeos/attestation/tpm_challenge_key_subtle.h

@@ -176,6 +176,12 @@ class TpmChallengeKeySubtleImpl final : public TpmChallengeKeySubtle {
   // Returns the AccountId associated with |profile_|. Will return
   // EmptyAccountId() if GetUser() returns nullptr.
   AccountId GetAccountId() const;
+  // Returns `GetAccountId()` if the key type is `KEY_USER`; otherwise, returns
+  // empty `AccountId` for `KEY_DEVICE`.
+  AccountId GetAccountIdForAttestationFlow() const;
+  // Returns the account id in string if the key type is `KEY_USER`; otherwise,
+  // returns empty string for `KEY_DEVICE`.
+  std::string GetUsernameForAttestationClient() const;
 
   // Actually prepares a key after all checks are passed and if `can_continue`
   // is true.

chrome/browser/chromeos/attestation/tpm_challenge_key_subtle_unittest.cc

@@ -709,7 +709,7 @@ TEST_F(TpmChallengeKeySubtleTest, GetPublicKeyFailed) {
   // attestation flow.
   AttestationClient::Get()
       ->GetTestInterface()
-      ->GetMutableKeyInfoReply(kTestUserEmail, key_name)
+      ->GetMutableKeyInfoReply(/*username=*/"", key_name)
       ->set_status(::attestation::STATUS_INVALID_PARAMETER);
 
   RunOneStepAndExpect(KEY_DEVICE, /*will_register_key=*/true, key_name,