chromeos: Enable ExtendedAuthenticator to call CheckKey(FINGERPRINT)

When the key type is set to KEY_TYPE_FINGERPRINT, CheckKey will wait
for a fingerprint scan result from biometrics daemon and report the
result. (See http://crrev/c/1941087 for more details.)

This change enables ExtendedAuthenticator to request fingerprint scan
result by calling CheckKey(KEY_TYPE_FINGERPRINT). With this change,
clients of ExtendedAuthenticator can perform fingerprint auth without
having to talk to biometrics daemon directly.

Bug: b:156258540, b:144861739
Change-Id: I923a53afa283dd4794ab8af239da894800a7a3f0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2364797
Commit-Queue: Yicheng Li <yichengli@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#800780}

chromeos/cryptohome/cryptohome_parameters.h

@@ -80,6 +80,10 @@ struct COMPONENT_EXPORT(CHROMEOS_CRYPTOHOME) KeyDefinition {
     // challenged is stored in |challenge_response_keys|, while |secret| should
     // be empty.
     TYPE_CHALLENGE_RESPONSE = 1,
+    // Fingerprint-based key. It doesn't carry secrets but indicates that
+    // cryptohome needs to query fingerprint scan results from biod and
+    // compare with the identity passed along with the key.
+    TYPE_FINGERPRINT = 2,
   };
 
   struct AuthorizationData {

chromeos/cryptohome/cryptohome_util.cc

@@ -272,6 +272,8 @@ AuthorizationRequest CreateAuthorizationRequestFromKeyDef(
       auth_request.mutable_key_delegate()->set_dbus_object_path(
           cryptohome::kCryptohomeKeyDelegateServicePath);
       break;
+    case KeyDefinition::TYPE_FINGERPRINT:
+      break;
   }
 
   return auth_request;
@@ -297,6 +299,10 @@ void KeyDefinitionToKey(const KeyDefinition& key_def, Key* key) {
                                             data->add_challenge_response_key());
       }
       break;
+
+    case KeyDefinition::TYPE_FINGERPRINT:
+      data->set_type(KeyData::KEY_TYPE_FINGERPRINT);
+      break;
   }
 
   if (key_def.revision > 0)

chromeos/login/auth/cryptohome_parameter_utils.cc

@@ -54,6 +54,8 @@ KeyDefinition CreateAuthorizationKeyDefFromUserContext(
       break;
     case KeyDefinition::TYPE_CHALLENGE_RESPONSE:
       break;
+    case KeyDefinition::TYPE_FINGERPRINT:
+      break;
   }
 
   return key_def;

chromeos/login/auth/extended_authenticator.h

@@ -80,6 +80,13 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) ExtendedAuthenticator
   // response.
   virtual void EndFingerprintAuthSession() = 0;
 
+  // Waits for a fingerprint scan from the user in |context|, and calls
+  // |callback| with a fingerprint-specific CryptohomeErrorCode. No further
+  // actions are taken after authentication.
+  virtual void AuthenticateWithFingerprint(
+      const UserContext& context,
+      base::OnceCallback<void(cryptohome::CryptohomeErrorCode)> callback) = 0;
+
   // Attempts to add a new |key| for the user identified/authorized by
   // |context|. If a key with the same label already exists, the behavior
   // depends on the |replace_existing| flag. If the flag is set, the old key is

chromeos/login/auth/extended_authenticator_impl.cc

@@ -122,6 +122,30 @@ void ExtendedAuthenticatorImpl::EndFingerprintAuthSession() {
       }));
 }
 
+void ExtendedAuthenticatorImpl::AuthenticateWithFingerprint(
+    const UserContext& context,
+    base::OnceCallback<void(cryptohome::CryptohomeErrorCode)> callback) {
+  cryptohome::KeyDefinition key_def;
+  key_def.type = cryptohome::KeyDefinition::TYPE_FINGERPRINT;
+  CryptohomeClient::Get()->CheckKeyEx(
+      cryptohome::CreateAccountIdentifierFromAccountId(context.GetAccountId()),
+      cryptohome::CreateAuthorizationRequestFromKeyDef(key_def),
+      cryptohome::CheckKeyRequest(),
+      base::BindOnce(&ExtendedAuthenticatorImpl::OnFingerprintScanComplete,
+                     this, std::move(callback)));
+}
+
+void ExtendedAuthenticatorImpl::OnFingerprintScanComplete(
+    base::OnceCallback<void(cryptohome::CryptohomeErrorCode)> callback,
+    base::Optional<cryptohome::BaseReply> reply) {
+  if (!reply) {
+    std::move(callback).Run(cryptohome::CryptohomeErrorCode::
+                                CRYPTOHOME_ERROR_FINGERPRINT_ERROR_INTERNAL);
+  }
+
+  std::move(callback).Run(reply->error());
+}
+
 void ExtendedAuthenticatorImpl::AddKey(const UserContext& context,
                                        const cryptohome::KeyDefinition& key,
                                        bool clobber_if_exists,

chromeos/login/auth/extended_authenticator_impl.h

@@ -41,6 +41,10 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) ExtendedAuthenticatorImpl
       const AccountId& account_id,
       base::OnceCallback<void(bool)> callback) override;
   void EndFingerprintAuthSession() override;
+  void AuthenticateWithFingerprint(
+      const UserContext& context,
+      base::OnceCallback<void(cryptohome::CryptohomeErrorCode)> callback)
+      override;
   void AddKey(const UserContext& context,
               const cryptohome::KeyDefinition& key,
               bool clobber_if_exists,
@@ -93,6 +97,9 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) ExtendedAuthenticatorImpl
   void OnStartFingerprintAuthSessionComplete(
       base::OnceCallback<void(bool)> callback,
       base::Optional<cryptohome::BaseReply> reply);
+  void OnFingerprintScanComplete(
+      base::OnceCallback<void(cryptohome::CryptohomeErrorCode)> callback,
+      base::Optional<cryptohome::BaseReply> reply);
 
   bool salt_obtained_;
   std::string system_salt_;

chromeos/login/auth/fake_extended_authenticator.cc

@@ -72,6 +72,19 @@ void FakeExtendedAuthenticator::StartFingerprintAuthSession(
 
 void FakeExtendedAuthenticator::EndFingerprintAuthSession() {}
 
+void FakeExtendedAuthenticator::AuthenticateWithFingerprint(
+    const UserContext& context,
+    base::OnceCallback<void(cryptohome::CryptohomeErrorCode)> callback) {
+  if (expected_user_context_ == context) {
+    std::move(callback).Run(cryptohome::CryptohomeErrorCode::
+                                CRYPTOHOME_ERROR_FINGERPRINT_RETRY_REQUIRED);
+    return;
+  }
+
+  std::move(callback).Run(
+      cryptohome::CryptohomeErrorCode::CRYPTOHOME_ERROR_NOT_SET);
+}
+
 void FakeExtendedAuthenticator::AddKey(const UserContext& context,
                                        const cryptohome::KeyDefinition& key,
                                        bool replace_existing,

chromeos/login/auth/fake_extended_authenticator.h

@@ -32,6 +32,10 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) FakeExtendedAuthenticator
       const AccountId& account_id,
       base::OnceCallback<void(bool)> callback) override;
   void EndFingerprintAuthSession() override;
+  void AuthenticateWithFingerprint(
+      const UserContext& context,
+      base::OnceCallback<void(cryptohome::CryptohomeErrorCode)> callback)
+      override;
   void AddKey(const UserContext& context,
               const cryptohome::KeyDefinition& key,
               bool replace_existing,