1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185
|
// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/ash/attestation/tpm_challenge_key_result.h"
#include <ostream>
#include "base/base64.h"
#include "base/check_op.h"
#include "base/notreached.h"
#include "base/values.h"
namespace ash {
namespace attestation {
namespace {
std::string Base64EncodeStr(const std::string& str) {
return base::Base64Encode(str);
}
} // namespace
// These messages are exposed to the extensions that using
// chrome.enterprise.platformKeys API. Someone can rely on exectly these
// strings. Should be changed carefully.
const char TpmChallengeKeyResult::kDevicePolicyDisabledErrorMsg[] =
"Remote attestation is not enabled for your device.";
const char TpmChallengeKeyResult::kSignChallengeFailedErrorMsg[] =
"Failed to sign the challenge.";
const char TpmChallengeKeyResult::kUserNotManagedErrorMsg[] =
"The user account is not enterprise managed.";
const char TpmChallengeKeyResult::kKeyRegistrationFailedErrorMsg[] =
"Key registration failed.";
const char TpmChallengeKeyResult::kUserPolicyDisabledErrorMsg[] =
"Remote attestation is not enabled for your account.";
const char TpmChallengeKeyResult::kUserKeyNotAvailableErrorMsg[] =
"User keys cannot be challenged in this profile.";
const char TpmChallengeKeyResult::kNonEnterpriseDeviceErrorMsg[] =
"The device is not enterprise enrolled.";
const char TpmChallengeKeyResult::kDbusErrorMsg[] =
"Failed to get Enterprise certificate. Error code = 1";
const char TpmChallengeKeyResult::kUserRejectedErrorMsg[] =
"Failed to get Enterprise certificate. Error code = 2";
const char TpmChallengeKeyResult::kGetCertificateFailedErrorMsg[] =
"Failed to get Enterprise certificate. Error code = 3";
const char TpmChallengeKeyResult::kResetRequiredErrorMsg[] =
"Failed to get Enterprise certificate. Error code = 4";
const char TpmChallengeKeyResult::kAttestationUnsupportedErrorMsg[] =
"Failed to get Enterprise certificate. Error code = 5";
const char TpmChallengeKeyResult::kTimeoutErrorMsg[] =
"Device web based attestation failed with timeout error.";
const char TpmChallengeKeyResult::kDeviceWebBasedAttestationUrlErrorMsg[] =
"Device web based attestation is not enabled for the provided URL.";
const char TpmChallengeKeyResult::kExtensionNotAllowedErrorMsg[] =
"The extension does not have permission to call this function.";
const char TpmChallengeKeyResult::kChallengeBadBase64ErrorMsg[] =
"Challenge is not base64 encoded.";
const char TpmChallengeKeyResult::kDeviceWebBasedAttestationNotOobeErrorMsg[] =
"Device web based attestation is only available on the OOBE screen.";
const char TpmChallengeKeyResult::kGetPublicKeyFailedErrorMsg[] =
"Failed to get public key.";
const char TpmChallengeKeyResult::kMarkCorporateKeyFailedErrorMsg[] =
"Failed to mark key as corporate.";
const char TpmChallengeKeyResult::kAttestationServiceInternalErrorMsg[] =
"OS platform service internal error.";
const char TpmChallengeKeyResult::kUploadCertificateFailedErrorMsg[] =
"Failed to upload machine certificate.";
const char TpmChallengeKeyResult::kDeviceTrustURLConflictError[] =
"Both policies DeviceContextAwareAccessSignalsAllowlist and "
"DeviceWebBasedAttestationAllowedUrls are enabled for this URL.";
const char TpmChallengeKeyResult::kVerifiedAccessFlowUnsupportedErrorMsg[] =
"Verified Access flow type is not supported on ChromeOS.";
// static
TpmChallengeKeyResult TpmChallengeKeyResult::MakeChallengeResponse(
const std::string& challenge_response) {
return TpmChallengeKeyResult{
/*result_code=*/TpmChallengeKeyResultCode::kSuccess,
/*public_key=*/"",
/*challenge_response=*/challenge_response};
}
// static
TpmChallengeKeyResult TpmChallengeKeyResult::MakePublicKey(
const std::string& public_key) {
return TpmChallengeKeyResult{
/*result_code=*/TpmChallengeKeyResultCode::kSuccess,
/*public_key=*/public_key,
/*challenge_response=*/""};
}
// static
TpmChallengeKeyResult TpmChallengeKeyResult::MakeSuccess() {
return TpmChallengeKeyResult{
/*result_code=*/TpmChallengeKeyResultCode::kSuccess,
/*public_key=*/"",
/*challenge_response=*/""};
}
// static
TpmChallengeKeyResult TpmChallengeKeyResult::MakeError(
TpmChallengeKeyResultCode error_code) {
DCHECK_NE(error_code, TpmChallengeKeyResultCode::kSuccess);
return TpmChallengeKeyResult{/*result_code=*/error_code,
/*public_key=*/"",
/*challenge_response=*/""};
}
const char* TpmChallengeKeyResult::GetErrorMessage() const {
switch (result_code) {
case TpmChallengeKeyResultCode::kDevicePolicyDisabledError:
return kDevicePolicyDisabledErrorMsg;
case TpmChallengeKeyResultCode::kSignChallengeFailedError:
return kSignChallengeFailedErrorMsg;
case TpmChallengeKeyResultCode::kUserNotManagedError:
return kUserNotManagedErrorMsg;
case TpmChallengeKeyResultCode::kKeyRegistrationFailedError:
return kKeyRegistrationFailedErrorMsg;
case TpmChallengeKeyResultCode::kUserKeyNotAvailableError:
return kUserKeyNotAvailableErrorMsg;
case TpmChallengeKeyResultCode::kUserPolicyDisabledError:
return kUserPolicyDisabledErrorMsg;
case TpmChallengeKeyResultCode::kNonEnterpriseDeviceError:
return kNonEnterpriseDeviceErrorMsg;
case TpmChallengeKeyResultCode::kDbusError:
return kDbusErrorMsg;
case TpmChallengeKeyResultCode::kUserRejectedError:
return kUserRejectedErrorMsg;
case TpmChallengeKeyResultCode::kGetCertificateFailedError:
return kGetCertificateFailedErrorMsg;
case TpmChallengeKeyResultCode::kResetRequiredError:
return kResetRequiredErrorMsg;
case TpmChallengeKeyResultCode::kAttestationUnsupportedError:
return kAttestationUnsupportedErrorMsg;
case TpmChallengeKeyResultCode::kTimeoutError:
return kTimeoutErrorMsg;
case TpmChallengeKeyResultCode::kDeviceWebBasedAttestationUrlError:
return kDeviceWebBasedAttestationUrlErrorMsg;
case TpmChallengeKeyResultCode::kExtensionNotAllowedError:
return kExtensionNotAllowedErrorMsg;
case TpmChallengeKeyResultCode::kChallengeBadBase64Error:
return kChallengeBadBase64ErrorMsg;
case TpmChallengeKeyResultCode::kDeviceWebBasedAttestationNotOobeError:
return kDeviceWebBasedAttestationNotOobeErrorMsg;
case TpmChallengeKeyResultCode::kGetPublicKeyFailedError:
return kGetPublicKeyFailedErrorMsg;
case TpmChallengeKeyResultCode::kMarkCorporateKeyFailedError:
return kMarkCorporateKeyFailedErrorMsg;
case TpmChallengeKeyResultCode::kAttestationServiceInternalError:
return kAttestationServiceInternalErrorMsg;
case TpmChallengeKeyResultCode::kUploadCertificateFailedError:
return kUploadCertificateFailedErrorMsg;
case TpmChallengeKeyResultCode::kDeviceTrustURLConflictError:
return kDeviceTrustURLConflictError;
case TpmChallengeKeyResultCode::kVerifiedAccessFlowUnsupportedError:
return kVerifiedAccessFlowUnsupportedErrorMsg;
case TpmChallengeKeyResultCode::kSuccess:
// Not an error message.
NOTREACHED();
}
NOTREACHED() << static_cast<int>(result_code);
}
bool TpmChallengeKeyResult::IsSuccess() const {
return result_code == TpmChallengeKeyResultCode::kSuccess;
}
std::ostream& operator<<(std::ostream& os,
const TpmChallengeKeyResult& result) {
base::Value::Dict value;
value.Set("result_code", static_cast<int>(result.result_code));
if (!result.IsSuccess()) {
value.Set("error_message", result.GetErrorMessage());
}
value.Set("public_key", Base64EncodeStr(result.public_key));
value.Set("challenge_response", Base64EncodeStr(result.challenge_response));
os << value;
return os;
}
} // namespace attestation
} // namespace ash
|