chromium/chrome/browser/enterprise/connectors/device_trust/attestation/browser/browser_attestation_service.cc

// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/enterprise/connectors/device_trust/attestation/browser/browser_attestation_service.h"

#include <utility>

#include "base/barrier_closure.h"
#include "base/check.h"
#include "base/command_line.h"
#include "base/json/json_writer.h"
#include "base/strings/string_util.h"
#include "base/task/task_traits.h"
#include "base/task/thread_pool.h"
#include "base/values.h"
#include "chrome/browser/enterprise/connectors/device_trust/attestation/browser/attestation_switches.h"
#include "chrome/browser/enterprise/connectors/device_trust/attestation/browser/crypto_utility.h"
#include "chrome/browser/enterprise/connectors/device_trust/attestation/common/attestation_utils.h"
#include "chrome/browser/enterprise/connectors/device_trust/attestation/common/proto/device_trust_attestation_ca.pb.h"
#include "chrome/browser/enterprise/connectors/device_trust/common/common_types.h"
#include "crypto/random.h"

namespace enterprise_connectors {

namespace {

// Size, in bytes, of the nonce included in the challenge response.
// NOTE(review): the initializer is not shown in this listing; confirm the
// value against the source file before relying on it.
const size_t kChallengeResponseNonceBytesSize =;

// Verifies that `signed_challenge_data` comes from Verified Access (VA).
//
// `signed_challenge_data`: the SignedData carrying the VA challenge.
// `va_public_key_modulus_hex`: hex-encoded modulus of the VA public key.
//   Presumably the trust anchor the signature is checked against — the body
//   is not shown in this listing, confirm there.
// Returns true only when the data is determined to originate from VA.
bool ChallengeComesFromVerifiedAccess(
    const SignedData& signed_challenge_data,
    const std::string& va_public_key_modulus_hex) {}

// Returns the VAType this service attests against. The body is not shown in
// this listing; given the attestation_switches.h and base/command_line.h
// includes it likely depends on a command-line switch — confirm.
VAType GetVAType() {}

// Builds the challenge-response string: the serialized KeyInfo message
// encrypted using a public encryption key, with the following parameters:
//   Key encryption: RSA-OAEP with no custom parameters.
//   Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
//   MAC: HMAC-SHA-512 using the AES key.
//
// `serialized_key_info`: the KeyInfo message to encrypt.
// `signed_challenge_data`: the SignedData carrying the VA challenge.
// `wrapping_key_modulus_hex`: hex-encoded modulus of the wrapping
//   (encryption) key.
// `wrapping_key_id`: identifier of that wrapping key.
// Returns std::nullopt presumably when encryption fails — the body is not
// shown in this listing, confirm the failure conditions there.
std::optional<std::string> CreateChallengeResponseString(
    const std::string& serialized_key_info,
    const SignedData& signed_challenge_data,
    const std::string& wrapping_key_modulus_hex,
    const std::string& wrapping_key_id) {}

}  // namespace

// Takes ownership of `attesters`, the Attester instances available to this
// service. How each attester is consulted is not visible in this listing;
// the initializer list is not shown either.
BrowserAttestationService::BrowserAttestationService(
    std::vector<std::unique_ptr<Attester>> attesters)
    :{}

// Defaulted destructor: owned state is released by the members' own
// destructors; no explicit cleanup is needed here.
BrowserAttestationService::~BrowserAttestationService() = default;

// Entry point of the challenge-response flow. Goes through the following
// steps in order:
// - Validate that the challenge comes from VA,
// - Generate the challenge response,
// - Sign the response,
// - Encode the encrypted data,
// - Reply to the callback.
// The later steps are the On* continuations below; the body is not shown in
// this listing, so confirm there which steps run on which sequence.
//
// `challenge`: the serialized VA challenge.
// `signals`: device signals to include in the response (taken by value,
//   moved through the continuations).
// `levels`: the DTC policy levels the response is built for.
// `callback`: receives the final result.
void BrowserAttestationService::BuildChallengeResponseForVAChallenge(
    const std::string& challenge,
    base::Value::Dict signals,
    const std::set<DTCPolicyLevel>& levels,
    AttestationCallback callback) {}

// Continuation after the VA-origin check of the challenge.
//
// `signed_data`: the parsed SignedData of the challenge.
// `signals`: device signals to include in the response.
// `levels`: the DTC policy levels the response is built for.
// `callback`: receives the final result.
// `is_va_challenge`: result of the origin check. NOTE(review): presumably the
//   flow stops and `callback` is invoked with a failure when this is false —
//   the body is not shown in this listing, confirm there.
void BrowserAttestationService::OnChallengeValidated(
    const SignedData& signed_data,
    base::Value::Dict signals,
    const std::set<DTCPolicyLevel>& levels,
    AttestationCallback callback,
    bool is_va_challenge) {}

// Continuation once the KeyInfo message has been decorated.
//
// `signed_data`: the parsed SignedData of the challenge.
// `levels`: the DTC policy levels the response is built for.
// `callback`: receives the final result.
// `key_info`: the decorated KeyInfo, owned here; presumably serialized and
//   handed to CreateChallengeResponseString() next — confirm in the body.
void BrowserAttestationService::OnKeyInfoDecorated(
    const SignedData& signed_data,
    const std::set<DTCPolicyLevel>& levels,
    AttestationCallback callback,
    std::unique_ptr<KeyInfo> key_info) {}

// Continuation once the encrypted challenge response has been created.
//
// `levels`: the DTC policy levels the response is built for.
// `callback`: receives the final result.
// `encrypted_response`: the encrypted response, or std::nullopt when creation
//   failed. NOTE(review): the nullopt path should end the flow with a failure
//   reported to `callback` — the body is not shown in this listing, confirm.
void BrowserAttestationService::OnResponseCreated(
    const std::set<DTCPolicyLevel>& levels,
    AttestationCallback callback,
    std::optional<std::string> encrypted_response) {}

// Final continuation: the encrypted response has been signed.
//
// `callback`: receives the final result.
// `encrypted_response`: the encrypted response that was signed.
// `signed_data`: the signature container, owned here. Presumably encoded
//   and passed to `callback` — the body is not shown in this listing, confirm.
void BrowserAttestationService::OnResponseSigned(
    AttestationCallback callback,
    const std::string& encrypted_response,
    std::unique_ptr<SignedData> signed_data) {}

}  // namespace enterprise_connectors