
Issue 849899


Issue metadata

Status: Verified
Owner:
Closed: Jul 2
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




Support multiple ACA identities in attestationd

Project Member Reported by drcrash@chromium.org, Jun 5 2018

Issue description

See chromium:768140 for the cryptohomed work. This bug is about doing the same work in attestationd.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jun 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b

commit 3fb2b65d94196152c7ca7f1b643b9e55efc98c1b
Author: Yves Arrouye <drcrash@google.com>
Date: Sat Jun 23 05:51:23 2018

cryptohome and attestation: Support multiple ACA identities

Move identity-related data into better entities (names here from
their types in AttestationDatabase, see attestation.proto):
  - Identity: AIK and other TPM-generated identity data (e.g. PCR
    quotes)
  - Identity Certificate: An association between an identity and PCA
    data (the PCA itself and the PCA-signed AIK certificate)

These entities allow us to create as many Identities as we would
like, and to enroll any of those Identities with any or all of the
PCAs. This in turn allows (will allow, see below) one to present
multiple identities to any PCA.

Create one Identity when preparing for enrollment, and encrypt
endorsement credentials for all known PCAs.

Allow enrollment of any Identity with any PCA. For now, only the
one Identity we create is used by default. Also only create at most
one Identity Certificate per PCA. These limitations allow us to keep
the existing DBUS API as is while still allowing simultaneous use of
the default and test PCAs with the single identity we created.

Allow certificate requests to use any Identity Certificate. For now,
use the first (and only, given the above) Identity Certificate for the
PCA used for the request. This limitation has the same reason as for
above.

Unit tests check every call against the default and test PCAs as well
as initialization and database migration scenarios.

See https://paste.googleplex.com/5189305878183936 for manual tests.
(My apologies to non-Googlers. These just use a shell script wrapping
cryptohome and curl commands to take ownership of the TPM, enroll
with the default PCA, request a machine cert from that PCA, then
enroll with the test PCA---unavailable outside of Google---before
asking it for a machine certificate and then making that same
request from the test PCA.)

BUG= chromium:849899 
TEST=unit tests

Change-Id: I9a661ad3f8177c37c9845b7cf18a858e64ac3ec1
Reviewed-on: https://chromium-review.googlesource.com/1087515
Commit-Ready: Yves Arrouye <drcrash@chromium.org>
Tested-by: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/server/attestation_service_test.cc
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/common/interface.proto
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/server/database_impl.cc
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/common/database.proto
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/server/attestation_service.cc
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/common/print_interface_proto.cc
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/common/print_interface_proto.h
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/cryptohome/service_distributed.cc
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/server/database_impl.h
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/server/attestation_service.h
[modify] https://crrev.com/3fb2b65d94196152c7ca7f1b643b9e55efc98c1b/attestation/client/main.cc

Status: Verified (was: Assigned)
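The Identity / Identity Certificate split described in the commit message above, as an added sketch that is not code from platform2. Every type, field and function name here is hypothetical, and the key and certificate strings are constructed placeholders; it shows enrollment tracked per PCA, at most one Identity Certificate per PCA, and a certificate request resolving to the certificate issued by the PCA it targets.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// All names are hypothetical; these are not the types in database.proto.
enum class Pca { kDefault, kTest };

// Identity: AIK and other TPM-generated identity data.
struct Identity {
  std::string aik_public_key;  // constructed placeholder, not real key data
};

// Identity Certificate: ties one Identity to one PCA and its signed AIK cert.
struct IdentityCertificate {
  std::size_t identity;  // index into AttestationStore::identities
  Pca pca;
  std::string aik_certificate;
};

struct AttestationStore {
  std::vector<Identity> identities;
  std::vector<IdentityCertificate> certificates;

  std::size_t CreateIdentity(std::string aik) {
    identities.push_back(Identity{std::move(aik)});
    return identities.size() - 1;
  }

  // First Identity Certificate for `pca`, or -1 if not enrolled with it.
  int FindCertificate(Pca pca) const {
    for (std::size_t i = 0; i < certificates.size(); ++i)
      if (certificates[i].pca == pca) return static_cast<int>(i);
    return -1;
  }

  // Enrollment is tracked per PCA; keep at most one certificate per PCA.
  bool Enroll(std::size_t identity, Pca pca, std::string cert) {
    if (identity >= identities.size() || cert.empty()) return false;
    if (FindCertificate(pca) >= 0) return false;
    certificates.push_back(IdentityCertificate{identity, pca, std::move(cert)});
    return true;
  }

  // A request to `pca` must use the AIK certificate that same PCA issued.
  bool SelectForRequest(Pca pca, std::string* aik, std::string* cert) const {
    int i = FindCertificate(pca);
    if (i < 0) return false;
    *aik = identities[certificates[i].identity].aik_public_key;
    *cert = certificates[i].aik_certificate;
    return true;
  }
};
```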
