| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chromeos/cert_loader.h" | 5 #include "chromeos/cert_loader.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| 11 #include "base/sequenced_task_runner.h" |
| 11 #include "base/strings/string_number_conversions.h" | 12 #include "base/strings/string_number_conversions.h" |
| 12 #include "base/task_runner_util.h" | 13 #include "base/task_runner_util.h" |
| 13 #include "base/threading/worker_pool.h" | 14 #include "base/threading/worker_pool.h" |
| 14 #include "crypto/nss_util.h" | 15 #include "crypto/nss_util.h" |
| 15 #include "net/cert/nss_cert_database.h" | 16 #include "net/cert/nss_cert_database.h" |
| 17 #include "net/cert/nss_cert_database_chromeos.h" |
| 16 #include "net/cert/x509_certificate.h" | 18 #include "net/cert/x509_certificate.h" |
| 17 | 19 |
| 18 namespace chromeos { | 20 namespace chromeos { |
| 19 | 21 |
| 20 namespace { | 22 namespace { |
| 21 | 23 |
| 22 // Loads certificates from |cert_database| into |cert_list|. | 24 // Loads certificates from |cert_database| into |cert_list|. |
| 23 void LoadNSSCertificates(net::NSSCertDatabase* cert_database, | 25 void LoadNSSCertificates(net::NSSCertDatabase* cert_database, |
| 24 net::CertificateList* cert_list) { | 26 net::CertificateList* cert_list) { |
| 25 cert_database->ListCerts(cert_list); | 27 cert_database->ListCerts(cert_list); |
| (...skipping 21 matching lines...) Expand all Loading... |
| 47 CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()"; | 49 CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()"; |
| 48 return g_cert_loader; | 50 return g_cert_loader; |
| 49 } | 51 } |
| 50 | 52 |
| 51 // static | 53 // static |
| 52 bool CertLoader::IsInitialized() { | 54 bool CertLoader::IsInitialized() { |
| 53 return g_cert_loader; | 55 return g_cert_loader; |
| 54 } | 56 } |
| 55 | 57 |
| 56 CertLoader::CertLoader() | 58 CertLoader::CertLoader() |
| 57 : certificates_requested_(false), | 59 : certificates_loaded_(false), |
| 58 certificates_loaded_(false), | |
| 59 certificates_update_required_(false), | 60 certificates_update_required_(false), |
| 60 certificates_update_running_(false), | 61 certificates_update_running_(false), |
| 61 tpm_token_slot_id_(-1), | 62 database_(NULL), |
| 63 force_hardware_backed_for_test_(false), |
| 62 weak_factory_(this) { | 64 weak_factory_(this) { |
| 63 if (TPMTokenLoader::IsInitialized()) | 65 } |
| 64 TPMTokenLoader::Get()->AddObserver(this); | 66 |
| 67 CertLoader::~CertLoader() { |
| 68 net::CertDatabase::GetInstance()->RemoveObserver(this); |
| 69 } |
| 70 |
| 71 void CertLoader::StartWithNSSDB(net::NSSCertDatabase* database) { |
| 72 CHECK(!database_); |
| 73 database_ = database; |
| 74 |
| 75 // Start observing cert database for changes. |
| 76 // Observing net::CertDatabase is preferred over observing |database_| |
| 77 // directly, as |database_| observers receive only events generated directly |
| 78 // by |database_|, so they may miss a few relevant ones. |
| 79 // TODO(tbarzic): Once singleton NSSCertDatabase is removed, investigate if |
| 80 // it would be OK to observe |database_| directly; or change NSSCertDatabase |
| 81 // to send notification on all relevant changes. |
| 82 net::CertDatabase::GetInstance()->AddObserver(this); |
| 83 |
| 84 LoadCertificates(); |
| 65 } | 85 } |
| 66 | 86 |
| 67 void CertLoader::SetSlowTaskRunnerForTest( | 87 void CertLoader::SetSlowTaskRunnerForTest( |
| 68 const scoped_refptr<base::TaskRunner>& task_runner) { | 88 const scoped_refptr<base::TaskRunner>& task_runner) { |
| 69 slow_task_runner_for_test_ = task_runner; | 89 slow_task_runner_for_test_ = task_runner; |
| 70 } | 90 } |
| 71 | 91 |
| 72 CertLoader::~CertLoader() { | |
| 73 net::CertDatabase::GetInstance()->RemoveObserver(this); | |
| 74 if (TPMTokenLoader::IsInitialized()) | |
| 75 TPMTokenLoader::Get()->RemoveObserver(this); | |
| 76 } | |
| 77 | |
| 78 void CertLoader::AddObserver(CertLoader::Observer* observer) { | 92 void CertLoader::AddObserver(CertLoader::Observer* observer) { |
| 79 observers_.AddObserver(observer); | 93 observers_.AddObserver(observer); |
| 80 } | 94 } |
| 81 | 95 |
| 82 void CertLoader::RemoveObserver(CertLoader::Observer* observer) { | 96 void CertLoader::RemoveObserver(CertLoader::Observer* observer) { |
| 83 observers_.RemoveObserver(observer); | 97 observers_.RemoveObserver(observer); |
| 84 } | 98 } |
| 85 | 99 |
| 100 int CertLoader::TPMTokenSlotID() const { |
| 101 if (!database_) |
| 102 return -1; |
| 103 return static_cast<int>(PK11_GetSlotID(database_->GetPrivateSlot().get())); |
| 104 } |
| 105 |
| 86 bool CertLoader::IsHardwareBacked() const { | 106 bool CertLoader::IsHardwareBacked() const { |
| 87 return !tpm_token_name_.empty(); | 107 return force_hardware_backed_for_test_ || |
| 108 (database_ && PK11_IsHW(database_->GetPrivateSlot().get())); |
| 109 } |
| 110 |
| 111 bool CertLoader::IsCertificateHardwareBacked( |
| 112 const net::X509Certificate* cert) const { |
| 113 if (!database_) |
| 114 return false; |
| 115 return database_->IsHardwareBacked(cert); |
| 88 } | 116 } |
| 89 | 117 |
| 90 bool CertLoader::CertificatesLoading() const { | 118 bool CertLoader::CertificatesLoading() const { |
| 91 return certificates_requested_ && !certificates_loaded_; | 119 return database_ && !certificates_loaded_; |
| 92 } | 120 } |
| 93 | 121 |
| 94 // This is copied from chrome/common/net/x509_certificate_model_nss.cc. | 122 // This is copied from chrome/common/net/x509_certificate_model_nss.cc. |
| 95 // For background see this discussion on dev-tech-crypto.lists.mozilla.org: | 123 // For background see this discussion on dev-tech-crypto.lists.mozilla.org: |
| 96 // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX | 124 // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX |
| 97 // | 125 // |
| 98 // NOTE: This function relies on the convention that the same PKCS#11 ID | 126 // NOTE: This function relies on the convention that the same PKCS#11 ID |
| 99 // is shared between a certificate and its associated private and public | 127 // is shared between a certificate and its associated private and public |
| 100 // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(), | 128 // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(), |
| 101 // but that always returns NULL on Chrome OS for me. | 129 // but that always returns NULL on Chrome OS for me. |
| (...skipping 11 matching lines...) Expand all Loading... |
| 113 std::string pkcs11_id; | 141 std::string pkcs11_id; |
| 114 if (sec_item) { | 142 if (sec_item) { |
| 115 pkcs11_id = base::HexEncode(sec_item->data, sec_item->len); | 143 pkcs11_id = base::HexEncode(sec_item->data, sec_item->len); |
| 116 SECITEM_FreeItem(sec_item, PR_TRUE); | 144 SECITEM_FreeItem(sec_item, PR_TRUE); |
| 117 } | 145 } |
| 118 SECKEY_DestroyPrivateKey(priv_key); | 146 SECKEY_DestroyPrivateKey(priv_key); |
| 119 | 147 |
| 120 return pkcs11_id; | 148 return pkcs11_id; |
| 121 } | 149 } |
| 122 | 150 |
| 123 void CertLoader::RequestCertificates() { | |
| 124 if (certificates_requested_) | |
| 125 return; | |
| 126 certificates_requested_ = true; | |
| 127 | |
| 128 DCHECK(!certificates_loaded_ && !certificates_update_running_); | |
| 129 net::CertDatabase::GetInstance()->AddObserver(this); | |
| 130 LoadCertificates(); | |
| 131 } | |
| 132 | |
| 133 void CertLoader::LoadCertificates() { | 151 void CertLoader::LoadCertificates() { |
| 134 CHECK(thread_checker_.CalledOnValidThread()); | 152 CHECK(thread_checker_.CalledOnValidThread()); |
| 135 VLOG(1) << "LoadCertificates: " << certificates_update_running_; | 153 VLOG(1) << "LoadCertificates: " << certificates_update_running_; |
| 136 | 154 |
| 137 if (certificates_update_running_) { | 155 if (certificates_update_running_) { |
| 138 certificates_update_required_ = true; | 156 certificates_update_required_ = true; |
| 139 return; | 157 return; |
| 140 } | 158 } |
| 141 | 159 |
| 142 net::CertificateList* cert_list = new net::CertificateList; | 160 net::CertificateList* cert_list = new net::CertificateList; |
| 143 certificates_update_running_ = true; | 161 certificates_update_running_ = true; |
| 144 certificates_update_required_ = false; | 162 certificates_update_required_ = false; |
| 145 | 163 |
| 146 base::TaskRunner* task_runner = slow_task_runner_for_test_.get(); | 164 base::TaskRunner* task_runner = slow_task_runner_for_test_.get(); |
| 147 if (!task_runner) | 165 if (!task_runner) |
| 148 task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */); | 166 task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */); |
| 149 task_runner->PostTaskAndReply( | 167 task_runner->PostTaskAndReply( |
| 150 FROM_HERE, | 168 FROM_HERE, |
| 151 base::Bind(LoadNSSCertificates, | 169 base::Bind(LoadNSSCertificates, |
| 152 net::NSSCertDatabase::GetInstance(), | 170 // Create a copy of the database so it can be used on the |
| 171 // worker pool. |
| 172 // TODO(tbarzic): Make net::NSSCertDatabase::ListCerts async |
| 173 // and change it to do the certificate listing on worker |
| 174 // pool. |
| 175 base::Owned(new net::NSSCertDatabaseChromeOS( |
| 176 database_->GetPublicSlot(), |
| 177 database_->GetPrivateSlot())), |
| 153 cert_list), | 178 cert_list), |
| 154 base::Bind(&CertLoader::UpdateCertificates, | 179 base::Bind(&CertLoader::UpdateCertificates, |
| 155 weak_factory_.GetWeakPtr(), | 180 weak_factory_.GetWeakPtr(), |
| 156 base::Owned(cert_list))); | 181 base::Owned(cert_list))); |
| 157 } | 182 } |
| 158 | 183 |
| 159 void CertLoader::UpdateCertificates(net::CertificateList* cert_list) { | 184 void CertLoader::UpdateCertificates(net::CertificateList* cert_list) { |
| 160 CHECK(thread_checker_.CalledOnValidThread()); | 185 CHECK(thread_checker_.CalledOnValidThread()); |
| 161 DCHECK(certificates_update_running_); | 186 DCHECK(certificates_update_running_); |
| 162 VLOG(1) << "UpdateCertificates: " << cert_list->size(); | 187 VLOG(1) << "UpdateCertificates: " << cert_list->size(); |
| (...skipping 25 matching lines...) Expand all Loading... |
| 188 // This is triggered when a client certificate is added. | 213 // This is triggered when a client certificate is added. |
| 189 VLOG(1) << "OnCertAdded"; | 214 VLOG(1) << "OnCertAdded"; |
| 190 LoadCertificates(); | 215 LoadCertificates(); |
| 191 } | 216 } |
| 192 | 217 |
| 193 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) { | 218 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) { |
| 194 VLOG(1) << "OnCertRemoved"; | 219 VLOG(1) << "OnCertRemoved"; |
| 195 LoadCertificates(); | 220 LoadCertificates(); |
| 196 } | 221 } |
| 197 | 222 |
| 198 void CertLoader::OnTPMTokenReady(const std::string& tpm_user_pin, | |
| 199 const std::string& tpm_token_name, | |
| 200 int tpm_token_slot_id) { | |
| 201 tpm_user_pin_ = tpm_user_pin; | |
| 202 tpm_token_name_ = tpm_token_name; | |
| 203 tpm_token_slot_id_ = tpm_token_slot_id; | |
| 204 | |
| 205 VLOG(1) << "TPM token ready."; | |
| 206 RequestCertificates(); | |
| 207 } | |
| 208 | |
| 209 } // namespace chromeos | 223 } // namespace chromeos |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 135193007:
Use user specific NSSDatabase in CertLoader. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src