| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROMEOS_CERT_LOADER_H_ | 5 #ifndef CHROMEOS_CERT_LOADER_H_ |
| 6 #define CHROMEOS_CERT_LOADER_H_ | 6 #define CHROMEOS_CERT_LOADER_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> |
| 9 | 10 |
| 10 #include "base/basictypes.h" | 11 #include "base/basictypes.h" |
| 12 #include "base/compiler_specific.h" |
| 11 #include "base/memory/ref_counted.h" | 13 #include "base/memory/ref_counted.h" |
| 12 #include "base/memory/weak_ptr.h" | 14 #include "base/memory/weak_ptr.h" |
| 13 #include "base/observer_list.h" | 15 #include "base/observer_list.h" |
| 14 #include "base/threading/thread_checker.h" | 16 #include "base/threading/thread_checker.h" |
| 15 #include "chromeos/chromeos_export.h" | 17 #include "chromeos/chromeos_export.h" |
| 16 #include "chromeos/tpm_token_loader.h" | |
| 17 #include "net/cert/cert_database.h" | 18 #include "net/cert/cert_database.h" |
| 18 | 19 |
| 19 namespace base { | 20 namespace base { |
| 20 class TaskRunner; | 21 class TaskRunner; |
| 21 } | 22 } |
| 22 | 23 |
| 23 namespace net { | 24 namespace net { |
| 25 class NSSCertDatabase; |
| 24 class X509Certificate; | 26 class X509Certificate; |
| 27 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
| 25 } | 28 } |
| 26 | 29 |
| 27 namespace chromeos { | 30 namespace chromeos { |
| 28 | 31 |
| 29 // This class is responsible for loading certificates once the TPM is | 32 // This class is responsible for loading certificates once the TPM is |
| 30 // initialized. It is expected to be constructed on the UI thread and public | 33 // initialized. It is expected to be constructed on the UI thread and public |
| 31 // methods should all be called from the UI thread. | 34 // methods should all be called from the UI thread. |
| 32 // When certificates have been loaded (after login completes and tpm token is | 35 // When certificates have been loaded (after login completes and tpm token is |
| 33 // initialized), or the cert database changes, observers are called with | 36 // initialized), or the cert database changes, observers are called with |
| 34 // OnCertificatesLoaded(). | 37 // OnCertificatesLoaded(). |
| 35 // TODO(tbarzic): Remove direct dependency on TPMTokenLoader. The reason | 38 class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer { |
| 36 // TPMTokenLoader has to be observed is to make sure singleton NSS DB is | |
| 37 // initialized before certificate loading starts. CertLoader should use | |
| 38 // (primary) user specific NSS DB, whose loading already takes this into | |
| 39 // account (crypto::GetPrivateSlotForChromeOSUser waits until TPM token is | |
| 40 // ready). | |
| 41 class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer, | |
| 42 public TPMTokenLoader::Observer { | |
| 43 public: | 39 public: |
| 44 class Observer { | 40 class Observer { |
| 45 public: | 41 public: |
| 46 // Called when the certificates, passed for convenience as |cert_list|, | 42 // Called when the certificates, passed for convenience as |cert_list|, |
| 47 // have completed loading. |initial_load| is true the first time this | 43 // have completed loading. |initial_load| is true the first time this |
| 48 // is called. | 44 // is called. |
| 49 virtual void OnCertificatesLoaded(const net::CertificateList& cert_list, | 45 virtual void OnCertificatesLoaded(const net::CertificateList& cert_list, |
| 50 bool initial_load) = 0; | 46 bool initial_load) = 0; |
| 51 | 47 |
| 52 protected: | 48 protected: |
| 53 virtual ~Observer() {} | 49 virtual ~Observer() {} |
| 54 }; | 50 }; |
| 55 | 51 |
| 56 // Sets the global instance. Must be called before any calls to Get(). | 52 // Sets the global instance. Must be called before any calls to Get(). |
| 57 static void Initialize(); | 53 static void Initialize(); |
| 58 | 54 |
| 59 // Destroys the global instance. | 55 // Destroys the global instance. |
| 60 static void Shutdown(); | 56 static void Shutdown(); |
| 61 | 57 |
| 62 // Gets the global instance. Initialize() must be called first. | 58 // Gets the global instance. Initialize() must be called first. |
| 63 static CertLoader* Get(); | 59 static CertLoader* Get(); |
| 64 | 60 |
| 65 // Returns true if the global instance has been initialized. | 61 // Returns true if the global instance has been initialized. |
| 66 static bool IsInitialized(); | 62 static bool IsInitialized(); |
| 67 | 63 |
| 68 static std::string GetPkcs11IdForCert(const net::X509Certificate& cert); | 64 static std::string GetPkcs11IdForCert(const net::X509Certificate& cert); |
| 69 | 65 |
| 66 // Starts the CertLoader with the NSS cert database. |
| 67 // The CertLoader will _not_ take the ownership of the database. |
| 68 void StartWithNSSDB(net::NSSCertDatabase* database); |
| 69 |
| 70 // Sets the task runner that any slow calls will be made from, e.g. calls | 70 // Sets the task runner that any slow calls will be made from, e.g. calls |
| 71 // to the NSS database. If not set, uses base::WorkerPool. | 71 // to the NSS database. If not set, uses base::WorkerPool. |
| 72 void SetSlowTaskRunnerForTest( | 72 void SetSlowTaskRunnerForTest( |
| 73 const scoped_refptr<base::TaskRunner>& task_runner); | 73 const scoped_refptr<base::TaskRunner>& task_runner); |
| 74 | 74 |
| 75 void AddObserver(CertLoader::Observer* observer); | 75 void AddObserver(CertLoader::Observer* observer); |
| 76 void RemoveObserver(CertLoader::Observer* observer); | 76 void RemoveObserver(CertLoader::Observer* observer); |
| 77 | 77 |
| 78 // Returns true if the TPM is available for hardware-backed certificates. | 78 int TPMTokenSlotID() const; |
| 79 bool IsHardwareBacked() const; | 79 bool IsHardwareBacked() const; |
| 80 | 80 |
| 81 // Whether the certificate is hardware backed. Returns false if the CertLoader |
| 82 // was not yet started (both |CertificatesLoading()| and |
| 83 // |certificates_loaded()| are false). |
| 84 bool IsCertificateHardwareBacked(const net::X509Certificate* cert) const; |
| 85 |
| 81 // Returns true when the certificate list has been requested but not loaded. | 86 // Returns true when the certificate list has been requested but not loaded. |
| 82 bool CertificatesLoading() const; | 87 bool CertificatesLoading() const; |
| 83 | 88 |
| 84 bool certificates_loaded() const { return certificates_loaded_; } | 89 bool certificates_loaded() const { return certificates_loaded_; } |
| 85 | 90 |
| 86 // This will be empty until certificates_loaded() is true. | 91 // This will be empty until certificates_loaded() is true. |
| 87 const net::CertificateList& cert_list() const { return cert_list_; } | 92 const net::CertificateList& cert_list() const { return cert_list_; } |
| 88 | 93 |
| 89 // Getters for cached TPM token info. | 94 void force_hardware_backed_for_test() { |
| 90 std::string tpm_user_pin() const { return tpm_user_pin_; } | 95 force_hardware_backed_for_test_ = true; |
| 91 std::string tpm_token_name() const { return tpm_token_name_; } | 96 } |
| 92 int tpm_token_slot_id() const { return tpm_token_slot_id_; } | |
| 93 | 97 |
| 94 private: | 98 private: |
| 95 CertLoader(); | 99 CertLoader(); |
| 96 virtual ~CertLoader(); | 100 virtual ~CertLoader(); |
| 97 | 101 |
| 98 // Starts certificate loading. | |
| 99 void RequestCertificates(); | |
| 100 | |
| 101 // Trigger a certificate load. If a certificate loading task is already in | 102 // Trigger a certificate load. If a certificate loading task is already in |
| 102 // progress, will start a reload once the current task finished. | 103 // progress, will start a reload once the current task is finished. |
| 103 void LoadCertificates(); | 104 void LoadCertificates(); |
| 104 | 105 |
| 105 // Called if a certificate load task is finished. | 106 // Called if a certificate load task is finished. |
| 106 void UpdateCertificates(net::CertificateList* cert_list); | 107 void UpdateCertificates(net::CertificateList* cert_list); |
| 107 | 108 |
| 108 void NotifyCertificatesLoaded(bool initial_load); | 109 void NotifyCertificatesLoaded(bool initial_load); |
| 109 | 110 |
| 110 // net::CertDatabase::Observer | 111 // net::CertDatabase::Observer |
| 111 virtual void OnCACertChanged(const net::X509Certificate* cert) OVERRIDE; | 112 virtual void OnCACertChanged(const net::X509Certificate* cert) OVERRIDE; |
| 112 virtual void OnCertAdded(const net::X509Certificate* cert) OVERRIDE; | 113 virtual void OnCertAdded(const net::X509Certificate* cert) OVERRIDE; |
| 113 virtual void OnCertRemoved(const net::X509Certificate* cert) OVERRIDE; | 114 virtual void OnCertRemoved(const net::X509Certificate* cert) OVERRIDE; |
| 114 | 115 |
| 115 // chromeos::TPMTokenLoader::Observer | |
| 116 virtual void OnTPMTokenReady(const std::string& tpm_user_pin, | |
| 117 const std::string& tpm_token_name, | |
| 118 int tpm_token_slot_id) OVERRIDE; | |
| 119 | |
| 120 ObserverList<Observer> observers_; | 116 ObserverList<Observer> observers_; |
| 121 | 117 |
| 122 // Flags describing current CertLoader state. | 118 // Flags describing current CertLoader state. |
| 123 bool certificates_requested_; | |
| 124 bool certificates_loaded_; | 119 bool certificates_loaded_; |
| 125 bool certificates_update_required_; | 120 bool certificates_update_required_; |
| 126 bool certificates_update_running_; | 121 bool certificates_update_running_; |
| 127 | 122 |
| 128 // Cached TPM token info. Set when the |OnTPMTokenReady| gets called. | 123 // The user-specific NSS certificate database from which the certificates |
| 129 std::string tpm_user_pin_; | 124 // should be loaded. |
| 130 std::string tpm_token_name_; | 125 net::NSSCertDatabase* database_; |
| 131 int tpm_token_slot_id_; | |
| 132 | 126 |
| 133 // Cached Certificates. | 127 // Set during tests if |IsHardwareBacked()| should always return true. |
| 128 bool force_hardware_backed_for_test_; |
| 129 |
| 130 // Cached Certificates loaded from the database. |
| 134 net::CertificateList cert_list_; | 131 net::CertificateList cert_list_; |
| 135 | 132 |
| 136 base::ThreadChecker thread_checker_; | 133 base::ThreadChecker thread_checker_; |
| 137 | 134 |
| 138 // TaskRunner for other slow tasks. May be set in tests. | 135 // TaskRunner that, if set, replaces base::WorkerPool. Should only be set in |
| 136 // tests. |
| 139 scoped_refptr<base::TaskRunner> slow_task_runner_for_test_; | 137 scoped_refptr<base::TaskRunner> slow_task_runner_for_test_; |
| 140 | 138 |
| 141 base::WeakPtrFactory<CertLoader> weak_factory_; | 139 base::WeakPtrFactory<CertLoader> weak_factory_; |
| 142 | 140 |
| 143 DISALLOW_COPY_AND_ASSIGN(CertLoader); | 141 DISALLOW_COPY_AND_ASSIGN(CertLoader); |
| 144 }; | 142 }; |
| 145 | 143 |
| 146 } // namespace chromeos | 144 } // namespace chromeos |
| 147 | 145 |
| 148 #endif // CHROMEOS_CERT_LOADER_H_ | 146 #endif // CHROMEOS_CERT_LOADER_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 135193007:
Use user specific NSSDatabase in CertLoader. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src