Use user specific NSSDatabase in CertLoader.

chromeos/network/network_connection_handler.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/network_connection_handler.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/json/json_reader.h"
 #include "base/location.h"
 #include "base/strings/string_number_conversions.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/shill_manager_client.h"
 #include "chromeos/dbus/shill_service_client.h"
 #include "chromeos/network/client_cert_util.h"
 #include "chromeos/network/network_configuration_handler.h"
 #include "chromeos/network/network_event_log.h"
 #include "chromeos/network/network_handler_callbacks.h"
 #include "chromeos/network/network_profile_handler.h"
 #include "chromeos/network/network_state.h"
 #include "chromeos/network/network_state_handler.h"
 #include "chromeos/network/network_ui_data.h"
 #include "chromeos/network/shill_property_util.h"
+#include "chromeos/tpm_token_loader.h"
 #include "dbus/object_path.h"
 #include "net/cert/x509_certificate.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 namespace chromeos {
 
 namespace {
 
 void InvokeErrorCallback(const std::string& service_path,
                          const network_handler::ErrorCallback& error_callback,
@@ skipping 149 matching lines @@
 }
 
 void NetworkConnectionHandler::OnCertificatesLoaded(
     const net::CertificateList& cert_list,
     bool initial_load) {
   certificates_loaded_ = true;
   NET_LOG_EVENT("Certificates Loaded", "");
   if (queued_connect_) {
     NET_LOG_EVENT("Connecting to Queued Network",
                   queued_connect_->service_path);
-    ConnectToNetwork(queued_connect_->service_path,
-                     queued_connect_->success_callback,
-                     queued_connect_->error_callback,
+    // Make a copy of |queued_connect_| parameters, because |queued_connect_|
+    // will get reset at the beginning of |ConnectToNetwork|.

[stevenjb, 2014/01/23 18:17:42]

Ugh. Subtle. Good catch, thanks.

+    std::string service_path = queued_connect_->service_path;
+    base::Closure success_callback = queued_connect_->success_callback;
+    network_handler::ErrorCallback error_callback =
+        queued_connect_->error_callback;
+
+    ConnectToNetwork(service_path, success_callback, error_callback,
                      false /* check_error_state */);
   } else if (initial_load) {
     // Once certificates have loaded, connect to the "best" available network.
     network_state_handler_->ConnectToBestWifiNetwork();
   }
 }
 
 void NetworkConnectionHandler::ConnectToNetwork(
     const std::string& service_path,
     const base::Closure& success_callback,
@@ skipping 210 matching lines @@
           return;
         }
         NET_LOG_EVENT("Connect Request Queued", service_path);
         queued_connect_.reset(new ConnectRequest(
             service_path, request->profile_path,
             request->success_callback, request->error_callback));
         pending_requests_.erase(service_path);
         return;
       }
 
-      pkcs11_id = CertificateIsConfigured(ui_data.get());
+      pkcs11_id = CertificateIsConfigured(ui_data.get(),
+                                          cert_loader_->cert_list());
       // Ensure the certificate is available and configured.
-      if (!cert_loader_->IsHardwareBacked() || pkcs11_id.empty()) {
+      if (!cert_loader_->is_hardware_backed() || pkcs11_id.empty()) {
         ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired);
         return;
       }
     } else if (check_error_state &&
                !client_cert::IsCertificateConfigured(client_cert_type,
                                                      service_properties)) {
       // Network may not be configured.
       ErrorCallbackForPendingRequest(service_path, kErrorConfigurationRequired);
       return;
     }
 
     // The network may not be 'Connectable' because the TPM properties are not
     // set up, so configure tpm slot/pin before connecting.
-    if (cert_loader_ && cert_loader_->IsHardwareBacked()) {
+    if (cert_loader_ && cert_loader_->is_hardware_backed()) {
+      std::string tpm_user_pin;
+      if (TPMTokenLoader::IsInitialized())

[stevenjb, 2014/01/23 18:17:42]

Again, can a cert be hardware backed and TPMTokenLoader not be initialized? If
this is only a problem in some tests, maybe we should have the tests create a
dummy TPMTokenLoader?

[tbarzic, 2014/01/23 19:18:37]

Done.

+        tpm_user_pin = TPMTokenLoader::Get()->tpm_user_pin();
       // Pass NULL if pkcs11_id is empty, so that it doesn't clear any
       // previously configured client cert.
       client_cert::SetShillProperties(
           client_cert_type,
           base::IntToString(cert_loader_->tpm_token_slot_id()),
-          cert_loader_->tpm_user_pin(),
+          tpm_user_pin,
           pkcs11_id.empty() ? NULL : &pkcs11_id,
           &config_properties);
     }
   }
 
   if (type == shill::kTypeVPN) {
     // VPN may require a username, and/or passphrase to be set. (Check after
     // ensuring that any required certificates are configured).
     DCHECK(provider_properties);
     if (VPNRequiresCredentials(
@@ skipping 154 matching lines @@
 }
 
 void NetworkConnectionHandler::CheckAllPendingRequests() {
   for (std::map<std::string, ConnectRequest>::iterator iter =
            pending_requests_.begin(); iter != pending_requests_.end(); ++iter) {
     CheckPendingRequest(iter->first);
   }
 }
 
 std::string NetworkConnectionHandler::CertificateIsConfigured(
-    NetworkUIData* ui_data) {
+    NetworkUIData* ui_data,
+    const net::CertificateList& cert_list) {
   if (ui_data->certificate_pattern().Empty())
     return std::string();
   // Find the matching certificate.
   scoped_refptr<net::X509Certificate> matching_cert =
-      client_cert::GetCertificateMatch(ui_data->certificate_pattern());
+      client_cert::GetCertificateMatch(ui_data->certificate_pattern(),
+                                       cert_list);
   if (!matching_cert.get())
     return std::string();
   return CertLoader::GetPkcs11IdForCert(*matching_cert.get());
 }
 
 void NetworkConnectionHandler::ErrorCallbackForPendingRequest(
     const std::string& service_path,
     const std::string& error_name) {
   ConnectRequest* request = GetPendingRequest(service_path);
   if (!request) {
@@ skipping 24 matching lines @@
 
 void NetworkConnectionHandler::HandleShillDisconnectSuccess(
     const std::string& service_path,
     const base::Closure& success_callback) {
   NET_LOG_EVENT("Disconnect Request Sent", service_path);
   if (!success_callback.is_null())
     success_callback.Run();
 }
 
 }  // namespace chromeos