Chromium Code Reviews Chromium Code Reviews
Issue 135193007:
Use user specific NSSDatabase in CertLoader. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chromeos/cert_loader.h" | 5 #include "chromeos/cert_loader.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| 11 #include "base/sequenced_task_runner.h" | |
| 11 #include "base/strings/string_number_conversions.h" | 12 #include "base/strings/string_number_conversions.h" |
| 12 #include "base/task_runner_util.h" | 13 #include "base/task_runner_util.h" |
| 13 #include "base/threading/worker_pool.h" | 14 #include "base/threading/worker_pool.h" |
| 14 #include "crypto/nss_util.h" | 15 #include "crypto/nss_util.h" |
| 15 #include "net/cert/nss_cert_database.h" | 16 #include "net/cert/nss_cert_database.h" |
| 17 #include "net/cert/nss_cert_database_chromeos.h" | |
| 16 #include "net/cert/x509_certificate.h" | 18 #include "net/cert/x509_certificate.h" |
| 17 | 19 |
| 18 namespace chromeos { | 20 namespace chromeos { |
| 19 | 21 |
| 20 namespace { | 22 namespace { |
| 21 | 23 |
| 22 // Loads certificates from |cert_database| into |cert_list|. | 24 // Loads certificates from |cert_database| into |cert_list|. |
| 23 void LoadNSSCertificates(net::NSSCertDatabase* cert_database, | 25 void LoadNSSCertificates(net::NSSCertDatabase* cert_database, |
| 24 net::CertificateList* cert_list) { | 26 net::CertificateList* cert_list) { |
| 25 cert_database->ListCerts(cert_list); | 27 cert_database->ListCerts(cert_list); |
| (...skipping 21 matching lines...) Expand all Loading... | |
| 47 CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()"; | 49 CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()"; |
| 48 return g_cert_loader; | 50 return g_cert_loader; |
| 49 } | 51 } |
| 50 | 52 |
| 51 // static | 53 // static |
| 52 bool CertLoader::IsInitialized() { | 54 bool CertLoader::IsInitialized() { |
| 53 return g_cert_loader; | 55 return g_cert_loader; |
| 54 } | 56 } |
| 55 | 57 |
| 56 CertLoader::CertLoader() | 58 CertLoader::CertLoader() |
| 57 : certificates_requested_(false), | 59 : certificates_loaded_(false), |
| 58 certificates_loaded_(false), | |
| 59 certificates_update_required_(false), | 60 certificates_update_required_(false), |
| 60 certificates_update_running_(false), | 61 certificates_update_running_(false), |
| 61 tpm_token_slot_id_(-1), | 62 database_(NULL), |
| 63 force_hardware_backed_for_test_(false), | |
| 62 weak_factory_(this) { | 64 weak_factory_(this) { |
| 63 if (TPMTokenLoader::IsInitialized()) | 65 } |
| 64 TPMTokenLoader::Get()->AddObserver(this); | 66 |
| 67 CertLoader::~CertLoader() { | |
| 68 net::CertDatabase::GetInstance()->RemoveObserver(this); | |
| 69 } | |
| 70 | |
| 71 void CertLoader::StartWithNSSDB(net::NSSCertDatabase* database) { | |
| 72 CHECK(!database_); | |
| 73 database_ = database; | |
| 74 | |
| 75 // Start observing cert database for changes. | |
| 76 net::CertDatabase::GetInstance()->AddObserver(this); | |
|
pneubeck (no reviews)
2014/01/27 08:23:24
oh. shouldn't this be
database->AddObserver(this
tbarzic
2014/01/27 20:26:12
added a comment about this.
| |
| 77 | |
| 78 LoadCertificates(); | |
| 65 } | 79 } |
| 66 | 80 |
| 67 void CertLoader::SetSlowTaskRunnerForTest( | 81 void CertLoader::SetSlowTaskRunnerForTest( |
| 68 const scoped_refptr<base::TaskRunner>& task_runner) { | 82 const scoped_refptr<base::TaskRunner>& task_runner) { |
| 69 slow_task_runner_for_test_ = task_runner; | 83 slow_task_runner_for_test_ = task_runner; |
| 70 } | 84 } |
| 71 | 85 |
| 72 CertLoader::~CertLoader() { | |
| 73 net::CertDatabase::GetInstance()->RemoveObserver(this); | |
| 74 if (TPMTokenLoader::IsInitialized()) | |
| 75 TPMTokenLoader::Get()->RemoveObserver(this); | |
| 76 } | |
| 77 | |
| 78 void CertLoader::AddObserver(CertLoader::Observer* observer) { | 86 void CertLoader::AddObserver(CertLoader::Observer* observer) { |
| 79 observers_.AddObserver(observer); | 87 observers_.AddObserver(observer); |
| 80 } | 88 } |
| 81 | 89 |
| 82 void CertLoader::RemoveObserver(CertLoader::Observer* observer) { | 90 void CertLoader::RemoveObserver(CertLoader::Observer* observer) { |
| 83 observers_.RemoveObserver(observer); | 91 observers_.RemoveObserver(observer); |
| 84 } | 92 } |
| 85 | 93 |
| 94 int CertLoader::TPMTokenSlotID() const { | |
| 95 if (!database_) | |
| 96 return -1; | |
| 97 return static_cast<int>(PK11_GetSlotID(database_->GetPrivateSlot().get())); | |
| 98 } | |
| 99 | |
| 86 bool CertLoader::IsHardwareBacked() const { | 100 bool CertLoader::IsHardwareBacked() const { |
| 87 return !tpm_token_name_.empty(); | 101 return force_hardware_backed_for_test_ || |
| 102 (database_ && PK11_IsHW(database_->GetPrivateSlot().get())); | |
| 103 } | |
| 104 | |
| 105 bool CertLoader::IsCertificateHardwareBacked( | |
| 106 const net::X509Certificate* cert) const { | |
| 107 if (!database_) | |
| 108 return false; | |
| 109 return database_->IsHardwareBacked(cert); | |
| 88 } | 110 } |
| 89 | 111 |
| 90 bool CertLoader::CertificatesLoading() const { | 112 bool CertLoader::CertificatesLoading() const { |
| 91 return certificates_requested_ && !certificates_loaded_; | 113 return database_ && !certificates_loaded_; |
| 92 } | 114 } |
| 93 | 115 |
| 94 // This is copied from chrome/common/net/x509_certificate_model_nss.cc. | 116 // This is copied from chrome/common/net/x509_certificate_model_nss.cc. |
| 95 // For background see this discussion on dev-tech-crypto.lists.mozilla.org: | 117 // For background see this discussion on dev-tech-crypto.lists.mozilla.org: |
| 96 // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX | 118 // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX |
| 97 // | 119 // |
| 98 // NOTE: This function relies on the convention that the same PKCS#11 ID | 120 // NOTE: This function relies on the convention that the same PKCS#11 ID |
| 99 // is shared between a certificate and its associated private and public | 121 // is shared between a certificate and its associated private and public |
| 100 // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(), | 122 // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(), |
| 101 // but that always returns NULL on Chrome OS for me. | 123 // but that always returns NULL on Chrome OS for me. |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 113 std::string pkcs11_id; | 135 std::string pkcs11_id; |
| 114 if (sec_item) { | 136 if (sec_item) { |
| 115 pkcs11_id = base::HexEncode(sec_item->data, sec_item->len); | 137 pkcs11_id = base::HexEncode(sec_item->data, sec_item->len); |
| 116 SECITEM_FreeItem(sec_item, PR_TRUE); | 138 SECITEM_FreeItem(sec_item, PR_TRUE); |
| 117 } | 139 } |
| 118 SECKEY_DestroyPrivateKey(priv_key); | 140 SECKEY_DestroyPrivateKey(priv_key); |
| 119 | 141 |
| 120 return pkcs11_id; | 142 return pkcs11_id; |
| 121 } | 143 } |
| 122 | 144 |
| 123 void CertLoader::RequestCertificates() { | |
| 124 if (certificates_requested_) | |
| 125 return; | |
| 126 certificates_requested_ = true; | |
| 127 | |
| 128 DCHECK(!certificates_loaded_ && !certificates_update_running_); | |
| 129 net::CertDatabase::GetInstance()->AddObserver(this); | |
| 130 LoadCertificates(); | |
| 131 } | |
| 132 | |
| 133 void CertLoader::LoadCertificates() { | 145 void CertLoader::LoadCertificates() { |
| 134 CHECK(thread_checker_.CalledOnValidThread()); | 146 CHECK(thread_checker_.CalledOnValidThread()); |
| 135 VLOG(1) << "LoadCertificates: " << certificates_update_running_; | 147 VLOG(1) << "LoadCertificates: " << certificates_update_running_; |
| 136 | 148 |
| 137 if (certificates_update_running_) { | 149 if (certificates_update_running_) { |
| 138 certificates_update_required_ = true; | 150 certificates_update_required_ = true; |
| 139 return; | 151 return; |
| 140 } | 152 } |
| 141 | 153 |
| 142 net::CertificateList* cert_list = new net::CertificateList; | 154 net::CertificateList* cert_list = new net::CertificateList; |
| 143 certificates_update_running_ = true; | 155 certificates_update_running_ = true; |
| 144 certificates_update_required_ = false; | 156 certificates_update_required_ = false; |
| 145 | 157 |
| 146 base::TaskRunner* task_runner = slow_task_runner_for_test_.get(); | 158 base::TaskRunner* task_runner = slow_task_runner_for_test_.get(); |
| 147 if (!task_runner) | 159 if (!task_runner) |
| 148 task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */); | 160 task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */); |
| 149 task_runner->PostTaskAndReply( | 161 task_runner->PostTaskAndReply( |
| 150 FROM_HERE, | 162 FROM_HERE, |
| 151 base::Bind(LoadNSSCertificates, | 163 base::Bind(LoadNSSCertificates, |
| 152 net::NSSCertDatabase::GetInstance(), | 164 // Create a copy of the database so it can be used on the |
| 165 // worker pool. | |
| 166 // TODO(tbarzic): Make net::NSSCertDatabase::ListCerts async | |
| 167 // and change it to do the certificate listing on worker | |
| 168 // pool. | |
| 169 base::Owned(new net::NSSCertDatabaseChromeOS( | |
| 170 database_->GetPublicSlot(), | |
| 171 database_->GetPrivateSlot())), | |
| 153 cert_list), | 172 cert_list), |
| 154 base::Bind(&CertLoader::UpdateCertificates, | 173 base::Bind(&CertLoader::UpdateCertificates, |
| 155 weak_factory_.GetWeakPtr(), | 174 weak_factory_.GetWeakPtr(), |
| 156 base::Owned(cert_list))); | 175 base::Owned(cert_list))); |
| 157 } | 176 } |
| 158 | 177 |
| 159 void CertLoader::UpdateCertificates(net::CertificateList* cert_list) { | 178 void CertLoader::UpdateCertificates(net::CertificateList* cert_list) { |
| 160 CHECK(thread_checker_.CalledOnValidThread()); | 179 CHECK(thread_checker_.CalledOnValidThread()); |
| 161 DCHECK(certificates_update_running_); | 180 DCHECK(certificates_update_running_); |
| 162 VLOG(1) << "UpdateCertificates: " << cert_list->size(); | 181 VLOG(1) << "UpdateCertificates: " << cert_list->size(); |
| (...skipping 25 matching lines...) Expand all Loading... | |
| 188 // This is triggered when a client certificate is added. | 207 // This is triggered when a client certificate is added. |
| 189 VLOG(1) << "OnCertAdded"; | 208 VLOG(1) << "OnCertAdded"; |
| 190 LoadCertificates(); | 209 LoadCertificates(); |
| 191 } | 210 } |
| 192 | 211 |
| 193 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) { | 212 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) { |
| 194 VLOG(1) << "OnCertRemoved"; | 213 VLOG(1) << "OnCertRemoved"; |
| 195 LoadCertificates(); | 214 LoadCertificates(); |
| 196 } | 215 } |
| 197 | 216 |
| 198 void CertLoader::OnTPMTokenReady(const std::string& tpm_user_pin, | |
| 199 const std::string& tpm_token_name, | |
| 200 int tpm_token_slot_id) { | |
| 201 tpm_user_pin_ = tpm_user_pin; | |
| 202 tpm_token_name_ = tpm_token_name; | |
| 203 tpm_token_slot_id_ = tpm_token_slot_id; | |
| 204 | |
| 205 VLOG(1) << "TPM token ready."; | |
| 206 RequestCertificates(); | |
| 207 } | |
| 208 | |
| 209 } // namespace chromeos | 217 } // namespace chromeos |
| OLD | NEW |
