Use user specific NSSDatabase in CertLoader.

chromeos/cert_loader.h

Index: chromeos/cert_loader.h
diff --git a/chromeos/cert_loader.h b/chromeos/cert_loader.h
index 0ce661c10636460a81521cf3fdd93c0639b826f1..5fd27ea339988207b5453f883b1ac30823d0d2d8 100644
--- a/chromeos/cert_loader.h
+++ b/chromeos/cert_loader.h
@@ -13,7 +13,6 @@
 #include "base/observer_list.h"
 #include "base/threading/thread_checker.h"
 #include "chromeos/chromeos_export.h"
-#include "chromeos/tpm_token_loader.h"
 #include "net/cert/cert_database.h"
 
 namespace base {
@@ -21,6 +20,7 @@ class TaskRunner;
 }
 
 namespace net {
+class NSSCertDatabase;
 class X509Certificate;

[pneubeck (no reviews), 2014/01/24 13:18:02]

missing forward declaration of net::CertificateList

[tbarzic, 2014/01/25 00:26:27]

Done.

 }
 
@@ -32,14 +32,7 @@ namespace chromeos {
 // When certificates have been loaded (after login completes and tpm token is
 // initialized), or the cert database changes, observers are called with
 // OnCertificatesLoaded().
-// TODO(tbarzic): Remove direct dependency on TPMTokenLoader. The reason
-//     TPMTokenLoader has to be observed is to make sure singleton NSS DB is
-//     initialized before certificate loading starts. CertLoader should use
-//     (primary) user specific NSS DB, whose loading already takes this into
-//     account (crypto::GetPrivateSlotForChromeOSUser waits until TPM token is
-//     ready).
-class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
-                                   public TPMTokenLoader::Observer {
+class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer {
  public:
   class Observer {
    public:
@@ -66,16 +59,22 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
 
   static std::string GetPkcs11IdForCert(const net::X509Certificate& cert);
 
-  // Sets the task runner that any slow calls will be made from, e.g. calls
-  // to the NSS database. If not set, uses base::WorkerPool.
+  // Starts the CertLoader with the NSS cert database.
+  // The CertLoader will _not_ take the ownership of the database.
+  void StartWithNSSDB(net::NSSCertDatabase* database);
+
+   // Sets the task runner that any slow calls will be made from, e.g. calls

[pneubeck (no reviews), 2014/01/24 13:18:02]

nit: indentation

[tbarzic, 2014/01/25 00:26:27]

Done.

+   // to the NSS database. If not set, uses base::WorkerPool.
   void SetSlowTaskRunnerForTest(
       const scoped_refptr<base::TaskRunner>& task_runner);
 
   void AddObserver(CertLoader::Observer* observer);
   void RemoveObserver(CertLoader::Observer* observer);
 
-  // Returns true if the TPM is available for hardware-backed certificates.
-  bool IsHardwareBacked() const;
+  // Whether the certificate is hardware backed. Returns false if the CertLoader
+  // was not yet started (both |CertificatesLoading()| and
+  // |certificates_loaded()| are false).
+  bool IsCertificateHardwareBacked(const net::X509Certificate* cert) const;
 
   // Returns true when the certificate list has been requested but not loaded.
   bool CertificatesLoading() const;
@@ -85,20 +84,18 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
   // This will be empty until certificates_loaded() is true.
   const net::CertificateList& cert_list() const { return cert_list_; }
 
-  // Getters for cached TPM token info.
-  std::string tpm_user_pin() const { return tpm_user_pin_; }
-  std::string tpm_token_name() const { return tpm_token_name_; }
+  // Note that |is_hardware_backed()| will return false if the CertLoader was
+  // not started.
+  bool is_hardware_backed() const { return is_hardware_backed_; }
+  void set_hardware_backed_for_test() { hardware_backed_for_test_ = true; }
   int tpm_token_slot_id() const { return tpm_token_slot_id_; }
 
  private:
   CertLoader();
   virtual ~CertLoader();
 
-  // Starts certificate loading.
-  void RequestCertificates();
-
   // Trigger a certificate load. If a certificate loading task is already in
-  // progress, will start a reload once the current task finished.
+  // progress, will start a reload once the current task is finished.
   void LoadCertificates();
 
   // Called if a certificate load task is finished.
@@ -111,11 +108,6 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
   virtual void OnCertAdded(const net::X509Certificate* cert) OVERRIDE;
   virtual void OnCertRemoved(const net::X509Certificate* cert) OVERRIDE;
 
-  // chromeos::TPMTokenLoader::Observer
-  virtual void OnTPMTokenReady(const std::string& tpm_user_pin,
-                               const std::string& tpm_token_name,
-                               int tpm_token_slot_id) OVERRIDE;
-
   ObserverList<Observer> observers_;
 
   // Flags describing current CertLoader state.
@@ -124,17 +116,24 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
   bool certificates_update_required_;
   bool certificates_update_running_;
 
-  // Cached TPM token info. Set when the |OnTPMTokenReady| gets called.
-  std::string tpm_user_pin_;
-  std::string tpm_token_name_;
+  // The user-specific NSS certificate database from which the certificates
+  // should be loaded.
+  net::NSSCertDatabase* database_;
+
+  // The user NSS database's private slot id.
   int tpm_token_slot_id_;
 
-  // Cached Certificates.
+  // Whether |database_| is hardware backed.
+  bool is_hardware_backed_;
+  bool hardware_backed_for_test_;
+
+  // Cached Certificates loaded from the database.
   net::CertificateList cert_list_;
 
   base::ThreadChecker thread_checker_;
 
-  // TaskRunner for other slow tasks. May be set in tests.
+  // TaskRunner that, if set, replaces base::WorkerPool. Should only be set in
+  // tests.
   scoped_refptr<base::TaskRunner> slow_task_runner_for_test_;
 
   base::WeakPtrFactory<CertLoader> weak_factory_;