| Index: chromeos/cert_loader.h
|
| diff --git a/chromeos/cert_loader.h b/chromeos/cert_loader.h
|
| index 0ce661c10636460a81521cf3fdd93c0639b826f1..5f9e623d6742fdb3ece8e4a62aebd36f4c9db278 100644
|
| --- a/chromeos/cert_loader.h
|
| +++ b/chromeos/cert_loader.h
|
| @@ -13,7 +13,6 @@
|
| #include "base/observer_list.h"
|
| #include "base/threading/thread_checker.h"
|
| #include "chromeos/chromeos_export.h"
|
| -#include "chromeos/tpm_token_loader.h"
|
| #include "net/cert/cert_database.h"
|
|
|
| namespace base {
|
| @@ -21,6 +20,7 @@ class TaskRunner;
|
| }
|
|
|
| namespace net {
|
| +class NSSCertDatabaseChromeOS;
|
| class X509Certificate;
|
| }
|
|
|
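Review bot: `base::SequencedTaskRunner` is used by the new `SetCryptoTaskRunner()` declaration and the `crypto_task_runner_` member in later hunks, but the only forward declaration visible for `namespace base` is `class TaskRunner;` (the context in this hunk's header). This commit also drops the `chromeos/tpm_token_loader.h` include, which may have been supplying the name transitively. Unless a header above line 13, outside the visible diff, already provides it, add `class SequencedTaskRunner;` next to `class TaskRunner;` so the header does not depend on include order. It is also worth confirming that `base/memory/scoped_ptr.h` is included for the new `scoped_ptr<net::NSSCertDatabaseChromeOS>` member.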
| @@ -32,14 +32,7 @@ namespace chromeos {
|
| // When certificates have been loaded (after login completes and tpm token is
|
| // initialized), or the cert database changes, observers are called with
|
| // OnCertificatesLoaded().
|
| -// TODO(tbarzic): Remove direct dependency on TPMTokenLoader. The reason
|
| -// TPMTokenLoader has to be observed is to make sure singleton NSS DB is
|
| -// initialized before certificate loading starts. CertLoader should use
|
| -// (primary) user specific NSS DB, whose loading already takes this into
|
| -// account (crypto::GetPrivateSlotForChromeOSUser waits until TPM token is
|
| -// ready).
|
| -class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
|
| - public TPMTokenLoader::Observer {
|
| +class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer {
|
| public:
|
| class Observer {
|
| public:
|
| @@ -66,6 +59,22 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
|
|
|
| static std::string GetPkcs11IdForCert(const net::X509Certificate& cert);
|
|
|
| + // Starts the CertLoader with the user. It requests a user's NSS cert
|
| + // database instance, and once it gets it, it starts loading certificates from
|
| + // it. The database can be requested before TPM token is ready, but it will
|
| + // not be returned before that. It may be called only once.
|
| + // InitForUser must not be called before crypto::InitializeNSSForChromeOSUser
|
| + // is called for the user.
|
| + void StartWithUser(const std::string& userhash);
|
| +
|
| + // |crypto_task_runner| is the task runner that any synchronous crypto calls
|
| + // should be made from, e.g. in Chrome this is the IO thread. Must be called
|
| + // after the thread is started. CertLoader uses the task runner only for
|
| + // creating its NSS cert database instance. The actual calls to the database
|
| + // are done on the base::WorkerPool.
|
| + void SetCryptoTaskRunner(
|
| + const scoped_refptr<base::SequencedTaskRunner>& crypto_task_runner);
|
| +
|
| // Sets the task runner that any slow calls will be made from, e.g. calls
|
| // to the NSS database. If not set, uses base::WorkerPool.
|
| void SetSlowTaskRunnerForTest(
|
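Review bot: The comment on `StartWithUser()` ends with `InitForUser must not be called before crypto::InitializeNSSForChromeOSUser`, naming a method that does not appear in this header; it should read `StartWithUser must not be called before ...`. The two new entry points also leave their ordering unstated: nothing says whether `SetCryptoTaskRunner()` has to run before `StartWithUser()`, or what happens if the database is requested with no crypto task runner set. Since the loader binds to one `userhash` and "may be called only once", the comment should say which user is expected (presumably the primary user) and how a second call is handled. If that is the intended contract, a line such as `// Calling this twice, or before SetCryptoTaskRunner(), is a programming error.` would make it explicit.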
| @@ -74,8 +83,9 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
|
| void AddObserver(CertLoader::Observer* observer);
|
| void RemoveObserver(CertLoader::Observer* observer);
|
|
|
| - // Returns true if the TPM is available for hardware-backed certificates.
|
| - bool IsHardwareBacked() const;
|
| + // Whether |cert| belongs to the CertLoader's NSS database's private slot.
|
| + // Returns false if certificates are not yet loaded.
|
| + bool IsCertificateInPrivateSlot(const net::X509Certificate& cert) const;
|
|
|
| // Returns true when the certificate list has been requested but not loaded.
|
| bool CertificatesLoading() const;
|
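Review bot: `IsCertificateInPrivateSlot()` returns false both when the certificate is outside the private slot and when certificates have not been loaded yet, so a caller cannot tell "no" from "not known yet". Callers that use the answer for a policy decision, such as whether a key may be treated as device-bound, should be told to check `certificates_loaded()` first, for example `// Callers must check certificates_loaded() before relying on a false result.` The method replaces `IsHardwareBacked()`, but the two questions differ: a private slot is presumably hardware backed only when the TPM token is in use. The comment should state that slot membership alone does not imply hardware protection.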
| @@ -85,20 +95,25 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
|
| // This will be empty until certificates_loaded() is true.
|
| const net::CertificateList& cert_list() const { return cert_list_; }
|
|
|
| - // Getters for cached TPM token info.
|
| - std::string tpm_user_pin() const { return tpm_user_pin_; }
|
| - std::string tpm_token_name() const { return tpm_token_name_; }
|
| + // Note that |is_hardware_backed()| may give false negatives if
|
| + // |certificates_loaded()| is false.
|
| + bool is_hardware_backed() const { return is_hardware_backed_; }
|
| + void set_hardware_backed_for_test() { hardware_backed_for_test_ = true; }
|
| int tpm_token_slot_id() const { return tpm_token_slot_id_; }
|
|
|
| private:
|
| CertLoader();
|
| virtual ~CertLoader();
|
|
|
| - // Starts certificate loading.
|
| + // Starts the loader. It initiates loading of the user's NSS database.
|
| void RequestCertificates();
|
|
|
| + // Callback for user's NSS database loading. It caches user's TPM token info,
|
| + // starts observing net::CertDatabse and triggers initial certificate load.
|
| + void OnDatabaseReady(scoped_ptr<net::NSSCertDatabaseChromeOS> database);
|
| +
|
| // Trigger a certificate load. If a certificate loading task is already in
|
| - // progress, will start a reload once the current task finished.
|
| + // progress, will start a reload once the current task is finished.
|
| void LoadCertificates();
|
|
|
| // Called if a certificate load task is finished.
|
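Review bot: `set_hardware_backed_for_test()` sets `hardware_backed_for_test_`, while `is_hardware_backed()` returns `is_hardware_backed_`, so as declared here the test override is not visible through the getter. Whether it takes effect depends on code in the .cc file that folds one flag into the other, which is outside this diff. Either have the getter honour the override, `return hardware_backed_for_test_ || is_hardware_backed_;`, or document on the `hardware_backed_for_test_` member (last hunk, currently uncommented) when it is applied. The "false negatives" caveat matters to callers deciding whether a key is TPM-protected, so the comment should name the safe pattern: check `certificates_loaded()` before trusting a false value. Minor: the `OnDatabaseReady()` comment spells `net::CertDatabse`; it should be `net::CertDatabase`.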
| @@ -111,11 +126,6 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
|
| virtual void OnCertAdded(const net::X509Certificate* cert) OVERRIDE;
|
| virtual void OnCertRemoved(const net::X509Certificate* cert) OVERRIDE;
|
|
|
| - // chromeos::TPMTokenLoader::Observer
|
| - virtual void OnTPMTokenReady(const std::string& tpm_user_pin,
|
| - const std::string& tpm_token_name,
|
| - int tpm_token_slot_id) OVERRIDE;
|
| -
|
| ObserverList<Observer> observers_;
|
|
|
| // Flags describing current CertLoader state.
|
| @@ -124,17 +134,31 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
|
| bool certificates_update_required_;
|
| bool certificates_update_running_;
|
|
|
| - // Cached TPM token info. Set when the |OnTPMTokenReady| gets called.
|
| - std::string tpm_user_pin_;
|
| - std::string tpm_token_name_;
|
| + // The username hash for the user the CertLoader is bound to.
|
| + std::string userhash_;
|
| +
|
| + // The user-specific NSS certificate database from which the certificates
|
| + // should be loaded. The database is loaded on crypto_task_runner_.
|
| + scoped_ptr<net::NSSCertDatabaseChromeOS> database_;
|
| +
|
| + // The user NSS database's private slot id.
|
| int tpm_token_slot_id_;
|
|
|
| - // Cached Certificates.
|
| + // Whether |database_| is hardware backed. The value is not guaranteed to be
|
| + // correct before |certificates_loaded()| is true.
|
| + bool is_hardware_backed_;
|
| + bool hardware_backed_for_test_;
|
| +
|
| + // Cached Certificates loaded from the database.
|
| net::CertificateList cert_list_;
|
|
|
| base::ThreadChecker thread_checker_;
|
|
|
| - // TaskRunner for other slow tasks. May be set in tests.
|
| + // TaskRunner for NSS database loading.
|
| + scoped_refptr<base::SequencedTaskRunner> crypto_task_runner_;
|
| +
|
| + // TaskRunner that, if set, replaces base::WorkerPool. Should only be set in
|
| + // tests.
|
| scoped_refptr<base::TaskRunner> slow_task_runner_for_test_;
|
|
|
| base::WeakPtrFactory<CertLoader> weak_factory_;
|
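Review bot: The comment on `database_` says the database is loaded on `crypto_task_runner_`, and the `SetCryptoTaskRunner()` comment says the actual database calls run on `base::WorkerPool`, but nothing states what keeps the `scoped_ptr`-owned object alive while a worker task is still using it. If worker tasks receive a raw pointer to `*database_` (not visible in this header), the member comment should record the lifetime rule, for example `// Owned here; worker-pool tasks borrow it and must finish before CertLoader is destroyed.` if that is the contract. The new scalar members `is_hardware_backed_` and `hardware_backed_for_test_` also need initial values in the constructor, which is in the .cc file and outside this diff. An uninitialised `is_hardware_backed_` would be returned by `is_hardware_backed()` before the first load completes.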
|
|