OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chromeos/network/cert_loader.h" |
| 6 |
| 7 #include <algorithm> |
| 8 |
| 9 #include "base/chromeos/chromeos_version.h" |
| 10 #include "base/observer_list_threadsafe.h" |
| 11 #include "base/task_runner_util.h" |
| 12 #include "base/threading/worker_pool.h" |
| 13 #include "chromeos/dbus/cryptohome_client.h" |
| 14 #include "chromeos/dbus/dbus_thread_manager.h" |
| 15 #include "crypto/encryptor.h" |
| 16 #include "crypto/nss_util.h" |
| 17 #include "crypto/sha2.h" |
| 18 #include "crypto/symmetric_key.h" |
| 19 #include "net/cert/nss_cert_database.h" |
| 20 |
| 21 namespace chromeos { |
| 22 |
| 23 namespace { |
| 24 |
| 25 // Delay between certificate requests while waiting for TPM/PKCS#11 init. |
| 26 const int kRequestDelayMs = 500; |
| 27 |
| 28 net::CertificateList* LoadNSSCertificates() { |
| 29 net::CertificateList* cert_list(new net::CertificateList()); |
| 30 net::NSSCertDatabase::GetInstance()->ListCerts(cert_list); |
| 31 return cert_list; |
| 32 } |
| 33 |
| 34 } // namespace |
| 35 |
| 36 static CertLoader* g_cert_loader = NULL; |
| 37 |
| 38 // static |
| 39 void CertLoader::Initialize() { |
| 40 CHECK(!g_cert_loader); |
| 41 g_cert_loader = new CertLoader(); |
| 42 } |
| 43 |
| 44 // static |
| 45 void CertLoader::Shutdown() { |
| 46 CHECK(g_cert_loader); |
| 47 delete g_cert_loader; |
| 48 g_cert_loader = NULL; |
| 49 } |
| 50 |
| 51 // static |
| 52 CertLoader* CertLoader::Get() { |
| 53 CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()"; |
| 54 return g_cert_loader; |
| 55 } |
| 56 |
| 57 CertLoader::CertLoader() |
| 58 : observer_list_(new ObserverList), |
| 59 tpm_token_ready_(false), |
| 60 certificates_requested_(false), |
| 61 certificates_loaded_(false), |
| 62 key_store_loaded_(false), |
| 63 ALLOW_THIS_IN_INITIALIZER_LIST(weak_ptr_factory_(this)) { |
| 64 net::CertDatabase::GetInstance()->AddObserver(this); |
| 65 LoginState::Get()->AddObserver(this); |
| 66 if (LoginState::Get()->IsUserLoggedIn()) |
| 67 RequestCertificates(); |
| 68 } |
| 69 |
| 70 CertLoader::~CertLoader() { |
| 71 DCHECK(request_task_.is_null()); |
| 72 net::CertDatabase::GetInstance()->RemoveObserver(this); |
| 73 LoginState::Get()->RemoveObserver(this); |
| 74 } |
| 75 |
| 76 void CertLoader::AddObserver(CertLoader::Observer* observer) { |
| 77 observer_list_->AddObserver(observer); |
| 78 } |
| 79 |
| 80 void CertLoader::RemoveObserver(CertLoader::Observer* observer) { |
| 81 observer_list_->RemoveObserver(observer); |
| 82 } |
| 83 |
| 84 bool CertLoader::RequestCertificates() { |
| 85 VLOG(1) << "RequestCertificates: " << LoginState::Get()->IsUserLoggedIn(); |
| 86 if (!LoginState::Get()->IsUserLoggedIn()) |
| 87 return false; |
| 88 |
| 89 if (!key_store_loaded_) { |
| 90 // Ensure we've opened the real user's key/certificate database. |
| 91 crypto::OpenPersistentNSSDB(); |
| 92 |
| 93 if (base::chromeos::IsRunningOnChromeOS()) |
| 94 crypto::EnableTPMTokenForNSS(); |
| 95 |
| 96 key_store_loaded_ = true; |
| 97 } |
| 98 |
| 99 certificates_requested_ = true; |
| 100 |
| 101 VLOG(1) << "Requesting Certificates."; |
| 102 DBusThreadManager::Get()->GetCryptohomeClient()->TpmIsEnabled( |
| 103 base::Bind(&CertLoader::OnTpmIsEnabled, |
| 104 weak_ptr_factory_.GetWeakPtr())); |
| 105 |
| 106 return true; |
| 107 } |
| 108 |
| 109 bool CertLoader::CertificatesLoading() const { |
| 110 return certificates_requested_ && !certificates_loaded_; |
| 111 } |
| 112 |
| 113 bool CertLoader::IsHardwareBacked() const { |
| 114 return !tpm_token_name_.empty(); |
| 115 } |
| 116 |
| 117 // private methods |
| 118 |
| 119 void CertLoader::OnTpmIsEnabled(DBusMethodCallStatus call_status, |
| 120 bool tpm_is_enabled) { |
| 121 VLOG(1) << "OnTpmIsEnabled: " << tpm_is_enabled; |
| 122 if (call_status != DBUS_METHOD_CALL_SUCCESS || !tpm_is_enabled) { |
| 123 // TPM is not enabled, so proceed with empty tpm token name. |
| 124 VLOG(1) << "TPM not available."; |
| 125 StartLoadCertificates(); |
| 126 } else if (tpm_token_ready_) { |
| 127 InitializeTPMToken(); |
| 128 } else { |
| 129 DBusThreadManager::Get()->GetCryptohomeClient()->Pkcs11IsTpmTokenReady( |
| 130 base::Bind(&CertLoader::OnPkcs11IsTpmTokenReady, |
| 131 weak_ptr_factory_.GetWeakPtr())); |
| 132 } |
| 133 } |
| 134 |
| 135 void CertLoader::OnPkcs11IsTpmTokenReady(DBusMethodCallStatus call_status, |
| 136 bool is_tpm_token_ready) { |
| 137 VLOG(1) << "OnPkcs11IsTpmTokenReady: " << is_tpm_token_ready; |
| 138 if (call_status != DBUS_METHOD_CALL_SUCCESS || !is_tpm_token_ready) { |
| 139 MaybeRetryRequestCertificates(); |
| 140 return; |
| 141 } |
| 142 |
| 143 // Retrieve token_name_ and user_pin_ here since they will never change |
| 144 // and CryptohomeClient calls are not thread safe. |
| 145 DBusThreadManager::Get()->GetCryptohomeClient()->Pkcs11GetTpmTokenInfo( |
| 146 base::Bind(&CertLoader::OnPkcs11GetTpmTokenInfo, |
| 147 weak_ptr_factory_.GetWeakPtr())); |
| 148 } |
| 149 |
| 150 void CertLoader::OnPkcs11GetTpmTokenInfo(DBusMethodCallStatus call_status, |
| 151 const std::string& token_name, |
| 152 const std::string& user_pin) { |
| 153 VLOG(1) << "OnPkcs11GetTpmTokenInfo: " << token_name; |
| 154 if (call_status != DBUS_METHOD_CALL_SUCCESS) { |
| 155 MaybeRetryRequestCertificates(); |
| 156 return; |
| 157 } |
| 158 tpm_token_name_ = token_name; |
| 159 tpm_user_pin_ = user_pin; |
| 160 tpm_token_ready_ = true; |
| 161 |
| 162 InitializeTPMToken(); |
| 163 } |
| 164 |
| 165 void CertLoader::InitializeTPMToken() { |
| 166 VLOG(1) << "InitializeTPMToken"; |
| 167 if (!crypto::InitializeTPMToken(tpm_token_name_, tpm_user_pin_)) { |
| 168 MaybeRetryRequestCertificates(); |
| 169 return; |
| 170 } |
| 171 StartLoadCertificates(); |
| 172 } |
| 173 |
| 174 void CertLoader::StartLoadCertificates() { |
| 175 VLOG(1) << "Start Load Certificates"; |
| 176 base::PostTaskAndReplyWithResult( |
| 177 base::WorkerPool::GetTaskRunner(true /* task_is_slow */), |
| 178 FROM_HERE, |
| 179 base::Bind(LoadNSSCertificates), |
| 180 base::Bind(&CertLoader::UpdateCertificates, |
| 181 weak_ptr_factory_.GetWeakPtr())); |
| 182 } |
| 183 |
| 184 void CertLoader::UpdateCertificates(net::CertificateList* cert_list) { |
| 185 DCHECK(cert_list); |
| 186 VLOG(1) << "Update Certificates: " << cert_list->size(); |
| 187 |
| 188 // Clear any existing certificates. |
| 189 cert_list_ = *cert_list; // Copy vector |
| 190 |
| 191 // cert_list is constructed in LoadCertificates. |
| 192 delete cert_list; |
| 193 |
| 194 // Set loaded state and notify observers. |
| 195 if (!certificates_loaded_) { |
| 196 certificates_loaded_ = true; |
| 197 NotifyCertificatesLoaded(true); |
| 198 } else { |
| 199 NotifyCertificatesLoaded(false); |
| 200 } |
| 201 } |
| 202 |
| 203 void CertLoader::MaybeRetryRequestCertificates() { |
| 204 if (!request_task_.is_null()) |
| 205 return; |
| 206 |
| 207 // Cryptohome does not notify us when the token is ready, so call |
| 208 // this again after a delay. |
| 209 request_task_ = base::Bind(&CertLoader::RequestCertificatesTask, |
| 210 weak_ptr_factory_.GetWeakPtr()); |
| 211 MessageLoop::current()->PostDelayedTask( |
| 212 FROM_HERE, |
| 213 request_task_, |
| 214 base::TimeDelta::FromMilliseconds(kRequestDelayMs)); |
| 215 } |
| 216 |
| 217 void CertLoader::RequestCertificatesTask() { |
| 218 // Reset the task to the initial state so is_null() returns true. |
| 219 request_task_.Reset(); |
| 220 RequestCertificates(); |
| 221 } |
| 222 |
| 223 void CertLoader::NotifyCertificatesLoaded(bool initial_load) { |
| 224 observer_list_->Notify( |
| 225 &CertLoader::Observer::OnCertificatesLoaded, cert_list_, initial_load); |
| 226 } |
| 227 |
| 228 void CertLoader::OnCertTrustChanged(const net::X509Certificate* cert) { |
| 229 } |
| 230 |
| 231 void CertLoader::OnCertAdded(const net::X509Certificate* cert) { |
| 232 // Only load certificates if we have completed an initial request. |
| 233 if (!certificates_loaded_) |
| 234 return; |
| 235 StartLoadCertificates(); |
| 236 } |
| 237 |
| 238 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) { |
| 239 // Only load certificates if we have completed an initial request. |
| 240 if (!certificates_loaded_) |
| 241 return; |
| 242 StartLoadCertificates(); |
| 243 } |
| 244 |
| 245 void CertLoader::LoggedInStateChanged(LoginState::LoggedInState state) { |
| 246 VLOG(1) << "LoggedInStateChanged: " << state; |
| 247 if (LoginState::Get()->IsUserLoggedIn() && !certificates_requested_) |
| 248 RequestCertificates(); |
| 249 } |
| 250 |
| 251 } // namespace chromeos |
OLD | NEW |