Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(93)

Side by Side Diff: chromeos/network/cert_loader.cc

Issue 14522013: Separate cert loading code from CertLibrary and move to src/chromeos (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix browser tests Created 7 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
(Empty)
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chromeos/network/cert_loader.h"
6
7 #include <algorithm>
8
9 #include "base/chromeos/chromeos_version.h"
10 #include "base/observer_list_threadsafe.h"
11 #include "base/task_runner_util.h"
12 #include "base/threading/worker_pool.h"
13 #include "chromeos/dbus/cryptohome_client.h"
14 #include "chromeos/dbus/dbus_thread_manager.h"
15 #include "crypto/encryptor.h"
16 #include "crypto/nss_util.h"
17 #include "crypto/sha2.h"
18 #include "crypto/symmetric_key.h"
19 #include "net/cert/nss_cert_database.h"
20
21 namespace chromeos {
22
23 namespace {
24
25 // Delay between certificate requests while waiting for TPM/PKCS#11 init.
26 const int kRequestDelayMs = 500;
27
28 net::CertificateList* LoadNSSCertificates() {
29 net::CertificateList* cert_list(new net::CertificateList());
30 net::NSSCertDatabase::GetInstance()->ListCerts(cert_list);
31 return cert_list;
32 }
33
34 } // namespace
35
36 static CertLoader* g_cert_loader = NULL;
37
38 // static
39 void CertLoader::Initialize() {
40 CHECK(!g_cert_loader);
41 g_cert_loader = new CertLoader();
42 }
43
44 // static
45 void CertLoader::Shutdown() {
46 CHECK(g_cert_loader);
47 delete g_cert_loader;
48 g_cert_loader = NULL;
49 }
50
51 // static
52 CertLoader* CertLoader::Get() {
53 CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()";
54 return g_cert_loader;
55 }
56
57 CertLoader::CertLoader()
58 : observer_list_(new ObserverList),
59 tpm_token_ready_(false),
60 certificates_requested_(false),
61 certificates_loaded_(false),
62 key_store_loaded_(false),
63 ALLOW_THIS_IN_INITIALIZER_LIST(weak_ptr_factory_(this)) {
64 net::CertDatabase::GetInstance()->AddObserver(this);
65 LoginState::Get()->AddObserver(this);
66 if (LoginState::Get()->IsUserLoggedIn())
67 RequestCertificates();
68 }
69
70 CertLoader::~CertLoader() {
71 DCHECK(request_task_.is_null());
72 net::CertDatabase::GetInstance()->RemoveObserver(this);
73 LoginState::Get()->RemoveObserver(this);
74 }
75
76 void CertLoader::AddObserver(CertLoader::Observer* observer) {
77 observer_list_->AddObserver(observer);
78 }
79
80 void CertLoader::RemoveObserver(CertLoader::Observer* observer) {
81 observer_list_->RemoveObserver(observer);
82 }
83
84 bool CertLoader::RequestCertificates() {
85 VLOG(1) << "RequestCertificates: " << LoginState::Get()->IsUserLoggedIn();
86 if (!LoginState::Get()->IsUserLoggedIn())
87 return false;
88
89 if (!key_store_loaded_) {
90 // Ensure we've opened the real user's key/certificate database.
91 crypto::OpenPersistentNSSDB();
92
93 if (base::chromeos::IsRunningOnChromeOS())
94 crypto::EnableTPMTokenForNSS();
95
96 key_store_loaded_ = true;
97 }
98
99 certificates_requested_ = true;
100
101 VLOG(1) << "Requesting Certificates.";
102 DBusThreadManager::Get()->GetCryptohomeClient()->TpmIsEnabled(
103 base::Bind(&CertLoader::OnTpmIsEnabled,
104 weak_ptr_factory_.GetWeakPtr()));
105
106 return true;
107 }
108
109 bool CertLoader::CertificatesLoading() const {
110 return certificates_requested_ && !certificates_loaded_;
111 }
112
113 bool CertLoader::IsHardwareBacked() const {
114 return !tpm_token_name_.empty();
115 }
116
117 // private methods
118
119 void CertLoader::OnTpmIsEnabled(DBusMethodCallStatus call_status,
120 bool tpm_is_enabled) {
121 VLOG(1) << "OnTpmIsEnabled: " << tpm_is_enabled;
122 if (call_status != DBUS_METHOD_CALL_SUCCESS || !tpm_is_enabled) {
123 // TPM is not enabled, so proceed with empty tpm token name.
124 VLOG(1) << "TPM not available.";
125 StartLoadCertificates();
126 } else if (tpm_token_ready_) {
127 InitializeTPMToken();
128 } else {
129 DBusThreadManager::Get()->GetCryptohomeClient()->Pkcs11IsTpmTokenReady(
130 base::Bind(&CertLoader::OnPkcs11IsTpmTokenReady,
131 weak_ptr_factory_.GetWeakPtr()));
132 }
133 }
134
135 void CertLoader::OnPkcs11IsTpmTokenReady(DBusMethodCallStatus call_status,
136 bool is_tpm_token_ready) {
137 VLOG(1) << "OnPkcs11IsTpmTokenReady: " << is_tpm_token_ready;
138 if (call_status != DBUS_METHOD_CALL_SUCCESS || !is_tpm_token_ready) {
139 MaybeRetryRequestCertificates();
140 return;
141 }
142
143 // Retrieve token_name_ and user_pin_ here since they will never change
144 // and CryptohomeClient calls are not thread safe.
145 DBusThreadManager::Get()->GetCryptohomeClient()->Pkcs11GetTpmTokenInfo(
146 base::Bind(&CertLoader::OnPkcs11GetTpmTokenInfo,
147 weak_ptr_factory_.GetWeakPtr()));
148 }
149
150 void CertLoader::OnPkcs11GetTpmTokenInfo(DBusMethodCallStatus call_status,
151 const std::string& token_name,
152 const std::string& user_pin) {
153 VLOG(1) << "OnPkcs11GetTpmTokenInfo: " << token_name;
154 if (call_status != DBUS_METHOD_CALL_SUCCESS) {
155 MaybeRetryRequestCertificates();
156 return;
157 }
158 tpm_token_name_ = token_name;
159 tpm_user_pin_ = user_pin;
160 tpm_token_ready_ = true;
161
162 InitializeTPMToken();
163 }
164
165 void CertLoader::InitializeTPMToken() {
166 VLOG(1) << "InitializeTPMToken";
167 if (!crypto::InitializeTPMToken(tpm_token_name_, tpm_user_pin_)) {
168 MaybeRetryRequestCertificates();
169 return;
170 }
171 StartLoadCertificates();
172 }
173
174 void CertLoader::StartLoadCertificates() {
175 VLOG(1) << "Start Load Certificates";
176 base::PostTaskAndReplyWithResult(
177 base::WorkerPool::GetTaskRunner(true /* task_is_slow */),
178 FROM_HERE,
179 base::Bind(LoadNSSCertificates),
180 base::Bind(&CertLoader::UpdateCertificates,
181 weak_ptr_factory_.GetWeakPtr()));
182 }
183
184 void CertLoader::UpdateCertificates(net::CertificateList* cert_list) {
185 DCHECK(cert_list);
186 VLOG(1) << "Update Certificates: " << cert_list->size();
187
188 // Clear any existing certificates.
189 cert_list_ = *cert_list; // Copy vector
190
191 // cert_list is constructed in LoadCertificates.
192 delete cert_list;
193
194 // Set loaded state and notify observers.
195 if (!certificates_loaded_) {
196 certificates_loaded_ = true;
197 NotifyCertificatesLoaded(true);
198 } else {
199 NotifyCertificatesLoaded(false);
200 }
201 }
202
203 void CertLoader::MaybeRetryRequestCertificates() {
204 if (!request_task_.is_null())
205 return;
206
207 // Cryptohome does not notify us when the token is ready, so call
208 // this again after a delay.
209 request_task_ = base::Bind(&CertLoader::RequestCertificatesTask,
210 weak_ptr_factory_.GetWeakPtr());
211 MessageLoop::current()->PostDelayedTask(
212 FROM_HERE,
213 request_task_,
214 base::TimeDelta::FromMilliseconds(kRequestDelayMs));
215 }
216
217 void CertLoader::RequestCertificatesTask() {
218 // Reset the task to the initial state so is_null() returns true.
219 request_task_.Reset();
220 RequestCertificates();
221 }
222
223 void CertLoader::NotifyCertificatesLoaded(bool initial_load) {
224 observer_list_->Notify(
225 &CertLoader::Observer::OnCertificatesLoaded, cert_list_, initial_load);
226 }
227
228 void CertLoader::OnCertTrustChanged(const net::X509Certificate* cert) {
229 }
230
231 void CertLoader::OnCertAdded(const net::X509Certificate* cert) {
232 // Only load certificates if we have completed an initial request.
233 if (!certificates_loaded_)
234 return;
235 StartLoadCertificates();
236 }
237
238 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) {
239 // Only load certificates if we have completed an initial request.
240 if (!certificates_loaded_)
241 return;
242 StartLoadCertificates();
243 }
244
245 void CertLoader::LoggedInStateChanged(LoginState::LoggedInState state) {
246 VLOG(1) << "LoggedInStateChanged: " << state;
247 if (LoginState::Get()->IsUserLoggedIn() && !certificates_requested_)
248 RequestCertificates();
249 }
250
251 } // namespace chromeos
OLDNEW
« chromeos/network/cert_loader.h ('K') | « chromeos/network/cert_loader.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698