Show extension provided certificates in chrome://settings/certificates

chrome/browser/certificate_manager_model.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/certificate_manager_model.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/i18n/time_formatting.h"
 #include "base/logging.h"
+#include "base/stl_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "build/build_config.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service_factory.h"
 #include "chrome/browser/net/nss_context.h"
 #include "chrome/browser/ui/crypto_module_password_dialog_nss.h"
 #include "chrome/common/net/x509_certificate_model.h"
 #include "chrome/grit/generated_resources.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/resource_context.h"
 #include "crypto/nss_util.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
@@ skipping 19 matching lines @@
 //                               CertificateManagerModel::DidGetCertDBOnIOThread
 //                                                         |
 //                                       crypto::IsTPMTokenEnabledForNSS
 //                  v--------------------------------------/
 // CertificateManagerModel::DidGetCertDBOnUIThread
 //                  |
 //     new CertificateManagerModel
 //                  |
 //               callback
 
+namespace {
+
+std::string GetCertificateOrg(net::X509Certificate* cert) {
+    std::string org;
+    if (!cert->subject().organization_names.empty())
+      org = cert->subject().organization_names[0];
+    if (org.empty())
+      org = cert->subject().GetDisplayName();
+
+    return org;
+}
+
+}  // namespace
+
 // static
 void CertificateManagerModel::Create(
     content::BrowserContext* browser_context,
     CertificateManagerModel::Observer* observer,
     const CreationCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   BrowserThread::PostTask(
       BrowserThread::IO,
       FROM_HERE,
       base::Bind(&CertificateManagerModel::GetCertDBOnIOThread,
                  browser_context->GetResourceContext(),
                  observer,
+                 browser_context,
                  callback));
 }
 
 CertificateManagerModel::CertificateManagerModel(
     net::NSSCertDatabase* nss_cert_database,
     bool is_user_db_available,
     bool is_tpm_available,
-    Observer* observer)
+    Observer* observer,
+    content::BrowserContext* browser_context)
     : cert_db_(nss_cert_database),
       is_user_db_available_(is_user_db_available),
       is_tpm_available_(is_tpm_available),
-      observer_(observer) {
+      observer_(observer),
+      weak_ptr_factory_(this) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+#if defined(OS_CHROMEOS)
+  chromeos::CertificateProviderService* service =
+      chromeos::CertificateProviderServiceFactory::GetForBrowserContext(
+          browser_context);

[mattm, 2016/09/06 22:41:04]

don't think browser_context is guaranteed to be valid here. I would do the
createCertificateProvider in CertificateManagerModel::Create and then pass it
through the calls instead of the BrowserContext.

[Ivan Šandrk, 2016/09/07 15:47:34]

Done.

+  certificate_provider_ = service->CreateCertificateProvider();
+#endif
 }
 
 CertificateManagerModel::~CertificateManagerModel() {
 }
 
 void CertificateManagerModel::Refresh() {
   DVLOG(1) << "refresh started";
   net::CryptoModuleList modules;
   cert_db_->ListModules(&modules, false);
   DVLOG(1) << "refresh waiting for unlocking...";
   chrome::UnlockSlotsIfNecessary(
       modules,
       chrome::kCryptoModulePasswordListCerts,
       net::HostPortPair(),  // unused.
       NULL, // TODO(mattm): supply parent window.
       base::Bind(&CertificateManagerModel::RefreshSlotsUnlocked,
                  base::Unretained(this)));
+
+#if defined(OS_CHROMEOS)
+  certificate_provider_->GetCertificates(base::Bind(
+      &CertificateManagerModel::RefreshExtensionCertificates,
+      weak_ptr_factory_.GetWeakPtr()));
+#endif
 }
 
 void CertificateManagerModel::RefreshSlotsUnlocked() {
   DVLOG(1) << "refresh listing certs...";
   // TODO(tbarzic): Use async |ListCerts|.
   cert_db_->ListCertsSync(&cert_list_);
   observer_->CertificatesRefreshed();
-  DVLOG(1) << "refresh finished";
+  DVLOG(1) << "refresh finished for platform provided certificates";
+}
+
+void CertificateManagerModel::RefreshExtensionCertificates(
+    const net::CertificateList& new_certs) {
+  extension_cert_list_ = new_certs;
+  observer_->CertificatesRefreshed();

[mattm, 2016/09/06 22:41:04]

a little worried about CertificatesRefreshed being called twice now. If both
happen quickly then it might just be jarring/inefficient, and if they happen
farther apart it could be more confusing (would seem like it was loaded, you
start doing stuff, but then more certs magically appear.)

[Ivan Šandrk, 2016/09/07 15:47:34]

The initial idea was to call it just once, but the problem is that extensions do
not always play nicely when returning a list of certificates. On a normal day
they take a couple of seconds to return the list, and if they misbehave they may
take up to 5 minutes (hard limit), and we don't want to block platform provided
certificates from showing in the list because of that. Note that extensions are
third-party software.

+  DVLOG(1) << "refresh finished for extension provided certificates";
 }
 
 void CertificateManagerModel::FilterAndBuildOrgGroupingMap(
     net::CertType filter_type,
     CertificateManagerModel::OrgGroupingMap* map) const {
   for (net::CertificateList::const_iterator i = cert_list_.begin();
        i != cert_list_.end(); ++i) {
     net::X509Certificate* cert = i->get();
     net::CertType type =
         x509_certificate_model::GetType(cert->os_cert_handle());
     if (type != filter_type)
       continue;
 
-    std::string org;
-    if (!cert->subject().organization_names.empty())
-      org = cert->subject().organization_names[0];
-    if (org.empty())
-      org = cert->subject().GetDisplayName();
+    std::string org = GetCertificateOrg(cert);
+    (*map)[org].push_back(cert);
+  }
 
-    (*map)[org].push_back(cert);
+  // Display extension provided certificates under the "Your Certificates" tab.
+  if (filter_type == net::USER_CERT) {
+    for (auto cert : extension_cert_list_) {
+      std::string org = GetCertificateOrg(cert.get());
+      (*map)[org].push_back(cert);
+    }
   }
 }
 
 base::string16 CertificateManagerModel::GetColumnText(
     const net::X509Certificate& cert,
     Column column) const {
   base::string16 rv;
   switch (column) {
     case COL_SUBJECT_NAME:
       rv = base::UTF8ToUTF16(
           x509_certificate_model::GetCertNameOrNickname(cert.os_cert_handle()));
 
+      // Mark extension provided certificates.
+      if (base::ContainsValue(extension_cert_list_, &cert)) {
+        rv = l10n_util::GetStringFUTF16(
+            IDS_CERT_MANAGER_EXTENSION_PROVIDED_FORMAT,
+            rv);
+      }
+
       // TODO(xiyuan): Put this into a column when we have js tree-table.
       if (IsHardwareBacked(&cert)) {
         rv = l10n_util::GetStringFUTF16(
             IDS_CERT_MANAGER_HARDWARE_BACKED_KEY_FORMAT,
             rv,
             l10n_util::GetStringUTF16(IDS_CERT_MANAGER_HARDWARE_BACKED));
       }
       break;
     case COL_CERTIFICATE_STORE:
       rv = base::UTF8ToUTF16(
@@ skipping 70 matching lines @@
     const net::X509Certificate* cert) const {
   return cert_db_->IsHardwareBacked(cert);
 }
 
 // static
 void CertificateManagerModel::DidGetCertDBOnUIThread(
     net::NSSCertDatabase* cert_db,
     bool is_user_db_available,
     bool is_tpm_available,
     CertificateManagerModel::Observer* observer,
+    content::BrowserContext* browser_context,
     const CreationCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
 
   std::unique_ptr<CertificateManagerModel> model(new CertificateManagerModel(
-      cert_db, is_user_db_available, is_tpm_available, observer));
+      cert_db, is_user_db_available, is_tpm_available, observer,
+      browser_context));
   callback.Run(std::move(model));
 }
 
 // static
 void CertificateManagerModel::DidGetCertDBOnIOThread(
     CertificateManagerModel::Observer* observer,
+    content::BrowserContext* browser_context,
     const CreationCallback& callback,
     net::NSSCertDatabase* cert_db) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
 
   bool is_user_db_available = !!cert_db->GetPublicSlot();
   bool is_tpm_available = false;
 #if defined(OS_CHROMEOS)
   is_tpm_available = crypto::IsTPMTokenEnabledForNSS();
 #endif
   BrowserThread::PostTask(
       BrowserThread::UI,
       FROM_HERE,
       base::Bind(&CertificateManagerModel::DidGetCertDBOnUIThread,
                  cert_db,
                  is_user_db_available,
                  is_tpm_available,
                  observer,
+                 browser_context,
                  callback));
 }
 
 // static
 void CertificateManagerModel::GetCertDBOnIOThread(
     content::ResourceContext* context,
     CertificateManagerModel::Observer* observer,
+    content::BrowserContext* browser_context,
     const CreationCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
   net::NSSCertDatabase* cert_db = GetNSSCertDatabaseForResourceContext(
       context,
       base::Bind(&CertificateManagerModel::DidGetCertDBOnIOThread,
                  observer,
+                 browser_context,
                  callback));
+
   if (cert_db)
-    DidGetCertDBOnIOThread(observer, callback, cert_db);
+    DidGetCertDBOnIOThread(observer, browser_context, callback, cert_db);
 }