Show extension provided certificates in chrome://settings/certificates

chrome/browser/certificate_manager_model.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/certificate_manager_model.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/i18n/time_formatting.h"
 #include "base/logging.h"
+#include "base/stl_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "build/build_config.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service_factory.h"
 #include "chrome/browser/net/nss_context.h"
 #include "chrome/browser/ui/crypto_module_password_dialog_nss.h"
 #include "chrome/common/net/x509_certificate_model.h"
 #include "chrome/grit/generated_resources.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/resource_context.h"
 #include "crypto/nss_util.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
@@ skipping 19 matching lines @@
 //                               CertificateManagerModel::DidGetCertDBOnIOThread
 //                                                         |
 //                                       crypto::IsTPMTokenEnabledForNSS
 //                  v--------------------------------------/
 // CertificateManagerModel::DidGetCertDBOnUIThread
 //                  |
 //     new CertificateManagerModel
 //                  |
 //               callback
 
+namespace {
+
+std::string GetCertificateOrg(net::X509Certificate* cert) {
+    std::string org;
+    if (!cert->subject().organization_names.empty())
+      org = cert->subject().organization_names[0];
+    if (org.empty())
+      org = cert->subject().GetDisplayName();
+
+    return org;
+}
+
+}  // namespace
+
 // static
 void CertificateManagerModel::Create(
     content::BrowserContext* browser_context,
     CertificateManagerModel::Observer* observer,
     const CreationCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  std::unique_ptr<chromeos::CertificateProvider> extension_certificate_provider;
+#if defined(OS_CHROMEOS)
+  chromeos::CertificateProviderService* service =
+      chromeos::CertificateProviderServiceFactory::GetForBrowserContext(
+          browser_context);
+  extension_certificate_provider = service->CreateCertificateProvider();
+#endif
+
   BrowserThread::PostTask(
       BrowserThread::IO,
       FROM_HERE,
       base::Bind(&CertificateManagerModel::GetCertDBOnIOThread,
                  browser_context->GetResourceContext(),
                  observer,
+                 base::Passed(&extension_certificate_provider),
                  callback));
 }
 
 CertificateManagerModel::CertificateManagerModel(
     net::NSSCertDatabase* nss_cert_database,
     bool is_user_db_available,
     bool is_tpm_available,
-    Observer* observer)
+    Observer* observer,
+    std::unique_ptr<chromeos::CertificateProvider>
+        extension_certificate_provider)
     : cert_db_(nss_cert_database),
       is_user_db_available_(is_user_db_available),
       is_tpm_available_(is_tpm_available),
-      observer_(observer) {
+      observer_(observer),
+      extension_certificate_provider_(std::move(
+                                          extension_certificate_provider)),
+      weak_ptr_factory_(this) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
 }
 
 CertificateManagerModel::~CertificateManagerModel() {
 }
 
 void CertificateManagerModel::Refresh() {
   DVLOG(1) << "refresh started";
   net::CryptoModuleList modules;
   cert_db_->ListModules(&modules, false);
   DVLOG(1) << "refresh waiting for unlocking...";
   chrome::UnlockSlotsIfNecessary(
       modules,
       chrome::kCryptoModulePasswordListCerts,
       net::HostPortPair(),  // unused.
       NULL, // TODO(mattm): supply parent window.
       base::Bind(&CertificateManagerModel::RefreshSlotsUnlocked,
                  base::Unretained(this)));
+
+#if defined(OS_CHROMEOS)
+  extension_certificate_provider_->GetCertificates(base::Bind(
+      &CertificateManagerModel::RefreshExtensionCertificates,
+      weak_ptr_factory_.GetWeakPtr()));
+#endif
 }
 
 void CertificateManagerModel::RefreshSlotsUnlocked() {
   DVLOG(1) << "refresh listing certs...";
   // TODO(tbarzic): Use async |ListCerts|.
   cert_db_->ListCertsSync(&cert_list_);
   observer_->CertificatesRefreshed();
-  DVLOG(1) << "refresh finished";
+  DVLOG(1) << "refresh finished for platform provided certificates";
+}
+
+void CertificateManagerModel::RefreshExtensionCertificates(
+    const net::CertificateList& new_certs) {
+  extension_cert_list_ = new_certs;
+  observer_->CertificatesRefreshed();
+  DVLOG(1) << "refresh finished for extension provided certificates";
 }
 
 void CertificateManagerModel::FilterAndBuildOrgGroupingMap(
     net::CertType filter_type,
     CertificateManagerModel::OrgGroupingMap* map) const {
   for (net::CertificateList::const_iterator i = cert_list_.begin();
        i != cert_list_.end(); ++i) {
     net::X509Certificate* cert = i->get();
     net::CertType type =
         x509_certificate_model::GetType(cert->os_cert_handle());
     if (type != filter_type)
       continue;
 
-    std::string org;
-    if (!cert->subject().organization_names.empty())
-      org = cert->subject().organization_names[0];
-    if (org.empty())
-      org = cert->subject().GetDisplayName();
+    std::string org = GetCertificateOrg(cert);
+    (*map)[org].push_back(cert);
+  }
 
-    (*map)[org].push_back(cert);
+  // Display extension provided certificates under the "Your Certificates" tab.
+  if (filter_type == net::USER_CERT) {
+    for (auto cert : extension_cert_list_) {

[Lei Zhang, 2016/09/22 17:13:03]

auto& ?

[Ivan Šandrk, 2016/09/22 17:28:09]

extension_cert_list_ is a std::vector<scoped_refptr<X509Certificate>>, so a cert
here would be scoped_refptr<...>. I don't know about best practices, is it good
to also make it "auto&"? Maybe that avoids creation of a new scoped_refptr and
is therefore faster. Sound logic?

[Lei Zhang, 2016/09/22 17:32:19]

I generally do const auto& or auto& unless:

a) it's a pointer, then auto*
b) it's POD, then auto

+      std::string org = GetCertificateOrg(cert.get());
+      (*map)[org].push_back(cert);
+    }
   }
 }
 
 base::string16 CertificateManagerModel::GetColumnText(
     const net::X509Certificate& cert,
     Column column) const {
   base::string16 rv;
   switch (column) {
     case COL_SUBJECT_NAME:
       rv = base::UTF8ToUTF16(
           x509_certificate_model::GetCertNameOrNickname(cert.os_cert_handle()));
 
+      // Mark extension provided certificates.
+      if (base::ContainsValue(extension_cert_list_, &cert)) {
+        rv = l10n_util::GetStringFUTF16(
+            IDS_CERT_MANAGER_EXTENSION_PROVIDED_FORMAT,
+            rv);
+      }

[Lei Zhang, 2016/09/22 17:13:03]

should the next if statement be an "else if" now?

[Ivan Šandrk, 2016/09/22 17:28:09]

You are right, if the first if is true then the second one cannot be true. I
guess another good practice I need to learn.

+
       // TODO(xiyuan): Put this into a column when we have js tree-table.
       if (IsHardwareBacked(&cert)) {
         rv = l10n_util::GetStringFUTF16(
             IDS_CERT_MANAGER_HARDWARE_BACKED_KEY_FORMAT,
             rv,
             l10n_util::GetStringUTF16(IDS_CERT_MANAGER_HARDWARE_BACKED));
       }
       break;
     case COL_CERTIFICATE_STORE:
       rv = base::UTF8ToUTF16(
@@ skipping 70 matching lines @@
     const net::X509Certificate* cert) const {
   return cert_db_->IsHardwareBacked(cert);
 }
 
 // static
 void CertificateManagerModel::DidGetCertDBOnUIThread(
     net::NSSCertDatabase* cert_db,
     bool is_user_db_available,
     bool is_tpm_available,
     CertificateManagerModel::Observer* observer,
+    std::unique_ptr<chromeos::CertificateProvider>
+        extension_certificate_provider,
     const CreationCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
 
   std::unique_ptr<CertificateManagerModel> model(new CertificateManagerModel(
-      cert_db, is_user_db_available, is_tpm_available, observer));
+      cert_db, is_user_db_available, is_tpm_available, observer,
+      std::move(extension_certificate_provider)));
   callback.Run(std::move(model));
 }
 
 // static
 void CertificateManagerModel::DidGetCertDBOnIOThread(
     CertificateManagerModel::Observer* observer,
+    std::unique_ptr<chromeos::CertificateProvider>
+        extension_certificate_provider,
     const CreationCallback& callback,
     net::NSSCertDatabase* cert_db) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
 
   bool is_user_db_available = !!cert_db->GetPublicSlot();
   bool is_tpm_available = false;
 #if defined(OS_CHROMEOS)
   is_tpm_available = crypto::IsTPMTokenEnabledForNSS();
 #endif
   BrowserThread::PostTask(
       BrowserThread::UI,
       FROM_HERE,
       base::Bind(&CertificateManagerModel::DidGetCertDBOnUIThread,
                  cert_db,
                  is_user_db_available,
                  is_tpm_available,
                  observer,
+                 base::Passed(&extension_certificate_provider),
                  callback));
 }
 
 // static
 void CertificateManagerModel::GetCertDBOnIOThread(
     content::ResourceContext* context,
     CertificateManagerModel::Observer* observer,
+    std::unique_ptr<chromeos::CertificateProvider>
+        extension_certificate_provider,
     const CreationCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  auto did_get_cert_db_callback = base::Bind(
+      &CertificateManagerModel::DidGetCertDBOnIOThread, observer,
+      base::Passed(&extension_certificate_provider), callback);
+
   net::NSSCertDatabase* cert_db = GetNSSCertDatabaseForResourceContext(
-      context,
-      base::Bind(&CertificateManagerModel::DidGetCertDBOnIOThread,
-                 observer,
-                 callback));
+      context, did_get_cert_db_callback);
+
+  // The callback is run here instead of the actual function call because of
+  // extension_certificate_provider ownership semantics, ie. ownership can only
+  // be released once. The callback will only be run once (either inside the
+  // function above or here).
   if (cert_db)
-    DidGetCertDBOnIOThread(observer, callback, cert_db);
+    did_get_cert_db_callback.Run(cert_db);
 }