
Side by Side Diff: chromeos/cert_loader.cc

Issue 2828713002: Enable client certificate patterns in device ONC policy (Closed)
Patch Set: Rebase. Created 3 years, 8 months ago
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chromeos/cert_loader.h" 5 #include "chromeos/cert_loader.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <utility> 8 #include <utility>
9 9
10 #include "base/bind.h" 10 #include "base/bind.h"
(...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after
153 153
154 void CertLoader::UpdateCertificates( 154 void CertLoader::UpdateCertificates(
155 std::unique_ptr<net::CertificateList> cert_list) { 155 std::unique_ptr<net::CertificateList> cert_list) {
156 CHECK(thread_checker_.CalledOnValidThread()); 156 CHECK(thread_checker_.CalledOnValidThread());
157 DCHECK(certificates_update_running_); 157 DCHECK(certificates_update_running_);
158 VLOG(1) << "UpdateCertificates: " << cert_list->size(); 158 VLOG(1) << "UpdateCertificates: " << cert_list->size();
159 159
160 // Ignore any existing certificates. 160 // Ignore any existing certificates.
161 cert_list_ = std::move(cert_list); 161 cert_list_ = std::move(cert_list);
162 162
163 // Extract certificates which are in the system token into the
164 // system_cert_list_ sublist.
165 system_cert_list_.clear();
166 for (net::CertificateList::const_iterator it = cert_list_->begin();
emaxx 2017/04/20 20:10:39 nit: Use range-based for loop?
pmarko 2017/04/24 14:49:55 Done.
167 it != cert_list_->end(); ++it) {
168 const scoped_refptr<net::X509Certificate> cert = *it;
169
170 if (IsCertificateInSystemToken(cert.get())) {
emaxx 2017/04/20 20:10:39 Isn't it bad to call this function on the UI threa
pmarko 2017/04/24 14:49:55 Done. Offloaded to slow task runner, see new membe
171 system_cert_list_.push_back(cert);
172 }
173 }
174
163 bool initial_load = !certificates_loaded_; 175 bool initial_load = !certificates_loaded_;
164 certificates_loaded_ = true; 176 certificates_loaded_ = true;
165 NotifyCertificatesLoaded(initial_load); 177 NotifyCertificatesLoaded(initial_load);
166 178
167 certificates_update_running_ = false; 179 certificates_update_running_ = false;
168 if (certificates_update_required_) 180 if (certificates_update_required_)
169 LoadCertificates(); 181 LoadCertificates();
170 } 182 }
171 183
172 void CertLoader::NotifyCertificatesLoaded(bool initial_load) { 184 void CertLoader::NotifyCertificatesLoaded(bool initial_load) {
173 for (auto& observer : observers_) 185 for (auto& observer : observers_)
174 observer.OnCertificatesLoaded(*cert_list_, initial_load); 186 observer.OnCertificatesLoaded(*cert_list_, initial_load);
175 } 187 }
176 188
177 void CertLoader::OnCertDBChanged() { 189 void CertLoader::OnCertDBChanged() {
178 VLOG(1) << "OnCertDBChanged"; 190 VLOG(1) << "OnCertDBChanged";
179 LoadCertificates(); 191 LoadCertificates();
180 } 192 }
181 193
194 bool CertLoader::IsCertificateInSystemToken(const net::X509Certificate* cert) {
195 if (!database_->GetSystemSlot())
196 return false;
197
198 PK11SlotInfo* system_slot = database_->GetSystemSlot().get();
199
200 crypto::ScopedPK11SlotList slots_for_cert(
201 PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL));
202 if (!slots_for_cert)
203 return false;
204
205 for (PK11SlotListElement* slot_element =
206 PK11_GetFirstSafe(slots_for_cert.get());
207 slot_element; slot_element = PK11_GetNextSafe(slots_for_cert.get(),
208 slot_element, PR_FALSE)) {
209 if (slot_element->slot == system_slot)
210 return true;
emaxx 2017/04/20 20:10:39 I didn't look into the NSS sources to check, but c
pmarko 2017/04/24 14:49:55 You are right! I forgot and repeated bug 329104. D
211 }
212 return false;
213 }
214
182 } // namespace chromeos 215 } // namespace chromeos
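Review bot: In IsCertificateInSystemToken (new lines 195-198), `database_->GetSystemSlot().get()` takes a raw `PK11SlotInfo*` out of a temporary. If GetSystemSlot() returns a scoped slot handle by value, as the `.get()` and the bool test suggest, that handle drops its reference at the end of the statement. The comparison at new line 209 then relies on some other owner keeping the slot alive. Because the result decides which certificates land in `system_cert_list_`, hold the handle for the whole function and fetch it once: `crypto::ScopedPK11Slot system_slot = database_->GetSystemSlot();`, then `if (!system_slot) return false;`, and compare against `system_slot.get()`. Separately, `NULL` at new line 201 would read better as `nullptr`.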