OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CHROMEOS_CERT_LOADER_H_ | 5 #ifndef CHROMEOS_CERT_LOADER_H_ |
6 #define CHROMEOS_CERT_LOADER_H_ | 6 #define CHROMEOS_CERT_LOADER_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
11 #include "base/compiler_specific.h" | 11 #include "base/compiler_specific.h" |
12 #include "base/macros.h" | 12 #include "base/macros.h" |
13 #include "base/memory/ref_counted.h" | 13 #include "base/memory/ref_counted.h" |
14 #include "base/memory/weak_ptr.h" | 14 #include "base/memory/weak_ptr.h" |
15 #include "base/observer_list.h" | 15 #include "base/observer_list.h" |
16 #include "base/threading/thread_checker.h" | 16 #include "base/threading/thread_checker.h" |
17 #include "chromeos/chromeos_export.h" | 17 #include "chromeos/chromeos_export.h" |
18 #include "net/cert/cert_database.h" | 18 #include "net/cert/x509_certificate.h" |
19 | 19 |
20 namespace net { | 20 namespace net { |
21 class NSSCertDatabase; | 21 class NSSCertDatabase; |
22 class X509Certificate; | 22 class X509Certificate; |
emaxx
2017/05/11 14:36:53
nit: Not necessary now.
pmarko
2017/05/11 17:24:57
Done.
| |
23 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; | 23 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; |
24 } | 24 } |
25 | 25 |
26 namespace chromeos { | 26 namespace chromeos { |
27 | 27 |
28 // This class is responsible for loading certificates once the TPM is | 28 // This class is responsible for loading certificates once the TPM is |
29 // initialized. It is expected to be constructed on the UI thread and public | 29 // initialized. It is expected to be constructed on the UI thread and public |
30 // methods should all be called from the UI thread. | 30 // methods should all be called from the UI thread. |
31 // When certificates have been loaded (after login completes and tpm token is | 31 // When certificates have been loaded (after login completes and tpm token is |
32 // initialized), or the cert database changes, observers are called with | 32 // initialized), or the cert database changes, observers are called with |
33 // OnCertificatesLoaded(). | 33 // OnCertificatesLoaded(). |
34 class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer { | 34 // This class supports using one or two cert databases. The expected usage is |
35 // that CertLoader is used with a NSSCertDatabase backed by the system token | |
36 // before user sign-in, and additionally with a user-specific NSSCertDatabase | |
37 // after user sign-in. When both NSSCertDatabase are used, CertLoader combines | |
38 // certificates from both into |all_certs()|. | |
39 class CHROMEOS_EXPORT CertLoader { | |
35 public: | 40 public: |
36 class Observer { | 41 class Observer { |
37 public: | 42 public: |
38 // Called when the certificates, passed for convenience as |all_certs|, | 43 // Called when the certificates, passed for convenience as |all_certs|, |
39 // have completed loading. |initial_load| is true the first time this | 44 // have completed loading. |initial_load| is true the first time this |
40 // is called. | 45 // is called. It will be false if this is called because another slot has |
46 // been added to CertLoader's data sources. | |
41 virtual void OnCertificatesLoaded(const net::CertificateList& all_certs, | 47 virtual void OnCertificatesLoaded(const net::CertificateList& all_certs, |
42 bool initial_load) = 0; | 48 bool initial_load) = 0; |
43 | 49 |
44 protected: | 50 protected: |
45 virtual ~Observer() {} | 51 virtual ~Observer() {} |
46 }; | 52 }; |
47 | 53 |
48 // Sets the global instance. Must be called before any calls to Get(). | 54 // Sets the global instance. Must be called before any calls to Get(). |
49 static void Initialize(); | 55 static void Initialize(); |
50 | 56 |
51 // Destroys the global instance. | 57 // Destroys the global instance. |
52 static void Shutdown(); | 58 static void Shutdown(); |
53 | 59 |
54 // Gets the global instance. Initialize() must be called first. | 60 // Gets the global instance. Initialize() must be called first. |
55 static CertLoader* Get(); | 61 static CertLoader* Get(); |
56 | 62 |
57 // Returns true if the global instance has been initialized. | 63 // Returns true if the global instance has been initialized. |
58 static bool IsInitialized(); | 64 static bool IsInitialized(); |
59 | 65 |
60 // Returns the PKCS#11 attribute CKA_ID for a certificate as an upper-case | 66 // Returns the PKCS#11 attribute CKA_ID for a certificate as an upper-case |
61 // hex string and sets |slot_id| to the id of the containing slot, or returns | 67 // hex string and sets |slot_id| to the id of the containing slot, or returns |
62 // an empty string and doesn't modify |slot_id| if the PKCS#11 id could not be | 68 // an empty string and doesn't modify |slot_id| if the PKCS#11 id could not be |
63 // determined. | 69 // determined. |
64 static std::string GetPkcs11IdAndSlotForCert(const net::X509Certificate& cert, | 70 static std::string GetPkcs11IdAndSlotForCert(const net::X509Certificate& cert, |
65 int* slot_id); | 71 int* slot_id); |
66 | 72 |
67 // Starts the CertLoader with the NSS cert database. | 73 // Starts the CertLoader with the passed system NSS cert database. |
74 // The CertLoader will _not_ take ownership of the database - see comment on | |
75 // SetUserNSSDB. | |
76 // CertLoader supports working with only one database or with both (system and | |
77 // user) databases. | |
78 void SetSystemNSSDB(net::NSSCertDatabase* system_slot_database); | |
79 | |
80 // Starts the CertLoader with the passed user NSS cert database. | |
68 // The CertLoader will _not_ take the ownership of the database, but it | 81 // The CertLoader will _not_ take the ownership of the database, but it |
69 // expects it to stay alive at least until the shutdown starts on the main | 82 // expects it to stay alive at least until the shutdown starts on the main |
70 // thread. This assumes that |StartWithNSSDB| and other methods directly | 83 // thread. This assumes that SetUserNSSDB and other methods directly |
71 // using |database_| are not called during shutdown. | 84 // using |database_| are not called during shutdown. |
72 void StartWithNSSDB(net::NSSCertDatabase* database); | 85 // CertLoader supports working with only one database or with both (system and |
86 // user) databases. | |
87 void SetUserNSSDB(net::NSSCertDatabase* user_database); | |
73 | 88 |
74 void AddObserver(CertLoader::Observer* observer); | 89 void AddObserver(CertLoader::Observer* observer); |
75 void RemoveObserver(CertLoader::Observer* observer); | 90 void RemoveObserver(CertLoader::Observer* observer); |
76 | 91 |
77 // Returns true if |cert| is hardware backed. See also | 92 // Returns true if |cert| is hardware backed. See also |
78 // ForceHardwareBackedForTesting(). | 93 // ForceHardwareBackedForTesting(). |
79 static bool IsCertificateHardwareBacked(const net::X509Certificate* cert); | 94 static bool IsCertificateHardwareBacked(const net::X509Certificate* cert); |
80 | 95 |
81 // Returns true when the certificate list has been requested but not loaded. | 96 // Returns true when the certificate list has been requested but not loaded. |
82 bool CertificatesLoading() const; | 97 // When two databases are in use (SetSystemNSSDB and SetUserNSSDB have both |
98 // been called), this returns true when at least one of them is currently | |
99 // loading certificates. | |
100 // Note that this method poses an exception in the CertLoader interface: | |
101 // While most of CertLoader's interface treats the initial load of a second | |
102 // database the same way as an update in the first database, this method does | |
103 // not. The reason is that it's targeted at displaying a message in the GUI, | |
104 // so the user knows that (more) certificates will be available soon. | |
105 bool initial_load_of_any_database_running() const; | |
83 | 106 |
84 bool certificates_loaded() const { return certificates_loaded_; } | 107 // Returns true if any certificates have been loaded. If CertLoader uses a |
108 // system and a user NSS database, this returns true after the certificates | |
109 // from the first (usually system) database have been loaded. | |
110 bool initial_load_finished() const; | |
85 | 111 |
86 // Returns all certificates. This will be empty until certificates_loaded() is | 112 // Returns all certificates. This will be empty until certificates_loaded() is |
87 // true. | 113 // true. |
88 const net::CertificateList& all_certs() const { | 114 const net::CertificateList& all_certs() const { |
89 DCHECK(thread_checker_.CalledOnValidThread()); | 115 DCHECK(thread_checker_.CalledOnValidThread()); |
90 return *all_certs_; | 116 return *all_certs_; |
91 } | 117 } |
92 | 118 |
93 // Returns certificates from the system token. This will be empty until | 119 // Returns certificates from the system token. This will be empty until |
94 // certificates_loaded() is true. | 120 // certificates_loaded() is true. |
95 const net::CertificateList& system_certs() const { | 121 const net::CertificateList& system_certs() const { |
96 DCHECK(thread_checker_.CalledOnValidThread()); | 122 DCHECK(thread_checker_.CalledOnValidThread()); |
97 return *system_certs_; | 123 return *system_certs_; |
98 } | 124 } |
99 | 125 |
100 // Called in tests if |IsCertificateHardwareBacked()| should always return | 126 // Called in tests if |IsCertificateHardwareBacked()| should always return |
101 // true. | 127 // true. |
102 static void ForceHardwareBackedForTesting(); | 128 static void ForceHardwareBackedForTesting(); |
103 | 129 |
104 private: | 130 private: |
131 class CertCache; | |
132 | |
105 CertLoader(); | 133 CertLoader(); |
106 ~CertLoader() override; | 134 ~CertLoader(); |
107 | 135 |
108 // Trigger a certificate load. If a certificate loading task is already in | 136 // Called by |system_cert_cache_| or |user_cert_cache| when these had an |
109 // progress, will start a reload once the current task is finished. | 137 // update. |
110 void LoadCertificates(); | 138 void CacheUpdated(); |
111 | |
112 // Called when the underlying NSS database finished loading certificates. | |
113 void CertificatesLoaded(std::unique_ptr<net::CertificateList> all_certs); | |
114 | 139 |
115 // Called if a certificate load task is finished. | 140 // Called if a certificate load task is finished. |
116 void UpdateCertificates(std::unique_ptr<net::CertificateList> all_certs, | 141 void UpdateCertificates(std::unique_ptr<net::CertificateList> all_certs, |
117 std::unique_ptr<net::CertificateList> system_certs); | 142 std::unique_ptr<net::CertificateList> system_certs); |
118 | 143 |
119 void NotifyCertificatesLoaded(bool initial_load); | 144 void NotifyCertificatesLoaded(bool initial_load); |
120 | 145 |
121 // net::CertDatabase::Observer | 146 // True if the initial load of CertLoader is still pending. This is used to |
122 void OnCertDBChanged() override; | 147 // set the |initial_load| parameter when calling Observers. |
148 bool pending_initial_load_; | |
123 | 149 |
124 base::ObserverList<Observer> observers_; | 150 base::ObserverList<Observer> observers_; |
125 | 151 |
126 // Flags describing current CertLoader state. | 152 // Cache for certificates from the system-token NSSCertDatabase. |
127 bool certificates_loaded_; | 153 std::unique_ptr<CertCache> system_cert_cache_; |
128 bool certificates_update_required_; | 154 // Cache for certificates from the user-specific NSSCertDatabase. |
129 bool certificates_update_running_; | 155 std::unique_ptr<CertCache> user_cert_cache_; |
130 | 156 |
131 // The user-specific NSS certificate database from which the certificates | 157 // Cached certificates loaded from the database(s). |
132 // should be loaded. | |
133 net::NSSCertDatabase* database_; | |
134 | |
135 // Cached certificates loaded from the database. | |
136 std::unique_ptr<net::CertificateList> all_certs_; | 158 std::unique_ptr<net::CertificateList> all_certs_; |
137 | 159 |
138 // Cached certificates from system token. Currently this is a sublist of | 160 // Cached certificates from system token. |
139 // |all_certs_|. | |
140 std::unique_ptr<net::CertificateList> system_certs_; | 161 std::unique_ptr<net::CertificateList> system_certs_; |
141 | 162 |
142 base::ThreadChecker thread_checker_; | 163 base::ThreadChecker thread_checker_; |
143 | 164 |
144 base::WeakPtrFactory<CertLoader> weak_factory_; | 165 base::WeakPtrFactory<CertLoader> weak_factory_; |
145 | 166 |
146 DISALLOW_COPY_AND_ASSIGN(CertLoader); | 167 DISALLOW_COPY_AND_ASSIGN(CertLoader); |
147 }; | 168 }; |
148 | 169 |
149 } // namespace chromeos | 170 } // namespace chromeos |
150 | 171 |
151 #endif // CHROMEOS_CERT_LOADER_H_ | 172 #endif // CHROMEOS_CERT_LOADER_H_ |
OLD | NEW |