Enable device-wide EAP-TLS networks

chrome/browser/chromeos/chrome_browser_main_chromeos.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/chrome_browser_main_chromeos.h"
 
 #include <stddef.h>
 
 #include <string>
 #include <utility>
 #include <vector>
 
 #include "ash/shell.h"
 #include "ash/sticky_keys/sticky_keys_controller.h"
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/files/file_util.h"
 #include "base/lazy_instance.h"
 #include "base/linux_util.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
+#include "base/memory/weak_ptr.h"
 #include "base/path_service.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
 #include "base/sys_info.h"
 #include "base/task_scheduler/post_task.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_process_platform_part_chromeos.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/chromeos/accessibility/accessibility_manager.h"
 #include "chrome/browser/chromeos/accessibility/magnification_manager.h"
@@ skipping 106 matching lines @@
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
 #include "components/user_manager/user_names.h"
 #include "components/version_info/version_info.h"
 #include "components/wallpaper/wallpaper_manager_base.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/media_capture_devices.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/main_function_params.h"
+#include "crypto/nss_util_internal.h"
+#include "crypto/scoped_nss_types.h"
 #include "dbus/object_path.h"
 #include "device/bluetooth/bluetooth_adapter_factory.h"
 #include "device/bluetooth/dbus/bluez_dbus_manager.h"
 #include "media/audio/sounds/sounds_manager.h"
 #include "net/base/network_change_notifier.h"
+#include "net/cert/nss_cert_database.h"
+#include "net/cert/nss_cert_database_chromeos.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "printing/backend/print_backend.h"
 #include "rlz/features/features.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 #include "ui/base/ime/chromeos/ime_keyboard.h"
 #include "ui/base/ime/chromeos/input_method_manager.h"
 #include "ui/base/touch/touch_device.h"
 #include "ui/chromeos/events/event_rewriter_chromeos.h"
 #include "ui/chromeos/events/pref_names.h"
@@ skipping 194 matching lines @@
   std::unique_ptr<CrosDBusService> cros_dbus_service_;
 
   std::unique_ptr<CrosDBusService> proxy_resolution_service_;
   std::unique_ptr<CrosDBusService> kiosk_info_service_;
 
   std::unique_ptr<NetworkConnectDelegateChromeOS> network_connect_delegate_;
 
   DISALLOW_COPY_AND_ASSIGN(DBusServices);
 };
 
+// Initializes a global NSSCertDatabase for the system token and starts
+// CertLoader with that database. Note that this is triggered from
+// PreMainMessageLoopRun, which is executed after PostMainMessageLoopStart,
+// where CertLoader is initialized. We can thus assume that CertLoader is
+// initialized.
+class SystemTokenCertDBInitializer {
+ public:
+  SystemTokenCertDBInitializer() : weak_ptr_factory_(this) {}
+  ~SystemTokenCertDBInitializer() {}
+
+  // Entry point, called on UI thread.
+  void Initialize() {
+    content::BrowserThread::PostTask(
+        content::BrowserThread::IO, FROM_HERE,
+        base::BindOnce(&SystemTokenCertDBInitializer::GetSystemSlotOnIOThread,
+                       weak_ptr_factory_.GetWeakPtr()));
+  }
+
+ private:
+  // Called on IO Thread, initiates retrieval of system slot.
+  void GetSystemSlotOnIOThread() {
+    auto callback =
+        base::Bind(&SystemTokenCertDBInitializer::GotSystemSlotOnIOThread,

[stevenjb, 2017/05/11 18:25:35]

nit: BindRepeating?

[pmarko, 2017/05/11 21:01:46]

Done.

+                   weak_ptr_factory_.GetWeakPtr());
+    crypto::ScopedPK11Slot system_nss_slot =
+        crypto::GetSystemNSSKeySlot(callback);
+    if (system_nss_slot) {
+      callback.Run(std::move(system_nss_slot));
+    }
+  }
+
+  // Called on IO Thread when the system slot has been retrieved.
+  void GotSystemSlotOnIOThread(crypto::ScopedPK11Slot system_slot) {
+    content::BrowserThread::PostTask(
+        content::BrowserThread::UI, FROM_HERE,
+        base::BindOnce(&SystemTokenCertDBInitializer::InitializeDatabase,
+                       weak_ptr_factory_.GetWeakPtr(), std::move(system_slot)));
+  }
+
+  // Initializes the global system token NSSCertDatabase with |system_slot|.
+  // Also starts CertLoader with the system token database.
+  void InitializeDatabase(crypto::ScopedPK11Slot system_slot) {
+    // Currently, NSSCertDatabase requires a public slot to be set, so we use
+    // the system slot there. We also want GetSystemSlot() to return the system
+    // slot. As ScopedPK11Slot is actually a unique_ptr which will be moved into
+    // the NSSCertDatabase, we need to create a copy, referencing the same slot
+    // (using PK11_ReferenceSlot).
+    crypto::ScopedPK11Slot system_slot_copy =
+        crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_slot.get()));
+    auto database = base::MakeUnique<net::NSSCertDatabaseChromeOS>(
+        std::move(system_slot) /* public_slot */,
+        crypto::ScopedPK11Slot() /* private_slot */);
+    database->SetSystemSlot(std::move(system_slot_copy));
+    system_token_cert_database_ = std::move(database);
+
+    CertLoader::Get()->SetSystemNSSDB(system_token_cert_database_.get());
+  }
+
+  // Global NSSCertDatabase which sees the system token.
+  std::unique_ptr<net::NSSCertDatabase> system_token_cert_database_;
+
+  base::WeakPtrFactory<SystemTokenCertDBInitializer> weak_ptr_factory_;
+};
+
 }  //  namespace internal
 
 // ChromeBrowserMainPartsChromeos ----------------------------------------------
 
 ChromeBrowserMainPartsChromeos::ChromeBrowserMainPartsChromeos(
     const content::MainFunctionParams& parameters)
     : ChromeBrowserMainPartsLinux(parameters) {
 }
 
 ChromeBrowserMainPartsChromeos::~ChromeBrowserMainPartsChromeos() {
@@ skipping 85 matching lines @@
 }
 
 // Threads are initialized between MainMessageLoopStart and MainMessageLoopRun.
 // about_flags settings are applied in ChromeBrowserMainParts::PreCreateThreads.
 void ChromeBrowserMainPartsChromeos::PreMainMessageLoopRun() {
   // Set the crypto thread after the IO thread has been created/started.
   TPMTokenLoader::Get()->SetCryptoTaskRunner(
       content::BrowserThread::GetTaskRunnerForThread(
           content::BrowserThread::IO));
 
+  // Initialize NSS database for system token.
+  TPMTokenLoader::Get()->EnsureStarted();
+  system_token_certdb_initializer_ =
+      base::MakeUnique<internal::SystemTokenCertDBInitializer>();
+  system_token_certdb_initializer_->Initialize();
+
   CrasAudioHandler::Initialize(
       new AudioDevicesPrefHandlerImpl(g_browser_process->local_state()));
 
   content::MediaCaptureDevices::GetInstance()->AddVideoCaptureObserver(
       CrasAudioHandler::Get());
 
   quirks::QuirksManager::Initialize(
       std::unique_ptr<quirks::QuirksManager::Delegate>(
           new quirks::QuirksManagerDelegateImpl()),
       content::BrowserThread::GetBlockingPool(),
@@ skipping 509 matching lines @@
   network_portal_detector::Shutdown();
 
   g_browser_process->platform_part()->ShutdownSessionManager();
   g_browser_process->platform_part()->DestroyChromeUserManager();
 }
 
 void ChromeBrowserMainPartsChromeos::PostDestroyThreads() {
   // Destroy DBus services immediately after threads are stopped.
   dbus_services_.reset();
 
+  // Reset SystemTokenCertDBInitializer after DBus services because it should
+  // outlive CertLoader.
+  system_token_certdb_initializer_.reset();
+
   ChromeBrowserMainPartsLinux::PostDestroyThreads();
 
   // Destroy DeviceSettingsService after g_browser_process.
   DeviceSettingsService::Shutdown();
 
   chromeos::ShutdownCloseTracking();
 }
 
 }  //  namespace chromeos