
Unified Diff: chrome/browser/chromeos/chrome_browser_main_chromeos.cc

Issue 2858113003: Enable device-wide EAP-TLS networks (Closed)
Patch Set: Addressed comments (and accidental rebase). Created 3 years, 7 months ago
Index: chrome/browser/chromeos/chrome_browser_main_chromeos.cc
diff --git a/chrome/browser/chromeos/chrome_browser_main_chromeos.cc b/chrome/browser/chromeos/chrome_browser_main_chromeos.cc
index 2840377dde423f13a1b377a78c932fa9ddbc48b7..4d3491328191d208bf6d632caa12ecc26cf9c166 100644
--- a/chrome/browser/chromeos/chrome_browser_main_chromeos.cc
+++ b/chrome/browser/chromeos/chrome_browser_main_chromeos.cc
@@ -146,11 +146,13 @@
#include "content/public/browser/notification_service.h"
#include "content/public/common/content_switches.h"
#include "content/public/common/main_function_params.h"
+#include "crypto/nss_util_internal.h"
#include "dbus/object_path.h"
#include "device/bluetooth/bluetooth_adapter_factory.h"
#include "device/bluetooth/dbus/bluez_dbus_manager.h"
#include "media/audio/sounds/sounds_manager.h"
#include "net/base/network_change_notifier.h"
+#include "net/cert/nss_cert_database_chromeos.h"
#include "net/url_request/url_request.h"
#include "net/url_request/url_request_context_getter.h"
#include "printing/backend/print_backend.h"
@@ -365,6 +367,56 @@ class DBusServices {
DISALLOW_COPY_AND_ASSIGN(DBusServices);
};
+// Initializes a global NSSCertDatabase for the system token and starts
+// CertLoader with that database.
+class SystemTokenCertDBInitializer {
+ public:
+ // Entry point, called on UI thread.
+ void Initialize() {
+ content::BrowserThread::PostTask(
+ content::BrowserThread::IO, FROM_HERE,
+ base::BindOnce(&SystemTokenCertDBInitializer::GetSystemSlotOnIOThread,
+ base::Unretained(this)));
emaxx 2017/05/11 02:57:45 It seems to be unsafe to use Unretained(this) thro
pmarko 2017/05/11 11:49:17 You are right, this could get destroyed if we clos
+ }
+
+ private:
+ // Called on IO Thread, initiates retrieval of system slot.
+ void GetSystemSlotOnIOThread() {
+ auto callback =
+ base::Bind(&SystemTokenCertDBInitializer::GotSystemSlotOnIOThread,
+ base::Unretained(this));
+ crypto::ScopedPK11Slot system_nss_slot =
emaxx 2017/05/11 02:57:46 nit: #include "crypto/scoped_nss_types.h"
pmarko 2017/05/11 11:49:17 Done.
+ crypto::GetSystemNSSKeySlot(callback);
+ if (system_nss_slot) {
+ callback.Run(std::move(system_nss_slot));
+ }
+ }
+
+ // Called on IO Thread when the system slot has been retrieved.
+ void GotSystemSlotOnIOThread(crypto::ScopedPK11Slot system_slot) {
+ content::BrowserThread::PostTask(
+ content::BrowserThread::UI, FROM_HERE,
+ base::BindOnce(&SystemTokenCertDBInitializer::InitializeDatabase,
+ base::Unretained(this), std::move(system_slot)));
+ }
+
+ // Initializes the global system token NSSCertDatabase with |system_slot|.
+ // Also starts CertLoader with the system token database.
+ void InitializeDatabase(crypto::ScopedPK11Slot system_slot) {
+ crypto::ScopedPK11Slot system_slot_copy =
+ crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_slot.get()));
+ auto database = base::MakeUnique<net::NSSCertDatabaseChromeOS>(
+ std::move(system_slot), crypto::ScopedPK11Slot());
emaxx 2017/05/11 02:57:46 nit: I'd prefer having some hints here for what th
pmarko 2017/05/11 11:49:17 Done.
+ database->SetSystemSlot(std::move(system_slot_copy));
emaxx 2017/05/11 02:57:46 I think this trick with passing the same slot twic
pmarko 2017/05/11 11:49:17 Done.
+ system_token_cert_database_ = std::move(database);
+
+ CertLoader::Get()->StartWithSystemNSSDB(system_token_cert_database_.get());
+ }
+
+ // Global NSSCertDatabase which sees the system token.
+ std::unique_ptr<net::NSSCertDatabase> system_token_cert_database_;
emaxx 2017/05/11 02:57:45 nit: #include "net/cert/nss_cert_database.h"
pmarko 2017/05/11 11:49:17 Done.
+};
+
} // namespace internal
// ChromeBrowserMainPartsChromeos ----------------------------------------------
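Review bot: InitializeDatabase() passes `system_slot.get()` straight to `PK11_ReferenceSlot()` without checking that the slot is non-null, and GotSystemSlotOnIOThread() forwards whatever the callback received. Whether `crypto::GetSystemNSSKeySlot` can run the callback with an empty slot (for example when the system token fails to load) is not visible from this hunk and should be confirmed; if it can, NSS is handed a null slot pointer on the UI thread. I would add an early exit at the top of InitializeDatabase(), such as `if (!system_slot) { LOG(ERROR) << "System token slot unavailable"; return; }`, so CertLoader is never started with a database built on a missing slot. The "Called on UI/IO thread" comments would also be better enforced with `DCHECK_CURRENTLY_ON(content::BrowserThread::UI);` (or `::IO`) at the top of each method, since `system_token_cert_database_` is written without any locking.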
@@ -470,6 +522,12 @@ void ChromeBrowserMainPartsChromeos::PreMainMessageLoopRun() {
content::BrowserThread::GetTaskRunnerForThread(
content::BrowserThread::IO));
+ // Initialize NSS database for system token.
+ TPMTokenLoader::Get()->EnsureStarted();
+ system_token_certdb_initializer_ =
+ base::MakeUnique<internal::SystemTokenCertDBInitializer>();
+ system_token_certdb_initializer_->Initialize();
+
CrasAudioHandler::Initialize(
new AudioDevicesPrefHandlerImpl(g_browser_process->local_state()));
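Review bot: The comment `// Initialize NSS database for system token.` reads as if the database were ready once `Initialize()` returns, but the work hops to the IO thread and back, and CertLoader ends up holding the raw pointer from `system_token_cert_database_.get()`. I would say so here and at the member declaration, e.g. `// Starts asynchronous setup of the system-token NSSCertDatabase; the initializer owns the database handed to CertLoader and must outlive CertLoader's use of it.` The place where `system_token_certdb_initializer_` is reset is outside this hunk, so the teardown order relative to CertLoader shutdown should be checked there. PreMainMessageLoopRun() starts and ends outside the hunk.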
