Chromium Code Reviews| Index: chrome/browser/chromeos/chrome_browser_main_chromeos.cc |
| diff --git a/chrome/browser/chromeos/chrome_browser_main_chromeos.cc b/chrome/browser/chromeos/chrome_browser_main_chromeos.cc |
| index 2840377dde423f13a1b377a78c932fa9ddbc48b7..10e82e2057386d3295720940d55ec5c249f11afe 100644 |
| --- a/chrome/browser/chromeos/chrome_browser_main_chromeos.cc |
| +++ b/chrome/browser/chromeos/chrome_browser_main_chromeos.cc |
| @@ -20,6 +20,7 @@ |
| #include "base/linux_util.h" |
| #include "base/macros.h" |
| #include "base/memory/ptr_util.h" |
| +#include "base/memory/weak_ptr.h" |
| #include "base/path_service.h" |
| #include "base/strings/string_number_conversions.h" |
| #include "base/strings/string_split.h" |
| @@ -146,11 +147,15 @@ |
| #include "content/public/browser/notification_service.h" |
| #include "content/public/common/content_switches.h" |
| #include "content/public/common/main_function_params.h" |
| +#include "crypto/nss_util_internal.h" |
| +#include "crypto/scoped_nss_types.h" |
| #include "dbus/object_path.h" |
| #include "device/bluetooth/bluetooth_adapter_factory.h" |
| #include "device/bluetooth/dbus/bluez_dbus_manager.h" |
| #include "media/audio/sounds/sounds_manager.h" |
| #include "net/base/network_change_notifier.h" |
| +#include "net/cert/nss_cert_database.h" |
| +#include "net/cert/nss_cert_database_chromeos.h" |
| #include "net/url_request/url_request.h" |
| #include "net/url_request/url_request_context_getter.h" |
| #include "printing/backend/print_backend.h" |
| @@ -365,6 +370,67 @@ class DBusServices { |
| DISALLOW_COPY_AND_ASSIGN(DBusServices); |
| }; |
| +// Initializes a global NSSCertDatabase for the system token and starts |
| +// CertLoader with that database. |
| +class SystemTokenCertDBInitializer { |
| + public: |
| + SystemTokenCertDBInitializer() : weak_ptr_factory_(this) {} |
| + ~SystemTokenCertDBInitializer() {} |
| + |
| + // Entry point, called on UI thread. |
| + void Initialize() { |
| + content::BrowserThread::PostTask( |
| + content::BrowserThread::IO, FROM_HERE, |
| + base::BindOnce(&SystemTokenCertDBInitializer::GetSystemSlotOnIOThread, |
| + weak_ptr_factory_.GetWeakPtr())); |
| + } |
| + |
| + private: |
| + // Called on IO Thread, initiates retrieval of system slot. |
| + void GetSystemSlotOnIOThread() { |
| + auto callback = |
| + base::Bind(&SystemTokenCertDBInitializer::GotSystemSlotOnIOThread, |
| + weak_ptr_factory_.GetWeakPtr()); |
| + crypto::ScopedPK11Slot system_nss_slot = |
| + crypto::GetSystemNSSKeySlot(callback); |
| + if (system_nss_slot) { |
| + callback.Run(std::move(system_nss_slot)); |
| + } |
| + } |
| + |
| + // Called on IO Thread when the system slot has been retrieved. |
| + void GotSystemSlotOnIOThread(crypto::ScopedPK11Slot system_slot) { |
| + content::BrowserThread::PostTask( |
| + content::BrowserThread::UI, FROM_HERE, |
| + base::BindOnce(&SystemTokenCertDBInitializer::InitializeDatabase, |
| + weak_ptr_factory_.GetWeakPtr(), std::move(system_slot))); |
| + } |
| + |
| + // Initializes the global system token NSSCertDatabase with |system_slot|. |
| + // Also starts CertLoader with the system token database. |
| + void InitializeDatabase(crypto::ScopedPK11Slot system_slot) { |
| + // Currently, NSSCertDatabase requires a public slot to be set, so we use |
| + // the system slot there. We also want GetSystemSlot() to return the system |
| + // slot. As ScopedPK11Slot is actually a unique_ptr which will be moved into |
| + // the NSSCertDatabase, we need to create a copy, referencing the same slot |
| + // (using PK11_ReferenceSlot). |
| + crypto::ScopedPK11Slot system_slot_copy = |
| + crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_slot.get())); |
| + auto database = base::MakeUnique<net::NSSCertDatabaseChromeOS>( |
| + std::move(system_slot) /* public_slot */, |
| + crypto::ScopedPK11Slot() /* private_slot */); |
| + database->SetSystemSlot(std::move(system_slot_copy)); |
| + system_token_cert_database_ = std::move(database); |
| + |
| + CertLoader::Get()->SetSystemNSSDB(system_token_cert_database_.get()); |
|
emaxx
2017/05/11 14:36:53
Another question is whether the lifetime of this N
emaxx
2017/05/11 14:36:53
Is CertLoader guaranteed to be initialized at this
pmarko
2017/05/11 17:24:57
Order: For a moment I thought this could be a prob
pmarko
2017/05/11 17:24:57
Actually, I've added an explicit reset() to the un
|
| + } |
| + |
| + // Global NSSCertDatabase which sees the system token. |
| + std::unique_ptr<net::NSSCertDatabase> system_token_cert_database_; |
| + |
| + base::WeakPtrFactory<SystemTokenCertDBInitializer> weak_ptr_factory_; |
| +}; |
| + |
| } // namespace internal |
| // ChromeBrowserMainPartsChromeos ---------------------------------------------- |
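Review bot: The `WeakPtr`s from `weak_ptr_factory_` are dereferenced on two threads, which `base::WeakPtr` does not support: `Initialize()` binds one on the UI thread to `GetSystemSlotOnIOThread`, that method and `GotSystemSlotOnIOThread` then run as members on the IO thread, and `InitializeDatabase` dereferences another one back on the UI thread. The initializer is created in `PreMainMessageLoopRun` and is presumably destroyed on the UI thread, so the IO-thread validity check can race with destruction and leave an IO task running on a freed object that owns the system-token database. Moving the IO-thread work into file-local free functions that take a UI-bound callback avoids this, because the only `WeakPtr` is then created and dereferenced on the UI thread; a sketch follows. Separately, `InitializeDatabase` passes `system_slot.get()` to `PK11_ReferenceSlot` unchecked, so if the slot callback can deliver an empty slot, an early `if (!system_slot) return;` there would be safer.

```cpp
// File-local helpers: nothing that runs on the IO thread touches the
// initializer object or dereferences its WeakPtr.
void RunCallbackOnUIThread(
    base::Callback<void(crypto::ScopedPK11Slot)> callback_ui_thread,
    crypto::ScopedPK11Slot system_slot) {
  content::BrowserThread::PostTask(
      content::BrowserThread::UI, FROM_HERE,
      base::BindOnce(callback_ui_thread, std::move(system_slot)));
}

void GetSystemSlotOnIOThread(
    base::Callback<void(crypto::ScopedPK11Slot)> callback_ui_thread) {
  auto callback = base::Bind(&RunCallbackOnUIThread, callback_ui_thread);
  crypto::ScopedPK11Slot system_nss_slot =
      crypto::GetSystemNSSKeySlot(callback);
  if (system_nss_slot)
    callback.Run(std::move(system_nss_slot));
}

// In SystemTokenCertDBInitializer:
  void Initialize() {
    // The WeakPtr is bound here and only dereferenced when the callback
    // is run back on the UI thread.
    content::BrowserThread::PostTask(
        content::BrowserThread::IO, FROM_HERE,
        base::BindOnce(
            &GetSystemSlotOnIOThread,
            base::Bind(&SystemTokenCertDBInitializer::InitializeDatabase,
                       weak_ptr_factory_.GetWeakPtr())));
  }
  // … unchanged: InitializeDatabase, system_token_cert_database_, weak_ptr_factory_ …
```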
| @@ -470,6 +536,12 @@ void ChromeBrowserMainPartsChromeos::PreMainMessageLoopRun() { |
| content::BrowserThread::GetTaskRunnerForThread( |
| content::BrowserThread::IO)); |
| + // Initialize NSS database for system token. |
| + TPMTokenLoader::Get()->EnsureStarted(); |
| + system_token_certdb_initializer_ = |
| + base::MakeUnique<internal::SystemTokenCertDBInitializer>(); |
| + system_token_certdb_initializer_->Initialize(); |
| + |
| CrasAudioHandler::Initialize( |
| new AudioDevicesPrefHandlerImpl(g_browser_process->local_state())); |