Enable device-wide EAP-TLS networks

chromeos/cert_loader.cc

Index: chromeos/cert_loader.cc
diff --git a/chromeos/cert_loader.cc b/chromeos/cert_loader.cc
index 9d9a4a90f95903d0d792f0af14f9f027a0ca561a..79bfe3f59d13c8b1a46f901fb8a27ca915f7c9dc 100644
--- a/chromeos/cert_loader.cc
+++ b/chromeos/cert_loader.cc
@@ -9,17 +9,139 @@
 
 #include "base/bind.h"
 #include "base/location.h"
+#include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/task_scheduler/post_task.h"
 #include "crypto/nss_util.h"
 #include "crypto/scoped_nss_types.h"
+#include "net/cert/cert_database.h"
 #include "net/cert/nss_cert_database.h"
 #include "net/cert/nss_cert_database_chromeos.h"
 #include "net/cert/x509_certificate.h"
 
 namespace chromeos {
 
+// Caches certificates from a NSSCertDatabase. Handles reloading of certificates
+// on update notifications and provides status flags (loading / loaded).
+// CertLoader can use multiple CertCaches to combine certificates from multiple
+// sources.
+class CertLoader::CertCache : public net::CertDatabase::Observer {
+ public:
+  explicit CertCache(base::RepeatingClosure certificates_updated_callback)
+      : certificates_updated_callback_(certificates_updated_callback),
+        cert_list_(base::MakeUnique<net::CertificateList>()),
+        weak_factory_(this) {}
+
+  ~CertCache() override {
+    net::CertDatabase::GetInstance()->RemoveObserver(this);
+  }
+
+  void SetNSSDB(net::NSSCertDatabase* nss_database) {
+    CHECK(!nss_database_);
+    nss_database_ = nss_database;
+
+    // Start observing cert database for changes.
+    // Observing net::CertDatabase is preferred over observing |nss_database_|
+    // directly, as |nss_database_| observers receive only events generated
+    // directly by |nss_database_|, so they may miss a few relevant ones.
+    // TODO(tbarzic): Once singleton NSSCertDatabase is removed, investigate if
+    // it would be OK to observe |nss_database_| directly; or change
+    // NSSCertDatabase to send notification on all relevant changes.
+    net::CertDatabase::GetInstance()->AddObserver(this);
+
+    LoadCertificates();
+  }
+
+  net::NSSCertDatabase* nss_database() { return nss_database_; }
+
+  // net::CertDatabase::Observer
+  void OnCertDBChanged() override {
+    VLOG(1) << "OnCertDBChanged";
+    LoadCertificates();
+  }
+
+  const net::CertificateList& cert_list() const { return *cert_list_; }
+
+  bool initial_load_running() const {
+    return nss_database_ && !initial_load_finished_;
+  }
+
+  bool initial_load_finished() const { return initial_load_finished_; }
+
+  // Returns true if this CertCache has finished its initial load and the
+  // underlying NSSCertDatabase has access to the system slot.
+  bool has_system_certificates() const {

[emaxx, 2017/05/11 14:36:53]

nit: It's a bit weird that this method returns a bit different thing than the
private member that is named almost the same.
So I'd suggest either just returning has_system_certificates_ here (with leaving
the magic of combining two booleans to the calling code) or inventing a better
name for this accessor.

[pmarko, 2017/05/11 17:24:57]

Agreed and Done. (combining at callsite)

+    return initial_load_finished_ && has_system_certificates_;
+  }
+
+ private:
+  // Trigger a certificate load. If a certificate loading task is already in
+  // progress, will start a reload once the current task is finished.
+  void LoadCertificates() {
+    CHECK(thread_checker_.CalledOnValidThread());
+    VLOG(1) << "LoadCertificates: " << certificates_update_running_;
+
+    if (certificates_update_running_) {
+      certificates_update_required_ = true;
+      return;
+    }
+
+    certificates_update_running_ = true;
+    certificates_update_required_ = false;
+
+    if (nss_database_) {
+      has_system_certificates_ =
+          static_cast<bool>(nss_database_->GetSystemSlot());
+      nss_database_->ListCerts(base::Bind(&CertCache::UpdateCertificates,
+                                          weak_factory_.GetWeakPtr()));
+    }
+  }
+
+  // Called if a certificate load task is finished.
+  void UpdateCertificates(std::unique_ptr<net::CertificateList> cert_list) {
+    CHECK(thread_checker_.CalledOnValidThread());
+    DCHECK(certificates_update_running_);
+    VLOG(1) << "UpdateCertificates: " << cert_list->size();
+
+    // Ignore any existing certificates.
+    cert_list_ = std::move(cert_list);
+
+    initial_load_finished_ = true;
+    certificates_updated_callback_.Run();
+
+    certificates_update_running_ = false;
+    if (certificates_update_required_)
+      LoadCertificates();
+  }
+
+  // To be called when certificates have been updated.
+  base::RepeatingClosure certificates_updated_callback_;
+
+  bool has_system_certificates_ = false;
+
+  // This is true after certificates have been loaded initially.
+  bool initial_load_finished_ = false;
+  // This is true if a notification about certificate DB changes arrived while
+  // loading certificates and means that we will have to trigger another
+  // certificates load after that.
+  bool certificates_update_required_ = false;
+  // This is true while certificates are being loaded.
+  bool certificates_update_running_ = false;
+
+  // The NSS certificate database from which the certificates should be loaded.
+  net::NSSCertDatabase* nss_database_ = nullptr;
+
+  // Cached Certificates loaded from the database.
+  std::unique_ptr<net::CertificateList> cert_list_;
+
+  base::ThreadChecker thread_checker_;
+
+  base::WeakPtrFactory<CertCache> weak_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(CertCache);
+};
+
 namespace {
 
 // Checks if |certificate| is on the given |slot|.
@@ -97,31 +219,26 @@ bool CertLoader::IsInitialized() {
 }
 
 CertLoader::CertLoader()
-    : certificates_loaded_(false),
-      certificates_update_required_(false),
-      certificates_update_running_(false),
-      database_(nullptr),
+    : pending_initial_load_(true),
+      system_cert_cache_(base::MakeUnique<CertCache>(
+          base::BindRepeating(&CertLoader::CacheUpdated,
+                              base::Unretained(this)))),
+      user_cert_cache_(base::MakeUnique<CertCache>(
+          base::BindRepeating(&CertLoader::CacheUpdated,
+                              base::Unretained(this)))),
       all_certs_(base::MakeUnique<net::CertificateList>()),
+      system_certs_(base::MakeUnique<net::CertificateList>()),
       weak_factory_(this) {}
 
 CertLoader::~CertLoader() {
-  net::CertDatabase::GetInstance()->RemoveObserver(this);
 }
 
-void CertLoader::StartWithNSSDB(net::NSSCertDatabase* database) {
-  CHECK(!database_);
-  database_ = database;
-
-  // Start observing cert database for changes.
-  // Observing net::CertDatabase is preferred over observing |database_|
-  // directly, as |database_| observers receive only events generated directly
-  // by |database_|, so they may miss a few relevant ones.
-  // TODO(tbarzic): Once singleton NSSCertDatabase is removed, investigate if
-  // it would be OK to observe |database_| directly; or change NSSCertDatabase
-  // to send notification on all relevant changes.
-  net::CertDatabase::GetInstance()->AddObserver(this);
+void CertLoader::SetSystemNSSDB(net::NSSCertDatabase* system_slot_database) {
+  system_cert_cache_->SetNSSDB(system_slot_database);
+}
 
-  LoadCertificates();
+void CertLoader::SetUserNSSDB(net::NSSCertDatabase* user_database) {
+  user_cert_cache_->SetNSSDB(user_database);
 }
 
 void CertLoader::AddObserver(CertLoader::Observer* observer) {
@@ -140,8 +257,14 @@ bool CertLoader::IsCertificateHardwareBacked(const net::X509Certificate* cert) {
   return slot && PK11_IsHW(slot);
 }
 
-bool CertLoader::CertificatesLoading() const {
-  return database_ && !certificates_loaded_;
+bool CertLoader::initial_load_of_any_database_running() const {
+  return system_cert_cache_->initial_load_running() ||
+         user_cert_cache_->initial_load_running();
+}
+
+bool CertLoader::initial_load_finished() const {
+  return system_cert_cache_->initial_load_finished() ||
+         user_cert_cache_->initial_load_finished();
 }
 
 // static
@@ -183,56 +306,58 @@ std::string CertLoader::GetPkcs11IdAndSlotForCert(
   return pkcs11_id;
 }
 
-void CertLoader::LoadCertificates() {
+void CertLoader::CacheUpdated() {
   DCHECK(thread_checker_.CalledOnValidThread());
-  VLOG(1) << "LoadCertificates: " << certificates_update_running_;
-
-  if (certificates_update_running_) {
-    certificates_update_required_ = true;
-    return;
+  VLOG(1) << "CacheUpdated";
+
+  // has_system_certificates() only returns true if the user_cert_cache_ has
+  // already finished its initial load and has access to system certificates.
+  if (user_cert_cache_->has_system_certificates()) {
+    crypto::ScopedPK11Slot system_slot =
+        user_cert_cache_->nss_database()->GetSystemSlot();
+    DCHECK(system_slot);
+    std::unique_ptr<net::CertificateList> all_certs =
+        base::MakeUnique<net::CertificateList>(user_cert_cache_->cert_list());
+    net::CertificateList* all_certs_ptr = all_certs.get();
+    // We will transfer ownership of all_certs to the UpdateCertificates
+    // callback object. This is guaranteed to outlive
+    // FilterSystemTokenCertificates runtime, so we can pass a raw pointer
+    // there.
+    base::PostTaskWithTraitsAndReplyWithResult(
+        FROM_HERE,
+        {base::MayBlock(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},
+        base::BindOnce(&FilterSystemTokenCertificates,
+                       base::Unretained(all_certs_ptr), std::move(system_slot)),
+        base::BindOnce(&CertLoader::UpdateCertificates,
+                       weak_factory_.GetWeakPtr(), std::move(all_certs)));
+  } else {
+    // The user's cert cache does not contain system certificates.
+    std::unique_ptr<net::CertificateList> system_certs =
+        base::MakeUnique<net::CertificateList>(system_cert_cache_->cert_list());
+    std::unique_ptr<net::CertificateList> all_certs =
+        base::MakeUnique<net::CertificateList>(user_cert_cache_->cert_list());
+    all_certs->insert(all_certs->end(), system_certs->begin(),
+                      system_certs->end());
+    UpdateCertificates(std::move(all_certs), std::move(system_certs));
   }
-
-  certificates_update_running_ = true;
-  certificates_update_required_ = false;
-
-  database_->ListCerts(
-      base::Bind(&CertLoader::CertificatesLoaded, weak_factory_.GetWeakPtr()));
-}
-
-void CertLoader::CertificatesLoaded(
-    std::unique_ptr<net::CertificateList> all_certs) {
-  DCHECK(thread_checker_.CalledOnValidThread());
-  VLOG(1) << "CertificatesLoaded: " << all_certs->size();
-
-  crypto::ScopedPK11Slot system_slot = database_->GetSystemSlot();
-  base::PostTaskWithTraitsAndReplyWithResult(
-      FROM_HERE,
-      {base::MayBlock(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},
-      base::BindOnce(&FilterSystemTokenCertificates,
-                     base::Unretained(all_certs.get()), std::move(system_slot)),
-      base::BindOnce(&CertLoader::UpdateCertificates,
-                     weak_factory_.GetWeakPtr(), std::move(all_certs)));
 }
 
 void CertLoader::UpdateCertificates(
     std::unique_ptr<net::CertificateList> all_certs,
     std::unique_ptr<net::CertificateList> system_certs) {
   DCHECK(thread_checker_.CalledOnValidThread());
-  DCHECK(certificates_update_running_);
+  bool initial_load = pending_initial_load_;
+  pending_initial_load_ = false;
+
   VLOG(1) << "UpdateCertificates: " << all_certs->size() << " ("
-          << system_certs->size() << " on system slot)";
+          << system_certs->size() << " on system slot)"
+          << ", initial_load=" << initial_load;
 
   // Ignore any existing certificates.
   all_certs_ = std::move(all_certs);
   system_certs_ = std::move(system_certs);
 
-  bool initial_load = !certificates_loaded_;
-  certificates_loaded_ = true;
   NotifyCertificatesLoaded(initial_load);
-
-  certificates_update_running_ = false;
-  if (certificates_update_required_)
-    LoadCertificates();
 }
 
 void CertLoader::NotifyCertificatesLoaded(bool initial_load) {
@@ -240,9 +365,4 @@ void CertLoader::NotifyCertificatesLoaded(bool initial_load) {
     observer.OnCertificatesLoaded(*all_certs_, initial_load);
 }
 
-void CertLoader::OnCertDBChanged() {
-  VLOG(1) << "OnCertDBChanged";
-  LoadCertificates();
-}
-
 }  // namespace chromeos