Enable device-wide EAP-TLS networks

chrome/browser/browser_process_platform_part_chromeos.cc

Index: chrome/browser/browser_process_platform_part_chromeos.cc
diff --git a/chrome/browser/browser_process_platform_part_chromeos.cc b/chrome/browser/browser_process_platform_part_chromeos.cc
index 4b63b33c1daa1e26f6c42546c58b4710352232d9..3d41fb3259be3e0e7d7713393de72a64419a3755 100644
--- a/chrome/browser/browser_process_platform_part_chromeos.cc
+++ b/chrome/browser/browser_process_platform_part_chromeos.cc
@@ -28,6 +28,7 @@
 #include "chromeos/timezone/timezone_resolver.h"
 #include "components/session_manager/core/session_manager.h"
 #include "components/user_manager/user_manager.h"
+#include "net/cert/nss_cert_database_chromeos.h"
 
 BrowserProcessPlatformPart::BrowserProcessPlatformPart()
     : created_profile_helper_(false) {}
@@ -83,6 +84,34 @@ void BrowserProcessPlatformPart::ShutdownSessionManager() {
   session_manager_.reset();
 }
 
+void BrowserProcessPlatformPart::InitializeSystemSlotCertDatabase(
+    crypto::ScopedPK11Slot system_slot) {
+  crypto::ScopedPK11Slot system_slot_copy =
+      crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_slot.get()));
+  auto database = base::MakeUnique<net::NSSCertDatabaseChromeOS>(
+      std::move(system_slot), crypto::ScopedPK11Slot());
+  database->SetSystemSlot(std::move(system_slot_copy));
+  system_token_cert_database_ = std::move(database);
+
+  // Notify clients waiting for the system token cert database to be available.
+  std::vector<base::Callback<void(net::NSSCertDatabase*)>> callbacks;
+  callbacks.swap(system_token_ready_callbacks_);
+  for (auto& callback : callbacks)
+    callback.Run(system_token_cert_database_.get());
+}
+
+void BrowserProcessPlatformPart::ShutdownSystemSlotCertDatabase() {
+  system_token_cert_database_.reset();
+}
+
+void BrowserProcessPlatformPart::GetSystemSlotCertDatabase(
+    base::Callback<void(net::NSSCertDatabase*)> callback) {
+  if (system_token_cert_database_)
+    callback.Run(system_token_cert_database_.get());
+  else
+    system_token_ready_callbacks_.push_back(callback);
+}

[stevenjb, 2017/05/09 17:04:02]

Looking through the code, I don't see access to any of these methods outside of
chrome_browser_main_chromeos.cc.

Is there any reason not to make this part of CertLoader or
ChromeBrowserMainPartsChromeos (encapsulated as a helper class)?

The reason I ask is that for mus+ash I expect we will need to access
certificates from both the Chrome and Ash processes, and I don't think we will
want this code to be part of the Browser at that point. Putting the code here
will make that extraction a bit more complicated.

[pmarko, 2017/05/10 11:48:01]

Good point. I expected other clients to use this global system token database in
the future (e.g. extensions on the sign-in screen, as currently implemented by
Yves), but now I think the nice solution would be to inject that into the
sign-in profile from ChromeBrowserMainPArtsChromeos. So: Done.

+
 void BrowserProcessPlatformPart::RegisterKeepAlive() {
   DCHECK(!keep_alive_);
   keep_alive_.reset(