Replace c/b/nss_context by a KeyedService.

chrome/browser/profiles/profile_io_data.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/profiles/profile_io_data.h"
 
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
@@ skipping 101 matching lines @@
 #include "chrome/browser/net/spdyproxy/data_reduction_proxy_chrome_settings.h"
 #include "chrome/browser/net/spdyproxy/data_reduction_proxy_chrome_settings_factory.h"
 #include "components/data_reduction_proxy/core/common/data_reduction_proxy_switches.h"
 #endif  // defined(OS_ANDROID)
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/fileapi/external_file_protocol_handler.h"
 #include "chrome/browser/chromeos/login/startup_utils.h"
 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
 #include "chrome/browser/chromeos/net/client_cert_filter_chromeos.h"
-#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
-#include "chrome/browser/net/nss_context.h"
-#include "chromeos/dbus/cryptohome_client.h"
-#include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/settings/cros_settings_names.h"
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/multi_threaded_cert_verifier.h"
 #include "net/ssl/client_cert_store_chromeos.h"
 #endif  // defined(OS_CHROMEOS)
 
 #if defined(USE_NSS)
+#include "chrome/browser/net/cert_database_service_factory.h"
 #include "chrome/browser/ui/crypto_module_delegate_nss.h"
+#include "components/cert_database/public/cert_database_service.h"
+#include "components/cert_database/public/cert_database_service_io_part.h"
 #include "net/ssl/client_cert_store_nss.h"
 #endif
 
 #if defined(OS_WIN)
 #include "net/ssl/client_cert_store_win.h"
 #endif
 
 #if defined(OS_MACOSX)
 #include "net/ssl/client_cert_store_mac.h"
 #endif
@@ skipping 68 matching lines @@
           request, network_delegate, path,
           content::BrowserThread::GetBlockingPool()->
               GetTaskRunnerWithShutdownBehavior(
                   base::SequencedWorkerPool::SKIP_ON_SHUTDOWN));
 
     return NULL;
   }
 };
 #endif  // defined(DEBUG_DEVTOOLS)
 
-#if defined(OS_CHROMEOS)
-// The following four functions are responsible for initializing NSS for each
-// profile on ChromeOS, which has a separate NSS database and TPM slot
-// per-profile.
-//
-// Initialization basically follows these steps:
-// 1) Get some info from user_manager::UserManager about the User for this
-// profile.
-// 2) Tell nss_util to initialize the software slot for this profile.
-// 3) Wait for the TPM module to be loaded by nss_util if it isn't already.
-// 4) Ask CryptohomeClient which TPM slot id corresponds to this profile.
-// 5) Tell nss_util to use that slot id on the TPM module.
-//
-// Some of these steps must happen on the UI thread, others must happen on the
-// IO thread:
-//               UI thread                              IO Thread
-//
-//  ProfileIOData::InitializeOnUIThread
-//                   |
-//  ProfileHelper::Get()->GetUserByProfile()
-//                   \---------------------------------------v
-//                                                 StartNSSInitOnIOThread
-//                                                           |
-//                                          crypto::InitializeNSSForChromeOSUser
-//                                                           |
-//                                                crypto::IsTPMTokenReady
-//                                                           |
-//                                          StartTPMSlotInitializationOnIOThread
-//                   v---------------------------------------/
-//     GetTPMInfoForUserOnUIThread
-//                   |
-// CryptohomeClient::Pkcs11GetTpmTokenInfoForUser
-//                   |
-//     DidGetTPMInfoForUserOnUIThread
-//                   \---------------------------------------v
-//                                          crypto::InitializeTPMForChromeOSUser
-
-void DidGetTPMInfoForUserOnUIThread(const std::string& username_hash,
-                                    chromeos::DBusMethodCallStatus call_status,
-                                    const std::string& label,
-                                    const std::string& user_pin,
-                                    int slot_id) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  if (call_status == chromeos::DBUS_METHOD_CALL_FAILURE) {
-    NOTREACHED() << "dbus error getting TPM info for " << username_hash;
-    return;
-  }
-  DVLOG(1) << "Got TPM slot for " << username_hash << ": " << slot_id;
-  BrowserThread::PostTask(
-      BrowserThread::IO,
-      FROM_HERE,
-      base::Bind(
-          &crypto::InitializeTPMForChromeOSUser, username_hash, slot_id));
-}
-
-void GetTPMInfoForUserOnUIThread(const std::string& username,
-                                 const std::string& username_hash) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  DVLOG(1) << "Getting TPM info from cryptohome for "
-           << " " << username << " " << username_hash;
-  chromeos::DBusThreadManager::Get()
-      ->GetCryptohomeClient()
-      ->Pkcs11GetTpmTokenInfoForUser(
-            username,
-            base::Bind(&DidGetTPMInfoForUserOnUIThread, username_hash));
-}
-
-void StartTPMSlotInitializationOnIOThread(const std::string& username,
-                                          const std::string& username_hash) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
-
-  BrowserThread::PostTask(
-      BrowserThread::UI,
-      FROM_HERE,
-      base::Bind(&GetTPMInfoForUserOnUIThread, username, username_hash));
-}
-
-void StartNSSInitOnIOThread(const std::string& username,
-                            const std::string& username_hash,
-                            const base::FilePath& path) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
-  DVLOG(1) << "Starting NSS init for " << username
-           << "  hash:" << username_hash;
-
-  // Make sure NSS is initialized for the user.
-  crypto::InitializeNSSForChromeOSUser(username_hash, path);
-
-  // Check if it's OK to initialize TPM for the user before continuing. This
-  // may not be the case if the TPM slot initialization was previously
-  // requested for the same user.
-  if (!crypto::ShouldInitializeTPMForChromeOSUser(username_hash))
-    return;
-
-  crypto::WillInitializeTPMForChromeOSUser(username_hash);
-
-  if (crypto::IsTPMTokenEnabledForNSS()) {
-    if (crypto::IsTPMTokenReady(base::Bind(
-            &StartTPMSlotInitializationOnIOThread, username, username_hash))) {
-      StartTPMSlotInitializationOnIOThread(username, username_hash);
-    } else {
-      DVLOG(1) << "Waiting for tpm ready ...";
-    }
-  } else {
-    crypto::InitializePrivateSoftwareSlotForChromeOSUser(username_hash);
-  }
-}
-#endif  // defined(OS_CHROMEOS)
-
 #if defined(USE_NSS)
 void InitializeAndPassKeygenHandler(
     scoped_ptr<net::KeygenHandler> keygen_handler,
     const base::Callback<void(scoped_ptr<net::KeygenHandler>)>& callback,
     scoped_ptr<ChromeNSSCryptoModuleDelegate> delegate) {
   if (delegate)
     keygen_handler->set_crypto_module_delegate(delegate.Pass());
   callback.Run(keygen_handler.Pass());
 }
 #endif  // defined(USE_NSS)
@@ skipping 52 matching lines @@
   SupervisedUserService* supervised_user_service =
       SupervisedUserServiceFactory::GetForProfile(profile);
   params->supervised_user_url_filter =
       supervised_user_service->GetURLFilterForIOThread();
 #endif
 #if defined(OS_CHROMEOS)
   user_manager::UserManager* user_manager = user_manager::UserManager::Get();
   if (user_manager) {
     user_manager::User* user =
         chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
-    // No need to initialize NSS for users with empty username hash:
-    // Getters for a user's NSS slots always return NULL slot if the user's
-    // username hash is empty, even when the NSS is not initialized for the
-    // user.
     if (user && !user->username_hash().empty()) {
       params->username_hash = user->username_hash();
       DCHECK(!params->username_hash.empty());
-      BrowserThread::PostTask(BrowserThread::IO,
-                              FROM_HERE,
-                              base::Bind(&StartNSSInitOnIOThread,
-                                         user->email(),
-                                         user->username_hash(),
-                                         profile->GetPath()));
-
-      // Use the device-wide system key slot only if the user is of the same
-      // domain as the device is registered to.
-      policy::BrowserPolicyConnectorChromeOS* connector =
-          g_browser_process->platform_part()
-              ->browser_policy_connector_chromeos();
-      params->use_system_key_slot =
-          connector->GetUserAffiliation(user->email()) ==
-          policy::USER_AFFILIATION_MANAGED;
     }
   }
 #endif
 
   params->profile = profile;
   params->prerender_tracker = g_browser_process->prerender_tracker();
   profile_params_.reset(params.release());
 
   ChromeNetworkDelegate::InitializePrefsOnUIThread(
       &enable_referrers_,
@@ skipping 47 matching lines @@
                             local_state_pref_service);
   quick_check_enabled_.MoveToThread(io_message_loop_proxy);
 
   media_device_id_salt_ = new MediaDeviceIDSalt(pref_service, IsOffTheRecord());
 
   network_prediction_options_.Init(prefs::kNetworkPredictionOptions,
                                    pref_service);
 
   network_prediction_options_.MoveToThread(io_message_loop_proxy);
 
+#if defined(USE_NSS)
+  cert_database::CertDatabaseService* service =
+      cert_database::CertDatabaseServiceFactory::GetForBrowserContext(profile);
+  if (service)
+    cert_db_io_ = service->GetIOPart();
+#endif
+
 #if defined(OS_CHROMEOS)
   scoped_ptr<policy::PolicyCertVerifier> verifier =
       policy::PolicyCertServiceFactory::CreateForProfile(profile);
   policy_cert_verifier_ = verifier.get();
   cert_verifier_ = verifier.Pass();
 #endif
   // The URLBlacklistManager has to be created on the UI thread to register
   // observers of |pref_service|, and it also has to clean up on
   // ShutdownOnUIThread to release these observers on the right thread.
   // Don't pass it in |profile_params_| to make sure it is correctly cleaned up,
@@ skipping 69 matching lines @@
   job_factory_ = job_factory.Pass();
   set_job_factory(job_factory_.get());
 }
 
 ProfileIOData::AppRequestContext::~AppRequestContext() {
   AssertNoURLRequests();
 }
 
 ProfileIOData::ProfileParams::ProfileParams()
     : io_thread(NULL),
-#if defined(OS_CHROMEOS)
-      use_system_key_slot(false),
-#endif
       profile(NULL) {
 }
 
 ProfileIOData::ProfileParams::~ProfileParams() {}
 
 ProfileIOData::ProfileIOData(Profile::ProfileType profile_type)
     : initialized_(false),
 #if defined(OS_CHROMEOS)
       policy_cert_verifier_(NULL),
-      use_system_key_slot_(false),
 #endif
       resource_context_(new ResourceContext(this)),
       initialized_on_UI_thread_(false),
       profile_type_(profile_type) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 }
 
 ProfileIOData::~ProfileIOData() {
   if (BrowserThread::IsMessageLoopValid(BrowserThread::IO))
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
@@ skipping 297 matching lines @@
   DCHECK(io_data_->initialized_);
   return request_context_;
 }
 
 scoped_ptr<net::ClientCertStore>
 ProfileIOData::ResourceContext::CreateClientCertStore() {
   if (!io_data_->client_cert_store_factory_.is_null())
     return io_data_->client_cert_store_factory_.Run();
 #if defined(OS_CHROMEOS)
   return scoped_ptr<net::ClientCertStore>(new net::ClientCertStoreChromeOS(
-      make_scoped_ptr(new chromeos::ClientCertFilterChromeOS(
-          io_data_->use_system_key_slot(), io_data_->username_hash())),
+      make_scoped_ptr(
+          new chromeos::ClientCertFilterChromeOS(io_data_->cert_db_io_)),
       base::Bind(&CreateCryptoModuleBlockingPasswordDelegate,
                  chrome::kCryptoModulePasswordClientAuth)));
 #elif defined(USE_NSS)
   return scoped_ptr<net::ClientCertStore>(new net::ClientCertStoreNSS(
       base::Bind(&CreateCryptoModuleBlockingPasswordDelegate,
                  chrome::kCryptoModulePasswordClientAuth)));
 #elif defined(OS_WIN)
   return scoped_ptr<net::ClientCertStore>(new net::ClientCertStoreWin());
 #elif defined(OS_MACOSX)
   return scoped_ptr<net::ClientCertStore>(new net::ClientCertStoreMac());
@@ skipping 15 matching lines @@
   DCHECK(!callback.is_null());
 #if defined(USE_NSS)
   scoped_ptr<net::KeygenHandler> keygen_handler(
       new net::KeygenHandler(key_size_in_bits, challenge_string, url));
 
   base::Callback<void(scoped_ptr<ChromeNSSCryptoModuleDelegate>)>
       got_delegate_callback = base::Bind(&InitializeAndPassKeygenHandler,
                                          base::Passed(&keygen_handler),
                                          callback);
 
-  ChromeNSSCryptoModuleDelegate::CreateForResourceContext(
+  // If |cert_db_io_| is not available, we're shutting down already. Return the

[mmenke, 2014/11/04 20:02:18]

nit:  Don't use "we" in comments.

[pneubeck (no reviews), 2014/11/05 14:53:38]

Done.

+  // KeygenHandler without ChromeNSSCryptoModuleDelegate.
+  if (!io_data_->cert_db_io_) {
+    got_delegate_callback.Run(scoped_ptr<ChromeNSSCryptoModuleDelegate>());
+    return;
+  }
+
+  ChromeNSSCryptoModuleDelegate::CreateForCertDatabase(
       chrome::kCryptoModulePasswordKeygen,
       net::HostPortPair::FromURL(url),
-      this,
+      io_data_->cert_db_io_.get(),
       got_delegate_callback);
 #else
   callback.Run(make_scoped_ptr(
       new net::KeygenHandler(key_size_in_bits, challenge_string, url)));
 #endif
 }
 
 ResourceContext::SaltCallback
 ProfileIOData::ResourceContext::GetMediaDeviceIDSalt() {
   return io_data_->GetMediaDeviceIDSalt();
@@ skipping 96 matching lines @@
   if (profile_params_->resource_prefetch_predictor_observer_) {
     resource_prefetch_predictor_observer_.reset(
         profile_params_->resource_prefetch_predictor_observer_.release());
   }
 
 #if defined(ENABLE_MANAGED_USERS)
   supervised_user_url_filter_ = profile_params_->supervised_user_url_filter;
 #endif
 
 #if defined(OS_CHROMEOS)
-  username_hash_ = profile_params_->username_hash;
-  use_system_key_slot_ = profile_params_->use_system_key_slot;
-  if (use_system_key_slot_)
-    EnableNSSSystemKeySlotForResourceContext(resource_context_.get());
-
   crypto::ScopedPK11Slot public_slot =
-      crypto::GetPublicSlotForChromeOSUser(username_hash_);
+      crypto::GetPublicSlotForChromeOSUser(profile_params_->username_hash);
   // The private slot won't be ready by this point. It shouldn't be necessary
   // for cert trust purposes anyway.
   scoped_refptr<net::CertVerifyProc> verify_proc(
       new chromeos::CertVerifyProcChromeOS(public_slot.Pass()));
   if (policy_cert_verifier_) {
     DCHECK_EQ(policy_cert_verifier_, cert_verifier_.get());
     policy_cert_verifier_->InitializeOnIOThread(verify_proc);
   } else {
     cert_verifier_.reset(new net::MultiThreadedCertVerifier(verify_proc.get()));
   }
@@ skipping 195 matching lines @@
 void ProfileIOData::SetCookieSettingsForTesting(
     CookieSettings* cookie_settings) {
   DCHECK(!cookie_settings_.get());
   cookie_settings_ = cookie_settings;
 }
 
 void ProfileIOData::set_signin_names_for_testing(
     SigninNamesOnIOThread* signin_names) {
   signin_names_.reset(signin_names);
 }