Index: chrome/browser/profiles/profile_io_data.cc |
diff --git a/chrome/browser/profiles/profile_io_data.cc b/chrome/browser/profiles/profile_io_data.cc |
index 77f00e47c5ce1a804dad24fd0c025e7ba0f08c5a..a8c5e9a61b31562946ad946769c5e3d9596f15e5 100644 |
--- a/chrome/browser/profiles/profile_io_data.cc |
+++ b/chrome/browser/profiles/profile_io_data.cc |
@@ -117,16 +117,13 @@ |
#if defined(OS_CHROMEOS) |
#include "chrome/browser/chromeos/fileapi/external_file_protocol_handler.h" |
#include "chrome/browser/chromeos/login/startup_utils.h" |
+#include "chrome/browser/chromeos/net/cert_profile_filter.h" |
#include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h" |
-#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h" |
#include "chrome/browser/chromeos/policy/policy_cert_service.h" |
#include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" |
#include "chrome/browser/chromeos/policy/policy_cert_verifier.h" |
#include "chrome/browser/chromeos/profiles/profile_helper.h" |
#include "chrome/browser/chromeos/settings/cros_settings.h" |
-#include "chrome/browser/net/nss_context.h" |
-#include "chromeos/dbus/cryptohome_client.h" |
-#include "chromeos/dbus/dbus_thread_manager.h" |
#include "chromeos/settings/cros_settings_names.h" |
#include "components/user_manager/user.h" |
#include "components/user_manager/user_manager.h" |
@@ -138,7 +135,10 @@ |
#endif // defined(OS_CHROMEOS) |
#if defined(USE_NSS) |
+#include "chrome/browser/net/cert_database_service_factory.h" |
#include "chrome/browser/ui/crypto_module_delegate_nss.h" |
+#include "components/cert_database/public/cert_database_service.h" |
+#include "components/cert_database/public/cert_database_service_io_part.h" |
#include "net/ssl/client_cert_store_nss.h" |
#endif |
@@ -227,114 +227,6 @@ class DebugDevToolsInterceptor : public net::URLRequestInterceptor { |
}; |
#endif // defined(DEBUG_DEVTOOLS) |
-#if defined(OS_CHROMEOS) |
-// The following four functions are responsible for initializing NSS for each |
-// profile on ChromeOS, which has a separate NSS database and TPM slot |
-// per-profile. |
-// |
-// Initialization basically follows these steps: |
-// 1) Get some info from user_manager::UserManager about the User for this |
-// profile. |
-// 2) Tell nss_util to initialize the software slot for this profile. |
-// 3) Wait for the TPM module to be loaded by nss_util if it isn't already. |
-// 4) Ask CryptohomeClient which TPM slot id corresponds to this profile. |
-// 5) Tell nss_util to use that slot id on the TPM module. |
-// |
-// Some of these steps must happen on the UI thread, others must happen on the |
-// IO thread: |
-// UI thread IO Thread |
-// |
-// ProfileIOData::InitializeOnUIThread |
-// | |
-// ProfileHelper::Get()->GetUserByProfile() |
-// \---------------------------------------v |
-// StartNSSInitOnIOThread |
-// | |
-// crypto::InitializeNSSForChromeOSUser |
-// | |
-// crypto::IsTPMTokenReady |
-// | |
-// StartTPMSlotInitializationOnIOThread |
-// v---------------------------------------/ |
-// GetTPMInfoForUserOnUIThread |
-// | |
-// CryptohomeClient::Pkcs11GetTpmTokenInfoForUser |
-// | |
-// DidGetTPMInfoForUserOnUIThread |
-// \---------------------------------------v |
-// crypto::InitializeTPMForChromeOSUser |
- |
-void DidGetTPMInfoForUserOnUIThread(const std::string& username_hash, |
- chromeos::DBusMethodCallStatus call_status, |
- const std::string& label, |
- const std::string& user_pin, |
- int slot_id) { |
- DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); |
- if (call_status == chromeos::DBUS_METHOD_CALL_FAILURE) { |
- NOTREACHED() << "dbus error getting TPM info for " << username_hash; |
- return; |
- } |
- DVLOG(1) << "Got TPM slot for " << username_hash << ": " << slot_id; |
- BrowserThread::PostTask( |
- BrowserThread::IO, |
- FROM_HERE, |
- base::Bind( |
- &crypto::InitializeTPMForChromeOSUser, username_hash, slot_id)); |
-} |
- |
-void GetTPMInfoForUserOnUIThread(const std::string& username, |
- const std::string& username_hash) { |
- DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); |
- DVLOG(1) << "Getting TPM info from cryptohome for " |
- << " " << username << " " << username_hash; |
- chromeos::DBusThreadManager::Get() |
- ->GetCryptohomeClient() |
- ->Pkcs11GetTpmTokenInfoForUser( |
- username, |
- base::Bind(&DidGetTPMInfoForUserOnUIThread, username_hash)); |
-} |
- |
-void StartTPMSlotInitializationOnIOThread(const std::string& username, |
- const std::string& username_hash) { |
- DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO)); |
- |
- BrowserThread::PostTask( |
- BrowserThread::UI, |
- FROM_HERE, |
- base::Bind(&GetTPMInfoForUserOnUIThread, username, username_hash)); |
-} |
- |
-void StartNSSInitOnIOThread(const std::string& username, |
- const std::string& username_hash, |
- const base::FilePath& path) { |
- DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO)); |
- DVLOG(1) << "Starting NSS init for " << username |
- << " hash:" << username_hash; |
- |
- // Make sure NSS is initialized for the user. |
- crypto::InitializeNSSForChromeOSUser(username_hash, path); |
- |
- // Check if it's OK to initialize TPM for the user before continuing. This |
- // may not be the case if the TPM slot initialization was previously |
- // requested for the same user. |
- if (!crypto::ShouldInitializeTPMForChromeOSUser(username_hash)) |
- return; |
- |
- crypto::WillInitializeTPMForChromeOSUser(username_hash); |
- |
- if (crypto::IsTPMTokenEnabledForNSS()) { |
- if (crypto::IsTPMTokenReady(base::Bind( |
- &StartTPMSlotInitializationOnIOThread, username, username_hash))) { |
- StartTPMSlotInitializationOnIOThread(username, username_hash); |
- } else { |
- DVLOG(1) << "Waiting for tpm ready ..."; |
- } |
- } else { |
- crypto::InitializePrivateSoftwareSlotForChromeOSUser(username_hash); |
- } |
-} |
-#endif // defined(OS_CHROMEOS) |
- |
#if defined(USE_NSS) |
void InitializeAndPassKeygenHandler( |
scoped_ptr<net::KeygenHandler> keygen_handler, |
@@ -404,33 +296,15 @@ void ProfileIOData::InitializeOnUIThread(Profile* profile) { |
params->supervised_user_url_filter = |
supervised_user_service->GetURLFilterForIOThread(); |
#endif |
+ |
#if defined(OS_CHROMEOS) |
user_manager::UserManager* user_manager = user_manager::UserManager::Get(); |
if (user_manager) { |
user_manager::User* user = |
chromeos::ProfileHelper::Get()->GetUserByProfile(profile); |
- // No need to initialize NSS for users with empty username hash: |
- // Getters for a user's NSS slots always return NULL slot if the user's |
- // username hash is empty, even when the NSS is not initialized for the |
- // user. |
if (user && !user->username_hash().empty()) { |
params->username_hash = user->username_hash(); |
DCHECK(!params->username_hash.empty()); |
- BrowserThread::PostTask(BrowserThread::IO, |
- FROM_HERE, |
- base::Bind(&StartNSSInitOnIOThread, |
- user->email(), |
- user->username_hash(), |
- profile->GetPath())); |
- |
- // Use the device-wide system key slot only if the user is of the same |
- // domain as the device is registered to. |
- policy::BrowserPolicyConnectorChromeOS* connector = |
- g_browser_process->platform_part() |
- ->browser_policy_connector_chromeos(); |
- params->use_system_key_slot = |
- connector->GetUserAffiliation(user->email()) == |
- policy::USER_AFFILIATION_MANAGED; |
} |
} |
#endif |
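Review bot: With the `use_system_key_slot` block removed, this function no longer restricts the device-wide system key slot to users whose affiliation is `USER_AFFILIATION_MANAGED`, and no line visible in this file takes over that decision. Presumably the check moved behind the new certificate database service or the profile filter, but that cannot be confirmed from this hunk, so the replacement should be verified to still withhold the system slot from unaffiliated users. A comment at the surviving `params->username_hash` assignment would make the hand-off auditable, e.g. `// NSS/TPM slot setup and the system-key-slot affiliation check now live in <new owner>.`, where `<new owner>` is a placeholder for the actual class. InitializeOnUIThread starts and ends outside the hunk.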
@@ -498,6 +372,13 @@ void ProfileIOData::InitializeOnUIThread(Profile* profile) { |
network_prediction_options_.MoveToThread(io_message_loop_proxy); |
+#if defined(USE_NSS) |
+ cert_database::CertDatabaseService* service = |
+ cert_database::CertDatabaseServiceFactory::GetForBrowserContext(profile); |
+ if (service) |
+ cert_db_io_ = service->GetIOPart(); |
+#endif |
+ |
#if defined(OS_CHROMEOS) |
scoped_ptr<policy::PolicyCertVerifier> verifier = |
policy::PolicyCertServiceFactory::CreateForProfile(profile); |
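Review bot: When `GetForBrowserContext(profile)` returns null, the `if (service)` branch silently leaves `cert_db_io_` unset, and the consumers changed later in this patch treat that state differently. CreateKeygenHandler checks `!io_data_->cert_db_io_` and falls back, but the ChromeOS branch of CreateClientCertStore passes `io_data_->cert_db_io_` straight to `chromeos::CreateProfileFilterFactory` with no check; whether that factory tolerates an empty handle is not visible here. Either guard that call the same way or state the contract at this assignment, e.g. `// |cert_db_io_| stays null if no CertDatabaseService exists for this profile; IO-thread users must check it.` The comment added in CreateKeygenHandler attributes a null handle only to shutdown, which this branch suggests is not the only cause.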
@@ -587,9 +468,6 @@ ProfileIOData::AppRequestContext::~AppRequestContext() { |
ProfileIOData::ProfileParams::ProfileParams() |
: io_thread(NULL), |
-#if defined(OS_CHROMEOS) |
- use_system_key_slot(false), |
-#endif |
profile(NULL) { |
} |
@@ -599,7 +477,6 @@ ProfileIOData::ProfileIOData(Profile::ProfileType profile_type) |
: initialized_(false), |
#if defined(OS_CHROMEOS) |
policy_cert_verifier_(NULL), |
- use_system_key_slot_(false), |
#endif |
resource_context_(new ResourceContext(this)), |
initialized_on_UI_thread_(false), |
@@ -919,8 +796,7 @@ ProfileIOData::ResourceContext::CreateClientCertStore() { |
return io_data_->client_cert_store_factory_.Run(); |
#if defined(OS_CHROMEOS) |
return scoped_ptr<net::ClientCertStore>(new net::ClientCertStoreChromeOS( |
- io_data_->use_system_key_slot(), |
- io_data_->username_hash(), |
+ chromeos::CreateProfileFilterFactory(io_data_->cert_db_io_), |
base::Bind(&CreateCryptoModuleBlockingPasswordDelegate, |
chrome::kCryptoModulePasswordClientAuth))); |
#elif defined(USE_NSS) |
@@ -956,10 +832,17 @@ void ProfileIOData::ResourceContext::CreateKeygenHandler( |
base::Passed(&keygen_handler), |
callback); |
+ // If |cert_db_io_| is not available, we're shutting down already. Return the |
+ // KeygenHandler without ChromeNSSCryptoModuleDelegate. |
+ if (!io_data_->cert_db_io_) { |
+ got_delegate_callback.Run(scoped_ptr<ChromeNSSCryptoModuleDelegate>()); |
+ return; |
+ } |
+ |
ChromeNSSCryptoModuleDelegate::CreateForResourceContext( |
chrome::kCryptoModulePasswordKeygen, |
net::HostPortPair::FromURL(url), |
- this, |
+ io_data_->cert_db_io_.get(), |
got_delegate_callback); |
#else |
callback.Run(make_scoped_ptr( |
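Review bot: `io_data_->cert_db_io_.get()` hands a raw pointer to `ChromeNSSCryptoModuleDelegate::CreateForResourceContext`, which appears to complete asynchronously through `got_delegate_callback`. The comment just above says the handle can become unavailable during shutdown, so if the callee keeps that pointer until the callback runs it may outlive the object; the callee is not shown, so this needs confirming. Passing the owning or weak handle instead of `.get()` would settle it, as would a comment stating the lifetime guarantee, such as `// |cert_db_io_| outlives delegate creation because <reason>.`, with `<reason>` a placeholder. CreateKeygenHandler begins and ends outside the hunk.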
@@ -1078,13 +961,8 @@ void ProfileIOData::Init( |
#endif |
#if defined(OS_CHROMEOS) |
- username_hash_ = profile_params_->username_hash; |
- use_system_key_slot_ = profile_params_->use_system_key_slot; |
- if (use_system_key_slot_) |
- EnableNSSSystemKeySlotForResourceContext(resource_context_.get()); |
- |
crypto::ScopedPK11Slot public_slot = |
- crypto::GetPublicSlotForChromeOSUser(username_hash_); |
+ crypto::GetPublicSlotForChromeOSUser(profile_params_->username_hash); |
// The private slot won't be ready by this point. It shouldn't be necessary |
// for cert trust purposes anyway. |
scoped_refptr<net::CertVerifyProc> verify_proc( |