Replace c/b/nss_context by a KeyedService.

chrome/browser/profiles/profile_io_data.cc

Index: chrome/browser/profiles/profile_io_data.cc
diff --git a/chrome/browser/profiles/profile_io_data.cc b/chrome/browser/profiles/profile_io_data.cc
index 1b7979bb0a0aa3e79ca90d4d32c994962a770ea3..06a83cbe8cab3126271ac70f0a59ae87d76a0268 100644
--- a/chrome/browser/profiles/profile_io_data.cc
+++ b/chrome/browser/profiles/profile_io_data.cc
@@ -119,15 +119,11 @@
 #include "chrome/browser/chromeos/login/startup_utils.h"
 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
 #include "chrome/browser/chromeos/net/client_cert_filter_chromeos.h"
-#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
-#include "chrome/browser/net/nss_context.h"
-#include "chromeos/dbus/cryptohome_client.h"
-#include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/settings/cros_settings_names.h"
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
@@ -139,7 +135,10 @@
 #endif  // defined(OS_CHROMEOS)
 
 #if defined(USE_NSS)
+#include "chrome/browser/net/cert_database_service_factory.h"
 #include "chrome/browser/ui/crypto_module_delegate_nss.h"
+#include "components/cert_database/public/cert_database_service.h"
+#include "components/cert_database/public/cert_database_service_io_part.h"
 #include "net/ssl/client_cert_store_nss.h"
 #endif
 
@@ -228,114 +227,6 @@ class DebugDevToolsInterceptor : public net::URLRequestInterceptor {
 };
 #endif  // defined(DEBUG_DEVTOOLS)
 
-#if defined(OS_CHROMEOS)
-// The following four functions are responsible for initializing NSS for each
-// profile on ChromeOS, which has a separate NSS database and TPM slot
-// per-profile.
-//
-// Initialization basically follows these steps:
-// 1) Get some info from user_manager::UserManager about the User for this
-// profile.
-// 2) Tell nss_util to initialize the software slot for this profile.
-// 3) Wait for the TPM module to be loaded by nss_util if it isn't already.
-// 4) Ask CryptohomeClient which TPM slot id corresponds to this profile.
-// 5) Tell nss_util to use that slot id on the TPM module.
-//
-// Some of these steps must happen on the UI thread, others must happen on the
-// IO thread:
-//               UI thread                              IO Thread
-//
-//  ProfileIOData::InitializeOnUIThread
-//                   |
-//  ProfileHelper::Get()->GetUserByProfile()
-//                   \---------------------------------------v
-//                                                 StartNSSInitOnIOThread
-//                                                           |
-//                                          crypto::InitializeNSSForChromeOSUser
-//                                                           |
-//                                                crypto::IsTPMTokenReady
-//                                                           |
-//                                          StartTPMSlotInitializationOnIOThread
-//                   v---------------------------------------/
-//     GetTPMInfoForUserOnUIThread
-//                   |
-// CryptohomeClient::Pkcs11GetTpmTokenInfoForUser
-//                   |
-//     DidGetTPMInfoForUserOnUIThread
-//                   \---------------------------------------v
-//                                          crypto::InitializeTPMForChromeOSUser
-
-void DidGetTPMInfoForUserOnUIThread(const std::string& username_hash,
-                                    chromeos::DBusMethodCallStatus call_status,
-                                    const std::string& label,
-                                    const std::string& user_pin,
-                                    int slot_id) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  if (call_status == chromeos::DBUS_METHOD_CALL_FAILURE) {
-    NOTREACHED() << "dbus error getting TPM info for " << username_hash;
-    return;
-  }
-  DVLOG(1) << "Got TPM slot for " << username_hash << ": " << slot_id;
-  BrowserThread::PostTask(
-      BrowserThread::IO,
-      FROM_HERE,
-      base::Bind(
-          &crypto::InitializeTPMForChromeOSUser, username_hash, slot_id));
-}
-
-void GetTPMInfoForUserOnUIThread(const std::string& username,
-                                 const std::string& username_hash) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  DVLOG(1) << "Getting TPM info from cryptohome for "
-           << " " << username << " " << username_hash;
-  chromeos::DBusThreadManager::Get()
-      ->GetCryptohomeClient()
-      ->Pkcs11GetTpmTokenInfoForUser(
-            username,
-            base::Bind(&DidGetTPMInfoForUserOnUIThread, username_hash));
-}
-
-void StartTPMSlotInitializationOnIOThread(const std::string& username,
-                                          const std::string& username_hash) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
-
-  BrowserThread::PostTask(
-      BrowserThread::UI,
-      FROM_HERE,
-      base::Bind(&GetTPMInfoForUserOnUIThread, username, username_hash));
-}
-
-void StartNSSInitOnIOThread(const std::string& username,
-                            const std::string& username_hash,
-                            const base::FilePath& path) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
-  DVLOG(1) << "Starting NSS init for " << username
-           << "  hash:" << username_hash;
-
-  // Make sure NSS is initialized for the user.
-  crypto::InitializeNSSForChromeOSUser(username_hash, path);
-
-  // Check if it's OK to initialize TPM for the user before continuing. This
-  // may not be the case if the TPM slot initialization was previously
-  // requested for the same user.
-  if (!crypto::ShouldInitializeTPMForChromeOSUser(username_hash))
-    return;
-
-  crypto::WillInitializeTPMForChromeOSUser(username_hash);
-
-  if (crypto::IsTPMTokenEnabledForNSS()) {
-    if (crypto::IsTPMTokenReady(base::Bind(
-            &StartTPMSlotInitializationOnIOThread, username, username_hash))) {
-      StartTPMSlotInitializationOnIOThread(username, username_hash);
-    } else {
-      DVLOG(1) << "Waiting for tpm ready ...";
-    }
-  } else {
-    crypto::InitializePrivateSoftwareSlotForChromeOSUser(username_hash);
-  }
-}
-#endif  // defined(OS_CHROMEOS)
-
 #if defined(USE_NSS)
 void InitializeAndPassKeygenHandler(
     scoped_ptr<net::KeygenHandler> keygen_handler,
@@ -408,28 +299,9 @@ void ProfileIOData::InitializeOnUIThread(Profile* profile) {
   if (user_manager) {
     user_manager::User* user =
         chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
-    // No need to initialize NSS for users with empty username hash:
-    // Getters for a user's NSS slots always return NULL slot if the user's
-    // username hash is empty, even when the NSS is not initialized for the
-    // user.
     if (user && !user->username_hash().empty()) {
       params->username_hash = user->username_hash();
       DCHECK(!params->username_hash.empty());
-      BrowserThread::PostTask(BrowserThread::IO,
-                              FROM_HERE,
-                              base::Bind(&StartNSSInitOnIOThread,
-                                         user->email(),
-                                         user->username_hash(),
-                                         profile->GetPath()));
-
-      // Use the device-wide system key slot only if the user is of the same
-      // domain as the device is registered to.
-      policy::BrowserPolicyConnectorChromeOS* connector =
-          g_browser_process->platform_part()
-              ->browser_policy_connector_chromeos();
-      params->use_system_key_slot =
-          connector->GetUserAffiliation(user->email()) ==
-          policy::USER_AFFILIATION_MANAGED;
     }
   }
 #endif
@@ -497,6 +369,13 @@ void ProfileIOData::InitializeOnUIThread(Profile* profile) {
 
   network_prediction_options_.MoveToThread(io_message_loop_proxy);
 
+#if defined(USE_NSS)
+  cert_database::CertDatabaseService* service =
+      cert_database::CertDatabaseServiceFactory::GetForBrowserContext(profile);
+  if (service)
+    cert_db_io_ = service->GetIOPart();
+#endif
+
 #if defined(OS_CHROMEOS)
   scoped_ptr<policy::PolicyCertVerifier> verifier =
       policy::PolicyCertServiceFactory::CreateForProfile(profile);
@@ -586,9 +465,6 @@ ProfileIOData::AppRequestContext::~AppRequestContext() {
 
 ProfileIOData::ProfileParams::ProfileParams()
     : io_thread(NULL),
-#if defined(OS_CHROMEOS)
-      use_system_key_slot(false),
-#endif
       profile(NULL) {
 }
 
@@ -598,7 +474,6 @@ ProfileIOData::ProfileIOData(Profile::ProfileType profile_type)
     : initialized_(false),
 #if defined(OS_CHROMEOS)
       policy_cert_verifier_(NULL),
-      use_system_key_slot_(false),
 #endif
       resource_context_(new ResourceContext(this)),
       initialized_on_UI_thread_(false),
@@ -916,8 +791,8 @@ ProfileIOData::ResourceContext::CreateClientCertStore() {
     return io_data_->client_cert_store_factory_.Run();
 #if defined(OS_CHROMEOS)
   return scoped_ptr<net::ClientCertStore>(new net::ClientCertStoreChromeOS(
-      make_scoped_ptr(new chromeos::ClientCertFilterChromeOS(
-          io_data_->use_system_key_slot(), io_data_->username_hash())),
+      make_scoped_ptr(
+          new chromeos::ClientCertFilterChromeOS(io_data_->cert_db_io_)),
       base::Bind(&CreateCryptoModuleBlockingPasswordDelegate,
                  chrome::kCryptoModulePasswordClientAuth)));
 #elif defined(USE_NSS)
@@ -953,10 +828,17 @@ void ProfileIOData::ResourceContext::CreateKeygenHandler(
                                          base::Passed(&keygen_handler),
                                          callback);
 
-  ChromeNSSCryptoModuleDelegate::CreateForResourceContext(
+  // If |cert_db_io_| is not available, we're shutting down already. Return the

[mmenke, 2014/11/04 20:02:18]

nit:  Don't use "we" in comments.

[pneubeck (no reviews), 2014/11/05 14:53:38]

Done.

+  // KeygenHandler without ChromeNSSCryptoModuleDelegate.
+  if (!io_data_->cert_db_io_) {
+    got_delegate_callback.Run(scoped_ptr<ChromeNSSCryptoModuleDelegate>());
+    return;
+  }
+
+  ChromeNSSCryptoModuleDelegate::CreateForCertDatabase(
       chrome::kCryptoModulePasswordKeygen,
       net::HostPortPair::FromURL(url),
-      this,
+      io_data_->cert_db_io_.get(),
       got_delegate_callback);
 #else
   callback.Run(make_scoped_ptr(
@@ -1073,13 +955,8 @@ void ProfileIOData::Init(
 #endif
 
 #if defined(OS_CHROMEOS)
-  username_hash_ = profile_params_->username_hash;
-  use_system_key_slot_ = profile_params_->use_system_key_slot;
-  if (use_system_key_slot_)
-    EnableNSSSystemKeySlotForResourceContext(resource_context_.get());
-
   crypto::ScopedPK11Slot public_slot =
-      crypto::GetPublicSlotForChromeOSUser(username_hash_);
+      crypto::GetPublicSlotForChromeOSUser(profile_params_->username_hash);
   // The private slot won't be ready by this point. It shouldn't be necessary
   // for cert trust purposes anyway.
   scoped_refptr<net::CertVerifyProc> verify_proc(