
Unified Diff: chrome/browser/profiles/profile_io_data.cc

Issue 419013003: Replace c/b/nss_context by a KeyedService. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Added Linux implementation. Created 6 years, 3 months ago
Index: chrome/browser/profiles/profile_io_data.cc
diff --git a/chrome/browser/profiles/profile_io_data.cc b/chrome/browser/profiles/profile_io_data.cc
index f949a8ae632efa1dc7065d1c5f1e269ff00c20a3..bbc640048e7f69b0a7df9df7f404c6db4134b4ee 100644
--- a/chrome/browser/profiles/profile_io_data.cc
+++ b/chrome/browser/profiles/profile_io_data.cc
@@ -110,15 +110,12 @@
#include "chrome/browser/chromeos/drive/drive_protocol_handler.h"
#include "chrome/browser/chromeos/login/startup_utils.h"
#include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
-#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
#include "chrome/browser/chromeos/policy/policy_cert_service.h"
#include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
#include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
#include "chrome/browser/chromeos/profiles/profile_helper.h"
#include "chrome/browser/chromeos/settings/cros_settings.h"
-#include "chrome/browser/net/nss_context.h"
-#include "chromeos/dbus/cryptohome_client.h"
-#include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/network/client_cert_store_chromeos.h"
#include "chromeos/settings/cros_settings_names.h"
#include "components/user_manager/user.h"
#include "components/user_manager/user_manager.h"
@@ -126,11 +123,13 @@
#include "crypto/nss_util_internal.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/multi_threaded_cert_verifier.h"
-#include "net/ssl/client_cert_store_chromeos.h"
#endif // defined(OS_CHROMEOS)
#if defined(USE_NSS)
+#include "chrome/browser/net/cert_database_service_factory.h"
#include "chrome/browser/ui/crypto_module_delegate_nss.h"
+#include "components/cert_database/public/cert_database_service.h"
+#include "components/cert_database/public/cert_database_service_io_part.h"
#include "net/ssl/client_cert_store_nss.h"
#endif
@@ -219,113 +218,6 @@ class DebugDevToolsInterceptor : public net::URLRequestInterceptor {
};
#endif // defined(DEBUG_DEVTOOLS)
-#if defined(OS_CHROMEOS)
-// The following four functions are responsible for initializing NSS for each
-// profile on ChromeOS, which has a separate NSS database and TPM slot
-// per-profile.
-//
-// Initialization basically follows these steps:
-// 1) Get some info from user_manager::UserManager about the User for this
-// profile.
-// 2) Tell nss_util to initialize the software slot for this profile.
-// 3) Wait for the TPM module to be loaded by nss_util if it isn't already.
-// 4) Ask CryptohomeClient which TPM slot id corresponds to this profile.
-// 5) Tell nss_util to use that slot id on the TPM module.
-//
-// Some of these steps must happen on the UI thread, others must happen on the
-// IO thread:
-// UI thread IO Thread
-//
-// ProfileIOData::InitializeOnUIThread
-// |
-// ProfileHelper::Get()->GetUserByProfile()
-// \---------------------------------------v
-// StartNSSInitOnIOThread
-// |
-// crypto::InitializeNSSForChromeOSUser
-// |
-// crypto::IsTPMTokenReady
-// |
-// StartTPMSlotInitializationOnIOThread
-// v---------------------------------------/
-// GetTPMInfoForUserOnUIThread
-// |
-// CryptohomeClient::Pkcs11GetTpmTokenInfoForUser
-// |
-// DidGetTPMInfoForUserOnUIThread
-// \---------------------------------------v
-// crypto::InitializeTPMForChromeOSUser
-
-void DidGetTPMInfoForUserOnUIThread(const std::string& username_hash,
- chromeos::DBusMethodCallStatus call_status,
- const std::string& label,
- const std::string& user_pin,
- int slot_id) {
- DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
- if (call_status == chromeos::DBUS_METHOD_CALL_FAILURE) {
- NOTREACHED() << "dbus error getting TPM info for " << username_hash;
- return;
- }
- DVLOG(1) << "Got TPM slot for " << username_hash << ": " << slot_id;
- BrowserThread::PostTask(
- BrowserThread::IO,
- FROM_HERE,
- base::Bind(
- &crypto::InitializeTPMForChromeOSUser, username_hash, slot_id));
-}
-
-void GetTPMInfoForUserOnUIThread(const std::string& username,
- const std::string& username_hash) {
- DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
- DVLOG(1) << "Getting TPM info from cryptohome for "
- << " " << username << " " << username_hash;
- chromeos::DBusThreadManager::Get()
- ->GetCryptohomeClient()
- ->Pkcs11GetTpmTokenInfoForUser(
- username,
- base::Bind(&DidGetTPMInfoForUserOnUIThread, username_hash));
-}
-
-void StartTPMSlotInitializationOnIOThread(const std::string& username,
- const std::string& username_hash) {
- DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
-
- BrowserThread::PostTask(
- BrowserThread::UI,
- FROM_HERE,
- base::Bind(&GetTPMInfoForUserOnUIThread, username, username_hash));
-}
-
-void StartNSSInitOnIOThread(const std::string& username,
- const std::string& username_hash,
- const base::FilePath& path) {
- DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
- DVLOG(1) << "Starting NSS init for username hash:" << username_hash;
-
- // Make sure NSS is initialized for the user.
- crypto::InitializeNSSForChromeOSUser(username_hash, path);
-
- // Check if it's OK to initialize TPM for the user before continuing. This
- // may not be the case if the TPM slot initialization was previously
- // requested for the same user.
- if (!crypto::ShouldInitializeTPMForChromeOSUser(username_hash))
- return;
-
- crypto::WillInitializeTPMForChromeOSUser(username_hash);
-
- if (crypto::IsTPMTokenEnabledForNSS()) {
- if (crypto::IsTPMTokenReady(base::Bind(
- &StartTPMSlotInitializationOnIOThread, username, username_hash))) {
- StartTPMSlotInitializationOnIOThread(username, username_hash);
- } else {
- DVLOG(1) << "Waiting for tpm ready ...";
- }
- } else {
- crypto::InitializePrivateSoftwareSlotForChromeOSUser(username_hash);
- }
-}
-#endif // defined(OS_CHROMEOS)
-
void InvalidateContextGettersOnIO(
scoped_ptr<ProfileIOData::ChromeURLRequestContextGetterVector> getters) {
DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
@@ -375,33 +267,15 @@ void ProfileIOData::InitializeOnUIThread(Profile* profile) {
params->supervised_user_url_filter =
supervised_user_service->GetURLFilterForIOThread();
#endif
+
#if defined(OS_CHROMEOS)
user_manager::UserManager* user_manager = user_manager::UserManager::Get();
if (user_manager) {
user_manager::User* user =
chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
- // No need to initialize NSS for users with empty username hash:
- // Getters for a user's NSS slots always return NULL slot if the user's
- // username hash is empty, even when the NSS is not initialized for the
- // user.
if (user) {
DCHECK(!user->username_hash().empty());
params->username_hash = user->username_hash();
- BrowserThread::PostTask(BrowserThread::IO,
- FROM_HERE,
- base::Bind(&StartNSSInitOnIOThread,
- user->email(),
- user->username_hash(),
- profile->GetPath()));
-
- // Use the device-wide system key slot only if the user is of the same
- // domain as the device is registered to.
- policy::BrowserPolicyConnectorChromeOS* connector =
- g_browser_process->platform_part()
- ->browser_policy_connector_chromeos();
- params->use_system_key_slot =
- connector->GetUserAffiliation(user->email()) ==
- policy::USER_AFFILIATION_MANAGED;
}
}
#endif
@@ -474,6 +348,13 @@ void ProfileIOData::InitializeOnUIThread(Profile* profile) {
network_prediction_options_.MoveToThread(io_message_loop_proxy);
+#if defined(USE_NSS)
+ CertDatabaseService* service =
+ CertDatabaseServiceFactory::GetForBrowserContext(profile);
+ if (service)
+ cert_db_io_ = service->GetIOPart();
+#endif
+
#if defined(OS_CHROMEOS)
scoped_ptr<policy::PolicyCertVerifier> verifier =
policy::PolicyCertServiceFactory::CreateForProfile(profile);
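Review bot: The added `if (service)` leaves `cert_db_io_` unset without saying when `CertDatabaseServiceFactory::GetForBrowserContext` can return null, and nothing here documents what the later users of the handle should do in that case. A comment above the block would help, e.g. `// |service| can be null (TODO: name the profile types); users of cert_db_io_ must treat an unset handle as "no cert database".` The handle is fetched on the UI thread and, judging by its name, is presumably used on the IO thread, so the threading and lifetime contract of the IO part should be stated at the member declaration too. InitializeOnUIThread begins and ends outside this hunk.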
@@ -563,9 +444,6 @@ ProfileIOData::AppRequestContext::~AppRequestContext() {
ProfileIOData::ProfileParams::ProfileParams()
: io_thread(NULL),
-#if defined(OS_CHROMEOS)
- use_system_key_slot(false),
-#endif
profile(NULL) {
}
@@ -575,7 +453,6 @@ ProfileIOData::ProfileIOData(Profile::ProfileType profile_type)
: initialized_(false),
#if defined(OS_CHROMEOS)
policy_cert_verifier_(NULL),
- use_system_key_slot_(false),
#endif
resource_context_(new ResourceContext(this)),
initialized_on_UI_thread_(false),
@@ -900,9 +777,8 @@ ProfileIOData::ResourceContext::CreateClientCertStore() {
if (!io_data_->client_cert_store_factory_.is_null())
return io_data_->client_cert_store_factory_.Run();
#if defined(OS_CHROMEOS)
- return scoped_ptr<net::ClientCertStore>(new net::ClientCertStoreChromeOS(
- io_data_->use_system_key_slot(),
- io_data_->username_hash(),
+ return scoped_ptr<net::ClientCertStore>(new chromeos::ClientCertStoreChromeOS(
+ io_data_->cert_db_io_,
base::Bind(&CreateCryptoModuleBlockingPasswordDelegate,
chrome::kCryptoModulePasswordClientAuth)));
#elif defined(USE_NSS)
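Review bot: `io_data_->cert_db_io_` is passed to `chromeos::ClientCertStoreChromeOS` with no check that it is set, although InitializeOnUIThread assigns it only when the service exists and CreateKeygenHandler (the `@@ -942` hunk) tests it before use. Unless the store's constructor tolerates an unset handle, guard it the same way here, e.g. `if (!io_data_->cert_db_io_) return scoped_ptr<net::ClientCertStore>();`, provided callers accept an empty store. The call also no longer passes `use_system_key_slot()`, so the user-affiliation check that gated the device-wide system key slot has to be enforced behind the cert database service; that is not visible in this file and is worth confirming before landing. CreateClientCertStore continues outside the hunk.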
@@ -942,7 +818,9 @@ void ProfileIOData::ResourceContext::CreateKeygenHandler(
base::Closure bound_callback =
base::Bind(callback, base::Passed(&keygen_handler));
- if (delegate_ptr->InitializeSlot(this, bound_callback)) {
+ if (io_data_->cert_db_io_ &&
+ delegate_ptr->InitializeSlot(bound_callback,
+ io_data_->cert_db_io_.get())) {
// Initialization complete, run the callback synchronously.
bound_callback.Run();
return;
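Review bot: When `io_data_->cert_db_io_` is unset the new condition short-circuits, `InitializeSlot` is never called, and control falls past the `if` with nobody left to run `bound_callback`. If the code after this hunk assumes `InitializeSlot` will run the callback asynchronously, the keygen request would never complete for such a profile. Handle the unset case explicitly before the `if`, either by completing the request on a defined failure path or by documenting why the handle cannot be unset here. The rest of CreateKeygenHandler is outside the hunk, so the correct failure path has to be checked there.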
@@ -1081,10 +959,6 @@ void ProfileIOData::Init(
#if defined(OS_CHROMEOS)
username_hash_ = profile_params_->username_hash;
- use_system_key_slot_ = profile_params_->use_system_key_slot;
- if (use_system_key_slot_)
- EnableNSSSystemKeySlotForResourceContext(resource_context_.get());
-
crypto::ScopedPK11Slot public_slot =
crypto::GetPublicSlotForChromeOSUser(username_hash_);
// The private slot won't be ready by this point. It shouldn't be necessary
