search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add kSupportedVersion constant to net::websockets
[chromium-blink-merge.git] / chromeos / cert_loader.cc
blob5752ada71dc0cc361df5c5b8a020ee1f2b16e917
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chromeos/cert_loader.h"
6
7 #include <algorithm>
8
9 #include "base/message_loop/message_loop_proxy.h"
10 #include "base/observer_list.h"
11 #include "base/sequenced_task_runner.h"
12 #include "base/strings/string_number_conversions.h"
13 #include "base/sys_info.h"
14 #include "base/task_runner_util.h"
15 #include "base/threading/worker_pool.h"
16 #include "chromeos/dbus/cryptohome_client.h"
17 #include "chromeos/dbus/dbus_thread_manager.h"
18 #include "crypto/encryptor.h"
19 #include "crypto/nss_util.h"
20 #include "crypto/sha2.h"
21 #include "crypto/symmetric_key.h"
22 #include "net/cert/nss_cert_database.h"
23
24 namespace chromeos {
25
26 namespace {
27
28 const int64 kInitialRequestDelayMs = 100;
29 const int64 kMaxRequestDelayMs = 300000; // 5 minutes
30
31 // Calculates the delay before running next attempt to initiatialize the TPM
32 // token, if |last_delay| was the last or initial delay.
33 base::TimeDelta GetNextRequestDelayMs(base::TimeDelta last_delay) {
34 // This implements an exponential backoff, as we don't know in which order of
35 // magnitude the TPM token changes it's state.
36 base::TimeDelta next_delay = last_delay * 2;
37
38 // Cap the delay to prevent an overflow. This threshold is arbitrarily chosen.
39 const base::TimeDelta max_delay =
40 base::TimeDelta::FromMilliseconds(kMaxRequestDelayMs);
41 if (next_delay > max_delay)
42 next_delay = max_delay;
43 return next_delay;
44 }
45
46 void LoadNSSCertificates(net::CertificateList* cert_list) {
47 net::NSSCertDatabase::GetInstance()->ListCerts(cert_list);
48 }
49
50 void CallOpenPersistentNSSDB() {
51 // Called from crypto_task_runner_.
52 VLOG(1) << "CallOpenPersistentNSSDB";
53
54 // Ensure we've opened the user's key/certificate database.
55 if (base::SysInfo::IsRunningOnChromeOS())
56 crypto::OpenPersistentNSSDB();
57 crypto::EnableTPMTokenForNSS();
58 }
59
60 } // namespace
61
62 static CertLoader* g_cert_loader = NULL;
63
64 // static
65 void CertLoader::Initialize() {
66 CHECK(!g_cert_loader);
67 g_cert_loader = new CertLoader();
68 }
69
70 // static
71 void CertLoader::Shutdown() {
72 CHECK(g_cert_loader);
73 delete g_cert_loader;
74 g_cert_loader = NULL;
75 }
76
77 // static
78 CertLoader* CertLoader::Get() {
79 CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()";
80 return g_cert_loader;
81 }
82
83 // static
84 bool CertLoader::IsInitialized() {
85 return g_cert_loader;
86 }
87
88 CertLoader::CertLoader()
89 : initialize_tpm_for_test_(false),
90 certificates_requested_(false),
91 certificates_loaded_(false),
92 certificates_update_required_(false),
93 certificates_update_running_(false),
94 tpm_token_state_(TPM_STATE_UNKNOWN),
95 tpm_request_delay_(
96 base::TimeDelta::FromMilliseconds(kInitialRequestDelayMs)),
97 tpm_token_slot_id_(-1),
98 initialize_token_factory_(this),
99 update_certificates_factory_(this) {
100 if (LoginState::IsInitialized())
101 LoginState::Get()->AddObserver(this);
102 }
103
104 void CertLoader::InitializeTPMForTest() {
105 initialize_tpm_for_test_ = true;
106 }
107
108 void CertLoader::SetCryptoTaskRunner(
109 const scoped_refptr<base::SequencedTaskRunner>& crypto_task_runner) {
110 crypto_task_runner_ = crypto_task_runner;
111 MaybeRequestCertificates();
112 }
113
114 void CertLoader::SetSlowTaskRunnerForTest(
115 const scoped_refptr<base::TaskRunner>& task_runner) {
116 slow_task_runner_for_test_ = task_runner;
117 }
118
119 CertLoader::~CertLoader() {
120 net::CertDatabase::GetInstance()->RemoveObserver(this);
121 if (LoginState::IsInitialized())
122 LoginState::Get()->RemoveObserver(this);
123 }
124
125 void CertLoader::AddObserver(CertLoader::Observer* observer) {
126 observers_.AddObserver(observer);
127 }
128
129 void CertLoader::RemoveObserver(CertLoader::Observer* observer) {
130 observers_.RemoveObserver(observer);
131 }
132
133 bool CertLoader::CertificatesLoading() const {
134 return certificates_requested_ && !certificates_loaded_;
135 }
136
137 bool CertLoader::IsHardwareBacked() const {
138 return !tpm_token_name_.empty();
139 }
140
141 void CertLoader::MaybeRequestCertificates() {
142 CHECK(thread_checker_.CalledOnValidThread());
143
144 // This is the entry point to the TPM token initialization process,
145 // which we should do at most once.
146 if (certificates_requested_ || !crypto_task_runner_.get())
147 return;
148
149 if (!LoginState::IsInitialized())
150 return;
151
152 bool request_certificates = LoginState::Get()->IsUserLoggedIn() ||
153 LoginState::Get()->IsInSafeMode();
154
155 VLOG(1) << "RequestCertificates: " << request_certificates;
156 if (!request_certificates)
157 return;
158
159 certificates_requested_ = true;
160
161 // Ensure we only initialize the TPM token once.
162 DCHECK_EQ(tpm_token_state_, TPM_STATE_UNKNOWN);
163 if (!initialize_tpm_for_test_ && !base::SysInfo::IsRunningOnChromeOS())
164 tpm_token_state_ = TPM_DISABLED;
165
166 // Treat TPM as disabled for guest users since they do not store certs.
167 if (LoginState::Get()->IsGuestUser())
168 tpm_token_state_ = TPM_DISABLED;
169
170 InitializeTokenAndLoadCertificates();
171 }
172
173 void CertLoader::InitializeTokenAndLoadCertificates() {
174 CHECK(thread_checker_.CalledOnValidThread());
175 VLOG(1) << "InitializeTokenAndLoadCertificates: " << tpm_token_state_;
176
177 switch (tpm_token_state_) {
178 case TPM_STATE_UNKNOWN: {
179 crypto_task_runner_->PostTaskAndReply(
180 FROM_HERE,
181 base::Bind(&CallOpenPersistentNSSDB),
182 base::Bind(&CertLoader::OnPersistentNSSDBOpened,
183 initialize_token_factory_.GetWeakPtr()));
184 return;
185 }
186 case TPM_DB_OPENED: {
187 DBusThreadManager::Get()->GetCryptohomeClient()->TpmIsEnabled(
188 base::Bind(&CertLoader::OnTpmIsEnabled,
189 initialize_token_factory_.GetWeakPtr()));
190 return;
191 }
192 case TPM_DISABLED: {
193 // TPM is disabled, so proceed with empty tpm token name.
194 StartLoadCertificates();
195 return;
196 }
197 case TPM_ENABLED: {
198 DBusThreadManager::Get()->GetCryptohomeClient()->Pkcs11IsTpmTokenReady(
199 base::Bind(&CertLoader::OnPkcs11IsTpmTokenReady,
200 initialize_token_factory_.GetWeakPtr()));
201 return;
202 }
203 case TPM_TOKEN_READY: {
204 // Retrieve token_name_ and user_pin_ here since they will never change
205 // and CryptohomeClient calls are not thread safe.
206 DBusThreadManager::Get()->GetCryptohomeClient()->Pkcs11GetTpmTokenInfo(
207 base::Bind(&CertLoader::OnPkcs11GetTpmTokenInfo,
208 initialize_token_factory_.GetWeakPtr()));
209 return;
210 }
211 case TPM_TOKEN_INFO_RECEIVED: {
212 base::PostTaskAndReplyWithResult(
213 crypto_task_runner_.get(),
214 FROM_HERE,
215 base::Bind(&crypto::InitializeTPMToken,
216 tpm_token_name_,
217 tpm_token_slot_id_,
218 tpm_user_pin_),
219 base::Bind(&CertLoader::OnTPMTokenInitialized,
220 initialize_token_factory_.GetWeakPtr()));
221 return;
222 }
223 case TPM_TOKEN_INITIALIZED: {
224 StartLoadCertificates();
225 return;
226 }
227 }
228 }
229
230 void CertLoader::RetryTokenInitializationLater() {
231 CHECK(thread_checker_.CalledOnValidThread());
232 LOG(WARNING) << "Retry token initialization later.";
233 base::MessageLoop::current()->PostDelayedTask(
234 FROM_HERE,
235 base::Bind(&CertLoader::InitializeTokenAndLoadCertificates,
236 initialize_token_factory_.GetWeakPtr()),
237 tpm_request_delay_);
238 tpm_request_delay_ = GetNextRequestDelayMs(tpm_request_delay_);
239 }
240
241 void CertLoader::OnPersistentNSSDBOpened() {
242 VLOG(1) << "PersistentNSSDBOpened";
243 tpm_token_state_ = TPM_DB_OPENED;
244 InitializeTokenAndLoadCertificates();
245 }
246
247 // This is copied from chrome/common/net/x509_certificate_model_nss.cc.
248 // For background see this discussion on dev-tech-crypto.lists.mozilla.org:
249 // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX
250 //
251 // NOTE: This function relies on the convention that the same PKCS#11 ID
252 // is shared between a certificate and its associated private and public
253 // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(),
254 // but that always returns NULL on Chrome OS for me.
255
256 // static
257 std::string CertLoader::GetPkcs11IdForCert(const net::X509Certificate& cert) {
258 CERTCertificateStr* cert_handle = cert.os_cert_handle();
259 SECKEYPrivateKey *priv_key =
260 PK11_FindKeyByAnyCert(cert_handle, NULL /* wincx */);
261 if (!priv_key)
262 return std::string();
263
264 // Get the CKA_ID attribute for a key.
265 SECItem* sec_item = PK11_GetLowLevelKeyIDForPrivateKey(priv_key);
266 std::string pkcs11_id;
267 if (sec_item) {
268 pkcs11_id = base::HexEncode(sec_item->data, sec_item->len);
269 SECITEM_FreeItem(sec_item, PR_TRUE);
270 }
271 SECKEY_DestroyPrivateKey(priv_key);
272
273 return pkcs11_id;
274 }
275
276 void CertLoader::OnTpmIsEnabled(DBusMethodCallStatus call_status,
277 bool tpm_is_enabled) {
278 VLOG(1) << "OnTpmIsEnabled: " << tpm_is_enabled;
279
280 if (call_status == DBUS_METHOD_CALL_SUCCESS && tpm_is_enabled)
281 tpm_token_state_ = TPM_ENABLED;
282 else
283 tpm_token_state_ = TPM_DISABLED;
284
285 InitializeTokenAndLoadCertificates();
286 }
287
288 void CertLoader::OnPkcs11IsTpmTokenReady(DBusMethodCallStatus call_status,
289 bool is_tpm_token_ready) {
290 VLOG(1) << "OnPkcs11IsTpmTokenReady: " << is_tpm_token_ready;
291
292 if (call_status == DBUS_METHOD_CALL_FAILURE || !is_tpm_token_ready) {
293 RetryTokenInitializationLater();
294 return;
295 }
296
297 tpm_token_state_ = TPM_TOKEN_READY;
298 InitializeTokenAndLoadCertificates();
299 }
300
301 void CertLoader::OnPkcs11GetTpmTokenInfo(DBusMethodCallStatus call_status,
302 const std::string& token_name,
303 const std::string& user_pin,
304 int token_slot_id) {
305 VLOG(1) << "OnPkcs11GetTpmTokenInfo: " << token_name;
306
307 if (call_status == DBUS_METHOD_CALL_FAILURE) {
308 RetryTokenInitializationLater();
309 return;
310 }
311
312 tpm_token_name_ = token_name;
313 tpm_token_slot_id_ = token_slot_id;
314 tpm_user_pin_ = user_pin;
315 tpm_token_state_ = TPM_TOKEN_INFO_RECEIVED;
316
317 InitializeTokenAndLoadCertificates();
318 }
319
320 void CertLoader::OnTPMTokenInitialized(bool success) {
321 VLOG(1) << "OnTPMTokenInitialized: " << success;
322 if (!success) {
323 RetryTokenInitializationLater();
324 return;
325 }
326 tpm_token_state_ = TPM_TOKEN_INITIALIZED;
327 InitializeTokenAndLoadCertificates();
328 }
329
330 void CertLoader::StartLoadCertificates() {
331 DCHECK(!certificates_loaded_ && !certificates_update_running_);
332 net::CertDatabase::GetInstance()->AddObserver(this);
333 LoadCertificates();
334 }
335
336 void CertLoader::LoadCertificates() {
337 CHECK(thread_checker_.CalledOnValidThread());
338 VLOG(1) << "LoadCertificates: " << certificates_update_running_;
339
340 if (certificates_update_running_) {
341 certificates_update_required_ = true;
342 return;
343 }
344
345 net::CertificateList* cert_list = new net::CertificateList;
346 certificates_update_running_ = true;
347 certificates_update_required_ = false;
348
349 base::TaskRunner* task_runner = slow_task_runner_for_test_.get();
350 if (!task_runner)
351 task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */);
352 task_runner->PostTaskAndReply(
353 FROM_HERE,
354 base::Bind(LoadNSSCertificates, cert_list),
355 base::Bind(&CertLoader::UpdateCertificates,
356 update_certificates_factory_.GetWeakPtr(),
357 base::Owned(cert_list)));
358 }
359
360 void CertLoader::UpdateCertificates(net::CertificateList* cert_list) {
361 CHECK(thread_checker_.CalledOnValidThread());
362 DCHECK(certificates_update_running_);
363 VLOG(1) << "UpdateCertificates: " << cert_list->size();
364
365 // Ignore any existing certificates.
366 cert_list_.swap(*cert_list);
367
368 bool initial_load = !certificates_loaded_;
369 certificates_loaded_ = true;
370 NotifyCertificatesLoaded(initial_load);
371
372 certificates_update_running_ = false;
373 if (certificates_update_required_)
374 LoadCertificates();
375 }
376
377 void CertLoader::NotifyCertificatesLoaded(bool initial_load) {
378 FOR_EACH_OBSERVER(Observer, observers_,
379 OnCertificatesLoaded(cert_list_, initial_load));
380 }
381
382 void CertLoader::OnCACertChanged(const net::X509Certificate* cert) {
383 // This is triggered when a CA certificate is modified.
384 VLOG(1) << "OnCACertChanged";
385 LoadCertificates();
386 }
387
388 void CertLoader::OnCertAdded(const net::X509Certificate* cert) {
389 // This is triggered when a client certificate is added.
390 VLOG(1) << "OnCertAdded";
391 LoadCertificates();
392 }
393
394 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) {
395 VLOG(1) << "OnCertRemoved";
396 LoadCertificates();
397 }
398
399 void CertLoader::LoggedInStateChanged() {
400 VLOG(1) << "LoggedInStateChanged";
401 MaybeRequestCertificates();
402 }
403
404 } // namespace chromeos