1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chromeos/cert_loader.h"
10 #include "base/location.h"
11 #include "base/message_loop/message_loop_proxy.h"
12 #include "base/strings/string_number_conversions.h"
13 #include "base/task_runner_util.h"
14 #include "base/threading/worker_pool.h"
15 #include "crypto/nss_util.h"
16 #include "net/cert/nss_cert_database.h"
17 #include "net/cert/nss_cert_database_chromeos.h"
18 #include "net/cert/x509_certificate.h"
22 static CertLoader
* g_cert_loader
= NULL
;
25 void CertLoader::Initialize() {
26 CHECK(!g_cert_loader
);
27 g_cert_loader
= new CertLoader();
31 void CertLoader::Shutdown() {
38 CertLoader
* CertLoader::Get() {
39 CHECK(g_cert_loader
) << "CertLoader::Get() called before Initialize()";
44 bool CertLoader::IsInitialized() {
48 CertLoader::CertLoader()
49 : certificates_loaded_(false),
50 certificates_update_required_(false),
51 certificates_update_running_(false),
53 force_hardware_backed_for_test_(false),
54 cert_list_(new net::CertificateList
),
58 CertLoader::~CertLoader() {
59 net::CertDatabase::GetInstance()->RemoveObserver(this);
62 void CertLoader::StartWithNSSDB(net::NSSCertDatabase
* database
) {
66 // Start observing cert database for changes.
67 // Observing net::CertDatabase is preferred over observing |database_|
68 // directly, as |database_| observers receive only events generated directly
69 // by |database_|, so they may miss a few relevant ones.
70 // TODO(tbarzic): Once singleton NSSCertDatabase is removed, investigate if
71 // it would be OK to observe |database_| directly; or change NSSCertDatabase
72 // to send notification on all relevant changes.
73 net::CertDatabase::GetInstance()->AddObserver(this);
78 void CertLoader::AddObserver(CertLoader::Observer
* observer
) {
79 observers_
.AddObserver(observer
);
82 void CertLoader::RemoveObserver(CertLoader::Observer
* observer
) {
83 observers_
.RemoveObserver(observer
);
86 int CertLoader::TPMTokenSlotID() const {
89 return static_cast<int>(PK11_GetSlotID(database_
->GetPrivateSlot().get()));
92 bool CertLoader::IsHardwareBacked() const {
93 return force_hardware_backed_for_test_
||
94 (database_
&& PK11_IsHW(database_
->GetPrivateSlot().get()));
97 bool CertLoader::IsCertificateHardwareBacked(
98 const net::X509Certificate
* cert
) const {
101 return database_
->IsHardwareBacked(cert
);
104 bool CertLoader::CertificatesLoading() const {
105 return database_
&& !certificates_loaded_
;
108 // This is copied from chrome/common/net/x509_certificate_model_nss.cc.
109 // For background see this discussion on dev-tech-crypto.lists.mozilla.org:
110 // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX
112 // NOTE: This function relies on the convention that the same PKCS#11 ID
113 // is shared between a certificate and its associated private and public
114 // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(),
115 // but that always returns NULL on Chrome OS for me.
118 std::string
CertLoader::GetPkcs11IdForCert(const net::X509Certificate
& cert
) {
119 CERTCertificateStr
* cert_handle
= cert
.os_cert_handle();
120 SECKEYPrivateKey
*priv_key
=
121 PK11_FindKeyByAnyCert(cert_handle
, NULL
/* wincx */);
123 return std::string();
125 // Get the CKA_ID attribute for a key.
126 SECItem
* sec_item
= PK11_GetLowLevelKeyIDForPrivateKey(priv_key
);
127 std::string pkcs11_id
;
129 pkcs11_id
= base::HexEncode(sec_item
->data
, sec_item
->len
);
130 SECITEM_FreeItem(sec_item
, PR_TRUE
);
132 SECKEY_DestroyPrivateKey(priv_key
);
137 void CertLoader::LoadCertificates() {
138 CHECK(thread_checker_
.CalledOnValidThread());
139 VLOG(1) << "LoadCertificates: " << certificates_update_running_
;
141 if (certificates_update_running_
) {
142 certificates_update_required_
= true;
146 certificates_update_running_
= true;
147 certificates_update_required_
= false;
149 database_
->ListCerts(
150 base::Bind(&CertLoader::UpdateCertificates
, weak_factory_
.GetWeakPtr()));
153 void CertLoader::UpdateCertificates(
154 scoped_ptr
<net::CertificateList
> cert_list
) {
155 CHECK(thread_checker_
.CalledOnValidThread());
156 DCHECK(certificates_update_running_
);
157 VLOG(1) << "UpdateCertificates: " << cert_list
->size();
159 // Ignore any existing certificates.
160 cert_list_
= cert_list
.Pass();
162 bool initial_load
= !certificates_loaded_
;
163 certificates_loaded_
= true;
164 NotifyCertificatesLoaded(initial_load
);
166 certificates_update_running_
= false;
167 if (certificates_update_required_
)
171 void CertLoader::NotifyCertificatesLoaded(bool initial_load
) {
172 FOR_EACH_OBSERVER(Observer
, observers_
,
173 OnCertificatesLoaded(*cert_list_
, initial_load
));
176 void CertLoader::OnCACertChanged(const net::X509Certificate
* cert
) {
177 // This is triggered when a CA certificate is modified.
178 VLOG(1) << "OnCACertChanged";
182 void CertLoader::OnCertAdded(const net::X509Certificate
* cert
) {
183 // This is triggered when a client certificate is added.
184 VLOG(1) << "OnCertAdded";
188 void CertLoader::OnCertRemoved(const net::X509Certificate
* cert
) {
189 VLOG(1) << "OnCertRemoved";
193 } // namespace chromeos