Copy webkit's test_expectations* files over to content.
[chromium-blink-merge.git] / chromeos / cert_loader.cc
blobdc8715bf6b104a90e1a5087226263e92c341d248
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chromeos/cert_loader.h"
7 #include <algorithm>
9 #include "base/bind.h"
10 #include "base/location.h"
11 #include "base/message_loop/message_loop_proxy.h"
12 #include "base/strings/string_number_conversions.h"
13 #include "base/task_runner_util.h"
14 #include "base/threading/worker_pool.h"
15 #include "crypto/nss_util.h"
16 #include "crypto/scoped_nss_types.h"
17 #include "net/cert/nss_cert_database.h"
18 #include "net/cert/nss_cert_database_chromeos.h"
19 #include "net/cert/x509_certificate.h"
21 namespace chromeos {
23 static CertLoader* g_cert_loader = NULL;
25 // static
26 void CertLoader::Initialize() {
27 CHECK(!g_cert_loader);
28 g_cert_loader = new CertLoader();
31 // static
32 void CertLoader::Shutdown() {
33 CHECK(g_cert_loader);
34 delete g_cert_loader;
35 g_cert_loader = NULL;
38 // static
39 CertLoader* CertLoader::Get() {
40 CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()";
41 return g_cert_loader;
44 // static
45 bool CertLoader::IsInitialized() {
46 return g_cert_loader;
49 CertLoader::CertLoader()
50 : certificates_loaded_(false),
51 certificates_update_required_(false),
52 certificates_update_running_(false),
53 database_(NULL),
54 force_hardware_backed_for_test_(false),
55 cert_list_(new net::CertificateList),
56 weak_factory_(this) {
59 CertLoader::~CertLoader() {
60 net::CertDatabase::GetInstance()->RemoveObserver(this);
63 void CertLoader::StartWithNSSDB(net::NSSCertDatabase* database) {
64 CHECK(!database_);
65 database_ = database;
67 // Start observing cert database for changes.
68 // Observing net::CertDatabase is preferred over observing |database_|
69 // directly, as |database_| observers receive only events generated directly
70 // by |database_|, so they may miss a few relevant ones.
71 // TODO(tbarzic): Once singleton NSSCertDatabase is removed, investigate if
72 // it would be OK to observe |database_| directly; or change NSSCertDatabase
73 // to send notification on all relevant changes.
74 net::CertDatabase::GetInstance()->AddObserver(this);
76 LoadCertificates();
79 void CertLoader::AddObserver(CertLoader::Observer* observer) {
80 observers_.AddObserver(observer);
83 void CertLoader::RemoveObserver(CertLoader::Observer* observer) {
84 observers_.RemoveObserver(observer);
87 bool CertLoader::IsHardwareBacked() const {
88 if (force_hardware_backed_for_test_)
89 return true;
90 if (!database_)
91 return false;
92 crypto::ScopedPK11Slot slot(database_->GetPrivateSlot());
93 if (!slot)
94 return false;
95 return PK11_IsHW(slot.get());
98 bool CertLoader::IsCertificateHardwareBacked(
99 const net::X509Certificate* cert) const {
100 if (!database_)
101 return false;
102 return database_->IsHardwareBacked(cert);
105 bool CertLoader::CertificatesLoading() const {
106 return database_ && !certificates_loaded_;
109 // static
111 // For background see this discussion on dev-tech-crypto.lists.mozilla.org:
112 // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX
114 // NOTE: This function relies on the convention that the same PKCS#11 ID
115 // is shared between a certificate and its associated private and public
116 // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(),
117 // but that always returns NULL on Chrome OS for me.
118 std::string CertLoader::GetPkcs11IdAndSlotForCert(
119 const net::X509Certificate& cert,
120 int* slot_id) {
121 DCHECK(slot_id);
123 CERTCertificateStr* cert_handle = cert.os_cert_handle();
124 SECKEYPrivateKey *priv_key =
125 PK11_FindKeyByAnyCert(cert_handle, NULL /* wincx */);
126 if (!priv_key)
127 return std::string();
129 *slot_id = static_cast<int>(PK11_GetSlotID(priv_key->pkcs11Slot));
131 // Get the CKA_ID attribute for a key.
132 SECItem* sec_item = PK11_GetLowLevelKeyIDForPrivateKey(priv_key);
133 std::string pkcs11_id;
134 if (sec_item) {
135 pkcs11_id = base::HexEncode(sec_item->data, sec_item->len);
136 SECITEM_FreeItem(sec_item, PR_TRUE);
138 SECKEY_DestroyPrivateKey(priv_key);
140 return pkcs11_id;
143 void CertLoader::LoadCertificates() {
144 CHECK(thread_checker_.CalledOnValidThread());
145 VLOG(1) << "LoadCertificates: " << certificates_update_running_;
147 if (certificates_update_running_) {
148 certificates_update_required_ = true;
149 return;
152 certificates_update_running_ = true;
153 certificates_update_required_ = false;
155 database_->ListCerts(
156 base::Bind(&CertLoader::UpdateCertificates, weak_factory_.GetWeakPtr()));
159 void CertLoader::UpdateCertificates(
160 scoped_ptr<net::CertificateList> cert_list) {
161 CHECK(thread_checker_.CalledOnValidThread());
162 DCHECK(certificates_update_running_);
163 VLOG(1) << "UpdateCertificates: " << cert_list->size();
165 // Ignore any existing certificates.
166 cert_list_ = cert_list.Pass();
168 bool initial_load = !certificates_loaded_;
169 certificates_loaded_ = true;
170 NotifyCertificatesLoaded(initial_load);
172 certificates_update_running_ = false;
173 if (certificates_update_required_)
174 LoadCertificates();
177 void CertLoader::NotifyCertificatesLoaded(bool initial_load) {
178 FOR_EACH_OBSERVER(Observer, observers_,
179 OnCertificatesLoaded(*cert_list_, initial_load));
182 void CertLoader::OnCACertChanged(const net::X509Certificate* cert) {
183 // This is triggered when a CA certificate is modified.
184 VLOG(1) << "OnCACertChanged";
185 LoadCertificates();
188 void CertLoader::OnCertAdded(const net::X509Certificate* cert) {
189 // This is triggered when a client certificate is added.
190 VLOG(1) << "OnCertAdded";
191 LoadCertificates();
194 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) {
195 VLOG(1) << "OnCertRemoved";
196 LoadCertificates();
199 } // namespace chromeos