Roll src/third_party/WebKit d9c6159:8139f33 (svn 201974:201975)
[chromium-blink-merge.git] / chrome / browser / chromeos / certificate_provider / certificate_provider_service.h
blob5fc84ea0f77cb7606bdd0d96b19c7873f99e6911
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_CHROMEOS_CERTIFICATE_PROVIDER_CERTIFICATE_PROVIDER_SERVICE_H_
6 #define CHROME_BROWSER_CHROMEOS_CERTIFICATE_PROVIDER_CERTIFICATE_PROVIDER_SERVICE_H_
8 #include <stdint.h>
10 #include <map>
11 #include <string>
12 #include <vector>
14 #include "base/callback_forward.h"
15 #include "base/macros.h"
16 #include "base/memory/ref_counted.h"
17 #include "base/memory/scoped_ptr.h"
18 #include "base/memory/weak_ptr.h"
19 #include "base/threading/thread_checker.h"
20 #include "chrome/browser/chromeos/certificate_provider/certificate_info.h"
21 #include "chrome/browser/chromeos/certificate_provider/certificate_requests.h"
22 #include "chrome/browser/chromeos/certificate_provider/sign_requests.h"
23 #include "chrome/browser/chromeos/certificate_provider/thread_safe_certificate_map.h"
24 #include "components/keyed_service/core/keyed_service.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/ssl/ssl_private_key.h"
28 namespace chromeos {
30 class CertificateProvider;
32 // A keyed service that manages registrations of extensions as certificate
33 // providers. It exposes all certificates that are provided by extensions
34 // through a |CertificateProvider| object that can be created using
35 // |CreateCertificateProvider()|. Private key handles are exposed through
36 // net::ClientKeyStore. Sign operations are routed to the extension that exposed
37 // the certificate.
39 // The typical order of execution is as follows:
40 // 1. HTTPS server requests client certs or
41 // chrome.platformKeys.selectClientCertificates is called.
42 // 2. This starts the certificate request with ID x.
43 // 3. All extensions registered for the event onClientCertificatesRequested are
44 // notified, the exposed callback is bound to request ID x.
45 // 4. Wait for all extensions to reply to request with ID x
46 // or time out.
47 // 5. Filter all certificates from extensions that replied to request with ID x
48 // and from the platform.
49 // 6. Show the selection dialog, user will select one.
50 // 7. Create private key handle. As this call is not associated with a specific
51 // certificate request it looks at the certificate list obtained by the most
52 // recent certificate request (execution of 3-5), which may or may not have
53 // had ID x.
54 // 8. Sign() function of the key handle is called.
55 // 9. Forward the sign request to the extension that registered the
56 // certificate. This request has a new sign request ID y.
57 // 10. Wait until the extension replies with the signature or fails the sign
58 // request with ID y.
59 // 11. Forward the signature or failure as result of the key handle's Sign()
60 // function.
61 class CertificateProviderService : public KeyedService {
62 public:
63 using CertificateInfo = certificate_provider::CertificateInfo;
64 using CertificateInfoList = certificate_provider::CertificateInfoList;
66 class Delegate {
67 public:
68 Delegate() {}
69 virtual ~Delegate() {}
71 // Returns the ids of the extensions that want to provide certificates and
72 // therefore want to be notified about certificate requests. This is called
73 // once per client certificate request by the net layer.
74 virtual std::vector<std::string> CertificateProviderExtensions() = 0;
76 // Broadcasts a certificate request with |cert_request_id| to all
77 // certificate provider extensions.
78 virtual void BroadcastCertificateRequest(int cert_request_id) = 0;
80 // Dispatches a sign request with the given arguments to the extension with
81 // id |extension_id|. Returns whether that extension is actually a listener
82 // for that event.
83 virtual bool DispatchSignRequestToExtension(
84 const std::string& extension_id,
85 int sign_request_id,
86 net::SSLPrivateKey::Hash hash,
87 const scoped_refptr<net::X509Certificate>& certificate,
88 const std::string& digest) = 0;
90 private:
91 DISALLOW_COPY_AND_ASSIGN(Delegate);
94 // |SetDelegate| must be called exactly once directly after construction.
95 CertificateProviderService();
96 ~CertificateProviderService() override;
98 // Must be called exactly once after construction and before other methods are
99 // called. The delegate will be destroyed in the destructor of the service and
100 // not before, which allows to unregister observers (e.g. for
101 // OnExtensionUnloaded) in the delegate's destructor on behalf of the service.
102 void SetDelegate(scoped_ptr<Delegate> delegate);
104 // Must be called with the reply of an extension to a previous certificate
105 // request. For each request, it is expected that every registered extension
106 // replies exactly once with the latest list of certificates.
107 // |cert_request_id| must refer to a previously broadcast certificate request.
108 // Returns false and ignores the call if the request id is unknown or it was
109 // called before with the same combination of request id and extension id.
110 // E.g. the request could have timed out before an extension replies.
111 bool SetCertificatesProvidedByExtension(
112 const std::string& extension_id,
113 int cert_request_id,
114 const CertificateInfoList& certificate_infos);
116 // Must be called with the reply of an extension to a previous sign request.
117 // |sign_request_id| is provided in the reply of the extension and must refer
118 // to a previous sign request. The extension id must be provided, because
119 // not the sign request id alone but only the pair (extension id, sign request
120 // id) is unambiguous.
121 // If the signature could be calculated by the extension, |signature| is
122 // provided in the reply and should be the signature of the digest sent in the
123 // sign request. Otherwise, in case of a failure, |signature| must be empty.
124 // The call is ignored if |sign_request_id| is not referring to a pending
125 // request.
126 void ReplyToSignRequest(const std::string& extension_id,
127 int sign_request_id,
128 const std::vector<uint8_t>& signature);
130 // Returns a CertificateProvider that always returns the latest list of
131 // certificates that are provided by all registered extensions. Therefore, it
132 // is sufficient to create the CertificateProvider once and then repeatedly
133 // call its |GetCertificates()|. The returned provider is valid even after the
134 // destruction of this service.
135 // The returned provider can be used on any thread.
136 scoped_ptr<CertificateProvider> CreateCertificateProvider();
138 // Must be called if extension with id |extension_id| is unloaded and cannot
139 // serve certificates anymore. This should be called everytime the
140 // corresponding notification of the ExtensionRegistry is triggered.
141 void OnExtensionUnloaded(const std::string& extension_id);
143 private:
144 class CertKeyProviderImpl;
145 class CertificateProviderImpl;
146 class SSLPrivateKey;
148 // Requests the current list of certificates from every registered extension.
149 // Once all extensions replied or a timeout was reached, the internal
150 // |extension_to_certificates_| is updated and |callback| is run with the
151 // retrieved list of certificates.
152 void GetCertificatesFromExtensions(
153 const base::Callback<void(const net::CertificateList&)>& callback);
155 // Copies the given certificates into the internal
156 // |extension_to_certificates_|. Any previously stored certificates are
157 // dropped. Afterwards, passes the list of given certificates to |callback|.
158 void UpdateCertificatesAndRun(
159 const std::map<std::string, CertificateInfoList>&
160 extension_to_certificates,
161 const base::Callback<void(const net::CertificateList&)>& callback);
163 // Terminates the certificate request with id |cert_request_id| by ignoring
164 // pending replies from extensions. Certificates that were already reported
165 // are processed.
166 void TerminateCertificateRequest(int cert_request_id);
168 // Requests extension with |extension_id| to sign |digest| with the private
169 // key certified by |certificate|. |hash| was used to create |digest|.
170 // |callback| will be run with the reply of the extension or an error.
171 void RequestSignatureFromExtension(
172 const std::string& extension_id,
173 const scoped_refptr<net::X509Certificate>& certificate,
174 net::SSLPrivateKey::Hash hash,
175 const std::string& digest,
176 const net::SSLPrivateKey::SignCallback& callback);
178 scoped_ptr<Delegate> delegate_;
180 // An instance of net::ClientKeyStore::CertKeyProvider that is registered at
181 // the net::ClientKeyStore singleton.
182 scoped_ptr<CertKeyProviderImpl> cert_key_provider_;
184 // State about all pending sign requests.
185 certificate_provider::SignRequests sign_requests_;
187 // Contains all pending certificate requests.
188 certificate_provider::CertificateRequests certificate_requests_;
190 // Contains all certificates that the extensions returned in response to the
191 // most recent certificate request.
192 certificate_provider::ThreadSafeCertificateMap certificate_map_;
194 base::ThreadChecker thread_checker_;
195 base::WeakPtrFactory<CertificateProviderService> weak_factory_;
197 DISALLOW_COPY_AND_ASSIGN(CertificateProviderService);
200 } // namespace chromeos
202 #endif // CHROME_BROWSER_CHROMEOS_CERTIFICATE_PROVIDER_CERTIFICATE_PROVIDER_SERVICE_H_