1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chromeos/cert_loader.h" 6 7 #include <algorithm> 8 9 #include "base/bind.h" 10 #include "base/location.h" 11 #include "base/message_loop/message_loop_proxy.h" 12 #include "base/strings/string_number_conversions.h" 13 #include "base/task_runner_util.h" 14 #include "base/threading/worker_pool.h" 15 #include "crypto/nss_util.h" 16 #include "crypto/scoped_nss_types.h" 17 #include "net/cert/nss_cert_database.h" 18 #include "net/cert/nss_cert_database_chromeos.h" 19 #include "net/cert/x509_certificate.h" 20 21 namespace chromeos { 22 23 static CertLoader* g_cert_loader = NULL; 24 25 // static 26 void CertLoader::Initialize() { 27 CHECK(!g_cert_loader); 28 g_cert_loader = new CertLoader(); 29 } 30 31 // static 32 void CertLoader::Shutdown() { 33 CHECK(g_cert_loader); 34 delete g_cert_loader; 35 g_cert_loader = NULL; 36 } 37 38 // static 39 CertLoader* CertLoader::Get() { 40 CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()"; 41 return g_cert_loader; 42 } 43 44 // static 45 bool CertLoader::IsInitialized() { 46 return g_cert_loader; 47 } 48 49 CertLoader::CertLoader() 50 : certificates_loaded_(false), 51 certificates_update_required_(false), 52 certificates_update_running_(false), 53 database_(NULL), 54 force_hardware_backed_for_test_(false), 55 cert_list_(new net::CertificateList), 56 weak_factory_(this) { 57 } 58 59 CertLoader::~CertLoader() { 60 net::CertDatabase::GetInstance()->RemoveObserver(this); 61 } 62 63 void CertLoader::StartWithNSSDB(net::NSSCertDatabase* database) { 64 CHECK(!database_); 65 database_ = database; 66 67 // Start observing cert database for changes. 68 // Observing net::CertDatabase is preferred over observing |database_| 69 // directly, as |database_| observers receive only events generated directly 70 // by |database_|, so they may miss a few relevant ones. 71 // TODO(tbarzic): Once singleton NSSCertDatabase is removed, investigate if 72 // it would be OK to observe |database_| directly; or change NSSCertDatabase 73 // to send notification on all relevant changes. 74 net::CertDatabase::GetInstance()->AddObserver(this); 75 76 LoadCertificates(); 77 } 78 79 void CertLoader::AddObserver(CertLoader::Observer* observer) { 80 observers_.AddObserver(observer); 81 } 82 83 void CertLoader::RemoveObserver(CertLoader::Observer* observer) { 84 observers_.RemoveObserver(observer); 85 } 86 87 bool CertLoader::IsHardwareBacked() const { 88 if (force_hardware_backed_for_test_) 89 return true; 90 if (!database_) 91 return false; 92 crypto::ScopedPK11Slot slot(database_->GetPrivateSlot()); 93 if (!slot) 94 return false; 95 return PK11_IsHW(slot.get()); 96 } 97 98 bool CertLoader::IsCertificateHardwareBacked( 99 const net::X509Certificate* cert) const { 100 if (!database_) 101 return false; 102 return database_->IsHardwareBacked(cert); 103 } 104 105 bool CertLoader::CertificatesLoading() const { 106 return database_ && !certificates_loaded_; 107 } 108 109 // static 110 // 111 // For background see this discussion on dev-tech-crypto.lists.mozilla.org: 112 // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX 113 // 114 // NOTE: This function relies on the convention that the same PKCS#11 ID 115 // is shared between a certificate and its associated private and public 116 // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(), 117 // but that always returns NULL on Chrome OS for me. 118 std::string CertLoader::GetPkcs11IdAndSlotForCert( 119 const net::X509Certificate& cert, 120 int* slot_id) { 121 DCHECK(slot_id); 122 123 CERTCertificateStr* cert_handle = cert.os_cert_handle(); 124 SECKEYPrivateKey *priv_key = 125 PK11_FindKeyByAnyCert(cert_handle, NULL /* wincx */); 126 if (!priv_key) 127 return std::string(); 128 129 *slot_id = static_cast<int>(PK11_GetSlotID(priv_key->pkcs11Slot)); 130 131 // Get the CKA_ID attribute for a key. 132 SECItem* sec_item = PK11_GetLowLevelKeyIDForPrivateKey(priv_key); 133 std::string pkcs11_id; 134 if (sec_item) { 135 pkcs11_id = base::HexEncode(sec_item->data, sec_item->len); 136 SECITEM_FreeItem(sec_item, PR_TRUE); 137 } 138 SECKEY_DestroyPrivateKey(priv_key); 139 140 return pkcs11_id; 141 } 142 143 void CertLoader::LoadCertificates() { 144 CHECK(thread_checker_.CalledOnValidThread()); 145 VLOG(1) << "LoadCertificates: " << certificates_update_running_; 146 147 if (certificates_update_running_) { 148 certificates_update_required_ = true; 149 return; 150 } 151 152 certificates_update_running_ = true; 153 certificates_update_required_ = false; 154 155 database_->ListCerts( 156 base::Bind(&CertLoader::UpdateCertificates, weak_factory_.GetWeakPtr())); 157 } 158 159 void CertLoader::UpdateCertificates( 160 scoped_ptr<net::CertificateList> cert_list) { 161 CHECK(thread_checker_.CalledOnValidThread()); 162 DCHECK(certificates_update_running_); 163 VLOG(1) << "UpdateCertificates: " << cert_list->size(); 164 165 // Ignore any existing certificates. 166 cert_list_ = cert_list.Pass(); 167 168 bool initial_load = !certificates_loaded_; 169 certificates_loaded_ = true; 170 NotifyCertificatesLoaded(initial_load); 171 172 certificates_update_running_ = false; 173 if (certificates_update_required_) 174 LoadCertificates(); 175 } 176 177 void CertLoader::NotifyCertificatesLoaded(bool initial_load) { 178 FOR_EACH_OBSERVER(Observer, observers_, 179 OnCertificatesLoaded(*cert_list_, initial_load)); 180 } 181 182 void CertLoader::OnCACertChanged(const net::X509Certificate* cert) { 183 // This is triggered when a CA certificate is modified. 184 VLOG(1) << "OnCACertChanged"; 185 LoadCertificates(); 186 } 187 188 void CertLoader::OnCertAdded(const net::X509Certificate* cert) { 189 // This is triggered when a client certificate is added. 190 VLOG(1) << "OnCertAdded"; 191 LoadCertificates(); 192 } 193 194 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) { 195 VLOG(1) << "OnCertRemoved"; 196 LoadCertificates(); 197 } 198 199 } // namespace chromeos 200
