| // Copyright 2018 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chromeos/network/network_cert_loader.h" |
| |
| #include <algorithm> |
| #include <memory> |
| #include <utility> |
| |
| #include "base/bind.h" |
| #include "base/callback_helpers.h" |
| #include "base/location.h" |
| #include "base/logging.h" |
| #include "base/strings/string_number_conversions.h" |
| #include "base/task/post_task.h" |
| #include "crypto/nss_util.h" |
| #include "crypto/scoped_nss_types.h" |
| #include "net/cert/cert_database.h" |
| #include "net/cert/nss_cert_database.h" |
| #include "net/cert/nss_cert_database_chromeos.h" |
| #include "net/cert/x509_util_nss.h" |
| |
| namespace chromeos { |
| |
| // Caches certificates from a NSSCertDatabase. Handles reloading of certificates |
| // on update notifications and provides status flags (loading / loaded). |
| // NetworkCertLoader can use multiple CertCaches to combine certificates from |
| // multiple sources. |
| class NetworkCertLoader::CertCache : public net::CertDatabase::Observer { |
| public: |
| explicit CertCache(base::RepeatingClosure certificates_updated_callback) |
| : certificates_updated_callback_(certificates_updated_callback), |
| weak_factory_(this) {} |
| |
| ~CertCache() override { |
| net::CertDatabase::GetInstance()->RemoveObserver(this); |
| } |
| |
| void SetNSSDB(net::NSSCertDatabase* nss_database) { |
| CHECK(!nss_database_); |
| nss_database_ = nss_database; |
| |
| // Start observing cert database for changes. |
| // Observing net::CertDatabase is preferred over observing |nss_database_| |
| // directly, as |nss_database_| observers receive only events generated |
| // directly by |nss_database_|, so they may miss a few relevant ones. |
| // TODO(tbarzic): Once singleton NSSCertDatabase is removed, investigate if |
| // it would be OK to observe |nss_database_| directly; or change |
| // NSSCertDatabase to send notification on all relevant changes. |
| net::CertDatabase::GetInstance()->AddObserver(this); |
| |
| LoadCertificates(); |
| } |
| |
| net::NSSCertDatabase* nss_database() { return nss_database_; } |
| |
| // net::CertDatabase::Observer |
| void OnCertDBChanged() override { |
| VLOG(1) << "OnCertDBChanged"; |
| LoadCertificates(); |
| } |
| |
| const net::ScopedCERTCertificateList& cert_list() const { return cert_list_; } |
| |
| bool initial_load_running() const { |
| return nss_database_ && !initial_load_finished_; |
| } |
| |
| bool initial_load_finished() const { return initial_load_finished_; } |
| |
| // Returns true if the underlying NSSCertDatabase has access to the system |
| // slot. |
| bool has_system_certificates() const { return has_system_certificates_; } |
| |
| private: |
| // Trigger a certificate load. If a certificate loading task is already in |
| // progress, will start a reload once the current task is finished. |
| void LoadCertificates() { |
| DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| VLOG(1) << "LoadCertificates: " << certificates_update_running_; |
| |
| if (certificates_update_running_) { |
| certificates_update_required_ = true; |
| return; |
| } |
| |
| certificates_update_running_ = true; |
| certificates_update_required_ = false; |
| |
| if (nss_database_) { |
| has_system_certificates_ = |
| static_cast<bool>(nss_database_->GetSystemSlot()); |
| nss_database_->ListCerts(base::BindOnce(&CertCache::UpdateCertificates, |
| weak_factory_.GetWeakPtr())); |
| } |
| } |
| |
| // Called if a certificate load task is finished. |
| void UpdateCertificates(net::ScopedCERTCertificateList cert_list) { |
| DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| DCHECK(certificates_update_running_); |
| VLOG(1) << "UpdateCertificates: " << cert_list.size(); |
| |
| // Ignore any existing certificates. |
| cert_list_ = std::move(cert_list); |
| |
| initial_load_finished_ = true; |
| certificates_updated_callback_.Run(); |
| |
| certificates_update_running_ = false; |
| if (certificates_update_required_) |
| LoadCertificates(); |
| } |
| |
| // To be called when certificates have been updated. |
| base::RepeatingClosure certificates_updated_callback_; |
| |
| bool has_system_certificates_ = false; |
| |
| // This is true after certificates have been loaded initially. |
| bool initial_load_finished_ = false; |
| // This is true if a notification about certificate DB changes arrived while |
| // loading certificates and means that we will have to trigger another |
| // certificates load after that. |
| bool certificates_update_required_ = false; |
| // This is true while certificates are being loaded. |
| bool certificates_update_running_ = false; |
| |
| // The NSS certificate database from which the certificates should be loaded. |
| net::NSSCertDatabase* nss_database_ = nullptr; |
| |
| // Cached Certificates loaded from the database. |
| net::ScopedCERTCertificateList cert_list_; |
| |
| THREAD_CHECKER(thread_checker_); |
| |
| base::WeakPtrFactory<CertCache> weak_factory_; |
| |
| DISALLOW_COPY_AND_ASSIGN(CertCache); |
| }; |
| |
| namespace { |
| |
| // Checks if |certificate| is on the given |slot|. |
| bool IsCertificateOnSlot(CERTCertificate* certificate, PK11SlotInfo* slot) { |
| crypto::ScopedPK11SlotList slots_for_cert( |
| PK11_GetAllSlotsForCert(certificate, nullptr)); |
| if (!slots_for_cert) |
| return false; |
| |
| for (PK11SlotListElement* slot_element = |
| PK11_GetFirstSafe(slots_for_cert.get()); |
| slot_element; slot_element = PK11_GetNextSafe(slots_for_cert.get(), |
| slot_element, PR_FALSE)) { |
| if (slot_element->slot == slot) { |
| // All previously visited elements have been freed by PK11_GetNextSafe, |
| // but we're not calling that for the last one, so free it explicitly. |
| // The slots_for_cert list itself will be freed because ScopedPK11SlotList |
| // is a unique_ptr. |
| PK11_FreeSlotListElement(slots_for_cert.get(), slot_element); |
| return true; |
| } |
| } |
| return false; |
| } |
| |
| // Goes through all certificates in |certs| and copies those certificates |
| // which are on |system_slot| to a new list. |
| net::ScopedCERTCertificateList FilterSystemTokenCertificates( |
| net::ScopedCERTCertificateList certs, |
| crypto::ScopedPK11Slot system_slot) { |
| VLOG(1) << "FilterSystemTokenCertificates"; |
| if (!system_slot) |
| return net::ScopedCERTCertificateList(); |
| |
| PK11SlotInfo* system_slot_ptr = system_slot.get(); |
| // Only keep certificates which are on the |system_slot|. |
| certs.erase( |
| std::remove_if(certs.begin(), certs.end(), |
| [system_slot_ptr](const net::ScopedCERTCertificate& cert) { |
| return !IsCertificateOnSlot(cert.get(), system_slot_ptr); |
| }), |
| certs.end()); |
| return certs; |
| } |
| |
| void AddPolicyProvidedAuthorities( |
| const PolicyCertificateProvider* policy_certificate_provider, |
| net::ScopedCERTCertificateList* out_certs) { |
| DCHECK(out_certs); |
| if (!policy_certificate_provider) |
| return; |
| for (const auto& certificate : |
| policy_certificate_provider->GetAllAuthorityCertificates()) { |
| net::ScopedCERTCertificate x509_cert = |
| net::x509_util::CreateCERTCertificateFromX509Certificate( |
| certificate.get()); |
| if (!x509_cert) { |
| LOG(ERROR) << "Unable to create CERTCertificate"; |
| continue; |
| } |
| |
| out_certs->push_back(std::move(x509_cert)); |
| } |
| } |
| |
| } // namespace |
| |
| static NetworkCertLoader* g_cert_loader = nullptr; |
| static bool g_force_hardware_backed_for_test = false; |
| |
| // static |
| void NetworkCertLoader::Initialize() { |
| CHECK(!g_cert_loader); |
| g_cert_loader = new NetworkCertLoader(); |
| } |
| |
| // static |
| void NetworkCertLoader::Shutdown() { |
| CHECK(g_cert_loader); |
| delete g_cert_loader; |
| g_cert_loader = nullptr; |
| } |
| |
| // static |
| NetworkCertLoader* NetworkCertLoader::Get() { |
| CHECK(g_cert_loader) << "NetworkCertLoader::Get() called before Initialize()"; |
| return g_cert_loader; |
| } |
| |
| // static |
| bool NetworkCertLoader::IsInitialized() { |
| return g_cert_loader; |
| } |
| |
| NetworkCertLoader::NetworkCertLoader() : weak_factory_(this) { |
| system_cert_cache_ = std::make_unique<CertCache>(base::BindRepeating( |
| &NetworkCertLoader::OnCertCacheUpdated, base::Unretained(this))); |
| user_cert_cache_ = std::make_unique<CertCache>(base::BindRepeating( |
| &NetworkCertLoader::OnCertCacheUpdated, base::Unretained(this))); |
| } |
| |
| NetworkCertLoader::~NetworkCertLoader() { |
| DCHECK(policy_certificate_providers_.empty()); |
| } |
| |
| void NetworkCertLoader::SetSystemNSSDB( |
| net::NSSCertDatabase* system_slot_database) { |
| system_cert_cache_->SetNSSDB(system_slot_database); |
| } |
| |
| void NetworkCertLoader::SetUserNSSDB(net::NSSCertDatabase* user_database) { |
| user_cert_cache_->SetNSSDB(user_database); |
| } |
| |
| void NetworkCertLoader::AddPolicyCertificateProvider( |
| PolicyCertificateProvider* policy_certificate_provider) { |
| policy_certificate_provider->AddPolicyProvidedCertsObserver(this); |
| policy_certificate_providers_.push_back(policy_certificate_provider); |
| UpdateCertificates(); |
| } |
| |
| void NetworkCertLoader::RemovePolicyCertificateProvider( |
| PolicyCertificateProvider* policy_certificate_provider) { |
| auto iter = std::find(policy_certificate_providers_.begin(), |
| policy_certificate_providers_.end(), |
| policy_certificate_provider); |
| DCHECK(iter != policy_certificate_providers_.end()); |
| policy_certificate_providers_.erase(iter); |
| policy_certificate_provider->RemovePolicyProvidedCertsObserver(this); |
| UpdateCertificates(); |
| } |
| |
| void NetworkCertLoader::AddObserver(NetworkCertLoader::Observer* observer) { |
| observers_.AddObserver(observer); |
| } |
| |
| void NetworkCertLoader::RemoveObserver(NetworkCertLoader::Observer* observer) { |
| observers_.RemoveObserver(observer); |
| } |
| |
| // static |
| bool NetworkCertLoader::IsCertificateHardwareBacked(CERTCertificate* cert) { |
| if (g_force_hardware_backed_for_test) |
| return true; |
| PK11SlotInfo* slot = cert->slot; |
| return slot && PK11_IsHW(slot); |
| } |
| |
| bool NetworkCertLoader::initial_load_of_any_database_running() const { |
| return system_cert_cache_->initial_load_running() || |
| user_cert_cache_->initial_load_running(); |
| } |
| |
| bool NetworkCertLoader::initial_load_finished() const { |
| return system_cert_cache_->initial_load_finished() || |
| user_cert_cache_->initial_load_finished(); |
| } |
| |
| bool NetworkCertLoader::user_cert_database_load_finished() const { |
| return user_cert_cache_->initial_load_finished(); |
| } |
| |
| // static |
| void NetworkCertLoader::ForceHardwareBackedForTesting() { |
| g_force_hardware_backed_for_test = true; |
| } |
| |
| // static |
| // |
| // For background see this discussion on dev-tech-crypto.lists.mozilla.org: |
| // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX |
| // |
| // NOTE: This function relies on the convention that the same PKCS#11 ID |
| // is shared between a certificate and its associated private and public |
| // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(), |
| // but that always returns NULL on Chrome OS for me. |
| std::string NetworkCertLoader::GetPkcs11IdAndSlotForCert(CERTCertificate* cert, |
| int* slot_id) { |
| DCHECK(slot_id); |
| |
| SECKEYPrivateKey* priv_key = PK11_FindKeyByAnyCert(cert, nullptr /* wincx */); |
| if (!priv_key) |
| return std::string(); |
| |
| *slot_id = static_cast<int>(PK11_GetSlotID(priv_key->pkcs11Slot)); |
| |
| // Get the CKA_ID attribute for a key. |
| SECItem* sec_item = PK11_GetLowLevelKeyIDForPrivateKey(priv_key); |
| std::string pkcs11_id; |
| if (sec_item) { |
| pkcs11_id = base::HexEncode(sec_item->data, sec_item->len); |
| SECITEM_FreeItem(sec_item, PR_TRUE); |
| } |
| SECKEY_DestroyPrivateKey(priv_key); |
| |
| return pkcs11_id; |
| } |
| |
| void NetworkCertLoader::OnCertCacheUpdated() { |
| DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| VLOG(1) << "OnCertCacheUpdated"; |
| |
| if (is_shutting_down_) |
| return; |
| |
| // If user_cert_cache_ has access to system certificates and it has already |
| // finished its initial load, it will contain system certificates which we can |
| // filter. |
| if (user_cert_cache_->initial_load_finished() && |
| user_cert_cache_->has_system_certificates()) { |
| crypto::ScopedPK11Slot system_slot = |
| user_cert_cache_->nss_database()->GetSystemSlot(); |
| DCHECK(system_slot); |
| base::PostTaskWithTraitsAndReplyWithResult( |
| FROM_HERE, |
| {base::MayBlock(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN}, |
| base::BindOnce(&FilterSystemTokenCertificates, |
| net::x509_util::DupCERTCertificateList( |
| user_cert_cache_->cert_list()), |
| std::move(system_slot)), |
| base::BindOnce(&NetworkCertLoader::StoreCertsFromCache, |
| weak_factory_.GetWeakPtr(), |
| net::x509_util::DupCERTCertificateList( |
| user_cert_cache_->cert_list()))); |
| } else { |
| // The user's cert cache does not contain system certificates. |
| net::ScopedCERTCertificateList system_token_client_certs = |
| net::x509_util::DupCERTCertificateList(system_cert_cache_->cert_list()); |
| net::ScopedCERTCertificateList all_certs_from_cache = |
| net::x509_util::DupCERTCertificateList(user_cert_cache_->cert_list()); |
| all_certs_from_cache.reserve(all_certs_from_cache.size() + |
| system_token_client_certs.size()); |
| for (const net::ScopedCERTCertificate& cert : system_token_client_certs) { |
| all_certs_from_cache.push_back( |
| net::x509_util::DupCERTCertificate(cert.get())); |
| } |
| StoreCertsFromCache(std::move(all_certs_from_cache), |
| std::move(system_token_client_certs)); |
| } |
| } |
| |
| void NetworkCertLoader::StoreCertsFromCache( |
| net::ScopedCERTCertificateList all_certs_from_cache, |
| net::ScopedCERTCertificateList system_token_client_certs) { |
| DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| |
| VLOG(1) << "StoreCertsFromCache: " << all_certs_from_cache.size() << " (" |
| << system_token_client_certs.size() |
| << " client certs on system slot)"; |
| |
| // Ignore any existing certificates. |
| all_certs_from_cache_ = std::move(all_certs_from_cache); |
| system_token_client_certs_ = std::move(system_token_client_certs); |
| |
| certs_from_cache_loaded_ = true; |
| |
| UpdateCertificates(); |
| } |
| |
| void NetworkCertLoader::UpdateCertificates() { |
| DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| |
| if (is_shutting_down_) |
| return; |
| |
| // Only trigger a notification to observers if one of the |CertCache|s has |
| // already loaded certificates. Don't trigger notifications if policy-provided |
| // certificates change before that. |
| // TODO(https://crbug.com/888451): When we handle client and authority |
| // certificates separately in NetworkCertLoader, we could fire different |
| // notifications for policy-provided cert changes instead of holding back |
| // notifications. Note that it is possible that only |system_cert_cache_| has |
| // loaded certificates (e.g. on the ChromeOS sign-in screen), and it is also |
| // possible that only |user_cert_cache_| has loaded certificates (e.g. if the |
| // system slot is not available for some reason, but a primary user has signed |
| // in). |
| if (!certs_from_cache_loaded_) |
| return; |
| |
| // Copy |all_certs_from_cache_| into |all_certs_|, ignoring any existing |
| // certificates. |
| all_certs_.clear(); |
| all_certs_.reserve(all_certs_from_cache_.size()); |
| for (const net::ScopedCERTCertificate& cert : all_certs_from_cache_) |
| all_certs_.push_back(net::x509_util::DupCERTCertificate(cert.get())); |
| |
| // Add policy-provided certificates. |
| // TODO(https://crbug.com/888451): Instead of putting authorities and client |
| // certs into |all_certs_| and then filtering in NetworkCertificateHandler, we |
| // should separate the two categories here in |NetworkCertLoader| already |
| // (pmarko@). |
| for (const PolicyCertificateProvider* policy_certificate_provider : |
| policy_certificate_providers_) { |
| AddPolicyProvidedAuthorities(policy_certificate_provider, &all_certs_); |
| } |
| |
| NotifyCertificatesLoaded(); |
| } |
| |
| void NetworkCertLoader::NotifyCertificatesLoaded() { |
| for (auto& observer : observers_) |
| observer.OnCertificatesLoaded(all_certs_); |
| } |
| |
| void NetworkCertLoader::OnPolicyProvidedCertsChanged( |
| const net::CertificateList& all_server_and_authority_certs, |
| const net::CertificateList& trust_anchors) { |
| DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
| UpdateCertificates(); |
| } |
| |
| } // namespace chromeos |