blob: bf73f57144b3f0c299d08a48a4704a4a489b72e9 [file] [log] [blame]
// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chromeos/network/network_cert_loader.h"
#include <algorithm>
#include <memory>
#include <utility>
#include "base/bind.h"
#include "base/callback_helpers.h"
#include "base/location.h"
#include "base/logging.h"
#include "base/strings/string_number_conversions.h"
#include "base/task/post_task.h"
#include "crypto/nss_util.h"
#include "crypto/scoped_nss_types.h"
#include "net/cert/cert_database.h"
#include "net/cert/nss_cert_database.h"
#include "net/cert/nss_cert_database_chromeos.h"
#include "net/cert/x509_util_nss.h"
namespace chromeos {
// Caches certificates from a NSSCertDatabase. Handles reloading of certificates
// on update notifications and provides status flags (loading / loaded).
// NetworkCertLoader can use multiple CertCaches to combine certificates from
// multiple sources.
class NetworkCertLoader::CertCache : public net::CertDatabase::Observer {
public:
explicit CertCache(base::RepeatingClosure certificates_updated_callback)
: certificates_updated_callback_(certificates_updated_callback),
weak_factory_(this) {}
~CertCache() override {
net::CertDatabase::GetInstance()->RemoveObserver(this);
}
void SetNSSDB(net::NSSCertDatabase* nss_database) {
CHECK(!nss_database_);
nss_database_ = nss_database;
// Start observing cert database for changes.
// Observing net::CertDatabase is preferred over observing |nss_database_|
// directly, as |nss_database_| observers receive only events generated
// directly by |nss_database_|, so they may miss a few relevant ones.
// TODO(tbarzic): Once singleton NSSCertDatabase is removed, investigate if
// it would be OK to observe |nss_database_| directly; or change
// NSSCertDatabase to send notification on all relevant changes.
net::CertDatabase::GetInstance()->AddObserver(this);
LoadCertificates();
}
net::NSSCertDatabase* nss_database() { return nss_database_; }
// net::CertDatabase::Observer
void OnCertDBChanged() override {
VLOG(1) << "OnCertDBChanged";
LoadCertificates();
}
const net::ScopedCERTCertificateList& cert_list() const { return cert_list_; }
bool initial_load_running() const {
return nss_database_ && !initial_load_finished_;
}
bool initial_load_finished() const { return initial_load_finished_; }
// Returns true if the underlying NSSCertDatabase has access to the system
// slot.
bool has_system_certificates() const { return has_system_certificates_; }
private:
// Trigger a certificate load. If a certificate loading task is already in
// progress, will start a reload once the current task is finished.
void LoadCertificates() {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
VLOG(1) << "LoadCertificates: " << certificates_update_running_;
if (certificates_update_running_) {
certificates_update_required_ = true;
return;
}
certificates_update_running_ = true;
certificates_update_required_ = false;
if (nss_database_) {
has_system_certificates_ =
static_cast<bool>(nss_database_->GetSystemSlot());
nss_database_->ListCerts(base::AdaptCallbackForRepeating(base::BindOnce(
&CertCache::UpdateCertificates, weak_factory_.GetWeakPtr())));
}
}
// Called if a certificate load task is finished.
void UpdateCertificates(net::ScopedCERTCertificateList cert_list) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
DCHECK(certificates_update_running_);
VLOG(1) << "UpdateCertificates: " << cert_list.size();
// Ignore any existing certificates.
cert_list_ = std::move(cert_list);
initial_load_finished_ = true;
certificates_updated_callback_.Run();
certificates_update_running_ = false;
if (certificates_update_required_)
LoadCertificates();
}
// To be called when certificates have been updated.
base::RepeatingClosure certificates_updated_callback_;
bool has_system_certificates_ = false;
// This is true after certificates have been loaded initially.
bool initial_load_finished_ = false;
// This is true if a notification about certificate DB changes arrived while
// loading certificates and means that we will have to trigger another
// certificates load after that.
bool certificates_update_required_ = false;
// This is true while certificates are being loaded.
bool certificates_update_running_ = false;
// The NSS certificate database from which the certificates should be loaded.
net::NSSCertDatabase* nss_database_ = nullptr;
// Cached Certificates loaded from the database.
net::ScopedCERTCertificateList cert_list_;
THREAD_CHECKER(thread_checker_);
base::WeakPtrFactory<CertCache> weak_factory_;
DISALLOW_COPY_AND_ASSIGN(CertCache);
};
namespace {
// Checks if |certificate| is on the given |slot|.
bool IsCertificateOnSlot(CERTCertificate* certificate, PK11SlotInfo* slot) {
crypto::ScopedPK11SlotList slots_for_cert(
PK11_GetAllSlotsForCert(certificate, nullptr));
if (!slots_for_cert)
return false;
for (PK11SlotListElement* slot_element =
PK11_GetFirstSafe(slots_for_cert.get());
slot_element; slot_element = PK11_GetNextSafe(slots_for_cert.get(),
slot_element, PR_FALSE)) {
if (slot_element->slot == slot) {
// All previously visited elements have been freed by PK11_GetNextSafe,
// but we're not calling that for the last one, so free it explicitly.
// The slots_for_cert list itself will be freed because ScopedPK11SlotList
// is a unique_ptr.
PK11_FreeSlotListElement(slots_for_cert.get(), slot_element);
return true;
}
}
return false;
}
// Goes through all certificates in |certs| and copies those certificates
// which are on |system_slot| to a new list.
net::ScopedCERTCertificateList FilterSystemTokenCertificates(
net::ScopedCERTCertificateList certs,
crypto::ScopedPK11Slot system_slot) {
VLOG(1) << "FilterSystemTokenCertificates";
if (!system_slot)
return net::ScopedCERTCertificateList();
PK11SlotInfo* system_slot_ptr = system_slot.get();
// Only keep certificates which are on the |system_slot|.
certs.erase(
std::remove_if(certs.begin(), certs.end(),
[system_slot_ptr](const net::ScopedCERTCertificate& cert) {
return !IsCertificateOnSlot(cert.get(), system_slot_ptr);
}),
certs.end());
return certs;
}
void AddPolicyProvidedAuthorities(
const PolicyCertificateProvider* policy_certificate_provider,
net::ScopedCERTCertificateList* out_certs) {
DCHECK(out_certs);
if (!policy_certificate_provider)
return;
for (const auto& certificate :
policy_certificate_provider->GetAllAuthorityCertificates()) {
net::ScopedCERTCertificate x509_cert =
net::x509_util::CreateCERTCertificateFromX509Certificate(
certificate.get());
if (!x509_cert) {
LOG(ERROR) << "Unable to create CERTCertificate";
continue;
}
out_certs->push_back(std::move(x509_cert));
}
}
} // namespace
static NetworkCertLoader* g_cert_loader = nullptr;
static bool g_force_hardware_backed_for_test = false;
// static
void NetworkCertLoader::Initialize() {
CHECK(!g_cert_loader);
g_cert_loader = new NetworkCertLoader();
}
// static
void NetworkCertLoader::Shutdown() {
CHECK(g_cert_loader);
delete g_cert_loader;
g_cert_loader = nullptr;
}
// static
NetworkCertLoader* NetworkCertLoader::Get() {
CHECK(g_cert_loader) << "NetworkCertLoader::Get() called before Initialize()";
return g_cert_loader;
}
// static
bool NetworkCertLoader::IsInitialized() {
return g_cert_loader;
}
NetworkCertLoader::NetworkCertLoader() : weak_factory_(this) {
system_cert_cache_ = std::make_unique<CertCache>(base::BindRepeating(
&NetworkCertLoader::OnCertCacheUpdated, base::Unretained(this)));
user_cert_cache_ = std::make_unique<CertCache>(base::BindRepeating(
&NetworkCertLoader::OnCertCacheUpdated, base::Unretained(this)));
}
NetworkCertLoader::~NetworkCertLoader() {
DCHECK(policy_certificate_providers_.empty());
}
void NetworkCertLoader::SetSystemNSSDB(
net::NSSCertDatabase* system_slot_database) {
system_cert_cache_->SetNSSDB(system_slot_database);
}
void NetworkCertLoader::SetUserNSSDB(net::NSSCertDatabase* user_database) {
user_cert_cache_->SetNSSDB(user_database);
}
void NetworkCertLoader::AddPolicyCertificateProvider(
PolicyCertificateProvider* policy_certificate_provider) {
policy_certificate_provider->AddPolicyProvidedCertsObserver(this);
policy_certificate_providers_.push_back(policy_certificate_provider);
UpdateCertificates();
}
void NetworkCertLoader::RemovePolicyCertificateProvider(
PolicyCertificateProvider* policy_certificate_provider) {
auto iter = std::find(policy_certificate_providers_.begin(),
policy_certificate_providers_.end(),
policy_certificate_provider);
DCHECK(iter != policy_certificate_providers_.end());
policy_certificate_providers_.erase(iter);
policy_certificate_provider->RemovePolicyProvidedCertsObserver(this);
UpdateCertificates();
}
void NetworkCertLoader::AddObserver(NetworkCertLoader::Observer* observer) {
observers_.AddObserver(observer);
}
void NetworkCertLoader::RemoveObserver(NetworkCertLoader::Observer* observer) {
observers_.RemoveObserver(observer);
}
// static
bool NetworkCertLoader::IsCertificateHardwareBacked(CERTCertificate* cert) {
if (g_force_hardware_backed_for_test)
return true;
PK11SlotInfo* slot = cert->slot;
return slot && PK11_IsHW(slot);
}
bool NetworkCertLoader::initial_load_of_any_database_running() const {
return system_cert_cache_->initial_load_running() ||
user_cert_cache_->initial_load_running();
}
bool NetworkCertLoader::initial_load_finished() const {
return system_cert_cache_->initial_load_finished() ||
user_cert_cache_->initial_load_finished();
}
bool NetworkCertLoader::user_cert_database_load_finished() const {
return user_cert_cache_->initial_load_finished();
}
// static
void NetworkCertLoader::ForceHardwareBackedForTesting() {
g_force_hardware_backed_for_test = true;
}
// static
//
// For background see this discussion on dev-tech-crypto.lists.mozilla.org:
// http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX
//
// NOTE: This function relies on the convention that the same PKCS#11 ID
// is shared between a certificate and its associated private and public
// keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(),
// but that always returns NULL on Chrome OS for me.
std::string NetworkCertLoader::GetPkcs11IdAndSlotForCert(CERTCertificate* cert,
int* slot_id) {
DCHECK(slot_id);
SECKEYPrivateKey* priv_key = PK11_FindKeyByAnyCert(cert, nullptr /* wincx */);
if (!priv_key)
return std::string();
*slot_id = static_cast<int>(PK11_GetSlotID(priv_key->pkcs11Slot));
// Get the CKA_ID attribute for a key.
SECItem* sec_item = PK11_GetLowLevelKeyIDForPrivateKey(priv_key);
std::string pkcs11_id;
if (sec_item) {
pkcs11_id = base::HexEncode(sec_item->data, sec_item->len);
SECITEM_FreeItem(sec_item, PR_TRUE);
}
SECKEY_DestroyPrivateKey(priv_key);
return pkcs11_id;
}
void NetworkCertLoader::OnCertCacheUpdated() {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
VLOG(1) << "OnCertCacheUpdated";
if (is_shutting_down_)
return;
// If user_cert_cache_ has access to system certificates and it has already
// finished its initial load, it will contain system certificates which we can
// filter.
if (user_cert_cache_->initial_load_finished() &&
user_cert_cache_->has_system_certificates()) {
crypto::ScopedPK11Slot system_slot =
user_cert_cache_->nss_database()->GetSystemSlot();
DCHECK(system_slot);
base::PostTaskWithTraitsAndReplyWithResult(
FROM_HERE,
{base::MayBlock(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},
base::BindOnce(&FilterSystemTokenCertificates,
net::x509_util::DupCERTCertificateList(
user_cert_cache_->cert_list()),
std::move(system_slot)),
base::BindOnce(&NetworkCertLoader::StoreCertsFromCache,
weak_factory_.GetWeakPtr(),
net::x509_util::DupCERTCertificateList(
user_cert_cache_->cert_list())));
} else {
// The user's cert cache does not contain system certificates.
net::ScopedCERTCertificateList system_token_client_certs =
net::x509_util::DupCERTCertificateList(system_cert_cache_->cert_list());
net::ScopedCERTCertificateList all_certs_from_cache =
net::x509_util::DupCERTCertificateList(user_cert_cache_->cert_list());
all_certs_from_cache.reserve(all_certs_from_cache.size() +
system_token_client_certs.size());
for (const net::ScopedCERTCertificate& cert : system_token_client_certs) {
all_certs_from_cache.push_back(
net::x509_util::DupCERTCertificate(cert.get()));
}
StoreCertsFromCache(std::move(all_certs_from_cache),
std::move(system_token_client_certs));
}
}
void NetworkCertLoader::StoreCertsFromCache(
net::ScopedCERTCertificateList all_certs_from_cache,
net::ScopedCERTCertificateList system_token_client_certs) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
VLOG(1) << "StoreCertsFromCache: " << all_certs_from_cache.size() << " ("
<< system_token_client_certs.size()
<< " client certs on system slot)";
// Ignore any existing certificates.
all_certs_from_cache_ = std::move(all_certs_from_cache);
system_token_client_certs_ = std::move(system_token_client_certs);
certs_from_cache_loaded_ = true;
UpdateCertificates();
}
void NetworkCertLoader::UpdateCertificates() {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
if (is_shutting_down_)
return;
// Only trigger a notification to observers if one of the |CertCache|s has
// already loaded certificates. Don't trigger notifications if policy-provided
// certificates change before that.
// TODO(https://crbug.com/888451): When we handle client and authority
// certificates separately in NetworkCertLoader, we could fire different
// notifications for policy-provided cert changes instead of holding back
// notifications. Note that it is possible that only |system_cert_cache_| has
// loaded certificates (e.g. on the ChromeOS sign-in screen), and it is also
// possible that only |user_cert_cache_| has loaded certificates (e.g. if the
// system slot is not available for some reason, but a primary user has signed
// in).
if (!certs_from_cache_loaded_)
return;
// Copy |all_certs_from_cache_| into |all_certs_|, ignoring any existing
// certificates.
all_certs_.clear();
all_certs_.reserve(all_certs_from_cache_.size());
for (const net::ScopedCERTCertificate& cert : all_certs_from_cache_)
all_certs_.push_back(net::x509_util::DupCERTCertificate(cert.get()));
// Add policy-provided certificates.
// TODO(https://crbug.com/888451): Instead of putting authorities and client
// certs into |all_certs_| and then filtering in NetworkCertificateHandler, we
// should separate the two categories here in |NetworkCertLoader| already
// (pmarko@).
for (const PolicyCertificateProvider* policy_certificate_provider :
policy_certificate_providers_) {
AddPolicyProvidedAuthorities(policy_certificate_provider, &all_certs_);
}
NotifyCertificatesLoaded();
}
void NetworkCertLoader::NotifyCertificatesLoaded() {
for (auto& observer : observers_)
observer.OnCertificatesLoaded(all_certs_);
}
void NetworkCertLoader::OnPolicyProvidedCertsChanged(
const net::CertificateList& all_server_and_authority_certs,
const net::CertificateList& trust_anchors) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
UpdateCertificates();
}
} // namespace chromeos