chrome/browser/certificate_manager_model.cc - chromium/src - Git at Google

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "chrome/browser/certificate_manager_model.h"

 #include <utility>

 #include "base/bind.h"
 #include "base/i18n/time_formatting.h"
 #include "base/logging.h"
 #include "base/stl_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "build/build_config.h"
 #include "chrome/browser/net/nss_context.h"
 #include "chrome/browser/ui/crypto_module_password_dialog_nss.h"
 #include "chrome/common/net/x509_certificate_model_nss.h"
 #include "chrome/grit/generated_resources.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/resource_context.h"
 #include "crypto/nss_util.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_nss.h"
 #include "ui/base/l10n/l10n_util.h"

 // TODO(wychen): ChromeOS headers should only be included when building
 //               ChromeOS, and the following headers should be guarded by
 //               #if defined(OS_CHROMEOS). However, the types are actually
 //               used, and it takes another CL to clean them up.
 //               Reference: crbug.com/720159
 #include "chrome/browser/chromeos/certificate_provider/certificate_provider.h"
 #include "chrome/browser/chromeos/certificate_provider/certificate_provider_service.h"
 #include "chrome/browser/chromeos/certificate_provider/certificate_provider_service_factory.h"

 using content::BrowserThread;

 // CertificateManagerModel is created on the UI thread. It needs a
 // NSSCertDatabase handle (and on ChromeOS it needs to get the TPM status) which
 // needs to be done on the IO thread.
 //
 // The initialization flow is roughly:
 //
 //               UI thread                              IO Thread
 //
 //   CertificateManagerModel::Create
 //                  \--------------------------------------v
 //                                CertificateManagerModel::GetCertDBOnIOThread
 //                                                         |
 //                                     GetNSSCertDatabaseForResourceContext
 //                                                         |
 //                               CertificateManagerModel::DidGetCertDBOnIOThread
 //                                                         |
 //                                       crypto::IsTPMTokenEnabledForNSS
 //                  v--------------------------------------/
 // CertificateManagerModel::DidGetCertDBOnUIThread
 //                  |
 //     new CertificateManagerModel
 //                  |
 //               callback

 namespace {

 std::string GetCertificateOrg(CERTCertificate* cert) {
   std::string org =
       x509_certificate_model::GetSubjectOrgName(cert, std::string());
   if (org.empty())
     org = x509_certificate_model::GetSubjectDisplayName(cert);

   return org;
 }

 }  // namespace

 // static
 void CertificateManagerModel::Create(
     content::BrowserContext* browser_context,
     CertificateManagerModel::Observer* observer,
     const CreationCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);

   std::unique_ptr<chromeos::CertificateProvider> extension_certificate_provider;
 #if defined(OS_CHROMEOS)
   chromeos::CertificateProviderService* service =
       chromeos::CertificateProviderServiceFactory::GetForBrowserContext(
           browser_context);
   extension_certificate_provider = service->CreateCertificateProvider();
 #endif

   BrowserThread::PostTask(
       BrowserThread::IO, FROM_HERE,
       base::BindOnce(&CertificateManagerModel::GetCertDBOnIOThread,
                      browser_context->GetResourceContext(), observer,
                      base::Passed(&extension_certificate_provider), callback));
 }

 CertificateManagerModel::CertificateManagerModel(
     net::NSSCertDatabase* nss_cert_database,
     bool is_user_db_available,
     bool is_tpm_available,
     Observer* observer,
     std::unique_ptr<chromeos::CertificateProvider>
         extension_certificate_provider)
     : cert_db_(nss_cert_database),
       is_user_db_available_(is_user_db_available),
       is_tpm_available_(is_tpm_available),
       observer_(observer),
       extension_certificate_provider_(std::move(
                                           extension_certificate_provider)),
       weak_ptr_factory_(this) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
 }

 CertificateManagerModel::~CertificateManagerModel() {
 }

 void CertificateManagerModel::Refresh() {
   DVLOG(1) << "refresh started";
   std::vector<crypto::ScopedPK11Slot> modules;
   cert_db_->ListModules(&modules, false);
   DVLOG(1) << "refresh waiting for unlocking...";
   chrome::UnlockSlotsIfNecessary(
       std::move(modules), kCryptoModulePasswordListCerts,
       net::HostPortPair(),  // unused.
       NULL,                 // TODO(mattm): supply parent window.
       base::Bind(&CertificateManagerModel::RefreshSlotsUnlocked,
                  base::Unretained(this)));

 #if defined(OS_CHROMEOS)
   extension_certificate_provider_->GetCertificates(base::Bind(
       &CertificateManagerModel::RefreshExtensionCertificates,
       weak_ptr_factory_.GetWeakPtr()));
 #endif
 }

 void CertificateManagerModel::RefreshSlotsUnlocked() {
   DVLOG(1) << "refresh listing certs...";
   // TODO(tbarzic): Use async |ListCerts|.
   cert_list_ = cert_db_->ListCertsSync();
   observer_->CertificatesRefreshed();
   DVLOG(1) << "refresh finished for platform provided certificates";
 }

 void CertificateManagerModel::RefreshExtensionCertificates(
     net::ClientCertIdentityList new_cert_identities) {
   extension_cert_list_.clear();
   extension_cert_list_.reserve(new_cert_identities.size());
   for (const auto& identity : new_cert_identities) {
     net::ScopedCERTCertificate nss_cert(
         net::x509_util::CreateCERTCertificateFromX509Certificate(
             identity->certificate()));
     if (nss_cert)
       extension_cert_list_.push_back(std::move(nss_cert));
   }
   observer_->CertificatesRefreshed();
   DVLOG(1) << "refresh finished for extension provided certificates";
 }

 void CertificateManagerModel::FilterAndBuildOrgGroupingMap(
     net::CertType filter_type,
     CertificateManagerModel::OrgGroupingMap* map) const {
   for (const net::ScopedCERTCertificate& cert : cert_list_) {
     net::CertType type = x509_certificate_model::GetType(cert.get());
     if (type != filter_type)
       continue;

     std::string org = GetCertificateOrg(cert.get());
     (*map)[org].push_back(net::x509_util::DupCERTCertificate(cert.get()));
   }

   // Display extension provided certificates under the "Your Certificates" tab.
   if (filter_type == net::USER_CERT) {
     for (const auto& cert : extension_cert_list_) {
       std::string org = GetCertificateOrg(cert.get());
       (*map)[org].push_back(net::x509_util::DupCERTCertificate(cert.get()));
     }
   }
 }

 base::string16 CertificateManagerModel::GetColumnText(CERTCertificate* cert,
                                                       Column column) const {
   base::string16 rv;
   switch (column) {
     case COL_SUBJECT_NAME:
       rv = base::UTF8ToUTF16(
           x509_certificate_model::GetCertNameOrNickname(cert));

       // Mark extension provided certificates.
       if (std::find_if(extension_cert_list_.begin(), extension_cert_list_.end(),
                        [cert](const net::ScopedCERTCertificate& element) {
                          return element.get() == cert;
                        }) != extension_cert_list_.end()) {
         rv = l10n_util::GetStringFUTF16(
             IDS_CERT_MANAGER_EXTENSION_PROVIDED_FORMAT,
             rv);
       } else if (IsHardwareBacked(cert)) {
         // TODO(xiyuan): Put this into a column when we have js tree-table.
         rv = l10n_util::GetStringFUTF16(
             IDS_CERT_MANAGER_HARDWARE_BACKED_KEY_FORMAT,
             rv,
             l10n_util::GetStringUTF16(IDS_CERT_MANAGER_HARDWARE_BACKED));
       }
       break;
     case COL_CERTIFICATE_STORE:
       rv = base::UTF8ToUTF16(x509_certificate_model::GetTokenName(cert));
       break;
     case COL_SERIAL_NUMBER:
       rv = base::ASCIIToUTF16(
           x509_certificate_model::GetSerialNumberHexified(cert, std::string()));
       break;
     case COL_EXPIRES_ON: {
       base::Time not_after;
       if (net::x509_util::GetValidityTimes(cert, nullptr, &not_after))
         rv = base::TimeFormatShortDateNumeric(not_after);
       break;
     }
     default:
       NOTREACHED();
   }
   return rv;
 }

 int CertificateManagerModel::ImportFromPKCS12(PK11SlotInfo* slot_info,
                                               const std::string& data,
                                               const base::string16& password,
                                               bool is_extractable) {
   int result = cert_db_->ImportFromPKCS12(slot_info, data, password,
                                           is_extractable, nullptr);
   if (result == net::OK)
     Refresh();
   return result;
 }

 int CertificateManagerModel::ImportUserCert(const std::string& data) {
   int result = cert_db_->ImportUserCert(data);
   if (result == net::OK)
     Refresh();
   return result;
 }

 bool CertificateManagerModel::ImportCACerts(
     const net::ScopedCERTCertificateList& certificates,
     net::NSSCertDatabase::TrustBits trust_bits,
     net::NSSCertDatabase::ImportCertFailureList* not_imported) {
   const size_t num_certs = certificates.size();
   bool result = cert_db_->ImportCACerts(certificates, trust_bits, not_imported);
   if (result && not_imported->size() != num_certs)
     Refresh();
   return result;
 }

 bool CertificateManagerModel::ImportServerCert(
     const net::ScopedCERTCertificateList& certificates,
     net::NSSCertDatabase::TrustBits trust_bits,
     net::NSSCertDatabase::ImportCertFailureList* not_imported) {
   const size_t num_certs = certificates.size();
   bool result =
       cert_db_->ImportServerCert(certificates, trust_bits, not_imported);
   if (result && not_imported->size() != num_certs)
     Refresh();
   return result;
 }

 bool CertificateManagerModel::SetCertTrust(
     CERTCertificate* cert,
     net::CertType type,
     net::NSSCertDatabase::TrustBits trust_bits) {
   return cert_db_->SetCertTrust(cert, type, trust_bits);
 }

 bool CertificateManagerModel::Delete(CERTCertificate* cert) {
   bool result = cert_db_->DeleteCertAndKey(cert);
   if (result)
     Refresh();
   return result;
 }

 bool CertificateManagerModel::IsHardwareBacked(CERTCertificate* cert) const {
   return cert_db_->IsHardwareBacked(cert);
 }

 // static
 void CertificateManagerModel::DidGetCertDBOnUIThread(
     net::NSSCertDatabase* cert_db,
     bool is_user_db_available,
     bool is_tpm_available,
     CertificateManagerModel::Observer* observer,
     std::unique_ptr<chromeos::CertificateProvider>
         extension_certificate_provider,
     const CreationCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);

   std::unique_ptr<CertificateManagerModel> model(new CertificateManagerModel(
       cert_db, is_user_db_available, is_tpm_available, observer,
       std::move(extension_certificate_provider)));
   callback.Run(std::move(model));
 }

 // static
 void CertificateManagerModel::DidGetCertDBOnIOThread(
     CertificateManagerModel::Observer* observer,
     std::unique_ptr<chromeos::CertificateProvider>
         extension_certificate_provider,
     const CreationCallback& callback,
     net::NSSCertDatabase* cert_db) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);

   bool is_user_db_available = !!cert_db->GetPublicSlot();
   bool is_tpm_available = false;
 #if defined(OS_CHROMEOS)
   is_tpm_available = crypto::IsTPMTokenEnabledForNSS();
 #endif
   BrowserThread::PostTask(
       BrowserThread::UI, FROM_HERE,
       base::BindOnce(&CertificateManagerModel::DidGetCertDBOnUIThread, cert_db,
                      is_user_db_available, is_tpm_available, observer,
                      base::Passed(&extension_certificate_provider), callback));
 }

 // static
 void CertificateManagerModel::GetCertDBOnIOThread(
     content::ResourceContext* context,
     CertificateManagerModel::Observer* observer,
     std::unique_ptr<chromeos::CertificateProvider>
         extension_certificate_provider,
     const CreationCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);

   auto did_get_cert_db_callback = base::Bind(
       &CertificateManagerModel::DidGetCertDBOnIOThread, observer,
       base::Passed(&extension_certificate_provider), callback);

   net::NSSCertDatabase* cert_db = GetNSSCertDatabaseForResourceContext(
       context, did_get_cert_db_callback);

   // The callback is run here instead of the actual function call because of
   // extension_certificate_provider ownership semantics, ie. ownership can only
   // be released once. The callback will only be run once (either inside the
   // function above or here).
   if (cert_db)
     did_get_cert_db_callback.Run(cert_db);
 }
	// Copyright (c) 2012 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "chrome/browser/certificate_manager_model.h"

	#include <utility>

	#include "base/bind.h"
	#include "base/i18n/time_formatting.h"
	#include "base/logging.h"
	#include "base/stl_util.h"
	#include "base/strings/utf_string_conversions.h"
	#include "build/build_config.h"
	#include "chrome/browser/net/nss_context.h"
	#include "chrome/browser/ui/crypto_module_password_dialog_nss.h"
	#include "chrome/common/net/x509_certificate_model_nss.h"
	#include "chrome/grit/generated_resources.h"
	#include "content/public/browser/browser_context.h"
	#include "content/public/browser/browser_thread.h"
	#include "content/public/browser/resource_context.h"
	#include "crypto/nss_util.h"
	#include "net/base/net_errors.h"
	#include "net/cert/x509_certificate.h"
	#include "net/cert/x509_util_nss.h"
	#include "ui/base/l10n/l10n_util.h"

	// TODO(wychen): ChromeOS headers should only be included when building
	// ChromeOS, and the following headers should be guarded by
	// #if defined(OS_CHROMEOS). However, the types are actually
	// used, and it takes another CL to clean them up.
	// Reference: crbug.com/720159
	#include "chrome/browser/chromeos/certificate_provider/certificate_provider.h"
	#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service.h"
	#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service_factory.h"

	using content::BrowserThread;

	// CertificateManagerModel is created on the UI thread. It needs a
	// NSSCertDatabase handle (and on ChromeOS it needs to get the TPM status) which
	// needs to be done on the IO thread.
	//
	// The initialization flow is roughly:
	//
	// UI thread IO Thread
	//
	// CertificateManagerModel::Create
	// \--------------------------------------v
	// CertificateManagerModel::GetCertDBOnIOThread
	// \|
	// GetNSSCertDatabaseForResourceContext
	// \|
	// CertificateManagerModel::DidGetCertDBOnIOThread
	// \|
	// crypto::IsTPMTokenEnabledForNSS
	// v--------------------------------------/
	// CertificateManagerModel::DidGetCertDBOnUIThread
	// \|
	// new CertificateManagerModel
	// \|
	// callback

	namespace {

	std::string GetCertificateOrg(CERTCertificate* cert) {
	std::string org =
	x509_certificate_model::GetSubjectOrgName(cert, std::string());
	if (org.empty())
	org = x509_certificate_model::GetSubjectDisplayName(cert);

	return org;
	}

	} // namespace

	// static
	void CertificateManagerModel::Create(
	content::BrowserContext* browser_context,
	CertificateManagerModel::Observer* observer,
	const CreationCallback& callback) {
	DCHECK_CURRENTLY_ON(BrowserThread::UI);

	std::unique_ptr<chromeos::CertificateProvider> extension_certificate_provider;
	#if defined(OS_CHROMEOS)
	chromeos::CertificateProviderService* service =
	chromeos::CertificateProviderServiceFactory::GetForBrowserContext(
	browser_context);
	extension_certificate_provider = service->CreateCertificateProvider();
	#endif

	BrowserThread::PostTask(
	BrowserThread::IO, FROM_HERE,
	base::BindOnce(&CertificateManagerModel::GetCertDBOnIOThread,
	browser_context->GetResourceContext(), observer,
	base::Passed(&extension_certificate_provider), callback));
	}

	CertificateManagerModel::CertificateManagerModel(
	net::NSSCertDatabase* nss_cert_database,
	bool is_user_db_available,
	bool is_tpm_available,
	Observer* observer,
	std::unique_ptr<chromeos::CertificateProvider>
	extension_certificate_provider)
	: cert_db_(nss_cert_database),
	is_user_db_available_(is_user_db_available),
	is_tpm_available_(is_tpm_available),
	observer_(observer),
	extension_certificate_provider_(std::move(
	extension_certificate_provider)),
	weak_ptr_factory_(this) {
	DCHECK_CURRENTLY_ON(BrowserThread::UI);
	}

	CertificateManagerModel::~CertificateManagerModel() {
	}

	void CertificateManagerModel::Refresh() {
	DVLOG(1) << "refresh started";
	std::vector<crypto::ScopedPK11Slot> modules;
	cert_db_->ListModules(&modules, false);
	DVLOG(1) << "refresh waiting for unlocking...";
	chrome::UnlockSlotsIfNecessary(
	std::move(modules), kCryptoModulePasswordListCerts,
	net::HostPortPair(), // unused.
	NULL, // TODO(mattm): supply parent window.
	base::Bind(&CertificateManagerModel::RefreshSlotsUnlocked,
	base::Unretained(this)));

	#if defined(OS_CHROMEOS)
	extension_certificate_provider_->GetCertificates(base::Bind(
	&CertificateManagerModel::RefreshExtensionCertificates,
	weak_ptr_factory_.GetWeakPtr()));
	#endif
	}

	void CertificateManagerModel::RefreshSlotsUnlocked() {
	DVLOG(1) << "refresh listing certs...";
	// TODO(tbarzic): Use async \|ListCerts\|.
	cert_list_ = cert_db_->ListCertsSync();
	observer_->CertificatesRefreshed();
	DVLOG(1) << "refresh finished for platform provided certificates";
	}

	void CertificateManagerModel::RefreshExtensionCertificates(
	net::ClientCertIdentityList new_cert_identities) {
	extension_cert_list_.clear();
	extension_cert_list_.reserve(new_cert_identities.size());
	for (const auto& identity : new_cert_identities) {
	net::ScopedCERTCertificate nss_cert(
	net::x509_util::CreateCERTCertificateFromX509Certificate(
	identity->certificate()));
	if (nss_cert)
	extension_cert_list_.push_back(std::move(nss_cert));
	}
	observer_->CertificatesRefreshed();
	DVLOG(1) << "refresh finished for extension provided certificates";
	}

	void CertificateManagerModel::FilterAndBuildOrgGroupingMap(
	net::CertType filter_type,
	CertificateManagerModel::OrgGroupingMap* map) const {
	for (const net::ScopedCERTCertificate& cert : cert_list_) {
	net::CertType type = x509_certificate_model::GetType(cert.get());
	if (type != filter_type)
	continue;

	std::string org = GetCertificateOrg(cert.get());
	(*map)[org].push_back(net::x509_util::DupCERTCertificate(cert.get()));
	}

	// Display extension provided certificates under the "Your Certificates" tab.
	if (filter_type == net::USER_CERT) {
	for (const auto& cert : extension_cert_list_) {
	std::string org = GetCertificateOrg(cert.get());
	(*map)[org].push_back(net::x509_util::DupCERTCertificate(cert.get()));
	}
	}
	}

	base::string16 CertificateManagerModel::GetColumnText(CERTCertificate* cert,
	Column column) const {
	base::string16 rv;
	switch (column) {
	case COL_SUBJECT_NAME:
	rv = base::UTF8ToUTF16(
	x509_certificate_model::GetCertNameOrNickname(cert));

	// Mark extension provided certificates.
	if (std::find_if(extension_cert_list_.begin(), extension_cert_list_.end(),
	[cert](const net::ScopedCERTCertificate& element) {
	return element.get() == cert;
	}) != extension_cert_list_.end()) {
	rv = l10n_util::GetStringFUTF16(
	IDS_CERT_MANAGER_EXTENSION_PROVIDED_FORMAT,
	rv);
	} else if (IsHardwareBacked(cert)) {
	// TODO(xiyuan): Put this into a column when we have js tree-table.
	rv = l10n_util::GetStringFUTF16(
	IDS_CERT_MANAGER_HARDWARE_BACKED_KEY_FORMAT,
	rv,
	l10n_util::GetStringUTF16(IDS_CERT_MANAGER_HARDWARE_BACKED));
	}
	break;
	case COL_CERTIFICATE_STORE:
	rv = base::UTF8ToUTF16(x509_certificate_model::GetTokenName(cert));
	break;
	case COL_SERIAL_NUMBER:
	rv = base::ASCIIToUTF16(
	x509_certificate_model::GetSerialNumberHexified(cert, std::string()));
	break;
	case COL_EXPIRES_ON: {
	base::Time not_after;
	if (net::x509_util::GetValidityTimes(cert, nullptr, &not_after))
	rv = base::TimeFormatShortDateNumeric(not_after);
	break;
	}
	default:
	NOTREACHED();
	}
	return rv;
	}

	int CertificateManagerModel::ImportFromPKCS12(PK11SlotInfo* slot_info,
	const std::string& data,
	const base::string16& password,
	bool is_extractable) {
	int result = cert_db_->ImportFromPKCS12(slot_info, data, password,
	is_extractable, nullptr);
	if (result == net::OK)
	Refresh();
	return result;
	}

	int CertificateManagerModel::ImportUserCert(const std::string& data) {
	int result = cert_db_->ImportUserCert(data);
	if (result == net::OK)
	Refresh();
	return result;
	}

	bool CertificateManagerModel::ImportCACerts(
	const net::ScopedCERTCertificateList& certificates,
	net::NSSCertDatabase::TrustBits trust_bits,
	net::NSSCertDatabase::ImportCertFailureList* not_imported) {
	const size_t num_certs = certificates.size();
	bool result = cert_db_->ImportCACerts(certificates, trust_bits, not_imported);
	if (result && not_imported->size() != num_certs)
	Refresh();
	return result;
	}

	bool CertificateManagerModel::ImportServerCert(
	const net::ScopedCERTCertificateList& certificates,
	net::NSSCertDatabase::TrustBits trust_bits,
	net::NSSCertDatabase::ImportCertFailureList* not_imported) {
	const size_t num_certs = certificates.size();
	bool result =
	cert_db_->ImportServerCert(certificates, trust_bits, not_imported);
	if (result && not_imported->size() != num_certs)
	Refresh();
	return result;
	}

	bool CertificateManagerModel::SetCertTrust(
	CERTCertificate* cert,
	net::CertType type,
	net::NSSCertDatabase::TrustBits trust_bits) {
	return cert_db_->SetCertTrust(cert, type, trust_bits);
	}

	bool CertificateManagerModel::Delete(CERTCertificate* cert) {
	bool result = cert_db_->DeleteCertAndKey(cert);
	if (result)
	Refresh();
	return result;
	}

	bool CertificateManagerModel::IsHardwareBacked(CERTCertificate* cert) const {
	return cert_db_->IsHardwareBacked(cert);
	}

	// static
	void CertificateManagerModel::DidGetCertDBOnUIThread(
	net::NSSCertDatabase* cert_db,
	bool is_user_db_available,
	bool is_tpm_available,
	CertificateManagerModel::Observer* observer,
	std::unique_ptr<chromeos::CertificateProvider>
	extension_certificate_provider,
	const CreationCallback& callback) {
	DCHECK_CURRENTLY_ON(BrowserThread::UI);

	std::unique_ptr<CertificateManagerModel> model(new CertificateManagerModel(
	cert_db, is_user_db_available, is_tpm_available, observer,
	std::move(extension_certificate_provider)));
	callback.Run(std::move(model));
	}

	// static
	void CertificateManagerModel::DidGetCertDBOnIOThread(
	CertificateManagerModel::Observer* observer,
	std::unique_ptr<chromeos::CertificateProvider>
	extension_certificate_provider,
	const CreationCallback& callback,
	net::NSSCertDatabase* cert_db) {
	DCHECK_CURRENTLY_ON(BrowserThread::IO);

	bool is_user_db_available = !!cert_db->GetPublicSlot();
	bool is_tpm_available = false;
	#if defined(OS_CHROMEOS)
	is_tpm_available = crypto::IsTPMTokenEnabledForNSS();
	#endif
	BrowserThread::PostTask(
	BrowserThread::UI, FROM_HERE,
	base::BindOnce(&CertificateManagerModel::DidGetCertDBOnUIThread, cert_db,
	is_user_db_available, is_tpm_available, observer,
	base::Passed(&extension_certificate_provider), callback));
	}

	// static
	void CertificateManagerModel::GetCertDBOnIOThread(
	content::ResourceContext* context,
	CertificateManagerModel::Observer* observer,
	std::unique_ptr<chromeos::CertificateProvider>
	extension_certificate_provider,
	const CreationCallback& callback) {
	DCHECK_CURRENTLY_ON(BrowserThread::IO);

	auto did_get_cert_db_callback = base::Bind(
	&CertificateManagerModel::DidGetCertDBOnIOThread, observer,
	base::Passed(&extension_certificate_provider), callback);

	net::NSSCertDatabase* cert_db = GetNSSCertDatabaseForResourceContext(
	context, did_get_cert_db_callback);

	// The callback is run here instead of the actual function call because of
	// extension_certificate_provider ownership semantics, ie. ownership can only
	// be released once. The callback will only be run once (either inside the
	// function above or here).
	if (cert_db)
	did_get_cert_db_callback.Run(cert_db);
	}