[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 1 | // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #include "chromeos/network/cert_loader.h" |
| 6 | |
| 7 | #include <algorithm> |
| 8 | |
| 9 | #include "base/chromeos/chromeos_version.h" |
| 10 | #include "base/observer_list.h" |
[email protected] | 5341905 | 2013-05-14 04:37:56 | [diff] [blame] | 11 | #include "base/strings/string_number_conversions.h" |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 12 | #include "base/task_runner_util.h" |
| 13 | #include "base/threading/worker_pool.h" |
| 14 | #include "chromeos/dbus/cryptohome_client.h" |
| 15 | #include "chromeos/dbus/dbus_thread_manager.h" |
| 16 | #include "crypto/encryptor.h" |
| 17 | #include "crypto/nss_util.h" |
| 18 | #include "crypto/sha2.h" |
| 19 | #include "crypto/symmetric_key.h" |
| 20 | #include "net/cert/nss_cert_database.h" |
| 21 | |
| 22 | namespace chromeos { |
| 23 | |
| 24 | namespace { |
| 25 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 26 | const int64 kInitialRequestDelayMs = 100; |
| 27 | const int64 kMaxRequestDelayMs = 300000; // 5 minutes |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 28 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 29 | // Calculates the delay before running next attempt to initiatialize the TPM |
| 30 | // token, if |last_delay| was the last or initial delay. |
| 31 | base::TimeDelta GetNextRequestDelayMs(base::TimeDelta last_delay) { |
| 32 | // This implements an exponential backoff, as we don't know in which order of |
| 33 | // magnitude the TPM token changes it's state. |
| 34 | base::TimeDelta next_delay = last_delay * 2; |
| 35 | |
| 36 | // Cap the delay to prevent an overflow. This threshold is arbitrarily chosen. |
| 37 | const base::TimeDelta max_delay = |
| 38 | base::TimeDelta::FromMilliseconds(kMaxRequestDelayMs); |
| 39 | if (next_delay > max_delay) |
| 40 | next_delay = max_delay; |
| 41 | return next_delay; |
| 42 | } |
| 43 | |
| 44 | void LoadNSSCertificates(net::CertificateList* cert_list) { |
[email protected] | 5341905 | 2013-05-14 04:37:56 | [diff] [blame] | 45 | if (base::chromeos::IsRunningOnChromeOS()) |
| 46 | net::NSSCertDatabase::GetInstance()->ListCerts(cert_list); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 47 | } |
| 48 | |
| 49 | } // namespace |
| 50 | |
| 51 | static CertLoader* g_cert_loader = NULL; |
| 52 | |
| 53 | // static |
| 54 | void CertLoader::Initialize() { |
| 55 | CHECK(!g_cert_loader); |
| 56 | g_cert_loader = new CertLoader(); |
| 57 | } |
| 58 | |
| 59 | // static |
| 60 | void CertLoader::Shutdown() { |
| 61 | CHECK(g_cert_loader); |
| 62 | delete g_cert_loader; |
| 63 | g_cert_loader = NULL; |
| 64 | } |
| 65 | |
| 66 | // static |
| 67 | CertLoader* CertLoader::Get() { |
| 68 | CHECK(g_cert_loader) << "CertLoader::Get() called before Initialize()"; |
| 69 | return g_cert_loader; |
| 70 | } |
| 71 | |
| 72 | // static |
| 73 | bool CertLoader::IsInitialized() { |
| 74 | return g_cert_loader; |
| 75 | } |
| 76 | |
| 77 | CertLoader::CertLoader() |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 78 | : certificates_requested_(false), |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 79 | certificates_loaded_(false), |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 80 | certificates_update_required_(false), |
| 81 | certificates_update_running_(false), |
| 82 | tpm_token_state_(TPM_STATE_UNKNOWN), |
| 83 | tpm_request_delay_( |
| 84 | base::TimeDelta::FromMilliseconds(kInitialRequestDelayMs)), |
| 85 | initialize_token_factory_(this), |
| 86 | update_certificates_factory_(this) { |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 87 | net::CertDatabase::GetInstance()->AddObserver(this); |
| 88 | LoginState::Get()->AddObserver(this); |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 89 | RequestCertificates(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 90 | } |
| 91 | |
| 92 | CertLoader::~CertLoader() { |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 93 | net::CertDatabase::GetInstance()->RemoveObserver(this); |
| 94 | LoginState::Get()->RemoveObserver(this); |
| 95 | } |
| 96 | |
| 97 | void CertLoader::AddObserver(CertLoader::Observer* observer) { |
| 98 | observers_.AddObserver(observer); |
| 99 | } |
| 100 | |
| 101 | void CertLoader::RemoveObserver(CertLoader::Observer* observer) { |
| 102 | observers_.RemoveObserver(observer); |
| 103 | } |
| 104 | |
| 105 | bool CertLoader::CertificatesLoading() const { |
| 106 | return certificates_requested_ && !certificates_loaded_; |
| 107 | } |
| 108 | |
| 109 | bool CertLoader::IsHardwareBacked() const { |
| 110 | return !tpm_token_name_.empty(); |
| 111 | } |
| 112 | |
| 113 | void CertLoader::RequestCertificates() { |
| 114 | CHECK(thread_checker_.CalledOnValidThread()); |
| 115 | VLOG(1) << "RequestCertificates: " << LoginState::Get()->IsUserLoggedIn(); |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 116 | if (certificates_requested_ || !LoginState::Get()->IsUserLoggedIn()) |
| 117 | return; |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 118 | |
| 119 | certificates_requested_ = true; |
| 120 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 121 | // Ensure we've opened the user's key/certificate database. |
| 122 | crypto::OpenPersistentNSSDB(); |
| 123 | if (base::chromeos::IsRunningOnChromeOS()) |
| 124 | crypto::EnableTPMTokenForNSS(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 125 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 126 | // This is the entry point to the TPM token initialization process, which we |
| 127 | // should do at most once. |
| 128 | DCHECK(!initialize_token_factory_.HasWeakPtrs()); |
| 129 | InitializeTokenAndLoadCertificates(); |
| 130 | } |
| 131 | |
| 132 | void CertLoader::InitializeTokenAndLoadCertificates() { |
| 133 | CHECK(thread_checker_.CalledOnValidThread()); |
| 134 | VLOG(1) << "InitializeTokenAndLoadCertificates"; |
| 135 | |
| 136 | switch(tpm_token_state_) { |
| 137 | case TPM_STATE_UNKNOWN: { |
| 138 | DBusThreadManager::Get()->GetCryptohomeClient()->TpmIsEnabled( |
| 139 | base::Bind(&CertLoader::OnTpmIsEnabled, |
| 140 | initialize_token_factory_.GetWeakPtr())); |
| 141 | return; |
| 142 | } |
| 143 | case TPM_DISABLED: { |
| 144 | // TPM is disabled, so proceed with empty tpm token name. |
| 145 | StartLoadCertificates(); |
| 146 | return; |
| 147 | } |
| 148 | case TPM_ENABLED: { |
| 149 | DBusThreadManager::Get()->GetCryptohomeClient()->Pkcs11IsTpmTokenReady( |
| 150 | base::Bind(&CertLoader::OnPkcs11IsTpmTokenReady, |
| 151 | initialize_token_factory_.GetWeakPtr())); |
| 152 | return; |
| 153 | } |
| 154 | case TPM_TOKEN_READY: { |
| 155 | // Retrieve token_name_ and user_pin_ here since they will never change |
| 156 | // and CryptohomeClient calls are not thread safe. |
| 157 | DBusThreadManager::Get()->GetCryptohomeClient()->Pkcs11GetTpmTokenInfo( |
| 158 | base::Bind(&CertLoader::OnPkcs11GetTpmTokenInfo, |
| 159 | initialize_token_factory_.GetWeakPtr())); |
| 160 | return; |
| 161 | } |
| 162 | case TPM_TOKEN_INFO_RECEIVED: { |
| 163 | InitializeNSSForTPMToken(); |
| 164 | return; |
| 165 | } |
| 166 | case TPM_TOKEN_NSS_INITIALIZED: { |
| 167 | StartLoadCertificates(); |
| 168 | return; |
| 169 | } |
| 170 | } |
| 171 | } |
| 172 | |
| 173 | void CertLoader::RetryTokenInitializationLater() { |
| 174 | LOG(WARNING) << "Re-Requesting Certificates later."; |
| 175 | MessageLoop::current()->PostDelayedTask( |
| 176 | FROM_HERE, |
| 177 | base::Bind(&CertLoader::InitializeTokenAndLoadCertificates, |
| 178 | initialize_token_factory_.GetWeakPtr()), |
| 179 | tpm_request_delay_); |
| 180 | tpm_request_delay_ = GetNextRequestDelayMs(tpm_request_delay_); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 181 | } |
| 182 | |
[email protected] | 5341905 | 2013-05-14 04:37:56 | [diff] [blame] | 183 | // For background see this discussion on dev-tech-crypto.lists.mozilla.org: |
| 184 | // http://web.archiveorange.com/archive/v/6JJW7E40sypfZGtbkzxX |
| 185 | // |
| 186 | // NOTE: This function relies on the convention that the same PKCS#11 ID |
| 187 | // is shared between a certificate and its associated private and public |
| 188 | // keys. I tried to implement this with PK11_GetLowLevelKeyIDForCert(), |
| 189 | // but that always returns NULL on Chrome OS for me. |
| 190 | std::string CertLoader::GetPkcs11IdForCert( |
| 191 | const net::X509Certificate& cert) const { |
| 192 | if (!IsHardwareBacked()) |
| 193 | return std::string(); |
| 194 | |
| 195 | CERTCertificateStr* cert_handle = cert.os_cert_handle(); |
| 196 | SECKEYPrivateKey *priv_key = |
| 197 | PK11_FindKeyByAnyCert(cert_handle, NULL /* wincx */); |
| 198 | if (!priv_key) |
| 199 | return std::string(); |
| 200 | |
| 201 | // Get the CKA_ID attribute for a key. |
| 202 | SECItem* sec_item = PK11_GetLowLevelKeyIDForPrivateKey(priv_key); |
| 203 | std::string pkcs11_id; |
| 204 | if (sec_item) { |
| 205 | pkcs11_id = base::HexEncode(sec_item->data, sec_item->len); |
| 206 | SECITEM_FreeItem(sec_item, PR_TRUE); |
| 207 | } |
| 208 | SECKEY_DestroyPrivateKey(priv_key); |
| 209 | |
| 210 | return pkcs11_id; |
| 211 | } |
| 212 | |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 213 | void CertLoader::OnTpmIsEnabled(DBusMethodCallStatus call_status, |
| 214 | bool tpm_is_enabled) { |
| 215 | VLOG(1) << "OnTpmIsEnabled: " << tpm_is_enabled; |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 216 | |
| 217 | if (call_status == DBUS_METHOD_CALL_SUCCESS && tpm_is_enabled) |
| 218 | tpm_token_state_ = TPM_ENABLED; |
| 219 | else |
| 220 | tpm_token_state_ = TPM_DISABLED; |
| 221 | |
| 222 | InitializeTokenAndLoadCertificates(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 223 | } |
| 224 | |
| 225 | void CertLoader::OnPkcs11IsTpmTokenReady(DBusMethodCallStatus call_status, |
| 226 | bool is_tpm_token_ready) { |
| 227 | VLOG(1) << "OnPkcs11IsTpmTokenReady: " << is_tpm_token_ready; |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 228 | |
| 229 | if (call_status == DBUS_METHOD_CALL_FAILURE || !is_tpm_token_ready) { |
| 230 | RetryTokenInitializationLater(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 231 | return; |
| 232 | } |
| 233 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 234 | tpm_token_state_ = TPM_TOKEN_READY; |
| 235 | InitializeTokenAndLoadCertificates(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 236 | } |
| 237 | |
| 238 | void CertLoader::OnPkcs11GetTpmTokenInfo(DBusMethodCallStatus call_status, |
| 239 | const std::string& token_name, |
| 240 | const std::string& user_pin) { |
| 241 | VLOG(1) << "OnPkcs11GetTpmTokenInfo: " << token_name; |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 242 | |
| 243 | if (call_status == DBUS_METHOD_CALL_FAILURE) { |
| 244 | RetryTokenInitializationLater(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 245 | return; |
| 246 | } |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 247 | |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 248 | tpm_token_name_ = token_name; |
| 249 | // TODO(stevenjb): The network code expects a slot ID, not a label. See |
| 250 | // crbug.com/201101. For now, use a hard coded, well known slot instead. |
| 251 | const char kHardcodedTpmSlot[] = "0"; |
| 252 | tpm_token_slot_ = kHardcodedTpmSlot; |
| 253 | tpm_user_pin_ = user_pin; |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 254 | tpm_token_state_ = TPM_TOKEN_INFO_RECEIVED; |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 255 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 256 | InitializeTokenAndLoadCertificates(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 257 | } |
| 258 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 259 | void CertLoader::InitializeNSSForTPMToken() { |
| 260 | VLOG(1) << "InitializeNSSForTPMToken"; |
| 261 | |
[email protected] | 5341905 | 2013-05-14 04:37:56 | [diff] [blame] | 262 | if (base::chromeos::IsRunningOnChromeOS() && |
| 263 | !crypto::InitializeTPMToken(tpm_token_name_, tpm_user_pin_)) { |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 264 | RetryTokenInitializationLater(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 265 | return; |
| 266 | } |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 267 | |
| 268 | tpm_token_state_ = TPM_TOKEN_NSS_INITIALIZED; |
| 269 | InitializeTokenAndLoadCertificates(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 270 | } |
| 271 | |
| 272 | void CertLoader::StartLoadCertificates() { |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 273 | VLOG(1) << "StartLoadCertificates"; |
| 274 | |
| 275 | if (certificates_update_running_) { |
| 276 | certificates_update_required_ = true; |
| 277 | return; |
| 278 | } |
| 279 | |
| 280 | net::CertificateList* cert_list = new net::CertificateList; |
| 281 | certificates_update_running_ = true; |
| 282 | base::WorkerPool::GetTaskRunner(true /* task_is_slow */)-> |
| 283 | PostTaskAndReply( |
| 284 | FROM_HERE, |
| 285 | base::Bind(LoadNSSCertificates, cert_list), |
| 286 | base::Bind(&CertLoader::UpdateCertificates, |
| 287 | update_certificates_factory_.GetWeakPtr(), |
| 288 | base::Owned(cert_list))); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 289 | } |
| 290 | |
| 291 | void CertLoader::UpdateCertificates(net::CertificateList* cert_list) { |
| 292 | CHECK(thread_checker_.CalledOnValidThread()); |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 293 | DCHECK(certificates_update_running_); |
| 294 | VLOG(1) << "UpdateCertificates: " << cert_list->size(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 295 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 296 | // Ignore any existing certificates. |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 297 | cert_list_.swap(*cert_list); |
| 298 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 299 | NotifyCertificatesLoaded(!certificates_loaded_); |
| 300 | certificates_loaded_ = true; |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 301 | |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 302 | certificates_update_running_ = false; |
| 303 | if (certificates_update_required_) |
| 304 | StartLoadCertificates(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 305 | } |
| 306 | |
| 307 | void CertLoader::NotifyCertificatesLoaded(bool initial_load) { |
| 308 | FOR_EACH_OBSERVER(Observer, observers_, |
| 309 | OnCertificatesLoaded(cert_list_, initial_load)); |
| 310 | } |
| 311 | |
| 312 | void CertLoader::OnCertTrustChanged(const net::X509Certificate* cert) { |
| 313 | } |
| 314 | |
| 315 | void CertLoader::OnCertAdded(const net::X509Certificate* cert) { |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 316 | VLOG(1) << "OnCertAdded"; |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 317 | StartLoadCertificates(); |
| 318 | } |
| 319 | |
| 320 | void CertLoader::OnCertRemoved(const net::X509Certificate* cert) { |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 321 | VLOG(1) << "OnCertRemoved"; |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 322 | StartLoadCertificates(); |
| 323 | } |
| 324 | |
| 325 | void CertLoader::LoggedInStateChanged(LoginState::LoggedInState state) { |
| 326 | VLOG(1) << "LoggedInStateChanged: " << state; |
[email protected] | 7d3d0c0 | 2013-05-22 12:32:13 | [diff] [blame^] | 327 | RequestCertificates(); |
[email protected] | 75d93a8 | 2013-05-06 19:51:56 | [diff] [blame] | 328 | } |
| 329 | |
| 330 | } // namespace chromeos |