1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/chromeos/options/cert_library.h"
6
7 #include <algorithm>
8
9 #include "base/command_line.h"
10 #include "base/i18n/string_compare.h"
11 #include "base/memory/weak_ptr.h"
12 #include "base/observer_list_threadsafe.h"
13 #include "base/strings/string_number_conversions.h"
14 #include "base/strings/string_util.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "chrome/browser/browser_process.h" // g_browser_process
17 #include "chrome/common/chrome_switches.h"
18 #include "chrome/common/net/x509_certificate_model.h"
19 #include "chrome/grit/generated_resources.h"
20 #include "chromeos/dbus/cryptohome_client.h"
21 #include "chromeos/dbus/dbus_thread_manager.h"
22 #include "chromeos/login/login_state.h"
23 #include "chromeos/network/onc/onc_utils.h"
24 #include "content/public/browser/browser_thread.h"
25 #include "crypto/nss_util.h"
26 #include "net/cert/cert_database.h"
27 #include "net/cert/nss_cert_database.h"
28 #include "third_party/icu/source/i18n/unicode/coll.h" // icu::Collator
29 #include "ui/base/l10n/l10n_util.h"
30 #include "ui/base/l10n/l10n_util_collator.h"
31
32 namespace chromeos {
33
34 namespace {
35
36 // Root CA certificates that are built into Chrome use this token name.
37 const char kRootCertificateTokenName[] = "Builtin Object Token";
38
GetDisplayString(net::X509Certificate * cert,bool hardware_backed)39 base::string16 GetDisplayString(net::X509Certificate* cert,
40 bool hardware_backed) {
41 std::string org;
42 if (!cert->subject().organization_names.empty())
43 org = cert->subject().organization_names[0];
44 if (org.empty())
45 org = cert->subject().GetDisplayName();
46 base::string16 issued_by = base::UTF8ToUTF16(
47 x509_certificate_model::GetIssuerCommonName(cert->os_cert_handle(),
48 org)); // alternative text
49 base::string16 issued_to = base::UTF8ToUTF16(
50 x509_certificate_model::GetCertNameOrNickname(cert->os_cert_handle()));
51
52 if (hardware_backed) {
53 return l10n_util::GetStringFUTF16(
54 IDS_CERT_MANAGER_HARDWARE_BACKED_KEY_FORMAT_LONG,
55 issued_by,
56 issued_to,
57 l10n_util::GetStringUTF16(IDS_CERT_MANAGER_HARDWARE_BACKED));
58 } else {
59 return l10n_util::GetStringFUTF16(
60 IDS_CERT_MANAGER_KEY_FORMAT_LONG,
61 issued_by,
62 issued_to);
63 }
64 }
65
CertToPEM(const net::X509Certificate & cert)66 std::string CertToPEM(const net::X509Certificate& cert) {
67 std::string pem_encoded_cert;
68 if (!net::X509Certificate::GetPEMEncoded(cert.os_cert_handle(),
69 &pem_encoded_cert)) {
70 LOG(ERROR) << "Couldn't PEM-encode certificate";
71 return std::string();
72 }
73 return pem_encoded_cert;
74 }
75
76 } // namespace
77
78 class CertNameComparator {
79 public:
CertNameComparator(icu::Collator * collator)80 explicit CertNameComparator(icu::Collator* collator)
81 : collator_(collator) {
82 }
83
operator ()(const scoped_refptr<net::X509Certificate> & lhs,const scoped_refptr<net::X509Certificate> & rhs) const84 bool operator()(const scoped_refptr<net::X509Certificate>& lhs,
85 const scoped_refptr<net::X509Certificate>& rhs) const {
86 base::string16 lhs_name = GetDisplayString(lhs.get(), false);
87 base::string16 rhs_name = GetDisplayString(rhs.get(), false);
88 if (collator_ == NULL)
89 return lhs_name < rhs_name;
90 return base::i18n::CompareString16WithCollator(
91 collator_, lhs_name, rhs_name) == UCOL_LESS;
92 }
93
94 private:
95 icu::Collator* collator_;
96 };
97
98 static CertLibrary* g_cert_library = NULL;
99
100 // static
Initialize()101 void CertLibrary::Initialize() {
102 CHECK(!g_cert_library);
103 g_cert_library = new CertLibrary();
104 }
105
106 // static
Shutdown()107 void CertLibrary::Shutdown() {
108 CHECK(g_cert_library);
109 delete g_cert_library;
110 g_cert_library = NULL;
111 }
112
113 // static
Get()114 CertLibrary* CertLibrary::Get() {
115 CHECK(g_cert_library) << "CertLibrary::Get() called before Initialize()";
116 return g_cert_library;
117 }
118
119 // static
IsInitialized()120 bool CertLibrary::IsInitialized() {
121 return g_cert_library;
122 }
123
CertLibrary()124 CertLibrary::CertLibrary() {
125 CertLoader::Get()->AddObserver(this);
126 }
127
~CertLibrary()128 CertLibrary::~CertLibrary() {
129 CertLoader::Get()->RemoveObserver(this);
130 }
131
AddObserver(CertLibrary::Observer * observer)132 void CertLibrary::AddObserver(CertLibrary::Observer* observer) {
133 observer_list_.AddObserver(observer);
134 }
135
RemoveObserver(CertLibrary::Observer * observer)136 void CertLibrary::RemoveObserver(CertLibrary::Observer* observer) {
137 observer_list_.RemoveObserver(observer);
138 }
139
CertificatesLoading() const140 bool CertLibrary::CertificatesLoading() const {
141 return CertLoader::Get()->CertificatesLoading();
142 }
143
CertificatesLoaded() const144 bool CertLibrary::CertificatesLoaded() const {
145 return CertLoader::Get()->certificates_loaded();
146 }
147
IsHardwareBacked() const148 bool CertLibrary::IsHardwareBacked() const {
149 return CertLoader::Get()->IsHardwareBacked();
150 }
151
NumCertificates(CertType type) const152 int CertLibrary::NumCertificates(CertType type) const {
153 const net::CertificateList& cert_list = GetCertificateListForType(type);
154 return static_cast<int>(cert_list.size());
155 }
156
GetCertDisplayStringAt(CertType type,int index) const157 base::string16 CertLibrary::GetCertDisplayStringAt(CertType type,
158 int index) const {
159 net::X509Certificate* cert = GetCertificateAt(type, index);
160 bool hardware_backed = IsCertHardwareBackedAt(type, index);
161 return GetDisplayString(cert, hardware_backed);
162 }
163
GetServerCACertPEMAt(int index) const164 std::string CertLibrary::GetServerCACertPEMAt(int index) const {
165 return CertToPEM(*GetCertificateAt(CERT_TYPE_SERVER_CA, index));
166 }
167
GetUserCertPkcs11IdAt(int index,int * slot_id) const168 std::string CertLibrary::GetUserCertPkcs11IdAt(int index, int* slot_id) const {
169 net::X509Certificate* cert = GetCertificateAt(CERT_TYPE_USER, index);
170 return CertLoader::GetPkcs11IdAndSlotForCert(*cert, slot_id);
171 }
172
IsCertHardwareBackedAt(CertType type,int index) const173 bool CertLibrary::IsCertHardwareBackedAt(CertType type, int index) const {
174 net::X509Certificate* cert = GetCertificateAt(type, index);
175 return CertLoader::Get()->IsCertificateHardwareBacked(cert);
176 }
177
GetServerCACertIndexByPEM(const std::string & pem_encoded) const178 int CertLibrary::GetServerCACertIndexByPEM(
179 const std::string& pem_encoded) const {
180 int num_certs = NumCertificates(CERT_TYPE_SERVER_CA);
181 for (int index = 0; index < num_certs; ++index) {
182 net::X509Certificate* cert = GetCertificateAt(CERT_TYPE_SERVER_CA, index);
183 if (CertToPEM(*cert) != pem_encoded)
184 continue;
185 return index;
186 }
187 return -1;
188 }
189
GetUserCertIndexByPkcs11Id(const std::string & pkcs11_id) const190 int CertLibrary::GetUserCertIndexByPkcs11Id(
191 const std::string& pkcs11_id) const {
192 int num_certs = NumCertificates(CERT_TYPE_USER);
193 for (int index = 0; index < num_certs; ++index) {
194 net::X509Certificate* cert = GetCertificateAt(CERT_TYPE_USER, index);
195 int slot_id = -1;
196 std::string id = CertLoader::GetPkcs11IdAndSlotForCert(*cert, &slot_id);
197 if (id == pkcs11_id)
198 return index;
199 }
200 return -1; // Not found.
201 }
202
OnCertificatesLoaded(const net::CertificateList & cert_list,bool initial_load)203 void CertLibrary::OnCertificatesLoaded(const net::CertificateList& cert_list,
204 bool initial_load) {
205 CHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
206 VLOG(1) << "CertLibrary::OnCertificatesLoaded: " << cert_list.size();
207 certs_.clear();
208 user_certs_.clear();
209 server_certs_.clear();
210 server_ca_certs_.clear();
211
212 // Add certificates to the appropriate list.
213 for (net::CertificateList::const_iterator iter = cert_list.begin();
214 iter != cert_list.end(); ++iter) {
215 certs_.push_back(iter->get());
216 net::X509Certificate::OSCertHandle cert_handle =
217 iter->get()->os_cert_handle();
218 net::CertType type = x509_certificate_model::GetType(cert_handle);
219 switch (type) {
220 case net::USER_CERT:
221 user_certs_.push_back(iter->get());
222 break;
223 case net::SERVER_CERT:
224 server_certs_.push_back(iter->get());
225 break;
226 case net::CA_CERT: {
227 // Exclude root CA certificates that are built into Chrome.
228 std::string token_name =
229 x509_certificate_model::GetTokenName(cert_handle);
230 if (token_name != kRootCertificateTokenName)
231 server_ca_certs_.push_back(iter->get());
232 break;
233 }
234 default:
235 break;
236 }
237 }
238
239 // Perform locale-sensitive sorting by certificate name.
240 UErrorCode error = U_ZERO_ERROR;
241 scoped_ptr<icu::Collator> collator(icu::Collator::createInstance(
242 icu::Locale(g_browser_process->GetApplicationLocale().c_str()), error));
243 if (U_FAILURE(error))
244 collator.reset();
245 CertNameComparator cert_name_comparator(collator.get());
246 std::sort(certs_.begin(), certs_.end(), cert_name_comparator);
247 std::sort(user_certs_.begin(), user_certs_.end(), cert_name_comparator);
248 std::sort(server_certs_.begin(), server_certs_.end(), cert_name_comparator);
249 std::sort(server_ca_certs_.begin(), server_ca_certs_.end(),
250 cert_name_comparator);
251
252 VLOG(1) << "certs_: " << certs_.size();
253 VLOG(1) << "user_certs_: " << user_certs_.size();
254 VLOG(1) << "server_certs_: " << server_certs_.size();
255 VLOG(1) << "server_ca_certs_: " << server_ca_certs_.size();
256
257 FOR_EACH_OBSERVER(CertLibrary::Observer, observer_list_,
258 OnCertificatesLoaded(initial_load));
259 }
260
GetCertificateAt(CertType type,int index) const261 net::X509Certificate* CertLibrary::GetCertificateAt(CertType type,
262 int index) const {
263 const net::CertificateList& cert_list = GetCertificateListForType(type);
264 DCHECK_GE(index, 0);
265 DCHECK_LT(index, static_cast<int>(cert_list.size()));
266 return cert_list[index].get();
267 }
268
GetCertificateListForType(CertType type) const269 const net::CertificateList& CertLibrary::GetCertificateListForType(
270 CertType type) const {
271 if (type == CERT_TYPE_USER)
272 return user_certs_;
273 if (type == CERT_TYPE_SERVER)
274 return server_certs_;
275 if (type == CERT_TYPE_SERVER_CA)
276 return server_ca_certs_;
277 DCHECK(type == CERT_TYPE_DEFAULT);
278 return certs_;
279 }
280
281 } // namespace chromeos
282