Lacros: Implement chrome://settings/certificates
This CL fixes and re-enables chrome://settings/certificates page
in Lacros. The implementation for the settings page itself is mostly
untouched. The main change is to reuse the code of
*CertificateManagementAllowed policies to disable certificates for
secondary profiles. Client certificates are not supported for secondary
profiles at the moment. CA certificates are shared between all profiles
and therefore should only be managed by the main profile (secondary
ones can still see them).
The second half of the CL implements NSSCertDatabase in Lacros. It
required updating the CertDbInitiazer* classes and the CertDatabase
mojo interface that they use.
Under the existing implementation, Ash directs Lacros about the path
to use for the NSS software database and whether to load Chaps via
the GetCertDatabaseInfoResult.
Although Chaps is loaded by Lacros, it does not have knowledge about
the slot associated with the user (the private slot) or whether or not
to explicitly enable management of the system slot; NSS simply loads
all slots into process memory space. Ash is expected to only tell
Lacros to load chaps if both slots should be loaded.
chrome://settings/certificates is disabled because it was never
properly implemented for Lacros. The code inherited would not create
a correct NSSCertDatabase.
With this new implementation, the user's NSS database is passed through
the BrowserInitParams. It is done to enable loading the software NSS
database earlier. The GetCertDatabaseInfoResult is modified to indicate
which slot(s) the main profile can manage and this is used to create an
NSSCertDatabase for it. Secondary profiles are not allowed to manage
any certificates for now.
Because Ash and Lacros update independently, the code needs to account
for (old-Ash, new-Lacros) and (new-Ash, new-Lacros):
- (old-Ash, new-Lacros) will work mostly the same as
(old-Ash, old-Lacros). The only difference is that the
chrome://settings/certificates page will be present, but modifications
won’t work (see Legacy* methods in this CL).
- (new-Ash, new-Lacros) will properly process the new mojo message,
load slots with specified IDs and create a correct NSSCertDatabase that
will allow modification on the chrome://settings/certificates page.
For now Ash will still only tell to load chaps if both slots should be
used. The use case without the system slot will be covered in a
separate CL.
A DD for the change with some additional details:
go/certificatessettingspagelacros
Bug: b:191336664
Test: Manual
Change-Id: Id5ea17ff20f44277fa7219d66ead61da2b436bbc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3185903
Commit-Queue: Michael Ershov <[email protected]>
Reviewed-by: Pavol Marko <[email protected]>
Reviewed-by: dpapad <[email protected]>
Reviewed-by: Roland Bock <[email protected]>
Reviewed-by: Dominic Battré <[email protected]>
Reviewed-by: Ryan Sleevi <[email protected]>
Cr-Commit-Position: refs/heads/main@{#937862}
diff --git a/chrome/browser/prefs/browser_prefs.cc b/chrome/browser/prefs/browser_prefs.cc
index 23ec024..05044d9 100644
--- a/chrome/browser/prefs/browser_prefs.cc
+++ b/chrome/browser/prefs/browser_prefs.cc
@@ -261,6 +261,7 @@
#if defined(OS_CHROMEOS)
#include "chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api.h"
+#include "chrome/browser/ui/webui/certificates_handler.h"
#if defined(USE_CUPS)
#include "chrome/browser/extensions/api/printing/printing_api_handler.h"
#endif // defined(USE_CUPS)
@@ -364,7 +365,6 @@
#include "chrome/browser/ui/app_list/arc/arc_app_list_prefs.h"
#include "chrome/browser/ui/app_list/search/arc/arc_app_reinstall_search_provider.h"
#include "chrome/browser/ui/ash/shelf/chrome_shelf_prefs.h"
-#include "chrome/browser/ui/webui/certificates_handler.h"
#include "chrome/browser/ui/webui/chromeos/login/enable_debugging_screen_handler.h"
#include "chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h"
#include "chrome/browser/ui/webui/settings/chromeos/os_settings_ui.h"
@@ -982,7 +982,7 @@
registry->RegisterIntegerPref(first_run::kTosDialogBehavior, 0);
registry->RegisterBooleanPref(lens::kLensCameraAssistedSearchEnabled, true);
-#else // defined(OS_ANDROID)
+#else // defined(OS_ANDROID)
gcm::RegisterPrefs(registry);
IntranetRedirectDetector::RegisterPrefs(registry);
media_router::RegisterLocalStatePrefs(registry);
@@ -1273,7 +1273,7 @@
video_tutorials::RegisterPrefs(registry);
feed::prefs::RegisterFeedSharedProfilePrefs(registry);
feed::RegisterProfilePrefs(registry);
-#else // defined(OS_ANDROID)
+#else // defined(OS_ANDROID)
AppShortcutManager::RegisterProfilePrefs(registry);
browser_sync::ForeignSessionHandler::RegisterProfilePrefs(registry);
captions::LiveCaptionController::RegisterProfilePrefs(registry);
@@ -1312,6 +1312,7 @@
#if defined(OS_CHROMEOS)
extensions::platform_keys::RegisterProfilePrefs(registry);
+ certificate_manager::CertificatesHandler::RegisterProfilePrefs(registry);
#if defined(USE_CUPS)
extensions::PrintingAPIHandler::RegisterProfilePrefs(registry);
#endif // defined(USE_CUPS)
@@ -1324,7 +1325,6 @@
apps::webapk_prefs::RegisterProfilePrefs(registry);
arc::prefs::RegisterProfilePrefs(registry);
ArcAppListPrefs::RegisterProfilePrefs(registry);
- certificate_manager::CertificatesHandler::RegisterProfilePrefs(registry);
account_manager::AccountManager::RegisterPrefs(registry);
ash::ApkWebAppService::RegisterProfilePrefs(registry);
ash::app_time::AppActivityRegistry::RegisterProfilePrefs(registry);
