blob: 019d8e4007d96d9b65eea0ad7e57a6cf0453964b [file] [log] [blame]
Avi Drissman4a8573c2022-09-09 19:35:541// Copyright 2013 The Chromium Authors
[email protected]24a9f1c92013-11-13 12:33:372// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
Michael Ershova7b13be2022-01-13 11:30:405#ifndef CHROME_BROWSER_POLICY_NETWORKING_POLICY_CERT_SERVICE_H_
6#define CHROME_BROWSER_POLICY_NETWORKING_POLICY_CERT_SERVICE_H_
[email protected]24a9f1c92013-11-13 12:33:377
dcheng24002d02016-04-08 02:42:408#include <memory>
[email protected]bcb94772013-12-19 14:28:589#include <string>
[email protected]24a9f1c92013-11-13 12:33:3710#include <vector>
11
Andrew Williams236157f2025-01-07 15:19:5512#include "base/functional/callback.h"
Keishi Hattori376784e2022-06-28 06:01:4213#include "base/memory/raw_ptr.h"
Lei Zhang25439e72025-04-23 17:19:5414#include "base/memory/scoped_refptr.h"
Yeunjoo Choi34a3ba62022-07-18 02:05:1315#include "chromeos/ash/components/network/policy_certificate_provider.h"
[email protected]12b7af32014-03-13 05:28:2016#include "components/keyed_service/core/keyed_service.h"
[email protected]24a9f1c92013-11-13 12:33:3717
John Abd-El-Malek21bca7c2018-10-26 22:13:3318class Profile;
19
Pavol Marko9d4296f02019-08-12 21:44:1320namespace base {
21class FilePath;
22}
23
[email protected]24a9f1c92013-11-13 12:33:3724namespace net {
25class X509Certificate;
phweiss467b1ac2021-06-04 10:58:3226typedef std::vector<scoped_refptr<X509Certificate>> CertificateList;
27} // namespace net
[email protected]24a9f1c92013-11-13 12:33:3728
John Abd-El-Malek21bca7c2018-10-26 22:13:3329namespace network {
Pavol Markof38cb212018-11-19 20:47:1030class NSSTempCertsCacheChromeOS;
John Abd-El-Malek21bca7c2018-10-26 22:13:3331}
32
[email protected]24a9f1c92013-11-13 12:33:3733namespace policy {
[email protected]24a9f1c92013-11-13 12:33:3734
Pavol Marko9d4296f02019-08-12 21:44:1335// This service is responsible for pushing the current list of policy-provided
36// certificates to ProfileNetworkContextService.
37// This service / its factory keep track of which Profile has used a
38// policy-provided trust anchor.
Pavol Markob429f542018-08-23 06:08:1939class PolicyCertService : public KeyedService,
Yeunjoo Choi427ff7a62022-08-09 06:11:0840 public ash::PolicyCertificateProvider::Observer {
[email protected]24a9f1c92013-11-13 12:33:3741 public:
Pavol Marko9d4296f02019-08-12 21:44:1342 // Constructs a PolicyCertService for |profile| using
43 // |policy_certificate_provider| as the source of certificates.
44 // If |may_use_profile_wide_trust_anchors| is true, certificates from
45 // |policy_certificate_provider| that have requested "Web" trust and have
46 // profile-wide scope will be used for |profile|.
Yeunjoo Choi427ff7a62022-08-09 06:11:0847 PolicyCertService(Profile* profile,
48 ash::PolicyCertificateProvider* policy_certificate_provider,
49 bool may_use_profile_wide_trust_anchors);
Peter Boström53c6c5952021-09-17 09:41:2650
51 PolicyCertService(const PolicyCertService&) = delete;
52 PolicyCertService& operator=(const PolicyCertService&) = delete;
53
dcheng9a7fea82015-01-16 11:38:5754 ~PolicyCertService() override;
[email protected]24a9f1c92013-11-13 12:33:3755
Andrew Williams236157f2025-01-07 15:19:5556 // Starts observing for changes to the policy-provided certificates and sets
57 // a callback to be called when this happens. This should only be called if
58 // the network service is enabled.
59 void StartObservingCertChanges(base::RepeatingClosure callback);
[email protected]24a9f1c92013-11-13 12:33:3760
Andrew Williams3e2bd572025-06-04 16:11:1061 // Clears the callback set by `StartObservingCertChanges()` and stops
62 // observing for changes to the policy-provided certificates.
63 void StopObservingCertChanges();
64
Andrew Williams236157f2025-01-07 15:19:5565 // Returns true if the service is currently observing changes to the
66 // policy-provided certificates.
67 bool IsObservingCertChanges() const {
68 return !!on_policy_provided_certs_changed_callback_;
69 }
70
Pavol Marko9d4296f02019-08-12 21:44:1371 // Returns true if the profile that owns this service has at least one
72 // policy-provided trust anchor configured.
73 bool has_policy_certificates() const {
74 return !profile_wide_trust_anchors_.empty();
Pavol Markof38cb212018-11-19 20:47:1075 }
[email protected]bcb94772013-12-19 14:28:5876
Pavol Marko67556732019-08-05 09:56:3977 // PolicyCertificateProvider::Observer:
78 void OnPolicyProvidedCertsChanged() override;
[email protected]24a9f1c92013-11-13 12:33:3779
Andreea Costinas5b6979c2023-03-02 08:19:5180 // PolicyCertificateProvider::OnDestroying:
81 void OnPolicyCertificateProviderDestroying() override;
82
Pavol Markodd1fbeb2019-09-05 16:50:0083 // Fills *|out_all_server_and_authority_certificates| and *|out_trust_anchors|
84 // with policy-provided certificates that should be used when verifying a
85 // server certificate for Web requests from the StoragePartition identified by
86 // |partition_path|.
Pavol Marko9d4296f02019-08-12 21:44:1387 void GetPolicyCertificatesForStoragePartition(
88 const base::FilePath& partition_path,
89 net::CertificateList* out_all_server_and_authority_certificates,
90 net::CertificateList* out_trust_anchors) const;
[email protected]24a9f1c92013-11-13 12:33:3791
Michael Ershovbbf6ea02021-10-20 09:38:2192 static std::unique_ptr<PolicyCertService> CreateForTesting(Profile* profile);
[email protected]bcb94772013-12-19 14:28:5893
Pavol Marko67556732019-08-05 09:56:3994 // Sets the profile-wide policy-provided trust anchors reported by this
95 // PolicyCertService. This is only callable for instances created through
96 // CreateForTesting.
97 void SetPolicyTrustAnchorsForTesting(
98 const net::CertificateList& trust_anchors);
99
[email protected]24a9f1c92013-11-13 12:33:37100 private:
Pavol Marko9d4296f02019-08-12 21:44:13101 // Constructor used by CreateForTesting.
Michael Ershovbbf6ea02021-10-20 09:38:21102 explicit PolicyCertService(Profile* profile);
[email protected]24a9f1c92013-11-13 12:33:37103
Pavol Marko9d4296f02019-08-12 21:44:13104 // Returns all allowed policy-provided certificates that have requested "Web"
105 // trust and have profile-wide scope. If |may_use_profile_wide_trust_anchors_|
106 // is false, always returns an empty list.
107 net::CertificateList GetAllowedProfileWideTrustAnchors();
John Abd-El-Malek21bca7c2018-10-26 22:13:33108
Keishi Hattori376784e2022-06-28 06:01:42109 const raw_ptr<Profile> profile_;
Pavol Marko9d4296f02019-08-12 21:44:13110
Andrew Williams236157f2025-01-07 15:19:55111 // Callback to be called when the policy-provided certificates change. Set via
112 // `StartObservingForProfile()`.
113 base::RepeatingClosure on_policy_provided_certs_changed_callback_;
114
Pavol Marko9d4296f02019-08-12 21:44:13115 // The source of certificates for this PolicyCertService.
Andreea Costinas5b6979c2023-03-02 08:19:51116 raw_ptr<ash::PolicyCertificateProvider> policy_certificate_provider_;
Pavol Marko9d4296f02019-08-12 21:44:13117
118 // If true, CA certificates |policy_certificate_provider_| that have requested
119 // "Web" trust and have profile-wide scope may be used for |profile_|.
120 const bool may_use_profile_wide_trust_anchors_;
121
Pavol Marko9d4296f02019-08-12 21:44:13122 // Caches all server and CA certificates that have profile-wide scope from
123 // |policy_certificate_provider_|.
124 net::CertificateList profile_wide_all_server_and_authority_certs_;
125 // Caches CA certificates that have requested "Web" trust and have
126 // profile-wide scope from |policy_certificate_provider_|.
127 net::CertificateList profile_wide_trust_anchors_;
[email protected]24a9f1c92013-11-13 12:33:37128
Pavol Marko75282ee12018-08-22 22:35:42129 // Holds all policy-provided server and authority certificates and makes them
130 // available to NSS as temp certificates. This is needed so they can be used
131 // as intermediates when NSS verifies a certificate.
Pavol Markof38cb212018-11-19 20:47:10132 std::unique_ptr<network::NSSTempCertsCacheChromeOS>
133 temp_policy_provided_certs_;
[email protected]24a9f1c92013-11-13 12:33:37134};
135
136} // namespace policy
137
Michael Ershova7b13be2022-01-13 11:30:40138#endif // CHROME_BROWSER_POLICY_NETWORKING_POLICY_CERT_SERVICE_H_