Avi Drissman | 4a8573c | 2022-09-09 19:35:54 | [diff] [blame] | 1 | // Copyright 2013 The Chromium Authors |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
Michael Ershov | a7b13be | 2022-01-13 11:30:40 | [diff] [blame] | 5 | #ifndef CHROME_BROWSER_POLICY_NETWORKING_POLICY_CERT_SERVICE_H_ |
| 6 | #define CHROME_BROWSER_POLICY_NETWORKING_POLICY_CERT_SERVICE_H_ |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 7 | |
dcheng | 24002d0 | 2016-04-08 02:42:40 | [diff] [blame] | 8 | #include <memory> |
[email protected] | bcb9477 | 2013-12-19 14:28:58 | [diff] [blame] | 9 | #include <string> |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 10 | #include <vector> |
| 11 | |
Andrew Williams | 236157f | 2025-01-07 15:19:55 | [diff] [blame] | 12 | #include "base/functional/callback.h" |
Keishi Hattori | 376784e | 2022-06-28 06:01:42 | [diff] [blame] | 13 | #include "base/memory/raw_ptr.h" |
Lei Zhang | 25439e7 | 2025-04-23 17:19:54 | [diff] [blame] | 14 | #include "base/memory/scoped_refptr.h" |
Yeunjoo Choi | 34a3ba6 | 2022-07-18 02:05:13 | [diff] [blame] | 15 | #include "chromeos/ash/components/network/policy_certificate_provider.h" |
[email protected] | 12b7af3 | 2014-03-13 05:28:20 | [diff] [blame] | 16 | #include "components/keyed_service/core/keyed_service.h" |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 17 | |
John Abd-El-Malek | 21bca7c | 2018-10-26 22:13:33 | [diff] [blame] | 18 | class Profile; |
| 19 | |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 20 | namespace base { |
| 21 | class FilePath; |
| 22 | } |
| 23 | |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 24 | namespace net { |
| 25 | class X509Certificate; |
phweiss | 467b1ac | 2021-06-04 10:58:32 | [diff] [blame] | 26 | typedef std::vector<scoped_refptr<X509Certificate>> CertificateList; |
| 27 | } // namespace net |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 28 | |
John Abd-El-Malek | 21bca7c | 2018-10-26 22:13:33 | [diff] [blame] | 29 | namespace network { |
Pavol Marko | f38cb21 | 2018-11-19 20:47:10 | [diff] [blame] | 30 | class NSSTempCertsCacheChromeOS; |
John Abd-El-Malek | 21bca7c | 2018-10-26 22:13:33 | [diff] [blame] | 31 | } |
| 32 | |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 33 | namespace policy { |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 34 | |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 35 | // This service is responsible for pushing the current list of policy-provided |
| 36 | // certificates to ProfileNetworkContextService. |
| 37 | // This service / its factory keep track of which Profile has used a |
| 38 | // policy-provided trust anchor. |
Pavol Marko | b429f54 | 2018-08-23 06:08:19 | [diff] [blame] | 39 | class PolicyCertService : public KeyedService, |
Yeunjoo Choi | 427ff7a6 | 2022-08-09 06:11:08 | [diff] [blame] | 40 | public ash::PolicyCertificateProvider::Observer { |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 41 | public: |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 42 | // Constructs a PolicyCertService for |profile| using |
| 43 | // |policy_certificate_provider| as the source of certificates. |
| 44 | // If |may_use_profile_wide_trust_anchors| is true, certificates from |
| 45 | // |policy_certificate_provider| that have requested "Web" trust and have |
| 46 | // profile-wide scope will be used for |profile|. |
Yeunjoo Choi | 427ff7a6 | 2022-08-09 06:11:08 | [diff] [blame] | 47 | PolicyCertService(Profile* profile, |
| 48 | ash::PolicyCertificateProvider* policy_certificate_provider, |
| 49 | bool may_use_profile_wide_trust_anchors); |
Peter Boström | 53c6c595 | 2021-09-17 09:41:26 | [diff] [blame] | 50 | |
| 51 | PolicyCertService(const PolicyCertService&) = delete; |
| 52 | PolicyCertService& operator=(const PolicyCertService&) = delete; |
| 53 | |
dcheng | 9a7fea8 | 2015-01-16 11:38:57 | [diff] [blame] | 54 | ~PolicyCertService() override; |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 55 | |
Andrew Williams | 236157f | 2025-01-07 15:19:55 | [diff] [blame] | 56 | // Starts observing for changes to the policy-provided certificates and sets |
| 57 | // a callback to be called when this happens. This should only be called if |
| 58 | // the network service is enabled. |
| 59 | void StartObservingCertChanges(base::RepeatingClosure callback); |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 60 | |
Andrew Williams | 3e2bd57 | 2025-06-04 16:11:10 | [diff] [blame] | 61 | // Clears the callback set by `StartObservingCertChanges()` and stops |
| 62 | // observing for changes to the policy-provided certificates. |
| 63 | void StopObservingCertChanges(); |
| 64 | |
Andrew Williams | 236157f | 2025-01-07 15:19:55 | [diff] [blame] | 65 | // Returns true if the service is currently observing changes to the |
| 66 | // policy-provided certificates. |
| 67 | bool IsObservingCertChanges() const { |
| 68 | return !!on_policy_provided_certs_changed_callback_; |
| 69 | } |
| 70 | |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 71 | // Returns true if the profile that owns this service has at least one |
| 72 | // policy-provided trust anchor configured. |
| 73 | bool has_policy_certificates() const { |
| 74 | return !profile_wide_trust_anchors_.empty(); |
Pavol Marko | f38cb21 | 2018-11-19 20:47:10 | [diff] [blame] | 75 | } |
[email protected] | bcb9477 | 2013-12-19 14:28:58 | [diff] [blame] | 76 | |
Pavol Marko | 6755673 | 2019-08-05 09:56:39 | [diff] [blame] | 77 | // PolicyCertificateProvider::Observer: |
| 78 | void OnPolicyProvidedCertsChanged() override; |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 79 | |
Andreea Costinas | 5b6979c | 2023-03-02 08:19:51 | [diff] [blame] | 80 | // PolicyCertificateProvider::OnDestroying: |
| 81 | void OnPolicyCertificateProviderDestroying() override; |
| 82 | |
Pavol Marko | dd1fbeb | 2019-09-05 16:50:00 | [diff] [blame] | 83 | // Fills *|out_all_server_and_authority_certificates| and *|out_trust_anchors| |
| 84 | // with policy-provided certificates that should be used when verifying a |
| 85 | // server certificate for Web requests from the StoragePartition identified by |
| 86 | // |partition_path|. |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 87 | void GetPolicyCertificatesForStoragePartition( |
| 88 | const base::FilePath& partition_path, |
| 89 | net::CertificateList* out_all_server_and_authority_certificates, |
| 90 | net::CertificateList* out_trust_anchors) const; |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 91 | |
Michael Ershov | bbf6ea0 | 2021-10-20 09:38:21 | [diff] [blame] | 92 | static std::unique_ptr<PolicyCertService> CreateForTesting(Profile* profile); |
[email protected] | bcb9477 | 2013-12-19 14:28:58 | [diff] [blame] | 93 | |
Pavol Marko | 6755673 | 2019-08-05 09:56:39 | [diff] [blame] | 94 | // Sets the profile-wide policy-provided trust anchors reported by this |
| 95 | // PolicyCertService. This is only callable for instances created through |
| 96 | // CreateForTesting. |
| 97 | void SetPolicyTrustAnchorsForTesting( |
| 98 | const net::CertificateList& trust_anchors); |
| 99 | |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 100 | private: |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 101 | // Constructor used by CreateForTesting. |
Michael Ershov | bbf6ea0 | 2021-10-20 09:38:21 | [diff] [blame] | 102 | explicit PolicyCertService(Profile* profile); |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 103 | |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 104 | // Returns all allowed policy-provided certificates that have requested "Web" |
| 105 | // trust and have profile-wide scope. If |may_use_profile_wide_trust_anchors_| |
| 106 | // is false, always returns an empty list. |
| 107 | net::CertificateList GetAllowedProfileWideTrustAnchors(); |
John Abd-El-Malek | 21bca7c | 2018-10-26 22:13:33 | [diff] [blame] | 108 | |
Keishi Hattori | 376784e | 2022-06-28 06:01:42 | [diff] [blame] | 109 | const raw_ptr<Profile> profile_; |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 110 | |
Andrew Williams | 236157f | 2025-01-07 15:19:55 | [diff] [blame] | 111 | // Callback to be called when the policy-provided certificates change. Set via |
| 112 | // `StartObservingForProfile()`. |
| 113 | base::RepeatingClosure on_policy_provided_certs_changed_callback_; |
| 114 | |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 115 | // The source of certificates for this PolicyCertService. |
Andreea Costinas | 5b6979c | 2023-03-02 08:19:51 | [diff] [blame] | 116 | raw_ptr<ash::PolicyCertificateProvider> policy_certificate_provider_; |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 117 | |
| 118 | // If true, CA certificates |policy_certificate_provider_| that have requested |
| 119 | // "Web" trust and have profile-wide scope may be used for |profile_|. |
| 120 | const bool may_use_profile_wide_trust_anchors_; |
| 121 | |
Pavol Marko | 9d4296f0 | 2019-08-12 21:44:13 | [diff] [blame] | 122 | // Caches all server and CA certificates that have profile-wide scope from |
| 123 | // |policy_certificate_provider_|. |
| 124 | net::CertificateList profile_wide_all_server_and_authority_certs_; |
| 125 | // Caches CA certificates that have requested "Web" trust and have |
| 126 | // profile-wide scope from |policy_certificate_provider_|. |
| 127 | net::CertificateList profile_wide_trust_anchors_; |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 128 | |
Pavol Marko | 75282ee1 | 2018-08-22 22:35:42 | [diff] [blame] | 129 | // Holds all policy-provided server and authority certificates and makes them |
| 130 | // available to NSS as temp certificates. This is needed so they can be used |
| 131 | // as intermediates when NSS verifies a certificate. |
Pavol Marko | f38cb21 | 2018-11-19 20:47:10 | [diff] [blame] | 132 | std::unique_ptr<network::NSSTempCertsCacheChromeOS> |
| 133 | temp_policy_provided_certs_; |
[email protected] | 24a9f1c9 | 2013-11-13 12:33:37 | [diff] [blame] | 134 | }; |
| 135 | |
| 136 | } // namespace policy |
| 137 | |
Michael Ershov | a7b13be | 2022-01-13 11:30:40 | [diff] [blame] | 138 | #endif // CHROME_BROWSER_POLICY_NETWORKING_POLICY_CERT_SERVICE_H_ |