Merge 250624 "Implement client certificate support via SmartCard."

> Implement client certificate support via SmartCard.
> 
> Updates SSLClientCertificateRequest such that certificate can retrieved
> from Android store or external PKCS11 KeyStore
> 
> NOTRY=true
> COLLABORATOR=ppi@chromium.org
> BUG=341500
> 
> Review URL: https://codereview.chromium.org/147573005

TBR=yfriedman@chromium.org

Review URL: https://codereview.chromium.org/159933007

git-svn-id: svn://svn.chromium.org/chrome/branches/1750_77/src@250626 0039d316-1c4b-4281-b951-d872f2087c98

7 files changed, 398 insertions, 86 deletions

diff --git a/chrome/android/java/src/org/chromium/chrome/browser/ChromiumApplication.java b/chrome/android/java/src/org/chromium/chrome/browser/ChromiumApplication.java
index d8a594b..c586f2c 100644
--- a/chrome/android/java/src/org/chromium/chrome/browser/ChromiumApplication.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/ChromiumApplication.java
@@ -30,4 +30,8 @@ public abstract class ChromiumApplication extends ContentApplication {
      */
     @CalledByNative
     protected abstract boolean areParentalControlsEnabled();
+
+    // TODO(yfriedman): This is too widely available. Plumb this through ChromeNetworkDelegate
+    // instead.
+    protected abstract PKCS11AuthenticationManager getPKCS11AuthenticationManager();
 }
diff --git a/chrome/android/java/src/org/chromium/chrome/browser/KeyStoreSelectionDialog.java b/chrome/android/java/src/org/chromium/chrome/browser/KeyStoreSelectionDialog.java
new file mode 100644
index 0000000..63820e9
--- /dev/null
+++ b/chrome/android/java/src/org/chromium/chrome/browser/KeyStoreSelectionDialog.java
@@ -0,0 +1,86 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package org.chromium.chrome.browser;
+
+import android.app.AlertDialog;
+import android.app.Dialog;
+import android.app.DialogFragment;
+import android.content.DialogInterface;
+import android.os.Bundle;
+
+import org.chromium.chrome.R;
+
+/**
+ * Client certificate KeyStore selection dialog. When smart card (CAC) support is enabled, this
+ * dialog allows choosing between (the default) system certificate store and the smart card for
+ * client authentication.
+ */
+class KeyStoreSelectionDialog extends DialogFragment {
+    private static final CharSequence SYSTEM_STORE = "Android";
+
+    private final Runnable mSystemCallback;
+    private final Runnable mSmartCardCallback;
+    private final Runnable mCancelCallback;
+
+    private Runnable mSelectedChoice;
+
+    /**
+     * Constructor for KeyStore selection dialog.
+     *
+     * @param systemCallback Runnable that's invoked when the user selects to use the Android
+     *     system store for authentication
+     * @param smartCardCallback Runnable that's invoked when the user selects to use the SmartCard
+     *     store for authentication
+     * @param cancelCallback Runnable that's invoked when the user cancels or closes the dialog.
+     */
+    public KeyStoreSelectionDialog(Runnable systemCallback, Runnable smartCardCallback,
+            Runnable cancelCallback) {
+        mSystemCallback = systemCallback;
+        mSmartCardCallback = smartCardCallback;
+        mCancelCallback = cancelCallback;
+
+        // Default to SmartCard
+        mSelectedChoice = mSmartCardCallback;
+    }
+
+    @Override
+    public Dialog onCreateDialog(Bundle savedInstanceState) {
+        final CharSequence[] choices = {
+            getString(R.string.smartcard_certificate_option),
+            SYSTEM_STORE
+        };
+        AlertDialog.Builder builder = new AlertDialog.Builder(getActivity())
+                .setTitle(R.string.smartcard_dialog_title)
+                .setSingleChoiceItems(choices, 0, new DialogInterface.OnClickListener() {
+                    @Override
+                    public void onClick(DialogInterface dialog, int id) {
+                        if (choices[id] == SYSTEM_STORE) {
+                            mSelectedChoice = mSystemCallback;
+                        } else {
+                            mSelectedChoice = mSmartCardCallback;
+                        }
+                    }
+                })
+                .setPositiveButton(android.R.string.ok, new DialogInterface.OnClickListener() {
+                    @Override
+                    public void onClick(DialogInterface dialog, int id) {
+                        mSelectedChoice.run();
+                    }
+                })
+                .setNegativeButton(R.string.cancel, new DialogInterface.OnClickListener() {
+                    @Override
+                    public void onClick(DialogInterface dialog, int id) {
+                        mCancelCallback.run();
+                    }
+                });
+
+        return builder.create();
+    }
+
+    @Override
+    public void onDismiss(DialogInterface dialog) {
+        super.onDismiss(dialog);
+    }
+}
diff --git a/chrome/android/java/src/org/chromium/chrome/browser/PKCS11AuthenticationManager.java b/chrome/android/java/src/org/chromium/chrome/browser/PKCS11AuthenticationManager.java
new file mode 100644
index 0000000..e3fd436
--- /dev/null
+++ b/chrome/android/java/src/org/chromium/chrome/browser/PKCS11AuthenticationManager.java
@@ -0,0 +1,46 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package org.chromium.chrome.browser;
+
+import android.content.Context;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+/**
+ * Defines API for managing interaction with SmartCard-based certificate storage using PKCS11.
+ */
+public interface PKCS11AuthenticationManager {
+
+    /**
+     * @return true iff SmartCard-based authentication is available.
+     */
+    public boolean isPKCS11AuthEnabled();
+
+    /**
+     * Retrieves the preferred client certificate alias for the given host, port pair, or null if
+     * none can be retrieved.
+     *
+     * @param hostName The host for which to retrieve client certificate.
+     * @param port The port to use in conjunction with host to retrieve client certificate.
+     */
+    public String getClientCertificateAlias(String hostName, int port);
+
+    /**
+     * Returns the X509Certificate chain for the requested alias, or null if no there is no result.
+     */
+    public X509Certificate[] getCertificateChain(String alias);
+
+    /**
+     * Returns the PrivateKey for the requested alias, or null if no there is no result.
+     */
+    public PrivateKey getPrivateKey(String alias);
+
+    /**
+     * Performs necessary initializing for using a PKCS11-based KeysStore. Note that this can
+     * perform expensive operations and cannot be done on the UI thread.
+     */
+    public void initialize(Context context);
+}
diff --git a/chrome/android/java/src/org/chromium/chrome/browser/SSLClientCertificateRequest.java b/chrome/android/java/src/org/chromium/chrome/browser/SSLClientCertificateRequest.java
index c22e7dc..31c41fd 100644
--- a/chrome/android/java/src/org/chromium/chrome/browser/SSLClientCertificateRequest.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/SSLClientCertificateRequest.java
@@ -24,101 +24,187 @@ import java.security.cert.X509Certificate;
 
 import javax.security.auth.x500.X500Principal;
 
+/**
+ * Handles selection of client certificate on the Java side. This class is responsible for selection
+ * of the client certificate to be used for authentication and retrieval of the private key and full
+ * certificate chain.
+ *
+ * The entry point is selectClientCertificate() and it will be called on the UI thread. Then the
+ * class will construct and run an appropriate CertAsyncTask, that will run in background, and
+ * finally pass the results back to the UI thread, which will return to the native code.
+ */
 @JNINamespace("chrome::android")
-class SSLClientCertificateRequest extends AsyncTask<Void, Void, Void>
-        implements KeyChainAliasCallback {
-
+class SSLClientCertificateRequest {
     static final String TAG = "SSLClientCertificateRequest";
 
-    // ClientCertRequest models an asynchronous client certificate request on the Java side. Use
-    // selectClientCertificate() on the UI thread to start/create a new request, this will launch a
-    // system activity through KeyChain.choosePrivateKeyAlias() to let the user select a client
-    // certificate.
-    //
-    // The selected certificate will be sent back as a string alias, which is used to call
-    // KeyChain.getCertificateChain() and KeyChain.getPrivateKey(). Unfortunately, these APIs are
-    // blocking, thus can't be called from the UI thread.
-    //
-    // To solve this, start an AsyncTask when the alias is received. It will retrieve the
-    // certificate chain and private key in the background, then later send the result back to the
-    // UI thread.
-    //
-    private final int mNativePtr;
-    private String mAlias;
-    private byte[][] mEncodedChain;
-    private PrivateKey mPrivateKey;
-
-    private SSLClientCertificateRequest(int nativePtr) {
-        mNativePtr = nativePtr;
-        mAlias = null;
-        mEncodedChain = null;
-        mPrivateKey = null;
-    }
+    /**
+     * Common implementation for anynchronous task of handling the certificate request. This
+     * AsyncTask uses the abstract methods to retrieve the authentication material from a
+     * generalized key store. The key store is accessed in background, as the APIs being exercised
+     * may be blocking. The results are posted back to native on the UI thread.
+     */
+    abstract static class CertAsyncTask extends AsyncTask<Void, Void, Void> {
+        // These fields will store the results computed in doInBackground so that they can be posted
+        // back in onPostExecute.
+        private byte[][] mEncodedChain;
+        private PrivateKey mPrivateKey;
 
-    // KeyChainAliasCallback implementation
-    @Override
-    public void alias(final String alias) {
-        // This is called by KeyChainActivity in a background thread. Post task to handle the
-        // certificate selection on the UI thread.
-        ThreadUtils.runOnUiThread(new Runnable() {
-            @Override
-            public void run() {
-                if (alias == null) {
-                    // No certificate was selected.
-                    onPostExecute(null);
-                } else {
-                    mAlias = alias;
-                    // Launch background thread.
-                    execute();
+        // Pointer to the native certificate request needed to return the results.
+        private final int mNativePtr;
+
+        CertAsyncTask(int nativePtr) {
+            mNativePtr = nativePtr;
+        }
+
+        // These overriden methods will be used to access the key store.
+        abstract String getAlias();
+        abstract PrivateKey getPrivateKey(String alias);
+        abstract X509Certificate[] getCertificateChain(String alias);
+
+        @Override
+        protected Void doInBackground(Void... params) {
+            String alias = getAlias();
+            if (alias == null) return null;
+
+            PrivateKey key = getPrivateKey(alias);
+            X509Certificate[] chain = getCertificateChain(alias);
+            if (key == null || chain == null || chain.length == 0) {
+                Log.w(TAG, "Empty client certificate chain?");
+                return null;
+            }
+
+            // Encode the certificate chain.
+            byte[][] encodedChain = new byte[chain.length][];
+            try {
+                for (int i = 0; i < chain.length; ++i) {
+                    encodedChain[i] = chain[i].getEncoded();
                 }
+            } catch (CertificateEncodingException e) {
+                Log.w(TAG, "Could not retrieve encoded certificate chain: " + e);
+                return null;
             }
-        });
-    }
 
-    @Override
-    protected Void doInBackground(Void... params) {
-        // Executed in a background thread, can call blocking APIs.
-        X509Certificate[] chain = null;
-        PrivateKey key = null;
-        Context context = ActivityStatus.getActivity().getApplicationContext();
-        try {
-            key = KeyChain.getPrivateKey(context, mAlias);
-            chain = KeyChain.getCertificateChain(context, mAlias);
-        } catch (KeyChainException e) {
-            Log.w(TAG, "KeyChainException when looking for '" + mAlias + "' certificate");
-            return null;
-        } catch (InterruptedException e) {
-            Log.w(TAG, "InterruptedException when looking for '" + mAlias + "'certificate");
+            mEncodedChain = encodedChain;
+            mPrivateKey = key;
             return null;
         }
 
-        if (key == null || chain == null || chain.length == 0) {
-            Log.w(TAG, "Empty client certificate chain?");
-            return null;
+        @Override
+        protected void onPostExecute(Void result) {
+            ThreadUtils.assertOnUiThread();
+            nativeOnSystemRequestCompletion(mNativePtr, mEncodedChain, mPrivateKey);
+        }
+    }
+
+    /** Implementation of CertAsyncTask for the system KeyChain API. */
+    private static class CertAsyncTaskKeyChain extends CertAsyncTask {
+        final Context mContext;
+        final String mAlias;
+
+        CertAsyncTaskKeyChain(Context context, int nativePtr, String alias) {
+            super(nativePtr);
+            mContext = context;
+            assert alias != null;
+            mAlias = alias;
         }
 
-        // Get the encoded certificate chain.
-        byte[][] encodedChain = new byte[chain.length][];
-        try {
-            for (int i = 0; i < chain.length; ++i) {
-                encodedChain[i] = chain[i].getEncoded();
+        @Override
+        String getAlias() {
+            return mAlias;
+        }
+
+        @Override
+        PrivateKey getPrivateKey(String alias) {
+            try {
+                return KeyChain.getPrivateKey(mContext, alias);
+            } catch (KeyChainException e) {
+                Log.w(TAG, "KeyChainException when looking for '" + alias + "' certificate");
+                return null;
+            } catch (InterruptedException e) {
+                Log.w(TAG, "InterruptedException when looking for '" + alias + "'certificate");
+                return null;
             }
-        } catch (CertificateEncodingException e) {
-            Log.w(TAG, "Could not retrieve encoded certificate chain: " + e);
-            return null;
         }
 
-        mEncodedChain = encodedChain;
-        mPrivateKey = key;
-        return null;
+        @Override
+        X509Certificate[] getCertificateChain(String alias) {
+            try {
+                return KeyChain.getCertificateChain(mContext, alias);
+            } catch (KeyChainException e) {
+                Log.w(TAG, "KeyChainException when looking for '" + alias + "' certificate");
+                return null;
+            } catch (InterruptedException e) {
+                Log.w(TAG, "InterruptedException when looking for '" + alias + "'certificate");
+                return null;
+            }
+        }
     }
 
-    @Override
-    protected void onPostExecute(Void result) {
-        // Back to the UI thread.
-        nativeOnSystemRequestCompletion(mNativePtr, mEncodedChain, mPrivateKey);
+    /** Implementation of CertAsyncTask for use with a PKCS11-backed KeyStore. */
+    private static class CertAsyncTaskPKCS11 extends CertAsyncTask {
+        private final PKCS11AuthenticationManager mPKCS11AuthManager;
+        private final String mHostName;
+        private final int mPort;
+
+        CertAsyncTaskPKCS11(int nativePtr, String hostName, int port,
+                PKCS11AuthenticationManager pkcs11CardAuthManager) {
+            super(nativePtr);
+            mHostName = hostName;
+            mPort = port;
+            mPKCS11AuthManager = pkcs11CardAuthManager;
+        }
+
+        @Override
+        String getAlias() {
+            return mPKCS11AuthManager.getClientCertificateAlias(mHostName, mPort);
+        }
+
+        @Override
+        PrivateKey getPrivateKey(String alias) {
+            return mPKCS11AuthManager.getPrivateKey(alias);
+        }
+
+        @Override
+        X509Certificate[] getCertificateChain(String alias) {
+            return mPKCS11AuthManager.getCertificateChain(alias);
+        }
     }
 
+    /**
+     * The system KeyChain API will call us back on the alias() method, passing the alias of the
+     * certificate selected by the user.
+     */
+    private static class KeyChainCertSelectionCallback implements KeyChainAliasCallback {
+        private final int mNativePtr;
+        private final Context mContext;
+
+        KeyChainCertSelectionCallback(Context context, int nativePtr) {
+            mContext = context;
+            mNativePtr = nativePtr;
+        }
+
+        @Override
+        public void alias(final String alias) {
+            // This is called by KeyChainActivity in a background thread. Post task to
+            // handle the certificate selection on the UI thread.
+            ThreadUtils.runOnUiThread(new Runnable() {
+                @Override
+                public void run() {
+                    if (alias == null) {
+                        // No certificate was selected.
+                        ThreadUtils.runOnUiThread(new Runnable() {
+                            @Override
+                            public void run() {
+                                nativeOnSystemRequestCompletion(mNativePtr, null, null);
+                            }
+                        });
+                    } else {
+                        new CertAsyncTaskKeyChain(mContext, mNativePtr, alias).execute();
+                    }
+                }
+            });
+        }
+    }
 
     /**
      * Create a new asynchronous request to select a client certificate.
@@ -132,11 +218,10 @@ class SSLClientCertificateRequest extends AsyncTask<Void, Void, Void>
      * Note that nativeOnSystemRequestComplete will be called iff this method returns true.
      */
     @CalledByNative
-    private static boolean selectClientCertificate(int nativePtr, String[] keyTypes,
-            byte[][] encodedPrincipals, String hostName, int port) {
+    private static boolean selectClientCertificate(final int nativePtr, final String[] keyTypes,
+            byte[][] encodedPrincipals, final String hostName, final int port) {
         ThreadUtils.assertOnUiThread();
-
-        Activity activity = ActivityStatus.getActivity();
+        final Activity activity = ActivityStatus.getActivity();
         if (activity == null) {
             Log.w(TAG, "No active Chromium main activity!?");
             return false;
@@ -151,18 +236,55 @@ class SSLClientCertificateRequest extends AsyncTask<Void, Void, Void>
                     principals[n] = new X500Principal(encodedPrincipals[n]);
                 }
             } catch (Exception e) {
-                // Bail on error.
                 Log.w(TAG, "Exception while decoding issuers list: " + e);
                 return false;
             }
         }
 
-        // All good, create new request, add it to our list and launch the certificate selection
-        // activity.
-        SSLClientCertificateRequest request = new SSLClientCertificateRequest(nativePtr);
+        final Principal[] principalsForCallback = principals;
+        // Certificate for client authentication can be obtained either from the system store of
+        // from a smart card (if available).
+        Runnable useSystemStore = new Runnable() {
+            @Override
+            public void run() {
+                KeyChainCertSelectionCallback callback =
+                        new KeyChainCertSelectionCallback(activity.getApplicationContext(),
+                            nativePtr);
+                KeyChain.choosePrivateKeyAlias(activity, callback, keyTypes, principalsForCallback,
+                    hostName, port, null);
+            }
+        };
+
+        final Context appContext = activity.getApplicationContext();
+        final PKCS11AuthenticationManager smartCardAuthManager =
+            ((ChromiumApplication) appContext).getPKCS11AuthenticationManager();
+        if (smartCardAuthManager.isPKCS11AuthEnabled()) {
+            // Smart card support is available, prompt the user whether to use it or Android system
+            // store.
+            Runnable useSmartCard = new Runnable() {
+                @Override
+                public void run() {
+                    new CertAsyncTaskPKCS11(nativePtr, hostName, port,
+                            smartCardAuthManager).execute();
+                }
+            };
+            Runnable cancelRunnable = new Runnable() {
+                @Override
+                public void run() {
+                    // We took ownership of the request, need to delete it.
+                    nativeOnSystemRequestCompletion(nativePtr, null, null);
+                }
+            };
+
+            KeyStoreSelectionDialog selectionDialog = new KeyStoreSelectionDialog(
+                    useSystemStore, useSmartCard, cancelRunnable);
+            selectionDialog.show(activity.getFragmentManager(), null);
+        } else {
+            // Smart card support is not available, use the system store unconditionally.
+            useSystemStore.run();
+        }
 
-        KeyChain.choosePrivateKeyAlias(
-                activity, request, keyTypes, principals, hostName, port, null);
+        // We've taken ownership of the native ssl request object.
         return true;
     }
 
diff --git a/chrome/android/testshell/java/src/org/chromium/chrome/testshell/ChromiumTestShellApplication.java b/chrome/android/testshell/java/src/org/chromium/chrome/testshell/ChromiumTestShellApplication.java
index d7c43d1..5fcdba7 100644
--- a/chrome/android/testshell/java/src/org/chromium/chrome/testshell/ChromiumTestShellApplication.java
+++ b/chrome/android/testshell/java/src/org/chromium/chrome/testshell/ChromiumTestShellApplication.java
@@ -9,6 +9,7 @@ import android.content.Intent;
 import org.chromium.base.CommandLine;
 import org.chromium.base.PathUtils;
 import org.chromium.chrome.browser.ChromiumApplication;
+import org.chromium.chrome.browser.PKCS11AuthenticationManager;
 import org.chromium.chrome.browser.UmaUtils;
 import org.chromium.chrome.browser.invalidation.UniqueIdInvalidationClientNameGenerator;
 import org.chromium.content.browser.ResourceExtractor;
@@ -87,4 +88,9 @@ public class ChromiumTestShellApplication extends ChromiumApplication {
     protected boolean areParentalControlsEnabled() {
         return false;
     }
+
+    @Override
+    protected PKCS11AuthenticationManager getPKCS11AuthenticationManager() {
+        return new TestShellPKCS11AuthenticationManager();
+    }
 }
diff --git a/chrome/android/testshell/java/src/org/chromium/chrome/testshell/TestShellPKCS11AuthenticationManager.java b/chrome/android/testshell/java/src/org/chromium/chrome/testshell/TestShellPKCS11AuthenticationManager.java
new file mode 100644
index 0000000..691e650
--- /dev/null
+++ b/chrome/android/testshell/java/src/org/chromium/chrome/testshell/TestShellPKCS11AuthenticationManager.java
@@ -0,0 +1,42 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package org.chromium.chrome.testshell;
+
+import android.content.Context;
+
+import org.chromium.chrome.browser.PKCS11AuthenticationManager;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+/**
+ * Chromium TestShell stub implementation of PKCS11AuthenticationManager.
+ */
+public class TestShellPKCS11AuthenticationManager implements PKCS11AuthenticationManager {
+    @Override
+    public boolean isPKCS11AuthEnabled() {
+        return false;
+    }
+
+    @Override
+    public String getClientCertificateAlias(String hostName, int port) {
+        return null;
+    }
+
+    @Override
+    public void initialize(Context context) {
+    }
+
+
+    @Override
+    public X509Certificate[] getCertificateChain(String alias) {
+        return null;
+    }
+
+    @Override
+    public PrivateKey getPrivateKey(String alias) {
+        return null;
+    }
+}
diff --git a/chrome/test/android/unit_tests_apk/src/org/chromium/chrome/unit_tests_apk/ChromeNativeTestApplication.java b/chrome/test/android/unit_tests_apk/src/org/chromium/chrome/unit_tests_apk/ChromeNativeTestApplication.java
index 3d87b70..232428e 100644
--- a/chrome/test/android/unit_tests_apk/src/org/chromium/chrome/unit_tests_apk/ChromeNativeTestApplication.java
+++ b/chrome/test/android/unit_tests_apk/src/org/chromium/chrome/unit_tests_apk/ChromeNativeTestApplication.java
@@ -5,6 +5,7 @@
 package org.chromium.chrome.unit_tests_apk;
 
 import org.chromium.chrome.browser.ChromiumApplication;
+import org.chromium.chrome.browser.PKCS11AuthenticationManager;
 
 /**
  * A stub implementation of the chrome application to be used in chrome unit_tests.
@@ -27,4 +28,9 @@ public class ChromeNativeTestApplication extends ChromiumApplication {
     protected boolean areParentalControlsEnabled() {
         return false;
     }
+
+    @Override
+    protected PKCS11AuthenticationManager getPKCS11AuthenticationManager() {
+        return null;
+    }
 }