authordigit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-12-11 18:22:58 +0000
committerdigit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-12-11 18:22:58 +0000
commit3b45550dbaca21fc86d6fa79f1e061d6e8090f85 (patch)
tree0b0a4ca0a8526ecdb04f288158f88e7e9744de60 /content
parent0f613db3a659bba8cc7b4b9f1df228cc9fb2fdea (diff)
Fix certificate and keychain installation on Android.
This patch is necessary to allow Chrome on Android to properly install CA certificates and PKCS#12 keychains. This feature is not supported on other platforms, but is necessary on mobile. It does modify the content client API to deal with the new file types, i.e. the AddNewCertificate() method is renamed AddCryptoFile(), and its signature changed to receive the file data directly (along with a file type enum). It is now the responsibility of the browser / content embedder to perform certificate verification. More specifically: - Modify net/base/mime_util.h to provide two new functions: * IsSupportedCertificateMimeType(), which returns true iff a mime type corresponds to a supported crypto file (only "application/x-x509-user-cert" is supported, except on Android, which adds ".../x-x509-ca-cert" and ".../x-pkcs12"). * GetCertificateMimeTypeForMimeType() which translates a mime type string into an enum value that is also understood from Java (see below), describing the type of file. Note that "net/base/mime_util_certificate_list.h" is used to hold the list of certificate mime type constants, both for C++ and Java (i.e. it is used to auto-generate org.chromium.net.CertificateMimeType.java at build time, under out/$BUILDTYPE/gen/template/). - Rename X509UserCertResourceHandler to CertificateResourceHandler under content/browser/loader/ in order to deal with all certificate mime types. Modify buffered_resource_handler.cc appropriately. - Add net::android::StoreCertificate(), and the Java org.chromium.net.AndroidNetworkLibrary.storeCertificate() method to send the certificate data for installation through the system's CertInstaller activity. - Add chrome::SSLAddCertificate() to implement the platform-specific code that used to be in content::ContentBrowserClient::AddNewCertificate(). 
- Rename content::ContentBrowserClient::AddNewCertificate() to ::AddCertificate(), and change its signature to accept resource file bytes directly and a net::CertificateMimeType (was an X509Certificate pointer). This change shall not modify the behaviour of Chromium on other platforms. BUG=149306 TEST=Manual test with ChromiumTestShell, see internal b/6668254 for details. Review URL: https://chromiumcodereview.appspot.com/11266008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@172350 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r--content/browser/loader/buffered_resource_handler.cc12
-rw-r--r--content/browser/loader/certificate_resource_handler.cc (renamed from content/browser/loader/x509_user_cert_resource_handler.cc)75
-rw-r--r--content/browser/loader/certificate_resource_handler.h (renamed from content/browser/loader/x509_user_cert_resource_handler.h)32
-rw-r--r--content/content_browser.gypi4
-rw-r--r--content/public/browser/content_browser_client.h15
5 files changed, 74 insertions, 64 deletions
diff --git a/content/browser/loader/buffered_resource_handler.cc b/content/browser/loader/buffered_resource_handler.cc
index d588601..47d00df 100644
--- a/content/browser/loader/buffered_resource_handler.cc
+++ b/content/browser/loader/buffered_resource_handler.cc
@@ -12,9 +12,9 @@
#include "base/string_util.h"
#include "content/browser/download/download_resource_handler.h"
#include "content/browser/download/download_stats.h"
+#include "content/browser/loader/certificate_resource_handler.h"
#include "content/browser/loader/resource_dispatcher_host_impl.h"
#include "content/browser/loader/resource_request_info_impl.h"
-#include "content/browser/loader/x509_user_cert_resource_handler.h"
#include "content/browser/plugin_service_impl.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/content_browser_client.h"
@@ -303,12 +303,12 @@ bool BufferedResourceHandler::SelectNextHandler(bool* defer) {
ResourceRequestInfoImpl* info = ResourceRequestInfoImpl::ForRequest(request_);
const std::string& mime_type = response_->head.mime_type;
- if (mime_type == "application/x-x509-user-cert") {
- // Install X509 handler.
+ if (net::IsSupportedCertificateMimeType(mime_type)) {
+ // Install certificate file.
scoped_ptr<ResourceHandler> handler(
- new X509UserCertResourceHandler(request_,
- info->GetChildID(),
- info->GetRouteID()));
+ new CertificateResourceHandler(request_,
+ info->GetChildID(),
+ info->GetRouteID()));
return UseAlternateNextHandler(handler.Pass());
}
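Review bot: The widened check in `SelectNextHandler` now diverts CA-certificate and PKCS#12 responses (on Android, per the commit description) into the install path purely on the server-declared `mime_type`, and nothing visible in this hunk limits that to a main-frame, user-initiated navigation. If a resource-type check exists earlier in the function it is outside the hunk; if not, consider gating on the request's resource type so that a subresource response cannot start the installation flow. The new comment `// Install certificate file.` is also inaccurate, since the branch only installs a handler; `// Hand certificate-type responses to CertificateResourceHandler.` reads closer to the code.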
diff --git a/content/browser/loader/x509_user_cert_resource_handler.cc b/content/browser/loader/certificate_resource_handler.cc
index 0d37eba..70a38e2 100644
--- a/content/browser/loader/x509_user_cert_resource_handler.cc
+++ b/content/browser/loader/certificate_resource_handler.cc
@@ -2,7 +2,7 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#include "content/browser/loader/x509_user_cert_resource_handler.h"
+#include "content/browser/loader/certificate_resource_handler.h"
#include "base/string_util.h"
#include "content/browser/loader/resource_request_info_impl.h"
@@ -11,14 +11,13 @@
#include "net/base/io_buffer.h"
#include "net/base/mime_sniffer.h"
#include "net/base/mime_util.h"
-#include "net/base/x509_certificate.h"
#include "net/http/http_response_headers.h"
#include "net/url_request/url_request.h"
#include "net/url_request/url_request_status.h"
namespace content {
-X509UserCertResourceHandler::X509UserCertResourceHandler(
+CertificateResourceHandler::CertificateResourceHandler(
net::URLRequest* request,
int render_process_host_id,
int render_view_id)
@@ -27,42 +26,44 @@ X509UserCertResourceHandler::X509UserCertResourceHandler(
read_buffer_(NULL),
resource_buffer_(NULL),
render_process_host_id_(render_process_host_id),
- render_view_id_(render_view_id) {
+ render_view_id_(render_view_id),
+ cert_type_(net::CERTIFICATE_MIME_TYPE_UNKNOWN) {
}
-X509UserCertResourceHandler::~X509UserCertResourceHandler() {
+CertificateResourceHandler::~CertificateResourceHandler() {
}
-bool X509UserCertResourceHandler::OnUploadProgress(int request_id,
- uint64 position,
- uint64 size) {
+bool CertificateResourceHandler::OnUploadProgress(int request_id,
+ uint64 position,
+ uint64 size) {
return true;
}
-bool X509UserCertResourceHandler::OnRequestRedirected(int request_id,
- const GURL& url,
- ResourceResponse* resp,
- bool* defer) {
+bool CertificateResourceHandler::OnRequestRedirected(int request_id,
+ const GURL& url,
+ ResourceResponse* resp,
+ bool* defer) {
url_ = url;
return true;
}
-bool X509UserCertResourceHandler::OnResponseStarted(int request_id,
- ResourceResponse* resp,
- bool* defer) {
- return (resp->head.mime_type == "application/x-x509-user-cert");
+bool CertificateResourceHandler::OnResponseStarted(int request_id,
+ ResourceResponse* resp,
+ bool* defer) {
+ cert_type_ = net::GetCertificateMimeTypeForMimeType(resp->head.mime_type);
+ return cert_type_ != net::CERTIFICATE_MIME_TYPE_UNKNOWN;
}
-bool X509UserCertResourceHandler::OnWillStart(int request_id,
- const GURL& url,
- bool* defer) {
+bool CertificateResourceHandler::OnWillStart(int request_id,
+ const GURL& url,
+ bool* defer) {
return true;
}
-bool X509UserCertResourceHandler::OnWillRead(int request_id,
- net::IOBuffer** buf,
- int* buf_size,
- int min_size) {
+bool CertificateResourceHandler::OnWillRead(int request_id,
+ net::IOBuffer** buf,
+ int* buf_size,
+ int min_size) {
static const int kReadBufSize = 32768;
// TODO(gauravsh): Should we use 'min_size' here?
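Review bot: `OnResponseStarted` repeats the MIME decision already made through `net::IsSupportedCertificateMimeType()` in `BufferedResourceHandler::SelectNextHandler`, but via a different helper, so the two must stay in agreement or a response accepted there is rejected here by the `false` return. A comment would make that coupling explicit, e.g. `// Must accept exactly the types IsSupportedCertificateMimeType() accepts; a false return rejects the response.` Neither helper's implementation is visible in this diff, so whether they share one table is an assumption to confirm. The body of `OnWillRead` continues outside this hunk.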
@@ -76,9 +77,9 @@ bool X509UserCertResourceHandler::OnWillRead(int request_id,
return true;
}
-bool X509UserCertResourceHandler::OnReadCompleted(int request_id,
- int bytes_read,
- bool* defer) {
+bool CertificateResourceHandler::OnReadCompleted(int request_id,
+ int bytes_read,
+ bool* defer) {
if (!bytes_read)
return true;
@@ -96,7 +97,7 @@ bool X509UserCertResourceHandler::OnReadCompleted(int request_id,
return true;
}
-bool X509UserCertResourceHandler::OnResponseCompleted(
+bool CertificateResourceHandler::OnResponseCompleted(
int request_id,
const net::URLRequestStatus& urs,
const std::string& sec_info) {
@@ -104,17 +105,21 @@ bool X509UserCertResourceHandler::OnResponseCompleted(
return false;
AssembleResource();
- scoped_refptr<net::X509Certificate> cert;
- if (resource_buffer_) {
- cert = net::X509Certificate::CreateFromBytes(resource_buffer_->data(),
- content_length_);
- }
- GetContentClient()->browser()->AddNewCertificate(
- request_, cert, render_process_host_id_, render_view_id_);
+
+ const void* content_bytes = NULL;
+ if (resource_buffer_)
+ content_bytes = resource_buffer_->data();
+
+ // Note that it's up to the browser to verify that the certificate
+ // data is well-formed.
+ GetContentClient()->browser()->AddCertificate(
+ request_, cert_type_, content_bytes, content_length_,
+ render_process_host_id_, render_view_id_);
+
return true;
}
-void X509UserCertResourceHandler::AssembleResource() {
+void CertificateResourceHandler::AssembleResource() {
// 0-length IOBuffers are not allowed.
if (content_length_ == 0) {
resource_buffer_ = NULL;
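Review bot: `OnResponseCompleted` now forwards raw network bytes to the embedder, and the pointer and length come from two independent members: `content_bytes` is NULL whenever `resource_buffer_` is NULL, while `content_length_` is passed unchanged. The visible part of `AssembleResource()` only clears the buffer for a zero length, and its remainder is outside the hunk, so it would be safer to tie the two together with `const size_t content_size = content_bytes ? content_length_ : 0;` and pass `content_size`. With the in-process `X509Certificate::CreateFromBytes` parse removed, an upper bound on the accumulated size before this call would also be worth having if `OnReadCompleted` (not shown in full) does not already enforce one.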
diff --git a/content/browser/loader/x509_user_cert_resource_handler.h b/content/browser/loader/certificate_resource_handler.h
index cdfc113..ba07bf5 100644
--- a/content/browser/loader/x509_user_cert_resource_handler.h
+++ b/content/browser/loader/certificate_resource_handler.h
@@ -2,18 +2,19 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef CONTENT_BROWSER_LOADER_X509_USER_CERT_RESOURCE_HANDLER_H_
-#define CONTENT_BROWSER_LOADER_X509_USER_CERT_RESOURCE_HANDLER_H_
+#ifndef CONTENT_BROWSER_LOADER_CERTIFICATE_RESOURCE_HANDLER_H_
+#define CONTENT_BROWSER_LOADER_CERTIFICATE_RESOURCE_HANDLER_H_
#include <string>
#include <utility>
#include <vector>
#include "base/compiler_specific.h"
-#include "base/memory/scoped_ptr.h"
#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
#include "content/browser/loader/resource_handler.h"
#include "googleurl/src/gurl.h"
+#include "net/base/mime_util.h"
namespace net {
class IOBuffer;
@@ -23,16 +24,17 @@ class URLRequestStatus;
namespace content {
-// This class handles the "application/x-x509-user-cert" mime-type
-// which is a certificate generated by a CA, typically after a previous
-// <keygen> form post.
-
-class X509UserCertResourceHandler : public ResourceHandler {
+// This class handles certificate mime types such as:
+// - "application/x-x509-user-cert"
+// - "application/x-x509-ca-cert"
+// - "application/x-pkcs12"
+//
+class CertificateResourceHandler : public ResourceHandler {
public:
- X509UserCertResourceHandler(net::URLRequest* request,
- int render_process_host_id,
- int render_view_id);
- virtual ~X509UserCertResourceHandler();
+ CertificateResourceHandler(net::URLRequest* request,
+ int render_process_host_id,
+ int render_view_id);
+ virtual ~CertificateResourceHandler();
virtual bool OnUploadProgress(int request_id,
uint64 position,
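Review bot: The new class comment lists three MIME types but no longer says what the handler does with them, and it ends in a bare `//` line. Going by the commit description, the last two types are accepted only on Android; the comment should say so and state that the class buffers the whole response and hands the unparsed bytes to `ContentBrowserClient::AddCertificate()`. The `cert_type_` member added in the next hunk of this file has no comment, unlike `render_view_id_` just above it; `// Certificate file type, set in OnResponseStarted().` would match its neighbour. The class body continues outside this hunk.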
@@ -86,10 +88,10 @@ class X509UserCertResourceHandler : public ResourceHandler {
int render_process_host_id_;
// The id of the |RenderView| which started the download.
int render_view_id_;
-
- DISALLOW_COPY_AND_ASSIGN(X509UserCertResourceHandler);
+ net::CertificateMimeType cert_type_;
+ DISALLOW_COPY_AND_ASSIGN(CertificateResourceHandler);
};
} // namespace content
-#endif // CONTENT_BROWSER_LOADER_X509_USER_CERT_RESOURCE_HANDLER_H_
+#endif // CONTENT_BROWSER_LOADER_CERTIFICATE_RESOURCE_HANDLER_H_
diff --git a/content/content_browser.gypi b/content/content_browser.gypi
index ce16dcd..9ddefdd 100644
--- a/content/content_browser.gypi
+++ b/content/content_browser.gypi
@@ -504,6 +504,8 @@
'browser/loader/async_resource_handler.h',
'browser/loader/buffered_resource_handler.cc',
'browser/loader/buffered_resource_handler.h',
+ 'browser/loader/certificate_resource_handler.cc',
+ 'browser/loader/certificate_resource_handler.h',
'browser/loader/cross_site_resource_handler.cc',
'browser/loader/cross_site_resource_handler.h',
'browser/loader/doomed_resource_handler.cc',
@@ -531,8 +533,6 @@
'browser/loader/throttling_resource_handler.h',
'browser/loader/transfer_navigation_resource_throttle.cc',
'browser/loader/transfer_navigation_resource_throttle.h',
- 'browser/loader/x509_user_cert_resource_handler.cc',
- 'browser/loader/x509_user_cert_resource_handler.h',
'browser/mach_broker_mac.cc',
'browser/mach_broker_mac.h',
'browser/media_devices_monitor.cc',
diff --git a/content/public/browser/content_browser_client.h b/content/public/browser/content_browser_client.h
index 373ec58..867dad5 100644
--- a/content/public/browser/content_browser_client.h
+++ b/content/public/browser/content_browser_client.h
@@ -14,6 +14,7 @@
#include "content/public/common/socket_permission_request.h"
#include "content/public/common/content_client.h"
#include "content/public/common/window_container_type.h"
+#include "net/base/mime_util.h"
#include "net/cookies/canonical_cookie.h"
#include "third_party/WebKit/Source/WebKit/chromium/public/WebNotificationPresenter.h"
@@ -332,13 +333,15 @@ class CONTENT_EXPORT ContentBrowserClient {
net::SSLCertRequestInfo* cert_request_info,
const base::Callback<void(net::X509Certificate*)>& callback) {}
- // Adds a downloaded client cert. The embedder should ensure that there's
- // a private key for the cert, displays the cert to the user, and adds it upon
- // user approval. If the downloaded data could not be interpreted as a valid
- // certificate, |cert| will be NULL.
- virtual void AddNewCertificate(
+ // Adds a new installable certificate or private key.
+ // Typically used to install an X.509 user certificate.
+ // Note that it's up to the embedder to verify that the data is
+ // well-formed. |cert_data| will be NULL if file_size is 0.
+ virtual void AddCertificate(
net::URLRequest* request,
- net::X509Certificate* cert,
+ net::CertificateMimeType cert_type,
+ const void* cert_data,
+ size_t cert_size,
int render_process_id,
int render_view_id) {}
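Review bot: The new comment on `AddCertificate` refers to `file_size`, but the parameter is `cert_size`; it should read `|cert_data| will be NULL if |cert_size| is 0.` It also drops the old contract that the embedder displays the certificate and adds it only upon user approval, which matters more now that the embedder receives unparsed network data that may be a CA certificate or a PKCS#12 file; I would keep a sentence such as `The embedder must validate the data and obtain user approval before installing anything.` The lifetime of `cert_data` is not stated either; presumably it is valid only for the duration of the call, which is worth confirming and documenting.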