Instantiate OriginBoundCertService in relevant places and do plumbing to pass...

Instantiate OriginBoundCertService in relevant places and do plumbing to pass it down to HttpNetworkSession.

BUG=88782
TEST=None

Review URL: http://codereview.chromium.org/7493025

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@96296 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/io_thread.cc

@@ -36,12 +36,14 @@
 #include "content/common/url_fetcher.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/cookie_monster.h"
+#include "net/base/default_origin_bound_cert_store.h"
 #include "net/base/dnsrr_resolver.h"
 #include "net/base/host_cache.h"
 #include "net/base/host_resolver.h"
 #include "net/base/host_resolver_impl.h"
 #include "net/base/mapped_host_resolver.h"
 #include "net/base/net_util.h"
+#include "net/base/origin_bound_cert_service.h"
 #include "net/dns/async_host_resolver.h"
 #include "net/ftp/ftp_network_layer.h"
 #include "net/http/http_auth_filter.h"
@@ -253,8 +255,9 @@ ConstructProxyScriptFetcherContext(IOThread::Globals* globals,
       globals->proxy_script_fetcher_http_transaction_factory.get());
   context->set_ftp_transaction_factory(
       globals->proxy_script_fetcher_ftp_transaction_factory.get());
-  // In-memory cookie store.
-  context->set_cookie_store(new net::CookieMonster(NULL, NULL));
+  context->set_cookie_store(globals->system_cookie_store.get());
+  context->set_origin_bound_cert_service(
+      globals->system_origin_bound_cert_service.get());
   context->set_network_delegate(globals->system_network_delegate.get());
   return context;
 }
@@ -275,8 +278,9 @@ ConstructSystemRequestContext(IOThread::Globals* globals,
       globals->system_http_transaction_factory.get());
   context->set_ftp_transaction_factory(
       globals->system_ftp_transaction_factory.get());
-  // In-memory cookie store.
-  context->set_cookie_store(new net::CookieMonster(NULL, NULL));
+  context->set_cookie_store(globals->system_cookie_store.get());
+  context->set_origin_bound_cert_service(
+      globals->system_origin_bound_cert_service.get());
   return context;
 }
 
@@ -468,9 +472,17 @@ void IOThread::Init() {
   // For the ProxyScriptFetcher, we use a direct ProxyService.
   globals_->proxy_script_fetcher_proxy_service.reset(
       net::ProxyService::CreateDirectWithNetLog(net_log_));
+  // In-memory cookie store.
+  globals_->system_cookie_store = new net::CookieMonster(NULL, NULL);
+  // In-memory origin-bound cert store.
+  globals_->system_origin_bound_cert_service.reset(
+      new net::OriginBoundCertService(
+          new net::DefaultOriginBoundCertStore(NULL)));
   net::HttpNetworkSession::Params session_params;
   session_params.host_resolver = globals_->host_resolver.get();
   session_params.cert_verifier = globals_->cert_verifier.get();
+  session_params.origin_bound_cert_service =
+      globals_->system_origin_bound_cert_service.get();
   session_params.proxy_service =
       globals_->proxy_script_fetcher_proxy_service.get();
   session_params.http_auth_handler_factory =
@@ -485,9 +497,8 @@ void IOThread::Init() {
   globals_->proxy_script_fetcher_ftp_transaction_factory.reset(
       new net::FtpNetworkLayer(globals_->host_resolver.get()));
 
-  scoped_refptr<net::URLRequestContext> proxy_script_fetcher_context =
+  globals_->proxy_script_fetcher_context =
       ConstructProxyScriptFetcherContext(globals_, net_log_);
-  globals_->proxy_script_fetcher_context = proxy_script_fetcher_context;
 }
 
 void IOThread::CleanUp() {
@@ -680,6 +691,8 @@ void IOThread::InitSystemRequestContextOnIOThread() {
   net::HttpNetworkSession::Params system_params;
   system_params.host_resolver = globals_->host_resolver.get();
   system_params.cert_verifier = globals_->cert_verifier.get();
+  system_params.origin_bound_cert_service =
+      globals_->system_origin_bound_cert_service.get();
   system_params.dnsrr_resolver = globals_->dnsrr_resolver.get();
   system_params.dns_cert_checker = NULL;
   system_params.ssl_host_info_factory = NULL;

chrome/browser/io_thread.h

@@ -36,12 +36,14 @@ class Predictor;
 
 namespace net {
 class CertVerifier;
+class CookieStore;
 class DnsRRResolver;
 class FtpTransactionFactory;
 class HostResolver;
 class HttpAuthHandlerFactory;
 class HttpTransactionFactory;
 class NetworkDelegate;
+class OriginBoundCertService;
 class ProxyConfigService;
 class ProxyService;
 class SSLConfigService;
@@ -87,6 +89,10 @@ class IOThread : public BrowserProcessSubThread {
     scoped_ptr<net::HttpTransactionFactory> system_http_transaction_factory;
     scoped_ptr<net::FtpTransactionFactory> system_ftp_transaction_factory;
     scoped_refptr<net::URLRequestContext> system_request_context;
+    // |cookie_store| and |origin_bound_cert_service| are shared between
+    // |proxy_script_fetcher_context| and |system_request_context|.
+    scoped_refptr<net::CookieStore> system_cookie_store;
+    scoped_ptr<net::OriginBoundCertService> system_origin_bound_cert_service;
     scoped_refptr<ExtensionEventRouterForwarder>
         extension_event_router_forwarder;
   };

chrome/browser/profiles/off_the_record_profile_io_data.cc

@@ -19,6 +19,8 @@
 #include "chrome/common/url_constants.h"
 #include "content/browser/browser_thread.h"
 #include "content/browser/resource_context.h"
+#include "net/base/default_origin_bound_cert_store.h"
+#include "net/base/origin_bound_cert_service.h"
 #include "net/ftp/ftp_network_layer.h"
 #include "net/http/http_cache.h"
 #include "webkit/database/database_tracker.h"
@@ -160,6 +162,13 @@ void OffTheRecordProfileIOData::LazyInitializeInternal(
   main_context->set_dns_cert_checker(dns_cert_checker());
   main_context->set_proxy_service(proxy_service());
 
+  // For incognito, we use a non-persistent origin bound cert store.
+  net::OriginBoundCertService* origin_bound_cert_service =
+      new net::OriginBoundCertService(
+          new net::DefaultOriginBoundCertStore(NULL));
+  set_origin_bound_cert_service(origin_bound_cert_service);
+  main_context->set_origin_bound_cert_service(origin_bound_cert_service);
+
   main_context->set_cookie_store(
       new net::CookieMonster(NULL, profile_params->cookie_monster_delegate));
   // All we care about for extensions is the cookie store. For incognito, we
@@ -178,6 +187,7 @@ void OffTheRecordProfileIOData::LazyInitializeInternal(
   net::HttpCache* cache =
       new net::HttpCache(main_context->host_resolver(),
                          main_context->cert_verifier(),
+                         main_context->origin_bound_cert_service(),
                          main_context->dnsrr_resolver(),
                          main_context->dns_cert_checker(),
                          main_context->proxy_service(),

chrome/browser/profiles/profile_impl.cc

@@ -414,6 +414,9 @@ void ProfileImpl::DoFinalInit() {
 
   FilePath cookie_path = GetPath();
   cookie_path = cookie_path.Append(chrome::kCookieFilename);
+  FilePath origin_bound_cert_path = GetPath();
+  origin_bound_cert_path =
+      origin_bound_cert_path.Append(chrome::kOBCertFilename);
   FilePath cache_path = base_cache_path_;
   int cache_max_size;
   GetCacheParameters(kNormalContext, &cache_path, &cache_max_size);
@@ -432,9 +435,9 @@ void ProfileImpl::DoFinalInit() {
 
   // Make sure we initialize the ProfileIOData after everything else has been
   // initialized that we might be reading from the IO thread.
-  io_data_.Init(cookie_path, cache_path, cache_max_size,
-                media_cache_path, media_cache_max_size, extensions_cookie_path,
-                app_path);
+  io_data_.Init(cookie_path, origin_bound_cert_path, cache_path,
+                cache_max_size, media_cache_path, media_cache_max_size,
+                extensions_cookie_path, app_path);
 
   // Creation has been finished.
   if (delegate_)

chrome/browser/profiles/profile_impl_io_data.cc

@@ -12,6 +12,7 @@
 #include "chrome/browser/io_thread.h"
 #include "chrome/browser/net/chrome_net_log.h"
 #include "chrome/browser/net/chrome_network_delegate.h"
+#include "chrome/browser/net/sqlite_origin_bound_cert_store.h"
 #include "chrome/browser/net/sqlite_persistent_cookie_store.h"
 #include "chrome/browser/prefs/pref_member.h"
 #include "chrome/browser/profiles/profile.h"
@@ -21,6 +22,7 @@
 #include "chrome/common/url_constants.h"
 #include "content/browser/browser_thread.h"
 #include "content/browser/resource_context.h"
+#include "net/base/origin_bound_cert_service.h"
 #include "net/ftp/ftp_network_layer.h"
 #include "net/http/http_cache.h"
 
@@ -53,6 +55,7 @@ ProfileImplIOData::Handle::~Handle() {
 }
 
 void ProfileImplIOData::Handle::Init(const FilePath& cookie_path,
+                                     const FilePath& origin_bound_cert_path,
                                      const FilePath& cache_path,
                                      int cache_max_size,
                                      const FilePath& media_cache_path,
@@ -64,6 +67,7 @@ void ProfileImplIOData::Handle::Init(const FilePath& cookie_path,
   LazyParams* lazy_params = new LazyParams;
 
   lazy_params->cookie_path = cookie_path;
+  lazy_params->origin_bound_cert_path = origin_bound_cert_path;
   lazy_params->cache_path = cache_path;
   lazy_params->cache_max_size = cache_max_size;
   lazy_params->media_cache_path = media_cache_path;
@@ -230,40 +234,15 @@ void ProfileImplIOData::LazyInitializeInternal(
   main_context->set_proxy_service(proxy_service());
   media_request_context_->set_proxy_service(proxy_service());
 
-  net::HttpCache::DefaultBackend* main_backend =
-      new net::HttpCache::DefaultBackend(
-          net::DISK_CACHE,
-          lazy_params_->cache_path,
-          lazy_params_->cache_max_size,
-          BrowserThread::GetMessageLoopProxyForThread(BrowserThread::CACHE));
-  net::HttpCache* main_cache = new net::HttpCache(
-      main_context->host_resolver(),
-      main_context->cert_verifier(),
-      main_context->dnsrr_resolver(),
-      main_context->dns_cert_checker(),
-      main_context->proxy_service(),
-      main_context->ssl_config_service(),
-      main_context->http_auth_handler_factory(),
-      main_context->network_delegate(),
-      main_context->net_log(),
-      main_backend);
-
-  net::HttpCache::DefaultBackend* media_backend =
-      new net::HttpCache::DefaultBackend(
-          net::MEDIA_CACHE, lazy_params_->media_cache_path,
-          lazy_params_->media_cache_max_size,
-          BrowserThread::GetMessageLoopProxyForThread(BrowserThread::CACHE));
-  net::HttpNetworkSession* main_network_session = main_cache->GetSession();
-  net::HttpCache* media_cache =
-      new net::HttpCache(main_network_session, media_backend);
-
   scoped_refptr<net::CookieStore> cookie_store = NULL;
+  net::OriginBoundCertService* origin_bound_cert_service = NULL;
   if (record_mode || playback_mode) {
     // Don't use existing cookies and use an in-memory store.
     cookie_store = new net::CookieMonster(
         NULL, profile_params->cookie_monster_delegate);
-    main_cache->set_mode(
-        record_mode ? net::HttpCache::RECORD : net::HttpCache::PLAYBACK);
+    // Don't use existing origin-bound certs and use an in-memory store.
+    origin_bound_cert_service = new net::OriginBoundCertService(
+        new net::DefaultOriginBoundCertStore(NULL));
   }
 
   // setup cookie store
@@ -292,6 +271,56 @@ void ProfileImplIOData::LazyInitializeInternal(
   media_request_context_->set_cookie_store(cookie_store);
   extensions_context->set_cookie_store(extensions_cookie_store);
 
+  // Setup origin bound cert service.
+  if (!origin_bound_cert_service) {
+    DCHECK(!lazy_params_->origin_bound_cert_path.empty());
+
+    scoped_refptr<SQLiteOriginBoundCertStore> origin_bound_cert_db =
+        new SQLiteOriginBoundCertStore(lazy_params_->origin_bound_cert_path);
+    origin_bound_cert_db->SetClearLocalStateOnExit(
+        profile_params->clear_local_state_on_exit);
+    origin_bound_cert_service = new net::OriginBoundCertService(
+        new net::DefaultOriginBoundCertStore(origin_bound_cert_db.get()));
+  }
+
+  set_origin_bound_cert_service(origin_bound_cert_service);
+  main_context->set_origin_bound_cert_service(origin_bound_cert_service);
+  media_request_context_->set_origin_bound_cert_service(
+      origin_bound_cert_service);
+
+  net::HttpCache::DefaultBackend* main_backend =
+      new net::HttpCache::DefaultBackend(
+          net::DISK_CACHE,
+          lazy_params_->cache_path,
+          lazy_params_->cache_max_size,
+          BrowserThread::GetMessageLoopProxyForThread(BrowserThread::CACHE));
+  net::HttpCache* main_cache = new net::HttpCache(
+      main_context->host_resolver(),
+      main_context->cert_verifier(),
+      main_context->origin_bound_cert_service(),
+      main_context->dnsrr_resolver(),
+      main_context->dns_cert_checker(),
+      main_context->proxy_service(),
+      main_context->ssl_config_service(),
+      main_context->http_auth_handler_factory(),
+      main_context->network_delegate(),
+      main_context->net_log(),
+      main_backend);
+
+  net::HttpCache::DefaultBackend* media_backend =
+      new net::HttpCache::DefaultBackend(
+          net::MEDIA_CACHE, lazy_params_->media_cache_path,
+          lazy_params_->media_cache_max_size,
+          BrowserThread::GetMessageLoopProxyForThread(BrowserThread::CACHE));
+  net::HttpNetworkSession* main_network_session = main_cache->GetSession();
+  net::HttpCache* media_cache =
+      new net::HttpCache(main_network_session, media_backend);
+
+  if (record_mode || playback_mode) {
+    main_cache->set_mode(
+        record_mode ? net::HttpCache::RECORD : net::HttpCache::PLAYBACK);
+  }
+
   main_http_factory_.reset(main_cache);
   media_http_factory_.reset(media_cache);
   main_context->set_http_transaction_factory(main_cache);

chrome/browser/profiles/profile_impl_io_data.h

@@ -30,6 +30,7 @@ class ProfileImplIOData : public ProfileIOData {
     // Init() must be called before ~Handle(). It records all the necessary
     // parameters needed to construct a ChromeURLRequestContextGetter.
     void Init(const FilePath& cookie_path,
+              const FilePath& origin_bound_cert_path,
               const FilePath& cache_path,
               int cache_max_size,
               const FilePath& media_cache_path,
@@ -93,6 +94,7 @@ class ProfileImplIOData : public ProfileIOData {
 
     // All of these parameters are intended to be read on the IO thread.
     FilePath cookie_path;
+    FilePath origin_bound_cert_path;
     FilePath cache_path;
     int cache_max_size;
     FilePath media_cache_path;

chrome/browser/profiles/profile_io_data.cc

@@ -45,6 +45,7 @@
 #include "content/browser/renderer_host/resource_dispatcher_host_request_info.h"
 #include "content/browser/resource_context.h"
 #include "content/common/notification_service.h"
+#include "net/base/origin_bound_cert_service.h"
 #include "net/http/http_transaction_factory.h"
 #include "net/http/http_util.h"
 #include "net/proxy/proxy_config_service_fixed.h"
@@ -519,3 +520,8 @@ void ProfileIOData::ShutdownOnUIThread() {
   if (!posted)
     delete this;
 }
+
+void ProfileIOData::set_origin_bound_cert_service(
+    net::OriginBoundCertService* origin_bound_cert_service) const {
+  origin_bound_cert_service_.reset(origin_bound_cert_service);
+}

chrome/browser/profiles/profile_io_data.h

@@ -39,6 +39,7 @@ class CookieStore;
 class DnsCertProvenanceChecker;
 class HttpTransactionFactory;
 class NetLog;
+class OriginBoundCertService;
 class ProxyConfigService;
 class ProxyService;
 class SSLConfigService;
@@ -180,6 +181,13 @@ class ProfileIOData {
     return chrome_url_data_manager_backend_.get();
   }
 
+  // An OriginBoundCertService object is created by a derived class of
+  // ProfileIOData, and the derived class calls this method to set the
+  // origin_bound_cert_service_ member and transfers ownership to the base
+  // class.
+  void set_origin_bound_cert_service(
+      net::OriginBoundCertService* origin_bound_cert_service) const;
+
   net::NetworkDelegate* network_delegate() const {
     return network_delegate_.get();
   }
@@ -253,6 +261,7 @@ class ProfileIOData {
   // Pointed to by URLRequestContext.
   mutable scoped_ptr<ChromeURLDataManagerBackend>
       chrome_url_data_manager_backend_;
+  mutable scoped_ptr<net::OriginBoundCertService> origin_bound_cert_service_;
   mutable scoped_ptr<net::NetworkDelegate> network_delegate_;
   mutable scoped_ptr<net::DnsCertProvenanceChecker> dns_cert_checker_;
   mutable scoped_ptr<net::ProxyService> proxy_service_;

net/http/http_cache.cc

@@ -42,6 +42,7 @@ namespace {
 HttpNetworkSession* CreateNetworkSession(
     HostResolver* host_resolver,
     CertVerifier* cert_verifier,
+    OriginBoundCertService* origin_bound_cert_service,
     DnsRRResolver* dnsrr_resolver,
     DnsCertProvenanceChecker* dns_cert_checker,
     ProxyService* proxy_service,
@@ -53,6 +54,7 @@ HttpNetworkSession* CreateNetworkSession(
   HttpNetworkSession::Params params;
   params.host_resolver = host_resolver;
   params.cert_verifier = cert_verifier;
+  params.origin_bound_cert_service = origin_bound_cert_service;
   params.dnsrr_resolver = dnsrr_resolver;
   params.dns_cert_checker = dns_cert_checker;
   params.proxy_service = proxy_service;
@@ -311,6 +313,7 @@ class HttpCache::SSLHostInfoFactoryAdaptor : public SSLHostInfoFactory {
 //-----------------------------------------------------------------------------
 HttpCache::HttpCache(HostResolver* host_resolver,
                      CertVerifier* cert_verifier,
+                     OriginBoundCertService* origin_bound_cert_service,
                      DnsRRResolver* dnsrr_resolver,
                      DnsCertProvenanceChecker* dns_cert_checker_,
                      ProxyService* proxy_service,
@@ -331,6 +334,7 @@ HttpCache::HttpCache(HostResolver* host_resolver,
               CreateNetworkSession(
                   host_resolver,
                   cert_verifier,
+                  origin_bound_cert_service,
                   dnsrr_resolver,
                   dns_cert_checker_,
                   proxy_service,

net/http/http_cache.h

@@ -53,6 +53,7 @@ class HttpResponseInfo;
 class IOBuffer;
 class NetLog;
 class NetworkDelegate;
+class OriginBoundCertService;
 class ProxyService;
 class SSLConfigService;
 class ViewCacheHelper;
@@ -120,6 +121,7 @@ class NET_API HttpCache : public HttpTransactionFactory,
   // The HttpCache takes ownership of the |backend_factory|.
   HttpCache(HostResolver* host_resolver,
             CertVerifier* cert_verifier,
+            OriginBoundCertService* origin_bound_cert_service,
             DnsRRResolver* dnsrr_resolver,
             DnsCertProvenanceChecker* dns_cert_checker,
             ProxyService* proxy_service,

net/url_request/url_request_context.h

@@ -80,6 +80,7 @@ class NET_API URLRequestContext
   OriginBoundCertService* origin_bound_cert_service() const {
     return origin_bound_cert_service_;
   }
+
   void set_origin_bound_cert_service(
       OriginBoundCertService* origin_bound_cert_service) {
     origin_bound_cert_service_ = origin_bound_cert_service;

net/url_request/url_request_context_storage.cc

@@ -11,6 +11,7 @@
 #include "net/base/host_resolver.h"
 #include "net/base/net_log.h"
 #include "net/base/network_delegate.h"
+#include "net/base/origin_bound_cert_service.h"
 #include "net/ftp/ftp_transaction_factory.h"
 #include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_transaction_factory.h"
@@ -43,6 +44,12 @@ void URLRequestContextStorage::set_cert_verifier(CertVerifier* cert_verifier) {
   cert_verifier_.reset(cert_verifier);
 }
 
+void URLRequestContextStorage::set_origin_bound_cert_service(
+    OriginBoundCertService* origin_bound_cert_service) {
+  context_->set_origin_bound_cert_service(origin_bound_cert_service);
+  origin_bound_cert_service_.reset(origin_bound_cert_service);
+}
+
 void URLRequestContextStorage::set_dnsrr_resolver(
     DnsRRResolver* dnsrr_resolver) {
   context_->set_dnsrr_resolver(dnsrr_resolver);

net/url_request/url_request_context_storage.h

@@ -23,6 +23,7 @@ class HttpAuthHandlerFactory;
 class HttpTransactionFactory;
 class NetLog;
 class NetworkDelegate;
+class OriginBoundCertService;
 class ProxyService;
 class SSLConfigService;
 class TransportSecurityState;
@@ -45,6 +46,8 @@ class NET_API URLRequestContextStorage {
   void set_net_log(NetLog* net_log);
   void set_host_resolver(HostResolver* host_resolver);
   void set_cert_verifier(CertVerifier* cert_verifier);
+  void set_origin_bound_cert_service(
+      OriginBoundCertService* origin_bound_cert_service);
   void set_dnsrr_resolver(DnsRRResolver* dnsrr_resolver);
   void set_dns_cert_checker(DnsCertProvenanceChecker* dns_cert_checker);
   void set_http_auth_handler_factory(
@@ -71,6 +74,7 @@ class NET_API URLRequestContextStorage {
   scoped_ptr<NetLog> net_log_;
   scoped_ptr<HostResolver> host_resolver_;
   scoped_ptr<CertVerifier> cert_verifier_;
+  scoped_ptr<OriginBoundCertService> origin_bound_cert_service_;
   scoped_ptr<DnsRRResolver> dnsrr_resolver_;
   scoped_ptr<DnsCertProvenanceChecker> dns_cert_checker_;
   scoped_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;

webkit/tools/test_shell/test_shell_request_context.cc

@@ -10,7 +10,9 @@
 #include "base/file_path.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/cookie_monster.h"
+#include "net/base/default_origin_bound_cert_store.h"
 #include "net/base/host_resolver.h"
+#include "net/base/origin_bound_cert_service.h"
 #include "net/base/ssl_config_service_defaults.h"
 #include "net/ftp/ftp_network_layer.h"
 #include "net/http/http_auth_handler_factory.h"
@@ -46,6 +48,8 @@ void TestShellRequestContext::Init(
     net::HttpCache::Mode cache_mode,
     bool no_proxy) {
   storage_.set_cookie_store(new net::CookieMonster(NULL, NULL));
+  storage_.set_origin_bound_cert_service(new net::OriginBoundCertService(
+      new net::DefaultOriginBoundCertStore(NULL)));
 
   // hard-code A-L and A-C for test shells
   set_accept_language("en-us,en");
@@ -86,7 +90,8 @@ void TestShellRequestContext::Init(
       cache_path, 0, SimpleResourceLoaderBridge::GetCacheThread());
 
   net::HttpCache* cache =
-      new net::HttpCache(host_resolver(), cert_verifier(), NULL, NULL,
+      new net::HttpCache(host_resolver(), cert_verifier(),
+                         origin_bound_cert_service(), NULL, NULL,
                          proxy_service(), ssl_config_service(),
                          http_auth_handler_factory(), NULL, NULL, backend);