Add GetNetworkCertificates to chromeos.network_config.mojom

This adds GetNetworkCertificates to the mojo API.

A follow-up CL will use the new api in the Settings WebUI.

Bug: 1001598
Change-Id: If754a6955f10ee23264dd2a4e976922928258b33
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1817201
Commit-Queue: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Kyle Horimoto <khorimoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#699476}

ash/system/network/tray_network_state_model.cc

@@ -116,6 +116,8 @@ void TrayNetworkStateModel::OnDeviceStateListChanged() {
 
 void TrayNetworkStateModel::OnVpnProvidersChanged() {}
 
+void TrayNetworkStateModel::OnNetworkCertificatesChanged() {}
+
 void TrayNetworkStateModel::GetDeviceStateList() {
   DCHECK(remote_cros_network_config_);
   remote_cros_network_config_->GetDeviceStateList(base::BindOnce(

ash/system/network/tray_network_state_model.h

@@ -77,6 +77,7 @@ class ASH_EXPORT TrayNetworkStateModel
   void OnNetworkStateListChanged() override;
   void OnDeviceStateListChanged() override;
   void OnVpnProvidersChanged() override;
+  void OnNetworkCertificatesChanged() override;
 
   void GetDeviceStateList();
   void OnGetDeviceStateList(

ash/system/network/vpn_list.cc

@@ -58,6 +58,8 @@ void VpnList::OnVpnProvidersChanged() {
       base::BindOnce(&VpnList::OnGetVpnProviders, base::Unretained(this)));
 }
 
+void VpnList::OnNetworkCertificatesChanged() {}
+
 void VpnList::SetVpnProvidersForTest(std::vector<VpnProviderPtr> providers) {
   OnGetVpnProviders(std::move(providers));
 }

ash/system/network/vpn_list.h

@@ -70,6 +70,7 @@ class ASH_EXPORT VpnList
   void OnNetworkStateListChanged() override;
   void OnDeviceStateListChanged() override;
   void OnVpnProvidersChanged() override;
+  void OnNetworkCertificatesChanged() override;
 
   void SetVpnProvidersForTest(std::vector<VpnProviderPtr> providers);
 

chrome/browser/chromeos/printing/cups_printers_manager.cc

@@ -248,20 +248,13 @@ class CupsPrintersManagerImpl
     // detected printers.
     ClearNetworkDetectedPrinters();
   }
-
-  // mojom::CrosNetworkConfigObserver implementation.
   void OnNetworkStateChanged(
       chromeos::network_config::mojom::NetworkStatePropertiesPtr /* network */)
       override {}
-
-  // mojom::CrosNetworkConfigObserver implementation.
   void OnNetworkStateListChanged() override {}
-
-  // mojom::CrosNetworkConfigObserver implementation.
   void OnDeviceStateListChanged() override {}
-
-  // mojom::CrosNetworkConfigObserver implementation.
   void OnVpnProvidersChanged() override {}
+  void OnNetworkCertificatesChanged() override {}
 
   // Callback for PrinterDetectors.
   void OnPrintersFound(

chrome/test/data/webui/chromeos/fake_network_config_mojom.js

@@ -79,7 +79,7 @@ class FakeNetworkConfig {
 
     ['getNetworkState', 'getNetworkStateList', 'getDeviceStateList',
      'getManagedProperties', 'setNetworkTypeEnabledState', 'requestNetworkScan',
-     'getGlobalPolicy', 'getVpnProviders']
+     'getGlobalPolicy', 'getVpnProviders', 'getNetworkCertificates']
         .forEach((methodName) => {
           this.resolverMap_.set(methodName, new PromiseResolver());
         });
@@ -213,7 +213,7 @@ class FakeNetworkConfig {
   // networkConfig methods
 
   /**
-   * @param { !chromeos.networkConfig.mojom.CrosNetworkConfigObserverProxy }
+   * @param {!chromeos.networkConfig.mojom.CrosNetworkConfigObserverProxy }
    *     observer
    */
   addObserver(observer) {
@@ -314,13 +314,13 @@ class FakeNetworkConfig {
     });
   }
 
-  /** @param { !chromeos.networkConfig.mojom.NetworkType } type */
+  /** @param {!chromeos.networkConfig.mojom.NetworkType } type */
   requestNetworkScan(type) {
     this.methodCalled('requestNetworkScan');
   }
 
   /**
-   * @return { !Promise<{result: !chromeos.networkConfig.mojom.GlobalPolicy}>}
+   * @return {!Promise<{result: !chromeos.networkConfig.mojom.GlobalPolicy}>}
    */
   getGlobalPolicy() {
     return new Promise(resolve => {
@@ -330,7 +330,7 @@ class FakeNetworkConfig {
   }
 
   /**
-   * @return { !Promise<{
+   * @return {!Promise<{
    *     result: !Array<!chromeos.networkConfig.mojom.VpnProvider>}>}
    */
   getVpnProviders() {
@@ -339,4 +339,16 @@ class FakeNetworkConfig {
       resolve({providers: this.vpnProviders_});
     });
   }
+
+  /**
+   * @return {!Promise<{
+   *     serverCas: !Array<!chromeos.networkConfig.mojom.NetworkCertificate>,
+   *     userCerts: !Array<!chromeos.networkConfig.mojom.NetworkCertificate>}>}
+   */
+  getNetworkCertificates() {
+    return new Promise(resolve => {
+      this.methodCalled('getNetworkCertificates');
+      resolve({serverCas: [], userCerts: []});
+    });
+  }
 }

chromeos/network/network_certificate_handler.cc

@@ -64,16 +64,18 @@ NetworkCertificateHandler::~NetworkCertificateHandler() {
   NetworkCertLoader::Get()->RemoveObserver(this);
 }
 
-void NetworkCertificateHandler::AddObserver(
-    NetworkCertificateHandler::Observer* observer) {
+void NetworkCertificateHandler::AddObserver(Observer* observer) {
   observer_list_.AddObserver(observer);
 }
 
-void NetworkCertificateHandler::RemoveObserver(
-    NetworkCertificateHandler::Observer* observer) {
+void NetworkCertificateHandler::RemoveObserver(Observer* observer) {
   observer_list_.RemoveObserver(observer);
 }
 
+bool NetworkCertificateHandler::HasObserver(Observer* observer) {
+  return observer_list_.HasObserver(observer);
+}
+
 void NetworkCertificateHandler::AddAuthorityCertificateForTest(
     const std::string& issued_to) {
   Certificate cert;

chromeos/network/network_certificate_handler.h

@@ -69,6 +69,7 @@ class COMPONENT_EXPORT(CHROMEOS_NETWORK) NetworkCertificateHandler
 
   void AddObserver(Observer* observer);
   void RemoveObserver(Observer* observer);
+  bool HasObserver(Observer* observer);
 
   const std::vector<Certificate>& server_ca_certificates() const {
     return server_ca_certificates_;

chromeos/services/assistant/platform/network_provider_impl.h

@@ -35,6 +35,7 @@ class COMPONENT_EXPORT(ASSISTANT_SERVICE) NetworkProviderImpl
   void OnNetworkStateListChanged() override {}
   void OnDeviceStateListChanged() override {}
   void OnVpnProvidersChanged() override {}
+  void OnNetworkCertificatesChanged() override {}
 
  private:
   ConnectionStatus connection_status_;

chromeos/services/network_config/cros_network_config.cc

@@ -1595,6 +1595,23 @@ std::unique_ptr<base::DictionaryValue> GetOncFromConfigProperties(
   return onc;
 }
 
+mojom::NetworkCertificatePtr GetMojoCert(
+    const NetworkCertificateHandler::Certificate& cert,
+    mojom::CertificateType type) {
+  auto result = mojom::NetworkCertificate::New();
+  result->type = type;
+  result->hash = cert.hash;
+  result->issued_by = cert.issued_by;
+  result->issued_to = cert.issued_to;
+  result->hardware_backed = cert.hardware_backed;
+  result->device_wide = cert.device_wide;
+  if (type == mojom::CertificateType::kServerCA)
+    result->pem_or_id = cert.pem;
+  if (type == mojom::CertificateType::kUserCert)
+    result->pem_or_id = cert.pkcs11_id;
+  return result;
+}
+
 }  // namespace
 
 CrosNetworkConfig::CrosNetworkConfig()
@@ -1602,23 +1619,30 @@ CrosNetworkConfig::CrosNetworkConfig()
           NetworkHandler::Get()->network_state_handler(),
           NetworkHandler::Get()->network_device_handler(),
           NetworkHandler::Get()->managed_network_configuration_handler(),
-          NetworkHandler::Get()->network_connection_handler()) {}
+          NetworkHandler::Get()->network_connection_handler(),
+          NetworkHandler::Get()->network_certificate_handler()) {}
 
 CrosNetworkConfig::CrosNetworkConfig(
     NetworkStateHandler* network_state_handler,
     NetworkDeviceHandler* network_device_handler,
     ManagedNetworkConfigurationHandler* network_configuration_handler,
-    NetworkConnectionHandler* network_connection_handler)
+    NetworkConnectionHandler* network_connection_handler,
+    NetworkCertificateHandler* network_certificate_handler)
     : network_state_handler_(network_state_handler),
       network_device_handler_(network_device_handler),
       network_configuration_handler_(network_configuration_handler),
-      network_connection_handler_(network_connection_handler) {
+      network_connection_handler_(network_connection_handler),
+      network_certificate_handler_(network_certificate_handler) {
   CHECK(network_state_handler);
 }
 
 CrosNetworkConfig::~CrosNetworkConfig() {
   if (network_state_handler_->HasObserver(this))
     network_state_handler_->RemoveObserver(this, FROM_HERE);
+  if (network_certificate_handler_ &&
+      network_certificate_handler_->HasObserver(this)) {
+    network_certificate_handler_->RemoveObserver(this);
+  }
 }
 
 void CrosNetworkConfig::BindRequest(mojom::CrosNetworkConfigRequest request) {
@@ -1630,6 +1654,10 @@ void CrosNetworkConfig::AddObserver(
     mojom::CrosNetworkConfigObserverPtr observer) {
   if (!network_state_handler_->HasObserver(this))
     network_state_handler_->AddObserver(this, FROM_HERE);
+  if (network_certificate_handler_ &&
+      !network_certificate_handler_->HasObserver(this)) {
+    network_certificate_handler_->AddObserver(this);
+  }
   observers_.AddPtr(std::move(observer));
 }
 
@@ -2372,6 +2400,24 @@ void CrosNetworkConfig::GetVpnProviders(GetVpnProvidersCallback callback) {
   std::move(callback).Run(mojo::Clone(vpn_providers_));
 }
 
+void CrosNetworkConfig::GetNetworkCertificates(
+    GetNetworkCertificatesCallback callback) {
+  const std::vector<NetworkCertificateHandler::Certificate>&
+      handler_server_cas =
+          network_certificate_handler_->server_ca_certificates();
+  std::vector<mojom::NetworkCertificatePtr> server_cas;
+  for (const auto& cert : handler_server_cas)
+    server_cas.push_back(GetMojoCert(cert, mojom::CertificateType::kServerCA));
+
+  std::vector<mojom::NetworkCertificatePtr> user_certs;
+  const std::vector<NetworkCertificateHandler::Certificate>&
+      handler_user_certs = network_certificate_handler_->client_certificates();
+  for (const auto& cert : handler_user_certs)
+    user_certs.push_back(GetMojoCert(cert, mojom::CertificateType::kUserCert));
+
+  std::move(callback).Run(std::move(server_cas), std::move(user_certs));
+}
+
 // NetworkStateHandlerObserver
 void CrosNetworkConfig::NetworkListChanged() {
   observers_.ForAllPtrs([](mojom::CrosNetworkConfigObserver* observer) {
@@ -2422,6 +2468,12 @@ void CrosNetworkConfig::OnShuttingDown() {
   network_state_handler_ = nullptr;
 }
 
+void CrosNetworkConfig::OnCertificatesChanged() {
+  observers_.ForAllPtrs([](mojom::CrosNetworkConfigObserver* observer) {
+    observer->OnNetworkCertificatesChanged();
+  });
+}
+
 const std::string& CrosNetworkConfig::GetServicePathFromGuid(
     const std::string& guid) {
   const chromeos::NetworkState* network =

chromeos/services/network_config/cros_network_config.h

@@ -7,6 +7,7 @@
 
 #include "base/containers/flat_map.h"
 #include "base/memory/weak_ptr.h"
+#include "chromeos/network/network_certificate_handler.h"
 #include "chromeos/network/network_state_handler_observer.h"
 #include "chromeos/services/network_config/public/mojom/cros_network_config.mojom.h"
 #include "mojo/public/cpp/bindings/binding_set.h"
@@ -26,7 +27,8 @@ class NetworkStateHandler;
 namespace network_config {
 
 class CrosNetworkConfig : public mojom::CrosNetworkConfig,
-                          public NetworkStateHandlerObserver {
+                          public NetworkStateHandlerObserver,
+                          public NetworkCertificateHandler::Observer {
  public:
   // Constructs an instance of CrosNetworkConfig with default network subsystem
   // dependencies appropriate for a production environment.
@@ -38,7 +40,8 @@ class CrosNetworkConfig : public mojom::CrosNetworkConfig,
       NetworkStateHandler* network_state_handler,
       NetworkDeviceHandler* network_device_handler,
       ManagedNetworkConfigurationHandler* network_configuration_handler,
-      NetworkConnectionHandler* network_connection_handler);
+      NetworkConnectionHandler* network_connection_handler,
+      NetworkCertificateHandler* network_certificate_handler);
   ~CrosNetworkConfig() override;
 
   void BindRequest(mojom::CrosNetworkConfigRequest request);
@@ -78,6 +81,7 @@ class CrosNetworkConfig : public mojom::CrosNetworkConfig,
                        StartDisconnectCallback callback) override;
   void SetVpnProviders(std::vector<mojom::VpnProviderPtr> providers) override;
   void GetVpnProviders(GetVpnProvidersCallback callback) override;
+  void GetNetworkCertificates(GetNetworkCertificatesCallback callback) override;
 
  private:
   void GetManagedPropertiesSuccess(int callback_id,
@@ -146,13 +150,17 @@ class CrosNetworkConfig : public mojom::CrosNetworkConfig,
   void DevicePropertiesUpdated(const DeviceState* device) override;
   void OnShuttingDown() override;
 
+  // NetworkCertificateHandler::Observer
+  void OnCertificatesChanged() override;
+
   const std::string& GetServicePathFromGuid(const std::string& guid);
 
   NetworkStateHandler* network_state_handler_;    // Unowned
   NetworkDeviceHandler* network_device_handler_;  // Unowned
   ManagedNetworkConfigurationHandler*
-      network_configuration_handler_;                     // Unowned
-  NetworkConnectionHandler* network_connection_handler_;  // Unowned
+      network_configuration_handler_;                       // Unowned
+  NetworkConnectionHandler* network_connection_handler_;    // Unowned
+  NetworkCertificateHandler* network_certificate_handler_;  // Unowned
 
   mojo::InterfacePtrSet<mojom::CrosNetworkConfigObserver> observers_;
   mojo::BindingSet<mojom::CrosNetworkConfig> bindings_;

chromeos/services/network_config/cros_network_config_unittest.cc

@@ -14,6 +14,8 @@
 #include "chromeos/dbus/shill/fake_shill_device_client.h"
 #include "chromeos/login/login_state/login_state.h"
 #include "chromeos/network/managed_network_configuration_handler.h"
+#include "chromeos/network/network_cert_loader.h"
+#include "chromeos/network/network_certificate_handler.h"
 #include "chromeos/network/network_configuration_handler.h"
 #include "chromeos/network/network_connection_handler.h"
 #include "chromeos/network/network_device_handler.h"
@@ -42,6 +44,7 @@ class CrosNetworkConfigTest : public testing::Test {
  public:
   CrosNetworkConfigTest() {
     LoginState::Initialize();
+    NetworkCertLoader::Initialize();
     network_profile_handler_ = NetworkProfileHandler::InitializeForTesting();
     network_device_handler_ = NetworkDeviceHandler::InitializeForTesting(
         helper_.network_state_handler());
@@ -60,20 +63,25 @@ class CrosNetworkConfigTest : public testing::Test {
             helper_.network_state_handler(),
             network_configuration_handler_.get(),
             managed_network_configuration_handler_.get());
+    network_certificate_handler_ =
+        std::make_unique<NetworkCertificateHandler>();
     cros_network_config_ = std::make_unique<CrosNetworkConfig>(
         helper_.network_state_handler(), network_device_handler_.get(),
         managed_network_configuration_handler_.get(),
-        network_connection_handler_.get());
+        network_connection_handler_.get(), network_certificate_handler_.get());
     SetupPolicy();
     SetupNetworks();
   }
 
   ~CrosNetworkConfigTest() override {
     cros_network_config_.reset();
+    network_certificate_handler_.reset();
+    network_connection_handler_.reset();
     managed_network_configuration_handler_.reset();
     network_configuration_handler_.reset();
     network_device_handler_.reset();
     network_profile_handler_.reset();
+    NetworkCertLoader::Shutdown();
     LoginState::Shutdown();
   }
 
@@ -386,6 +394,24 @@ class CrosNetworkConfigTest : public testing::Test {
     return result;
   }
 
+  void GetNetworkCertificates(
+      std::vector<mojom::NetworkCertificatePtr>* server_cas,
+      std::vector<mojom::NetworkCertificatePtr>* user_certs) {
+    base::RunLoop run_loop;
+    cros_network_config()->GetNetworkCertificates(base::BindOnce(
+        [](std::vector<mojom::NetworkCertificatePtr>* server_cas_result,
+           std::vector<mojom::NetworkCertificatePtr>* user_certs_result,
+           base::OnceClosure quit_closure,
+           std::vector<mojom::NetworkCertificatePtr> server_cas,
+           std::vector<mojom::NetworkCertificatePtr> user_certs) {
+          *server_cas_result = std::move(server_cas);
+          *user_certs_result = std::move(user_certs);
+          std::move(quit_closure).Run();
+        },
+        server_cas, user_certs, run_loop.QuitClosure()));
+    run_loop.Run();
+  }
+
   NetworkStateTestHelper& helper() { return helper_; }
   CrosNetworkConfigTestObserver* observer() { return observer_.get(); }
   CrosNetworkConfig* cros_network_config() {
@@ -394,11 +420,15 @@ class CrosNetworkConfigTest : public testing::Test {
   ManagedNetworkConfigurationHandler* managed_network_configuration_handler() {
     return managed_network_configuration_handler_.get();
   }
+  NetworkCertificateHandler* network_certificate_handler() {
+    return network_certificate_handler_.get();
+  }
   std::string wifi1_path() { return wifi1_path_; }
 
  private:
   base::test::SingleThreadTaskEnvironment task_environment_;
   NetworkStateTestHelper helper_{false /* use_default_devices_and_services */};
+  std::unique_ptr<NetworkCertificateHandler> network_certificate_handler_;
   std::unique_ptr<NetworkProfileHandler> network_profile_handler_;
   std::unique_ptr<NetworkDeviceHandler> network_device_handler_;
   std::unique_ptr<NetworkConfigurationHandler> network_configuration_handler_;
@@ -1012,6 +1042,26 @@ TEST_F(CrosNetworkConfigTest, VpnProviders) {
   ASSERT_EQ(1, observer()->vpn_providers_changed());
 }
 
+TEST_F(CrosNetworkConfigTest, NetworkCertificates) {
+  SetupObserver();
+  ASSERT_EQ(0, observer()->network_certificates_changed());
+
+  std::vector<mojom::NetworkCertificatePtr> server_cas;
+  std::vector<mojom::NetworkCertificatePtr> user_certs;
+  GetNetworkCertificates(&server_cas, &user_certs);
+  EXPECT_EQ(0u, server_cas.size());
+  EXPECT_EQ(0u, user_certs.size());
+
+  network_certificate_handler()->AddAuthorityCertificateForTest(
+      "authority_cert");
+  base::RunLoop().RunUntilIdle();  // Ensure observers run.
+  ASSERT_EQ(1, observer()->network_certificates_changed());
+
+  GetNetworkCertificates(&server_cas, &user_certs);
+  EXPECT_EQ(1u, server_cas.size());
+  EXPECT_EQ(0u, user_certs.size());
+}
+
 TEST_F(CrosNetworkConfigTest, NetworkListChanged) {
   SetupObserver();
   base::RunLoop().RunUntilIdle();

chromeos/services/network_config/public/cpp/cros_network_config_test_helper.cc

@@ -20,7 +20,8 @@ CrosNetworkConfigTestHelper::CrosNetworkConfigTestHelper() {
           network_state_helper_.network_state_handler(),
           network_device_handler_.get(),
           /*network_configuration_handler=*/nullptr,
-          /*network_connection_handler=*/nullptr);
+          /*network_connection_handler=*/nullptr,
+          /*network_certificate_handler=*/nullptr);
   OverrideInProcessInstanceForTesting(cros_network_config_impl_.get());
 }
 

chromeos/services/network_config/public/cpp/cros_network_config_test_observer.cc

@@ -50,12 +50,17 @@ void CrosNetworkConfigTestObserver::OnVpnProvidersChanged() {
   vpn_providers_changed_++;
 }
 
+void CrosNetworkConfigTestObserver::OnNetworkCertificatesChanged() {
+  network_certificates_changed_++;
+}
+
 void CrosNetworkConfigTestObserver::ResetNetworkChanges() {
   active_networks_changed_ = 0;
   networks_changed_.clear();
   network_state_list_changed_ = 0;
   device_state_list_changed_ = 0;
   vpn_providers_changed_ = 0;
+  network_certificates_changed_ = 0;
 }
 
 void CrosNetworkConfigTestObserver::FlushForTesting() {

chromeos/services/network_config/public/cpp/cros_network_config_test_observer.h

@@ -31,11 +31,15 @@ class CrosNetworkConfigTestObserver : public mojom::CrosNetworkConfigObserver {
   void OnNetworkStateListChanged() override;
   void OnDeviceStateListChanged() override;
   void OnVpnProvidersChanged() override;
+  void OnNetworkCertificatesChanged() override;
 
   int active_networks_changed() const { return active_networks_changed_; }
   int network_state_list_changed() const { return network_state_list_changed_; }
   int device_state_list_changed() const { return device_state_list_changed_; }
   int vpn_providers_changed() const { return vpn_providers_changed_; }
+  int network_certificates_changed() const {
+    return network_certificates_changed_;
+  }
 
   int GetNetworkChangedCount(const std::string& guid) const;
   void ResetNetworkChanges();
@@ -53,6 +57,7 @@ class CrosNetworkConfigTestObserver : public mojom::CrosNetworkConfigObserver {
   int network_state_list_changed_ = 0;
   int device_state_list_changed_ = 0;
   int vpn_providers_changed_ = 0;
+  int network_certificates_changed_ = 0;
 
   DISALLOW_COPY_AND_ASSIGN(CrosNetworkConfigTestObserver);
 };

chromeos/services/network_config/public/mojom/cros_network_config.mojom

@@ -165,6 +165,11 @@ enum StartConnectResult {
   kUnknown,
 };
 
+enum CertificateType {
+  kServerCA,
+  kUserCert,
+};
+
 struct CaptivePortalProvider {
   // Id used to identify the captive portal provider (i.e. an extension id).
   string id;
@@ -807,6 +812,32 @@ struct VpnProvider {
   mojo_base.mojom.Time last_launch_time;
 };
 
+// Information about a network certificate for the purpose of selecting an
+// available certificate in a UI and providing information in a ConfigProperties
+// struct to SetProperties or ConfigureNetwork. No private information should
+// be included here.
+struct NetworkCertificate {
+  CertificateType type;
+  // Unique hash for the certificate, used to uniquely identify certificates.
+  string hash;
+  // Certificate issuer common name for display in a UI.
+  string issued_by;
+  // Certificate name or nickname for display in a UI.
+  string issued_to;
+  // For server certificate authorities (type == kServerCA), this contains the
+  // public certificate in PEM format.
+  // For user certificates, this contains the  PKCS#11 id to be passed to the
+  // configuration manager (Shill) for retrieving the encrypted certificate.
+  // This will be used in the appropriate ConfigProperties dictionary.
+  // TODO(1006901): Use a union here instead once the issue is fixed.
+  string pem_or_id;
+  // Whether the certificate is hardware backed.
+  bool hardware_backed;
+  // Whether the certificate is device wide (i.e. stored in a shared profile,
+  // not a user specific profile).
+  bool device_wide;
+};
+
 // Interface for fetching and setting network configuration properties, e.g.
 // from Settings WebUI or the SystemTray.
 interface CrosNetworkConfig {
@@ -905,6 +936,11 @@ interface CrosNetworkConfig {
 
   // Returns the list of external VPN providers.
   GetVpnProviders() => (array<VpnProvider> providers);
+
+  // Returns the lists of server certificate authorities and user certificates
+  // available for network configuration. See NetworkCerificate for more info.
+  GetNetworkCertificates() => (array<NetworkCertificate> server_cas,
+                               array<NetworkCertificate> user_certs);
 };
 
 interface CrosNetworkConfigObserver {
@@ -931,4 +967,8 @@ interface CrosNetworkConfigObserver {
   // Fired when the list of VPN providers changes. Use GetVpnProviders if the
   // updated provider list is required.
   OnVpnProvidersChanged();
+
+  // Fired when the server CA or user certificate lists change. Use
+  // GetNetworkCertificates if the updated certificate lists are required.
+  OnNetworkCertificatesChanged();
 };

ui/webui/resources/cr_elements/chromeos/network/cr_network_listener_behavior.js

@@ -25,24 +25,19 @@ const CrNetworkListenerBehavior = {
   // CrosNetworkConfigObserver methods. Override these in the implementation.
 
   /**
-   * CrosNetworkConfigObserver impl
    * @param {!Array<chromeos.networkConfig.mojom.NetworkStateProperties>}
    *     activeNetworks
    */
   onActiveNetworksChanged: function(activeNetworks) {},
 
-  /**
-   * CrosNetworkConfigObserver impl
-   * @param {!chromeos.networkConfig.mojom.NetworkStateProperties} network
-   */
+  /** @param {!chromeos.networkConfig.mojom.NetworkStateProperties} network */
   onNetworkStateChanged: function(network) {},
 
-  /** CrosNetworkConfigObserver impl */
   onNetworkStateListChanged: function() {},
 
-  /** CrosNetworkConfigObserver impl */
   onDeviceStateListChanged: function() {},
 
-  /** CrosNetworkConfigObserver impl */
   onVpnProvidersChanged: function() {},
+
+  onNetworkCertificatesChanged: function() {},
 };