arc: add ArcSmartCardManagerBridge

Add ArcSmartCardManagerBridge that implements SmartCardManagerHost.
ArcSmartCardManagerBridge starts the refresh operation to make smart card
certificates available to ARC.

Bug: b:119914122
Test: plugin smart card reader to the local device, make sure that the certificate is shown
      in a client certificate user dialog launched from the test Android app.
Test: ./out/Default/unit_tests --gtest_filer=ArcSmartCardManagerBridgeTest.*

Change-Id: I175b8863e5f590a2e3d85d9ea6917908b336349b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1724072
Commit-Queue: Polina Bondarenko <pbond@chromium.org>
Auto-Submit: Polina Bondarenko <pbond@chromium.org>
Reviewed-by: Hidehiko Abe <hidehiko@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Edman Anjos <edman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#695220}

chrome/browser/chromeos/BUILD.gn

@@ -487,6 +487,8 @@ source_set("chromeos") {
     "arc/enterprise/cert_store/arc_cert_installer_utils.h",
     "arc/enterprise/cert_store/arc_cert_store_bridge.cc",
     "arc/enterprise/cert_store/arc_cert_store_bridge.h",
+    "arc/enterprise/cert_store/arc_smart_card_manager_bridge.cc",
+    "arc/enterprise/cert_store/arc_smart_card_manager_bridge.h",
     "arc/extensions/arc_support_message_host.cc",
     "arc/extensions/arc_support_message_host.h",
     "arc/file_system_watcher/arc_file_system_watcher_service.cc",
@@ -2410,6 +2412,7 @@ source_set("unit_tests") {
     "arc/boot_phase_monitor/arc_boot_phase_monitor_bridge_unittest.cc",
     "arc/enterprise/cert_store/arc_cert_installer_unittest.cc",
     "arc/enterprise/cert_store/arc_cert_installer_utils_unittest.cc",
+    "arc/enterprise/cert_store/arc_smart_card_manager_bridge_unittest.cc",
     "arc/extensions/arc_support_message_host_unittest.cc",
     "arc/file_system_watcher/arc_file_system_watcher_service_unittest.cc",
     "arc/fileapi/arc_content_file_system_async_file_util_unittest.cc",

chrome/browser/chromeos/arc/arc_service_launcher.cc

@@ -23,6 +23,7 @@
 #include "chrome/browser/chromeos/arc/cast_receiver/arc_cast_receiver_service.h"
 #include "chrome/browser/chromeos/arc/enterprise/arc_enterprise_reporting_service.h"
 #include "chrome/browser/chromeos/arc/enterprise/cert_store/arc_cert_store_bridge.h"
+#include "chrome/browser/chromeos/arc/enterprise/cert_store/arc_smart_card_manager_bridge.h"
 #include "chrome/browser/chromeos/arc/file_system_watcher/arc_file_system_watcher_service.h"
 #include "chrome/browser/chromeos/arc/fileapi/arc_file_system_bridge.h"
 #include "chrome/browser/chromeos/arc/fileapi/arc_file_system_mounter.h"
@@ -208,6 +209,7 @@ void ArcServiceLauncher::OnPrimaryUserProfilePrepared(Profile* profile) {
   ArcRotationLockBridge::GetForBrowserContext(profile);
   ArcScreenCaptureBridge::GetForBrowserContext(profile);
   ArcSettingsService::GetForBrowserContext(profile);
+  ArcSmartCardManagerBridge::GetForBrowserContext(profile);
   ArcTimerBridge::GetForBrowserContext(profile);
   ArcTracingBridge::GetForBrowserContext(profile);
   ArcAppPerformanceTracing::GetForBrowserContext(profile);

chrome/browser/chromeos/arc/arc_session_manager_browsertest.cc

@@ -20,6 +20,8 @@
 #include "chrome/browser/chromeos/arc/arc_session_manager.h"
 #include "chrome/browser/chromeos/arc/arc_util.h"
 #include "chrome/browser/chromeos/arc/test/arc_data_removed_waiter.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service_factory.h"
 #include "chrome/browser/chromeos/login/test/local_policy_test_server_mixin.h"
 #include "chrome/browser/chromeos/login/users/fake_chrome_user_manager.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
@@ -66,6 +68,11 @@ constexpr char kWellKnownConsumerName[] = "test@gmail.com";
 constexpr char kFakeUserName[] = "test@example.com";
 constexpr char kFakeGaiaId[] = "1234567890";
 
+std::unique_ptr<KeyedService> CreateCertificateProviderService(
+    content::BrowserContext* context) {
+  return std::make_unique<chromeos::CertificateProviderService>();
+}
+
 }  // namespace
 
 namespace arc {
@@ -148,6 +155,13 @@ class ArcSessionManagerTest : public MixinBasedInProcessBrowserTest {
     profile()->GetPrefs()->SetBoolean(prefs::kArcSignedIn, true);
     profile()->GetPrefs()->SetBoolean(prefs::kArcTermsAccepted, true);
 
+    // TestingProfile is not interpreted as a primary profile. Inject factory so
+    // that the instance of CertificateProviderService for the profile can be
+    // created.
+    chromeos::CertificateProviderServiceFactory::GetInstance()
+        ->SetTestingFactory(
+            profile(), base::BindRepeating(&CreateCertificateProviderService));
+
     // Set up ARC for test profile.
     // Currently, ArcSessionManager is singleton and set up with the original
     // Profile instance. This re-initializes the ArcServiceLauncher by

chrome/browser/chromeos/arc/auth/arc_auth_service_browsertest.cc

@@ -25,6 +25,8 @@
 #include "chrome/browser/chromeos/arc/auth/arc_auth_context.h"
 #include "chrome/browser/chromeos/arc/auth/arc_auth_service.h"
 #include "chrome/browser/chromeos/arc/auth/arc_background_auth_code_fetcher.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service_factory.h"
 #include "chrome/browser/chromeos/login/demo_mode/demo_session.h"
 #include "chrome/browser/chromeos/login/users/fake_chrome_user_manager.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
@@ -80,6 +82,11 @@ std::string GetFakeAuthTokenResponse() {
   return base::StringPrintf(R"({ "token" : "%s"})", kFakeAuthCode);
 }
 
+std::unique_ptr<KeyedService> CreateCertificateProviderService(
+    content::BrowserContext* context) {
+  return std::make_unique<chromeos::CertificateProviderService>();
+}
+
 }  // namespace
 
 namespace arc {
@@ -287,6 +294,13 @@ class ArcAuthServiceTest : public InProcessBrowserTest {
     profile()->GetPrefs()->SetBoolean(prefs::kArcTermsAccepted, true);
     MigrateSigninScopedDeviceId(profile());
 
+    // TestingProfile is not interpreted as a primary profile. Inject factory so
+    // that the instance of CertificateProviderService for the profile can be
+    // created.
+    chromeos::CertificateProviderServiceFactory::GetInstance()
+        ->SetTestingFactory(
+            profile(), base::BindRepeating(&CreateCertificateProviderService));
+
     ArcServiceLauncher::Get()->OnPrimaryUserProfilePrepared(profile());
 
     auth_service_ = ArcAuthService::GetForBrowserContext(profile());

chrome/browser/chromeos/arc/enterprise/cert_store/arc_cert_installer.h

@@ -6,6 +6,7 @@
 #define CHROME_BROWSER_CHROMEOS_ARC_ENTERPRISE_CERT_STORE_ARC_CERT_INSTALLER_H_
 
 #include <map>
+#include <memory>
 #include <set>
 #include <string>
 
@@ -29,7 +30,7 @@ namespace arc {
 // ARC remote commands.
 class ArcCertInstaller : public policy::RemoteCommandsQueue::Observer {
  public:
-  ArcCertInstaller(content::BrowserContext* context);
+  explicit ArcCertInstaller(content::BrowserContext* context);
 
   // This constructor should be used only for testing.
   ArcCertInstaller(Profile* profile,
@@ -40,8 +41,10 @@ class ArcCertInstaller : public policy::RemoteCommandsQueue::Observer {
 
   // Install missing certificates via ARC remote commands.
   // Return false via |callback| in case of any error, and true otherwise.
-  void InstallArcCerts(const std::vector<net::ScopedCERTCertificate>& certs,
-                       InstallArcCertsCallback callback);
+  // Made virtual for override in test.
+  virtual void InstallArcCerts(
+      const std::vector<net::ScopedCERTCertificate>& certs,
+      InstallArcCertsCallback callback);
 
  private:
   // Install ARC certificate if not installed yet.

chrome/browser/chromeos/arc/enterprise/cert_store/arc_smart_card_manager_bridge.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/arc/enterprise/cert_store/arc_smart_card_manager_bridge.h"
+
+#include <utility>
+
+#include "base/bind.h"
+#include "base/callback.h"
+#include "base/logging.h"
+#include "base/memory/singleton.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider_service_factory.h"
+#include "components/arc/arc_browser_context_keyed_service_factory_base.h"
+#include "net/cert/x509_util_nss.h"
+
+namespace arc {
+
+namespace {
+
+// Singleton factory for ArcSmartCardManagerBridge.
+class ArcSmartCardManagerBridgeFactory
+    : public internal::ArcBrowserContextKeyedServiceFactoryBase<
+          ArcSmartCardManagerBridge,
+          ArcSmartCardManagerBridgeFactory> {
+ public:
+  // Factory name used by ArcBrowserContextKeyedServiceFactoryBase.
+  static constexpr const char* kName = "ArcSmartCardManagerBridgeFactory";
+
+  static ArcSmartCardManagerBridgeFactory* GetInstance() {
+    return base::Singleton<ArcSmartCardManagerBridgeFactory>::get();
+  }
+
+ private:
+  friend base::DefaultSingletonTraits<ArcSmartCardManagerBridgeFactory>;
+  ArcSmartCardManagerBridgeFactory() {
+    DependsOn(chromeos::CertificateProviderServiceFactory::GetInstance());
+  }
+
+  ~ArcSmartCardManagerBridgeFactory() override = default;
+};
+
+}  // namespace
+
+// static
+ArcSmartCardManagerBridge* ArcSmartCardManagerBridge::GetForBrowserContext(
+    content::BrowserContext* context) {
+  return ArcSmartCardManagerBridgeFactory::GetForBrowserContext(context);
+}
+
+ArcSmartCardManagerBridge::ArcSmartCardManagerBridge(
+    content::BrowserContext* context,
+    ArcBridgeService* bridge_service)
+    : ArcSmartCardManagerBridge(
+          bridge_service,
+          chromeos::CertificateProviderServiceFactory::GetForBrowserContext(
+              context)
+              ->CreateCertificateProvider(),
+          std::make_unique<ArcCertInstaller>(context)) {}
+
+ArcSmartCardManagerBridge::ArcSmartCardManagerBridge(
+    ArcBridgeService* bridge_service,
+    std::unique_ptr<chromeos::CertificateProvider> certificate_provider,
+    std::unique_ptr<ArcCertInstaller> installer)
+    : arc_bridge_service_(bridge_service),
+      certificate_provider_(std::move(certificate_provider)),
+      installer_(std::move(installer)),
+      weak_ptr_factory_(this) {
+  VLOG(1) << "ArcSmartCardManagerBridge::ArcSmartCardManagerBridge";
+  arc_bridge_service_->smart_card_manager()->SetHost(this);
+}
+
+ArcSmartCardManagerBridge::~ArcSmartCardManagerBridge() {
+  VLOG(1) << "ArcSmartCardManagerBridge::~ArcSmartCardManagerBridge";
+
+  arc_bridge_service_->smart_card_manager()->SetHost(nullptr);
+}
+
+void ArcSmartCardManagerBridge::Refresh(RefreshCallback callback) {
+  VLOG(1) << "ArcSmartCardManagerBridge::Refresh";
+
+  certificate_provider_->GetCertificates(
+      base::BindOnce(&ArcSmartCardManagerBridge::DidGetCerts,
+                     weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+}
+
+void ArcSmartCardManagerBridge::DidGetCerts(
+    RefreshCallback callback,
+    net::ClientCertIdentityList cert_identities) {
+  VLOG(1) << "ArcSmartCardManagerBridge::DidGetCerts";
+
+  std::vector<net::ScopedCERTCertificate> certificates;
+  for (const auto& identity : cert_identities) {
+    net::ScopedCERTCertificate nss_cert(
+        net::x509_util::CreateCERTCertificateFromX509Certificate(
+            identity->certificate()));
+    if (!nss_cert) {
+      LOG(ERROR) << "Certificate provider returned an invalid smart card "
+                 << "certificate.";
+      continue;
+    }
+
+    certificates.push_back(std::move(nss_cert));
+  }
+  installer_->InstallArcCerts(std::move(certificates), std::move(callback));
+}
+
+}  // namespace arc

chrome/browser/chromeos/arc/enterprise/cert_store/arc_smart_card_manager_bridge.h

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_ARC_ENTERPRISE_CERT_STORE_ARC_SMART_CARD_MANAGER_BRIDGE_H_
+#define CHROME_BROWSER_CHROMEOS_ARC_ENTERPRISE_CERT_STORE_ARC_SMART_CARD_MANAGER_BRIDGE_H_
+
+#include <memory>
+
+#include "base/memory/weak_ptr.h"
+#include "chrome/browser/chromeos/arc/enterprise/cert_store/arc_cert_installer.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider.h"
+#include "components/arc/mojom/cert_store.mojom.h"
+#include "components/arc/session/arc_bridge_service.h"
+#include "components/keyed_service/core/keyed_service.h"
+#include "net/cert/scoped_nss_types.h"
+
+namespace content {
+
+class BrowserContext;
+
+}  // namespace content
+
+namespace arc {
+
+class ArcBridgeService;
+
+class ArcSmartCardManagerBridge : public KeyedService,
+                                  public mojom::SmartCardManagerHost {
+ public:
+  // Returns singleton instance for the given BrowserContext,
+  // or nullptr if the browser |context| is not allowed to use ARC.
+  static ArcSmartCardManagerBridge* GetForBrowserContext(
+      content::BrowserContext* context);
+
+  ArcSmartCardManagerBridge(content::BrowserContext* context,
+                            ArcBridgeService* bridge_service);
+
+  // This constructor is public only for testing.
+  ArcSmartCardManagerBridge(
+      ArcBridgeService* bridge_service,
+      std::unique_ptr<chromeos::CertificateProvider> certificate_provider,
+      std::unique_ptr<ArcCertInstaller> installer);
+
+  ~ArcSmartCardManagerBridge() override;
+
+  // SmartCardManagerHost overrides.
+  void Refresh(RefreshCallback callback) override;
+
+ private:
+  void DidGetCerts(RefreshCallback callback,
+                   net::ClientCertIdentityList cert_identities);
+
+  ArcBridgeService* const arc_bridge_service_;  // Owned by ArcServiceManager.
+
+  std::unique_ptr<chromeos::CertificateProvider> certificate_provider_;
+  std::unique_ptr<ArcCertInstaller> installer_;
+
+  base::WeakPtrFactory<ArcSmartCardManagerBridge> weak_ptr_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(ArcSmartCardManagerBridge);
+};
+
+}  // namespace arc
+
+#endif  // CHROME_BROWSER_CHROMEOS_ARC_ENTERPRISE_CERT_STORE_ARC_SMART_CARD_MANAGER_BRIDGE_H_

chrome/browser/chromeos/arc/enterprise/cert_store/arc_smart_card_manager_bridge_unittest.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <string>
+#include <vector>
+
+#include "base/memory/ptr_util.h"
+#include "base/threading/sequenced_task_runner_handle.h"
+#include "chrome/browser/chromeos/arc/enterprise/cert_store/arc_cert_installer.h"
+#include "chrome/browser/chromeos/arc/enterprise/cert_store/arc_smart_card_manager_bridge.h"
+#include "chrome/browser/chromeos/certificate_provider/certificate_provider.h"
+#include "chrome/common/net/x509_certificate_model_nss.h"
+#include "chrome/test/base/testing_profile.h"
+#include "components/arc/session/arc_bridge_service.h"
+#include "components/policy/core/common/remote_commands/remote_commands_queue.h"
+#include "content/public/test/browser_task_environment.h"
+#include "crypto/rsa_private_key.h"
+#include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util.h"
+#include "net/ssl/client_cert_identity_test_util.h"
+#include "net/ssl/ssl_private_key.h"
+#include "net/ssl/test_ssl_private_key.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace arc {
+
+using testing::_;
+using testing::Invoke;
+using testing::StrictMock;
+using testing::WithArg;
+
+namespace {
+
+MATCHER_P(EqualsClientCertIdentityList, cert_names, "") {
+  if (cert_names.size() != arg.size())
+    return false;
+  for (size_t i = 0; i < arg.size(); ++i) {
+    if (!arg[i])
+      return false;
+
+    std::string cert_name =
+        x509_certificate_model::GetCertNameOrNickname(arg[i].get());
+    if (cert_name != cert_names[i])
+      return false;
+  }
+  return true;
+}
+
+// Fake class for CertificateProvider.
+class FakeCertificateProvider : public chromeos::CertificateProvider {
+ public:
+  void GetCertificates(
+      base::OnceCallback<void(net::ClientCertIdentityList)> callback) override {
+    std::move(callback).Run(std::move(certificates_));
+  }
+
+  // Returns true if the certificates for |cert_names| are created successfully.
+  bool SetCertificates(std::vector<std::string> cert_names) {
+    certificates_ = net::ClientCertIdentityList();
+    for (const auto& cert_name : cert_names) {
+      if (!AddCert(cert_name))
+        return false;
+    }
+    return true;
+  }
+
+  std::unique_ptr<CertificateProvider> Copy() override {
+    NOTREACHED();
+    return nullptr;
+  }
+
+ private:
+  // Returns true if the certificate for |name| is created successfully.
+  bool AddCert(const std::string& name) {
+    if (name.empty())
+      return false;
+    std::unique_ptr<crypto::RSAPrivateKey> key(
+        crypto::RSAPrivateKey::Create(1024));
+    scoped_refptr<net::SSLPrivateKey> ssl_private_key =
+        net::WrapRSAPrivateKey(key.get());
+    if (!ssl_private_key)
+      return false;
+
+    std::string cn = "CN=" + name;
+    std::string der_cert;
+    if (!net::x509_util::CreateSelfSignedCert(
+            key->key(), net::x509_util::DIGEST_SHA256, cn, 1,
+            base::Time::UnixEpoch(), base::Time::UnixEpoch(), {}, &der_cert)) {
+      return false;
+    }
+    scoped_refptr<net::X509Certificate> cert =
+        net::X509Certificate::CreateFromBytes(der_cert.data(), der_cert.size());
+    if (!cert)
+      return false;
+    certificates_.push_back(
+        std::make_unique<net::FakeClientCertIdentity>(cert, ssl_private_key));
+    return true;
+  }
+
+  net::ClientCertIdentityList certificates_;
+};
+
+class MockArcCertInstaller : public ArcCertInstaller {
+ public:
+  MockArcCertInstaller(Profile* profile,
+                       std::unique_ptr<policy::RemoteCommandsQueue> queue)
+      : ArcCertInstaller(profile, std::move(queue)) {}
+  MOCK_METHOD2(InstallArcCerts,
+               void(const std::vector<net::ScopedCERTCertificate>& certs,
+                    InstallArcCertsCallback callback));
+};
+
+}  // namespace
+
+class ArcSmartCardManagerBridgeTest : public testing::Test {
+ public:
+  ArcSmartCardManagerBridgeTest()
+      : bridge_service_(std::make_unique<ArcBridgeService>()) {}
+
+  void SetUp() override {
+    provider_ = new FakeCertificateProvider();
+    installer_ = new StrictMock<MockArcCertInstaller>(
+        &profile_, std::make_unique<policy::RemoteCommandsQueue>());
+    bridge_ = std::make_unique<ArcSmartCardManagerBridge>(
+        bridge_service_.get(), base::WrapUnique(provider_),
+        base::WrapUnique(installer_));
+  }
+
+  void TearDown() override {
+    provider_ = nullptr;
+    installer_ = nullptr;
+    bridge_.reset();
+  }
+
+  FakeCertificateProvider* provider() { return provider_; }
+  MockArcCertInstaller* installer() { return installer_; }
+  ArcSmartCardManagerBridge* bridge() { return bridge_.get(); }
+
+ private:
+  content::BrowserTaskEnvironment browser_task_environment_;
+  TestingProfile profile_;
+
+  std::unique_ptr<ArcBridgeService> bridge_service_;
+
+  FakeCertificateProvider* provider_;  // Owned by |bridge_|.
+  MockArcCertInstaller* installer_;    // Owned by |bridge_|.
+
+  std::unique_ptr<ArcSmartCardManagerBridge> bridge_;
+
+  DISALLOW_COPY_AND_ASSIGN(ArcSmartCardManagerBridgeTest);
+};
+
+// Tests that refreshing smart card certs completes successfully if there is no
+// smart card certs.
+TEST_F(ArcSmartCardManagerBridgeTest, NoSmartCardTest) {
+  const std::vector<std::string> cert_names = {};
+  ASSERT_TRUE(provider()->SetCertificates(cert_names));
+  EXPECT_CALL(*installer(),
+              InstallArcCerts(EqualsClientCertIdentityList(cert_names), _))
+      .WillOnce(
+          WithArg<1>(Invoke([](base::OnceCallback<void(bool result)> callback) {
+            std::move(callback).Run(true);
+          })));
+  bridge()->Refresh(base::BindOnce([](bool result) { EXPECT_TRUE(result); }));
+}
+
+// Tests that refreshing smart card certs completes successfully if there are
+// two smart card certs available.
+TEST_F(ArcSmartCardManagerBridgeTest, BasicSmartCardTest) {
+  const std::vector<std::string> cert_names = {"fake1", "fake2"};
+
+  ASSERT_TRUE(provider()->SetCertificates(cert_names));
+  EXPECT_CALL(*installer(),
+              InstallArcCerts(EqualsClientCertIdentityList(cert_names), _))
+      .WillOnce(
+          WithArg<1>(Invoke([](base::OnceCallback<void(bool result)> callback) {
+            std::move(callback).Run(true);
+          })));
+  bridge()->Refresh(base::BindOnce([](bool result) { EXPECT_TRUE(result); }));
+}
+
+}  // namespace arc

components/arc/mojom/arc_bridge.mojom

@@ -55,9 +55,9 @@ import "components/arc/mojom/volume_mounter.mojom";
 import "components/arc/mojom/wake_lock.mojom";
 import "components/arc/mojom/wallpaper.mojom";
 
-// Next MinVersion: 48
+// Next MinVersion: 49
 // Deprecated method IDs: 101, 105
-// Next method ID: 153
+// Next method ID: 154
 interface ArcBridgeHost {
   // Keep the entries alphabetical. In order to do so without breaking
   // compatibility with the ARC instance, explicitly assign each interface a
@@ -190,6 +190,10 @@ interface ArcBridgeHost {
   // Notifies Chrome that the ScreenCaptureInstance interface is ready.
   [MinVersion=35] OnScreenCaptureInstanceReady@140(ScreenCaptureInstance instance_ptr);
 
+  // Notifies Chrome that the SmartCardManagerInstance interface is ready.
+  [MinVersion=48] OnSmartCardManagerInstanceReady@153(
+      SmartCardManagerInstance instance_ptr);
+
   // Notifies Chrome that the StorageManagerInstance interface is ready.
   [MinVersion=12] OnStorageManagerInstanceReady@118(StorageManagerInstance instance_ptr);
 

components/arc/mojom/cert_store.mojom

@@ -124,3 +124,15 @@ interface CertStoreInstance {
   // CertStoreInstance must call ListCertficates to update its database.
   OnCertificatesChanged@2();
 };
+
+// Next method ID: 1
+interface SmartCardManagerHost {
+  // Refreshes smart card certificates available to Android apps.
+  Refresh@0() => (bool result);
+};
+
+// Next method ID: 1
+interface SmartCardManagerInstance {
+  // Establishes full-duplex communication with the host.
+  Init@0(SmartCardManagerHost host_ptr) => ();
+};

components/arc/session/arc_bridge_host_impl.cc

@@ -293,6 +293,12 @@ void ArcBridgeHostImpl::OnScreenCaptureInstanceReady(
                   std::move(screen_capture_ptr));
 }
 
+void ArcBridgeHostImpl::OnSmartCardManagerInstanceReady(
+    mojom::SmartCardManagerInstancePtr smart_card_manager_ptr) {
+  OnInstanceReady(arc_bridge_service_->smart_card_manager(),
+                  std::move(smart_card_manager_ptr));
+}
+
 void ArcBridgeHostImpl::OnStorageManagerInstanceReady(
     mojom::StorageManagerInstancePtr storage_manager_ptr) {
   OnInstanceReady(arc_bridge_service_->storage_manager(),

components/arc/session/arc_bridge_host_impl.h

@@ -99,6 +99,8 @@ class ArcBridgeHostImpl : public mojom::ArcBridgeHost {
       mojom::RotationLockInstancePtr rotation_lock_ptr) override;
   void OnScreenCaptureInstanceReady(
       mojom::ScreenCaptureInstancePtr screen_capture_ptr) override;
+  void OnSmartCardManagerInstanceReady(
+      mojom::SmartCardManagerInstancePtr smart_card_manager_ptr) override;
   void OnStorageManagerInstanceReady(
       mojom::StorageManagerInstancePtr storage_manager_ptr) override;
   void OnTimerInstanceReady(mojom::TimerInstancePtr timer_ptr) override;

components/arc/session/arc_bridge_service.h

@@ -82,6 +82,8 @@ class PropertyInstance;
 class RotationLockInstance;
 class ScreenCaptureHost;
 class ScreenCaptureInstance;
+class SmartCardManagerHost;
+class SmartCardManagerInstance;
 class StorageManagerInstance;
 class TimerHost;
 class TimerInstance;
@@ -230,6 +232,12 @@ class ArcBridgeService {
   screen_capture() {
     return &screen_capture_;
   }
+  ConnectionHolder<mojom::SmartCardManagerInstance,
+                   mojom::SmartCardManagerHost>*
+  smart_card_manager() {
+    return &smart_card_manager_;
+  }
+
   ConnectionHolder<mojom::StorageManagerInstance>* storage_manager() {
     return &storage_manager_;
   }
@@ -308,6 +316,8 @@ class ArcBridgeService {
   ConnectionHolder<mojom::RotationLockInstance> rotation_lock_;
   ConnectionHolder<mojom::ScreenCaptureInstance, mojom::ScreenCaptureHost>
       screen_capture_;
+  ConnectionHolder<mojom::SmartCardManagerInstance, mojom::SmartCardManagerHost>
+      smart_card_manager_;
   ConnectionHolder<mojom::StorageManagerInstance> storage_manager_;
   ConnectionHolder<mojom::TimerInstance, mojom::TimerHost> timer_;
   ConnectionHolder<mojom::TracingInstance> tracing_;

components/arc/test/fake_arc_bridge_host.cc

@@ -174,6 +174,9 @@ void FakeArcBridgeHost::OnRotationLockInstanceReady(
 void FakeArcBridgeHost::OnScreenCaptureInstanceReady(
     mojom::ScreenCaptureInstancePtr screen_capture_ptr) {}
 
+void FakeArcBridgeHost::OnSmartCardManagerInstanceReady(
+    mojom::SmartCardManagerInstancePtr smart_cardManager_ptr) {}
+
 void FakeArcBridgeHost::OnStorageManagerInstanceReady(
     mojom::StorageManagerInstancePtr storage_manager_ptr) {}
 

components/arc/test/fake_arc_bridge_host.h

@@ -79,6 +79,8 @@ class FakeArcBridgeHost : public mojom::ArcBridgeHost {
       mojom::RotationLockInstancePtr rotation_lock_ptr) override;
   void OnScreenCaptureInstanceReady(
       mojom::ScreenCaptureInstancePtr screen_capture_ptr) override;
+  void OnSmartCardManagerInstanceReady(
+      mojom::SmartCardManagerInstancePtr smart_card_manager_ptr) override;
   void OnStorageManagerInstanceReady(
       mojom::StorageManagerInstancePtr storage_manager_ptr) override;
   void OnTimerInstanceReady(mojom::TimerInstancePtr timer_ptr) override;