Support policy-provided untrusted authorites in OOP network service

Send policy-provided untrusted authority certificates to the network
service along with trust anchors.
Add a browsertest which checks that untrusted authority certificates
provided through user policy are respected.
Also, document certificate-related files in chromeos/test/data/network
and provide a script to generate those.

Bug: 897233
Test: browser_tests --gtest_filter=*PolicyProvided*
Change-Id: I1e66700b14e5d75805f16365e5979e84f278e8ec
Reviewed-on: https://chromium-review.googlesource.com/c/1336132
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609424}

chrome/browser/chromeos/BUILD.gn

@@ -1573,8 +1573,6 @@ source_set("chromeos") {
     "policy/status_uploader.h",
     "policy/system_log_uploader.cc",
     "policy/system_log_uploader.h",
-    "policy/temp_certs_cache_nss.cc",
-    "policy/temp_certs_cache_nss.h",
     "policy/ticl_device_settings_provider.cc",
     "policy/ticl_device_settings_provider.h",
     "policy/upload_job.h",
@@ -2303,7 +2301,6 @@ source_set("unit_tests") {
     "policy/single_app_install_event_log_unittest.cc",
     "policy/status_uploader_unittest.cc",
     "policy/system_log_uploader_unittest.cc",
-    "policy/temp_certs_cache_nss_unittest.cc",
     "policy/upload_job_unittest.cc",
     "policy/user_cloud_policy_manager_chromeos_unittest.cc",
     "policy/user_cloud_policy_store_chromeos_unittest.cc",

chrome/browser/chromeos/DEPS

@@ -15,6 +15,7 @@ include_rules = [
   "+remoting/host/it2me",  # For CRD host in remote command
   "+services/device/public",
   "+services/metrics/public",
+  "+services/network",
   "+services/tracing/public",
   "+services/viz/public/interfaces",
   # Chromeos should not use ozone directly, it must go through mojo as ozone

chrome/browser/chromeos/policy/policy_cert_service.cc

@@ -10,7 +10,6 @@
 #include "base/memory/ptr_util.h"
 #include "base/task/post_task.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
-#include "chrome/browser/chromeos/policy/temp_certs_cache_nss.h"
 #include "chrome/browser/net/profile_network_context_service.h"
 #include "chrome/browser/net/profile_network_context_service_factory.h"
 #include "chrome/browser/profiles/profile.h"
@@ -19,6 +18,7 @@
 #include "content/public/browser/browser_thread.h"
 #include "net/cert/x509_certificate.h"
 #include "services/network/cert_verifier_with_trust_anchors.h"
+#include "services/network/nss_temp_certs_cache_chromeos.h"
 #include "services/network/public/cpp/features.h"
 
 namespace policy {
@@ -110,7 +110,9 @@ void PolicyCertService::OnPolicyProvidedCertsChangedInternal(
   // expecting that the operation of creating in-memory NSS certs is cheap in
   // that case.
   temp_policy_provided_certs_ =
-      std::make_unique<TempCertsCacheNSS>(all_server_and_authority_certs);
+      std::make_unique<network::NSSTempCertsCacheChromeOS>(
+          all_server_and_authority_certs);
+  all_server_and_authority_certs_ = all_server_and_authority_certs;
 
   // Do not use certificates installed via ONC policy if the current session has
   // multiple profiles. This is important to make sure that any possibly tainted
@@ -119,17 +121,18 @@ void PolicyCertService::OnPolicyProvidedCertsChangedInternal(
   if (!trust_anchors.empty() && user_manager_->GetLoggedInUsers().size() > 1u) {
     LOG(ERROR) << "Ignoring ONC-pushed certificates update because multiple "
                << "users are logged in.";
-    return;
+    trust_anchors_.clear();
+  } else {
+    trust_anchors_ = trust_anchors;
   }
 
-  trust_anchors_ = trust_anchors;
-
   if (!notify)
     return;
 
   if (base::FeatureList::IsEnabled(network::features::kNetworkService)) {
     ProfileNetworkContextServiceFactory::GetForContext(profile_)
-        ->UpdateTrustAnchors(trust_anchors_);
+        ->UpdateAdditionalCertificates(all_server_and_authority_certs_,
+                                       trust_anchors_);
     return;
   }
 

chrome/browser/chromeos/policy/policy_cert_service.h

@@ -30,10 +30,10 @@ typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
 
 namespace network {
 class CertVerifierWithTrustAnchors;
+class NSSTempCertsCacheChromeOS;
 }
 
 namespace policy {
-class TempCertsCacheNSS;
 
 // This service is the counterpart of PolicyCertVerifier on the UI thread. It's
 // responsible for pushing the current list of trust anchors to the CertVerifier
@@ -66,6 +66,9 @@ class PolicyCertService : public KeyedService,
 
   bool has_policy_certificates() const { return !trust_anchors_.empty(); }
 
+  const net::CertificateList& all_server_and_authority_certs() const {
+    return all_server_and_authority_certs_;
+  }
   const net::CertificateList& trust_anchors() const { return trust_anchors_; }
 
   // UserNetworkConfigurationUpdater::PolicyProvidedCertsObserver:
@@ -97,12 +100,14 @@ class PolicyCertService : public KeyedService,
   std::string user_id_;
   UserNetworkConfigurationUpdater* net_conf_updater_;
   user_manager::UserManager* user_manager_;
+  net::CertificateList all_server_and_authority_certs_;
   net::CertificateList trust_anchors_;
 
   // Holds all policy-provided server and authority certificates and makes them
   // available to NSS as temp certificates. This is needed so they can be used
   // as intermediates when NSS verifies a certificate.
-  std::unique_ptr<TempCertsCacheNSS> temp_policy_provided_certs_;
+  std::unique_ptr<network::NSSTempCertsCacheChromeOS>
+      temp_policy_provided_certs_;
 
   // Weak pointers to handle callbacks from PolicyCertVerifier on the IO thread.
   // The factory and the created WeakPtrs must only be used on the UI thread.

chrome/browser/net/profile_network_context_service.cc

@@ -200,17 +200,24 @@ void ProfileNetworkContextService::SetUpProfileIODataNetworkContext(
 }
 
 #if defined(OS_CHROMEOS)
-void ProfileNetworkContextService::UpdateTrustAnchors(
+void ProfileNetworkContextService::UpdateAdditionalCertificates(
+    const net::CertificateList& all_additional_certificates,
     const net::CertificateList& trust_anchors) {
   content::BrowserContext::ForEachStoragePartition(
-      profile_,
-      base::BindRepeating(
-          [](const net::CertificateList& trust_anchors,
-             content::StoragePartition* storage_partition) {
-            storage_partition->GetNetworkContext()->UpdateTrustAnchors(
-                trust_anchors);
-          },
-          trust_anchors));
+      profile_, base::BindRepeating(
+                    [](const net::CertificateList& all_additional_certificates,
+                       const net::CertificateList& trust_anchors,
+                       content::StoragePartition* storage_partition) {
+                      auto additional_certificates =
+                          network::mojom::AdditionalCertificates::New();
+                      additional_certificates->all_certificates =
+                          all_additional_certificates;
+                      additional_certificates->trust_anchors = trust_anchors;
+                      storage_partition->GetNetworkContext()
+                          ->UpdateAdditionalCertificates(
+                              std::move(additional_certificates));
+                    },
+                    all_additional_certificates, trust_anchors));
 }
 #endif
 
@@ -469,7 +476,12 @@ ProfileNetworkContextService::CreateNetworkContextParams(
 
       policy::PolicyCertService* service =
           policy::PolicyCertServiceFactory::GetForProfile(profile_);
-      network_context_params->initial_trust_anchors = service->trust_anchors();
+      network_context_params->initial_additional_certificates =
+          network::mojom::AdditionalCertificates::New();
+      network_context_params->initial_additional_certificates
+          ->all_certificates = service->all_server_and_authority_certs();
+      network_context_params->initial_additional_certificates->trust_anchors =
+          service->trust_anchors();
     }
   }
 #endif

chrome/browser/net/profile_network_context_service.h

@@ -67,7 +67,9 @@ class ProfileNetworkContextService : public KeyedService,
       network::mojom::NetworkContextParamsPtr* network_context_params);
 
 #if defined(OS_CHROMEOS)
-  void UpdateTrustAnchors(const net::CertificateList& trust_anchors);
+  void UpdateAdditionalCertificates(
+      const net::CertificateList& all_additional_certificates,
+      const net::CertificateList& trust_anchors);
 #endif
 
   static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);

chrome/browser/ui/webui/chromeos/DEPS

 include_rules = [
   "+media/audio/sounds",
   "+services/device/public/mojom",
+  "+services/network",
 ]
 
 specific_include_rules = {

chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc

@@ -35,7 +35,6 @@
 #include "chrome/browser/chromeos/net/network_portal_detector_impl.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/device_network_configuration_updater.h"
-#include "chrome/browser/chromeos/policy/temp_certs_cache_nss.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/browser/lifetime/browser_shutdown.h"
@@ -71,6 +70,7 @@
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "mojo/public/cpp/bindings/callback_helpers.h"
+#include "services/network/nss_temp_certs_cache_chromeos.h"
 #include "services/network/public/mojom/network_context.mojom.h"
 #include "ui/base/ime/chromeos/input_method_manager.h"
 #include "ui/base/ime/chromeos/input_method_util.h"
@@ -1195,7 +1195,7 @@ void GaiaScreenHandler::ShowGaiaScreenIfReady() {
     // When the WebUI is destroyed, |untrusted_authority_certs_cache_| will go
     // out of scope and the certificates will not be held in memory anymore.
     untrusted_authority_certs_cache_ =
-        std::make_unique<policy::TempCertsCacheNSS>(
+        std::make_unique<network::NSSTempCertsCacheChromeOS>(
             g_browser_process->platform_part()
                 ->browser_policy_connector_chromeos()
                 ->GetDeviceNetworkConfigurationUpdater()

chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h

@@ -24,8 +24,8 @@ namespace net {
 class CanonicalCookie;
 }
 
-namespace policy {
-class TempCertsCacheNSS;
+namespace network {
+class NSSTempCertsCacheChromeOS;
 }
 
 namespace chromeos {
@@ -302,7 +302,8 @@ class GaiaScreenHandler : public BaseScreenHandler,
 
   // Makes untrusted authority certificates from device policy available for
   // client certificate discovery.
-  std::unique_ptr<policy::TempCertsCacheNSS> untrusted_authority_certs_cache_;
+  std::unique_ptr<network::NSSTempCertsCacheChromeOS>
+      untrusted_authority_certs_cache_;
 
   base::WeakPtrFactory<GaiaScreenHandler> weak_factory_;
 

chromeos/test/data/network/README

+This directory contains test data for ChromeOS-specific network configuration
+tests.
+
+==== Certificates ====
+The certificates in here are extracted from /net/data/ssl/certificates using the
+script setup-certificates.sh.
+The script produces:
+(*) root_ca_cert.pem: An Authority certificate that is the root of the hierarchy.
+(*) root-ca-cert.onc: ONC policy for specifying root_ca_cert.pem as an
+    additional trust anchor for Web navigations.
+(*) ok_cert.pem: A Server certificate that is signed by root_ca_cert.pem.
+(*) intermediate_ca_cert.pem: An Authority certificate that is signed by
+    root_ca_cert.pem
+(*) root-and-intermediate-ca-certs.onc: ONC policy for specifying
+    root_ca_cert.pem as an additional trust anchor for Web navigations, and
+    intermediate_ca_cert.pem as an untrusted Authority.
+(*) ok_cert_by_intermediate.pem: A Server certificate that is signed by
+    intermediate_ca_cert.pem.
+
+Run
+The script takes two arguments: Input directory, output directory.
+./setup-certificates.sh ${chromium_dir}/src/net/data/ssl/certificates .
+in this directory to sync the certificates.

chromeos/test/data/network/intermediate_ca_cert.pem

+-----BEGIN CERTIFICATE-----
+MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
+A1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTE3MDYwNTE3
+MTA0NVoXDTI3MDYwMzE3MTA0NVowazELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
+bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3Qg
+Q0ExHTAbBgNVBAMMFFRlc3QgSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAnem95D1KL/vC+eYiKkIVRhyMj0dM6cVXlR9mcJMi
+8JTDu7Vb76RvyMeJlXW6DDa/TmupNUcIQ54pauLD+wO3H7bhUWvtexnH+c473GXp
+ZseDlMTRTu7tZEuB8RrqWmQYG2pOk9ATbJBgytJOtyQW+LIIWJ2NpzNFFTSBrS0t
+nGDv+SuY/nnTjSxI2xKR9C76v/UmwYIFgN1MqHC/p7wQNHc520cED+1EsmVGIiCI
+WSgPxwyitJGloqrKBZ+Km26jy9Sk6CR1nSCBIltfdz7J8R6u64ozjCdbHr5tIRtC
+cpXjnhMDdadY1L5oEv5jjksRejTno2vdc64+GZrskYtzrwIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQXXEXz0KwcEEyLQ0QgxN2TxcUZOzAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAD711/2COx40jGai814Y4fGp
+dZ+1k+cKjs8KM+1Jzc7Oyl+jHWR204QW/p2IrPTR+DYrIIBSCu/gD2QnVTWje8aK
+fKXEKRex+tKJXRNruAPL1xLWziTwr0gXA1SZr+nL/UREGCNhkPa9VWUGwzaYjep9
+D3nvtrsiKAOm7NnUG0esLCXe7xoCaUwYuylI9J3hUkJkbIhGaIaD/ST1fQXXGn4i
+vEl1nIpN6POi65uDcKfW3S8FLaq+1+57jnVEO9rfhWG/6TsTQE6LUgjZ5IxU2kHb
+eywFXpkGDQKMjhmOVbA6MxgwA6ftSuT4WMwSuK/WZlUp7AEfku09TcNxO+AvcJA=
+-----END CERTIFICATE-----

chromeos/test/data/network/ok_cert.pem

 -----BEGIN CERTIFICATE-----
-MIIDczCCAlugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
-IFJvb3QgQ0EwHhcNMTQwODE0MDMwNTI5WhcNMjQwODExMDMwNTI5WjBgMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g
-VmlldzEQMA4GA1UECgwHVGVzdCBDQTESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtfj0Mtj19GXK6dDL3emXoW6Q4vSy
-shbQm+KZV+17xltvScGUAKkNXbU19Dp7PBgGo3haaP+mBR99EAiuCWzc7924l55s
-zsug3DMrHpXvHfvT2vg+V+2Ljp6GTRKmDDAj7whFTyESQoiHAdilMp+3OO9grbdH
-aztLplwrVnJc0bU4h5nsO//GAu+GOO7iBcbwZuIYkVDlVyMnmbvbSSSIZqgUln4a
-bSrh/xj1ajfSiKh5yblQ9ZpoCwSeaAIdoXHgiRW6KkgGenjT0Qx3g5iD+LniYCCS
-B5vUyMD6WlqdJkDCNWUA86Di0yFNpcSRiJAUp173E7fqK6K914QYGrd7XQIDAQAB
-o4GAMH4wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUggQdvQVxg2/2mBlNTxFGiE2b
-v6gwHwYDVR0jBBgwFoAUvPcw0TzA8nn675/JbFyT84poq4MwHQYDVR0lBBYwFAYI
-KwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcNAQEL
-BQADggEBAITcEASNvT/BPvtoSz815F0C63PmDnQW5MUwawWUTpxpEF56r6R2xiin
-GsFcfh1eHF6Hl/5cWyhHMbF5Svg29rFSuNWra4bv7D3tUAtAN2ULIjq3r9QENvDw
-0poWaV2LJQP2BYdeSL0lFcQ7au1j2IdVjj4cRN7rG93Ec8emahJtSNXlEmqoVSYm
-DX68zXGFsYp25FoaxZwmv9deVxT6tlLPhZAK6H9p4bCUG6xkWuk4zFOe/cbU4V6c
-NyIuS9mBX1nhQ6d77acjIP0EkfAdTmzA3quaGStPAKMdWHTJMm7uNbYzTGSNbuyo
-jtczxzPGkorOtfZdjhJS7J0Kz0s73fM=
+MIIDvzCCAqegAwIBAgIBAzANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
+A1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTE3MDYwNTE3
+MTA0NloXDTI3MDYwMzE3MTA0NlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
+bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3Qg
+Q0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALS/0pcz5RNbd2W9cxp1KJtHWea3MOhGM21YW9ofCv/k5C3yHfiJ6GQu
+9sPN16OO1/fN59gOEMPnVtL85ebTTuL/gk0YY4ewo97a7wo3e6y1t0PO8gc53xTp
+w6RBPn5oRzSbe2HEGOYTzrO0puC6A+7k6+eq9G2+l1uqBpdQAdB4uNaSsOTiuUOI
+ta4UZH1ScNQFHAkl1eJPyaiC20Exw75EbwvU/b/B7tlivzuPtQDI0d9dShOtceRL
+X9HZckyD2JNAv2zNL2YOBNa5QygkySX9WXD+PfKpCk7Cm8TenldeXRYl5ni2REkp
+nfa/dPuF1g3xZVjyK9aPEEnIAC2I4i0CAwEAAaOBgDB+MAwGA1UdEwEB/wQCMAAw
+HQYDVR0OBBYEFODc4C8HiHQ6n9Mwo3GK+dal5aZTMB8GA1UdIwQYMBaAFJsmC4qY
+qbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAP
+BgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQB6FEQuUDRcC5jkX3aZ
+uuTeZEqMVL7JXgvgFqzXsPb8zIdmxr/tEDfwXx2qDf2Dpxts7Fq4vqUwimK4qV3K
+7heLnWV2+FBvV1eeSfZ7AQj+SURkdlyo42r41+t13QUf+Z0ftR9266LSWLKrukeI
+Mxk73hOkm/u8enhTd00dy/FN9dOFBFHseVMspWNxIkdRILgOmiyfQNRgxNYdOf0e
+EfELR8Hn6WjZ8wAbvO4p7RTrzu1c/RZ0M+NLkID56Brbl70GC2h5681LPwAOaZ7/
+mWQ5kekSyJjmLfF12b+h9RVAt5MrXZgk2vNujssgGf4nbWh4KZyQ6qrs778ZdDLm
+yfUn
 -----END CERTIFICATE-----

chromeos/test/data/network/ok_cert_by_intermediate.pem

+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
+A1UECgwHVGVzdCBDQTEdMBsGA1UEAwwUVGVzdCBJbnRlcm1lZGlhdGUgQ0EwHhcN
+MTcwNjA1MTcxMDQ2WhcNMjcwNjAzMTcxMDQ2WjBgMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4GA1UE
+CgwHVGVzdCBDQTESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAtL/SlzPlE1t3Zb1zGnUom0dZ5rcw6EYzbVhb2h8K/+Tk
+LfId+InoZC72w83Xo47X983n2A4Qw+dW0vzl5tNO4v+CTRhjh7Cj3trvCjd7rLW3
+Q87yBznfFOnDpEE+fmhHNJt7YcQY5hPOs7Sm4LoD7uTr56r0bb6XW6oGl1AB0Hi4
+1pKw5OK5Q4i1rhRkfVJw1AUcCSXV4k/JqILbQTHDvkRvC9T9v8Hu2WK/O4+1AMjR
+311KE61x5Etf0dlyTIPYk0C/bM0vZg4E1rlDKCTJJf1ZcP498qkKTsKbxN6eV15d
+FiXmeLZESSmd9r90+4XWDfFlWPIr1o8QScgALYjiLQIDAQABo4GAMH4wDAYDVR0T
+AQH/BAIwADAdBgNVHQ4EFgQU4NzgLweIdDqf0zCjcYr51qXlplMwHwYDVR0jBBgw
+FoAUF1xF89CsHBBMi0NEIMTdk8XFGTswHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAEP3Yzij
+MD+r5mxCod3/jfatsuu2nku9kPzY9PBaQvy+W8zHJC+RSKahu6K3GWEhrNOB7m67
+BC0WtX7L5qMXjz5lTR2Nwdo9O62hs+j14xYTFwqjReDPhLI96DhpMUbojBBjD15r
+9BAlI5i4XNkGeIMYcAmm74/p9f+zRIU19mlhCyqN3occ7NxQx2fviCwo3sDbbiEg
+AMVbXe82xgrpBqMlPk0T+vA/vP6caEj/7BvnLDmsiCugiJYRPvAg4in8vdPTyiRj
+WBcVw6wZIcshKfxT5zvPwgpe9M7xnnc41MaQTpT+LpfLGpQqHow72zZlxhm61wsD
+IuWS4vY+35nOa0k=
+-----END CERTIFICATE-----

chromeos/test/data/network/root-and-intermediate-ca-certs.onc

+{
+  "Certificates": [
+    {
+      "GUID": "{b3aae353-cfa9-4093-9aff-9f8ee2bf8c29}",
+      "TrustBits": [
+        "Web"
+      ],
+      "Type": "Authority",
+      "X509": "-----BEGIN CERTIFICATE-----\nMIIDizCCAnOgAwIBAgIJAJRTRMx4iMvZMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW\naWV3MRAwDgYDVQQKDAdUZXN0IENBMRUwEwYDVQQDDAxUZXN0IFJvb3QgQ0EwHhcN\nMTcwNjA1MTcxMDQ0WhcNMjcwNjAzMTcxMDQ0WjBjMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4GA1UE\nCgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAxoEfknO2WIXZjay3IP3Hv0Cy6vrlC1IBj5rB63qA\nwfOJpD7VG2HMtc+AsRrbuyXgGL+SaSZQzec//w08tB8UEqtnN94HA2wSdII2rMPU\n02Sfke1b9ql6pJyY6GVslOHLVXOu+B1QsHjldP+xNyzLGT2kjOd2ToZcP9+z7UUj\nT1SbM8aJXhMd3X1ZpQc0KIYnH/qeU08qtkKtNxJi9XI2tgISQET+x56ViUNRXrRu\nx2eAWEO+zAcovVn/HEyNkEL0z/1UAE9IcivhZzyEF2iVv8oHe9+GnVbjMuNwh7f4\nOvfjbmUUfLt2txfxQoxvKjRkEDUUjIX2V7/zXFWdrQMQ8wIDAQABo0IwQDAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSbJguKmKm7HbkfHOMaQDPtjheIqzAOBgNV\nHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAFtT/23VCkOlD9R9xl2I45id\nZ+sygrMP9cF4+AVKv7whBe4hCCyyFaG4svajFWHkwa2EpKdADIcJXysb+U1skn3L\nfiuwAQrtQOVOrxrxDewdnpbH1GFkOSP6XynEKjq47YpyUGqsRQR2Cag9V9fwS65G\ntIPBFFAqGVlTsk2u/C9AScitTZ3IIo2MAdsxM1r0vEyb7dfjQ9noHVOLMNiBnnKr\nns649YOT8nLb3s2wUppFTc/nIdjOFmSPQq/Bh6j51eID3bprG3x9oDgzYTm03Vxp\nF3kCOuwdb167E/umgl0HIPyG/m6LrOHCGKL+P5Vm02mKAAYsVjc0ubYx3g/2RDk=\n-----END CERTIFICATE-----\n"
+    },
+    {
+      "GUID": "{ac861420-3342-4537-a20e-3c2ec0809b7a}",
+      "TrustBits": [ ],
+      "Type": "Authority",
+      "X509": "-----BEGIN CERTIFICATE-----\nMIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzET\nMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G\nA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTE3MDYwNTE3\nMTA0NVoXDTI3MDYwMzE3MTA0NVowazELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh\nbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3Qg\nQ0ExHTAbBgNVBAMMFFRlc3QgSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAnem95D1KL/vC+eYiKkIVRhyMj0dM6cVXlR9mcJMi\n8JTDu7Vb76RvyMeJlXW6DDa/TmupNUcIQ54pauLD+wO3H7bhUWvtexnH+c473GXp\nZseDlMTRTu7tZEuB8RrqWmQYG2pOk9ATbJBgytJOtyQW+LIIWJ2NpzNFFTSBrS0t\nnGDv+SuY/nnTjSxI2xKR9C76v/UmwYIFgN1MqHC/p7wQNHc520cED+1EsmVGIiCI\nWSgPxwyitJGloqrKBZ+Km26jy9Sk6CR1nSCBIltfdz7J8R6u64ozjCdbHr5tIRtC\ncpXjnhMDdadY1L5oEv5jjksRejTno2vdc64+GZrskYtzrwIDAQABo0IwQDAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQXXEXz0KwcEEyLQ0QgxN2TxcUZOzAOBgNV\nHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAD711/2COx40jGai814Y4fGp\ndZ+1k+cKjs8KM+1Jzc7Oyl+jHWR204QW/p2IrPTR+DYrIIBSCu/gD2QnVTWje8aK\nfKXEKRex+tKJXRNruAPL1xLWziTwr0gXA1SZr+nL/UREGCNhkPa9VWUGwzaYjep9\nD3nvtrsiKAOm7NnUG0esLCXe7xoCaUwYuylI9J3hUkJkbIhGaIaD/ST1fQXXGn4i\nvEl1nIpN6POi65uDcKfW3S8FLaq+1+57jnVEO9rfhWG/6TsTQE6LUgjZ5IxU2kHb\neywFXpkGDQKMjhmOVbA6MxgwA6ftSuT4WMwSuK/WZlUp7AEfku09TcNxO+AvcJA=\n-----END CERTIFICATE-----\n"
+    }
+  ],
+  "Type": "UnencryptedConfiguration"
+}

chromeos/test/data/network/root-ca-cert.onc

@@ -6,7 +6,7 @@
         "Web"
       ],
       "Type": "Authority",
-      "X509": "-----BEGIN CERTIFICATE-----\nMIIC8zCCAdugAwIBAgIJALF9qhLor0+aMA0GCSqGSIb3DQEBBQUAMBcxFTATBgNV\nBAMMDFRlc3QgUm9vdCBDQTAeFw0xNDA4MTQwMzA1MjlaFw0yNDA4MTEwMzA1Mjla\nMBcxFTATBgNVBAMMDFRlc3QgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBALZJQeNCAVGofzx6cdP7zZE1F4QajvY2x9FwHfqG8267dm/oMi43\n/TiSPWjkin1CMxRGG9wE9pFuVEDECgn97C1i4l7huiycwbFgTNrH+CJcgiBlQh5W\nd3VP65AsSupXDiKNbJWsEerM1+72cA0J3aY1YV3Jdm2w8h6/MIbYd1I2lZcO0UbF\n7YE9G7DyYZU8wUA4719dumGf7yucn4WJdHBj1XboNX7OAeHzERGQHA31/Y3OEGyt\nfFUaIW/XLfR4FeovOL2RnjwdB0b1Q8GCi68SU2UZimlpZgay2gv6KgChKhWESfEB\nv5swBtAVoB+dUZFH4VNf717swmF5whSfxOMCAwEAAaNCMEAwDwYDVR0TAQH/BAUw\nAwEB/zAdBgNVHQ4EFgQUvPcw0TzA8nn675/JbFyT84poq4MwDgYDVR0PAQH/BAQD\nAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQBXByn7f+j/sObYWGrDkKE4HLTzaLHs6Ikj\nJNeo8iHDYOSkSVwAv9/HgniAKxj3rd3QYl6nsMzwqrTOcBJZZWd2BQAYmv/EKhfj\n8VXYvlxe68rLU4cQ1QkyNqdeQfRT2n5WYNJ+TpqlCF9ddennMMsi6e8ZSYOlI6H4\nYEzlNtU5eBjxXr/OqgtTgSx4qQpr2xMQIRR/G3A9iRpAigYsXVAZYvnHRYnyPWYF\nPX11W1UegEJyoZp8bQp09u6mIWw6mPt3gl/ya1bm3ZuOUPDGrv3qpgUHqSYGVrOy\n2bI3oCE+eQYfuVG+9LFJTZC1M+UOx15bQMVqBNFDepRqpE9h/ILg\n-----END CERTIFICATE-----"
+      "X509": "-----BEGIN CERTIFICATE-----\nMIIDizCCAnOgAwIBAgIJAJRTRMx4iMvZMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW\naWV3MRAwDgYDVQQKDAdUZXN0IENBMRUwEwYDVQQDDAxUZXN0IFJvb3QgQ0EwHhcN\nMTcwNjA1MTcxMDQ0WhcNMjcwNjAzMTcxMDQ0WjBjMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4GA1UE\nCgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAxoEfknO2WIXZjay3IP3Hv0Cy6vrlC1IBj5rB63qA\nwfOJpD7VG2HMtc+AsRrbuyXgGL+SaSZQzec//w08tB8UEqtnN94HA2wSdII2rMPU\n02Sfke1b9ql6pJyY6GVslOHLVXOu+B1QsHjldP+xNyzLGT2kjOd2ToZcP9+z7UUj\nT1SbM8aJXhMd3X1ZpQc0KIYnH/qeU08qtkKtNxJi9XI2tgISQET+x56ViUNRXrRu\nx2eAWEO+zAcovVn/HEyNkEL0z/1UAE9IcivhZzyEF2iVv8oHe9+GnVbjMuNwh7f4\nOvfjbmUUfLt2txfxQoxvKjRkEDUUjIX2V7/zXFWdrQMQ8wIDAQABo0IwQDAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSbJguKmKm7HbkfHOMaQDPtjheIqzAOBgNV\nHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAFtT/23VCkOlD9R9xl2I45id\nZ+sygrMP9cF4+AVKv7whBe4hCCyyFaG4svajFWHkwa2EpKdADIcJXysb+U1skn3L\nfiuwAQrtQOVOrxrxDewdnpbH1GFkOSP6XynEKjq47YpyUGqsRQR2Cag9V9fwS65G\ntIPBFFAqGVlTsk2u/C9AScitTZ3IIo2MAdsxM1r0vEyb7dfjQ9noHVOLMNiBnnKr\nns649YOT8nLb3s2wUppFTc/nIdjOFmSPQq/Bh6j51eID3bprG3x9oDgzYTm03Vxp\nF3kCOuwdb167E/umgl0HIPyG/m6LrOHCGKL+P5Vm02mKAAYsVjc0ubYx3g/2RDk=\n-----END CERTIFICATE-----\n"
     }
   ],
   "Type": "UnencryptedConfiguration"

chromeos/test/data/network/root_ca_cert.pem

 -----BEGIN CERTIFICATE-----
-MIIC8zCCAdugAwIBAgIJALF9qhLor0+aMA0GCSqGSIb3DQEBBQUAMBcxFTATBgNV
-BAMMDFRlc3QgUm9vdCBDQTAeFw0xNDA4MTQwMzA1MjlaFw0yNDA4MTEwMzA1Mjla
-MBcxFTATBgNVBAMMDFRlc3QgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALZJQeNCAVGofzx6cdP7zZE1F4QajvY2x9FwHfqG8267dm/oMi43
-/TiSPWjkin1CMxRGG9wE9pFuVEDECgn97C1i4l7huiycwbFgTNrH+CJcgiBlQh5W
-d3VP65AsSupXDiKNbJWsEerM1+72cA0J3aY1YV3Jdm2w8h6/MIbYd1I2lZcO0UbF
-7YE9G7DyYZU8wUA4719dumGf7yucn4WJdHBj1XboNX7OAeHzERGQHA31/Y3OEGyt
-fFUaIW/XLfR4FeovOL2RnjwdB0b1Q8GCi68SU2UZimlpZgay2gv6KgChKhWESfEB
-v5swBtAVoB+dUZFH4VNf717swmF5whSfxOMCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
-AwEB/zAdBgNVHQ4EFgQUvPcw0TzA8nn675/JbFyT84poq4MwDgYDVR0PAQH/BAQD
-AgEGMA0GCSqGSIb3DQEBBQUAA4IBAQBXByn7f+j/sObYWGrDkKE4HLTzaLHs6Ikj
-JNeo8iHDYOSkSVwAv9/HgniAKxj3rd3QYl6nsMzwqrTOcBJZZWd2BQAYmv/EKhfj
-8VXYvlxe68rLU4cQ1QkyNqdeQfRT2n5WYNJ+TpqlCF9ddennMMsi6e8ZSYOlI6H4
-YEzlNtU5eBjxXr/OqgtTgSx4qQpr2xMQIRR/G3A9iRpAigYsXVAZYvnHRYnyPWYF
-PX11W1UegEJyoZp8bQp09u6mIWw6mPt3gl/ya1bm3ZuOUPDGrv3qpgUHqSYGVrOy
-2bI3oCE+eQYfuVG+9LFJTZC1M+UOx15bQMVqBNFDepRqpE9h/ILg
+MIIDizCCAnOgAwIBAgIJAJRTRMx4iMvZMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRAwDgYDVQQKDAdUZXN0IENBMRUwEwYDVQQDDAxUZXN0IFJvb3QgQ0EwHhcN
+MTcwNjA1MTcxMDQ0WhcNMjcwNjAzMTcxMDQ0WjBjMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4GA1UE
+CgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAxoEfknO2WIXZjay3IP3Hv0Cy6vrlC1IBj5rB63qA
+wfOJpD7VG2HMtc+AsRrbuyXgGL+SaSZQzec//w08tB8UEqtnN94HA2wSdII2rMPU
+02Sfke1b9ql6pJyY6GVslOHLVXOu+B1QsHjldP+xNyzLGT2kjOd2ToZcP9+z7UUj
+T1SbM8aJXhMd3X1ZpQc0KIYnH/qeU08qtkKtNxJi9XI2tgISQET+x56ViUNRXrRu
+x2eAWEO+zAcovVn/HEyNkEL0z/1UAE9IcivhZzyEF2iVv8oHe9+GnVbjMuNwh7f4
+OvfjbmUUfLt2txfxQoxvKjRkEDUUjIX2V7/zXFWdrQMQ8wIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBSbJguKmKm7HbkfHOMaQDPtjheIqzAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAFtT/23VCkOlD9R9xl2I45id
+Z+sygrMP9cF4+AVKv7whBe4hCCyyFaG4svajFWHkwa2EpKdADIcJXysb+U1skn3L
+fiuwAQrtQOVOrxrxDewdnpbH1GFkOSP6XynEKjq47YpyUGqsRQR2Cag9V9fwS65G
+tIPBFFAqGVlTsk2u/C9AScitTZ3IIo2MAdsxM1r0vEyb7dfjQ9noHVOLMNiBnnKr
+ns649YOT8nLb3s2wUppFTc/nIdjOFmSPQq/Bh6j51eID3bprG3x9oDgzYTm03Vxp
+F3kCOuwdb167E/umgl0HIPyG/m6LrOHCGKL+P5Vm02mKAAYsVjc0ubYx3g/2RDk=
 -----END CERTIFICATE-----
-

chromeos/test/data/network/setup-certificates.sh

+#!/bin/bash
+
+# Copyright 2018 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+INPUT_DIR=${1?first param missing - input directory}
+OUTPUT_DIR=${2?second param missing - output directory}
+
+# This script grabs certain certificates from ${INPUT_DIR} and places them under
+# ${OUTPUT_DIR}. It uses openssl's x509 command to only take the certificate
+# sections (and not e.g. private keys).
+# Additionally, this script creates ONC files which contain some of the
+# certificates to be used by tests.
+
+openssl x509 -in "${INPUT_DIR}/root_ca_cert.pem" -inform PEM \
+  > "${OUTPUT_DIR}/root_ca_cert.pem"
+openssl x509 -in "${INPUT_DIR}/ok_cert.pem" -inform PEM \
+  > "${OUTPUT_DIR}/ok_cert.pem"
+openssl x509 -in "${INPUT_DIR}/intermediate_ca_cert.pem" -inform PEM \
+  > "${OUTPUT_DIR}/intermediate_ca_cert.pem"
+openssl x509 -in "${INPUT_DIR}/ok_cert_by_intermediate.pem" -inform PEM \
+  > "${OUTPUT_DIR}/ok_cert_by_intermediate.pem"
+
+# Read the root CA cert and interemdiate CA cert PEM files and replace newlines
+# with \n literals. This is needed because the ONC JSON does not support
+# multi-line strings. Note that replacement is done in two steps, using ',' as
+# intermediate character. PEM files will not contain commas.
+ROOT_CA_CERT_CONTENTS=$(cat root_ca_cert.pem \
+  | tr '\n' ',' | sed 's/,/\\n/g')
+INTERMEDIATE_CA_CERT_CONTENTS=$(cat intermediate_ca_cert.pem \
+  | tr '\n' ',' | sed 's/,/\\n/g')
+
+cat > "${OUTPUT_DIR}/root-ca-cert.onc" << EOL
+{
+  "Certificates": [
+    {
+      "GUID": "{b3aae353-cfa9-4093-9aff-9f8ee2bf8c29}",
+      "TrustBits": [
+        "Web"
+      ],
+      "Type": "Authority",
+      "X509": "${ROOT_CA_CERT_CONTENTS}"
+    }
+  ],
+  "Type": "UnencryptedConfiguration"
+}
+EOL
+
+cat > "${OUTPUT_DIR}/root-and-intermediate-ca-certs.onc" << EOL
+{
+  "Certificates": [
+    {
+      "GUID": "{b3aae353-cfa9-4093-9aff-9f8ee2bf8c29}",
+      "TrustBits": [
+        "Web"
+      ],
+      "Type": "Authority",
+      "X509": "${ROOT_CA_CERT_CONTENTS}"
+    },
+    {
+      "GUID": "{ac861420-3342-4537-a20e-3c2ec0809b7a}",
+      "TrustBits": [ ],
+      "Type": "Authority",
+      "X509": "${INTERMEDIATE_CA_CERT_CONTENTS}"
+    }
+  ],
+  "Type": "UnencryptedConfiguration"
+}
+EOL

services/network/BUILD.gn

@@ -193,6 +193,8 @@ jumbo_component("network_service") {
       "cert_verifier_with_trust_anchors.h",
       "cert_verify_proc_chromeos.cc",
       "cert_verify_proc_chromeos.h",
+      "nss_temp_certs_cache_chromeos.cc",
+      "nss_temp_certs_cache_chromeos.h",
     ]
   }
 
@@ -338,6 +340,7 @@ source_set("tests") {
     sources += [
       "cert_verifier_with_trust_anchors_unittest.cc",
       "cert_verify_proc_chromeos_unittest.cc",
+      "nss_temp_certs_cache_chromeos_unittest.cc",
     ]
   }
 

services/network/network_context.cc

@@ -104,6 +104,7 @@
 #include "net/cert/multi_threaded_cert_verifier.h"
 #include "services/network/cert_verifier_with_trust_anchors.h"
 #include "services/network/cert_verify_proc_chromeos.h"
+#include "services/network/nss_temp_certs_cache_chromeos.h"
 #endif
 
 #if !defined(OS_IOS)
@@ -993,9 +994,17 @@ void NetworkContext::SetEnableReferrers(bool enable_referrers) {
 }
 
 #if defined(OS_CHROMEOS)
-void NetworkContext::UpdateTrustAnchors(
-    const net::CertificateList& trust_anchors) {
-  cert_verifier_with_trust_anchors_->SetTrustAnchors(trust_anchors);
+void NetworkContext::UpdateAdditionalCertificates(
+    mojom::AdditionalCertificatesPtr additional_certificates) {
+  if (!additional_certificates) {
+    nss_temp_certs_cache_.reset();
+    cert_verifier_with_trust_anchors_->SetTrustAnchors(net::CertificateList());
+    return;
+  }
+  nss_temp_certs_cache_ = std::make_unique<network::NSSTempCertsCacheChromeOS>(
+      additional_certificates->all_certificates);
+  cert_verifier_with_trust_anchors_->SetTrustAnchors(
+      additional_certificates->trust_anchors);
 }
 #endif
 
@@ -1980,8 +1989,8 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext() {
 
       cert_verifier_with_trust_anchors_ = new CertVerifierWithTrustAnchors(
           base::Bind(&NetworkContext::TrustAnchorUsed, base::Unretained(this)));
-      cert_verifier_with_trust_anchors_->SetTrustAnchors(
-          params_->initial_trust_anchors);
+      UpdateAdditionalCertificates(
+          std::move(params_->initial_additional_certificates));
       cert_verifier_with_trust_anchors_->InitializeOnIOThread(verify_proc);
       cert_verifier = base::WrapUnique(cert_verifier_with_trust_anchors_);
     }

services/network/network_context.h

@@ -76,6 +76,7 @@ class HostResolver;
 class NetworkService;
 class NetworkServiceProxyDelegate;
 class MdnsResponderManager;
+class NSSTempCertsCacheChromeOS;
 class P2PSocketManager;
 class ProxyLookupRequest;
 class ResourceScheduler;
@@ -210,7 +211,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
   void SetAcceptLanguage(const std::string& new_accept_language) override;
   void SetEnableReferrers(bool enable_referrers) override;
 #if defined(OS_CHROMEOS)
-  void UpdateTrustAnchors(const net::CertificateList& trust_anchors) override;
+  void UpdateAdditionalCertificates(
+      mojom::AdditionalCertificatesPtr additional_certificates) override;
 #endif
 #if BUILDFLAG(IS_CT_SUPPORTED)
   void SetCTPolicy(
@@ -499,6 +501,9 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
 
 #if defined(OS_CHROMEOS)
   CertVerifierWithTrustAnchors* cert_verifier_with_trust_anchors_ = nullptr;
+  // Additional certificates made available to NSS cert validation as temporary
+  // certificates.
+  std::unique_ptr<network::NSSTempCertsCacheChromeOS> nss_temp_certs_cache_;
 #endif
 
   // Created on-demand. Null if unused.

chrome/browser/chromeos/policy/temp_certs_cache_nss.cc → services/network/nss_temp_certs_cache_chromeos.cc

@@ -2,17 +2,14 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "chrome/browser/chromeos/policy/temp_certs_cache_nss.h"
+#include "services/network/nss_temp_certs_cache_chromeos.h"
 
-#include "chrome/browser/browser_process.h"
-#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
-#include "chrome/browser/chromeos/policy/device_network_configuration_updater.h"
-#include "chromeos/network/onc/onc_utils.h"
 #include "net/cert/x509_util_nss.h"
 
-namespace policy {
+namespace network {
 
-TempCertsCacheNSS::TempCertsCacheNSS(const net::CertificateList& certificates) {
+NSSTempCertsCacheChromeOS::NSSTempCertsCacheChromeOS(
+    const net::CertificateList& certificates) {
   for (const auto& certificate : certificates) {
     net::ScopedCERTCertificate x509_cert =
         net::x509_util::CreateCERTCertificateFromX509Certificate(
@@ -26,6 +23,6 @@ TempCertsCacheNSS::TempCertsCacheNSS(const net::CertificateList& certificates) {
   }
 }
 
-TempCertsCacheNSS::~TempCertsCacheNSS() {}
+NSSTempCertsCacheChromeOS::~NSSTempCertsCacheChromeOS() {}
 
-}  // namespace policy
+}  // namespace network

chrome/browser/chromeos/policy/temp_certs_cache_nss.h → services/network/nss_temp_certs_cache_chromeos.h

@@ -2,21 +2,22 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef CHROME_BROWSER_CHROMEOS_POLICY_TEMP_CERTS_CACHE_NSS_H_
-#define CHROME_BROWSER_CHROMEOS_POLICY_TEMP_CERTS_CACHE_NSS_H_
+#ifndef SERVICES_NETWORK_NSS_TEMP_CERTS_CACHE_CHROMEOS_H_
+#define SERVICES_NETWORK_NSS_TEMP_CERTS_CACHE_CHROMEOS_H_
 
+#include "base/component_export.h"
 #include "base/macros.h"
 #include "net/cert/scoped_nss_types.h"
 #include "net/cert/x509_certificate.h"
 
-namespace policy {
+namespace network {
 
 // Holds NSS temporary certificates in memory as ScopedCERTCertificates, making
 // them available e.g. for client certificate discovery.
-class TempCertsCacheNSS {
+class COMPONENT_EXPORT(NETWORK_SERVICE) NSSTempCertsCacheChromeOS {
  public:
-  explicit TempCertsCacheNSS(const net::CertificateList& certificates);
-  ~TempCertsCacheNSS();
+  explicit NSSTempCertsCacheChromeOS(const net::CertificateList& certificates);
+  ~NSSTempCertsCacheChromeOS();
 
  private:
   // The actual cache of NSS temporary certificates.
@@ -30,9 +31,9 @@ class TempCertsCacheNSS {
   // permanent databases, nor are the trust settings mutated to trust them.
   net::ScopedCERTCertificateList temp_certs_;
 
-  DISALLOW_COPY_AND_ASSIGN(TempCertsCacheNSS);
+  DISALLOW_COPY_AND_ASSIGN(NSSTempCertsCacheChromeOS);
 };
 
-}  // namespace policy
+}  // namespace network
 
-#endif  // CHROME_BROWSER_CHROMEOS_POLICY_TEMP_CERTS_CACHE_NSS_H_
+#endif  // SERVICES_NETWORK_NSS_TEMP_CERTS_CACHE_CHROMEOS_H_

chrome/browser/chromeos/policy/temp_certs_cache_nss_unittest.cc → services/network/nss_temp_certs_cache_chromeos_unittest.cc

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "chrome/browser/chromeos/policy/temp_certs_cache_nss.h"
+#include "services/network/nss_temp_certs_cache_chromeos.h"
 
 #include <cert.h>
 #include <certdb.h>
@@ -23,14 +23,14 @@
 #include "net/test/test_data_directory.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-namespace policy {
+namespace network {
 
 namespace {
 
-class TempCertsCacheNSSTest : public testing::Test {
+class NSSTempCertsCacheChromeOSTest : public testing::Test {
  public:
-  TempCertsCacheNSSTest() {}
-  ~TempCertsCacheNSSTest() override {}
+  NSSTempCertsCacheChromeOSTest() {}
+  ~NSSTempCertsCacheChromeOSTest() override {}
 
  protected:
   // Checks if the certificate stored in |pem_cert_file| can be found in the
@@ -92,17 +92,17 @@ class TempCertsCacheNSSTest : public testing::Test {
   }
 
  private:
-  DISALLOW_COPY_AND_ASSIGN(TempCertsCacheNSSTest);
+  DISALLOW_COPY_AND_ASSIGN(NSSTempCertsCacheChromeOSTest);
 };
 
 // Checks that a certificate made available through the
-// TempCertsCacheNSS can be found by NSS. We specifically check for
+// NSSTempCertsCacheChromeOS can be found by NSS. We specifically check for
 // lookup through the CERT_FindCertByName function, as this is what is used in
 // client certificate matching (see MatchClientCertificateIssuers in
 // net/third_party/nss/ssl/cmpcert.cc). Additionally, checks that the
-// certificate is not available after the TempCertsCacheNSS goes out of
+// certificate is not available after the NSSTempCertsCacheChromeOS goes out of
 // scope.
-TEST_F(TempCertsCacheNSSTest, CertMadeAvailable) {
+TEST_F(NSSTempCertsCacheChromeOSTest, CertMadeAvailable) {
   base::FilePath cert_file_path =
       net::GetTestCertsDirectory().AppendASCII("client_1_ca.pem");
   {
@@ -113,7 +113,7 @@ TEST_F(TempCertsCacheNSSTest, CertMadeAvailable) {
             x509_authority_cert.data(), x509_authority_cert.length(),
             net::X509Certificate::Format::FORMAT_AUTO);
 
-    TempCertsCacheNSS cache(x509_authority_certs);
+    NSSTempCertsCacheChromeOS cache(x509_authority_certs);
 
     bool cert_available = false;
     ASSERT_NO_FATAL_FAILURE(
@@ -128,4 +128,4 @@ TEST_F(TempCertsCacheNSSTest, CertMadeAvailable) {
 }
 
 }  // namespace
-}  // namespace policy
+}  // namespace network

services/network/public/mojom/network_context.mojom

@@ -81,6 +81,15 @@ interface CustomProxyConfigClient {
                    ProxyList bad_proxies) => ();
 };
 
+[EnableIf=is_chromeos]
+struct AdditionalCertificates {
+  // List of all additional certificates.
+  array<X509Certificate> all_certificates;
+
+  // List of additional trust anchors.
+  array<X509Certificate> trust_anchors;
+};
+
 // Parameters for constructing a network context.
 struct NetworkContextParams {
   // Name used by memory tools to identify the context.
@@ -244,9 +253,10 @@ struct NetworkContextParams {
   [EnableIf=is_chromeos]
   string username_hash;
 
-  // Initial list of additional trust anchors.
+  // Initial additional certificates that will be used for certificate
+  // validation.
   [EnableIf=is_chromeos]
-  array<X509Certificate> initial_trust_anchors;
+  AdditionalCertificates? initial_additional_certificates;
 
   // Parameters for constructing the cookie manager.
   CookieManagerParams? cookie_manager_params;
@@ -523,7 +533,7 @@ interface NetworkContext {
 
   // Updates the additional trust anchors for certificate verification.
   [EnableIf=is_chromeos]
-  UpdateTrustAnchors(array<X509Certificate> trust_anchors);
+  UpdateAdditionalCertificates(AdditionalCertificates? additional_certificates);
 
   // Updates the CT policy to be used for requests. Only applies if the
   // NetworkContextParams set enforce_chrome_ct_policy to true.

services/network/test/test_network_context.h

@@ -89,7 +89,8 @@ class TestNetworkContext : public mojom::NetworkContext {
   void SetAcceptLanguage(const std::string& new_accept_language) override {}
   void SetEnableReferrers(bool enable_referrers) override {}
 #if defined(OS_CHROMEOS)
-  void UpdateTrustAnchors(const net::CertificateList& trust_anchors) override {}
+  void UpdateAdditionalCertificates(
+      mojom::AdditionalCertificatesPtr additional_certificates) override {}
 #endif
 #if BUILDFLAG(IS_CT_SUPPORTED)
   void SetCTPolicy(