// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker 
#include "net/cert/cert_database.h"

#include <Security/Security.h>

#include "base/apple/osstatus_logging.h"
#include "base/check.h"
#include "base/functional/bind.h"
#include "base/location.h"
#include "base/no_destructor.h"
#include "base/notreached.h"
#include "base/process/process_handle.h"
#include "net/base/network_notification_thread_mac.h"
16*6777b538SAndroid Build Coastguard Worker 
17*6777b538SAndroid Build Coastguard Worker namespace net {
18*6777b538SAndroid Build Coastguard Worker 
19*6777b538SAndroid Build Coastguard Worker namespace {
20*6777b538SAndroid Build Coastguard Worker 
// Helper that observes change events from the Keychain and forwards them to
// the CertDatabase singleton.
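class Notifier {
 public:
  // Registration with the Keychain is deferred to the network notification
  // thread rather than done inline. |this| is bound Unretained because a
  // Notifier is never destroyed (see the deleted destructor below).
  Notifier() {
    GetNetworkNotificationThreadMac()->PostTask(
        FROM_HERE, base::BindOnce(&Notifier::Init, base::Unretained(this)));
  }

  // Deliberately non-destructible: nothing in this file ever unregisters the
  // callback installed by Init(), so the object must live for the whole
  // process (it is held in a base::NoDestructor by the caller).
  ~Notifier() = delete;

// Much of the Keychain API was marked deprecated as of the macOS 13 SDK.
// Removal of its use is tracked in https://crbug.com/1348251 but deprecation
// warnings are disabled in the meanwhile.
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"

 private:
  // Registers KeychainCallback for keychain-list and trust-settings change
  // events. Runs on the network notification thread.
  //
  // A failed registration is logged instead of being dropped on the floor:
  // without the callback the CertDatabase would silently never learn about
  // trust-store or client-cert changes made by other processes, and keep
  // serving stale trust decisions.
  void Init() {
    const SecKeychainEventMask event_mask =
        kSecKeychainListChangedMask | kSecTrustSettingsChangedEventMask;
    // No user context is needed: the callback reaches the database through
    // CertDatabase::GetInstance(), not through |this|.
    const OSStatus status = SecKeychainAddCallback(&Notifier::KeychainCallback,
                                                   event_mask, nullptr);
    if (status != errSecSuccess) {
      OSSTATUS_LOG(ERROR, status) << "SecKeychainAddCallback failed";
    }
  }

#pragma clang diagnostic pop

  // SecKeychainCallback function that receives notifications from securityd
  // and forwards them to the CertDatabase singleton. Events raised by this
  // process are dropped. |context| is unused (Init() registers nullptr).
  static OSStatus KeychainCallback(SecKeychainEvent keychain_event,
                                   SecKeychainCallbackInfo* info,
                                   void* context);
};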
53*6777b538SAndroid Build Coastguard Worker 
// static
OSStatus Notifier::KeychainCallback(SecKeychainEvent keychain_event,
                                    SecKeychainCallbackInfo* info,
                                    void* context) {
  // Only the SEC_KEYCHAIN_SETTINGS_VERS1 layout of |info| is understood; a
  // newer struct version indicates a mismatch that should never occur.
  if (info->version > SEC_KEYCHAIN_SETTINGS_VERS1) {
    NOTREACHED();
    return errSecWrongSecVersion;
  }

  // Events raised by this very process are assumed to have been handled at
  // the point that made the change. This can lose events triggered through
  // native Keychain dialogs spawned from this process, but a missed event is
  // preferred over delivering duplicates.
  const bool from_this_process = info->pid == base::GetCurrentProcId();
  if (from_this_process) {
    return errSecSuccess;
  }

  // Route the two event kinds we subscribed to in Init(); anything else is
  // intentionally ignored.
  if (keychain_event == kSecKeychainListChangedEvent) {
    CertDatabase::GetInstance()->NotifyObserversClientCertStoreChanged();
  } else if (keychain_event == kSecTrustSettingsChangedEvent) {
    CertDatabase::GetInstance()->NotifyObserversTrustStoreChanged();
  }

  return errSecSuccess;
}
86*6777b538SAndroid Build Coastguard Worker 
87*6777b538SAndroid Build Coastguard Worker }  // namespace
88*6777b538SAndroid Build Coastguard Worker 
void CertDatabase::StartListeningForKeychainEvents() {
  // Function-local static: constructed exactly once (thread-safe
  // initialization is guaranteed by the language) and, being wrapped in
  // NoDestructor, never torn down at process exit — which is what the
  // Notifier's deleted destructor requires.
  [[maybe_unused]] static base::NoDestructor<Notifier> keychain_notifier;
}
92*6777b538SAndroid Build Coastguard Worker 
93*6777b538SAndroid Build Coastguard Worker }  // namespace net