From d0506dd8ce985c439d0904b6862fd66dfe48c5b0 Mon Sep 17 00:00:00 2001
From: Matt Mueller
Date: Thu, 17 Dec 2020 02:25:24 +0000
Subject: [PATCH] Initialize TrustStoreMac cache earlier in startup rather than waiting until the first verification

This should reduce the impact of cache initialization on the first page load.

Bug: 1159560
Change-Id: Ib21e9c9736e3dd1d81b194e59fcd1fb26fba6e09
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2595971
Reviewed-by: Ryan Sleevi
Reviewed-by: Avi Drissman
Reviewed-by: Reilly Grant
Commit-Queue: Matt Mueller
Cr-Commit-Position: refs/heads/master@{#837881}
---
 chrome/browser/chrome_browser_main_mac.mm | 9 +++++++++
 net/cert/internal/system_trust_store.cc | 15 ++++++++++++++-
 net/cert/internal/system_trust_store.h | 6 ++++++
 net/cert/internal/trust_store_mac.cc | 10 ++++++++++
 net/cert/internal/trust_store_mac.h | 3 +++
 services/network/network_service.cc | 10 ++++++++++
 6 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/chrome/browser/chrome_browser_main_mac.mm b/chrome/browser/chrome_browser_main_mac.mm
index e3f9e3626bba49..c30b73c2575fd3 100644
--- a/chrome/browser/chrome_browser_main_mac.mm
+++ b/chrome/browser/chrome_browser_main_mac.mm
@@ -38,6 +38,9 @@
 #include "components/version_info/channel.h"
 #include "content/public/common/main_function_params.h"
 #include "content/public/common/result_codes.h"
+#include "net/base/features.h"
+#include "net/cert/internal/system_trust_store.h"
+#include "services/network/public/cpp/features.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "ui/base/resource/resource_handle.h"
@@ -135,6 +138,12 @@
 MacStartupProfiler::GetInstance()->Profile(
 MacStartupProfiler::POST_MAIN_MESSAGE_LOOP_START);
 ChromeBrowserMainPartsPosix::PostMainMessageLoopStart();
+
+ if (base::FeatureList::IsEnabled(network::features::kCertVerifierService) &&
+ base::FeatureList::IsEnabled(
+ net::features::kCertVerifierBuiltinFeature)) {
+ net::InitializeTrustStoreMacCache();
+ }
 }
 
 void ChromeBrowserMainPartsMac::PreProfileInit() {
diff --git a/net/cert/internal/system_trust_store.cc b/net/cert/internal/system_trust_store.cc
index d2345316ab36b0..646ea2f321e6e1 100644
--- a/net/cert/internal/system_trust_store.cc
+++ b/net/cert/internal/system_trust_store.cc
@@ -21,6 +21,8 @@
 #include "base/files/file_util.h"
 #include "base/logging.h"
 #include "base/no_destructor.h"
+#include "base/task/task_traits.h"
+#include "base/task/thread_pool.h"
 #include "build/build_config.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parsed_certificate.h"
@@ -176,8 +178,12 @@ class SystemTrustStoreMac : public BaseSystemTrustStore {
 return GetGlobalTrustStoreMac()->IsKnownRoot(trust_anchor);
 }
 
+ static void InitializeTrustCacheOnWorkerThread() {
+ GetGlobalTrustStoreMac()->InitializeTrustCache();
+ }
+
 private:
- TrustStoreMac* GetGlobalTrustStoreMac() const {
+ static TrustStoreMac* GetGlobalTrustStoreMac() {
 static base::NoDestructor static_trust_store_mac(
 kSecPolicyAppleSSL);
 return static_trust_store_mac.get();
@@ -188,6 +194,13 @@ std::unique_ptr CreateSslSystemTrustStore() {
 return std::make_unique();
 }
 
+void InitializeTrustStoreMacCache() {
+ base::ThreadPool::PostTask(
+ FROM_HERE,
+ {base::MayBlock(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},
+ base::BindOnce(&SystemTrustStoreMac::InitializeTrustCacheOnWorkerThread));
+}
+
 #elif defined(OS_FUCHSIA)
 
 namespace {
diff --git a/net/cert/internal/system_trust_store.h b/net/cert/internal/system_trust_store.h
index 498b23d4344058..7bb1d4be508e7e 100644
--- a/net/cert/internal/system_trust_store.h
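Review bot: The feature gate added after `ChromeBrowserMainPartsPosix::PostMainMessageLoopStart()` is the exact complement of the one added to `NetworkService::Initialize` in services/network/network_service.cc (same two flags, `kCertVerifierService` negated), and neither site refers to the other, so a later edit to one can leave the cache warmed in the wrong process or in neither. At minimum each site should name its twin, e.g. `// Mirrors the !kCertVerifierService branch in NetworkService::Initialize().`; better, fold the decision into one helper next to `InitializeTrustStoreMacCache()` that both sites call. If the ThreadPool is not yet started when `PostMainMessageLoopStart()` runs, the post presumably just queues until it is — worth confirming and stating in that comment. The enclosing `PostMainMessageLoopStart()` begins before the hunk.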
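Review bot: `InitializeTrustCacheOnWorkerThread()` is public, static and undocumented, so a reader has to follow the `base::BindOnce` in `InitializeTrustStoreMacCache()` to learn who calls it and on which thread. A short comment would do: `// Target of the ThreadPool task posted by InitializeTrustStoreMacCache(). Safe to run more than once: TrustStoreMac only builds the cache if it is not already built, and does so under its cache lock.` Making `GetGlobalTrustStoreMac()` static is what lets a static member bind to it; the function-local `base::NoDestructor` is now first touched from a worker thread rather than from a verification, which is fine because the static's construction is guarded by the language, but that is now worth a sentence in the same comment. The `SystemTrustStoreMac` class definition begins before the hunk.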
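Review bot: The task traits in `InitializeTrustStoreMacCache()` give `base::MayBlock()` and `CONTINUE_ON_SHUTDOWN` but no `base::TaskPriority`, so a change whose whole purpose is to finish before the first verification is left at whatever priority the ThreadPool assigns by default; stating it explicitly, e.g. `{base::MayBlock(), base::TaskPriority::USER_VISIBLE, base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},`, records the intent and survives a change of the default. `CONTINUE_ON_SHUTDOWN` is only safe here because the target is a `base::NoDestructor` global that is never torn down; a one-line comment on the traits should state that dependency so a future switch away from `NoDestructor` does not silently turn this into a use-after-destroy. Calling the function twice, which the two gated call sites could do if their gates ever overlap, posts two tasks; the second is a no-op under the cache lock, and that should be said at the declaration in the header.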
+++ b/net/cert/internal/system_trust_store.h
@@ -8,6 +8,7 @@
 #include
 
 #include "base/memory/ref_counted.h"
+#include "build/build_config.h"
 #include "net/base/net_export.h"
 #include "net/cert/internal/parsed_certificate.h"
 
@@ -71,6 +72,11 @@ NET_EXPORT std::unique_ptr CreateSslSystemTrustStore();
 // store integration is not supported.)
 NET_EXPORT std::unique_ptr CreateEmptySystemTrustStore();
 
+#if defined(OS_MAC)
+// Initializes trust cache on a worker thread.
+NET_EXPORT void InitializeTrustStoreMacCache();
+#endif
+
 } // namespace net
 
 #endif // NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_
diff --git a/net/cert/internal/trust_store_mac.cc b/net/cert/internal/trust_store_mac.cc
index 7bd923563bd22d..33407e2f1d4f87 100644
--- a/net/cert/internal/trust_store_mac.cc
+++ b/net/cert/internal/trust_store_mac.cc
@@ -516,6 +516,12 @@ class TrustStoreMac::TrustCache {
 return TrustStatus::UNSPECIFIED;
 }
 
+ // Initializes the cache, if it isn't already initialized.
+ void InitializeTrustCache() {
+ base::AutoLock lock(cache_lock_);
+ MaybeInitializeCache();
+ }
+
 private:
 // (Re-)Initialize the cache if necessary. Must be called after acquiring
 // |cache_lock_| and before accessing any of the |*_domain_cache_| members.
@@ -555,6 +561,10 @@ TrustStoreMac::TrustStoreMac(CFStringRef policy_oid)
 
 TrustStoreMac::~TrustStoreMac() = default;
 
+void TrustStoreMac::InitializeTrustCache() const {
+ trust_cache_->InitializeTrustCache();
+}
+
 bool TrustStoreMac::IsKnownRoot(const ParsedCertificate* cert) const {
 return trust_cache_->IsKnownRoot(cert);
 }
diff --git a/net/cert/internal/trust_store_mac.h b/net/cert/internal/trust_store_mac.h
index b88323709b2833..c3f227d40a305d 100644
--- a/net/cert/internal/trust_store_mac.h
+++ b/net/cert/internal/trust_store_mac.h
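Review bot: The comment on the new `InitializeTrustStoreMacCache()` declaration says only that the cache is initialized on a worker thread; a caller also needs to know that the call returns immediately, that repeat calls are harmless, and what a verification that arrives mid-build will experience. Suggested replacement: `// Posts a ThreadPool task that builds the global TrustStoreMac trust cache so the cost is not paid by the first verification. Returns immediately and is safe to call more than once (the cache is built at most once). A verification that runs while the build is in progress waits on the cache lock.` The last point follows from `TrustCache::InitializeTrustCache()` holding `cache_lock_` around `MaybeInitializeCache()` in trust_store_mac.cc.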
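Review bot: `TrustCache::InitializeTrustCache()` holds `cache_lock_` for the entire `MaybeInitializeCache()`, so a verification that arrives while the pre-warm task is building the cache blocks on the lock for the whole build — the change moves where that latency is paid rather than bounding it, which is fine if intended, but the comment should say so: `// Holds |cache_lock_| for the whole build; a verification that arrives meanwhile waits for it.` The `const` on the new `TrustStoreMac::InitializeTrustCache()` in the second hunk matches `IsKnownRoot()` but reads oddly for a method whose only effect is to populate state; a one-line comment that the cache is a lock-protected, lazily built member reached through `trust_cache_` would explain it. `TrustCache` is defined before the first hunk and the rest of `TrustStoreMac` lies outside both.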
@@ -95,6 +95,9 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
 explicit TrustStoreMac(CFStringRef policy_oid);
 ~TrustStoreMac() override;
 
+ // Initializes the trust cache, if it isn't already initialized.
+ void InitializeTrustCache() const;
+
 // Returns true if the given certificate is present in the system trust
 // domain.
 bool IsKnownRoot(const ParsedCertificate* cert) const;
diff --git a/services/network/network_service.cc b/services/network/network_service.cc
index 1c1161dd8c5046..a1374cdcdfd55a 100644
--- a/services/network/network_service.cc
+++ b/services/network/network_service.cc
@@ -29,12 +29,14 @@
 #include "components/os_crypt/os_crypt.h"
 #include "mojo/public/cpp/bindings/scoped_message_error_crash_key.h"
 #include "mojo/public/cpp/system/functions.h"
+#include "net/base/features.h"
 #include "net/base/logging_network_change_observer.h"
 #include "net/base/network_change_notifier.h"
 #include "net/base/network_change_notifier_posix.h"
 #include "net/base/port_util.h"
 #include "net/cert/cert_database.h"
 #include "net/cert/ct_log_response_parser.h"
+#include "net/cert/internal/system_trust_store.h"
 #include "net/cert/signed_tree_head.h"
 #include "net/cookies/cookie_util.h"
 #include "net/dns/host_resolver.h"
@@ -323,6 +325,14 @@ void NetworkService::Initialize(mojom::NetworkServiceParamsPtr params,
 
 base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
 
+#if defined(OS_MAC)
+ if (!base::FeatureList::IsEnabled(network::features::kCertVerifierService) &&
+ base::FeatureList::IsEnabled(
+ net::features::kCertVerifierBuiltinFeature)) {
+ net::InitializeTrustStoreMacCache();
+ }
+#endif
+
 // Set-up the global port overrides.
 if (command_line->HasSwitch(switches::kExplicitlyAllowedPorts)) {
 std::string allowed_ports =
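Review bot: The comment on the new public `TrustStoreMac::InitializeTrustCache()` declaration repeats the one on the private `TrustCache` method and leaves out what a caller of an exported method needs: the call blocks until the cache is built, only the first effective call does real work, and it is presumably safe from any thread because the build happens under the cache lock (the `base::AutoLock` in trust_store_mac.cc). Suggested: `// Builds the trust cache now if it has not been built yet and blocks until it is built; repeat calls are no-ops. Serialized with verification on the cache lock.` The rest of the `TrustStoreMac` class, including `IsKnownRoot()`, lies outside the hunk.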