feat: introduce os_crypt_async in safeStorage (#49054)

* feat: support Freedesktop Secret Service OSCrypt client Refs https://issues.chromium.org/issues/40086962 Refs https://issues.chromium.org/issues/447372315 * chore: rework to async interface * refactor: allow customizing freedesktop config * docs: add more async impl info * refactor: reject when temporarily unavailable * chore: feedback from review * chore: push_back => emplace_back
2026-04-10 03:01:51 -04:00 · 2026-02-15 19:54:50 +01:00
parent dcdbb0397e
commit eb29568e45
19 changed files with 970 additions and 875 deletions
--- a/shell/browser/net/network_context_service.cc
+++ b/shell/browser/net/network_context_service.cc
@@ -14,6 +14,7 @@
 #include "net/http/http_util.h"
 #include "net/net_buildflags.h"
 #include "services/network/network_service.h"
+#include "services/network/public/cpp/cookie_encryption_provider_impl.h"
 #include "services/network/public/cpp/cors/origin_access_list.h"
 #include "shell/browser/browser_process_impl.h"
 #include "shell/browser/electron_browser_client.h"
@@ -114,6 +115,18 @@ void NetworkContextService::ConfigureNetworkContextParams(
    network_context_params->enable_encrypted_cookies =
        electron::fuses::IsCookieEncryptionEnabled();

+    // If cookie encryption is enabled, we need to provide a cookie encryption
+    // provider for the network service to use.
+    if (network_context_params->enable_encrypted_cookies) {
+      if (!cookie_encryption_provider_) {
+        cookie_encryption_provider_ =
+            std::make_unique<CookieEncryptionProviderImpl>(
+                g_browser_process->os_crypt_async());
+      }
+      network_context_params->cookie_encryption_provider =
+          cookie_encryption_provider_->BindNewRemote();
+    }
+
    network_context_params->file_paths->transport_security_persister_file_name =
        base::FilePath(chrome::kTransportSecurityPersisterFilename);
  }
--- a/shell/browser/net/network_context_service.h
+++ b/shell/browser/net/network_context_service.h
@@ -5,12 +5,16 @@
 #ifndef ELECTRON_SHELL_BROWSER_NET_NETWORK_CONTEXT_SERVICE_H_
 #define ELECTRON_SHELL_BROWSER_NET_NETWORK_CONTEXT_SERVICE_H_

+#include <memory>
+
 #include "base/memory/raw_ptr.h"
 #include "chrome/browser/net/proxy_config_monitor.h"
 #include "components/keyed_service/core/keyed_service.h"
 #include "services/cert_verifier/public/mojom/cert_verifier_service_factory.mojom-forward.h"
 #include "services/network/public/mojom/network_context.mojom-forward.h"

+class CookieEncryptionProviderImpl;
+
 namespace base {
 class FilePath;
 }  // namespace base
@@ -46,6 +50,7 @@ class NetworkContextService : public KeyedService {

  raw_ptr<ElectronBrowserContext> browser_context_;
  ProxyConfigMonitor proxy_config_monitor_;
+  std::unique_ptr<CookieEncryptionProviderImpl> cookie_encryption_provider_;
 };

 }  // namespace electron
--- a/shell/browser/net/system_network_context_manager.cc
+++ b/shell/browser/net/system_network_context_manager.cc
@@ -280,7 +280,12 @@ void SystemNetworkContextManager::OnNetworkServiceCreated(
  // process, send it the required key.
  if (content::IsOutOfProcessNetworkService() &&
      electron::fuses::IsCookieEncryptionEnabled()) {
+    // On Windows, OSCrypt Async manages the encryption key via the DPAPI key
+    // provider, and there is no need to send the key separately to OSCrypt
+    // sync.
+#if !BUILDFLAG(IS_WIN)
    network_service->SetEncryptionKey(OSCrypt::GetRawEncryptionKey());
+#endif
  }
 }