
Issue 787602

Starred by 4 users

Issue metadata

Status: Verified
Owner:
Closed: Aug 23
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Regression




ChromeOS issue: Trusted CA certs are not loaded on session start

Project Member Reported by ykrychala@google.com, Nov 21 2017

Issue description

ChromeOS version: 62.0.3202.82 
ChromeOS device model: HP Chromebox CB1-(000-099) / HP Chromebox G1/ HP Chromebox for Meetings 
Case#: 14059083

Description:
Starting on v61.0.3163.123, when the users log in to the Chromebook, once the Start up pages are launched, they get a message that the Connection is not private. 
However, once they reload the page, everything starts working properly. So, the start up pages are loading before the certificates.

Steps to reproduce: 
- Sign in to the Chromebooks 
- Startup pages load with "Your Connection is not private" message and error ERR_CERT_AUTHORITY_INVALID
- Hit refresh and everything is working fine again 

Current Behavior / Reproduction: 
Startup pages are loading before the certs 

Expected Behavior: 
For the certificates to load before the startup pages

Drive link to logs: 
https://drive.google.com/open?id=19l0NmDzobyHYToG17XpLU2DGuerBe2m1

Video of the issue:
https://drive.google.com/open?id=1EJ3W1qQXQ6qmxxIwpLy_Ri1pvIo83hK_

Certificates:
https://drive.google.com/open?id=165tpDM4_0uJDYODlpARSaxrcEkRlc6r_

Policies:
https://drive.google.com/open?id=1Ig_1w0TKi3pBc9nULV2LCTFCWqJ3jWbZ

Screenshots:
https://drive.google.com/open?id=1tPNnFKr3gxoPSNge8yxSsmSkWSDEBae_
https://drive.google.com/open?id=1YgSAefEvwUidgNOEbfv_AH1qkezRPsW2
https://drive.google.com/open?id=1EDjmpIYDNrnBikmuYPWWvr9FXRCSyP2Z
https://drive.google.com/open?id=14J9no5IGXHs6cNBABVczCCflGZyV8P2Q

 
Cc: jayhlee@google.com josa...@google.com kotah@chromium.org ykrychala@google.com
Labels: M-61 M-62
Labels: -Type-Bug Type-Bug-Regression
Components: Internals>Network>Certificate
Owner: dskaram@chromium.org
Assigning to dskaram@ to triage ChromeOS system startup issues. Perhaps ordering changed with how tokens are loaded and initialized and/or how policies are applied. The application of ChromeOS enterprise policies around trusted certs is not really owned by Internals>Network>Certificate, but I'm not sure what the better component is.

Comment 5 by dskaram@google.com, Nov 24 2017

Cc: pmarko@chromium.org
+pmarko who made some changes in this area recently. Any ideas what might have broken this?

Comment 6 by pmarko@chromium.org, Nov 24 2017

Owner: pmarko@chromium.org
Does this happen on first sign-in only, or also on a subsequent sign-in?

I'm not sure we have a mechanism to delay start page loading until policy-pushed CA certs are applied; I'll check.
I'll check with customer regarding subsequent sign-ins.
Customer replied the issue happens every single sign in

Comment 9 by pmarko@chromium.org, Nov 28 2017

Thanks for confirming. And the start-up pages are set through the "RestoreOnStartupURLs" policy?
Yes, the customer has set up the pages on the Admin Console using the "Pages to Load on Startup" policy. I hope this helps
Cc: atwilson@chromium.org
Status: Assigned (was: Unconfirmed)
+Drew FYI

I couldn't reproduce this locally despite several attempts, but the fact is that we have no logic delaying user session start until CA certificate import is finished. We are probably lucky in most cases and it's fast enough to finish before anyone notices, but in this case, the sign-in and start page load is so fast that it hasn't finished yet. This case also has two certificates which are not valid Authority certificates in the ONC policy, but this doesn't seem to change timing on my device.

Anyway we should make sure to delay user session start until UserNetworkConfigurationUpdater::pending_certificates_onc_ is empty and there's no started certificate_importer_->ImportCertificates(..) task which hasn't finished yet.

I'll investigate options to do this on Monday; wiring this up into UserCloudPolicyManagerChromeOS::IsInitializationComplete / ConfigurationPolicyPrefStore::IsInitializationComplete does not seem like a good design.
Components: -Internals>Network>Certificate Enterprise
Status: Started (was: Assigned)
Cc: msnoxell@chromium.org
@pmarko

Is there any update for this issue?
I'm working on a CL at the moment, it should be in review today/tomorrow.
FYI, I'm still actively working on this, I ran into some implementation issues. I'll keep you updated.
Note to self:
New approach (using NSS temp certs - not waiting for private slot at all): https://chromium-review.googlesource.com/c/chromium/src/+/873810

Previous, probably obsolete approach (using permanently imported NSS certs, but not waiting for private slot on subsequent sign-ins):
https://chromium-review.googlesource.com/c/chromium/src/+/866500
This is my issue that I originally encountered and raised to the Google Enterprise support group who then escalated it to your team.  I'm glad to see you guys are working on it and seemingly close to a resolution!
Project Member

Comment 19 by bugdroid1@chromium.org, Feb 5 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5b4d4fbd50b83a04787141b62aae417efdf4e03b

commit 5b4d4fbd50b83a04787141b62aae417efdf4e03b
Author: Pavol Marko <pmarko@chromium.org>
Date: Mon Feb 05 10:08:46 2018

Rename UntrustedAuthorityCertsCache to TempCertsCacheNSS

TempCertsCacheNSS is a better name, because
(*) the class is NSS-specific
(*) it makes certificates available to NSS as NSS "temp certificates"
(*) it can not only be used for authority certificates, but also for
server certificates.

TempCertsCacheNSS will be used in a follow-up CL to make policy-set
server and authority certificates available without permanently
importing them.

Bug:  787602 
Change-Id: I2f889c275a8e24cc15b91a9c348e3273ffd8566a
Reviewed-on: https://chromium-review.googlesource.com/899062
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534357}
[modify] https://crrev.com/5b4d4fbd50b83a04787141b62aae417efdf4e03b/chrome/browser/chromeos/BUILD.gn
[add] https://crrev.com/5b4d4fbd50b83a04787141b62aae417efdf4e03b/chrome/browser/chromeos/policy/temp_certs_cache_nss.cc
[add] https://crrev.com/5b4d4fbd50b83a04787141b62aae417efdf4e03b/chrome/browser/chromeos/policy/temp_certs_cache_nss.h
[rename] https://crrev.com/5b4d4fbd50b83a04787141b62aae417efdf4e03b/chrome/browser/chromeos/policy/temp_certs_cache_nss_unittest.cc
[delete] https://crrev.com/b247fdd9263f6bf166b330ef875845d65f696992/chrome/browser/chromeos/policy/untrusted_authority_certs_cache.cc
[delete] https://crrev.com/b247fdd9263f6bf166b330ef875845d65f696992/chrome/browser/chromeos/policy/untrusted_authority_certs_cache.h
[modify] https://crrev.com/5b4d4fbd50b83a04787141b62aae417efdf4e03b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
[modify] https://crrev.com/5b4d4fbd50b83a04787141b62aae417efdf4e03b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h

Project Member

Comment 20 by bugdroid1@chromium.org, Feb 6 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a69b546a122ea276d510e9f61b7f48c8d930f761

commit a69b546a122ea276d510e9f61b7f48c8d930f761
Author: Pavol Marko <pmarko@chromium.org>
Date: Tue Feb 06 18:11:57 2018

Split ONC certificate parsing from certificate import

Move parsing of the 'Certificates' section of ONC to the new class
OncParsedCertificates. CertificateImporter uses this as its input.
This is a preparation for not importing policy-provided server and
authority certificates into the NSS database anymore, but only making
them available as temporary NSS certificates.

Bug: 787602
Test: unit_tests --gtest_filter=*NetworkConfigurationUpdater* &&
      chromeos_unittests --gtest_filter=*CertificateImporter* &&
      chromeos_unittests --gtest_filter=OncParsedCertificatesTest*
Change-Id: Id42f512c9b2287eb582ef3f6ade6b31f32eaf024
Reviewed-on: https://chromium-review.googlesource.com/898963
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534719}
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chrome/browser/chromeos/policy/user_network_configuration_updater.cc
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chrome/browser/ui/webui/net_internals/net_internals_ui.cc
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/BUILD.gn
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/network/onc/onc_certificate_importer.h
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/network/onc/onc_certificate_importer_impl.cc
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/network/onc/onc_certificate_importer_impl.h
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/network/onc/onc_certificate_importer_impl_unittest.cc
[add] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/network/onc/onc_parsed_certificates.cc
[add] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/network/onc/onc_parsed_certificates.h
[add] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/network/onc/onc_parsed_certificates_unittest.cc
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/network/onc/onc_utils.cc
[modify] https://crrev.com/a69b546a122ea276d510e9f61b7f48c8d930f761/chromeos/network/onc/onc_utils.h

Are there any updates on this issue?  Is it still being worked on?  It's been over 2 months seemingly without progress now.
Sorry for the delay, we're still actively working on this. We had to decide which direction to take for the further work. I'll keep you updated.
Our school year is about to begin in 2 weeks.  It's amazing to me that an issue that I reported October 30th of last year is still outstanding.  What is the current status?  Do we have any hope of this getting resolved anytime soon?
It is unfortunate that this takes such a long while - that is because we have to do big changes in the policy-set certificate handling to fix this issue.

The code changes are almost ready to be submitted; if you'd like to follow along:
https://chromium-review.googlesource.com/c/chromium/src/+/873810
https://chromium-review.googlesource.com/c/chromium/src/+/916681
https://chromium-review.googlesource.com/c/chromium/src/+/1124853

Realistically, I'd hope that these will land in the next 2..3 weeks, which would mean that this fix would reach Chrome M-70.
Cc: bralvarez@chromium.org emaxx@chromium.org
+Brennan as this is probably the same issue seen in the Web Authorities for Kiosk/{P,M}S Trusted Tester Campaign.

+emaxx@ for context on the CLs :-)
Cc: maxkirsch@chromium.org
Labels: -M-61 -M-62 M-70
Targeting M-70 now which branches on Aug 30th.
Project Member

Comment 28 by bugdroid1@chromium.org, Aug 22

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/75282ee158fd2f99e79dbc59343a0988d396644d

commit 75282ee158fd2f99e79dbc59343a0988d396644d
Author: Pavol Marko <pmarko@chromium.org>
Date: Wed Aug 22 22:35:42 2018

Make policy-set trust anchors available early on session start

The goal is to make policy-set trust anchors available as early
as possible, instead of waiting for the user's private slot to be
initialized.

The following changes were made to achieve this:
- UserNetworkConfigurationUpdater makes server and CA certificates
  available to observers as soon as ONC policy comes in.
- UserNetworkConfigurationUpdater does not pass server and CA
  certificates to CertificateImporter for permanent import anymore.
  Only Client certificates are permanently imported from user policy.
- PolicyCertService (which observes for user-policy-set cert changes)
  makes all user-policy-set server and authority certificates available
  to NSS as temp certificates through TempCertsCacheNSS.

Planned follow-up work:
The policy-set certs are not displayed in the Certificates settings
view. A follow-up CL (CL:916681) will add support for that.

Bug: 787602
Test: unit_tests --gtest_filter=*NetworkConfigurationUpdater* &&
      browser_tests --gtest_filter=*PolicyProvided*
Change-Id: I71aa8f1f91849b0b0ad24eb81ce3d1863fe7959c
Reviewed-on: https://chromium-review.googlesource.com/873810
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585286}
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/login/users/multi_profile_user_controller_unittest.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/device_network_configuration_updater.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/device_network_configuration_updater.h
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/policy_cert_service.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/policy_cert_service.h
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/temp_certs_cache_nss.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/temp_certs_cache_nss.h
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/temp_certs_cache_nss_unittest.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/user_network_configuration_updater.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/user_network_configuration_updater.h
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/ui/ash/session_controller_client_unittest.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/ui/webui/certificates_handler.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chrome/browser/ui/webui/net_internals/net_internals_ui.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chromeos/network/onc/onc_certificate_importer.h
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chromeos/network/onc/onc_certificate_importer_impl.cc
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chromeos/network/onc/onc_certificate_importer_impl.h
[modify] https://crrev.com/75282ee158fd2f99e79dbc59343a0988d396644d/chromeos/network/onc/onc_certificate_importer_impl_unittest.cc

Project Member

Comment 29 by bugdroid1@chromium.org, Aug 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b429f54e6c9be6a420d01e82e07c93a6912cbe9f

commit b429f54e6c9be6a420d01e82e07c93a6912cbe9f
Author: Pavol Marko <pmarko@chromium.org>
Date: Thu Aug 23 06:08:19 2018

certificate_manager_model: Properly support policy and extension provided certs

Refactor CertificateManagerModel to internally use one or more "CertsSource"s
to retrieve certificates to be listed.
The main "CertsSource" is tied to the user's NSSCertDatabase.
On Chrome OS, there are additionally PolicyCertsSource and ExtensionCertsSource,
which list certificates provided by user policy and extensions, respectively.

There is a pre-defined priority handling:
PolicyCertsSource > PlatformCertsSourceNSS > ExtensionCertsSource.
This means that if e.g. a CA certificate is provided by policy and is also
present in the user's NSS Database, the certificate manager will display
the policy version (e.g. the cert will not be deletable, trust settings can
not be changed).

BUG:  787602 ,720159
Test: unit_tests --gtest_filter=*CertificateManagerModel*

Cq-Include-Trybots: luci.chromium.try:closure_compilation
Change-Id: I73ff91070b1362afee37bff2413fb56cf4bc06ae
Reviewed-on: https://chromium-review.googlesource.com/916681
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585411}
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/certificate_manager_model.cc
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/certificate_manager_model.h
[add] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/certificate_manager_model_unittest.cc
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/BUILD.gn
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/policy/policy_cert_service.h
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/policy/policy_cert_service_factory.cc
[add] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/policy/policy_certificate_provider.h
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/policy/user_network_configuration_updater.cc
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/policy/user_network_configuration_updater.h
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/policy/user_network_configuration_updater_factory.cc
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/policy/user_network_configuration_updater_factory.h
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/ui/webui/certificates_handler.cc
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/browser/ui/webui/certificates_handler.h
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/chrome/test/BUILD.gn
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/net/cert/nss_cert_database.cc
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/net/cert/nss_cert_database.h
[modify] https://crrev.com/b429f54e6c9be6a420d01e82e07c93a6912cbe9f/ui/webui/resources/cr_components/certificate_manager/certificates_browser_proxy.js
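
The priority rule from the commit message above (PolicyCertsSource > PlatformCertsSourceNSS > ExtensionCertsSource), as an added sketch that is not Chromium's code: when the same certificate arrives from several sources, the highest-priority copy is the one listed, and a policy copy is neither deletable nor trust-editable. All type and function names, the string fingerprints and the sample data are hypothetical; the handling of extension-provided entries is an assumption.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical model of the three certificate sources named in the commit.
enum class Source { kExtension, kPlatformNss, kPolicy };

// Priority order from the commit message; a higher value wins on a duplicate.
int Priority(Source s) {
  switch (s) {
    case Source::kPolicy:      return 2;
    case Source::kPlatformNss: return 1;
    case Source::kExtension:   return 0;
  }
  return -1;
}

struct CertEntry {
  std::string fingerprint;  // stand-in for a hash of the DER encoding
  std::string label;
  Source source;
};

struct DisplayedCert {
  CertEntry cert;
  bool deletable;
  bool trust_editable;
  bool policy_indicator;  // badge shown next to policy-provided entries
};

// Collapses duplicates (same fingerprint) to the copy from the highest
// priority source, then derives what the user may do with each entry.
std::vector<DisplayedCert> MergeBySourcePriority(
    const std::vector<CertEntry>& all_entries) {
  std::map<std::string, CertEntry> winners;
  for (const CertEntry& entry : all_entries) {
    auto it = winners.find(entry.fingerprint);
    if (it == winners.end()) {
      winners.emplace(entry.fingerprint, entry);
    } else if (Priority(entry.source) > Priority(it->second.source)) {
      it->second = entry;  // policy beats platform, platform beats extension
    }
  }

  std::vector<DisplayedCert> out;
  for (const auto& kv : winners) {
    const CertEntry& entry = kv.second;
    // Assumption for this sketch: only entries owned by the user's NSS
    // database can be deleted or have their trust settings changed.
    const bool user_owned = entry.source == Source::kPlatformNss;
    out.push_back(DisplayedCert{entry, user_owned, user_owned,
                                entry.source == Source::kPolicy});
  }
  return out;  // ordered by fingerprint (std::map iteration order)
}

// Constructed sample: "aa" is pushed by policy and was also imported by the
// user; "bb" is in the user's database and offered by an extension.
std::vector<CertEntry> ConstructedSample() {
  return {
      {"bb", "User CA (extension copy)", Source::kExtension},
      {"aa", "Corp Root CA (user import)", Source::kPlatformNss},
      {"cc", "Extension-only CA", Source::kExtension},
      {"aa", "Corp Root CA (policy)", Source::kPolicy},
      {"bb", "User CA", Source::kPlatformNss},
  };
}

int main() {
  for (const DisplayedCert& d : MergeBySourcePriority(ConstructedSample())) {
    std::cout << d.cert.fingerprint << "  " << d.cert.label
              << (d.policy_indicator ? "  [policy]" : "")
              << (d.deletable ? "  [deletable]" : "") << "\n";
  }
  return 0;
}
```

The result does not depend on the order in which sources report, so a policy-provided trust anchor cannot be shadowed by an editable copy that was listed first.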

Project Member

Comment 30 by bugdroid1@chromium.org, Aug 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/af8230d617d143c02e7be5918d548a5d5e83f6d6

commit af8230d617d143c02e7be5918d548a5d5e83f6d6
Author: Pavol Marko <pmarko@chromium.org>
Date: Thu Aug 23 08:34:27 2018

Display policy indicator on certificates UI

Mark policy-provided certificates using a policy indicator on the
certificates UI (chrome://settings/certificates).

UI Preview: https://screenshot.googleplex.com/fnM5QZLjBe5

Bug: 859950,  787602 
Cq-Include-Trybots: luci.chromium.try:closure_compilation
Change-Id: Iad7bf5e5862bb2a5965db65302e10fe8bb14735f
Reviewed-on: https://chromium-review.googlesource.com/1124853
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585428}
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/chrome/browser/ui/webui/certificates_handler.cc
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/chrome/test/data/webui/settings/certificate_manager_test.js
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/ui/webui/resources/cr_components/certificate_manager/BUILD.gn
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/ui/webui/resources/cr_components/certificate_manager/certificate_entry.html
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/ui/webui/resources/cr_components/certificate_manager/certificate_entry.js
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/ui/webui/resources/cr_components/certificate_manager/certificate_list.js
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/ui/webui/resources/cr_components/certificate_manager/certificate_manager.js
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/ui/webui/resources/cr_components/certificate_manager/certificate_subentry.html
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/ui/webui/resources/cr_components/certificate_manager/certificate_subentry.js
[modify] https://crrev.com/af8230d617d143c02e7be5918d548a5d5e83f6d6/ui/webui/resources/cr_components/certificate_manager/certificates_browser_proxy.js

Status: Fixed (was: Started)
This should be fixed with the CLs mentioned above.
I'll update this bug when a revision is published on Canary/Dev channel which contains the changes.
Project Member

Comment 32 by bugdroid1@chromium.org, Aug 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/33cde1119cd69130c1a30b0da433a34a40b0a64c

commit 33cde1119cd69130c1a30b0da433a34a40b0a64c
Author: Pavol Marko <pmarko@chromium.org>
Date: Thu Aug 23 13:19:25 2018

Temporarily disable CertificateManagerModelTest.ListsCertsFromPlatform

Instead of reverting the original CL. See CL:1186501 for details.

TBR=mattm@chromium.org

Bug:  787602 
Change-Id: I71e48d675268c64fe989e3fea60c999ec74b37c3
Reviewed-on: https://chromium-review.googlesource.com/1186581
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585464}
[modify] https://crrev.com/33cde1119cd69130c1a30b0da433a34a40b0a64c/chrome/browser/certificate_manager_model_unittest.cc

Tracking flakiness of CertificateManagerModelTest.ListsCertsFromPlatform in bug 877416 now to decouple from this.
Quick update: The changes above are included in 70.0.3531.0 which is not yet in dev channel (but should get there soon).
Status: Verified (was: Fixed)
verified using M70 11012.0.0 70.0.3532.0
Project Member

Comment 36 by bugdroid1@chromium.org, Sep 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3bab3afdf6aaa15977e6041948c4432cdde1ebdc

commit 3bab3afdf6aaa15977e6041948c4432cdde1ebdc
Author: Pavol Marko <pmarko@chromium.org>
Date: Mon Sep 24 14:42:17 2018

Make CertLoader aware of policy-provided authority certificates

Make CertLoader explicitly aware of authority certificates provided by
device and user policy.
Rationale: Since the refactoring in  https://crbug.com/787602 ,
policy-provided certificates are not imported into the user's NSS
Database anymore. As a bonus, this also makes device policy provided CA
certificates available to CertLoader (and thus the chromeos network UI).

To do this in a clean way,
(*) The PolicyCertificateProvider interface has been moved from
    chrome/browser/chromeos/policy/ to chromeos/ so it is accessible
    from chromeos/cert_loader.{h,cc}.
(*) Implementation of the PolicyCertificateProvider has been pushed from
    UserNetworkConfigurationUpdater into the base class
    NetworkConfigurationUpdater, so DeviceNetworkConfigurationUpdater
    also implements the interface now.
(*) CertLoader can now accept a PolicyCertificateProvider for device and
    user policy.
(*) The chromeos-specific code in chrome/browser/chromeos now passes the
    global DeviceNetworkConfigurationUpdater and the primary profile's
    UserNetworkConfigurationUpdater to CertLoader.

Bug: 882641, 787602
Test: chromeos_unittests --gtest_filter=*CertLoader* &&
      browser_test --gtest_filter=PolicyProvidedTrustAnchorsRegularUserTest.AuthorityAvailableThroughCertLoader
Change-Id: Iafb213150f3c9dbfdfe1ecd1a1f9d2a0099a30f2
Reviewed-on: https://chromium-review.googlesource.com/1231937
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Alexander Hendrich <hendrich@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593534}
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/certificate_manager_model.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/certificate_manager_model.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/certificate_manager_model_unittest.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/BUILD.gn
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/device_network_configuration_updater.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/device_network_configuration_updater.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/network_configuration_updater.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/network_configuration_updater.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/policy_cert_service.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/user_network_configuration_updater.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/user_network_configuration_updater.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/BUILD.gn
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/cert_loader.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/cert_loader.h
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/cert_loader_unittest.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/network/client_cert_resolver.cc
[modify] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/network/client_cert_resolver_unittest.cc
[rename] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/policy_certificate_provider.h
[add] https://crrev.com/3bab3afdf6aaa15977e6041948c4432cdde1ebdc/chromeos/test/data/network/root_ca_cert.pem

Project Member

Comment 37 by bugdroid1@chromium.org, Oct 1

Labels: merge-merged-3538
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e4492101680e841bd69b31cd87b6949b229dc05a

commit e4492101680e841bd69b31cd87b6949b229dc05a
Author: Pavol Marko <pmarko@chromium.org>
Date: Mon Oct 01 21:58:39 2018

[Merge to M70] Make CertLoader aware of policy-provided authority certificates

Make CertLoader explicitly aware of authority certificates provided by
device and user policy.
Rationale: Since the refactoring in  https://crbug.com/787602 ,
policy-provided certificates are not imported into the user's NSS
Database anymore. As a bonus, this also makes device policy provided CA
certificates available to CertLoader (and thus the chromeos network UI).

To do this in a clean way,
(*) The PolicyCertificateProvider interface has been moved from
    chrome/browser/chromeos/policy/ to chromeos/ so it is accessible
    from chromeos/cert_loader.{h,cc}.
(*) Implementation of the PolicyCertificateProvider has been pushed from
    UserNetworkConfigurationUpdater into the base class
    NetworkConfigurationUpdater, so DeviceNetworkConfigurationUpdater
    also implements the interface now.
(*) CertLoader can now accept a PolicyCertificateProvider for device and
    user policy.
(*) The chromeos-specific code in chrome/browser/chromeos now passes the
    global DeviceNetworkConfigurationUpdater and the primary profile's
    UserNetworkConfigurationUpdater to CertLoader.

TBR=pmarko@chromium.org

(cherry picked from commit 3bab3afdf6aaa15977e6041948c4432cdde1ebdc)

Bug: 882641, 787602
Test: chromeos_unittests --gtest_filter=*CertLoader* &&
      browser_test --gtest_filter=PolicyProvidedTrustAnchorsRegularUserTest.AuthorityAvailableThroughCertLoader
Change-Id: Iafb213150f3c9dbfdfe1ecd1a1f9d2a0099a30f2
Reviewed-on: https://chromium-review.googlesource.com/1231937
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Alexander Hendrich <hendrich@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#593534}
Reviewed-on: https://chromium-review.googlesource.com/1253625
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#792}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/certificate_manager_model.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/certificate_manager_model.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/certificate_manager_model_unittest.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/BUILD.gn
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/device_network_configuration_updater.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/device_network_configuration_updater.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/network_configuration_updater.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/network_configuration_updater.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/policy_cert_service.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/user_network_configuration_updater.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/user_network_configuration_updater.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/BUILD.gn
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/cert_loader.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/cert_loader.h
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/cert_loader_unittest.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/network/client_cert_resolver.cc
[modify] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/network/client_cert_resolver_unittest.cc
[rename] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/policy_certificate_provider.h
[add] https://crrev.com/e4492101680e841bd69b31cd87b6949b229dc05a/chromeos/test/data/network/root_ca_cert.pem

FYI, merge approval for the CL mentioned in Comment #37 has been granted on  https://crbug.com/882641  .
Awesome!  Thank you all so very much!  I can't wait for this to be rolled
out to us now.
Now that M70 is in Stable, would you mind confirming if this has indeed fixed your issue?
I've verified with about 20% of my devices so far that once upgraded to 70,
the issue does not occur.  Thank you all so much for working so long and
diligently to solve this!
Cool, that's good to hear!

No need to thank us, this should work :-) I was surprised the issue wasn't more widespread. Apologies that it took so long to fix.
