Commit 49631886 authored by mattm@chromium.org's avatar mattm@chromium.org

Add GetSystemNSSKeySlot, merge GetPrivateNSSKeySlot/GetPublicNSSKeySlot to GetPersistentNSSKeySlot.

GetSystemNSSKeySlot returns the ChromeOS system-wide TPM slot.

ChromeOS has separate slots for each user and linux doesn't have a public/private split, so GetPrivateNSSKeySlot no longer makes sense.

BUG=210525
TBR=stevenjb@chromium.org

Review URL: https://codereview.chromium.org/383593002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282862 0039d316-1c4b-4281-b951-d872f2087c98
parent c493c551
......@@ -46,7 +46,7 @@ class PolicyCertVerifierTest : public testing::Test {
cert_verifier_.reset(new PolicyCertVerifier(base::Bind(
&PolicyCertVerifierTest::OnTrustAnchorUsed, base::Unretained(this))));
cert_verifier_->InitializeOnIOThread(new chromeos::CertVerifyProcChromeOS(
crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot())));
crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot())));
test_ca_cert_ = LoadCertificate("root_ca_cert.pem", net::CA_CERT);
ASSERT_TRUE(test_ca_cert_);
......
......@@ -11,14 +11,14 @@
crypto::ScopedPK11Slot GetPublicNSSKeySlotForResourceContext(
content::ResourceContext* context) {
DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
return crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot());
return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
}
crypto::ScopedPK11Slot GetPrivateNSSKeySlotForResourceContext(
content::ResourceContext* context,
const base::Callback<void(crypto::ScopedPK11Slot)>& callback) {
DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
return crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot());
return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
}
net::NSSCertDatabase* GetNSSCertDatabaseForResourceContext(
......
......@@ -195,7 +195,7 @@ void TPMTokenLoader::ContinueTokenInitialization() {
crypto_task_runner_->PostTask(
FROM_HERE,
base::Bind(
&crypto::InitializeTPMToken,
&crypto::InitializeTPMTokenAndSystemSlot,
tpm_token_slot_id_,
base::Bind(&PostResultToTaskRunner,
base::MessageLoopProxy::current(),
......
......@@ -316,8 +316,9 @@ class NSSInitSingleton {
return tpm_token_enabled_for_nss_;
}
void InitializeTPMToken(int token_slot_id,
const base::Callback<void(bool)>& callback) {
void InitializeTPMTokenAndSystemSlot(
int system_slot_id,
const base::Callback<void(bool)>& callback) {
DCHECK(thread_checker_.CalledOnValidThread());
// Should not be called while there is already an initialization in
// progress.
......@@ -345,9 +346,9 @@ class NSSInitSingleton {
if (base::WorkerPool::PostTaskAndReply(
FROM_HERE,
base::Bind(&NSSInitSingleton::InitializeTPMTokenOnWorkerThread,
token_slot_id,
system_slot_id,
tpm_args_ptr),
base::Bind(&NSSInitSingleton::OnInitializedTPMToken,
base::Bind(&NSSInitSingleton::OnInitializedTPMTokenAndSystemSlot,
base::Unretained(this), // NSSInitSingleton is leaky
callback,
base::Passed(&tpm_args)),
......@@ -382,8 +383,9 @@ class NSSInitSingleton {
}
}
void OnInitializedTPMToken(const base::Callback<void(bool)>& callback,
scoped_ptr<TPMModuleAndSlot> tpm_args) {
void OnInitializedTPMTokenAndSystemSlot(
const base::Callback<void(bool)>& callback,
scoped_ptr<TPMModuleAndSlot> tpm_args) {
DCHECK(thread_checker_.CalledOnValidThread());
DVLOG(2) << "Loaded chaps: " << !!tpm_args->chaps_module
<< ", got tpm slot: " << !!tpm_args->tpm_slot;
......@@ -624,7 +626,7 @@ class NSSInitSingleton {
ignore_result(g_test_nss_db_dir.Get().Delete());
}
PK11SlotInfo* GetPublicNSSKeySlot() {
PK11SlotInfo* GetPersistentNSSKeySlot() {
// TODO(mattm): Change to DCHECK when callers have been fixed.
if (!thread_checker_.CalledOnValidThread()) {
DVLOG(1) << "Called on wrong thread.\n"
......@@ -636,29 +638,24 @@ class NSSInitSingleton {
return PK11_GetInternalKeySlot();
}
PK11SlotInfo* GetPrivateNSSKeySlot() {
// TODO(mattm): Change to DCHECK when callers have been fixed.
if (!thread_checker_.CalledOnValidThread()) {
DVLOG(1) << "Called on wrong thread.\n"
<< base::debug::StackTrace().ToString();
}
#if defined(OS_CHROMEOS)
PK11SlotInfo* GetSystemNSSKeySlot() {
DCHECK(thread_checker_.CalledOnValidThread());
if (test_slot_)
return PK11_ReferenceSlot(test_slot_);
#if defined(OS_CHROMEOS)
if (tpm_token_enabled_for_nss_) {
if (IsTPMTokenReady(base::Closure())) {
return PK11_ReferenceSlot(tpm_slot_);
} else {
// If we were supposed to get the hardware token, but were
// unable to, return NULL rather than fall back to sofware.
return NULL;
}
}
#endif
return PK11_GetInternalKeySlot();
// TODO(mattm): chromeos::TPMTokenloader always calls
// InitializeTPMTokenAndSystemSlot with slot 0. If the system slot is
// disabled, tpm_slot_ will be the first user's slot instead. Can that be
// detected and return NULL instead?
if (tpm_token_enabled_for_nss_ && IsTPMTokenReady(base::Closure()))
return PK11_ReferenceSlot(tpm_slot_);
// If we were supposed to get the hardware token, but were
// unable to, return NULL rather than fall back to sofware.
return NULL;
}
#endif
#if defined(USE_NSS)
base::Lock* write_lock() {
......@@ -1069,6 +1066,10 @@ AutoSECMODListReadLock::~AutoSECMODListReadLock() {
#endif // defined(USE_NSS)
#if defined(OS_CHROMEOS)
PK11SlotInfo* GetSystemNSSKeySlot() {
return g_nss_singleton.Get().GetSystemNSSKeySlot();
}
void EnableTPMTokenForNSS() {
g_nss_singleton.Get().EnableTPMTokenForNSS();
}
......@@ -1081,9 +1082,11 @@ bool IsTPMTokenReady(const base::Closure& callback) {
return g_nss_singleton.Get().IsTPMTokenReady(callback);
}
void InitializeTPMToken(int token_slot_id,
const base::Callback<void(bool)>& callback) {
g_nss_singleton.Get().InitializeTPMToken(token_slot_id, callback);
void InitializeTPMTokenAndSystemSlot(
int token_slot_id,
const base::Callback<void(bool)>& callback) {
g_nss_singleton.Get().InitializeTPMTokenAndSystemSlot(token_slot_id,
callback);
}
ScopedTestNSSChromeOSUser::ScopedTestNSSChromeOSUser(
......@@ -1157,12 +1160,8 @@ PRTime BaseTimeToPRTime(base::Time time) {
return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
}
PK11SlotInfo* GetPublicNSSKeySlot() {
return g_nss_singleton.Get().GetPublicNSSKeySlot();
}
PK11SlotInfo* GetPrivateNSSKeySlot() {
return g_nss_singleton.Get().GetPrivateNSSKeySlot();
PK11SlotInfo* GetPersistentNSSKeySlot() {
return g_nss_singleton.Get().GetPersistentNSSKeySlot();
}
} // namespace crypto
......@@ -95,9 +95,9 @@ CRYPTO_EXPORT void LoadNSSLibraries();
bool CheckNSSVersion(const char* version);
#if defined(OS_CHROMEOS)
// Indicates that NSS should load the Chaps library so that we
// can access the TPM through NSS. Once this is called,
// GetPrivateNSSKeySlot() will return the TPM slot if one was found.
// Indicates that NSS should use the Chaps library so that we
// can access the TPM through NSS. InitializeTPMTokenAndSystemSlot and
// InitializeTPMForChromeOSUser must still be called to load the slots.
CRYPTO_EXPORT void EnableTPMTokenForNSS();
// Returns true if EnableTPMTokenForNSS has been called.
......@@ -113,13 +113,13 @@ CRYPTO_EXPORT bool IsTPMTokenEnabledForNSS();
CRYPTO_EXPORT bool IsTPMTokenReady(const base::Closure& callback)
WARN_UNUSED_RESULT;
// Initialize the TPM token. The |callback| will run on the same thread with
// true if the token and slot were successfully loaded or were already
// initialized. |callback| will be passed false if loading failed.
// Once called, InitializeTPMToken must not be called again until the |callback|
// has been run.
CRYPTO_EXPORT void InitializeTPMToken(
int token_slot_id,
// Initialize the TPM token and system slot. The |callback| will run on the same
// thread with true if the token and slot were successfully loaded or were
// already initialized. |callback| will be passed false if loading failed. Once
// called, InitializeTPMTokenAndSystemSlot must not be called again until the
// |callback| has been run.
CRYPTO_EXPORT void InitializeTPMTokenAndSystemSlot(
int system_slot_id,
const base::Callback<void(bool)>& callback);
// Exposed for unittests only.
......
......@@ -21,17 +21,11 @@ class FilePath;
namespace crypto {
// Returns a reference to the default NSS key slot for storing
// public-key data only (e.g. server certs). Caller must release
// returned reference with PK11_FreeSlot.
CRYPTO_EXPORT PK11SlotInfo* GetPublicNSSKeySlot() WARN_UNUSED_RESULT;
// Returns a reference to the default slot for storing private-key and
// mixed private-key/public-key data. Returns a hardware (TPM) NSS
// key slot if on ChromeOS and EnableTPMForNSS() has been called
// successfully. Caller must release returned reference with
// PK11_FreeSlot.
CRYPTO_EXPORT PK11SlotInfo* GetPrivateNSSKeySlot() WARN_UNUSED_RESULT;
// Returns a reference to the default NSS key slot for storing persistent data.
// Caller must release returned reference with PK11_FreeSlot.
// TODO(mattm): this should be if !defined(OS_CHROMEOS), but some tests need to
// be fixed first.
CRYPTO_EXPORT PK11SlotInfo* GetPersistentNSSKeySlot() WARN_UNUSED_RESULT;
// A helper class that acquires the SECMOD list read lock while the
// AutoSECMODListReadLock is in scope.
......@@ -46,6 +40,10 @@ class CRYPTO_EXPORT AutoSECMODListReadLock {
};
#if defined(OS_CHROMEOS)
// Returns a reference to the system-wide TPM slot. Caller must release
// returned reference with PK11_FreeSlot.
CRYPTO_EXPORT PK11SlotInfo* GetSystemNSSKeySlot() WARN_UNUSED_RESULT;
// Prepare per-user NSS slot mapping. It is safe to call this function multiple
// times. Returns true if the user was added, or false if it already existed.
CRYPTO_EXPORT bool InitializeNSSForChromeOSUser(
......
......@@ -24,7 +24,7 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
if (crypto_module_delegate_)
slot = crypto_module_delegate_->RequestSlot().Pass();
else
slot.reset(crypto::GetPrivateNSSKeySlot());
slot.reset(crypto::GetPersistentNSSKeySlot());
if (!slot.get()) {
LOG(ERROR) << "Couldn't get private key slot from NSS!";
return std::string();
......
......@@ -140,11 +140,11 @@ void NSSCertDatabase::ListCertsInSlot(const ListCertsCallback& callback,
}
crypto::ScopedPK11Slot NSSCertDatabase::GetPublicSlot() const {
return crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot());
return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
}
crypto::ScopedPK11Slot NSSCertDatabase::GetPrivateSlot() const {
return crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot());
return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
}
CryptoModule* NSSCertDatabase::GetPublicModule() const {
......
......@@ -446,7 +446,7 @@ int SSLServerSocketNSS::InitializeSSLOptions() {
}
SECKEYPrivateKeyStr* private_key = NULL;
PK11SlotInfo* slot = crypto::GetPrivateNSSKeySlot();
PK11SlotInfo* slot = PK11_GetInternalSlot();
if (!slot) {
CERT_DestroyCertificate(cert);
return ERR_UNEXPECTED;
......
......@@ -16,27 +16,6 @@
namespace net {
class ClientCertStoreChromeOSTestDelegate {
public:
ClientCertStoreChromeOSTestDelegate()
: store_("usernamehash",
ClientCertStoreChromeOS::PasswordDelegateFactory()) {
store_.InitForTesting(
crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot()),
crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot()));
}
bool SelectClientCerts(const CertificateList& input_certs,
const SSLCertRequestInfo& cert_request_info,
CertificateList* selected_certs) {
return store_.SelectClientCertsForTesting(
input_certs, cert_request_info, selected_certs);
}
private:
ClientCertStoreChromeOS store_;
};
class ClientCertStoreChromeOSTest : public ::testing::Test {
public:
scoped_refptr<X509Certificate> ImportCertForUser(
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment