Remove the deprecated NSSCertDatabase::GetInstance() .

The NSSCertDatabase singleton for Linux is now maintained by nss_context_linux.cc . BUG=329735 Review URL: https://codereview.chromium.org/405973003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285551 0039d316-1c4b-4281-b951-d872f2087c98

Remove the deprecated NSSCertDatabase::GetInstance() .
The NSSCertDatabase singleton for Linux is now maintained by nss_context_linux.cc . BUG=329735 Review URL: https://codereview.chromium.org/405973003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285551 0039d316-1c4b-4281-b951-d872f2087c98
30bb2810 · pneubeck@chromium.org · e9c8d3aa · 30bb2810 · 30bb2810 · 30bb2810
Commit 30bb2810 authored Jul 25, 2014 by pneubeck@chromium.org
10 changed files
--- a/chrome/browser/net/nss_context.h
+++ b/chrome/browser/net/nss_context.h
@@ -40,7 +40,7 @@ crypto::ScopedPK11Slot GetPrivateNSSKeySlotForResourceContext(
 // |callback| will be run once the DB is initialized. Ownership is not
 // transferred, but the caller may save the pointer, which will remain valid for
 // the lifetime of the ResourceContext.
-// Should be called only on the IO thread.
+// Must be called only on the IO thread.
 net::NSSCertDatabase* GetNSSCertDatabaseForResourceContext(
    content::ResourceContext* context,
    const base::Callback<void(net::NSSCertDatabase*)>& callback)

--- a/chrome/browser/net/nss_context_linux.cc
+++ b/chrome/browser/net/nss_context_linux.cc
@@ -8,6 +8,10 @@
 #include "crypto/nss_util_internal.h"
 #include "net/cert/nss_cert_database.h"
+namespace {
+net::NSSCertDatabase* g_nss_cert_database = NULL;
+}  // namespace
 crypto::ScopedPK11Slot GetPublicNSSKeySlotForResourceContext(
    content::ResourceContext* context) {
  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
@@ -24,6 +28,18 @@ crypto::ScopedPK11Slot GetPrivateNSSKeySlotForResourceContext(
 net::NSSCertDatabase* GetNSSCertDatabaseForResourceContext(
    content::ResourceContext* context,
    const base::Callback<void(net::NSSCertDatabase*)>& callback) {
-  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  // This initialization is not thread safe. This CHECK ensures that this code
-  return net::NSSCertDatabase::GetInstance();
+  // is only run on a single thread.
+  CHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  if (!g_nss_cert_database) {
+    // Linux has only a single persistent slot compared to ChromeOS's separate
+    // public and private slot.
+    // Redirect any slot usage to this persistent slot on Linux.
+    g_nss_cert_database = new net::NSSCertDatabase(
+        crypto::ScopedPK11Slot(
+            crypto::GetPersistentNSSKeySlot()) /* public slot */,
+        crypto::ScopedPK11Slot(
+            crypto::GetPersistentNSSKeySlot()) /* private slot */);
+  }
+  return g_nss_cert_database;
 }
--- a/chrome/common/net/x509_certificate_model_unittest.cc
+++ b/chrome/common/net/x509_certificate_model_unittest.cc
@@ -11,6 +11,7 @@
 #include "testing/gtest/include/gtest/gtest.h"
 #if defined(USE_NSS)
+#include "crypto/nss_util_internal.h"
 #include "net/cert/nss_cert_database.h"
 #endif
@@ -223,9 +224,16 @@ TEST(X509CertificateModelTest, GetTypeCA) {
  EXPECT_EQ(net::CA_CERT,
            x509_certificate_model::GetType(cert->os_cert_handle()));
+  // Additional parantheses required to disambiguate from function declaration.
+  net::NSSCertDatabase db(
+      (crypto::ScopedPK11Slot(
+          crypto::GetPersistentNSSKeySlot())) /* public slot */,
+      crypto::ScopedPK11Slot(
+          crypto::GetPersistentNSSKeySlot()) /* private lot */);
  // Test that explicitly distrusted CA certs are still returned as CA_CERT
  // type. See http://crbug.com/96654.
-  EXPECT_TRUE(net::NSSCertDatabase::GetInstance()->SetCertTrust(
+  EXPECT_TRUE(db.SetCertTrust(
      cert.get(), net::CA_CERT, net::NSSCertDatabase::DISTRUSTED_SSL));
  EXPECT_EQ(net::CA_CERT,
@@ -251,16 +259,22 @@ TEST(X509CertificateModelTest, GetTypeServer) {
  EXPECT_EQ(net::OTHER_CERT,
            x509_certificate_model::GetType(cert->os_cert_handle()));
-  net::NSSCertDatabase* cert_db = net::NSSCertDatabase::GetInstance();
+  // Additional parantheses required to disambiguate from function declaration.
+  net::NSSCertDatabase db(
+      (crypto::ScopedPK11Slot(
+          crypto::GetPersistentNSSKeySlot())) /* public slot */,
+      crypto::ScopedPK11Slot(
+          crypto::GetPersistentNSSKeySlot()) /* private lot */);
  // Test GetCertType with server certs and explicit trust.
-  EXPECT_TRUE(cert_db->SetCertTrust(
+  EXPECT_TRUE(db.SetCertTrust(
      cert.get(), net::SERVER_CERT, net::NSSCertDatabase::TRUSTED_SSL));
  EXPECT_EQ(net::SERVER_CERT,
            x509_certificate_model::GetType(cert->os_cert_handle()));
  // Test GetCertType with server certs and explicit distrust.
-  EXPECT_TRUE(cert_db->SetCertTrust(
+  EXPECT_TRUE(db.SetCertTrust(
      cert.get(), net::SERVER_CERT, net::NSSCertDatabase::DISTRUSTED_SSL));
  EXPECT_EQ(net::SERVER_CERT,

--- a/chromeos/cert_loader.cc
+++ b/chromeos/cert_loader.cc
@@ -88,8 +88,7 @@ int CertLoader::TPMTokenSlotID() const {
  if (!database_)
    return -1;
  crypto::ScopedPK11Slot slot(database_->GetPrivateSlot());
-  if (!slot)
+  DCHECK(slot);
-    return -1;
  return static_cast<int>(PK11_GetSlotID(slot.get()));
 }
@@ -99,8 +98,7 @@ bool CertLoader::IsHardwareBacked() const {
  if (!database_)
    return false;
  crypto::ScopedPK11Slot slot(database_->GetPrivateSlot());
-  if (!slot)
+  DCHECK(slot);
-    return false;
  return PK11_IsHW(slot.get());
 }

--- a/chromeos/cert_loader_unittest.cc
+++ b/chromeos/cert_loader_unittest.cc
@@ -305,19 +305,5 @@ TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) {
  EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 }
-TEST_F(CertLoaderTest, DatabaseWithUnsetSlots) {
-  primary_db_.reset(new net::NSSCertDatabaseChromeOS(crypto::ScopedPK11Slot(),
-                                                     crypto::ScopedPK11Slot()));
-  primary_db_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
-  cert_loader_->StartWithNSSDB(primary_db_.get());
-  base::RunLoop().RunUntilIdle();
-  EXPECT_EQ(1u, GetAndResetCertificatesLoadedEventsCount());
-  EXPECT_TRUE(cert_loader_->certificates_loaded());
-  EXPECT_EQ(-1, cert_loader_->TPMTokenSlotID());
-  EXPECT_FALSE(cert_loader_->IsHardwareBacked());
-}
 }  // namespace
 }  // namespace chromeos
--- a/net/cert/nss_cert_database.cc
+++ b/net/cert/nss_cert_database.cc
@@ -12,15 +12,12 @@
 #include "base/bind.h"
 #include "base/callback.h"
-#include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/observer_list_threadsafe.h"
 #include "base/task_runner.h"
 #include "base/task_runner_util.h"
 #include "base/threading/worker_pool.h"
-#include "crypto/nss_util.h"
-#include "crypto/nss_util_internal.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
@@ -42,6 +39,8 @@ namespace net {
 namespace {
+// TODO(pneubeck): Move this class out of NSSCertDatabase and to the caller of
+// the c'tor of NSSCertDatabase, see https://crbug.com/395983 .
 // Helper that observes events from the NSSCertDatabase and forwards them to
 // the given CertDatabase.
 class CertNotificationForwarder : public NSSCertDatabase::Observer {
@@ -70,9 +69,6 @@ class CertNotificationForwarder : public NSSCertDatabase::Observer {
  DISALLOW_COPY_AND_ASSIGN(CertNotificationForwarder);
 };
-base::LazyInstance<NSSCertDatabase>::Leaky
-    g_nss_cert_database = LAZY_INSTANCE_INITIALIZER;
 }  // namespace
 NSSCertDatabase::ImportCertFailure::ImportCertFailure(
@@ -82,20 +78,15 @@ NSSCertDatabase::ImportCertFailure::ImportCertFailure(
 NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {}
-// static
+NSSCertDatabase::NSSCertDatabase(crypto::ScopedPK11Slot public_slot,
-NSSCertDatabase* NSSCertDatabase::GetInstance() {
+                                 crypto::ScopedPK11Slot private_slot)
-  // TODO(mattm): Remove this ifdef guard once the linux impl of
+    : public_slot_(public_slot.Pass()),
-  // GetNSSCertDatabaseForResourceContext does not call GetInstance.
+      private_slot_(private_slot.Pass()),
-#if defined(OS_CHROMEOS)
+      observer_list_(new ObserverListThreadSafe<Observer>),
-  LOG(ERROR) << "NSSCertDatabase::GetInstance() is deprecated."
-             << "See http://crbug.com/329735.";
-#endif
-  return &g_nss_cert_database.Get();
-}
-NSSCertDatabase::NSSCertDatabase()
-    : observer_list_(new ObserverListThreadSafe<Observer>),
      weak_factory_(this) {
+  DCHECK(public_slot_);
+  DCHECK(private_slot_);
  // This also makes sure that NSS has been initialized.
  CertDatabase* cert_db = CertDatabase::GetInstance();
  cert_notification_forwarder_.reset(new CertNotificationForwarder(cert_db));
@@ -140,11 +131,11 @@ void NSSCertDatabase::ListCertsInSlot(const ListCertsCallback& callback,
 }
 crypto::ScopedPK11Slot NSSCertDatabase::GetPublicSlot() const {
-  return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
+  return crypto::ScopedPK11Slot(PK11_ReferenceSlot(public_slot_.get()));
 }
 crypto::ScopedPK11Slot NSSCertDatabase::GetPrivateSlot() const {
-  return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
+  return crypto::ScopedPK11Slot(PK11_ReferenceSlot(private_slot_.get()));
 }
 CryptoModule* NSSCertDatabase::GetPublicModule() const {

--- a/net/cert/nss_cert_database.h
+++ b/net/cert/nss_cert_database.h
@@ -20,7 +20,6 @@
 #include "net/cert/x509_certificate.h"
 namespace base {
-template <typename T> struct DefaultLazyInstanceTraits;
 class TaskRunner;
 }
 template <class ObserverType> class ObserverListThreadSafe;
@@ -35,7 +34,6 @@ typedef std::vector<scoped_refptr<CryptoModule> > CryptoModuleList;
 // singleton.
 class NET_EXPORT NSSCertDatabase {
 public:
  class NET_EXPORT Observer {
   public:
    virtual ~Observer() {}
@@ -102,8 +100,17 @@ class NET_EXPORT NSSCertDatabase {
  typedef base::Callback<void(bool)> DeleteCertCallback;
-  // DEPRECATED: See http://crbug.com/329735.
+  // Creates a NSSCertDatabase that will store public information (such as
-  static NSSCertDatabase* GetInstance();
+  // certificates and trust records) in |public_slot|, and private information
+  // (such as keys) in |private_slot|.
+  // In general, code should avoid creating an NSSCertDatabase directly,
+  // as doing so requires making opinionated decisions about where to store
+  // data, and instead prefer to be passed an existing NSSCertDatabase
+  // instance.
+  // Both slots must not be NULL but can be identical.
+  NSSCertDatabase(crypto::ScopedPK11Slot public_slot,
+                  crypto::ScopedPK11Slot private_slot);
+  virtual ~NSSCertDatabase();
  // Get a list of unique certificates in the certificate database (one
  // instance of all certificates).
@@ -124,10 +131,10 @@ class NET_EXPORT NSSCertDatabase {
                               PK11SlotInfo* slot);
  // Get the default slot for public key data.
-  virtual crypto::ScopedPK11Slot GetPublicSlot() const;
+  crypto::ScopedPK11Slot GetPublicSlot() const;
  // Get the default slot for private key or mixed private/public key data.
-  virtual crypto::ScopedPK11Slot GetPrivateSlot() const;
+  crypto::ScopedPK11Slot GetPrivateSlot() const;
  // Get the default module for public key data.
  // The returned pointer must be stored in a scoped_refptr<CryptoModule>.
@@ -232,9 +239,6 @@ class NET_EXPORT NSSCertDatabase {
      const scoped_refptr<base::TaskRunner>& task_runner);
 protected:
-  NSSCertDatabase();
-  virtual ~NSSCertDatabase();
  // Certificate listing implementation used by |ListCerts*| and
  // |ListCertsSync|. Static so it may safely be used on the worker thread.
  // If |slot| is NULL, obtains the certs of all slots, otherwise only of
@@ -248,8 +252,6 @@ class NET_EXPORT NSSCertDatabase {
  scoped_refptr<base::TaskRunner> GetSlowTaskRunner() const;
 private:
-  friend struct base::DefaultLazyInstanceTraits<NSSCertDatabase>;
  // Registers |observer| to receive notifications of certificate changes.  The
  // thread on which this is called is the thread on which |observer| will be
  // called back with notifications.
@@ -277,6 +279,9 @@ class NET_EXPORT NSSCertDatabase {
  // it may safely be used on the worker thread.
  static bool DeleteCertAndKeyImpl(scoped_refptr<X509Certificate> cert);
+  crypto::ScopedPK11Slot public_slot_;
+  crypto::ScopedPK11Slot private_slot_;
  // A helper observer that forwards events from this database to CertDatabase.
  scoped_ptr<Observer> cert_notification_forwarder_;

--- a/net/cert/nss_cert_database_chromeos.cc
+++ b/net/cert/nss_cert_database_chromeos.cc
@@ -21,8 +21,7 @@ namespace net {
 NSSCertDatabaseChromeOS::NSSCertDatabaseChromeOS(
    crypto::ScopedPK11Slot public_slot,
    crypto::ScopedPK11Slot private_slot)
-    : public_slot_(public_slot.Pass()),
+    : NSSCertDatabase(public_slot.Pass(), private_slot.Pass()) {
-      private_slot_(private_slot.Pass()) {
  profile_filter_.Init(GetPublicSlot(), GetPrivateSlot());
 }
@@ -46,16 +45,6 @@ void NSSCertDatabaseChromeOS::ListCerts(
      base::Bind(callback, base::Passed(&certs)));
 }
-crypto::ScopedPK11Slot NSSCertDatabaseChromeOS::GetPublicSlot() const {
-  return crypto::ScopedPK11Slot(
-      public_slot_ ? PK11_ReferenceSlot(public_slot_.get()) : NULL);
-}
-crypto::ScopedPK11Slot NSSCertDatabaseChromeOS::GetPrivateSlot() const {
-  return crypto::ScopedPK11Slot(
-      private_slot_ ? PK11_ReferenceSlot(private_slot_.get()) : NULL);
-}
 void NSSCertDatabaseChromeOS::ListModules(CryptoModuleList* modules,
                                          bool need_rw) const {
  NSSCertDatabase::ListModules(modules, need_rw);

--- a/net/cert/nss_cert_database_chromeos.h
+++ b/net/cert/nss_cert_database_chromeos.h
@@ -24,8 +24,6 @@ class NET_EXPORT NSSCertDatabaseChromeOS : public NSSCertDatabase {
  virtual void ListCertsSync(CertificateList* certs) OVERRIDE;
  virtual void ListCerts(const NSSCertDatabase::ListCertsCallback& callback)
      OVERRIDE;
-  virtual crypto::ScopedPK11Slot GetPublicSlot() const OVERRIDE;
-  virtual crypto::ScopedPK11Slot GetPrivateSlot() const OVERRIDE;
  virtual void ListModules(CryptoModuleList* modules, bool need_rw) const
      OVERRIDE;
@@ -41,8 +39,6 @@ class NET_EXPORT NSSCertDatabaseChromeOS : public NSSCertDatabase {
  static void ListCertsImpl(const NSSProfileFilterChromeOS& profile_filter,
                            CertificateList* certs);
-  crypto::ScopedPK11Slot public_slot_;
-  crypto::ScopedPK11Slot private_slot_;
  NSSProfileFilterChromeOS profile_filter_;
  DISALLOW_COPY_AND_ASSIGN(NSSCertDatabaseChromeOS);

--- a/net/cert/nss_cert_database_unittest.cc
+++ b/net/cert/nss_cert_database_unittest.cc
@@ -58,28 +58,27 @@ class CertDatabaseNSSTest : public testing::Test {
 public:
  virtual void SetUp() {
    ASSERT_TRUE(test_nssdb_.is_open());
-    cert_db_ = NSSCertDatabase::GetInstance();
+    cert_db_.reset(new NSSCertDatabase(
-    slot_ = cert_db_->GetPublicModule();
+        crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()),
+        crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot())));
+    public_module_ = cert_db_->GetPublicModule();
    // Test db should be empty at start of test.
-    EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
+    EXPECT_EQ(0U, ListCerts().size());
  }
  virtual void TearDown() {
-    // Don't try to cleanup if the setup failed.
-    ASSERT_TRUE(slot_->os_module_handle());
-    EXPECT_TRUE(CleanupSlotContents());
    // Run the message loop to process any observer callbacks (e.g. for the
    // ClientSocketFactory singleton) so that the scoped ref ptrs created in
    // NSSCertDatabase::NotifyObservers* get released.
    base::MessageLoop::current()->RunUntilIdle();
-    EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
  }
 protected:
+  net::CryptoModule* GetPublicModule() {
+    return public_module_.get();
+  }
  static std::string ReadTestFile(const std::string& name) {
    std::string result;
    base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
@@ -98,9 +97,11 @@ class CertDatabaseNSSTest : public testing::Test {
    return true;
  }
-  static CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
+  CertificateList ListCerts() {
    CertificateList result;
-    CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
+    CERTCertList* cert_list =
+        PK11_ListCertsInSlot(cert_db_->GetPublicSlot().get());
    for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
         !CERT_LIST_END(node, cert_list);
         node = CERT_LIST_NEXT(node)) {
@@ -114,30 +115,10 @@ class CertDatabaseNSSTest : public testing::Test {
    return result;
  }
-  scoped_refptr<CryptoModule> slot_;
+  scoped_ptr<NSSCertDatabase> cert_db_;
-  NSSCertDatabase* cert_db_;
  const CertificateList empty_cert_list_;
- private:
-  bool CleanupSlotContents() {
-    bool ok = true;
-    CertificateList certs = ListCertsInSlot(slot_->os_module_handle());
-    CERTCertTrust default_trust = {0};
-    for (size_t i = 0; i < certs.size(); ++i) {
-      // Reset cert trust values to defaults before deleting.  Otherwise NSS
-      // somehow seems to remember the trust which can break following tests.
-      SECStatus srv = CERT_ChangeCertTrust(
-          CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust);
-      if (srv != SECSuccess)
-        ok = false;
-      if (!cert_db_->DeleteCertAndKey(certs[i].get()))
-        ok = false;
-    }
-    return ok;
-  }
  crypto::ScopedTestNSSDB test_nssdb_;
+  scoped_refptr<net::CryptoModule> public_module_;
 };
 TEST_F(CertDatabaseNSSTest, ListCertsSync) {
@@ -169,27 +150,27 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
  std::string pkcs12_data = ReadTestFile("client.p12");
  EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
-            cert_db_->ImportFromPKCS12(slot_.get(),
+            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       base::string16(),
                                       true,  // is_extractable
                                       NULL));
  // Test db should still be empty.
-  EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
+  EXPECT_EQ(0U, ListCerts().size());
 }
 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
  std::string pkcs12_data = ReadTestFile("client.p12");
  EXPECT_EQ(OK,
-            cert_db_->ImportFromPKCS12(slot_.get(),
+            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       true,  // is_extractable
                                       NULL));
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);
@@ -208,35 +189,35 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
  std::string pkcs12_data = ReadTestFile("client.p12");
  EXPECT_EQ(OK,
-            cert_db_->ImportFromPKCS12(slot_.get(),
+            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       true,  // is_extractable
                                       NULL));
-  EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
+  EXPECT_EQ(1U, ListCerts().size());
  // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
  // it's ever used.  This test verifies that.
  EXPECT_EQ(OK,
-            cert_db_->ImportFromPKCS12(slot_.get(),
+            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       true,  // is_extractable
                                       NULL));
-  EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
+  EXPECT_EQ(1U, ListCerts().size());
 }
 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
  std::string pkcs12_data = ReadTestFile("client.p12");
  EXPECT_EQ(OK,
-            cert_db_->ImportFromPKCS12(slot_.get(),
+            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       false,  // is_extractable
                                       NULL));
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);
@@ -253,25 +234,25 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
  std::string pkcs12_data = ReadTestFile("client.p12");
  EXPECT_EQ(OK,
-            cert_db_->ImportFromPKCS12(slot_.get(),
+            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       true,  // is_extractable
                                       NULL));
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  // Now import a PKCS#12 file with just a certificate but no private key.
  pkcs12_data = ReadTestFile("client-nokey.p12");
  EXPECT_EQ(OK,
-            cert_db_->ImportFromPKCS12(slot_.get(),
+            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       false,  // is_extractable
                                       NULL));
-  cert_list = ListCertsInSlot(slot_->os_module_handle());
+  cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  // Make sure the imported private key is still extractable.
@@ -285,14 +266,14 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
  std::string pkcs12_data = "Foobarbaz";
  EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
-            cert_db_->ImportFromPKCS12(slot_.get(),
+            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       base::string16(),
                                       true,  // is_extractable
                                       NULL));
  // Test db should still be empty.
-  EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
+  EXPECT_EQ(0U, ListCerts().size());
 }
 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
@@ -309,7 +290,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
  EXPECT_EQ(0U, failed.size());
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);
  EXPECT_EQ("Test Root CA", cert->subject().common_name);
@@ -340,7 +321,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
  EXPECT_EQ(0U, failed.size());
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);
  EXPECT_EQ("Test Root CA", cert->subject().common_name);
@@ -371,7 +352,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
  EXPECT_EQ(0U, failed.size());
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);
  EXPECT_EQ("Test Root CA", cert->subject().common_name);
@@ -406,7 +387,7 @@ TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
  EXPECT_EQ(certs[0], failed[0].certificate);
  EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
-  EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
+  EXPECT_EQ(0U, ListCerts().size());
 }
 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
@@ -431,7 +412,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
  EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
  EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
 }
@@ -447,7 +428,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
      &failed));
  EXPECT_EQ(0U, failed.size());
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
@@ -469,7 +450,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
  EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
  EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
-  cert_list = ListCertsInSlot(slot_->os_module_handle());
+  cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
 }
@@ -490,7 +471,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
  // SEC_ERROR_UNTRUSTED_ISSUER
  EXPECT_EQ(ERR_FAILED, failed[0].net_error);
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
 }
@@ -513,7 +494,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
  EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
  EXPECT_EQ(ERR_FAILED, failed[1].net_error);  // The certificate expired.
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
 }
@@ -540,7 +521,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
  EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
  EXPECT_EQ(ERR_FAILED, failed[1].net_error);
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
 }
@@ -562,7 +543,7 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
  EXPECT_EQ(0U, failed.size());
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(2U, cert_list.size());
  scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
  scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
@@ -597,7 +578,7 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
  EXPECT_EQ(0U, failed.size());
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
@@ -628,7 +609,7 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
  EXPECT_EQ(0U, failed.size());
-  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
@@ -1011,7 +992,7 @@ TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
                                    X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());
-  EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
+  EXPECT_EQ(0U, ListCerts().size());
  // Import server cert with default trust.
  NSSCertDatabase::ImportCertFailureList failed;
@@ -1021,7 +1002,7 @@ TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
  EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
            cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
-  CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle());
+  CertificateList new_certs = ListCerts();
  ASSERT_EQ(1U, new_certs.size());
  // Now attempt to import a different certificate with the same common name.
@@ -1038,7 +1019,7 @@ TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
  EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
            cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
-  new_certs = ListCertsInSlot(slot_->os_module_handle());
+  new_certs = ListCerts();
  ASSERT_EQ(2U, new_certs.size());
  EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
               new_certs[1]->os_cert_handle()->nickname);