Add GetSystemNSSKeySlot, merge GetPrivateNSSKeySlot/GetPublicNSSKeySlot to GetPersistentNSSKeySlot.

GetSystemNSSKeySlot returns the ChromeOS system-wide TPM slot. ChromeOS has separate slots for each user and linux doesn't have a public/private split, so GetPrivateNSSKeySlot no longer makes sense. BUG=210525 TBR=stevenjb@chromium.org Review URL: https://codereview.chromium.org/383593002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282862 0039d316-1c4b-4281-b951-d872f2087c98

Add GetSystemNSSKeySlot, merge GetPrivateNSSKeySlot/GetPublicNSSKeySlot to GetPersistentNSSKeySlot.
GetSystemNSSKeySlot returns the ChromeOS system-wide TPM slot. ChromeOS has separate slots for each user and linux doesn't have a public/private split, so GetPrivateNSSKeySlot no longer makes sense. BUG=210525 TBR=stevenjb@chromium.org Review URL: https://codereview.chromium.org/383593002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282862 0039d316-1c4b-4281-b951-d872f2087c98
49631886 · mattm@chromium.org · c493c551 · 49631886 · 49631886 · 49631886
Commit 49631886 authored Jul 13, 2014 by mattm@chromium.org
10 changed files
--- a/chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc
+++ b/chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc
@@ -46,7 +46,7 @@ class PolicyCertVerifierTest : public testing::Test {
    cert_verifier_.reset(new PolicyCertVerifier(base::Bind(
        &PolicyCertVerifierTest::OnTrustAnchorUsed, base::Unretained(this))));
    cert_verifier_->InitializeOnIOThread(new chromeos::CertVerifyProcChromeOS(
-        crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot())));
+        crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot())));

    test_ca_cert_ = LoadCertificate("root_ca_cert.pem", net::CA_CERT);
    ASSERT_TRUE(test_ca_cert_);

--- a/chrome/browser/net/nss_context_linux.cc
+++ b/chrome/browser/net/nss_context_linux.cc
@@ -11,14 +11,14 @@
 crypto::ScopedPK11Slot GetPublicNSSKeySlotForResourceContext(
    content::ResourceContext* context) {
  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
-  return crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot());
+  return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
 }

 crypto::ScopedPK11Slot GetPrivateNSSKeySlotForResourceContext(
    content::ResourceContext* context,
    const base::Callback<void(crypto::ScopedPK11Slot)>& callback) {
  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
-  return crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot());
+  return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
 }

 net::NSSCertDatabase* GetNSSCertDatabaseForResourceContext(

--- a/chromeos/tpm_token_loader.cc
+++ b/chromeos/tpm_token_loader.cc
@@ -195,7 +195,7 @@ void TPMTokenLoader::ContinueTokenInitialization() {
      crypto_task_runner_->PostTask(
          FROM_HERE,
          base::Bind(
-              &crypto::InitializeTPMToken,
+              &crypto::InitializeTPMTokenAndSystemSlot,
              tpm_token_slot_id_,
              base::Bind(&PostResultToTaskRunner,
                         base::MessageLoopProxy::current(),

--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -316,8 +316,9 @@ class NSSInitSingleton {
    return tpm_token_enabled_for_nss_;
  }

-  void InitializeTPMToken(int token_slot_id,
-                          const base::Callback<void(bool)>& callback) {
+  void InitializeTPMTokenAndSystemSlot(
+      int system_slot_id,
+      const base::Callback<void(bool)>& callback) {
    DCHECK(thread_checker_.CalledOnValidThread());
    // Should not be called while there is already an initialization in
    // progress.
@@ -345,9 +346,9 @@ class NSSInitSingleton {
    if (base::WorkerPool::PostTaskAndReply(
            FROM_HERE,
            base::Bind(&NSSInitSingleton::InitializeTPMTokenOnWorkerThread,
-                       token_slot_id,
+                       system_slot_id,
                       tpm_args_ptr),
-            base::Bind(&NSSInitSingleton::OnInitializedTPMToken,
+            base::Bind(&NSSInitSingleton::OnInitializedTPMTokenAndSystemSlot,
                       base::Unretained(this),  // NSSInitSingleton is leaky
                       callback,
                       base::Passed(&tpm_args)),
@@ -382,8 +383,9 @@ class NSSInitSingleton {
    }
  }

-  void OnInitializedTPMToken(const base::Callback<void(bool)>& callback,
-                             scoped_ptr<TPMModuleAndSlot> tpm_args) {
+  void OnInitializedTPMTokenAndSystemSlot(
+      const base::Callback<void(bool)>& callback,
+      scoped_ptr<TPMModuleAndSlot> tpm_args) {
    DCHECK(thread_checker_.CalledOnValidThread());
    DVLOG(2) << "Loaded chaps: " << !!tpm_args->chaps_module
             << ", got tpm slot: " << !!tpm_args->tpm_slot;
@@ -624,7 +626,7 @@ class NSSInitSingleton {
    ignore_result(g_test_nss_db_dir.Get().Delete());
  }

-  PK11SlotInfo* GetPublicNSSKeySlot() {
+  PK11SlotInfo* GetPersistentNSSKeySlot() {
    // TODO(mattm): Change to DCHECK when callers have been fixed.
    if (!thread_checker_.CalledOnValidThread()) {
      DVLOG(1) << "Called on wrong thread.\n"
@@ -636,29 +638,24 @@ class NSSInitSingleton {
    return PK11_GetInternalKeySlot();
  }

-  PK11SlotInfo* GetPrivateNSSKeySlot() {
-    // TODO(mattm): Change to DCHECK when callers have been fixed.
-    if (!thread_checker_.CalledOnValidThread()) {
-      DVLOG(1) << "Called on wrong thread.\n"
-               << base::debug::StackTrace().ToString();
-    }
+#if defined(OS_CHROMEOS)
+  PK11SlotInfo* GetSystemNSSKeySlot() {
+    DCHECK(thread_checker_.CalledOnValidThread());

    if (test_slot_)
      return PK11_ReferenceSlot(test_slot_);

-#if defined(OS_CHROMEOS)
-    if (tpm_token_enabled_for_nss_) {
-      if (IsTPMTokenReady(base::Closure())) {
-        return PK11_ReferenceSlot(tpm_slot_);
-      } else {
-        // If we were supposed to get the hardware token, but were
-        // unable to, return NULL rather than fall back to sofware.
-        return NULL;
-      }
-    }
-#endif
-    return PK11_GetInternalKeySlot();
+    // TODO(mattm): chromeos::TPMTokenloader always calls
+    // InitializeTPMTokenAndSystemSlot with slot 0.  If the system slot is
+    // disabled, tpm_slot_ will be the first user's slot instead. Can that be
+    // detected and return NULL instead?
+    if (tpm_token_enabled_for_nss_ && IsTPMTokenReady(base::Closure()))
+      return PK11_ReferenceSlot(tpm_slot_);
+    // If we were supposed to get the hardware token, but were
+    // unable to, return NULL rather than fall back to sofware.
+    return NULL;
  }
+#endif

 #if defined(USE_NSS)
  base::Lock* write_lock() {
@@ -1069,6 +1066,10 @@ AutoSECMODListReadLock::~AutoSECMODListReadLock() {
 #endif  // defined(USE_NSS)

 #if defined(OS_CHROMEOS)
+PK11SlotInfo* GetSystemNSSKeySlot() {
+  return g_nss_singleton.Get().GetSystemNSSKeySlot();
+}
+
 void EnableTPMTokenForNSS() {
  g_nss_singleton.Get().EnableTPMTokenForNSS();
 }
@@ -1081,9 +1082,11 @@ bool IsTPMTokenReady(const base::Closure& callback) {
  return g_nss_singleton.Get().IsTPMTokenReady(callback);
 }

-void InitializeTPMToken(int token_slot_id,
-                        const base::Callback<void(bool)>& callback) {
-  g_nss_singleton.Get().InitializeTPMToken(token_slot_id, callback);
+void InitializeTPMTokenAndSystemSlot(
+    int token_slot_id,
+    const base::Callback<void(bool)>& callback) {
+  g_nss_singleton.Get().InitializeTPMTokenAndSystemSlot(token_slot_id,
+                                                        callback);
 }

 ScopedTestNSSChromeOSUser::ScopedTestNSSChromeOSUser(
@@ -1157,12 +1160,8 @@ PRTime BaseTimeToPRTime(base::Time time) {
  return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }

-PK11SlotInfo* GetPublicNSSKeySlot() {
-  return g_nss_singleton.Get().GetPublicNSSKeySlot();
-}
-
-PK11SlotInfo* GetPrivateNSSKeySlot() {
-  return g_nss_singleton.Get().GetPrivateNSSKeySlot();
+PK11SlotInfo* GetPersistentNSSKeySlot() {
+  return g_nss_singleton.Get().GetPersistentNSSKeySlot();
 }

 }  // namespace crypto
--- a/crypto/nss_util.h
+++ b/crypto/nss_util.h
@@ -95,9 +95,9 @@ CRYPTO_EXPORT void LoadNSSLibraries();
 bool CheckNSSVersion(const char* version);

 #if defined(OS_CHROMEOS)
-// Indicates that NSS should load the Chaps library so that we
-// can access the TPM through NSS.  Once this is called,
-// GetPrivateNSSKeySlot() will return the TPM slot if one was found.
+// Indicates that NSS should use the Chaps library so that we
+// can access the TPM through NSS.  InitializeTPMTokenAndSystemSlot and
+// InitializeTPMForChromeOSUser must still be called to load the slots.
 CRYPTO_EXPORT void EnableTPMTokenForNSS();

 // Returns true if EnableTPMTokenForNSS has been called.
@@ -113,13 +113,13 @@ CRYPTO_EXPORT bool IsTPMTokenEnabledForNSS();
 CRYPTO_EXPORT bool IsTPMTokenReady(const base::Closure& callback)
    WARN_UNUSED_RESULT;

-// Initialize the TPM token. The |callback| will run on the same thread with
-// true if the token and slot were successfully loaded or were already
-// initialized. |callback| will be passed false if loading failed.
-// Once called, InitializeTPMToken must not be called again until the |callback|
-// has been run.
-CRYPTO_EXPORT void InitializeTPMToken(
-    int token_slot_id,
+// Initialize the TPM token and system slot. The |callback| will run on the same
+// thread with true if the token and slot were successfully loaded or were
+// already initialized. |callback| will be passed false if loading failed.  Once
+// called, InitializeTPMTokenAndSystemSlot must not be called again until the
+// |callback| has been run.
+CRYPTO_EXPORT void InitializeTPMTokenAndSystemSlot(
+    int system_slot_id,
    const base::Callback<void(bool)>& callback);

 // Exposed for unittests only.

--- a/crypto/nss_util_internal.h
+++ b/crypto/nss_util_internal.h
@@ -21,17 +21,11 @@ class FilePath;

 namespace crypto {

-// Returns a reference to the default NSS key slot for storing
-// public-key data only (e.g. server certs). Caller must release
-// returned reference with PK11_FreeSlot.
-CRYPTO_EXPORT PK11SlotInfo* GetPublicNSSKeySlot() WARN_UNUSED_RESULT;
-
-// Returns a reference to the default slot for storing private-key and
-// mixed private-key/public-key data.  Returns a hardware (TPM) NSS
-// key slot if on ChromeOS and EnableTPMForNSS() has been called
-// successfully. Caller must release returned reference with
-// PK11_FreeSlot.
-CRYPTO_EXPORT PK11SlotInfo* GetPrivateNSSKeySlot() WARN_UNUSED_RESULT;
+// Returns a reference to the default NSS key slot for storing persistent data.
+// Caller must release returned reference with PK11_FreeSlot.
+// TODO(mattm): this should be if !defined(OS_CHROMEOS), but some tests need to
+// be fixed first.
+CRYPTO_EXPORT PK11SlotInfo* GetPersistentNSSKeySlot() WARN_UNUSED_RESULT;

 // A helper class that acquires the SECMOD list read lock while the
 // AutoSECMODListReadLock is in scope.
@@ -46,6 +40,10 @@ class CRYPTO_EXPORT AutoSECMODListReadLock {
 };

 #if defined(OS_CHROMEOS)
+// Returns a reference to the system-wide TPM slot.  Caller must release
+// returned reference with PK11_FreeSlot.
+CRYPTO_EXPORT PK11SlotInfo* GetSystemNSSKeySlot() WARN_UNUSED_RESULT;
+
 // Prepare per-user NSS slot mapping. It is safe to call this function multiple
 // times. Returns true if the user was added, or false if it already existed.
 CRYPTO_EXPORT bool InitializeNSSForChromeOSUser(

--- a/net/base/keygen_handler_nss.cc
+++ b/net/base/keygen_handler_nss.cc
@@ -24,7 +24,7 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
  if (crypto_module_delegate_)
    slot = crypto_module_delegate_->RequestSlot().Pass();
  else
-    slot.reset(crypto::GetPrivateNSSKeySlot());
+    slot.reset(crypto::GetPersistentNSSKeySlot());
  if (!slot.get()) {
    LOG(ERROR) << "Couldn't get private key slot from NSS!";
    return std::string();

--- a/net/cert/nss_cert_database.cc
+++ b/net/cert/nss_cert_database.cc
@@ -140,11 +140,11 @@ void NSSCertDatabase::ListCertsInSlot(const ListCertsCallback& callback,
 }

 crypto::ScopedPK11Slot NSSCertDatabase::GetPublicSlot() const {
-  return crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot());
+  return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
 }

 crypto::ScopedPK11Slot NSSCertDatabase::GetPrivateSlot() const {
-  return crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot());
+  return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot());
 }

 CryptoModule* NSSCertDatabase::GetPublicModule() const {

--- a/net/socket/ssl_server_socket_nss.cc
+++ b/net/socket/ssl_server_socket_nss.cc
@@ -446,7 +446,7 @@ int SSLServerSocketNSS::InitializeSSLOptions() {
  }

  SECKEYPrivateKeyStr* private_key = NULL;
-  PK11SlotInfo* slot = crypto::GetPrivateNSSKeySlot();
+  PK11SlotInfo* slot = PK11_GetInternalSlot();
  if (!slot) {
    CERT_DestroyCertificate(cert);
    return ERR_UNEXPECTED;

--- a/net/ssl/client_cert_store_chromeos_unittest.cc
+++ b/net/ssl/client_cert_store_chromeos_unittest.cc
@@ -16,27 +16,6 @@

 namespace net {

-class ClientCertStoreChromeOSTestDelegate {
- public:
-  ClientCertStoreChromeOSTestDelegate()
-      : store_("usernamehash",
-               ClientCertStoreChromeOS::PasswordDelegateFactory()) {
-    store_.InitForTesting(
-        crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot()),
-        crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot()));
-  }
-
-  bool SelectClientCerts(const CertificateList& input_certs,
-                         const SSLCertRequestInfo& cert_request_info,
-                         CertificateList* selected_certs) {
-    return store_.SelectClientCertsForTesting(
-        input_certs, cert_request_info, selected_certs);
-  }
-
- private:
-  ClientCertStoreChromeOS store_;
-};
-
 class ClientCertStoreChromeOSTest : public ::testing::Test {
 public:
  scoped_refptr<X509Certificate> ImportCertForUser(