OLD | NEW |
---|---|
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/nss_util.h" | 5 #include "base/nss_util.h" |
6 #include "base/nss_util_internal.h" | 6 #include "base/nss_util_internal.h" |
7 | 7 |
8 #include <nss.h> | 8 #include <nss.h> |
9 #include <plarena.h> | 9 #include <plarena.h> |
10 #include <prerror.h> | 10 #include <prerror.h> |
11 #include <prinit.h> | 11 #include <prinit.h> |
12 #include <prtime.h> | 12 #include <prtime.h> |
13 #include <pk11pub.h> | 13 #include <pk11pub.h> |
14 #include <secmod.h> | 14 #include <secmod.h> |
15 | 15 |
16 #if defined(OS_LINUX) | 16 #if defined(OS_LINUX) |
17 #include <linux/nfs_fs.h> | 17 #include <linux/nfs_fs.h> |
18 #include <sys/vfs.h> | 18 #include <sys/vfs.h> |
19 #endif | 19 #endif |
20 | 20 |
21 #include "base/environment.h" | 21 #include "base/environment.h" |
wtc
2011/03/18 18:36:32
Nit: list "base/environment.h" after "base/crypto/
Greg Spencer (Chromium)
2011/03/18 20:43:11
Sorry, bad merge. Fixed.
| |
22 #include "base/crypto/scoped_nss_types.h" | |
22 #include "base/file_util.h" | 23 #include "base/file_util.h" |
23 #include "base/lazy_instance.h" | 24 #include "base/lazy_instance.h" |
24 #include "base/logging.h" | 25 #include "base/logging.h" |
25 #include "base/scoped_ptr.h" | 26 #include "base/scoped_ptr.h" |
26 #include "base/stringprintf.h" | 27 #include "base/stringprintf.h" |
27 #include "base/threading/thread_restrictions.h" | 28 #include "base/threading/thread_restrictions.h" |
28 | 29 |
29 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not | 30 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not |
30 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't | 31 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't |
31 // use NSS for crypto or certificate verification, and we don't use the NSS | 32 // use NSS for crypto or certificate verification, and we don't use the NSS |
32 // certificate and key databases. | 33 // certificate and key databases. |
33 #if defined(USE_NSS) | 34 #if defined(USE_NSS) |
34 #include "base/crypto/crypto_module_blocking_password_delegate.h" | 35 #include "base/crypto/crypto_module_blocking_password_delegate.h" |
35 #include "base/synchronization/lock.h" | 36 #include "base/synchronization/lock.h" |
36 #endif // defined(USE_NSS) | 37 #endif // defined(USE_NSS) |
37 | 38 |
38 namespace base { | 39 namespace base { |
39 | 40 |
40 namespace { | 41 namespace { |
41 | 42 |
43 #if defined(OS_CHROMEOS) | |
44 static const char kNSSDatabaseName[] = "Real NSS database"; | |
45 | |
46 // TODO(gspencer): Get these values from cryptohomed's dbus API when | |
47 // we ask if it has initialized the TPM yet. These should not be | |
48 // hard-coded here. | |
49 static const char kTPMTokenName[] = "Initialized by CrOS"; | |
50 static const char kTPMUserPIN[] = "111111"; | |
51 static const char kTPMSecurityOfficerPIN[] = "000000"; | |
52 | |
53 // Fake certificate authority database used for testing. | |
54 static const FilePath::CharType kReadOnlyCertDB[] = | |
55 FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); | |
56 #endif // defined(OS_CHROMEOS) | |
57 | |
58 std::string GetNSSErrorMessage() { | |
59 std::string result; | |
60 if (PR_GetErrorTextLength()) { | |
61 scoped_array<char> error_text(new char[PR_GetErrorTextLength() + 1]); | |
62 PRInt32 copied = PR_GetErrorText(error_text.get()); | |
63 result = std::string(error_text.get(), copied); | |
64 } else { | |
65 result = StringPrintf("NSS error code: %d", PR_GetError()); | |
66 } | |
67 return result; | |
68 } | |
69 | |
42 #if defined(USE_NSS) | 70 #if defined(USE_NSS) |
43 FilePath GetDefaultConfigDirectory() { | 71 FilePath GetDefaultConfigDirectory() { |
44 FilePath dir = file_util::GetHomeDir(); | 72 FilePath dir = file_util::GetHomeDir(); |
45 if (dir.empty()) { | 73 if (dir.empty()) { |
46 LOG(ERROR) << "Failed to get home directory."; | 74 LOG(ERROR) << "Failed to get home directory."; |
47 return dir; | 75 return dir; |
48 } | 76 } |
49 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); | 77 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); |
50 if (!file_util::CreateDirectory(dir)) { | 78 if (!file_util::CreateDirectory(dir)) { |
51 LOG(ERROR) << "Failed to create ~/.pki/nssdb directory."; | 79 LOG(ERROR) << "Failed to create ~/.pki/nssdb directory."; |
52 dir.clear(); | 80 dir.clear(); |
53 } | 81 } |
54 return dir; | 82 return dir; |
55 } | 83 } |
56 | 84 |
57 // On non-chromeos platforms, return the default config directory. | 85 // On non-chromeos platforms, return the default config directory. |
58 // On chromeos, return a read-only directory with fake root CA certs for testing | 86 // On chromeos, return a read-only directory with fake root CA certs for testing |
59 // (which will not exist on non-testing images). These root CA certs are used | 87 // (which will not exist on non-testing images). These root CA certs are used |
60 // by the local Google Accounts server mock we use when testing our login code. | 88 // by the local Google Accounts server mock we use when testing our login code. |
61 // If this directory is not present, NSS_Init() will fail. It is up to the | 89 // If this directory is not present, NSS_Init() will fail. It is up to the |
62 // caller to failover to NSS_NoDB_Init() at that point. | 90 // caller to failover to NSS_NoDB_Init() at that point. |
63 FilePath GetInitialConfigDirectory() { | 91 FilePath GetInitialConfigDirectory() { |
64 #if defined(OS_CHROMEOS) | 92 #if defined(OS_CHROMEOS) |
65 static const FilePath::CharType kReadOnlyCertDB[] = | |
66 FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); | |
67 return FilePath(kReadOnlyCertDB); | 93 return FilePath(kReadOnlyCertDB); |
68 #else | 94 #else |
69 return GetDefaultConfigDirectory(); | 95 return GetDefaultConfigDirectory(); |
70 #endif // defined(OS_CHROMEOS) | 96 #endif // defined(OS_CHROMEOS) |
71 } | 97 } |
72 | 98 |
73 // This callback for NSS forwards all requests to a caller-specified | 99 // This callback for NSS forwards all requests to a caller-specified |
74 // CryptoModuleBlockingPasswordDelegate object. | 100 // CryptoModuleBlockingPasswordDelegate object. |
75 char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { | 101 char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { |
102 #if defined(OS_CHROMEOS) | |
103 // If we get asked for a password for the TPM, then return the | |
104 // static password we use. | |
105 if (PK11_GetTokenName(slot) == base::GetTPMTokenName()) | |
106 return PORT_Strdup(kTPMUserPIN); | |
107 #endif | |
76 base::CryptoModuleBlockingPasswordDelegate* delegate = | 108 base::CryptoModuleBlockingPasswordDelegate* delegate = |
77 reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); | 109 reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); |
78 if (delegate) { | 110 if (delegate) { |
79 bool cancelled = false; | 111 bool cancelled = false; |
80 std::string password = delegate->RequestPassword(PK11_GetTokenName(slot), | 112 std::string password = delegate->RequestPassword(PK11_GetTokenName(slot), |
81 retry != PR_FALSE, | 113 retry != PR_FALSE, |
82 &cancelled); | 114 &cancelled); |
83 if (cancelled) | 115 if (cancelled) |
84 return NULL; | 116 return NULL; |
85 char* result = PORT_Strdup(password.c_str()); | 117 char* result = PORT_Strdup(password.c_str()); |
(...skipping 23 matching lines...) Expand all Loading... | |
109 if (buf.f_type == NFS_SUPER_MAGIC) { | 141 if (buf.f_type == NFS_SUPER_MAGIC) { |
110 scoped_ptr<Environment> env(Environment::Create()); | 142 scoped_ptr<Environment> env(Environment::Create()); |
111 const char* use_cache_env_var = "NSS_SDB_USE_CACHE"; | 143 const char* use_cache_env_var = "NSS_SDB_USE_CACHE"; |
112 if (!env->HasVar(use_cache_env_var)) | 144 if (!env->HasVar(use_cache_env_var)) |
113 env->SetVar(use_cache_env_var, "yes"); | 145 env->SetVar(use_cache_env_var, "yes"); |
114 } | 146 } |
115 } | 147 } |
116 #endif // defined(OS_LINUX) | 148 #endif // defined(OS_LINUX) |
117 } | 149 } |
118 | 150 |
119 // Load nss's built-in root certs. | 151 // A helper class that acquires the SECMOD list read lock while the |
120 SECMODModule *InitDefaultRootCerts() { | 152 // AutoSECMODListReadLock is in scope. |
121 const char* kModulePath = "libnssckbi.so"; | 153 class AutoSECMODListReadLock { |
122 char modparams[1024]; | 154 public: |
123 snprintf(modparams, sizeof(modparams), | 155 AutoSECMODListReadLock() |
124 "name=\"Root Certs\" library=\"%s\"", kModulePath); | 156 : lock_(SECMOD_GetDefaultModuleListLock()) { |
125 SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE); | 157 SECMOD_GetReadLock(lock_); |
126 if (root) | 158 } |
127 return root; | |
128 | 159 |
129 // Aw, snap. Can't find/load root cert shared library. | 160 ~AutoSECMODListReadLock() { |
130 // This will make it hard to talk to anybody via https. | 161 SECMOD_ReleaseReadLock(lock_); |
131 NOTREACHED(); | 162 } |
163 | |
164 private: | |
165 SECMODListLock* lock_; | |
166 DISALLOW_COPY_AND_ASSIGN(AutoSECMODListReadLock); | |
167 }; | |
168 | |
169 PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) { | |
170 AutoSECMODListReadLock auto_lock; | |
171 SECMODModuleList* head = SECMOD_GetDefaultModuleList(); | |
172 for (SECMODModuleList* item = head; item != NULL; item = item->next) { | |
173 int slot_count = item->module->loaded ? item->module->slotCount : 0; | |
174 for (int i = 0; i < slot_count; i++) { | |
175 PK11SlotInfo* slot = item->module->slots[i]; | |
176 if (PK11_GetTokenName(slot) == token_name) | |
177 return PK11_ReferenceSlot(slot); | |
178 } | |
179 } | |
132 return NULL; | 180 return NULL; |
133 } | 181 } |
182 | |
134 #endif // defined(USE_NSS) | 183 #endif // defined(USE_NSS) |
135 | 184 |
136 // A singleton to initialize/deinitialize NSPR. | 185 // A singleton to initialize/deinitialize NSPR. |
137 // Separate from the NSS singleton because we initialize NSPR on the UI thread. | 186 // Separate from the NSS singleton because we initialize NSPR on the UI thread. |
138 // Now that we're leaking the singleton, we could merge back with the NSS | 187 // Now that we're leaking the singleton, we could merge back with the NSS |
139 // singleton. | 188 // singleton. |
140 class NSPRInitSingleton { | 189 class NSPRInitSingleton { |
141 private: | 190 private: |
142 friend struct DefaultLazyInstanceTraits<NSPRInitSingleton>; | 191 friend struct DefaultLazyInstanceTraits<NSPRInitSingleton>; |
143 | 192 |
(...skipping 15 matching lines...) Expand all Loading... | |
159 | 208 |
160 LazyInstance<NSPRInitSingleton, LeakyLazyInstanceTraits<NSPRInitSingleton> > | 209 LazyInstance<NSPRInitSingleton, LeakyLazyInstanceTraits<NSPRInitSingleton> > |
161 g_nspr_singleton(LINKER_INITIALIZED); | 210 g_nspr_singleton(LINKER_INITIALIZED); |
162 | 211 |
163 class NSSInitSingleton { | 212 class NSSInitSingleton { |
164 public: | 213 public: |
165 #if defined(OS_CHROMEOS) | 214 #if defined(OS_CHROMEOS) |
166 void OpenPersistentNSSDB() { | 215 void OpenPersistentNSSDB() { |
167 if (!chromeos_user_logged_in_) { | 216 if (!chromeos_user_logged_in_) { |
168 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread. | 217 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread. |
169 // Temporarily allow it until we fix http://crbug.com.70119 | 218 // Temporarily allow it until we fix http://crbug.com/70119 |
170 ThreadRestrictions::ScopedAllowIO allow_io; | 219 ThreadRestrictions::ScopedAllowIO allow_io; |
171 chromeos_user_logged_in_ = true; | 220 chromeos_user_logged_in_ = true; |
172 real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), | 221 |
173 "Real NSS database"); | 222 // This creates a new DB slot in NSS that is read/write, unlike |
223 // the fake root CA cert DB and the "default" crypto key | |
224 // provider, which are still read-only (because we initialized | |
225 // NSS before we had a cryptohome mounted). | |
226 real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), kNSSDatabaseName); | |
227 | |
228 // This loads the opencryptoki module so we can talk to the | |
229 // hardware TPM. | |
230 opencryptoki_module_ = LoadModule( | |
231 "opencryptoki", | |
232 "/usr/lib/opencryptoki/libopencryptoki.so", | |
233 // trustOrder=100 -- means it'll select this as the most | |
234 // trusted slot for the mechanisms it provides. | |
235 // slotParams=... -- selects RSA as only mechanism, and only | |
236 // asks for the password when necessary (instead of every | |
237 // time, or after a timeout). | |
238 "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); | |
239 if (opencryptoki_module_) { | |
240 // We shouldn't need to initialize the TPM PIN here because | |
241 // it'll be taken care of by cryptohomed, but we have to make | |
242 // sure that it is initialized. | |
243 | |
244 // TODO(gspencer): replace this with a dbus call to check and | |
245 // see that cryptohomed has initialized the PINs already. | |
246 EnsureTPMInit(); | |
247 } | |
174 } | 248 } |
175 } | 249 } |
250 | |
251 std::string GetTPMTokenName() { | |
252 // TODO(gspencer): This should come from the dbus interchange with | |
253 // cryptohomed instead of being hard-coded. | |
254 return std::string(kTPMTokenName); | |
255 } | |
256 | |
257 PK11SlotInfo* GetTPMSlot() { | |
258 return FindSlotWithTokenName(GetTPMTokenName()); | |
259 } | |
176 #endif // defined(OS_CHROMEOS) | 260 #endif // defined(OS_CHROMEOS) |
177 | 261 |
262 | |
178 bool OpenTestNSSDB(const FilePath& path, const char* description) { | 263 bool OpenTestNSSDB(const FilePath& path, const char* description) { |
179 test_db_slot_ = OpenUserDB(path, description); | 264 test_db_slot_ = OpenUserDB(path, description); |
180 return !!test_db_slot_; | 265 return !!test_db_slot_; |
181 } | 266 } |
182 | 267 |
183 void CloseTestNSSDB() { | 268 void CloseTestNSSDB() { |
184 if (test_db_slot_) { | 269 if (test_db_slot_) { |
185 SECStatus status = SECMOD_CloseUserDB(test_db_slot_); | 270 SECStatus status = SECMOD_CloseUserDB(test_db_slot_); |
186 if (status != SECSuccess) | 271 if (status != SECSuccess) |
187 LOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError(); | 272 LOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError(); |
188 PK11_FreeSlot(test_db_slot_); | 273 PK11_FreeSlot(test_db_slot_); |
189 test_db_slot_ = NULL; | 274 test_db_slot_ = NULL; |
190 } | 275 } |
191 } | 276 } |
192 | 277 |
193 PK11SlotInfo* GetDefaultKeySlot() { | 278 PK11SlotInfo* GetDefaultNSSKeySlot() { |
194 if (test_db_slot_) | 279 if (test_db_slot_) |
195 return PK11_ReferenceSlot(test_db_slot_); | 280 return PK11_ReferenceSlot(test_db_slot_); |
196 if (real_db_slot_) | 281 if (real_db_slot_) |
197 return PK11_ReferenceSlot(real_db_slot_); | 282 return PK11_ReferenceSlot(real_db_slot_); |
198 return PK11_GetInternalKeySlot(); | 283 return PK11_GetInternalKeySlot(); |
199 } | 284 } |
200 | 285 |
201 #if defined(USE_NSS) | 286 #if defined(USE_NSS) |
202 Lock* write_lock() { | 287 Lock* write_lock() { |
203 return &write_lock_; | 288 return &write_lock_; |
204 } | 289 } |
205 #endif // defined(USE_NSS) | 290 #endif // defined(USE_NSS) |
206 | 291 |
207 // This method is used to force NSS to be initialized without a DB. | 292 // This method is used to force NSS to be initialized without a DB. |
208 // Call this method before NSSInitSingleton() is constructed. | 293 // Call this method before NSSInitSingleton() is constructed. |
209 static void ForceNoDBInit() { | 294 static void ForceNoDBInit() { |
210 force_nodb_init_ = true; | 295 force_nodb_init_ = true; |
211 } | 296 } |
212 | 297 |
213 private: | 298 private: |
214 friend struct DefaultLazyInstanceTraits<NSSInitSingleton>; | 299 friend struct DefaultLazyInstanceTraits<NSSInitSingleton>; |
215 | 300 |
216 NSSInitSingleton() | 301 NSSInitSingleton() |
217 : real_db_slot_(NULL), | 302 : real_db_slot_(NULL), |
218 test_db_slot_(NULL), | 303 test_db_slot_(NULL), |
219 root_(NULL), | 304 root_(NULL), |
305 opencryptoki_module_(NULL), | |
220 chromeos_user_logged_in_(false) { | 306 chromeos_user_logged_in_(false) { |
221 EnsureNSPRInit(); | 307 EnsureNSPRInit(); |
222 | 308 |
223 // We *must* have NSS >= 3.12.3. See bug 26448. | 309 // We *must* have NSS >= 3.12.3. See bug 26448. |
224 COMPILE_ASSERT( | 310 COMPILE_ASSERT( |
225 (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) || | 311 (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) || |
226 (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || | 312 (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || |
227 (NSS_VMAJOR > 3), | 313 (NSS_VMAJOR > 3), |
228 nss_version_check_failed); | 314 nss_version_check_failed); |
229 // Also check the run-time NSS version. | 315 // Also check the run-time NSS version. |
(...skipping 12 matching lines...) Expand all Loading... | |
242 } | 328 } |
243 | 329 |
244 SECStatus status = SECFailure; | 330 SECStatus status = SECFailure; |
245 bool nodb_init = force_nodb_init_; | 331 bool nodb_init = force_nodb_init_; |
246 | 332 |
247 #if !defined(USE_NSS) | 333 #if !defined(USE_NSS) |
248 // Use the system certificate store, so initialize NSS without database. | 334 // Use the system certificate store, so initialize NSS without database. |
249 nodb_init = true; | 335 nodb_init = true; |
250 #endif | 336 #endif |
251 | 337 |
252 if (nodb_init) { | 338 if (nodb_init) { |
Greg Spencer (Chromium)
2011/03/17 22:50:10
FYI: Rietveld's diff algorithm got very confused h
| |
253 status = NSS_NoDB_Init(NULL); | 339 status = NSS_NoDB_Init(NULL); |
254 if (status != SECSuccess) { | 340 if (status != SECSuccess) { |
255 LOG(ERROR) << "Error initializing NSS without a persistent " | 341 LOG(ERROR) << "Error initializing NSS without a persistent " |
256 "database: NSS error code " << PR_GetError(); | 342 "database: " << GetNSSErrorMessage(); |
257 } | 343 } |
258 } else { | 344 } else { |
259 #if defined(USE_NSS) | 345 #if defined(USE_NSS) |
260 FilePath database_dir = GetInitialConfigDirectory(); | 346 FilePath database_dir = GetInitialConfigDirectory(); |
261 if (!database_dir.empty()) { | 347 if (!database_dir.empty()) { |
262 // This duplicates the work which should have been done in | 348 // This duplicates the work which should have been done in |
263 // EarlySetupForNSSInit. However, this function is idempotent so | 349 // EarlySetupForNSSInit. However, this function is idempotent so |
264 // there's no harm done. | 350 // there's no harm done. |
265 UseLocalCacheOfNSSDatabaseIfNFS(database_dir); | 351 UseLocalCacheOfNSSDatabaseIfNFS(database_dir); |
266 | 352 |
267 // Initialize with a persistent database (likely, ~/.pki/nssdb). | 353 // Initialize with a persistent database (likely, ~/.pki/nssdb). |
268 // Use "sql:" which can be shared by multiple processes safely. | 354 // Use "sql:" which can be shared by multiple processes safely. |
269 std::string nss_config_dir = | 355 std::string nss_config_dir = |
270 StringPrintf("sql:%s", database_dir.value().c_str()); | 356 StringPrintf("sql:%s", database_dir.value().c_str()); |
271 #if defined(OS_CHROMEOS) | 357 #if defined(OS_CHROMEOS) |
272 status = NSS_Init(nss_config_dir.c_str()); | 358 status = NSS_Init(nss_config_dir.c_str()); |
273 #else | 359 #else |
274 status = NSS_InitReadWrite(nss_config_dir.c_str()); | 360 status = NSS_InitReadWrite(nss_config_dir.c_str()); |
275 #endif | 361 #endif |
276 if (status != SECSuccess) { | 362 if (status != SECSuccess) { |
277 LOG(ERROR) << "Error initializing NSS with a persistent " | 363 LOG(ERROR) << "Error initializing NSS with a persistent " |
278 "database (" << nss_config_dir | 364 "database (" << nss_config_dir |
279 << "): NSS error code " << PR_GetError(); | 365 << "): " << GetNSSErrorMessage(); |
280 } | 366 } |
281 } | 367 } |
282 if (status != SECSuccess) { | 368 if (status != SECSuccess) { |
283 LOG(WARNING) << "Initialize NSS without a persistent database " | 369 VLOG(1) << "Initializing NSS without a persistent database."; |
wtc
2011/03/18 18:36:32
LOG(WARNING) seems appropriate for this log messag
Greg Spencer (Chromium)
2011/03/18 20:43:11
Well, I had that, but this happens every time Chro
| |
284 "(~/.pki/nssdb)."; | |
285 status = NSS_NoDB_Init(NULL); | 370 status = NSS_NoDB_Init(NULL); |
286 if (status != SECSuccess) { | 371 if (status != SECSuccess) { |
287 LOG(ERROR) << "Error initializing NSS without a persistent " | 372 LOG(ERROR) << "Error initializing NSS without a persistent " |
288 "database: NSS error code " << PR_GetError(); | 373 "database: " << GetNSSErrorMessage(); |
289 return; | 374 return; |
290 } | 375 } |
291 } | 376 } |
292 | 377 |
293 PK11_SetPasswordFunc(PKCS11PasswordFunc); | 378 PK11_SetPasswordFunc(PKCS11PasswordFunc); |
294 | 379 |
295 // If we haven't initialized the password for the NSS databases, | 380 // If we haven't initialized the password for the NSS databases, |
296 // initialize an empty-string password so that we don't need to | 381 // initialize an empty-string password so that we don't need to |
297 // log in. | 382 // log in. |
298 PK11SlotInfo* slot = PK11_GetInternalKeySlot(); | 383 PK11SlotInfo* slot = PK11_GetInternalKeySlot(); |
(...skipping 18 matching lines...) Expand all Loading... | |
317 SECMOD_CloseUserDB(real_db_slot_); | 402 SECMOD_CloseUserDB(real_db_slot_); |
318 PK11_FreeSlot(real_db_slot_); | 403 PK11_FreeSlot(real_db_slot_); |
319 real_db_slot_ = NULL; | 404 real_db_slot_ = NULL; |
320 } | 405 } |
321 CloseTestNSSDB(); | 406 CloseTestNSSDB(); |
322 if (root_) { | 407 if (root_) { |
323 SECMOD_UnloadUserModule(root_); | 408 SECMOD_UnloadUserModule(root_); |
324 SECMOD_DestroyModule(root_); | 409 SECMOD_DestroyModule(root_); |
325 root_ = NULL; | 410 root_ = NULL; |
326 } | 411 } |
412 if (opencryptoki_module_) { | |
413 SECMOD_UnloadUserModule(opencryptoki_module_); | |
414 SECMOD_DestroyModule(opencryptoki_module_); | |
415 opencryptoki_module_ = NULL; | |
416 } | |
327 | 417 |
328 SECStatus status = NSS_Shutdown(); | 418 SECStatus status = NSS_Shutdown(); |
329 if (status != SECSuccess) { | 419 if (status != SECSuccess) { |
330 // We VLOG(1) because this failure is relatively harmless (leaking, but | 420 // We VLOG(1) because this failure is relatively harmless (leaking, but |
331 // we're shutting down anyway). | 421 // we're shutting down anyway). |
332 VLOG(1) << "NSS_Shutdown failed; see " | 422 VLOG(1) << "NSS_Shutdown failed; see http://crbug.com/4609"; |
333 "http://code.google.com/p/chromium/issues/detail?id=4609"; | |
334 } | 423 } |
335 } | 424 } |
336 | 425 |
426 #if defined(USE_NSS) | |
427 // Load nss's built-in root certs. | |
428 SECMODModule* InitDefaultRootCerts() { | |
429 SECMODModule* root = LoadModule("Root Certs", "libnssckbi.so", NULL); | |
430 if (root) | |
431 return root; | |
432 | |
433 // Aw, snap. Can't find/load root cert shared library. | |
434 // This will make it hard to talk to anybody via https. | |
435 NOTREACHED(); | |
436 return NULL; | |
437 } | |
438 | |
439 // Load the given module for this NSS session. | |
440 SECMODModule* LoadModule(const char* name, | |
441 const char* library_path, | |
442 const char* params) { | |
443 std::string modparams = StringPrintf( | |
444 "name=\"%s\" library=\"%s\" %s", | |
445 name, library_path, params ? params : ""); | |
446 | |
447 // Shouldn't need to const_cast here, but SECMOD doesn't have a | |
448 // const interface for this. Bug | |
wtc
2011/03/18 18:36:32
Nit: SECMOD is a C API, so function overloading is
Greg Spencer (Chromium)
2011/03/18 20:43:11
OK, done. I wasn't thinking it would be an overlo
| |
449 // https://bugzilla.mozilla.org/show_bug.cgi?id=642546 filed on | |
450 // NSS code to address this. | |
451 SECMODModule* module = SECMOD_LoadUserModule( | |
452 const_cast<char*>(modparams.c_str()), NULL, PR_FALSE); | |
453 if (!module) { | |
454 LOG(ERROR) << "Error loading " << name << " module into NSS: " | |
455 << GetNSSErrorMessage(); | |
456 return NULL; | |
457 } | |
458 return module; | |
459 } | |
460 #endif | |
461 | |
462 #if defined(OS_CHROMEOS) | |
463 void EnsureTPMInit() { | |
464 base::ScopedPK11Slot tpm_slot(GetTPMSlot()); | |
465 if (tpm_slot.get()) { | |
466 // TODO(gspencer): Remove this in favor of the dbus API for | |
467 // cryptohomed when that is available. | |
468 if (PK11_NeedUserInit(tpm_slot.get())) { | |
469 PK11_InitPin(tpm_slot.get(), | |
470 kTPMSecurityOfficerPIN, | |
471 kTPMUserPIN); | |
472 } | |
473 } | |
474 } | |
475 #endif | |
476 | |
337 static PK11SlotInfo* OpenUserDB(const FilePath& path, | 477 static PK11SlotInfo* OpenUserDB(const FilePath& path, |
338 const char* description) { | 478 const char* description) { |
339 const std::string modspec = | 479 const std::string modspec = |
340 StringPrintf("configDir='sql:%s' tokenDescription='%s'", | 480 StringPrintf("configDir='sql:%s' tokenDescription='%s'", |
341 path.value().c_str(), description); | 481 path.value().c_str(), description); |
342 PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str()); | 482 PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str()); |
343 if (db_slot) { | 483 if (db_slot) { |
344 if (PK11_NeedUserInit(db_slot)) | 484 if (PK11_NeedUserInit(db_slot)) |
345 PK11_InitPin(db_slot, NULL, NULL); | 485 PK11_InitPin(db_slot, NULL, NULL); |
346 } | 486 } |
347 else { | 487 else { |
348 LOG(ERROR) << "Error opening persistent database (" << modspec | 488 LOG(ERROR) << "Error opening persistent database (" << modspec |
349 << "): NSS error code " << PR_GetError(); | 489 << "): " << GetNSSErrorMessage(); |
350 } | 490 } |
351 return db_slot; | 491 return db_slot; |
352 } | 492 } |
353 | 493 |
354 // If this is set to true NSS is forced to be initialized without a DB. | 494 // If this is set to true NSS is forced to be initialized without a DB. |
355 static bool force_nodb_init_; | 495 static bool force_nodb_init_; |
356 | 496 |
357 PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. | 497 PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. |
358 PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ | 498 PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ |
359 SECMODModule *root_; | 499 SECMODModule* root_; |
500 SECMODModule* opencryptoki_module_; | |
360 bool chromeos_user_logged_in_; | 501 bool chromeos_user_logged_in_; |
361 #if defined(USE_NSS) | 502 #if defined(USE_NSS) |
362 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 | 503 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 |
363 // is fixed, we will no longer need the lock. | 504 // is fixed, we will no longer need the lock. |
364 Lock write_lock_; | 505 Lock write_lock_; |
365 #endif // defined(USE_NSS) | 506 #endif // defined(USE_NSS) |
366 }; | 507 }; |
367 | 508 |
368 // static | 509 // static |
369 bool NSSInitSingleton::force_nodb_init_ = false; | 510 bool NSSInitSingleton::force_nodb_init_ = false; |
(...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
430 lock_->AssertAcquired(); | 571 lock_->AssertAcquired(); |
431 lock_->Release(); | 572 lock_->Release(); |
432 } | 573 } |
433 } | 574 } |
434 #endif // defined(USE_NSS) | 575 #endif // defined(USE_NSS) |
435 | 576 |
436 #if defined(OS_CHROMEOS) | 577 #if defined(OS_CHROMEOS) |
437 void OpenPersistentNSSDB() { | 578 void OpenPersistentNSSDB() { |
438 g_nss_singleton.Get().OpenPersistentNSSDB(); | 579 g_nss_singleton.Get().OpenPersistentNSSDB(); |
439 } | 580 } |
440 #endif | 581 |
582 std::string GetTPMTokenName() { | |
583 return g_nss_singleton.Get().GetTPMTokenName(); | |
584 } | |
585 #endif // defined(OS_CHROMEOS) | |
441 | 586 |
442 // TODO(port): Implement this more simply. We can convert by subtracting an | 587 // TODO(port): Implement this more simply. We can convert by subtracting an |
443 // offset (the difference between NSPR's and base::Time's epochs). | 588 // offset (the difference between NSPR's and base::Time's epochs). |
444 Time PRTimeToBaseTime(PRTime prtime) { | 589 Time PRTimeToBaseTime(PRTime prtime) { |
445 PRExplodedTime prxtime; | 590 PRExplodedTime prxtime; |
446 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); | 591 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); |
447 | 592 |
448 Time::Exploded exploded; | 593 Time::Exploded exploded; |
449 exploded.year = prxtime.tm_year; | 594 exploded.year = prxtime.tm_year; |
450 exploded.month = prxtime.tm_month + 1; | 595 exploded.month = prxtime.tm_month + 1; |
451 exploded.day_of_week = prxtime.tm_wday; | 596 exploded.day_of_week = prxtime.tm_wday; |
452 exploded.day_of_month = prxtime.tm_mday; | 597 exploded.day_of_month = prxtime.tm_mday; |
453 exploded.hour = prxtime.tm_hour; | 598 exploded.hour = prxtime.tm_hour; |
454 exploded.minute = prxtime.tm_min; | 599 exploded.minute = prxtime.tm_min; |
455 exploded.second = prxtime.tm_sec; | 600 exploded.second = prxtime.tm_sec; |
456 exploded.millisecond = prxtime.tm_usec / 1000; | 601 exploded.millisecond = prxtime.tm_usec / 1000; |
457 | 602 |
458 return Time::FromUTCExploded(exploded); | 603 return Time::FromUTCExploded(exploded); |
459 } | 604 } |
460 | 605 |
461 PK11SlotInfo* GetDefaultNSSKeySlot() { | 606 PK11SlotInfo* GetDefaultNSSKeySlot() { |
462 return g_nss_singleton.Get().GetDefaultKeySlot(); | 607 return g_nss_singleton.Get().GetDefaultNSSKeySlot(); |
608 } | |
609 | |
610 PK11SlotInfo* GetPreferredKeySlot() { | |
611 #if defined(OS_CHROMEOS) | |
612 return g_nss_singleton.Get().GetTPMSlot(); | |
613 #else | |
614 return GetDefaultNSSKeySlot(); | |
615 #endif | |
463 } | 616 } |
464 | 617 |
465 } // namespace base | 618 } // namespace base |
OLD | NEW |