| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "crypto/nss_util.h" | 5 #include "crypto/nss_util.h" |
| 6 #include "crypto/nss_util_internal.h" | 6 #include "crypto/nss_util_internal.h" |
| 7 | 7 |
| 8 #include <nss.h> | 8 #include <nss.h> |
| 9 #include <plarena.h> | 9 #include <plarena.h> |
| 10 #include <prerror.h> | 10 #include <prerror.h> |
| (...skipping 13 matching lines...) Expand all Loading... |
| 24 #include "base/file_path.h" | 24 #include "base/file_path.h" |
| 25 #include "base/file_util.h" | 25 #include "base/file_util.h" |
| 26 #include "base/lazy_instance.h" | 26 #include "base/lazy_instance.h" |
| 27 #include "base/logging.h" | 27 #include "base/logging.h" |
| 28 #include "base/memory/scoped_ptr.h" | 28 #include "base/memory/scoped_ptr.h" |
| 29 #include "base/native_library.h" | 29 #include "base/native_library.h" |
| 30 #include "base/stringprintf.h" | 30 #include "base/stringprintf.h" |
| 31 #include "base/threading/thread_restrictions.h" | 31 #include "base/threading/thread_restrictions.h" |
| 32 #include "crypto/scoped_nss_types.h" | 32 #include "crypto/scoped_nss_types.h" |
| 33 | 33 |
| 34 #if defined(OS_CHROMEOS) |
| 35 #include "crypto/symmetric_key.h" |
| 36 #endif |
| 37 |
| 34 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not | 38 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not |
| 35 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't | 39 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't |
| 36 // use NSS for crypto or certificate verification, and we don't use the NSS | 40 // use NSS for crypto or certificate verification, and we don't use the NSS |
| 37 // certificate and key databases. | 41 // certificate and key databases. |
| 38 #if defined(USE_NSS) | 42 #if defined(USE_NSS) |
| 39 #include "base/synchronization/lock.h" | 43 #include "base/synchronization/lock.h" |
| 40 #include "crypto/crypto_module_blocking_password_delegate.h" | 44 #include "crypto/crypto_module_blocking_password_delegate.h" |
| 41 #endif // defined(USE_NSS) | 45 #endif // defined(USE_NSS) |
| 42 | 46 |
| 43 namespace crypto { | 47 namespace crypto { |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 76 return dir; | 80 return dir; |
| 77 } | 81 } |
| 78 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); | 82 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); |
| 79 if (!file_util::CreateDirectory(dir)) { | 83 if (!file_util::CreateDirectory(dir)) { |
| 80 LOG(ERROR) << "Failed to create " << dir.value() << " directory."; | 84 LOG(ERROR) << "Failed to create " << dir.value() << " directory."; |
| 81 dir.clear(); | 85 dir.clear(); |
| 82 } | 86 } |
| 83 return dir; | 87 return dir; |
| 84 } | 88 } |
| 85 | 89 |
| 90 #if defined(OS_CHROMEOS) |
| 91 // Supplemental user key id. |
| 92 unsigned char kSupplementalUserKeyId[] = { |
| 93 0xCC, 0x13, 0x19, 0xDE, 0x75, 0x5E, 0xFE, 0xFA, |
| 94 0x5E, 0x71, 0xD4, 0xA6, 0xFB, 0x00, 0x00, 0xCC |
| 95 }; |
| 96 #endif // defined(OS_CHROMEOS) |
| 97 |
| 98 |
| 86 // On non-chromeos platforms, return the default config directory. | 99 // On non-chromeos platforms, return the default config directory. |
| 87 // On chromeos, return a read-only directory with fake root CA certs for testing | 100 // On chromeos, return a read-only directory with fake root CA certs for testing |
| 88 // (which will not exist on non-testing images). These root CA certs are used | 101 // (which will not exist on non-testing images). These root CA certs are used |
| 89 // by the local Google Accounts server mock we use when testing our login code. | 102 // by the local Google Accounts server mock we use when testing our login code. |
| 90 // If this directory is not present, NSS_Init() will fail. It is up to the | 103 // If this directory is not present, NSS_Init() will fail. It is up to the |
| 91 // caller to failover to NSS_NoDB_Init() at that point. | 104 // caller to failover to NSS_NoDB_Init() at that point. |
| 92 FilePath GetInitialConfigDirectory() { | 105 FilePath GetInitialConfigDirectory() { |
| 93 #if defined(OS_CHROMEOS) | 106 #if defined(OS_CHROMEOS) |
| 94 return FilePath(kReadOnlyCertDB); | 107 return FilePath(kReadOnlyCertDB); |
| 95 #else | 108 #else |
| (...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 281 bool IsTPMTokenReady() { | 294 bool IsTPMTokenReady() { |
| 282 return tpm_slot_ != NULL; | 295 return tpm_slot_ != NULL; |
| 283 } | 296 } |
| 284 | 297 |
| 285 PK11SlotInfo* GetTPMSlot() { | 298 PK11SlotInfo* GetTPMSlot() { |
| 286 std::string token_name; | 299 std::string token_name; |
| 287 GetTPMTokenInfo(&token_name, NULL); | 300 GetTPMTokenInfo(&token_name, NULL); |
| 288 return FindSlotWithTokenName(token_name); | 301 return FindSlotWithTokenName(token_name); |
| 289 } | 302 } |
| 290 | 303 |
| 304 SymmetricKey* GetSupplementalUserKey() { |
| 305 DCHECK(chromeos_user_logged_in_); |
| 306 |
| 307 PK11SlotInfo* slot = NULL; |
| 308 PK11SymKey* key = NULL; |
| 309 SECItem keyID; |
| 310 CK_MECHANISM_TYPE type = CKM_AES_ECB; |
| 311 |
| 312 slot = GetPublicNSSKeySlot(); |
| 313 if (!slot) |
| 314 goto done; |
| 315 |
| 316 if (PK11_Authenticate(slot, PR_TRUE, NULL) != SECSuccess) |
| 317 goto done; |
| 318 |
| 319 keyID.type = siBuffer; |
| 320 keyID.data = kSupplementalUserKeyId; |
| 321 keyID.len = static_cast<int>(sizeof(kSupplementalUserKeyId)); |
| 322 |
| 323 // Find/generate AES key. |
| 324 key = PK11_FindFixedKey(slot, type, &keyID, NULL); |
| 325 if (!key) { |
| 326 const int kKeySizeInBytes = 32; |
| 327 key = PK11_TokenKeyGen(slot, type, NULL, |
| 328 kKeySizeInBytes, |
| 329 &keyID, PR_TRUE, NULL); |
| 330 } |
| 331 |
| 332 done: |
| 333 if (slot) |
| 334 PK11_FreeSlot(slot); |
| 335 |
| 336 return key ? SymmetricKey::CreateFromKey(key) : NULL; |
| 337 } |
| 291 #endif // defined(OS_CHROMEOS) | 338 #endif // defined(OS_CHROMEOS) |
| 292 | 339 |
| 293 | 340 |
| 294 bool OpenTestNSSDB(const FilePath& path, const char* description) { | 341 bool OpenTestNSSDB(const FilePath& path, const char* description) { |
| 295 test_slot_ = OpenUserDB(path, description); | 342 test_slot_ = OpenUserDB(path, description); |
| 296 return !!test_slot_; | 343 return !!test_slot_; |
| 297 } | 344 } |
| 298 | 345 |
| 299 void CloseTestNSSDB() { | 346 void CloseTestNSSDB() { |
| 300 if (test_slot_) { | 347 if (test_slot_) { |
| (...skipping 394 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 695 } | 742 } |
| 696 | 743 |
| 697 bool IsTPMTokenReady() { | 744 bool IsTPMTokenReady() { |
| 698 return g_nss_singleton.Get().IsTPMTokenReady(); | 745 return g_nss_singleton.Get().IsTPMTokenReady(); |
| 699 } | 746 } |
| 700 | 747 |
| 701 bool EnsureTPMTokenReady() { | 748 bool EnsureTPMTokenReady() { |
| 702 return g_nss_singleton.Get().EnsureTPMTokenReady(); | 749 return g_nss_singleton.Get().EnsureTPMTokenReady(); |
| 703 } | 750 } |
| 704 | 751 |
| 752 SymmetricKey* GetSupplementalUserKey() { |
| 753 return g_nss_singleton.Get().GetSupplementalUserKey(); |
| 754 } |
| 705 #endif // defined(OS_CHROMEOS) | 755 #endif // defined(OS_CHROMEOS) |
| 706 | 756 |
| 707 // TODO(port): Implement this more simply. We can convert by subtracting an | 757 // TODO(port): Implement this more simply. We can convert by subtracting an |
| 708 // offset (the difference between NSPR's and base::Time's epochs). | 758 // offset (the difference between NSPR's and base::Time's epochs). |
| 709 base::Time PRTimeToBaseTime(PRTime prtime) { | 759 base::Time PRTimeToBaseTime(PRTime prtime) { |
| 710 PRExplodedTime prxtime; | 760 PRExplodedTime prxtime; |
| 711 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); | 761 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); |
| 712 | 762 |
| 713 base::Time::Exploded exploded; | 763 base::Time::Exploded exploded; |
| 714 exploded.year = prxtime.tm_year; | 764 exploded.year = prxtime.tm_year; |
| (...skipping 10 matching lines...) Expand all Loading... |
| 725 | 775 |
| 726 PK11SlotInfo* GetPublicNSSKeySlot() { | 776 PK11SlotInfo* GetPublicNSSKeySlot() { |
| 727 return g_nss_singleton.Get().GetPublicNSSKeySlot(); | 777 return g_nss_singleton.Get().GetPublicNSSKeySlot(); |
| 728 } | 778 } |
| 729 | 779 |
| 730 PK11SlotInfo* GetPrivateNSSKeySlot() { | 780 PK11SlotInfo* GetPrivateNSSKeySlot() { |
| 731 return g_nss_singleton.Get().GetPrivateNSSKeySlot(); | 781 return g_nss_singleton.Get().GetPrivateNSSKeySlot(); |
| 732 } | 782 } |
| 733 | 783 |
| 734 } // namespace crypto | 784 } // namespace crypto |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 7756025:
Changed OAuth token+secret encryption to use supplemental user key. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/