chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc - Issue 1128153003: Reland "Don't use RSAPrivateKey in NSS integration code."

Side by Side Diff: chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc

Issue 1128153003: Reland "Don't use RSAPrivateKey in NSS integration code." (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: fix crash Created 5 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h ('K') | « chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h ('k') | chrome/browser/chromeos/platform_keys/platform_keys_nss.cc » ('j') | chrome/browser/chromeos/platform_keys/platform_keys_nss.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"	5 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"

6	6

	7 #include <keyhi.h>

	8

7 #include <algorithm>	9 #include <algorithm>

8 #include <string>	10 #include <string>

9	11

10 #include "base/bind.h"	12 #include "base/bind.h"

11 #include "base/bind_helpers.h"	13 #include "base/bind_helpers.h"

12 #include "base/callback.h"	14 #include "base/callback.h"

13 #include "base/command_line.h"	15 #include "base/command_line.h"

14 #include "base/prefs/pref_service.h"	16 #include "base/prefs/pref_service.h"

15 #include "base/threading/thread_checker.h"	17 #include "base/threading/thread_checker.h"

16 #include "chrome/browser/chrome_notification_types.h"	18 #include "chrome/browser/chrome_notification_types.h"

17 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos_fact ory.h"	19 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos_fact ory.h"

18 #include "chrome/browser/chromeos/profiles/profile_helper.h"	20 #include "chrome/browser/chromeos/profiles/profile_helper.h"

19 #include "chrome/browser/chromeos/settings/cros_settings.h"	21 #include "chrome/browser/chromeos/settings/cros_settings.h"

20 #include "chrome/browser/chromeos/settings/device_settings_provider.h"	22 #include "chrome/browser/chromeos/settings/device_settings_provider.h"

21 #include "chrome/browser/chromeos/settings/session_manager_operation.h"	23 #include "chrome/browser/chromeos/settings/session_manager_operation.h"

22 #include "chrome/browser/profiles/profile.h"	24 #include "chrome/browser/profiles/profile.h"

23 #include "chromeos/dbus/dbus_thread_manager.h"	25 #include "chromeos/dbus/dbus_thread_manager.h"

24 #include "chromeos/tpm/tpm_token_loader.h"	26 #include "chromeos/tpm/tpm_token_loader.h"

25 #include "components/ownership/owner_key_util.h"	27 #include "components/ownership/owner_key_util.h"

26 #include "components/user_manager/user.h"	28 #include "components/user_manager/user.h"

27 #include "content/public/browser/browser_thread.h"	29 #include "content/public/browser/browser_thread.h"

28 #include "content/public/browser/notification_details.h"	30 #include "content/public/browser/notification_details.h"

29 #include "content/public/browser/notification_service.h"	31 #include "content/public/browser/notification_service.h"

30 #include "content/public/browser/notification_source.h"	32 #include "content/public/browser/notification_source.h"

31 #include "content/public/common/content_switches.h"	33 #include "content/public/common/content_switches.h"

	34 #include "crypto/nss_key_util.h"

32 #include "crypto/nss_util.h"	35 #include "crypto/nss_util.h"

33 #include "crypto/nss_util_internal.h"	36 #include "crypto/nss_util_internal.h"

34 #include "crypto/rsa_private_key.h"

35 #include "crypto/scoped_nss_types.h"	37 #include "crypto/scoped_nss_types.h"

36 #include "crypto/signature_creator.h"	38 #include "crypto/signature_creator.h"

37	39

38 namespace em = enterprise_management;	40 namespace em = enterprise_management;

39	41

40 using content::BrowserThread;	42 using content::BrowserThread;

41 using ownership::OwnerKeyUtil;	43 using ownership::OwnerKeyUtil;

42 using ownership::PrivateKey;	44 using ownership::PrivateKey;

43 using ownership::PublicKey;	45 using ownership::PublicKey;

44	46

(...skipping 20 matching lines...) Expand all Loading...
65 const std::string& username_hash,	67 const std::string& username_hash,

66 const base::Callback<void(const scoped_refptr<PublicKey>& public_key,	68 const base::Callback<void(const scoped_refptr<PublicKey>& public_key,

67 const scoped_refptr<PrivateKey>& private_key)>&	69 const scoped_refptr<PrivateKey>& private_key)>&

68 callback) {	70 callback) {

69 crypto::EnsureNSSInit();	71 crypto::EnsureNSSInit();

70 crypto::ScopedPK11Slot public_slot =	72 crypto::ScopedPK11Slot public_slot =

71 crypto::GetPublicSlotForChromeOSUser(username_hash);	73 crypto::GetPublicSlotForChromeOSUser(username_hash);

72 crypto::ScopedPK11Slot private_slot = crypto::GetPrivateSlotForChromeOSUser(	74 crypto::ScopedPK11Slot private_slot = crypto::GetPrivateSlotForChromeOSUser(

73 username_hash, base::Callback<void(crypto::ScopedPK11Slot)>());	75 username_hash, base::Callback<void(crypto::ScopedPK11Slot)>());

74	76

75 // If private slot is already available, this will check it. If not,	77 crypto::RSAPrivateKey* private_key = nullptr;

76 // we'll get called again later when the TPM Token is ready, and the	78 if (private_slot) {

77 // slot will be available then.	79 // If private slot is already available, this will check it. If not, we'll

78 scoped_refptr<PrivateKey> private_key(	80 // get called again later when the TPM Token is ready, and the slot will be

79 new PrivateKey(owner_key_util->FindPrivateKeyInSlot(public_key->data(),	81 // available then.

80 private_slot.get())));	82 private_key = owner_key_util->FindPrivateKeyInSlot(public_key->data(),

81 if (!private_key->key()) {	83 private_slot.get());

82 private_key = new PrivateKey(owner_key_util->FindPrivateKeyInSlot(

83 public_key->data(), public_slot.get()));

84 }	84 }

85 BrowserThread::PostTask(BrowserThread::UI,	85 if (!private_key && public_slot) {

86 FROM_HERE,	86 private_key = owner_key_util->FindPrivateKeyInSlot(public_key->data(),

87 base::Bind(callback, public_key, private_key));	87 public_slot.get());
	Ryan Sleevi 2015/05/06 23:46:03 This shouldn't have a private key. I have no clue This shouldn't have a private key. I have no clue what's going on here. pneubeck@, please tell me you can make sense of this :) Dmitry Polukhin 2015/05/07 10:59:16 The code was added here https://codereview.chromiu Show quoted text On 2015/05/06 23:46:03, Ryan Sleevi wrote: > This shouldn't have a private key. I have no clue what's going on here. > pneubeck@, please tell me you can make sense of this :) The code was added here https://codereview.chromium.org/660343002 pneubeck (no reviews) 2015/05/07 12:19:16 This was added by Chris Masone here https://codere Show quoted text On 2015/05/06 23:46:03, Ryan Sleevi wrote: > This shouldn't have a private key. I have no clue what's going on here. > pneubeck@, please tell me you can make sense of this :) This was added by Chris Masone here https://codereview.chromium.org/660343002, explicitly to find both legacy owner keys (stored in the software NSSDB) and new owner keys (stored in Chaps/TPM). Rational behind this was discussed in this thread: https://code.google.com/p/chromium/issues/detail?id=396439 So, I think this is fine. davidben 2015/05/07 20:51:44 Unfortunately, I had to switch this back anyway be Show quoted text On 2015/05/07 12:19:16, pneubeck wrote: > On 2015/05/06 23:46:03, Ryan Sleevi wrote: > > This shouldn't have a private key. I have no clue what's going on here. > > pneubeck@, please tell me you can make sense of this :) > > This was added by Chris Masone here https://codereview.chromium.org/660343002, > explicitly to find both legacy owner keys (stored in the software NSSDB) and new > owner keys (stored in Chaps/TPM). > > Rational behind this was discussed in this thread: > https://code.google.com/p/chromium/issues/detail?id=396439 > > So, I think this is fine. Unfortunately, I had to switch this back anyway because the tests depended on it being called with null slot. I left a TODO and moved the null check to OwnerKeyUtilImpl.
	88 }

	89 // Note: Whether or not \|private_key\| is nullptr, the callback receives a

	90 // PrivateKey wrapper.

	91 BrowserThread::PostTask(

	92 BrowserThread::UI, FROM_HERE,

	93 base::Bind(callback, public_key,

	94 make_scoped_refptr(new PrivateKey(private_key))));

88 }	95 }

89	96

90 void LoadPrivateKey(	97 void LoadPrivateKey(

91 const scoped_refptr<OwnerKeyUtil>& owner_key_util,	98 const scoped_refptr<OwnerKeyUtil>& owner_key_util,

92 const std::string username_hash,	99 const std::string username_hash,

93 const base::Callback<void(const scoped_refptr<PublicKey>& public_key,	100 const base::Callback<void(const scoped_refptr<PublicKey>& public_key,

94 const scoped_refptr<PrivateKey>& private_key)>&	101 const scoped_refptr<PrivateKey>& private_key)>&

95 callback) {	102 callback) {

96 std::vector<uint8> public_key_data;	103 std::vector<uint8> public_key_data;

97 scoped_refptr<PublicKey> public_key;	104 scoped_refptr<PublicKey> public_key;

(...skipping 19 matching lines...) Expand all Loading...
117 LoadPrivateKeyByPublicKey(	124 LoadPrivateKeyByPublicKey(

118 owner_key_util, public_key, username_hash, callback);	125 owner_key_util, public_key, username_hash, callback);

119 }	126 }

120 }	127 }

121	128

122 bool DoesPrivateKeyExistAsyncHelper(	129 bool DoesPrivateKeyExistAsyncHelper(

123 const scoped_refptr<OwnerKeyUtil>& owner_key_util) {	130 const scoped_refptr<OwnerKeyUtil>& owner_key_util) {

124 std::vector<uint8> public_key;	131 std::vector<uint8> public_key;

125 if (!owner_key_util->ImportPublicKey(&public_key))	132 if (!owner_key_util->ImportPublicKey(&public_key))

126 return false;	133 return false;

127 scoped_ptr<crypto::RSAPrivateKey> key(	134 crypto::ScopedSECKEYPrivateKey key =

128 crypto::RSAPrivateKey::FindFromPublicKeyInfo(public_key));	135 crypto::FindNSSKeyFromPublicKeyInfo(public_key);

129 bool is_owner = key.get() != NULL;	136 return key && SECKEY_GetPrivateKeyType(key.get()) == rsaKey;

130 return is_owner;

131 }	137 }

132	138

133 // Checks whether NSS slots with private key are mounted or	139 // Checks whether NSS slots with private key are mounted or

134 // not. Responds via \|callback\|.	140 // not. Responds via \|callback\|.

135 void DoesPrivateKeyExistAsync(	141 void DoesPrivateKeyExistAsync(

136 const scoped_refptr<OwnerKeyUtil>& owner_key_util,	142 const scoped_refptr<OwnerKeyUtil>& owner_key_util,

137 const OwnerSettingsServiceChromeOS::IsOwnerCallback& callback) {	143 const OwnerSettingsServiceChromeOS::IsOwnerCallback& callback) {

138 if (!owner_key_util.get()) {	144 if (!owner_key_util.get()) {

139 callback.Run(false);	145 callback.Run(false);

140 return;	146 return;

(...skipping 662 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
803 std::vector<OnManagementSettingsSetCallback> callbacks;	809 std::vector<OnManagementSettingsSetCallback> callbacks;

804 pending_management_settings_callbacks_.swap(callbacks);	810 pending_management_settings_callbacks_.swap(callbacks);

805 for (const auto& callback : callbacks) {	811 for (const auto& callback : callbacks) {

806 if (!callback.is_null())	812 if (!callback.is_null())

807 callback.Run(success);	813 callback.Run(success);

808 }	814 }

809 StorePendingChanges();	815 StorePendingChanges();

810 }	816 }

811	817

812 } // namespace chromeos	818 } // namespace chromeos

OLD	NEW