*WIP* Store NSS slots per profile. Move keygen to chrome.

crypto/nss_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 
 #include <nss.h>
 #include <pk11pub.h>
 #include <plarena.h>
 #include <prerror.h>
 #include <prinit.h>
 #include <prtime.h>
 #include <secmod.h>
 
 #if defined(OS_LINUX)
 #include <linux/nfs_fs.h>
 #include <sys/vfs.h>
 #elif defined(OS_OPENBSD)
 #include <sys/mount.h>
 #include <sys/param.h>
 #endif
 
 #include <vector>
 
+#include "base/callback.h"
 #include "base/debug/alias.h"
 #include "base/environment.h"
 #include "base/file_util.h"
 #include "base/files/file_path.h"
 #include "base/files/scoped_temp_dir.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/metrics/histogram.h"
 #include "base/native_library.h"
@@ skipping 43 matching lines @@
   base::FilePath dir = file_util::GetHomeDir();
   if (dir.empty()) {
     LOG(ERROR) << "Failed to get home directory.";
     return dir;
   }
   dir = dir.AppendASCII(".pki").AppendASCII("nssdb");
   if (!file_util::CreateDirectory(dir)) {
     LOG(ERROR) << "Failed to create " << dir.value() << " directory.";
     dir.clear();
   }
+  LOG(WARNING) << "GetDefaultConfigDirectory: " << dir.value();
   return dir;
 }
 
 // On non-Chrome OS platforms, return the default config directory. On Chrome OS
 // test images, return a read-only directory with fake root CA certs (which are
 // used by the local Google Accounts server mock we use when testing our login
 // code). On Chrome OS non-test images (where the read-only directory doesn't
 // exist), return an empty path.
 base::FilePath GetInitialConfigDirectory() {
 #if defined(OS_CHROMEOS)
@@ skipping 140 matching lines @@
 
       // This creates another DB slot in NSS that is read/write, unlike
       // the fake root CA cert DB and the "default" crypto key
       // provider, which are still read-only (because we initialized
       // NSS before we had a cryptohome mounted).
       software_slot_ = OpenUserDB(GetDefaultConfigDirectory(),
                                   kNSSDatabaseName);
     }
   }
 
+  PK11SlotInfo* OpenPersistentNSSDBForPath(const base::FilePath& path) {
+    LOG(WARNING) << __func__ << " " << path.AsUTF8Unsafe();
+    // We do NSS file io on the IO thread.
+    base::ThreadRestrictions::ScopedAllowIO allow_io;
+
+    if (force_nodb_init_) {
+      // XXX probably unneccessary
+      LOG(WARNING) << "force_nodb_init_, returning NULL";
+      return NULL;
+    }
+    base::FilePath nssdb_path = path.AppendASCII(".pki").AppendASCII("nssdb");
+    // XXX shoud we be doing this?
+    if (!file_util::CreateDirectory(nssdb_path)) {
+      LOG(ERROR) << "Failed to create " << nssdb_path.value() << " directory.";
+      return NULL;
+    }
+    return OpenUserDB(nssdb_path, kNSSDatabaseName);
+  }
+
   void EnableTPMTokenForNSS() {
+    // If this gets set, then we'll use the TPM for certs with
+    // private keys, otherwise we'll fall back to the software
+    // implementation.
     tpm_token_enabled_for_nss_ = true;
   }
 
+  bool IsTPMTokenEnabledForNSS() {
+    return tpm_token_enabled_for_nss_;
+  }
+
   bool InitializeTPMToken(const std::string& token_name,
-                          const std::string& user_pin) {
+                          const std::string& user_pin,
+                          int token_slot_id) {
     // If EnableTPMTokenForNSS hasn't been called, return false.
     if (!tpm_token_enabled_for_nss_)
       return false;
 
     // If everything is already initialized, then return true.
     if (chaps_module_ && tpm_slot_)
       return true;
 
     tpm_token_name_ = token_name;
     tpm_user_pin_ = user_pin;
 
     // This tries to load the Chaps module so NSS can talk to the hardware
     // TPM.
     if (!chaps_module_) {
       chaps_module_ = LoadModule(
           kChapsModuleName,
           kChapsPath,
           // For more details on these parameters, see:
           // https://developer.mozilla.org/en/PKCS11_Module_Specs
           // slotFlags=[PublicCerts] -- Certificates and public keys can be
           //   read from this slot without requiring a call to C_Login.
           // askpw=only -- Only authenticate to the token when necessary.
           "NSS=\"slotParams=(0={slotFlags=[PublicCerts] askpw=only})\"");
     }
     if (chaps_module_){
-      // If this gets set, then we'll use the TPM for certs with
-      // private keys, otherwise we'll fall back to the software
-      // implementation.
-      tpm_slot_ = GetTPMSlot();
+      tpm_slot_ = GetTPMSlotForId(token_slot_id);
+
+      if (tpm_slot_) {
+        for (std::vector<base::Closure>::iterator i =
+                 tpm_ready_callback_list_.begin();
+             i != tpm_ready_callback_list_.end();
+             ++i) {
+          (*i).Run();
+        }
+        tpm_ready_callback_list_.clear();
+      }
 
       return tpm_slot_ != NULL;
     }
     return false;
   }
 
   void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) {
     if (!tpm_token_enabled_for_nss_) {
       LOG(ERROR) << "GetTPMTokenInfo called before TPM Token is ready.";
       return;
     }
     if (token_name)
       *token_name = tpm_token_name_;
     if (user_pin)
       *user_pin = tpm_user_pin_;
   }
 
   bool IsTPMTokenReady() {
     return tpm_slot_ != NULL;
   }
 
-  PK11SlotInfo* GetTPMSlot() {
-    std::string token_name;
-    GetTPMTokenInfo(&token_name, NULL);
-    return FindSlotWithTokenName(token_name);
+  void OnTPMReady(const base::Closure& callback) {
+    if (IsTPMTokenReady())
+      callback.Run();
+    else
+      tpm_ready_callback_list_.push_back(callback);
+  }
+
+  PK11SlotInfo* GetTPMSlotForId(CK_SLOT_ID slot_id) {
+    if (!chaps_module_)
+      return NULL;
+
+    VLOG(1) << "Poking chaps module.";
+    SECStatus rv = SECMOD_UpdateSlotList(chaps_module_);
+    if (rv != SECSuccess)
+      PLOG(ERROR) << "SECMOD_UpdateSlotList failed: " << PORT_GetError();
+
+    PK11SlotInfo* slot = SECMOD_LookupSlot(chaps_module_->moduleID, slot_id);
+    if (!slot)
+      LOG(ERROR) << "TPM slot " << slot_id << " not found.";
+    return slot;
   }
 #endif  // defined(OS_CHROMEOS)
 
 
   bool OpenTestNSSDB() {
     if (test_slot_)
       return true;
     if (!g_test_nss_db_dir.Get().CreateUniqueTempDir())
       return false;
     test_slot_ = OpenUserDB(g_test_nss_db_dir.Get().path(), kTestTPMTokenName);
@@ skipping 250 matching lines @@
     }
     return db_slot;
   }
 
   // If this is set to true NSS is forced to be initialized without a DB.
   static bool force_nodb_init_;
 
   bool tpm_token_enabled_for_nss_;
   std::string tpm_token_name_;
   std::string tpm_user_pin_;
+  std::vector<base::Closure> tpm_ready_callback_list_;
   SECMODModule* chaps_module_;
   PK11SlotInfo* software_slot_;
   PK11SlotInfo* test_slot_;
   PK11SlotInfo* tpm_slot_;
   SECMODModule* root_;
   bool chromeos_user_logged_in_;
 #if defined(USE_NSS)
   // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011
   // is fixed, we will no longer need the lock.
   base::Lock write_lock_;
@@ skipping 147 matching lines @@
 
 #if defined(OS_CHROMEOS)
 void OpenPersistentNSSDB() {
   g_nss_singleton.Get().OpenPersistentNSSDB();
 }
 
 void EnableTPMTokenForNSS() {
   g_nss_singleton.Get().EnableTPMTokenForNSS();
 }
 
+bool IsTPMTokenEnabledForNSS() {
+  return g_nss_singleton.Get().IsTPMTokenEnabledForNSS();
+}
+
 void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) {
   g_nss_singleton.Get().GetTPMTokenInfo(token_name, user_pin);
 }
 
 bool IsTPMTokenReady() {
   return g_nss_singleton.Get().IsTPMTokenReady();
 }
 
+void OnTPMReady(const base::Closure& callback) {
+   g_nss_singleton.Get().OnTPMReady(callback);
+}
+
 bool InitializeTPMToken(const std::string& token_name,
-                        const std::string& user_pin) {
-  return g_nss_singleton.Get().InitializeTPMToken(token_name, user_pin);
+                        const std::string& user_pin,
+                        int token_slot_id) {
+  return g_nss_singleton.Get().InitializeTPMToken(
+      token_name, user_pin, token_slot_id);
+}
+
+PK11SlotInfo* OpenPersistentNSSDBForPath(const base::FilePath& path) {
+  return g_nss_singleton.Get().OpenPersistentNSSDBForPath(path);
+}
+
+PK11SlotInfo* GetTPMSlotForId(CK_SLOT_ID slot_id) {
+  return g_nss_singleton.Get().GetTPMSlotForId(slot_id);
 }
 #endif  // defined(OS_CHROMEOS)
 
 base::Time PRTimeToBaseTime(PRTime prtime) {
   return base::Time::FromInternalValue(
       prtime + base::Time::UnixEpoch().ToInternalValue());
 }
 
 PRTime BaseTimeToPRTime(base::Time time) {
   return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }
 
 PK11SlotInfo* GetPublicNSSKeySlot() {
   return g_nss_singleton.Get().GetPublicNSSKeySlot();
 }
 
 PK11SlotInfo* GetPrivateNSSKeySlot() {
   return g_nss_singleton.Get().GetPrivateNSSKeySlot();
 }
 
+void DumpNSSSlotInfos() {
+  AutoSECMODListReadLock auto_lock;
+  SECMODModuleList* head = SECMOD_GetDefaultModuleList();
+  LOG(WARNING) << "DumpNSSSlotInfos:";
+  for (SECMODModuleList* item = head; item != NULL; item = item->next) {
+    int slot_count = item->module->loaded ? item->module->slotCount : 0;
+    LOG(WARNING) << item->module->moduleID
+                 << " module " << item->module->commonName
+                 << "  loaded:" << item->module->loaded;
+    for (int i = 0; i < slot_count; i++) {
+      PK11SlotInfo* slot = item->module->slots[i];
+      LOG(WARNING) << "  " << PK11_GetSlotID(slot)
+                   << "  tok:" << PK11_GetTokenName(slot)
+                   << "  slot:" << PK11_GetSlotName(slot)
+                   << (PK11_IsInternal(slot) ? "  internal" : "")
+                   << (PK11_IsInternalKeySlot(slot) ? "  internalkeyslot" : "")
+                   << (PK11_IsReadOnly(slot) ? "  readonly" : "");
+    }
+  }
+  LOG(WARNING) << "";
+}
+
 }  // namespace crypto