*WIP* Store NSS slots per profile. Move keygen to chrome.

net/cert/nss_cert_database_chromeos.cc

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/nss_cert_database_chromeos.h"
+
+#include <map>
+
+#include <cert.h>
+#include <pk11pub.h>
+
+#include "base/bind.h"
+#include "base/lazy_instance.h"
+#include "base/stl_util.h"
+#include "crypto/nss_util.h"
+#include "crypto/nss_util_internal.h"
+#include "net/base/crypto_module.h"
+#include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util_nss.h"
+
+namespace net {
+
+namespace {
+
+scoped_refptr<const X509Certificate> FindCertInSlot(const X509Certificate* cert,
+                                                    PK11SlotInfo* slot) {
+  CERTCertificate* slot_cert_handle = PK11_FindCertFromDERCert(
+      slot, cert->os_cert_handle(), NULL);
+  if (slot_cert_handle) {
+    scoped_refptr<X509Certificate> slot_cert(
+        X509Certificate::CreateFromHandle(slot_cert_handle,
+                                          X509Certificate::OSCertHandles()));
+    CERT_DestroyCertificate(slot_cert_handle);
+    return slot_cert;
+  }
+  return NULL;
+}
+
+}  // namespace
+
+class NSSCertDatabaseChromeOS::Manager {
+ public:
+  ~Manager() {
+    STLDeleteValues(&user_db_map_);
+  }
+
+  NSSCertDatabase* GetPrimaryDB() {
+    LOG(WARNING)
+        << "Using primary NSSCertDatabase. Consider using GetForUser instead.";
+    return primary_db_;
+  }
+
+  void GetForUser(const std::string& username_hash,
+                  const base::Callback<void(NSSCertDatabase*)>& callback) {
+    UserDBMap::iterator it = user_db_map_.find(username_hash);
+    if (it != user_db_map_.end()) {
+      // DB already exists for this user.
+      it->second->OnReady(callback);
+      return;
+    }
+
+    crypto::ScopedPK11Slot public_slot(
+        crypto::GetPublicSlotForChromeOSUser(username_hash));
+    if (!public_slot) {
+      // Invalid user, or someone called us before InitializeNSSForChromeOSUser
+      // got called for the user.
+      callback.Run(NULL);
+      return;
+    }
+
+    NSSCertDatabaseChromeOS* db = NULL;
+    if (primary_db_owner_) {
+      crypto::ScopedPK11Slot primary_public_slot(primary_db_->GetPublicSlot());
+      if (public_slot.get() == primary_public_slot.get()) {
+        VLOG(1) << "Got username for primary: " << username_hash;
+        // We now know what username corrosponds to the primary user. Put the
+        // primary_db_ into the user_db_map_, which will now own it.
+        db = primary_db_owner_.release();
+      }
+    }
+
+    if (!db) {
+      // Create DB for new user.
+      VLOG(1) << "Create DB for: " << username_hash;
+      db = new NSSCertDatabaseChromeOS(public_slot.Pass());
+      crypto::OnPrivateSlotReadyForChromeOSUser(
+          username_hash,
+          base::Bind(&NSSCertDatabaseChromeOS::SetPrivateSlot,
+                     base::Unretained(db)));
+    }
+
+    user_db_map_[username_hash] = db;
+    db->OnReady(callback);
+  }
+ private:
+  friend struct base::DefaultLazyInstanceTraits<Manager>;
+
+  Manager()
+      : primary_db_(new NSSCertDatabaseChromeOS(
+            crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot()))) {
+    primary_db_owner_.reset(primary_db_);
+    crypto::OnTPMReady(base::Bind(&Manager::SetPrimaryPrivateSlot,
+                                  base::Unretained(primary_db_)));
+  }
+
+  static void SetPrimaryPrivateSlot(NSSCertDatabaseChromeOS* db) {
+    db->SetPrivateSlot(crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot()));
+  }
+
+  NSSCertDatabaseChromeOS* primary_db_;
+  scoped_ptr<NSSCertDatabaseChromeOS> primary_db_owner_;
+  typedef std::map<std::string, NSSCertDatabaseChromeOS*> UserDBMap;
+  UserDBMap user_db_map_;
+};
+
+namespace {
+base::LazyInstance<NSSCertDatabaseChromeOS::Manager>::Leaky
+    g_nss_cert_database_chromeos_manager = LAZY_INSTANCE_INITIALIZER;
+}  // namespace
+
+// On ChromeOS NSSCertDatabase::GetInstance is defined to return the primary
+// user's NSSCertDatabaseChromeOS object.
+// static
+NSSCertDatabase* NSSCertDatabase::GetInstance() {
+  return g_nss_cert_database_chromeos_manager.Get().GetPrimaryDB();
+}
+
+// static
+void NSSCertDatabaseChromeOS::GetForUser(
+    const std::string& username_hash,
+    const base::Callback<void(NSSCertDatabase*)>& callback) {
+  g_nss_cert_database_chromeos_manager.Get().GetForUser(username_hash,
+                                                        callback);
+}
+
+NSSCertDatabaseChromeOS::NSSCertDatabaseChromeOS(
+    crypto::ScopedPK11Slot public_slot)
+    : ready_(false), public_slot_(public_slot.Pass()) {
+  VLOG(1) << __func__ << " pub:" << PK11_GetModuleID(public_slot_.get()) << ":"
+          << PK11_GetSlotID(public_slot_.get());
+}
+
+NSSCertDatabaseChromeOS::~NSSCertDatabaseChromeOS() {}
+
+void NSSCertDatabaseChromeOS::ListCerts(CertificateList* certs) {
+  if (!ready_) {
+    LOG(WARNING) << __func__ << " called before initialization complete";
+    certs->clear();
+    return;
+  }
+  NSSCertDatabase::ListCerts(certs);
+
+  size_t pre_size = certs->size();
+  certs->erase(
+      std::remove_if(certs->begin(), certs->end(),
+                     NSSProfileFilterChromeOS::Predicate(profile_filter_)),
+      certs->end());
+  VLOG(1) << "filtered " << pre_size - certs->size() << " of " << pre_size
+          << " certs";
+}
+
+crypto::ScopedPK11Slot NSSCertDatabaseChromeOS::GetPublicSlot() const {
+  return crypto::ScopedPK11Slot(
+      public_slot_ ? PK11_ReferenceSlot(public_slot_.get()) : NULL);
+}
+
+crypto::ScopedPK11Slot NSSCertDatabaseChromeOS::GetPrivateSlot() const {
+  return crypto::ScopedPK11Slot(
+      private_slot_ ? PK11_ReferenceSlot(private_slot_.get()) : NULL);
+}
+
+void NSSCertDatabaseChromeOS::ListModules(CryptoModuleList* modules,
+                                          bool need_rw) const {
+  if (!ready_) {
+    LOG(WARNING) << __func__ << " called before initialization complete";
+    modules->clear();
+    return;
+  }
+  NSSCertDatabase::ListModules(modules, need_rw);
+
+  size_t pre_size = modules->size();
+  modules->erase(
+      std::remove_if(modules->begin(), modules->end(),
+                     NSSProfileFilterChromeOS::Predicate(profile_filter_)),
+      modules->end());
+  VLOG(1) << "filtered " << pre_size - modules->size() << " of " << pre_size
+          << " modules";
+}
+
+NSSCertDatabase::TrustBits NSSCertDatabaseChromeOS::GetCertTrust(
+    const X509Certificate* cert,
+    CertType type) const {
+  return NSSCertDatabase::GetCertTrust(ResolveCert(cert, false), type);
+}
+
+bool NSSCertDatabaseChromeOS::IsUntrusted(const X509Certificate* cert) const {
+  return NSSCertDatabase::IsUntrusted(ResolveCert(cert, false));
+}
+
+#if 0
+bool NSSCertDatabaseChromeOS::SetCertTrust(const X509Certificate* cert,
+                                           CertType type,
+                                           TrustBits trust_bits) {
+  // XXX handle case of cert not existing in any of this profile's rw slots
+  if (!FindCertInSlot(cert, public_slot_.get())) {
+    // Copy cert to our slot so we can set trust  . . .
+    // XXX this doesn't actually help.
+    SECStatus srv = PK11_ImportCert(
+        public_slot_.get(),
+        cert->os_cert_handle(),
+        CK_INVALID_HANDLE,
+        x509_util::GetUniqueNicknameForSlot(cert->GetDefaultNickname(type),
+                                            &cert->os_cert_handle()->derSubject,
+                                            public_slot_.get()).c_str(),
+        PR_FALSE /* includeTrust (unused) */);
+    if (srv != SECSuccess) {
+      LOG(ERROR) << "copying cert to our slot failed with error "
+                 << PORT_GetError();
+      return false;
+    }
+    VLOG(1) << "copied cert to our slot";
+  }
+  //
+  // XXX this doesn't work: if cert is in multiple rw slots nss will just set
+  // the trust on the "first" one - we could return false instead of setting
+  // trust in wrong slot? (but how do we know which slot nss would have felt
+  // like setting the trust in? is it always the lowest numbered slotid?)
+  return NSSCertDatabase::SetCertTrust(
+      ResolveCert(cert, true), type, trust_bits);
+}
+#endif
+
+void NSSCertDatabaseChromeOS::SetPrivateSlot(
+    crypto::ScopedPK11Slot private_slot) {
+  DCHECK(!ready_);
+  if (!private_slot)
+    LOG(WARNING) << "initializing with NULL private_slot.";
+  private_slot_ = private_slot.Pass();
+  profile_filter_.Init(GetPublicSlot(), GetPrivateSlot());
+  ready_ = true;
+
+  for (ReadyCallbackList::iterator i = ready_callback_list_.begin();
+       i != ready_callback_list_.end();
+       ++i) {
+    (*i).Run(this);
+  }
+  ready_callback_list_.clear();
+}
+
+void NSSCertDatabaseChromeOS::OnReady(
+    const base::Callback<void(NSSCertDatabase*)>& callback) {
+  if (ready_)
+    callback.Run(this);
+  else
+    ready_callback_list_.push_back(callback);
+}
+
+scoped_refptr<const X509Certificate> NSSCertDatabaseChromeOS::ResolveCert(
+    const X509Certificate* cert, bool need_rw) const {
+  // If we have a copy in our slot, use that.
+  scoped_refptr<const X509Certificate> pub_slot_cert(
+      FindCertInSlot(cert, public_slot_.get()));
+  if (pub_slot_cert) {
+    VLOG(1) << "found pub slot cert";
+    return pub_slot_cert;
+  }
+
+  CryptoModuleList module_list;
+  ListModules(&module_list, need_rw);
+  for (CryptoModuleList::iterator i = module_list.begin();
+       i != module_list.end();
+       ++i) {
+    if ((*i)->os_module_handle() == public_slot_.get())
+      continue;  // We already checked this slot above.
+    scoped_refptr<const X509Certificate> slot_cert(
+        FindCertInSlot(cert, (*i)->os_module_handle()));
+    if (slot_cert) {
+      VLOG(1) << "found cert in other slot: "
+              << PK11_GetModuleID((*i)->os_module_handle()) << ":"
+              << PK11_GetSlotID((*i)->os_module_handle());
+      return slot_cert;
+    }
+  }
+
+  // Otherwise, use whatever NSS decides as the default.
+  // XXX should we return NULL here? NOTREACHED?
+  LOG(WARNING) << "using default slot cert";
+  return cert;
+}
+
+}  // namespace net