*WIP* Store NSS slots per profile. Move keygen to chrome.

net/cert/nss_cert_database.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/nss_cert_database.h"
 
 #include <cert.h>
 #include <certdb.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 #include <secmod.h>
 
+#include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
-#include "base/memory/singleton.h"
 #include "base/observer_list_threadsafe.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_database.h"
 #include "net/cert/x509_certificate.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
 
 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
 // the new name of the macro.
 #if !defined(CERTDB_TERMINAL_RECORD)
 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
 #endif
 
 // PSM = Mozilla's Personal Security Manager.
 namespace psm = mozilla_security_manager;
 
 namespace net {
 
+namespace {
+base::LazyInstance<NSSCertDatabase>::Leaky
+    g_nss_cert_database = LAZY_INSTANCE_INITIALIZER;
+}  // namespace
+
+
 NSSCertDatabase::ImportCertFailure::ImportCertFailure(
     const scoped_refptr<X509Certificate>& cert,
     int err)
     : certificate(cert), net_error(err) {}
 
 NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {}
 
+// Helper that observes events from a CertDatabaseSource and forwards them to
+// the given CertDatabase.
+class NSSCertDatabase::Notifier : public CertDatabaseSource::Observer {
+ public:
+  Notifier(NSSCertDatabase* cert_db) : cert_db_(cert_db) {}
+
+  virtual ~Notifier() {}
+
+  // CertDatabaseSource::Observer implementation:
+  virtual void OnCertAdded(const X509Certificate* cert) OVERRIDE {
+    cert_db_->NotifyObserversOfCertAdded(cert);
+  }
+
+  virtual void OnCertRemoved(const X509Certificate* cert) OVERRIDE {
+    cert_db_->NotifyObserversOfCertRemoved(cert);
+  }
+
+  virtual void OnCACertChanged(const X509Certificate* cert) OVERRIDE {
+    cert_db_->NotifyObserversOfCACertChanged(cert);
+  }
+
+ private:
+  NSSCertDatabase* cert_db_;
+
+  DISALLOW_COPY_AND_ASSIGN(Notifier);
+};
+
+// static
+NSSCertDatabase* NSSCertDatabase::GetInstanceNoWarn() {
+  return &g_nss_cert_database.Get();
+  //return Singleton<NSSCertDatabase,
+   //                LeakySingletonTraits<NSSCertDatabase> >::get();
+}
+
 // static
 NSSCertDatabase* NSSCertDatabase::GetInstance() {
-  return Singleton<NSSCertDatabase,
-                   LeakySingletonTraits<NSSCertDatabase> >::get();
+#if defined(OS_CHROMEOS)
+  LOG(WARNING) << "Using global NSSCertDatabase. Consider using "
+               << "NSSCertDatabaseChromeOS::GetForUser instead.";
+#endif
+  return NSSCertDatabase::GetInstanceNoWarn();
 }
 
 NSSCertDatabase::NSSCertDatabase()
-    : observer_list_(new ObserverListThreadSafe<Observer>) {
-  crypto::EnsureNSSInit();
+    : observer_list_(new ObserverListThreadSafe<Observer>),
+      notifier_(new Notifier(this)) {
+  // This also makes sure that NSS has been initialized.
+  CertDatabase::GetInstance()->AddSource(this);
+
   psm::EnsurePKCS12Init();
 }
 
 NSSCertDatabase::~NSSCertDatabase() {}
 
 void NSSCertDatabase::ListCerts(CertificateList* certs) {
   certs->clear();
 
   CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL);
   CERTCertListNode* node;
   for (node = CERT_LIST_HEAD(cert_list);
        !CERT_LIST_END(node, cert_list);
        node = CERT_LIST_NEXT(node)) {
     certs->push_back(X509Certificate::CreateFromHandle(
         node->cert, X509Certificate::OSCertHandles()));
   }
   CERT_DestroyCertList(cert_list);
 }
 
 CryptoModule* NSSCertDatabase::GetPublicModule() const {
-  CryptoModule* module =
-      CryptoModule::CreateFromHandle(crypto::GetPublicNSSKeySlot());
-  // The module is already referenced when returned from
-  // GetPublicNSSKeySlot, so we need to deref it once.
-  PK11_FreeSlot(module->os_module_handle());
+  crypto::ScopedPK11Slot slot(GetPublicSlot());
+  CryptoModule* module = CryptoModule::CreateFromHandle(slot.get());
 
   return module;
 }
 
 CryptoModule* NSSCertDatabase::GetPrivateModule() const {
-  CryptoModule* module =
-      CryptoModule::CreateFromHandle(crypto::GetPrivateNSSKeySlot());
-  // The module is already referenced when returned from
-  // GetPrivateNSSKeySlot, so we need to deref it once.
-  PK11_FreeSlot(module->os_module_handle());
+  crypto::ScopedPK11Slot slot(GetPrivateSlot());
+  CryptoModule* module = CryptoModule::CreateFromHandle(slot.get());
 
   return module;
 }
 
+crypto::ScopedPK11Slot NSSCertDatabase::GetPublicSlot() const {
+  return crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot());
+}
+
+crypto::ScopedPK11Slot NSSCertDatabase::GetPrivateSlot() const {
+  return crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot());
+}
+
 void NSSCertDatabase::ListModules(CryptoModuleList* modules,
                                   bool need_rw) const {
   modules->clear();
 
   // The wincx arg is unused since we don't call PK11_SetIsLoggedInFunc.
   crypto::ScopedPK11SlotList slot_list(
       PK11_GetAllTokens(CKM_INVALID_MECHANISM,
                         need_rw ? PR_TRUE : PR_FALSE,  // needRW
                         PR_TRUE,                       // loadCerts (unused)
                         NULL));                        // wincx
   if (!slot_list) {
     LOG(ERROR) << "PK11_GetAllTokens failed: " << PORT_GetError();
     return;
   }
 
   PK11SlotListElement* slot_element = PK11_GetFirstSafe(slot_list.get());
   while (slot_element) {
     modules->push_back(CryptoModule::CreateFromHandle(slot_element->slot));
     slot_element = PK11_GetNextSafe(slot_list.get(), slot_element,
                                     PR_FALSE);  // restart
   }
 }
 
 int NSSCertDatabase::ImportFromPKCS12(
     CryptoModule* module,
     const std::string& data,
     const base::string16& password,
     bool is_extractable,
     net::CertificateList* imported_certs) {
+  DVLOG(1) << __func__ << " "
+           << PK11_GetModuleID(module->os_module_handle()) << ":"
+           << PK11_GetSlotID(module->os_module_handle());
   int result = psm::nsPKCS12Blob_Import(module->os_module_handle(),
                                         data.data(), data.size(),
                                         password,
                                         is_extractable,
                                         imported_certs);
   if (result == net::OK)
     NotifyObserversOfCertAdded(NULL);
 
   return result;
 }
@@ skipping 17 matching lines @@
   X509Certificate* certn_2 = certificates[certificates.size() - 2].get();
   X509Certificate* certn_1 = certificates[certificates.size() - 1].get();
 
   if (CERT_CompareName(&cert1->os_cert_handle()->issuer,
                        &cert0->os_cert_handle()->subject) == SECEqual)
     return cert0;
   if (CERT_CompareName(&certn_2->os_cert_handle()->issuer,
                        &certn_1->os_cert_handle()->subject) == SECEqual)
     return certn_1;
 
-  VLOG(1) << "certificate list is not a hierarchy";
+  DVLOG(1) << "certificate list is not a hierarchy";
   return cert0;
 }
 
 bool NSSCertDatabase::ImportCACerts(const CertificateList& certificates,
                                     TrustBits trust_bits,
                                     ImportCertFailureList* not_imported) {
   X509Certificate* root = FindRootInList(certificates);
-  bool success = psm::ImportCACerts(certificates, root, trust_bits,
-                                    not_imported);
+  bool success = psm::ImportCACerts(
+      GetPublicSlot(),
+      certificates,
+      root,
+      trust_bits,
+      not_imported);
   if (success)
     NotifyObserversOfCACertChanged(NULL);
 
   return success;
 }
 
 bool NSSCertDatabase::ImportServerCert(const CertificateList& certificates,
                                        TrustBits trust_bits,
                                        ImportCertFailureList* not_imported) {
-  return psm::ImportServerCert(certificates, trust_bits, not_imported);
+  return psm::ImportServerCert(
+      GetPublicSlot(),
+      certificates,
+      trust_bits,
+      not_imported);
 }
 
 NSSCertDatabase::TrustBits NSSCertDatabase::GetCertTrust(
     const X509Certificate* cert,
     CertType type) const {
   CERTCertTrust trust;
   SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust);
   if (srv != SECSuccess) {
     LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
     return TRUST_DEFAULT;
@@ skipping 135 matching lines @@
 }
 
 void NSSCertDatabase::AddObserver(Observer* observer) {
   observer_list_->AddObserver(observer);
 }
 
 void NSSCertDatabase::RemoveObserver(Observer* observer) {
   observer_list_->RemoveObserver(observer);
 }
 
+void NSSCertDatabase::AddSource(CertDatabaseSource* source) {
+  source->AddObserver(this->notifier_.get());
+}
+
 void NSSCertDatabase::NotifyObserversOfCertAdded(const X509Certificate* cert) {
   observer_list_->Notify(&Observer::OnCertAdded, make_scoped_refptr(cert));
 }
 
 void NSSCertDatabase::NotifyObserversOfCertRemoved(
     const X509Certificate* cert) {
   observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert));
 }
 
 void NSSCertDatabase::NotifyObserversOfCACertChanged(
     const X509Certificate* cert) {
   observer_list_->Notify(
       &Observer::OnCACertChanged, make_scoped_refptr(cert));
 }
 
 }  // namespace net