*wip* NSS: handle chromeos system slot.

chromeos/cert_loader.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/cert_loader.h"
 
 #include <algorithm>
 
 #include "base/bind.h"
 #include "base/location.h"
@@ skipping 117 matching lines @@
   CERTCertificateStr* cert_handle = cert.os_cert_handle();
   SECKEYPrivateKey *priv_key =
       PK11_FindKeyByAnyCert(cert_handle, NULL /* wincx */);
   if (!priv_key)
     return std::string();
 
   // Get the CKA_ID attribute for a key.
   SECItem* sec_item = PK11_GetLowLevelKeyIDForPrivateKey(priv_key);
   std::string pkcs11_id;
   if (sec_item) {
-    pkcs11_id = base::HexEncode(sec_item->data, sec_item->len);
+    PK11SlotInfo* slot = PK11_GetSlotFromPrivateKey(priv_key);
+    // If the key is on the TPM, include the TPM slot id.

[pneubeck (no reviews), 2014/06/13 12:40:42]

Does that mean, that in tests and in fake non-ChromeOS environments (e.g. Linux
chromeos=1 builds) will not be able to distinguish a system and user slot?
Not a good idea, I'd guess.

+    if (PK11_IsHW(slot)) {
+      pkcs11_id = base::IntToString(PK11_GetSlotID(slot));
+      pkcs11_id += ':';
+    }
+    PK11_FreeSlot(slot);
+    pkcs11_id += base::HexEncode(sec_item->data, sec_item->len);
     SECITEM_FreeItem(sec_item, PR_TRUE);
   }
   SECKEY_DestroyPrivateKey(priv_key);
 
   return pkcs11_id;
 }
 
 void CertLoader::LoadCertificates() {
   CHECK(thread_checker_.CalledOnValidThread());
   VLOG(1) << "LoadCertificates: " << certificates_update_running_;
@@ skipping 44 matching lines @@
   VLOG(1) << "OnCertAdded";
   LoadCertificates();
 }
 
 void CertLoader::OnCertRemoved(const net::X509Certificate* cert) {
   VLOG(1) << "OnCertRemoved";
   LoadCertificates();
 }
 
 }  // namespace chromeos