crypto/nss_util: Get TPM slot id, do lookup by id instead of by name.

crypto/nss_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 
 #include <nss.h>
 #include <pk11pub.h>
 #include <plarena.h>
@@ skipping 150 matching lines @@
 #endif
       scoped_ptr<base::Environment> env(base::Environment::Create());
       const char* use_cache_env_var = "NSS_SDB_USE_CACHE";
       if (!env->HasVar(use_cache_env_var))
         env->SetVar(use_cache_env_var, "yes");
     }
   }
 #endif  // defined(OS_LINUX) || defined(OS_OPENBSD)
 }
 
-PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) {
-  AutoSECMODListReadLock auto_lock;
-  SECMODModuleList* head = SECMOD_GetDefaultModuleList();
-  for (SECMODModuleList* item = head; item != NULL; item = item->next) {
-    int slot_count = item->module->loaded ? item->module->slotCount : 0;
-    for (int i = 0; i < slot_count; i++) {
-      PK11SlotInfo* slot = item->module->slots[i];
-      if (PK11_GetTokenName(slot) == token_name)
-        return PK11_ReferenceSlot(slot);
-    }
-  }
-  return NULL;
-}
-
 #endif  // defined(USE_NSS)
 
 // A singleton to initialize/deinitialize NSPR.
 // Separate from the NSS singleton because we initialize NSPR on the UI thread.
 // Now that we're leaking the singleton, we could merge back with the NSS
 // singleton.
 class NSPRInitSingleton {
  private:
   friend struct base::DefaultLazyInstanceTraits<NSPRInitSingleton>;
 
@@ skipping 45 matching lines @@
       // This creates another DB slot in NSS that is read/write, unlike
       // the fake root CA cert DB and the "default" crypto key
       // provider, which are still read-only (because we initialized
       // NSS before we had a cryptohome mounted).
       software_slot_ = OpenUserDB(GetDefaultConfigDirectory(),
                                   kNSSDatabaseName);
     }
   }
 
   void EnableTPMTokenForNSS() {
+    // If this gets set, then we'll use the TPM for certs with
+    // private keys, otherwise we'll fall back to the software
+    // implementation.
     tpm_token_enabled_for_nss_ = true;
   }
 
   bool InitializeTPMToken(const std::string& token_name,
-                          const std::string& user_pin) {
+                          const std::string& user_pin,
+                          int token_slot_id) {
     // If EnableTPMTokenForNSS hasn't been called, return false.
     if (!tpm_token_enabled_for_nss_)
       return false;
 
     // If everything is already initialized, then return true.
     if (chaps_module_ && tpm_slot_)
       return true;
 
     tpm_token_name_ = token_name;
     tpm_user_pin_ = user_pin;
 
     // This tries to load the Chaps module so NSS can talk to the hardware
     // TPM.
     if (!chaps_module_) {
       chaps_module_ = LoadModule(
           kChapsModuleName,
           kChapsPath,
           // For more details on these parameters, see:
           // https://developer.mozilla.org/en/PKCS11_Module_Specs
           // slotFlags=[PublicCerts] -- Certificates and public keys can be
           //   read from this slot without requiring a call to C_Login.
           // askpw=only -- Only authenticate to the token when necessary.
           "NSS=\"slotParams=(0={slotFlags=[PublicCerts] askpw=only})\"");
+      if (!chaps_module_ && test_slot_) {
+        // chromeos_unittests try to test the TPM initialization process. If we
+        // have a test DB open, pretend that it is the TPM slot.
+        tpm_slot_ = PK11_ReferenceSlot(test_slot_);
+        return true;
+      }
     }
     if (chaps_module_){
-      // If this gets set, then we'll use the TPM for certs with
-      // private keys, otherwise we'll fall back to the software
-      // implementation.
-      tpm_slot_ = GetTPMSlot();
+      tpm_slot_ = GetTPMSlotForId(token_slot_id);
 
       return tpm_slot_ != NULL;
     }
     return false;
   }
 
   void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) {
     if (!tpm_token_enabled_for_nss_) {
       LOG(ERROR) << "GetTPMTokenInfo called before TPM Token is ready.";
       return;
     }
     if (token_name)
       *token_name = tpm_token_name_;
     if (user_pin)
       *user_pin = tpm_user_pin_;
   }
 
   bool IsTPMTokenReady() {
     return tpm_slot_ != NULL;
   }
 
-  PK11SlotInfo* GetTPMSlot() {
-    std::string token_name;
-    GetTPMTokenInfo(&token_name, NULL);
-    return FindSlotWithTokenName(token_name);
+  // Note that CK_SLOT_ID is an unsigned long, but cryptohome gives us the slot
+  // id as an int. This should be safe since this is only used with chaps, which
+  // we also control.
+  PK11SlotInfo* GetTPMSlotForId(CK_SLOT_ID slot_id) {
+    if (!chaps_module_)
+      return NULL;
+
+    VLOG(1) << "Poking chaps module.";
+    SECStatus rv = SECMOD_UpdateSlotList(chaps_module_);
+    if (rv != SECSuccess)
+      PLOG(ERROR) << "SECMOD_UpdateSlotList failed: " << PORT_GetError();
+
+    PK11SlotInfo* slot = SECMOD_LookupSlot(chaps_module_->moduleID, slot_id);
+    if (!slot)
+      LOG(ERROR) << "TPM slot " << slot_id << " not found.";
+    return slot;
   }
 #endif  // defined(OS_CHROMEOS)
 
 
   bool OpenTestNSSDB() {
     if (test_slot_)
       return true;
     if (!g_test_nss_db_dir.Get().CreateUniqueTempDir())
       return false;
     test_slot_ = OpenUserDB(g_test_nss_db_dir.Get().path(), kTestTPMTokenName);
@@ skipping 200 matching lines @@
 
 #if defined(USE_NSS) || defined(OS_IOS)
   // Load nss's built-in root certs.
   SECMODModule* InitDefaultRootCerts() {
     SECMODModule* root = LoadModule("Root Certs", "libnssckbi.so", NULL);
     if (root)
       return root;
 
     // Aw, snap.  Can't find/load root cert shared library.
     // This will make it hard to talk to anybody via https.
-    NOTREACHED();
+    // TODO(mattm): Re-add the NOTREACHED here when crbug.com/310972 is fixed.
     return NULL;
   }
 
   // Load the given module for this NSS session.
   SECMODModule* LoadModule(const char* name,
                            const char* library_path,
                            const char* params) {
     std::string modparams = base::StringPrintf(
         "name=\"%s\" library=\"%s\" %s",
         name, library_path, params ? params : "");
 
     // Shouldn't need to const_cast here, but SECMOD doesn't properly
     // declare input string arguments as const.  Bug
     // https://bugzilla.mozilla.org/show_bug.cgi?id=642546 was filed
     // on NSS codebase to address this.
     SECMODModule* module = SECMOD_LoadUserModule(
         const_cast<char*>(modparams.c_str()), NULL, PR_FALSE);
     if (!module) {
       LOG(ERROR) << "Error loading " << name << " module into NSS: "
                  << GetNSSErrorMessage();
       return NULL;
     }
+    if (!module->loaded) {
+      LOG(ERROR) << "After loading " << name << ", loaded==false: "
+                 << GetNSSErrorMessage();
+      SECMOD_DestroyModule(module);
+      return NULL;
+    }
     return module;
   }
 #endif
 
   static PK11SlotInfo* OpenUserDB(const base::FilePath& path,
                                   const char* description) {
     const std::string modspec =
         base::StringPrintf("configDir='sql:%s' tokenDescription='%s'",
                            path.value().c_str(), description);
     PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str());
@@ skipping 183 matching lines @@
 
 void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) {
   g_nss_singleton.Get().GetTPMTokenInfo(token_name, user_pin);
 }
 
 bool IsTPMTokenReady() {
   return g_nss_singleton.Get().IsTPMTokenReady();
 }
 
 bool InitializeTPMToken(const std::string& token_name,
-                        const std::string& user_pin) {
-  return g_nss_singleton.Get().InitializeTPMToken(token_name, user_pin);
+                        const std::string& user_pin,
+                        int token_slot_id) {
+  return g_nss_singleton.Get().InitializeTPMToken(
+      token_name, user_pin, token_slot_id);
 }
 #endif  // defined(OS_CHROMEOS)
 
 base::Time PRTimeToBaseTime(PRTime prtime) {
   return base::Time::FromInternalValue(
       prtime + base::Time::UnixEpoch().ToInternalValue());
 }
 
 PRTime BaseTimeToPRTime(base::Time time) {
   return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }
 
 PK11SlotInfo* GetPublicNSSKeySlot() {
   return g_nss_singleton.Get().GetPublicNSSKeySlot();
 }
 
 PK11SlotInfo* GetPrivateNSSKeySlot() {
   return g_nss_singleton.Get().GetPrivateNSSKeySlot();
 }
 
 }  // namespace crypto