Add GetSystemNSSKeySlot, merge GetPrivateNSSKeySlot/GetPublicNSSKeySlot to GetPersistentNSSKeySlot.

crypto/nss_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 
 #include <nss.h>
 #include <pk11pub.h>
 #include <plarena.h>
@@ skipping 298 matching lines @@
     // private keys, otherwise we'll fall back to the software
     // implementation.
     tpm_token_enabled_for_nss_ = true;
   }
 
   bool IsTPMTokenEnabledForNSS() {
     DCHECK(thread_checker_.CalledOnValidThread());
     return tpm_token_enabled_for_nss_;
   }
 
-  void InitializeTPMToken(int token_slot_id,
-                          const base::Callback<void(bool)>& callback) {
+  void InitializeTPMTokenAndSystemSlot(
+      int system_slot_id,
+      const base::Callback<void(bool)>& callback) {
     DCHECK(thread_checker_.CalledOnValidThread());
     // Should not be called while there is already an initialization in
     // progress.
     DCHECK(!initializing_tpm_token_);
     // If EnableTPMTokenForNSS hasn't been called, return false.
     if (!tpm_token_enabled_for_nss_) {
       base::MessageLoop::current()->PostTask(FROM_HERE,
                                              base::Bind(callback, false));
       return;
     }
 
     // If everything is already initialized, then return true.
     // Note that only |tpm_slot_| is checked, since |chaps_module_| could be
     // NULL in tests while |tpm_slot_| has been set to the test DB.
     if (tpm_slot_) {
       base::MessageLoop::current()->PostTask(FROM_HERE,
                                              base::Bind(callback, true));
       return;
     }
 
     // Note that a reference is not taken to chaps_module_. This is safe since
     // NSSInitSingleton is Leaky, so the reference it holds is never released.
     scoped_ptr<TPMModuleAndSlot> tpm_args(new TPMModuleAndSlot(chaps_module_));
     TPMModuleAndSlot* tpm_args_ptr = tpm_args.get();
     if (base::WorkerPool::PostTaskAndReply(
             FROM_HERE,
             base::Bind(&NSSInitSingleton::InitializeTPMTokenOnWorkerThread,
-                       token_slot_id,
+                       system_slot_id,
                        tpm_args_ptr),
-            base::Bind(&NSSInitSingleton::OnInitializedTPMToken,
+            base::Bind(&NSSInitSingleton::OnInitializedTPMTokenAndSystemSlot,
                        base::Unretained(this),  // NSSInitSingleton is leaky
                        callback,
                        base::Passed(&tpm_args)),
             true /* task_is_slow */
             )) {
       initializing_tpm_token_ = true;
     } else {
       base::MessageLoop::current()->PostTask(FROM_HERE,
                                              base::Bind(callback, false));
     }
@@ skipping 14 matching lines @@
           //   read from this slot without requiring a call to C_Login.
           // askpw=only -- Only authenticate to the token when necessary.
           "NSS=\"slotParams=(0={slotFlags=[PublicCerts] askpw=only})\"");
     }
     if (tpm_args->chaps_module) {
       tpm_args->tpm_slot =
           GetTPMSlotForIdOnWorkerThread(tpm_args->chaps_module, token_slot_id);
     }
   }
 
-  void OnInitializedTPMToken(const base::Callback<void(bool)>& callback,
-                             scoped_ptr<TPMModuleAndSlot> tpm_args) {
+  void OnInitializedTPMTokenAndSystemSlot(
+      const base::Callback<void(bool)>& callback,
+      scoped_ptr<TPMModuleAndSlot> tpm_args) {
     DCHECK(thread_checker_.CalledOnValidThread());
     DVLOG(2) << "Loaded chaps: " << !!tpm_args->chaps_module
              << ", got tpm slot: " << !!tpm_args->tpm_slot;
 
     chaps_module_ = tpm_args->chaps_module;
     tpm_slot_ = tpm_args->tpm_slot;
     if (!chaps_module_ && test_slot_) {
       // chromeos_unittests try to test the TPM initialization process. If we
       // have a test DB open, pretend that it is the TPM slot.
       tpm_slot_ = PK11_ReferenceSlot(test_slot_);
@@ skipping 220 matching lines @@
     if (!test_slot_)
       return;
     SECStatus status = SECMOD_CloseUserDB(test_slot_);
     if (status != SECSuccess)
       PLOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError();
     PK11_FreeSlot(test_slot_);
     test_slot_ = NULL;
     ignore_result(g_test_nss_db_dir.Get().Delete());
   }
 
-  PK11SlotInfo* GetPublicNSSKeySlot() {
+  PK11SlotInfo* GetPersistentNSSKeySlot() {
     // TODO(mattm): Change to DCHECK when callers have been fixed.
     if (!thread_checker_.CalledOnValidThread()) {
       DVLOG(1) << "Called on wrong thread.\n"
                << base::debug::StackTrace().ToString();
     }
 
     if (test_slot_)
       return PK11_ReferenceSlot(test_slot_);
     return PK11_GetInternalKeySlot();
   }
 
-  PK11SlotInfo* GetPrivateNSSKeySlot() {
-    // TODO(mattm): Change to DCHECK when callers have been fixed.
-    if (!thread_checker_.CalledOnValidThread()) {
-      DVLOG(1) << "Called on wrong thread.\n"
-               << base::debug::StackTrace().ToString();
-    }
+#if defined(OS_CHROMEOS)
+  PK11SlotInfo* GetSystemNSSKeySlot() {
+    DCHECK(thread_checker_.CalledOnValidThread());
 
     if (test_slot_)
       return PK11_ReferenceSlot(test_slot_);
 
-#if defined(OS_CHROMEOS)
-    if (tpm_token_enabled_for_nss_) {
-      if (IsTPMTokenReady(base::Closure())) {
-        return PK11_ReferenceSlot(tpm_slot_);
-      } else {
-        // If we were supposed to get the hardware token, but were
-        // unable to, return NULL rather than fall back to sofware.
-        return NULL;
-      }
-    }
+    // TODO(mattm): chromeos::TPMTokenloader always calls
+    // InitializeTPMTokenAndSystemSlot with slot 0.  If the system slot is
+    // disabled, tpm_slot_ will be the first user's slot instead. Can that be
+    // detected and return NULL instead?
+    if (tpm_token_enabled_for_nss_ && IsTPMTokenReady(base::Closure()))
+      return PK11_ReferenceSlot(tpm_slot_);
+    // If we were supposed to get the hardware token, but were
+    // unable to, return NULL rather than fall back to sofware.
+    return NULL;
+  }
 #endif
-    return PK11_GetInternalKeySlot();
-  }
 
 #if defined(USE_NSS)
   base::Lock* write_lock() {
     return &write_lock_;
   }
 #endif  // defined(USE_NSS)
 
   // This method is used to force NSS to be initialized without a DB.
   // Call this method before NSSInitSingleton() is constructed.
   static void ForceNoDBInit() {
@@ skipping 390 matching lines @@
     SECMOD_GetReadLock(lock_);
   }
 
 AutoSECMODListReadLock::~AutoSECMODListReadLock() {
   SECMOD_ReleaseReadLock(lock_);
 }
 
 #endif  // defined(USE_NSS)
 
 #if defined(OS_CHROMEOS)
+PK11SlotInfo* GetSystemNSSKeySlot() {
+  return g_nss_singleton.Get().GetSystemNSSKeySlot();
+}
+
 void EnableTPMTokenForNSS() {
   g_nss_singleton.Get().EnableTPMTokenForNSS();
 }
 
 bool IsTPMTokenEnabledForNSS() {
   return g_nss_singleton.Get().IsTPMTokenEnabledForNSS();
 }
 
 bool IsTPMTokenReady(const base::Closure& callback) {
   return g_nss_singleton.Get().IsTPMTokenReady(callback);
 }
 
-void InitializeTPMToken(int token_slot_id,
-                        const base::Callback<void(bool)>& callback) {
-  g_nss_singleton.Get().InitializeTPMToken(token_slot_id, callback);
+void InitializeTPMTokenAndSystemSlot(
+    int token_slot_id,
+    const base::Callback<void(bool)>& callback) {
+  g_nss_singleton.Get().InitializeTPMTokenAndSystemSlot(token_slot_id,
+                                                        callback);
 }
 
 ScopedTestNSSChromeOSUser::ScopedTestNSSChromeOSUser(
     const std::string& username_hash)
     : username_hash_(username_hash), constructed_successfully_(false) {
   if (!temp_dir_.CreateUniqueTempDir())
     return;
   constructed_successfully_ =
       InitializeNSSForChromeOSUser(username_hash,
                                    username_hash,
@@ skipping 53 matching lines @@
 
 base::Time PRTimeToBaseTime(PRTime prtime) {
   return base::Time::FromInternalValue(
       prtime + base::Time::UnixEpoch().ToInternalValue());
 }
 
 PRTime BaseTimeToPRTime(base::Time time) {
   return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }
 
-PK11SlotInfo* GetPublicNSSKeySlot() {
-  return g_nss_singleton.Get().GetPublicNSSKeySlot();
-}
-
-PK11SlotInfo* GetPrivateNSSKeySlot() {
-  return g_nss_singleton.Get().GetPrivateNSSKeySlot();
+PK11SlotInfo* GetPersistentNSSKeySlot() {
+  return g_nss_singleton.Get().GetPersistentNSSKeySlot();
 }
 
 }  // namespace crypto