Add GetSystemNSSKeySlot, merge GetPrivateNSSKeySlot/GetPublicNSSKeySlot to GetPersistentNSSKeySlot.

crypto/nss_util.cc

Index: crypto/nss_util.cc
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 1598ba907bff34cfa389bc228afb31e67c1297ce..e3a983c90480b91e355ce3259e5e4c8758687e39 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -624,7 +624,7 @@ class NSSInitSingleton {
     ignore_result(g_test_nss_db_dir.Get().Delete());
   }
 
-  PK11SlotInfo* GetPublicNSSKeySlot() {
+  PK11SlotInfo* GetPersistentNSSKeySlot() {
     // TODO(mattm): Change to DCHECK when callers have been fixed.
     if (!thread_checker_.CalledOnValidThread()) {
       DVLOG(1) << "Called on wrong thread.\n"
@@ -636,29 +636,23 @@ class NSSInitSingleton {
     return PK11_GetInternalKeySlot();
   }
 
-  PK11SlotInfo* GetPrivateNSSKeySlot() {
-    // TODO(mattm): Change to DCHECK when callers have been fixed.
-    if (!thread_checker_.CalledOnValidThread()) {
-      DVLOG(1) << "Called on wrong thread.\n"
-               << base::debug::StackTrace().ToString();
-    }
+#if defined(OS_CHROMEOS)
+  PK11SlotInfo* GetSystemNSSKeySlot() {
+    DCHECK(thread_checker_.CalledOnValidThread());
 
     if (test_slot_)
       return PK11_ReferenceSlot(test_slot_);
 
-#if defined(OS_CHROMEOS)
-    if (tpm_token_enabled_for_nss_) {
-      if (IsTPMTokenReady(base::Closure())) {
-        return PK11_ReferenceSlot(tpm_slot_);
-      } else {
-        // If we were supposed to get the hardware token, but were
-        // unable to, return NULL rather than fall back to sofware.
-        return NULL;
-      }
-    }
-#endif
-    return PK11_GetInternalKeySlot();
+    // TODO(mattm): If the system slot is disabled, InitializeTPMToken would

[pneubeck (no reviews), 2014/07/10 09:44:11]

I looked for the cause of this.
IIUC, then TPMTokenLoader is now responsible to initialize the system token.
I'll write a CL to update the class comment there.

Since TPMTokenLoader always uses the kDefaultSlot = 0, the behavior that you
describe appears. Could you mention that here?

[mattm, 2014/07/10 22:20:45]

Done.

+    // have been called with the first user's slot instead. Can that be
+    // detected and return NULL instead?
+    if (tpm_token_enabled_for_nss_ && IsTPMTokenReady(base::Closure()))
+      return PK11_ReferenceSlot(tpm_slot_);
+    // If we were supposed to get the hardware token, but were
+    // unable to, return NULL rather than fall back to sofware.
+    return NULL;
   }
+#endif
 
 #if defined(USE_NSS)
   base::Lock* write_lock() {
@@ -1069,6 +1063,10 @@ AutoSECMODListReadLock::~AutoSECMODListReadLock() {
 #endif  // defined(USE_NSS)
 
 #if defined(OS_CHROMEOS)
+PK11SlotInfo* GetSystemNSSKeySlot() {
+  return g_nss_singleton.Get().GetSystemNSSKeySlot();
+}
+
 void EnableTPMTokenForNSS() {
   g_nss_singleton.Get().EnableTPMTokenForNSS();
 }
@@ -1157,12 +1155,8 @@ PRTime BaseTimeToPRTime(base::Time time) {
   return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }
 
-PK11SlotInfo* GetPublicNSSKeySlot() {
-  return g_nss_singleton.Get().GetPublicNSSKeySlot();
-}
-
-PK11SlotInfo* GetPrivateNSSKeySlot() {
-  return g_nss_singleton.Get().GetPrivateNSSKeySlot();
+PK11SlotInfo* GetPersistentNSSKeySlot() {
+  return g_nss_singleton.Get().GetPersistentNSSKeySlot();
 }
 
 }  // namespace crypto