Enable system NSS key slot.

crypto/nss_util_internal.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CRYPTO_NSS_UTIL_INTERNAL_H_
 #define CRYPTO_NSS_UTIL_INTERNAL_H_
 
 #include <secmodt.h>
 
 #include "base/callback.h"
@@ skipping 35 matching lines @@
   DISALLOW_COPY_AND_ASSIGN(AutoSECMODListReadLock);
 };
 
 #if defined(OS_CHROMEOS)
 // Returns a reference to the system-wide TPM slot if is loaded. If it is not
 // laoded and |callback| is non-null, the |callback| will be run once the slot
 // is loaded.
 CRYPTO_EXPORT ScopedPK11Slot GetSystemNSSKeySlot(
     const base::Callback<void(ScopedPK11Slot)>& callback) WARN_UNUSED_RESULT;
 
-// Sets the test system slot. If this was called before
-// InitializeTPMTokenAndSystemSlot and no system token is provided by the Chaps
+// Sets the test system slot.
+// If |skip_tpm_initialization| is true, the TPM initialization that is usually
+// triggered by InitializeTPMTokenAndSystemSlot is skipped and instead the
+// |slot| is directly exposed through |GetSystemNSSKeySlot| and
+// |IsTPMTokenReady| will return true.
+// If |skip_tpm_initialization| is false, InitializeTPMTokenAndSystemSlot must
+// be called afterwards. If then no system token is provided by the Chaps
 // module, then this test slot will be used and the initialization continues as

[Ryan Sleevi, 2014/07/29 00:23:16]

English-wise, this reads a little weird (namely "IfThen")

You can probably nuke the "then"? "If no system token ..."

This |skip_tpm_initialization| really doesn't make sense to me, even after
having read all of the code.

[pneubeck (no reviews), 2014/07/29 16:00:15]

Yes, the 'then' was a typo.
The idea was to allow for two kinds of tests:

1) In a unit test one would use skip_tpm_init=true. Without the TPMTokenLoader
being used in the test (which would usually call
InitializeTPMTokenAndSystemSlot), all GetSystemNSSKeySlot calls would still
succeed.

2) In a browser test one would use skip_tpm_init=false. As in a real run on
ChromeOS, TPMTokenLoader would initialize the TPM by calling
InitializeTPMTokenAndSystemSlot and only after the initialization in
nss_utils.cc finds no chaps module, it instead uses the test slot. That way, all
callbacks and callback lists would be tested as well.

However, after I now tried to write such a browser test, I found  that there are
several places that do some special handling if the browser is not running in a
ChromeOS environment (which is in particular true in tests) and skip the TPM
initialization all together. Also, it is currently impossible to set the test
system slot before the EnableNSSSystemKeySlot* function in profile_io_data is
called. To allow that, we either have to drop the IO thread restriction on the
ScopedTestSystemNSSKeySlot helper or add some other testing code.

Thus, I would suggest to punt such tests that cover the TPM initialization to
the larger refactoring/cleanup in 39 and
for now keep only the simple flow 1) with skip_tpm_initialization=true.
I removed the flag in the patch set #3 already.

Actually, once I got rid of more of the global accessors (e.g.
GetSystemNSSKeySlot, GetPublicSlotForChromeOSUser, ...) in net/ and crypto/
several test problems should be solved at the same time.

-// if Chaps had provided this test slot. In particular, |slot| will be exposed
+// if Chaps had provided this test slot. Again, |slot| will be exposed
 // by |GetSystemNSSKeySlot| and |IsTPMTokenReady| will return true.
 // This must must not be called consecutively with a |slot| != NULL. If |slot|
 // is NULL, the test system slot is unset.
-CRYPTO_EXPORT_PRIVATE void SetSystemKeySlotForTesting(ScopedPK11Slot slot);
+CRYPTO_EXPORT_PRIVATE void SetSystemKeySlotForTesting(
+    bool skip_tpm_initialization,
+    ScopedPK11Slot slot);
 
 // Prepare per-user NSS slot mapping. It is safe to call this function multiple
 // times. Returns true if the user was added, or false if it already existed.
 CRYPTO_EXPORT bool InitializeNSSForChromeOSUser(
     const std::string& email,
     const std::string& username_hash,
     const base::FilePath& path);
 
 // Returns whether TPM for ChromeOS user still needs initialization. If
 // true is returned, the caller can proceed to initialize TPM slot for the
@@ skipping 32 matching lines @@
 
 // Closes the NSS DB for |username_hash| that was previously opened by the
 // *Initialize*ForChromeOSUser functions.
 CRYPTO_EXPORT_PRIVATE void CloseChromeOSUserForTesting(
     const std::string& username_hash);
 #endif  // defined(OS_CHROMEOS)
 
 }  // namespace crypto
 
 #endif  // CRYPTO_NSS_UTIL_INTERNAL_H_