Enable system NSS key slot.

net/cert/nss_cert_database_chromeos.cc

Index: net/cert/nss_cert_database_chromeos.cc
diff --git a/net/cert/nss_cert_database_chromeos.cc b/net/cert/nss_cert_database_chromeos.cc
index 60f7f2ee64a8b4cdc49f9e2ada25d1996dbbc1d6..63d969cd7ea291ae2f152c189f4cb971f575721f 100644
--- a/net/cert/nss_cert_database_chromeos.cc
+++ b/net/cert/nss_cert_database_chromeos.cc
@@ -22,11 +22,21 @@ NSSCertDatabaseChromeOS::NSSCertDatabaseChromeOS(
     crypto::ScopedPK11Slot public_slot,
     crypto::ScopedPK11Slot private_slot)
     : NSSCertDatabase(public_slot.Pass(), private_slot.Pass()) {
-  profile_filter_.Init(GetPublicSlot(), GetPrivateSlot());
+  // By default, don't use a system slot. Only if explicitly set by
+  // SetSystemSlot, the system slot will be used.
+  profile_filter_.Init(GetPublicSlot(),
+                       GetPrivateSlot(),
+                       crypto::ScopedPK11Slot() /* no system slot */);
 }
 
 NSSCertDatabaseChromeOS::~NSSCertDatabaseChromeOS() {}
 
+void NSSCertDatabaseChromeOS::SetSystemSlot(
+    crypto::ScopedPK11Slot system_slot) {

[mattm, 2014/07/30 22:57:34]

Seems a little iffy that initializing the system slot is asynchronous but done
after the NSSCertDatabaseChromeOS is created, if anything uses it during that
time they wouldn't get results from the system slot. Is there a reason the
system slot isn't just another parameter to the constructor?

[pneubeck (no reviews), 2014/07/31 06:31:25]

Yes, full ack.
That's why originally I tried to make the initialization of NSSCertDB explicit.
I tried to do that in user_session_manager, where we already have some cert db
code (and initialize CertTokenLoader). However, when I tried to write tests for
it, I realized that this is the totally wrong place to do it. The login flow and
user session manager are usually modified/mocked in browser tests and the
initialization didn't work as expected.

Instead, I started writing a CL to add a CertDBService, a KeyedService, which
will take care of most initialization on top of nss_util (also replacing
nss_context).
See https://codereview.chromium.org/419013003/

However, this change will not be small and not making it into 38.

Therefore, this not ideal, short-term solution of setting the system slot from
profile_io_data.
According to the current usage, it should never occur that someone access the
NSSCertDB before this setter was called (if it ever get's called).

[mattm, 2014/07/31 10:29:30]

Okay, sounds reasonable. And thinking about the initialization order more it
does seem reasonably safe.

+  system_slot_ = system_slot.Pass();
+  profile_filter_.Init(GetPublicSlot(), GetPrivateSlot(), GetSystemSlot());
+}
+
 void NSSCertDatabaseChromeOS::ListCertsSync(CertificateList* certs) {
   ListCertsImpl(profile_filter_, certs);
 }
@@ -45,6 +55,12 @@ void NSSCertDatabaseChromeOS::ListCerts(
       base::Bind(callback, base::Passed(&certs)));
 }
 
+crypto::ScopedPK11Slot NSSCertDatabaseChromeOS::GetSystemSlot() const {
+  if (system_slot_)
+    return crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_slot_.get()));
+  return crypto::ScopedPK11Slot();
+}
+
 void NSSCertDatabaseChromeOS::ListModules(CryptoModuleList* modules,
                                           bool need_rw) const {
   NSSCertDatabase::ListModules(modules, need_rw);