Enable system token in platformKeys api.

chrome/browser/chromeos/platform_keys/platform_keys_nss.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
 
 #include <cryptohi.h>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ skipping 54 matching lines @@
   // The task runner on which the NSS operation was called. Any reply must be
   // posted to this runner.
   scoped_refptr<base::SingleThreadTaskRunner> origin_task_runner_;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(NSSOperationState);
 };
 
 typedef base::Callback<void(net::NSSCertDatabase* cert_db)> GetCertDBCallback;
 
-// Called back with the NSSCertDatabase associated to the given |token_id|.
-// Calls |callback| if the database was successfully retrieved. Used by
+// Called back with the NSSCertDatabase associated to the given |context|.

[Joao da Silva, 2014/07/30 08:46:38]

There is no |context| here

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

+// If |token_id| is not empty, sets |slot_| of the state accordingly and calls
+// |callback| if the database was successfully retrieved. Used by
 // GetCertDatabaseOnIOThread.
-void DidGetCertDBOnIOThread(const GetCertDBCallback& callback,
+void DidGetCertDBOnIOThread(const std::string& token_id,
+                            const GetCertDBCallback& callback,
                             NSSOperationState* state,
                             net::NSSCertDatabase* cert_db) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   if (!cert_db) {
     LOG(ERROR) << "Couldn't get NSSCertDatabase.";
     state->OnError(FROM_HERE, kErrorInternal);
     return;
   }
 
-  state->slot_ = cert_db->GetPrivateSlot();
-  if (!state->slot_) {
-    LOG(ERROR) << "No private slot";
-    state->OnError(FROM_HERE, kErrorInternal);
-    return;
+  if (!token_id.empty()) {
+    if (token_id == kTokenIdUser)
+      state->slot_ = cert_db->GetPrivateSlot();
+    else if (token_id == kTokenIdSystem)

[Joao da Silva, 2014/07/30 08:46:38]

Why isn't kTokenIdUser and kTokenIdSystem an enum?

[pneubeck (no reviews), 2014/07/30 13:53:45]

Explained now at the declaration comment.

+      state->slot_ = cert_db->GetSystemSlot();
+
+    if (!state->slot_) {
+      LOG(ERROR) << "Slot for token id '" << token_id << "' not available.";
+      state->OnError(FROM_HERE, kErrorInternal);
+      return;
+    }
   }
 
   callback.Run(cert_db);
 }
 
-// Retrieves the NSSCertDatabase from |context|. Must be called on the IO
-// thread.
-void GetCertDatabaseOnIOThread(content::ResourceContext* context,
+// Retrieves the NSSCertDatabase from |context| and, if |token_id| is not empty,
+// the slot for |token_id|.
+// Must be called on the IO thread.
+void GetCertDatabaseOnIOThread(const std::string& token_id,
                                const GetCertDBCallback& callback,
+                               content::ResourceContext* context,
                                NSSOperationState* state) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   net::NSSCertDatabase* cert_db = GetNSSCertDatabaseForResourceContext(
-      context, base::Bind(&DidGetCertDBOnIOThread, callback, state));
+      context, base::Bind(&DidGetCertDBOnIOThread, token_id, callback, state));
 
   if (cert_db)
-    DidGetCertDBOnIOThread(callback, state, cert_db);
+    DidGetCertDBOnIOThread(token_id, callback, state, cert_db);
 }
 
-// Asynchronously fetches the NSSCertDatabase and PK11Slot for |token_id|.
-// Stores the slot in |state| and passes the database to |callback|. Will run
-// |callback| on the IO thread.
+// Asynchronously fetches the NSSCertDatabase for |browser_context| and, if
+// |token| is not empty, the slot for |token_id|. Stores the slot in |state|

[Joao da Silva, 2014/07/30 08:46:39]

|token| -> |token_id|

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

+// and passes the database to |callback|. Will run |callback| on the IO thread.
 void GetCertDatabase(const std::string& token_id,
                      const GetCertDBCallback& callback,
                      BrowserContext* browser_context,
                      NSSOperationState* state) {
-  // TODO(pneubeck): Decide which DB to retrieve depending on |token_id|.
   BrowserThread::PostTask(BrowserThread::IO,
                           FROM_HERE,
                           base::Bind(&GetCertDatabaseOnIOThread,
+                                     token_id,
+                                     callback,
                                      browser_context->GetResourceContext(),
-                                     callback,
                                      state));
 }
 
 class GenerateRSAKeyState : public NSSOperationState {
  public:
   GenerateRSAKeyState(unsigned int modulus_length_bits,
                       const subtle::GenerateKeyCallback& callback);
   virtual ~GenerateRSAKeyState() {}
 
   virtual void OnError(const tracked_objects::Location& from,
@@ skipping 109 matching lines @@
     origin_task_runner_->PostTask(from, base::Bind(callback_, error_message));
   }
 
   scoped_refptr<net::X509Certificate> certificate_;
 
  private:
   // Must be called on origin thread, use CallBack() therefore.
   RemoveCertificateCallback callback_;
 };
 
+class GetTokensState : public NSSOperationState {
+ public:
+  explicit GetTokensState(const GetTokensCallback& callback);
+  virtual ~GetTokensState() {}
+
+  virtual void OnError(const tracked_objects::Location& from,
+                       const std::string& error_message) OVERRIDE {
+    CallBack(from,
+             scoped_ptr<std::vector<std::string> >() /* no token ids */,
+             error_message);
+  }
+
+  void CallBack(const tracked_objects::Location& from,
+                scoped_ptr<std::vector<std::string> > token_ids,
+                const std::string& error_message) {
+    origin_task_runner_->PostTask(
+        from, base::Bind(callback_, base::Passed(&token_ids), error_message));
+  }
+
+ private:
+  // Must be called on origin thread, use CallBack() therefore.

[Joao da Silva, 2014/07/30 08:46:38]

, therefore use Callback().

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

+  GetTokensCallback callback_;
+};
+
 NSSOperationState::NSSOperationState()
     : origin_task_runner_(base::ThreadTaskRunnerHandle::Get()) {
 }
 
 GenerateRSAKeyState::GenerateRSAKeyState(
     unsigned int modulus_length_bits,
     const subtle::GenerateKeyCallback& callback)
     : modulus_length_bits_(modulus_length_bits), callback_(callback) {
 }
 
@@ skipping 17 matching lines @@
     const ImportCertificateCallback& callback)
     : certificate_(certificate), callback_(callback) {
 }
 
 RemoveCertificateState::RemoveCertificateState(
     scoped_refptr<net::X509Certificate> certificate,
     const RemoveCertificateCallback& callback)
     : certificate_(certificate), callback_(callback) {
 }
 
+GetTokensState::GetTokensState(const GetTokensCallback& callback)
+    : callback_(callback) {
+}
+
 // Does the actual key generation on a worker thread. Used by
 // GenerateRSAKeyWithDB().
 void GenerateRSAKeyOnWorkerThread(scoped_ptr<GenerateRSAKeyState> state) {
   scoped_ptr<crypto::RSAPrivateKey> rsa_key(
       crypto::RSAPrivateKey::CreateSensitive(state->slot_.get(),
                                              state->modulus_length_bits_));
   if (!rsa_key) {
     LOG(ERROR) << "Couldn't create key.";
     state->OnError(FROM_HERE, kErrorInternal);
     return;
@@ skipping 140 matching lines @@
   const net::Error cert_status =
       static_cast<net::Error>(db->CheckUserCert(state->certificate_));
   if (cert_status == net::ERR_NO_PRIVATE_KEY_FOR_CERT) {
     state->OnError(FROM_HERE, kErrorKeyNotFound);
     return;
   } else if (cert_status != net::OK) {
     state->OnError(FROM_HERE, net::ErrorToString(cert_status));
     return;
   }
 
+  // Check that the private key is in the correct slot.
+  PK11SlotInfo* slot =
+      PK11_KeyForCertExists(state->certificate_->os_cert_handle(), NULL, NULL);
+  if (slot != state->slot_) {
+    state->OnError(FROM_HERE, kErrorKeyNotFound);
+    return;
+  }
+
   const net::Error import_status =
       static_cast<net::Error>(db->AddUserCert(state->certificate_.get()));
   if (import_status != net::OK) {
     LOG(ERROR) << "Could not import certificate.";
     state->OnError(FROM_HERE, net::ErrorToString(import_status));
     return;
   }
 
   state->CallBack(FROM_HERE, std::string() /* no error */);
 }
@@ skipping 23 matching lines @@
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
   // Get the pointer before base::Passed clears |state|.
   scoped_refptr<net::X509Certificate> certificate = state->certificate_;
   bool certificate_found = certificate->os_cert_handle()->isperm;
   cert_db->DeleteCertAndKeyAsync(
       certificate,
       base::Bind(
           &DidRemoveCertificate, base::Passed(&state), certificate_found));
 }
 
+// Does the actual work to determine which tokens are available.
+void GetTokensWithDB(scoped_ptr<GetTokensState> state,
+                     net::NSSCertDatabase* cert_db) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+  scoped_ptr<std::vector<std::string> > token_ids(new std::vector<std::string>);
+
+  // The user's token is always available.
+  token_ids->push_back(kTokenIdUser);
+  if (cert_db->GetSystemSlot())
+    token_ids->push_back(kTokenIdSystem);

[Joao da Silva, 2014/07/30 08:46:39]

Doesn't this depend on state->slot_, based on what DidGetCertDBOnIOThread is
doing?

[pneubeck (no reviews), 2014/07/30 13:53:45]

GetCertDatabase always gets the DB for the browser context.
|token_id| (in case of the other functions) determines which slot of the DB to
use.

Here, we have to get the list of available slots of DB.

+
+  state->CallBack(FROM_HERE, token_ids.Pass(), std::string() /* no error */);
+}
+
 }  // namespace
 
 namespace subtle {
 
 void GenerateRSAKey(const std::string& token_id,
                     unsigned int modulus_length_bits,
                     const GenerateKeyCallback& callback,
                     BrowserContext* browser_context) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   scoped_ptr<GenerateRSAKeyState> state(
@@ skipping 78 matching lines @@
   NSSOperationState* state_ptr = state.get();
 
   // The NSSCertDatabase object is not required. But in case it's not available
   // we would get more informative error messages.
   GetCertDatabase(token_id,
                   base::Bind(&RemoveCertificateWithDB, base::Passed(&state)),
                   browser_context,
                   state_ptr);
 }
 
+void GetTokens(const GetTokensCallback& callback,
+               content::BrowserContext* browser_context) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+  scoped_ptr<GetTokensState> state(new GetTokensState(callback));
+  // Get the pointer to |state| before base::Passed releases |state|.
+  NSSOperationState* state_ptr = state.get();
+  GetCertDatabase(std::string() /* don't get any specific slot */,
+                  base::Bind(&GetTokensWithDB, base::Passed(&state)),
+                  browser_context,
+                  state_ptr);
+}
+
 }  // namespace platform_keys
 
 }  // namespace chromeos