Initialize per-ChromeOS-user NSS slots and provide the functions to access them.

crypto/nss_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 
 #include <nss.h>
 #include <pk11pub.h>
 #include <plarena.h>
 #include <prerror.h>
 #include <prinit.h>
 #include <prtime.h>
 #include <secmod.h>
 
 #if defined(OS_LINUX)
 #include <linux/nfs_fs.h>
 #include <sys/vfs.h>
 #elif defined(OS_OPENBSD)
 #include <sys/mount.h>
 #include <sys/param.h>
 #endif
 
+#include <map>
 #include <vector>
 
+#include "base/callback.h"
 #include "base/debug/alias.h"
 #include "base/debug/stack_trace.h"
 #include "base/environment.h"
 #include "base/file_util.h"
 #include "base/files/file_path.h"
 #include "base/files/scoped_temp_dir.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/metrics/histogram.h"
 #include "base/native_library.h"
+#include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/threading/thread_checker.h"
 #include "base/threading/thread_restrictions.h"
 #include "build/build_config.h"
 
 // USE_NSS means we use NSS for everything crypto-related.  If USE_NSS is not
 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't
 // use NSS for crypto or certificate verification, and we don't use the NSS
 // certificate and key databases.
 #if defined(USE_NSS)
@@ skipping 34 matching lines @@
   base::FilePath dir = file_util::GetHomeDir();
   if (dir.empty()) {
     LOG(ERROR) << "Failed to get home directory.";
     return dir;
   }
   dir = dir.AppendASCII(".pki").AppendASCII("nssdb");
   if (!file_util::CreateDirectory(dir)) {
     LOG(ERROR) << "Failed to create " << dir.value() << " directory.";
     dir.clear();
   }
+  VLOG(1) << "DefaultConfigDirectory: " << dir.value();
   return dir;
 }
 
 // On non-Chrome OS platforms, return the default config directory. On Chrome OS
 // test images, return a read-only directory with fake root CA certs (which are
 // used by the local Google Accounts server mock we use when testing our login
 // code). On Chrome OS non-test images (where the read-only directory doesn't
 // exist), return an empty path.
 base::FilePath GetInitialConfigDirectory() {
 #if defined(OS_CHROMEOS)
@@ skipping 107 matching lines @@
 void CrashOnNSSInitFailure() {
   int nss_error = PR_GetError();
   int os_error = PR_GetOSError();
   base::debug::Alias(&nss_error);
   base::debug::Alias(&os_error);
   LOG(ERROR) << "Error initializing NSS without a persistent database: "
              << GetNSSErrorMessage();
   LOG(FATAL) << "nss_error=" << nss_error << ", os_error=" << os_error;
 }
 
+#if defined(OS_CHROMEOS)
+class ChromeOSUserData {
+ public:
+  ChromeOSUserData(ScopedPK11Slot public_slot, bool is_primary_user)
+      : public_slot_(public_slot.Pass()), is_primary_user_(is_primary_user) {}
+  ~ChromeOSUserData() {
+    // Don't close when NSS is < 3.15.1, because it would require an additional
+    // sleep for 1 second after closing the database, due to
+    // http://bugzil.la/875601.
+    if (NSS_VersionCheck("3.15.1")) {
+      if (public_slot_ && !is_primary_user_) {
+        SECStatus status = SECMOD_CloseUserDB(public_slot_.get());
+        if (status != SECSuccess)
+          PLOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError();

[Ryan Sleevi, 2013/11/27 00:24:11]

ChromeOS is always at 3.15.1 now, soon to be at 3.15.3

You can remove this check :)

[mattm, 2013/11/27 04:12:23]

Done.

+      }
+    }
+  }
+
+  ScopedPK11Slot GetPublicSlot() {
+    return ScopedPK11Slot(public_slot_ ? PK11_ReferenceSlot(public_slot_.get())
+                                       : NULL);
+  }
+
+  ScopedPK11Slot GetPrivateSlot() {
+    return ScopedPK11Slot(
+        private_slot_ ? PK11_ReferenceSlot(private_slot_.get()) : NULL);

[Ryan Sleevi, 2013/11/27 00:24:11]

Why the differing indent style compared with 241?

[mattm, 2013/11/27 04:12:23]

That's what clang-format decided to do, this one was too long for the other
format. Changed 241 to match.

+  }
+
+  void OnPrivateSlotReady(
+      const base::Callback<void(ScopedPK11Slot)>& callback) {
+    if (private_slot_)
+      callback.Run(GetPrivateSlot());
+    else
+      tpm_ready_callback_list_.push_back(callback);
+  }
+
+  void SetPrivateSlot(ScopedPK11Slot private_slot) {
+    DCHECK(!private_slot_);
+    private_slot_ = private_slot.Pass();
+
+    for (SlotReadyCallbackList::iterator i = tpm_ready_callback_list_.begin();
+         i != tpm_ready_callback_list_.end();
+         ++i) {
+      (*i).Run(GetPrivateSlot());
+    }
+    tpm_ready_callback_list_.clear();

[Ryan Sleevi, 2013/11/27 00:24:11]

DANGER: This strikes me as a dangerous pattern, in that one of the callbacks may
end up calling OnPrivateSlotReady, invalidating the iterator.

Use a stack variable and swap? Explicitly forbid this (good luck with that - it
asks way too much of developers to understand the full implementation details of
anything that might be called)

[mattm, 2013/11/27 04:12:23]

Good call. Done.

+  }
+
+ private:
+  ScopedPK11Slot public_slot_;
+  ScopedPK11Slot private_slot_;
+  bool is_primary_user_;
+
+  typedef std::vector<base::Callback<void(ScopedPK11Slot)> >
+      SlotReadyCallbackList;
+  SlotReadyCallbackList tpm_ready_callback_list_;
+};
+#endif  // defined(OS_CHROMEOS)
+
 class NSSInitSingleton {
  public:
 #if defined(OS_CHROMEOS)
   void OpenPersistentNSSDB() {
     DCHECK(thread_checker_.CalledOnValidThread());
 
     if (!chromeos_user_logged_in_) {
       // GetDefaultConfigDirectory causes us to do blocking IO on UI thread.
       // Temporarily allow it until we fix http://crbug.com/70119
       base::ThreadRestrictions::ScopedAllowIO allow_io;
       chromeos_user_logged_in_ = true;
 
       // This creates another DB slot in NSS that is read/write, unlike
       // the fake root CA cert DB and the "default" crypto key
       // provider, which are still read-only (because we initialized
       // NSS before we had a cryptohome mounted).
       software_slot_ = OpenUserDB(GetDefaultConfigDirectory(),
                                   kNSSDatabaseName);
     }
   }
 
+  PK11SlotInfo* OpenPersistentNSSDBForPath(const base::FilePath& path) {
+    DCHECK(thread_checker_.CalledOnValidThread());
+    VLOG(1) << __func__ << " " << path.value();
+    // We do NSS file io on the IO thread.
+    base::ThreadRestrictions::ScopedAllowIO allow_io;
+
+    base::FilePath nssdb_path = path.AppendASCII(".pki").AppendASCII("nssdb");
+    if (!file_util::CreateDirectory(nssdb_path)) {
+      LOG(ERROR) << "Failed to create " << nssdb_path.value() << " directory.";
+      return NULL;
+    }
+    return OpenUserDB(nssdb_path, kNSSDatabaseName);
+  }
+
   void EnableTPMTokenForNSS() {
     DCHECK(thread_checker_.CalledOnValidThread());
 
     // If this gets set, then we'll use the TPM for certs with
     // private keys, otherwise we'll fall back to the software
     // implementation.
     tpm_token_enabled_for_nss_ = true;
   }
 
+  bool IsTPMTokenEnabledForNSS() {
+    DCHECK(thread_checker_.CalledOnValidThread());
+    return tpm_token_enabled_for_nss_;
+  }
+
   bool InitializeTPMToken(const std::string& token_name,
                           int token_slot_id,
                           const std::string& user_pin) {
     DCHECK(thread_checker_.CalledOnValidThread());
 
     // If EnableTPMTokenForNSS hasn't been called, return false.
     if (!tpm_token_enabled_for_nss_)
       return false;
 
     // If everything is already initialized, then return true.
@@ skipping 18 matching lines @@
       if (!chaps_module_ && test_slot_) {
         // chromeos_unittests try to test the TPM initialization process. If we
         // have a test DB open, pretend that it is the TPM slot.
         tpm_slot_ = PK11_ReferenceSlot(test_slot_);
         return true;
       }
     }
     if (chaps_module_){
       tpm_slot_ = GetTPMSlotForId(token_slot_id);
 
+      if (tpm_slot_) {
+        for (TPMReadyCallbackList::iterator i =
+                 tpm_ready_callback_list_.begin();
+             i != tpm_ready_callback_list_.end();
+             ++i) {
+          (*i).Run();
+        }
+        tpm_ready_callback_list_.clear();

[Ryan Sleevi, 2013/11/27 00:24:11]

Ditto RE: danger.

I'm also not thrilled with the duplication of 262-267

[mattm, 2013/11/27 04:12:23]

Done.

+      }
+
       return tpm_slot_ != NULL;
     }
     return false;
   }
 
   void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) {
     // TODO(mattm): Change to DCHECK when callers have been fixed.
     if (!thread_checker_.CalledOnValidThread()) {
       DVLOG(1) << "Called on wrong thread.\n"
                << base::debug::StackTrace().ToString();
@@ skipping 12 matching lines @@
   bool IsTPMTokenReady() {
     // TODO(mattm): Change to DCHECK when callers have been fixed.
     if (!thread_checker_.CalledOnValidThread()) {
       DVLOG(1) << "Called on wrong thread.\n"
                << base::debug::StackTrace().ToString();
     }
 
     return tpm_slot_ != NULL;
   }
 
+  void OnTPMReady(const base::Closure& callback) {
+    DCHECK(thread_checker_.CalledOnValidThread());
+    if (IsTPMTokenReady())
+      callback.Run();
+    else
+      tpm_ready_callback_list_.push_back(callback);
+  }
+
   // Note that CK_SLOT_ID is an unsigned long, but cryptohome gives us the slot
   // id as an int. This should be safe since this is only used with chaps, which
   // we also control.
   PK11SlotInfo* GetTPMSlotForId(CK_SLOT_ID slot_id) {
     DCHECK(thread_checker_.CalledOnValidThread());
 
     if (!chaps_module_)
       return NULL;
 
     VLOG(1) << "Poking chaps module.";
     SECStatus rv = SECMOD_UpdateSlotList(chaps_module_);
     if (rv != SECSuccess)
       PLOG(ERROR) << "SECMOD_UpdateSlotList failed: " << PORT_GetError();
 
     PK11SlotInfo* slot = SECMOD_LookupSlot(chaps_module_->moduleID, slot_id);
     if (!slot)
       LOG(ERROR) << "TPM slot " << slot_id << " not found.";
     return slot;
   }
+
+  bool InitializeNSSForChromeOSUser(
+      const std::string& email,
+      const std::string& username_hash,
+      bool is_primary_user,
+      const base::FilePath& path) {
+    DCHECK(thread_checker_.CalledOnValidThread());
+    if (chromeos_user_map_.find(username_hash) != chromeos_user_map_.end()) {
+      // This user already exists in our mapping.
+      VLOG(1) << username_hash << " already initialized.";

[Ryan Sleevi, 2013/11/27 00:24:11]

Way too chatty logging

[mattm, 2013/11/27 04:12:23]

Changed things to DVLOG(2). These ones shouldn't actually get triggered much
(once per profile creation, this particular one when you open the first
incognito window).

+      return false;
+    }
+    ScopedPK11Slot public_slot;
+    if (is_primary_user) {
+      VLOG(1) << "Primary user, using GetPublicNSSKeySlot()";
+      public_slot.reset(GetPublicNSSKeySlot());
+    } else {
+      VLOG(1) << "Opening NSS DB";
+      public_slot.reset(OpenPersistentNSSDBForPath(path));
+    }
+    chromeos_user_map_[username_hash] =
+        new ChromeOSUserData(public_slot.Pass(), is_primary_user);
+    return true;
+  }
+
+  void InitializeTPMForChromeOSUser(const std::string& username_hash,
+                                    CK_SLOT_ID slot_id) {
+    DCHECK(thread_checker_.CalledOnValidThread());
+    DCHECK(chromeos_user_map_.find(username_hash) != chromeos_user_map_.end());
+    chromeos_user_map_[username_hash]
+        ->SetPrivateSlot(ScopedPK11Slot(GetTPMSlotForId(slot_id)));
+  }
+
+  void InitializePrivateSoftwareSlotForChromeOSUser(
+      const std::string& username_hash) {
+    DCHECK(thread_checker_.CalledOnValidThread());
+    LOG(WARNING) << "using software private slot for " << username_hash;
+    DCHECK(chromeos_user_map_.find(username_hash) != chromeos_user_map_.end());
+    chromeos_user_map_[username_hash]->SetPrivateSlot(
+        chromeos_user_map_[username_hash]->GetPublicSlot());
+  }
+
+  ScopedPK11Slot GetPublicSlotForChromeOSUser(
+      const std::string& username_hash) {
+    DCHECK(thread_checker_.CalledOnValidThread());
+    if (test_slot_) {
+      VLOG(1) << "returning test_slot_ for " << username_hash;
+      return ScopedPK11Slot(PK11_ReferenceSlot(test_slot_));
+    }
+
+    if (chromeos_user_map_.find(username_hash) == chromeos_user_map_.end()) {
+      LOG(ERROR) << username_hash << " not initialized.";
+      return ScopedPK11Slot();
+    }
+    return chromeos_user_map_[username_hash]->GetPublicSlot();
+  }
+
+  void OnPrivateSlotReadyForChromeOSUser(
+      const std::string& username_hash,
+      const base::Callback<void(ScopedPK11Slot)>& callback) {
+    DCHECK(thread_checker_.CalledOnValidThread());
+    if (test_slot_) {
+      VLOG(1) << "returning test_slot_ for " << username_hash;
+      callback.Run(ScopedPK11Slot(PK11_ReferenceSlot(test_slot_)));
+      return;
+    }
+
+    if (chromeos_user_map_.find(username_hash) == chromeos_user_map_.end()) {
+      LOG(ERROR) << username_hash << " not initialized.";
+      callback.Run(ScopedPK11Slot());
+      return;
+    }
+    chromeos_user_map_[username_hash]->OnPrivateSlotReady(callback);
+  }
 #endif  // defined(OS_CHROMEOS)
 
 
   bool OpenTestNSSDB() {
     DCHECK(thread_checker_.CalledOnValidThread());
 
     if (test_slot_)
       return true;
     if (!g_test_nss_db_dir.Get().CreateUniqueTempDir())
       return false;
@@ skipping 182 matching lines @@
                            base::TimeTicks::Now() - start_time,
                            base::TimeDelta::FromMilliseconds(10),
                            base::TimeDelta::FromHours(1),
                            50);
   }
 
   // NOTE(willchan): We don't actually execute this code since we leak NSS to
   // prevent non-joinable threads from using NSS after it's already been shut
   // down.
   ~NSSInitSingleton() {
+#if defined(OS_CHROMEOS)
+    STLDeleteValues(&chromeos_user_map_);
+#endif
     if (tpm_slot_) {
       PK11_FreeSlot(tpm_slot_);
       tpm_slot_ = NULL;
     }
     if (software_slot_) {
       SECMOD_CloseUserDB(software_slot_);
       PK11_FreeSlot(software_slot_);
       software_slot_ = NULL;
     }
     CloseTestNSSDB();
@@ skipping 74 matching lines @@
     }
     return db_slot;
   }
 
   // If this is set to true NSS is forced to be initialized without a DB.
   static bool force_nodb_init_;
 
   bool tpm_token_enabled_for_nss_;
   std::string tpm_token_name_;
   std::string tpm_user_pin_;
+  typedef std::vector<base::Closure> TPMReadyCallbackList;
+  TPMReadyCallbackList tpm_ready_callback_list_;
   SECMODModule* chaps_module_;
   PK11SlotInfo* software_slot_;
   PK11SlotInfo* test_slot_;
   PK11SlotInfo* tpm_slot_;
   SECMODModule* root_;
   bool chromeos_user_logged_in_;
+#if defined(OS_CHROMEOS)
+  typedef std::map<std::string, ChromeOSUserData*> ChromeOSUserMap;
+  ChromeOSUserMap chromeos_user_map_;
+#endif
 #if defined(USE_NSS)
   // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011
   // is fixed, we will no longer need the lock.
   base::Lock write_lock_;
 #endif  // defined(USE_NSS)
 
   base::ThreadChecker thread_checker_;
 };
 
 // static
@@ skipping 143 matching lines @@
 
 #if defined(OS_CHROMEOS)
 void OpenPersistentNSSDB() {
   g_nss_singleton.Get().OpenPersistentNSSDB();
 }
 
 void EnableTPMTokenForNSS() {
   g_nss_singleton.Get().EnableTPMTokenForNSS();
 }
 
+bool IsTPMTokenEnabledForNSS() {
+  return g_nss_singleton.Get().IsTPMTokenEnabledForNSS();
+}
+
 void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) {
   g_nss_singleton.Get().GetTPMTokenInfo(token_name, user_pin);
 }
 
 bool IsTPMTokenReady() {
   return g_nss_singleton.Get().IsTPMTokenReady();
 }
 
+void OnTPMReady(const base::Closure& callback) {
+   g_nss_singleton.Get().OnTPMReady(callback);
+}
+
 bool InitializeTPMToken(const std::string& token_name,
                         int token_slot_id,
                         const std::string& user_pin) {
   return g_nss_singleton.Get().InitializeTPMToken(
       token_name, token_slot_id, user_pin);
 }
+
+bool InitializeNSSForChromeOSUser(
+    const std::string& email,
+    const std::string& username_hash,
+    bool is_primary_user,
+    const base::FilePath& path) {
+  return g_nss_singleton.Get().InitializeNSSForChromeOSUser(
+      email, username_hash, is_primary_user, path);
+}
+void InitializeTPMForChromeOSUser(
+    const std::string& username_hash,
+    CK_SLOT_ID slot_id) {
+  g_nss_singleton.Get().InitializeTPMForChromeOSUser(username_hash, slot_id);
+}
+void InitializePrivateSoftwareSlotForChromeOSUser(
+    const std::string& username_hash) {
+  g_nss_singleton.Get().InitializePrivateSoftwareSlotForChromeOSUser(
+      username_hash);
+}
+ScopedPK11Slot GetPublicSlotForChromeOSUser(const std::string& username_hash) {
+  return g_nss_singleton.Get().GetPublicSlotForChromeOSUser(username_hash);
+}
+void OnPrivateSlotReadyForChromeOSUser(
+    const std::string& username_hash,
+    const base::Callback<void(ScopedPK11Slot)>& callback) {
+  g_nss_singleton.Get().OnPrivateSlotReadyForChromeOSUser(username_hash,
+                                                          callback);
+}
 #endif  // defined(OS_CHROMEOS)
 
 base::Time PRTimeToBaseTime(PRTime prtime) {
   return base::Time::FromInternalValue(
       prtime + base::Time::UnixEpoch().ToInternalValue());
 }
 
 PRTime BaseTimeToPRTime(base::Time time) {
   return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }
 
 PK11SlotInfo* GetPublicNSSKeySlot() {
   return g_nss_singleton.Get().GetPublicNSSKeySlot();
 }
 
 PK11SlotInfo* GetPrivateNSSKeySlot() {
   return g_nss_singleton.Get().GetPrivateNSSKeySlot();
 }
 
 }  // namespace crypto