OLD | NEW |
---|---|
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/nss_util.h" | 5 #include "base/nss_util.h" |
6 #include "base/nss_util_internal.h" | 6 #include "base/nss_util_internal.h" |
7 | 7 |
8 #include <nss.h> | 8 #include <nss.h> |
9 #include <plarena.h> | 9 #include <plarena.h> |
10 #include <prerror.h> | 10 #include <prerror.h> |
11 #include <prinit.h> | 11 #include <prinit.h> |
12 #include <prtime.h> | 12 #include <prtime.h> |
13 #include <pk11pub.h> | 13 #include <pk11pub.h> |
14 #include <secmod.h> | 14 #include <secmod.h> |
15 | 15 |
16 #if defined(OS_LINUX) | 16 #if defined(OS_LINUX) |
17 #include <linux/nfs_fs.h> | 17 #include <linux/nfs_fs.h> |
18 #include <sys/vfs.h> | 18 #include <sys/vfs.h> |
19 #endif | 19 #endif |
20 | 20 |
21 #include "base/crypto/scoped_nss_types.h" | |
21 #include "base/file_util.h" | 22 #include "base/file_util.h" |
22 #include "base/lazy_instance.h" | 23 #include "base/lazy_instance.h" |
23 #include "base/logging.h" | 24 #include "base/logging.h" |
24 #include "base/stringprintf.h" | 25 #include "base/stringprintf.h" |
25 #include "base/threading/thread_restrictions.h" | 26 #include "base/threading/thread_restrictions.h" |
26 | 27 |
27 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not | 28 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not |
28 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't | 29 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't |
29 // use NSS for crypto or certificate verification, and we don't use the NSS | 30 // use NSS for crypto or certificate verification, and we don't use the NSS |
30 // certificate and key databases. | 31 // certificate and key databases. |
31 #if defined(USE_NSS) | 32 #if defined(USE_NSS) |
32 #include "base/crypto/crypto_module_blocking_password_delegate.h" | 33 #include "base/crypto/crypto_module_blocking_password_delegate.h" |
33 #include "base/environment.h" | 34 #include "base/environment.h" |
34 #include "base/scoped_ptr.h" | 35 #include "base/scoped_ptr.h" |
35 #include "base/synchronization/lock.h" | 36 #include "base/synchronization/lock.h" |
36 #endif // defined(USE_NSS) | 37 #endif // defined(USE_NSS) |
37 | 38 |
38 namespace base { | 39 namespace base { |
39 | 40 |
40 namespace { | 41 namespace { |
41 | 42 |
43 #if defined(OS_CHROMEOS) | |
44 static const char kNSSDatabaseName[] = "Real NSS database"; | |
wtc
2011/03/17 19:34:22
Nit: some of these constants, such as kNSSDatabase
Greg Spencer (Chromium)
2011/03/17 22:41:09
I think I prefer all the constants in one place.
| |
45 | |
46 // TODO(gspencer): Get these values from cryptohomed's dbus API when | |
47 // we ask if it has initialized the TPM yet. These should not be | |
48 // hard-coded here. | |
49 static const char kTPMTokenName[] = "Initialized by CrOS"; | |
50 static const char kTPMUserPin[] = "111111"; | |
51 static const char kTPMSecurityOfficerPin[] = "000000"; | |
wtc
2011/03/17 19:34:22
Nit: Pin => PIN
in lines 50 and 51.
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done, although "Pin" is consistent with PK11_InitP
| |
52 | |
53 // Fake certificate authority database used for testing. | |
54 static const FilePath::CharType kReadOnlyCertDB[] = | |
55 FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); | |
56 #endif // defined(OS_CHROMEOS) | |
57 | |
58 std::string GetNSSErrorMessage() { | |
59 std::string result; | |
60 if (PR_GetErrorTextLength()) { | |
61 scoped_ptr<char> error_text(new char[PR_GetErrorTextLength() + 1]); | |
wtc
2011/03/17 19:34:22
BUG: scoped_ptr => scoped_array
The scoped_ptr de
Greg Spencer (Chromium)
2011/03/17 22:41:09
Whoa. Good catch, thanks. I knew that already, I
| |
62 PRInt32 copied = PR_GetErrorText(error_text.get()); | |
63 result = std::string(error_text.get(), copied); | |
64 } else { | |
65 result = StringPrintf("NSS Error code: %d", PR_GetError()); | |
wtc
2011/03/17 19:34:22
Nit: Error => error
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
| |
66 } | |
67 return result; | |
68 } | |
69 | |
42 #if defined(USE_NSS) | 70 #if defined(USE_NSS) |
43 FilePath GetDefaultConfigDirectory() { | 71 FilePath GetDefaultConfigDirectory() { |
44 FilePath dir = file_util::GetHomeDir(); | 72 FilePath dir = file_util::GetHomeDir(); |
45 if (dir.empty()) { | 73 if (dir.empty()) { |
46 LOG(ERROR) << "Failed to get home directory."; | 74 LOG(ERROR) << "Failed to get home directory."; |
47 return dir; | 75 return dir; |
48 } | 76 } |
49 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); | 77 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); |
50 if (!file_util::CreateDirectory(dir)) { | 78 if (!file_util::CreateDirectory(dir)) { |
51 LOG(ERROR) << "Failed to create ~/.pki/nssdb directory."; | 79 LOG(ERROR) << "Failed to create ~/.pki/nssdb directory."; |
52 dir.clear(); | 80 dir.clear(); |
53 } | 81 } |
54 return dir; | 82 return dir; |
55 } | 83 } |
56 | 84 |
57 // On non-chromeos platforms, return the default config directory. | 85 // On non-chromeos platforms, return the default config directory. |
58 // On chromeos, return a read-only directory with fake root CA certs for testing | 86 // On chromeos, return a read-only directory with fake root CA certs for testing |
59 // (which will not exist on non-testing images). These root CA certs are used | 87 // (which will not exist on non-testing images). These root CA certs are used |
60 // by the local Google Accounts server mock we use when testing our login code. | 88 // by the local Google Accounts server mock we use when testing our login code. |
61 // If this directory is not present, NSS_Init() will fail. It is up to the | 89 // If this directory is not present, NSS_Init() will fail. It is up to the |
62 // caller to failover to NSS_NoDB_Init() at that point. | 90 // caller to failover to NSS_NoDB_Init() at that point. |
63 FilePath GetInitialConfigDirectory() { | 91 FilePath GetInitialConfigDirectory() { |
64 #if defined(OS_CHROMEOS) | 92 #if defined(OS_CHROMEOS) |
65 static const FilePath::CharType kReadOnlyCertDB[] = | |
66 FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); | |
67 return FilePath(kReadOnlyCertDB); | 93 return FilePath(kReadOnlyCertDB); |
68 #else | 94 #else |
69 return GetDefaultConfigDirectory(); | 95 return GetDefaultConfigDirectory(); |
70 #endif // defined(OS_CHROMEOS) | 96 #endif // defined(OS_CHROMEOS) |
71 } | 97 } |
72 | 98 |
73 // This callback for NSS forwards all requests to a caller-specified | 99 // This callback for NSS forwards all requests to a caller-specified |
74 // CryptoModuleBlockingPasswordDelegate object. | 100 // CryptoModuleBlockingPasswordDelegate object. |
75 char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { | 101 char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { |
102 #if defined(OS_CHROMEOS) | |
103 // If we get asked for a password for the TPM, then return the | |
104 // static password we use. | |
105 if (PK11_GetTokenName(slot) == base::GetTPMTokenName()) | |
106 return PORT_Strdup(kTPMUserPin); | |
107 #endif | |
76 base::CryptoModuleBlockingPasswordDelegate* delegate = | 108 base::CryptoModuleBlockingPasswordDelegate* delegate = |
77 reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); | 109 reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); |
78 if (delegate) { | 110 if (delegate) { |
79 bool cancelled = false; | 111 bool cancelled = false; |
80 std::string password = delegate->RequestPassword(PK11_GetTokenName(slot), | 112 std::string password = delegate->RequestPassword(PK11_GetTokenName(slot), |
81 retry != PR_FALSE, | 113 retry != PR_FALSE, |
82 &cancelled); | 114 &cancelled); |
83 if (cancelled) | 115 if (cancelled) |
84 return NULL; | 116 return NULL; |
85 char* result = PORT_Strdup(password.c_str()); | 117 char* result = PORT_Strdup(password.c_str()); |
(...skipping 23 matching lines...) Expand all Loading... | |
109 if (buf.f_type == NFS_SUPER_MAGIC) { | 141 if (buf.f_type == NFS_SUPER_MAGIC) { |
110 scoped_ptr<Environment> env(Environment::Create()); | 142 scoped_ptr<Environment> env(Environment::Create()); |
111 const char* use_cache_env_var = "NSS_SDB_USE_CACHE"; | 143 const char* use_cache_env_var = "NSS_SDB_USE_CACHE"; |
112 if (!env->HasVar(use_cache_env_var)) | 144 if (!env->HasVar(use_cache_env_var)) |
113 env->SetVar(use_cache_env_var, "yes"); | 145 env->SetVar(use_cache_env_var, "yes"); |
114 } | 146 } |
115 } | 147 } |
116 #endif // defined(OS_LINUX) | 148 #endif // defined(OS_LINUX) |
117 } | 149 } |
118 | 150 |
119 // Load nss's built-in root certs. | 151 // A helper class that acquires the SECMOD list read lock while the |
120 SECMODModule *InitDefaultRootCerts() { | 152 // AutoSECMODListReadLock is in scope. |
121 const char* kModulePath = "libnssckbi.so"; | 153 class AutoSECMODListReadLock { |
122 char modparams[1024]; | 154 public: |
123 snprintf(modparams, sizeof(modparams), | 155 AutoSECMODListReadLock() |
124 "name=\"Root Certs\" library=\"%s\"", kModulePath); | 156 : lock_(SECMOD_GetDefaultModuleListLock()) { |
125 SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE); | 157 SECMOD_GetReadLock(lock_); |
126 if (root) | 158 } |
127 return root; | |
128 | 159 |
129 // Aw, snap. Can't find/load root cert shared library. | 160 ~AutoSECMODListReadLock() { |
130 // This will make it hard to talk to anybody via https. | 161 if (lock_) |
wtc
2011/03/17 19:34:22
Nit: delete the if (lock_) test because it's also
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
| |
131 NOTREACHED(); | 162 SECMOD_ReleaseReadLock(lock_); |
163 } | |
164 | |
165 private: | |
166 SECMODListLock* lock_; | |
167 DISALLOW_COPY_AND_ASSIGN(AutoSECMODListReadLock); | |
168 }; | |
169 | |
170 PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) { | |
171 AutoSECMODListReadLock auto_lock; | |
172 SECMODModuleList* head = SECMOD_GetDefaultModuleList(); | |
173 for(SECMODModuleList* item = head; item != NULL; item = item->next) { | |
wtc
2011/03/17 19:34:22
Nit: add a space after 'for'.
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
| |
174 DCHECK(item); | |
175 DCHECK(item->module); // This shouldn't happen or NSS would crash anyhow. | |
wtc
2011/03/17 19:34:22
Defintely remove DCHECK(item) on line 174 because
Greg Spencer (Chromium)
2011/03/17 22:41:09
Yeah, I think I agree with you. I didn't have thi
| |
176 int slot_count = item->module->loaded ? item->module->slotCount : 0; | |
177 for (int i = 0; i < slot_count; i++) { | |
178 PK11SlotInfo* slot = item->module->slots[i]; | |
179 if (PK11_GetTokenName(slot) == token_name) { | |
180 return PK11_ReferenceSlot(slot); | |
181 } | |
wtc
2011/03/17 19:34:22
Nit: omit curly braces around one-liner if bodies.
Greg Spencer (Chromium)
2011/03/17 22:41:09
Sorry, long standing habit.
| |
182 } | |
183 } | |
132 return NULL; | 184 return NULL; |
133 } | 185 } |
186 | |
134 #endif // defined(USE_NSS) | 187 #endif // defined(USE_NSS) |
135 | 188 |
136 // A singleton to initialize/deinitialize NSPR. | 189 // A singleton to initialize/deinitialize NSPR. |
137 // Separate from the NSS singleton because we initialize NSPR on the UI thread. | 190 // Separate from the NSS singleton because we initialize NSPR on the UI thread. |
138 // Now that we're leaking the singleton, we could merge back with the NSS | 191 // Now that we're leaking the singleton, we could merge back with the NSS |
139 // singleton. | 192 // singleton. |
140 class NSPRInitSingleton { | 193 class NSPRInitSingleton { |
141 private: | 194 private: |
142 friend struct DefaultLazyInstanceTraits<NSPRInitSingleton>; | 195 friend struct DefaultLazyInstanceTraits<NSPRInitSingleton>; |
143 | 196 |
(...skipping 15 matching lines...) Expand all Loading... | |
159 | 212 |
160 LazyInstance<NSPRInitSingleton, LeakyLazyInstanceTraits<NSPRInitSingleton> > | 213 LazyInstance<NSPRInitSingleton, LeakyLazyInstanceTraits<NSPRInitSingleton> > |
161 g_nspr_singleton(LINKER_INITIALIZED); | 214 g_nspr_singleton(LINKER_INITIALIZED); |
162 | 215 |
163 class NSSInitSingleton { | 216 class NSSInitSingleton { |
164 public: | 217 public: |
165 #if defined(OS_CHROMEOS) | 218 #if defined(OS_CHROMEOS) |
166 void OpenPersistentNSSDB() { | 219 void OpenPersistentNSSDB() { |
167 if (!chromeos_user_logged_in_) { | 220 if (!chromeos_user_logged_in_) { |
168 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread. | 221 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread. |
169 // Temporarily allow it until we fix http://crbug.com.70119 | 222 // Temporarily allow it until we fix http://crbug.com/70119 |
170 ThreadRestrictions::ScopedAllowIO allow_io; | 223 ThreadRestrictions::ScopedAllowIO allow_io; |
171 chromeos_user_logged_in_ = true; | 224 chromeos_user_logged_in_ = true; |
172 real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), | 225 |
173 "Real NSS database"); | 226 // This creates a new DB slot in NSS that is read/write, unlike |
227 // the cert DB and the "default" crypto key provider, which are | |
wtc
2011/03/17 19:34:22
Nit: "the cert DB" here is the fake root CA cert D
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
| |
228 // still read-only (because we initialized NSS before we had a | |
229 // cryptohome mounted). | |
230 real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), kNSSDatabaseName); | |
231 | |
232 // This loads the opencryptoki module so we can talk to the | |
233 // hardware TPM. | |
234 opencryptoki_module_ = LoadModule( | |
235 "opencryptoki", | |
236 "/usr/lib/opencryptoki/libopencryptoki.so", | |
237 // trustOrder=100 -- means it'll select this as the most | |
238 // trusted slot for the mechanisms it provides. | |
239 // slotParams=... -- selects RSA as only mechanism, and only | |
240 // asks for the password when necessary (instead of every | |
241 // time, or after a timeout). | |
242 "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); | |
243 if (opencryptoki_module_) { | |
244 // We shouldn't need to initialize the TPM PIN here because | |
245 // it'll be taken care of by cryptohomed, but we have to make | |
246 // sure that it is initialized. | |
247 | |
248 // TODO(gspencer): replace this with a dbus call to check and | |
249 // see that cryptohomed has initialized the PINs already. | |
250 EnsureTPMInit(); | |
251 } | |
174 } | 252 } |
175 } | 253 } |
254 | |
255 std::string GetTPMTokenName() { | |
256 // TODO(gspencer): This should come from the dbus interchange with | |
257 // cryptohomed instead of being hard-coded. | |
258 return std::string(kTPMTokenName); | |
259 } | |
260 | |
261 PK11SlotInfo* GetTPMSlot() { | |
262 return FindSlotWithTokenName(GetTPMTokenName()); | |
263 } | |
176 #endif // defined(OS_CHROMEOS) | 264 #endif // defined(OS_CHROMEOS) |
177 | 265 |
266 | |
178 bool OpenTestNSSDB(const FilePath& path, const char* description) { | 267 bool OpenTestNSSDB(const FilePath& path, const char* description) { |
179 test_db_slot_ = OpenUserDB(path, description); | 268 test_db_slot_ = OpenUserDB(path, description); |
180 return !!test_db_slot_; | 269 return !!test_db_slot_; |
181 } | 270 } |
182 | 271 |
183 void CloseTestNSSDB() { | 272 void CloseTestNSSDB() { |
184 if (test_db_slot_) { | 273 if (test_db_slot_) { |
185 SECStatus status = SECMOD_CloseUserDB(test_db_slot_); | 274 SECStatus status = SECMOD_CloseUserDB(test_db_slot_); |
186 if (status != SECSuccess) | 275 if (status != SECSuccess) |
187 LOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError(); | 276 LOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError(); |
188 PK11_FreeSlot(test_db_slot_); | 277 PK11_FreeSlot(test_db_slot_); |
189 test_db_slot_ = NULL; | 278 test_db_slot_ = NULL; |
190 } | 279 } |
191 } | 280 } |
192 | 281 |
193 PK11SlotInfo* GetDefaultKeySlot() { | 282 PK11SlotInfo* GetDefaultKeySlot() { |
wtc
2011/03/17 19:34:22
We should rename this method to point out that thi
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done. Renamed to GetDefaultNSSKeySlot.
| |
194 if (test_db_slot_) | 283 if (test_db_slot_) |
195 return PK11_ReferenceSlot(test_db_slot_); | 284 return PK11_ReferenceSlot(test_db_slot_); |
196 if (real_db_slot_) | 285 if (real_db_slot_) |
197 return PK11_ReferenceSlot(real_db_slot_); | 286 return PK11_ReferenceSlot(real_db_slot_); |
198 return PK11_GetInternalKeySlot(); | 287 return PK11_GetInternalKeySlot(); |
199 } | 288 } |
200 | 289 |
201 #if defined(USE_NSS) | 290 #if defined(USE_NSS) |
202 Lock* write_lock() { | 291 Lock* write_lock() { |
203 return &write_lock_; | 292 return &write_lock_; |
204 } | 293 } |
205 #endif // defined(USE_NSS) | 294 #endif // defined(USE_NSS) |
206 | 295 |
207 private: | 296 private: |
208 friend struct DefaultLazyInstanceTraits<NSSInitSingleton>; | 297 friend struct DefaultLazyInstanceTraits<NSSInitSingleton>; |
209 | 298 |
210 NSSInitSingleton() | 299 NSSInitSingleton() |
211 : real_db_slot_(NULL), | 300 : real_db_slot_(NULL), |
212 test_db_slot_(NULL), | 301 test_db_slot_(NULL), |
213 root_(NULL), | 302 root_(NULL), |
303 opencryptoki_module_(NULL), | |
214 chromeos_user_logged_in_(false) { | 304 chromeos_user_logged_in_(false) { |
215 EnsureNSPRInit(); | 305 EnsureNSPRInit(); |
216 | 306 |
217 // We *must* have NSS >= 3.12.3. See bug 26448. | 307 // We *must* have NSS >= 3.12.3. See bug 26448. |
218 COMPILE_ASSERT( | 308 COMPILE_ASSERT( |
219 (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) || | 309 (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) || |
220 (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || | 310 (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || |
221 (NSS_VMAJOR > 3), | 311 (NSS_VMAJOR > 3), |
222 nss_version_check_failed); | 312 nss_version_check_failed); |
223 // Also check the run-time NSS version. | 313 // Also check the run-time NSS version. |
(...skipping 10 matching lines...) Expand all Loading... | |
234 "still get this error, contact your distribution " | 324 "still get this error, contact your distribution " |
235 "maintainer."; | 325 "maintainer."; |
236 } | 326 } |
237 | 327 |
238 SECStatus status = SECFailure; | 328 SECStatus status = SECFailure; |
239 #if !defined(USE_NSS) | 329 #if !defined(USE_NSS) |
240 // Use the system certificate store, so initialize NSS without database. | 330 // Use the system certificate store, so initialize NSS without database. |
241 status = NSS_NoDB_Init(NULL); | 331 status = NSS_NoDB_Init(NULL); |
242 if (status != SECSuccess) { | 332 if (status != SECSuccess) { |
243 LOG(ERROR) << "Error initializing NSS without a persistent " | 333 LOG(ERROR) << "Error initializing NSS without a persistent " |
244 "database: NSS error code " << PR_GetError(); | 334 "database: " << GetNSSErrorMessage(); |
245 } | 335 } |
246 #else | 336 #else |
247 FilePath database_dir = GetInitialConfigDirectory(); | 337 FilePath database_dir = GetInitialConfigDirectory(); |
248 if (!database_dir.empty()) { | 338 if (!database_dir.empty()) { |
249 // This duplicates the work which should have been done in | 339 // This duplicates the work which should have been done in |
250 // EarlySetupForNSSInit. However, this function is idempotent so there's | 340 // EarlySetupForNSSInit. However, this function is idempotent so there's |
251 // no harm done. | 341 // no harm done. |
252 UseLocalCacheOfNSSDatabaseIfNFS(database_dir); | 342 UseLocalCacheOfNSSDatabaseIfNFS(database_dir); |
253 | 343 |
254 // Initialize with a persistent database (likely, ~/.pki/nssdb). | 344 // Initialize with a persistent database (likely, ~/.pki/nssdb). |
255 // Use "sql:" which can be shared by multiple processes safely. | 345 // Use "sql:" which can be shared by multiple processes safely. |
256 std::string nss_config_dir = | 346 std::string nss_config_dir = |
257 StringPrintf("sql:%s", database_dir.value().c_str()); | 347 StringPrintf("sql:%s", database_dir.value().c_str()); |
258 #if defined(OS_CHROMEOS) | 348 #if defined(OS_CHROMEOS) |
259 status = NSS_Init(nss_config_dir.c_str()); | 349 status = NSS_Init(nss_config_dir.c_str()); |
260 #else | 350 #else |
261 status = NSS_InitReadWrite(nss_config_dir.c_str()); | 351 status = NSS_InitReadWrite(nss_config_dir.c_str()); |
262 #endif | 352 #endif |
263 if (status != SECSuccess) { | 353 if (status != SECSuccess) { |
264 LOG(ERROR) << "Error initializing NSS with a persistent " | 354 LOG(ERROR) << "Error initializing NSS with a persistent " |
265 "database (" << nss_config_dir | 355 "database (" << nss_config_dir |
266 << "): NSS error code " << PR_GetError(); | 356 << "): " << GetNSSErrorMessage(); |
267 } | 357 } |
268 } | 358 } |
269 if (status != SECSuccess) { | 359 if (status != SECSuccess) { |
270 LOG(WARNING) << "Initialize NSS without a persistent database " | 360 VLOG(1) << "Initializing NSS without a persistent database."; |
271 "(~/.pki/nssdb)."; | |
272 status = NSS_NoDB_Init(NULL); | 361 status = NSS_NoDB_Init(NULL); |
273 if (status != SECSuccess) { | 362 if (status != SECSuccess) { |
274 LOG(ERROR) << "Error initializing NSS without a persistent " | 363 LOG(ERROR) << "Error initializing NSS without a persistent " |
275 "database: NSS error code " << PR_GetError(); | 364 "database: " << GetNSSErrorMessage(); |
276 return; | 365 return; |
277 } | 366 } |
278 } | 367 } |
279 | 368 |
280 PK11_SetPasswordFunc(PKCS11PasswordFunc); | 369 PK11_SetPasswordFunc(PKCS11PasswordFunc); |
281 | 370 |
282 // If we haven't initialized the password for the NSS databases, | 371 // If we haven't initialized the password for the NSS databases, |
283 // initialize an empty-string password so that we don't need to | 372 // initialize an empty-string password so that we don't need to |
284 // log in. | 373 // log in. |
285 PK11SlotInfo* slot = PK11_GetInternalKeySlot(); | 374 PK11SlotInfo* slot = PK11_GetInternalKeySlot(); |
(...skipping 17 matching lines...) Expand all Loading... | |
303 SECMOD_CloseUserDB(real_db_slot_); | 392 SECMOD_CloseUserDB(real_db_slot_); |
304 PK11_FreeSlot(real_db_slot_); | 393 PK11_FreeSlot(real_db_slot_); |
305 real_db_slot_ = NULL; | 394 real_db_slot_ = NULL; |
306 } | 395 } |
307 CloseTestNSSDB(); | 396 CloseTestNSSDB(); |
308 if (root_) { | 397 if (root_) { |
309 SECMOD_UnloadUserModule(root_); | 398 SECMOD_UnloadUserModule(root_); |
310 SECMOD_DestroyModule(root_); | 399 SECMOD_DestroyModule(root_); |
311 root_ = NULL; | 400 root_ = NULL; |
312 } | 401 } |
402 if (opencryptoki_module_) { | |
403 SECMOD_UnloadUserModule(opencryptoki_module_); | |
404 SECMOD_DestroyModule(opencryptoki_module_); | |
405 opencryptoki_module_ = NULL; | |
406 } | |
313 | 407 |
314 SECStatus status = NSS_Shutdown(); | 408 SECStatus status = NSS_Shutdown(); |
315 if (status != SECSuccess) { | 409 if (status != SECSuccess) { |
316 // We VLOG(1) because this failure is relatively harmless (leaking, but | 410 // We VLOG(1) because this failure is relatively harmless (leaking, but |
317 // we're shutting down anyway). | 411 // we're shutting down anyway). |
318 VLOG(1) << "NSS_Shutdown failed; see " | 412 VLOG(1) << "NSS_Shutdown failed; see http://crbug.com/4609"; |
319 "http://code.google.com/p/chromium/issues/detail?id=4609"; | |
320 } | 413 } |
321 } | 414 } |
322 | 415 |
416 #if defined(USE_NSS) | |
417 // Load nss's built-in root certs. | |
418 SECMODModule* InitDefaultRootCerts() { | |
419 SECMODModule* root = LoadModule("Root Certs", "libnssckbi.so", NULL); | |
420 if (root) | |
421 return root; | |
422 | |
423 // Aw, snap. Can't find/load root cert shared library. | |
424 // This will make it hard to talk to anybody via https. | |
425 NOTREACHED(); | |
426 return NULL; | |
427 } | |
428 | |
429 // Load the given module for this NSS session. | |
430 SECMODModule* LoadModule(const char* name, | |
431 const char* library_path, | |
432 const char* params) { | |
433 std::string modparams = StringPrintf( | |
434 "name=\"%s\" library=\"%s\" %s", | |
435 name, library_path, params ? params : ""); | |
436 | |
437 // Shouldn't need to const_cast here, but SECMOD doesn't believe | |
438 // in const interfaces. | |
wtc
2011/03/17 19:34:22
This is an oversight. I just filed NSS bug 642546
| |
439 SECMODModule* module = SECMOD_LoadUserModule( | |
440 const_cast<char*>(modparams.c_str()), NULL, PR_FALSE); | |
441 if (!module) { | |
442 LOG(ERROR) << "Error loading " << name << " module into NSS: " | |
443 << GetNSSErrorMessage(); | |
444 return NULL; | |
445 } | |
446 return module; | |
447 } | |
448 #endif | |
449 | |
450 #if defined(OS_CHROMEOS) | |
451 void EnsureTPMInit() { | |
452 base::ScopedPK11Slot tpm_slot(GetTPMSlot()); | |
453 if (tpm_slot.get()) { | |
454 // TODO(gspencer): Remove this in favor of the dbus API for | |
455 // cryptohomed when that is available. | |
456 if (PK11_NeedUserInit(tpm_slot.get())) { | |
457 AutoNSSWriteLock lock; | |
wtc
2011/03/17 19:34:22
BUG: the NSSWriteLock is not necessary here becaus
Greg Spencer (Chromium)
2011/03/17 22:41:09
OK, Removed. It wasn't clear to me what parts of
| |
458 PK11_InitPin(tpm_slot.get(), | |
459 kTPMSecurityOfficerPin, | |
460 kTPMUserPin); | |
461 } | |
462 } | |
463 } | |
464 #endif | |
465 | |
323 static PK11SlotInfo* OpenUserDB(const FilePath& path, | 466 static PK11SlotInfo* OpenUserDB(const FilePath& path, |
324 const char* description) { | 467 const char* description) { |
325 const std::string modspec = | 468 const std::string modspec = |
326 StringPrintf("configDir='sql:%s' tokenDescription='%s'", | 469 StringPrintf("configDir='sql:%s' tokenDescription='%s'", |
327 path.value().c_str(), description); | 470 path.value().c_str(), description); |
328 PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str()); | 471 PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str()); |
329 if (db_slot) { | 472 if (db_slot) { |
330 if (PK11_NeedUserInit(db_slot)) | 473 if (PK11_NeedUserInit(db_slot)) |
331 PK11_InitPin(db_slot, NULL, NULL); | 474 PK11_InitPin(db_slot, NULL, NULL); |
332 } | 475 } |
333 else { | 476 else { |
334 LOG(ERROR) << "Error opening persistent database (" << modspec | 477 LOG(ERROR) << "Error opening persistent database (" << modspec |
335 << "): NSS error code " << PR_GetError(); | 478 << "): " << GetNSSErrorMessage(); |
336 } | 479 } |
337 return db_slot; | 480 return db_slot; |
338 } | 481 } |
339 | 482 |
340 PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. | 483 PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. |
341 PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ | 484 PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ |
342 SECMODModule *root_; | 485 SECMODModule* root_; |
486 SECMODModule* opencryptoki_module_; | |
343 bool chromeos_user_logged_in_; | 487 bool chromeos_user_logged_in_; |
344 #if defined(USE_NSS) | 488 #if defined(USE_NSS) |
345 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 | 489 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 |
346 // is fixed, we will no longer need the lock. | 490 // is fixed, we will no longer need the lock. |
347 Lock write_lock_; | 491 Lock write_lock_; |
348 #endif // defined(USE_NSS) | 492 #endif // defined(USE_NSS) |
349 }; | 493 }; |
350 | 494 |
351 LazyInstance<NSSInitSingleton, LeakyLazyInstanceTraits<NSSInitSingleton> > | 495 LazyInstance<NSSInitSingleton, LeakyLazyInstanceTraits<NSSInitSingleton> > |
352 g_nss_singleton(LINKER_INITIALIZED); | 496 g_nss_singleton(LINKER_INITIALIZED); |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
401 lock_->AssertAcquired(); | 545 lock_->AssertAcquired(); |
402 lock_->Release(); | 546 lock_->Release(); |
403 } | 547 } |
404 } | 548 } |
405 #endif // defined(USE_NSS) | 549 #endif // defined(USE_NSS) |
406 | 550 |
407 #if defined(OS_CHROMEOS) | 551 #if defined(OS_CHROMEOS) |
408 void OpenPersistentNSSDB() { | 552 void OpenPersistentNSSDB() { |
409 g_nss_singleton.Get().OpenPersistentNSSDB(); | 553 g_nss_singleton.Get().OpenPersistentNSSDB(); |
410 } | 554 } |
411 #endif | 555 |
556 std::string GetTPMTokenName() { | |
557 return g_nss_singleton.Get().GetTPMTokenName(); | |
558 } | |
559 #endif // defined(OS_CHROMEOS) | |
412 | 560 |
413 // TODO(port): Implement this more simply. We can convert by subtracting an | 561 // TODO(port): Implement this more simply. We can convert by subtracting an |
414 // offset (the difference between NSPR's and base::Time's epochs). | 562 // offset (the difference between NSPR's and base::Time's epochs). |
415 Time PRTimeToBaseTime(PRTime prtime) { | 563 Time PRTimeToBaseTime(PRTime prtime) { |
416 PRExplodedTime prxtime; | 564 PRExplodedTime prxtime; |
417 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); | 565 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); |
418 | 566 |
419 Time::Exploded exploded; | 567 Time::Exploded exploded; |
420 exploded.year = prxtime.tm_year; | 568 exploded.year = prxtime.tm_year; |
421 exploded.month = prxtime.tm_month + 1; | 569 exploded.month = prxtime.tm_month + 1; |
422 exploded.day_of_week = prxtime.tm_wday; | 570 exploded.day_of_week = prxtime.tm_wday; |
423 exploded.day_of_month = prxtime.tm_mday; | 571 exploded.day_of_month = prxtime.tm_mday; |
424 exploded.hour = prxtime.tm_hour; | 572 exploded.hour = prxtime.tm_hour; |
425 exploded.minute = prxtime.tm_min; | 573 exploded.minute = prxtime.tm_min; |
426 exploded.second = prxtime.tm_sec; | 574 exploded.second = prxtime.tm_sec; |
427 exploded.millisecond = prxtime.tm_usec / 1000; | 575 exploded.millisecond = prxtime.tm_usec / 1000; |
428 | 576 |
429 return Time::FromUTCExploded(exploded); | 577 return Time::FromUTCExploded(exploded); |
430 } | 578 } |
431 | 579 |
432 PK11SlotInfo* GetDefaultNSSKeySlot() { | 580 PK11SlotInfo* GetDefaultNSSKeySlot() { |
433 return g_nss_singleton.Get().GetDefaultKeySlot(); | 581 return g_nss_singleton.Get().GetDefaultKeySlot(); |
434 } | 582 } |
435 | 583 |
584 PK11SlotInfo* GetPreferredKeySlot() { | |
585 #if defined(OS_CHROMEOS) | |
586 return g_nss_singleton.Get().GetTPMSlot(); | |
587 #else | |
588 return g_nss_singleton.Get().GetDefaultKeySlot(); | |
wtc
2011/03/17 19:34:22
Nit: just call GetDefaultNSSKeySlot()?
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
| |
589 #endif | |
590 } | |
591 | |
436 } // namespace base | 592 } // namespace base |
OLD | NEW |