OLD | NEW |
---|---|
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/nss_util.h" | 5 #include "base/nss_util.h" |
6 #include "base/nss_util_internal.h" | 6 #include "base/nss_util_internal.h" |
7 | 7 |
8 #include <nss.h> | 8 #include <nss.h> |
9 #include <plarena.h> | 9 #include <plarena.h> |
10 #include <prerror.h> | 10 #include <prerror.h> |
11 #include <prinit.h> | 11 #include <prinit.h> |
12 #include <prtime.h> | 12 #include <prtime.h> |
13 #include <pk11pub.h> | 13 #include <pk11pub.h> |
14 #include <secmod.h> | 14 #include <secmod.h> |
15 | 15 |
16 #if defined(OS_LINUX) | 16 #if defined(OS_LINUX) |
17 #include <linux/nfs_fs.h> | 17 #include <linux/nfs_fs.h> |
18 #include <sys/vfs.h> | 18 #include <sys/vfs.h> |
19 #endif | 19 #endif |
20 | 20 |
21 #include "base/crypto/scoped_nss_types.h" | |
21 #include "base/file_util.h" | 22 #include "base/file_util.h" |
22 #include "base/lazy_instance.h" | 23 #include "base/lazy_instance.h" |
23 #include "base/logging.h" | 24 #include "base/logging.h" |
24 #include "base/stringprintf.h" | 25 #include "base/stringprintf.h" |
25 #include "base/threading/thread_restrictions.h" | 26 #include "base/threading/thread_restrictions.h" |
26 | 27 |
27 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not | 28 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not |
28 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't | 29 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't |
29 // use NSS for crypto or certificate verification, and we don't use the NSS | 30 // use NSS for crypto or certificate verification, and we don't use the NSS |
30 // certificate and key databases. | 31 // certificate and key databases. |
31 #if defined(USE_NSS) | 32 #if defined(USE_NSS) |
32 #include "base/crypto/crypto_module_blocking_password_delegate.h" | 33 #include "base/crypto/crypto_module_blocking_password_delegate.h" |
33 #include "base/environment.h" | 34 #include "base/environment.h" |
34 #include "base/scoped_ptr.h" | 35 #include "base/scoped_ptr.h" |
35 #include "base/synchronization/lock.h" | 36 #include "base/synchronization/lock.h" |
36 #endif // defined(USE_NSS) | 37 #endif // defined(USE_NSS) |
37 | 38 |
38 namespace base { | 39 namespace base { |
39 | 40 |
40 namespace { | 41 namespace { |
42 #if defined(OS_CHROMEOS) | |
43 static const char kNssDatabaseName[] = "Real NSS database"; | |
44 static const char kHardwareTokenName[] = "Initialized by CrOS"; | |
45 static const char kHardwareTokenUserPin[] = "111111"; | |
46 static const char kHardwareTokenSecurityOfficerPin[] = "000000"; | |
47 | |
48 // Fake certificate authority database used for testing. | |
49 static const FilePath::CharType kReadOnlyCertDB[] = | |
50 FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); | |
51 #endif // defined(OS_CHROMEOS) | |
52 | |
53 std::string GetNssError() { | |
54 std::string result; | |
55 if (PR_GetErrorTextLength()) { | |
56 char *error_text = new char[PR_GetErrorTextLength() + 1]; | |
57 PRInt32 copied = 0; | |
58 copied = PR_GetErrorText(error_text); | |
stevenjb
2011/03/14 18:41:21
nit: combine above two lines?
Greg Spencer (Chromium)
2011/03/14 18:48:09
Done.
| |
59 result = std::string(error_text, copied); | |
60 delete [] error_text; | |
61 } else { | |
62 result = StringPrintf("NSS Error code: %d", PR_GetError()); | |
63 } | |
64 return result; | |
65 } | |
41 | 66 |
42 #if defined(USE_NSS) | 67 #if defined(USE_NSS) |
43 FilePath GetDefaultConfigDirectory() { | 68 FilePath GetDefaultConfigDirectory() { |
44 FilePath dir = file_util::GetHomeDir(); | 69 FilePath dir = file_util::GetHomeDir(); |
45 if (dir.empty()) { | 70 if (dir.empty()) { |
46 LOG(ERROR) << "Failed to get home directory."; | 71 LOG(ERROR) << "Failed to get home directory."; |
47 return dir; | 72 return dir; |
48 } | 73 } |
49 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); | 74 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); |
50 if (!file_util::CreateDirectory(dir)) { | 75 if (!file_util::CreateDirectory(dir)) { |
51 LOG(ERROR) << "Failed to create ~/.pki/nssdb directory."; | 76 LOG(ERROR) << "Failed to create ~/.pki/nssdb directory."; |
52 dir.clear(); | 77 dir.clear(); |
53 } | 78 } |
54 return dir; | 79 return dir; |
55 } | 80 } |
56 | 81 |
57 // On non-chromeos platforms, return the default config directory. | 82 // On non-chromeos platforms, return the default config directory. |
58 // On chromeos, return a read-only directory with fake root CA certs for testing | 83 // On chromeos, return a read-only directory with fake root CA certs for testing |
59 // (which will not exist on non-testing images). These root CA certs are used | 84 // (which will not exist on non-testing images). These root CA certs are used |
60 // by the local Google Accounts server mock we use when testing our login code. | 85 // by the local Google Accounts server mock we use when testing our login code. |
61 // If this directory is not present, NSS_Init() will fail. It is up to the | 86 // If this directory is not present, NSS_Init() will fail. It is up to the |
62 // caller to failover to NSS_NoDB_Init() at that point. | 87 // caller to failover to NSS_NoDB_Init() at that point. |
63 FilePath GetInitialConfigDirectory() { | 88 FilePath GetInitialConfigDirectory() { |
64 #if defined(OS_CHROMEOS) | 89 #if defined(OS_CHROMEOS) |
65 static const FilePath::CharType kReadOnlyCertDB[] = | |
66 FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); | |
67 return FilePath(kReadOnlyCertDB); | 90 return FilePath(kReadOnlyCertDB); |
68 #else | 91 #else |
69 return GetDefaultConfigDirectory(); | 92 return GetDefaultConfigDirectory(); |
70 #endif // defined(OS_CHROMEOS) | 93 #endif // defined(OS_CHROMEOS) |
71 } | 94 } |
72 | 95 |
73 // This callback for NSS forwards all requests to a caller-specified | 96 // This callback for NSS forwards all requests to a caller-specified |
74 // CryptoModuleBlockingPasswordDelegate object. | 97 // CryptoModuleBlockingPasswordDelegate object. |
75 char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { | 98 char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { |
99 #if defined(OS_CHROMEOS) | |
100 // If we get asked for a password for the hardware token, then | |
101 // return the static password we use. | |
102 if (std::string(PK11_GetTokenName(slot)) == std::string(kHardwareTokenName)) | |
103 return PORT_Strdup(kHardwareTokenUserPin); | |
104 #endif | |
76 base::CryptoModuleBlockingPasswordDelegate* delegate = | 105 base::CryptoModuleBlockingPasswordDelegate* delegate = |
77 reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); | 106 reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); |
78 if (delegate) { | 107 if (delegate) { |
79 bool cancelled = false; | 108 bool cancelled = false; |
80 std::string password = delegate->RequestPassword(PK11_GetTokenName(slot), | 109 std::string password = delegate->RequestPassword(PK11_GetTokenName(slot), |
81 retry != PR_FALSE, | 110 retry != PR_FALSE, |
82 &cancelled); | 111 &cancelled); |
83 if (cancelled) | 112 if (cancelled) |
84 return NULL; | 113 return NULL; |
85 char* result = PORT_Strdup(password.c_str()); | 114 char* result = PORT_Strdup(password.c_str()); |
(...skipping 23 matching lines...) Expand all Loading... | |
109 if (buf.f_type == NFS_SUPER_MAGIC) { | 138 if (buf.f_type == NFS_SUPER_MAGIC) { |
110 scoped_ptr<Environment> env(Environment::Create()); | 139 scoped_ptr<Environment> env(Environment::Create()); |
111 const char* use_cache_env_var = "NSS_SDB_USE_CACHE"; | 140 const char* use_cache_env_var = "NSS_SDB_USE_CACHE"; |
112 if (!env->HasVar(use_cache_env_var)) | 141 if (!env->HasVar(use_cache_env_var)) |
113 env->SetVar(use_cache_env_var, "yes"); | 142 env->SetVar(use_cache_env_var, "yes"); |
114 } | 143 } |
115 } | 144 } |
116 #endif // defined(OS_LINUX) | 145 #endif // defined(OS_LINUX) |
117 } | 146 } |
118 | 147 |
119 // Load nss's built-in root certs. | 148 #endif // defined(USE_NSS) |
120 SECMODModule *InitDefaultRootCerts() { | |
121 const char* kModulePath = "libnssckbi.so"; | |
122 char modparams[1024]; | |
123 snprintf(modparams, sizeof(modparams), | |
124 "name=\"Root Certs\" library=\"%s\"", kModulePath); | |
125 SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE); | |
126 if (root) | |
127 return root; | |
128 | 149 |
129 // Aw, snap. Can't find/load root cert shared library. | 150 // A helper class that acquires the SECMOD list read lock while the |
130 // This will make it hard to talk to anybody via https. | 151 // AutoSECMODListLock is in scope. |
131 NOTREACHED(); | 152 class AutoSECMODListLock { |
153 public: | |
154 AutoSECMODListLock() | |
155 : lock_(SECMOD_GetDefaultModuleListLock()) { | |
156 if (!lock_) { | |
157 LOG(ERROR) << "AutoSECMODListLock: Unable to obtain lock."; | |
158 return; | |
159 } | |
160 SECMOD_GetReadLock(lock_); | |
161 } | |
162 | |
163 ~AutoSECMODListLock() { | |
164 if (lock_) | |
165 SECMOD_ReleaseReadLock(lock_); | |
166 } | |
167 | |
168 bool has_lock() { return lock_ != NULL; } | |
169 private: | |
170 SECMODListLock* lock_; | |
171 DISALLOW_COPY_AND_ASSIGN(AutoSECMODListLock); | |
172 }; | |
173 | |
174 PK11SlotInfo* FindTokenByName(const std::string& token_name) { | |
175 AutoSECMODListLock auto_lock; | |
176 if (!auto_lock.has_lock()) | |
177 return NULL; | |
178 SECMODModuleList* head = SECMOD_GetDefaultModuleList(); | |
179 for(SECMODModuleList* item = head; item != NULL; item = item->next) { | |
180 int slot_count = item->module->loaded ? item->module->slotCount : 0; | |
181 for (int i = 0; i < slot_count; i++) { | |
182 PK11SlotInfo* slot = item->module->slots[i]; | |
183 if (std::string(PK11_GetTokenName(slot)) == token_name) { | |
184 return PK11_ReferenceSlot(slot); | |
185 } | |
186 } | |
187 } | |
132 return NULL; | 188 return NULL; |
133 } | 189 } |
134 #endif // defined(USE_NSS) | |
135 | 190 |
136 // A singleton to initialize/deinitialize NSPR. | 191 // A singleton to initialize/deinitialize NSPR. |
137 // Separate from the NSS singleton because we initialize NSPR on the UI thread. | 192 // Separate from the NSS singleton because we initialize NSPR on the UI thread. |
138 // Now that we're leaking the singleton, we could merge back with the NSS | 193 // Now that we're leaking the singleton, we could merge back with the NSS |
139 // singleton. | 194 // singleton. |
140 class NSPRInitSingleton { | 195 class NSPRInitSingleton { |
141 private: | 196 private: |
142 friend struct DefaultLazyInstanceTraits<NSPRInitSingleton>; | 197 friend struct DefaultLazyInstanceTraits<NSPRInitSingleton>; |
143 | 198 |
144 NSPRInitSingleton() { | 199 NSPRInitSingleton() { |
(...skipping 14 matching lines...) Expand all Loading... | |
159 | 214 |
160 LazyInstance<NSPRInitSingleton, LeakyLazyInstanceTraits<NSPRInitSingleton> > | 215 LazyInstance<NSPRInitSingleton, LeakyLazyInstanceTraits<NSPRInitSingleton> > |
161 g_nspr_singleton(LINKER_INITIALIZED); | 216 g_nspr_singleton(LINKER_INITIALIZED); |
162 | 217 |
163 class NSSInitSingleton { | 218 class NSSInitSingleton { |
164 public: | 219 public: |
165 #if defined(OS_CHROMEOS) | 220 #if defined(OS_CHROMEOS) |
166 void OpenPersistentNSSDB() { | 221 void OpenPersistentNSSDB() { |
167 if (!chromeos_user_logged_in_) { | 222 if (!chromeos_user_logged_in_) { |
168 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread. | 223 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread. |
169 // Temporarily allow it until we fix http://crbug.com.70119 | 224 // Temporarily allow it until we fix http://crbug.com/70119 |
170 ThreadRestrictions::ScopedAllowIO allow_io; | 225 ThreadRestrictions::ScopedAllowIO allow_io; |
171 chromeos_user_logged_in_ = true; | 226 chromeos_user_logged_in_ = true; |
172 real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), | 227 |
173 "Real NSS database"); | 228 // This creates a new DB slot in NSS that is read/write, unlike |
229 // the cert DB and the "default" crypto key provider, which are | |
230 // still read-only (because we initialized NSS before we had a | |
231 // cryptohome mounted). | |
232 real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), kNssDatabaseName); | |
233 | |
234 // This loads the opencryptoki module so we can talk to the | |
235 // hardware TPM. | |
236 opencryptoki_module_ = LoadModule( | |
237 "opencryptoki", | |
238 "/usr/lib/opencryptoki/libopencryptoki.so", | |
239 // trustOrder=100 -- means it'll select this as the most | |
240 // trusted slot for the mechanisms it provides. | |
241 // slotParams=... -- selects RSA as only mechanism, and only | |
242 // asks for the password when necessary (instead of every | |
243 // time, or after a timeout). | |
244 "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); | |
245 if (opencryptoki_module_) { | |
246 // We shouldn't need to initialize the RSA PIN here because | |
247 // it'll be taken care of by cryptohomed, but we have to make | |
248 // sure that it is initialized. | |
249 | |
250 // TODO(gspencer): replace this with a dbus call to check and | |
251 // see that cryptohomed has initialized the PINs already. | |
252 EnsureRsaPinInit(); | |
253 } | |
174 } | 254 } |
175 } | 255 } |
256 | |
257 PK11SlotInfo* GetRsaSlot() { | |
258 return FindTokenByName(kHardwareTokenName); | |
259 } | |
176 #endif // defined(OS_CHROMEOS) | 260 #endif // defined(OS_CHROMEOS) |
177 | 261 |
262 | |
178 bool OpenTestNSSDB(const FilePath& path, const char* description) { | 263 bool OpenTestNSSDB(const FilePath& path, const char* description) { |
179 test_db_slot_ = OpenUserDB(path, description); | 264 test_db_slot_ = OpenUserDB(path, description); |
180 return !!test_db_slot_; | 265 return !!test_db_slot_; |
181 } | 266 } |
182 | 267 |
183 void CloseTestNSSDB() { | 268 void CloseTestNSSDB() { |
184 if (test_db_slot_) { | 269 if (test_db_slot_) { |
185 SECStatus status = SECMOD_CloseUserDB(test_db_slot_); | 270 SECStatus status = SECMOD_CloseUserDB(test_db_slot_); |
186 if (status != SECSuccess) | 271 if (status != SECSuccess) |
187 LOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError(); | 272 LOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError(); |
(...skipping 16 matching lines...) Expand all Loading... | |
204 } | 289 } |
205 #endif // defined(USE_NSS) | 290 #endif // defined(USE_NSS) |
206 | 291 |
207 private: | 292 private: |
208 friend struct DefaultLazyInstanceTraits<NSSInitSingleton>; | 293 friend struct DefaultLazyInstanceTraits<NSSInitSingleton>; |
209 | 294 |
210 NSSInitSingleton() | 295 NSSInitSingleton() |
211 : real_db_slot_(NULL), | 296 : real_db_slot_(NULL), |
212 test_db_slot_(NULL), | 297 test_db_slot_(NULL), |
213 root_(NULL), | 298 root_(NULL), |
299 opencryptoki_module_(NULL), | |
214 chromeos_user_logged_in_(false) { | 300 chromeos_user_logged_in_(false) { |
215 EnsureNSPRInit(); | 301 EnsureNSPRInit(); |
216 | 302 |
217 // We *must* have NSS >= 3.12.3. See bug 26448. | 303 // We *must* have NSS >= 3.12.3. See bug 26448. |
218 COMPILE_ASSERT( | 304 COMPILE_ASSERT( |
219 (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) || | 305 (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) || |
220 (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || | 306 (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || |
221 (NSS_VMAJOR > 3), | 307 (NSS_VMAJOR > 3), |
222 nss_version_check_failed); | 308 nss_version_check_failed); |
223 // Also check the run-time NSS version. | 309 // Also check the run-time NSS version. |
(...skipping 10 matching lines...) Expand all Loading... | |
234 "still get this error, contact your distribution " | 320 "still get this error, contact your distribution " |
235 "maintainer."; | 321 "maintainer."; |
236 } | 322 } |
237 | 323 |
238 SECStatus status = SECFailure; | 324 SECStatus status = SECFailure; |
239 #if !defined(USE_NSS) | 325 #if !defined(USE_NSS) |
240 // Use the system certificate store, so initialize NSS without database. | 326 // Use the system certificate store, so initialize NSS without database. |
241 status = NSS_NoDB_Init(NULL); | 327 status = NSS_NoDB_Init(NULL); |
242 if (status != SECSuccess) { | 328 if (status != SECSuccess) { |
243 LOG(ERROR) << "Error initializing NSS without a persistent " | 329 LOG(ERROR) << "Error initializing NSS without a persistent " |
244 "database: NSS error code " << PR_GetError(); | 330 "database: " << GetNssError(); |
245 } | 331 } |
246 #else | 332 #else |
247 FilePath database_dir = GetInitialConfigDirectory(); | 333 FilePath database_dir = GetInitialConfigDirectory(); |
248 if (!database_dir.empty()) { | 334 if (!database_dir.empty()) { |
249 // This duplicates the work which should have been done in | 335 // This duplicates the work which should have been done in |
250 // EarlySetupForNSSInit. However, this function is idempotent so there's | 336 // EarlySetupForNSSInit. However, this function is idempotent so there's |
251 // no harm done. | 337 // no harm done. |
252 UseLocalCacheOfNSSDatabaseIfNFS(database_dir); | 338 UseLocalCacheOfNSSDatabaseIfNFS(database_dir); |
253 | 339 |
254 // Initialize with a persistent database (likely, ~/.pki/nssdb). | 340 // Initialize with a persistent database (likely, ~/.pki/nssdb). |
255 // Use "sql:" which can be shared by multiple processes safely. | 341 // Use "sql:" which can be shared by multiple processes safely. |
256 std::string nss_config_dir = | 342 std::string nss_config_dir = |
257 StringPrintf("sql:%s", database_dir.value().c_str()); | 343 StringPrintf("sql:%s", database_dir.value().c_str()); |
258 #if defined(OS_CHROMEOS) | 344 #if defined(OS_CHROMEOS) |
259 status = NSS_Init(nss_config_dir.c_str()); | 345 status = NSS_Init(nss_config_dir.c_str()); |
260 #else | 346 #else |
261 status = NSS_InitReadWrite(nss_config_dir.c_str()); | 347 status = NSS_InitReadWrite(nss_config_dir.c_str()); |
262 #endif | 348 #endif |
263 if (status != SECSuccess) { | 349 if (status != SECSuccess) { |
264 LOG(ERROR) << "Error initializing NSS with a persistent " | 350 LOG(ERROR) << "Error initializing NSS with a persistent " |
265 "database (" << nss_config_dir | 351 "database (" << nss_config_dir |
266 << "): NSS error code " << PR_GetError(); | 352 << "): " << GetNssError(); |
267 } | 353 } |
268 } | 354 } |
269 if (status != SECSuccess) { | 355 if (status != SECSuccess) { |
270 LOG(WARNING) << "Initialize NSS without a persistent database " | 356 VLOG(1) << "Initializing NSS without a persistent database."; |
271 "(~/.pki/nssdb)."; | |
272 status = NSS_NoDB_Init(NULL); | 357 status = NSS_NoDB_Init(NULL); |
273 if (status != SECSuccess) { | 358 if (status != SECSuccess) { |
274 LOG(ERROR) << "Error initializing NSS without a persistent " | 359 LOG(ERROR) << "Error initializing NSS without a persistent " |
275 "database: NSS error code " << PR_GetError(); | 360 "database: " << GetNssError(); |
276 return; | 361 return; |
277 } | 362 } |
278 } | 363 } |
279 | 364 |
280 PK11_SetPasswordFunc(PKCS11PasswordFunc); | 365 PK11_SetPasswordFunc(PKCS11PasswordFunc); |
281 | 366 |
282 // If we haven't initialized the password for the NSS databases, | 367 // If we haven't initialized the password for the NSS databases, |
283 // initialize an empty-string password so that we don't need to | 368 // initialize an empty-string password so that we don't need to |
284 // log in. | 369 // log in. |
285 PK11SlotInfo* slot = PK11_GetInternalKeySlot(); | 370 PK11SlotInfo* slot = PK11_GetInternalKeySlot(); |
(...skipping 17 matching lines...) Expand all Loading... | |
303 SECMOD_CloseUserDB(real_db_slot_); | 388 SECMOD_CloseUserDB(real_db_slot_); |
304 PK11_FreeSlot(real_db_slot_); | 389 PK11_FreeSlot(real_db_slot_); |
305 real_db_slot_ = NULL; | 390 real_db_slot_ = NULL; |
306 } | 391 } |
307 CloseTestNSSDB(); | 392 CloseTestNSSDB(); |
308 if (root_) { | 393 if (root_) { |
309 SECMOD_UnloadUserModule(root_); | 394 SECMOD_UnloadUserModule(root_); |
310 SECMOD_DestroyModule(root_); | 395 SECMOD_DestroyModule(root_); |
311 root_ = NULL; | 396 root_ = NULL; |
312 } | 397 } |
398 if (opencryptoki_module_) { | |
399 SECMOD_UnloadUserModule(opencryptoki_module_); | |
400 SECMOD_DestroyModule(opencryptoki_module_); | |
401 opencryptoki_module_ = NULL; | |
402 } | |
313 | 403 |
314 SECStatus status = NSS_Shutdown(); | 404 SECStatus status = NSS_Shutdown(); |
315 if (status != SECSuccess) { | 405 if (status != SECSuccess) { |
316 // We VLOG(1) because this failure is relatively harmless (leaking, but | 406 // We VLOG(1) because this failure is relatively harmless (leaking, but |
317 // we're shutting down anyway). | 407 // we're shutting down anyway). |
318 VLOG(1) << "NSS_Shutdown failed; see " | 408 VLOG(1) << "NSS_Shutdown failed; see http://crosbug.com/4609"; |
319 "http://code.google.com/p/chromium/issues/detail?id=4609"; | |
320 } | 409 } |
321 } | 410 } |
322 | 411 |
412 #if defined(USE_NSS) | |
413 // Load nss's built-in root certs. | |
414 SECMODModule *InitDefaultRootCerts() { | |
415 SECMODModule *root = LoadModule("Root Certs", "libnssckbi.so", NULL); | |
416 if (root) | |
417 return root; | |
418 | |
419 // Aw, snap. Can't find/load root cert shared library. | |
420 // This will make it hard to talk to anybody via https. | |
421 NOTREACHED(); | |
422 return NULL; | |
423 } | |
424 #endif | |
425 | |
426 // Load the given module for this NSS session. | |
427 SECMODModule* LoadModule(const char* name, | |
428 const char* library_path, | |
429 const char* params) { | |
430 std::string modparams = StringPrintf( | |
431 "name=\"%s\" library=\"%s\" %s", | |
432 name, library_path, params ? params : ""); | |
433 | |
434 // Shouldn't need to const_cast here, but SECMOD doesn't believe | |
435 // in const interfaces. | |
436 SECMODModule* module = SECMOD_LoadUserModule( | |
437 const_cast<char*>(modparams.c_str()), NULL, PR_FALSE); | |
438 if (!module) { | |
439 LOG(ERROR) << "Error loading " << name << " module into NSS: " | |
440 << GetNssError(); | |
441 return NULL; | |
442 } | |
443 return module; | |
444 } | |
445 | |
446 #if defined(OS_CHROMEOS) | |
447 void EnsureRsaPinInit() { | |
448 base::ScopedPK11Slot rsa_slot(GetRsaSlot()); | |
449 if (rsa_slot.get()) { | |
450 if (PK11_NeedUserInit(rsa_slot.get())) { | |
451 AutoNSSWriteLock lock; | |
452 PK11_InitPin(rsa_slot.get(), | |
453 kHardwareTokenSecurityOfficerPin, | |
454 kHardwareTokenUserPin); | |
455 } | |
456 } | |
457 } | |
458 #endif | |
459 | |
323 static PK11SlotInfo* OpenUserDB(const FilePath& path, | 460 static PK11SlotInfo* OpenUserDB(const FilePath& path, |
324 const char* description) { | 461 const char* description) { |
325 const std::string modspec = | 462 const std::string modspec = |
326 StringPrintf("configDir='sql:%s' tokenDescription='%s'", | 463 StringPrintf("configDir='sql:%s' tokenDescription='%s'", |
327 path.value().c_str(), description); | 464 path.value().c_str(), description); |
328 PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str()); | 465 PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str()); |
329 if (db_slot) { | 466 if (db_slot) { |
330 if (PK11_NeedUserInit(db_slot)) | 467 if (PK11_NeedUserInit(db_slot)) |
331 PK11_InitPin(db_slot, NULL, NULL); | 468 PK11_InitPin(db_slot, NULL, NULL); |
332 } | 469 } |
333 else { | 470 else { |
334 LOG(ERROR) << "Error opening persistent database (" << modspec | 471 LOG(ERROR) << "Error opening persistent database (" << modspec |
335 << "): NSS error code " << PR_GetError(); | 472 << "): " << GetNssError(); |
336 } | 473 } |
337 return db_slot; | 474 return db_slot; |
338 } | 475 } |
339 | 476 |
340 PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. | 477 PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. |
341 PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ | 478 PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ |
342 SECMODModule *root_; | 479 SECMODModule* root_; |
480 SECMODModule* opencryptoki_module_; | |
343 bool chromeos_user_logged_in_; | 481 bool chromeos_user_logged_in_; |
344 #if defined(USE_NSS) | 482 #if defined(USE_NSS) |
345 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 | 483 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 |
346 // is fixed, we will no longer need the lock. | 484 // is fixed, we will no longer need the lock. |
347 Lock write_lock_; | 485 Lock write_lock_; |
348 #endif // defined(USE_NSS) | 486 #endif // defined(USE_NSS) |
349 }; | 487 }; |
350 | 488 |
351 LazyInstance<NSSInitSingleton, LeakyLazyInstanceTraits<NSSInitSingleton> > | 489 LazyInstance<NSSInitSingleton, LeakyLazyInstanceTraits<NSSInitSingleton> > |
352 g_nss_singleton(LINKER_INITIALIZED); | 490 g_nss_singleton(LINKER_INITIALIZED); |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
401 lock_->AssertAcquired(); | 539 lock_->AssertAcquired(); |
402 lock_->Release(); | 540 lock_->Release(); |
403 } | 541 } |
404 } | 542 } |
405 #endif // defined(USE_NSS) | 543 #endif // defined(USE_NSS) |
406 | 544 |
407 #if defined(OS_CHROMEOS) | 545 #if defined(OS_CHROMEOS) |
408 void OpenPersistentNSSDB() { | 546 void OpenPersistentNSSDB() { |
409 g_nss_singleton.Get().OpenPersistentNSSDB(); | 547 g_nss_singleton.Get().OpenPersistentNSSDB(); |
410 } | 548 } |
411 #endif | 549 #endif // defined(OS_CHROMEOS) |
412 | 550 |
413 // TODO(port): Implement this more simply. We can convert by subtracting an | 551 // TODO(port): Implement this more simply. We can convert by subtracting an |
414 // offset (the difference between NSPR's and base::Time's epochs). | 552 // offset (the difference between NSPR's and base::Time's epochs). |
415 Time PRTimeToBaseTime(PRTime prtime) { | 553 Time PRTimeToBaseTime(PRTime prtime) { |
416 PRExplodedTime prxtime; | 554 PRExplodedTime prxtime; |
417 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); | 555 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); |
418 | 556 |
419 Time::Exploded exploded; | 557 Time::Exploded exploded; |
420 exploded.year = prxtime.tm_year; | 558 exploded.year = prxtime.tm_year; |
421 exploded.month = prxtime.tm_month + 1; | 559 exploded.month = prxtime.tm_month + 1; |
422 exploded.day_of_week = prxtime.tm_wday; | 560 exploded.day_of_week = prxtime.tm_wday; |
423 exploded.day_of_month = prxtime.tm_mday; | 561 exploded.day_of_month = prxtime.tm_mday; |
424 exploded.hour = prxtime.tm_hour; | 562 exploded.hour = prxtime.tm_hour; |
425 exploded.minute = prxtime.tm_min; | 563 exploded.minute = prxtime.tm_min; |
426 exploded.second = prxtime.tm_sec; | 564 exploded.second = prxtime.tm_sec; |
427 exploded.millisecond = prxtime.tm_usec / 1000; | 565 exploded.millisecond = prxtime.tm_usec / 1000; |
428 | 566 |
429 return Time::FromUTCExploded(exploded); | 567 return Time::FromUTCExploded(exploded); |
430 } | 568 } |
431 | 569 |
432 PK11SlotInfo* GetDefaultNSSKeySlot() { | 570 PK11SlotInfo* GetDefaultNSSKeySlot() { |
433 return g_nss_singleton.Get().GetDefaultKeySlot(); | 571 return g_nss_singleton.Get().GetDefaultKeySlot(); |
434 } | 572 } |
435 | 573 |
574 PK11SlotInfo* GetRsaKeySlot() { | |
575 #if defined(OS_CHROMEOS) | |
576 return g_nss_singleton.Get().GetRsaSlot(); | |
577 #else | |
578 return g_nss_singleton.Get().GetDefaultKeySlot(); | |
579 #endif | |
580 } | |
581 | |
436 } // namespace base | 582 } // namespace base |
OLD | NEW |