OLD | NEW |
---|---|
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/nss_util.h" | 5 #include "base/nss_util.h" |
6 #include "base/nss_util_internal.h" | 6 #include "base/nss_util_internal.h" |
7 | 7 |
8 #include <nss.h> | 8 #include <nss.h> |
9 #include <plarena.h> | 9 #include <plarena.h> |
10 #include <prerror.h> | 10 #include <prerror.h> |
11 #include <prinit.h> | 11 #include <prinit.h> |
12 #include <prtime.h> | 12 #include <prtime.h> |
13 #include <pk11pub.h> | 13 #include <pk11pub.h> |
14 #include <secmod.h> | 14 #include <secmod.h> |
15 | 15 |
16 #if defined(OS_LINUX) | 16 #if defined(OS_LINUX) |
17 #include <linux/nfs_fs.h> | 17 #include <linux/nfs_fs.h> |
18 #include <sys/vfs.h> | 18 #include <sys/vfs.h> |
19 #endif | 19 #endif |
20 | 20 |
21 #include "base/crypto/scoped_nss_types.h" | |
21 #include "base/file_util.h" | 22 #include "base/file_util.h" |
22 #include "base/lazy_instance.h" | 23 #include "base/lazy_instance.h" |
23 #include "base/logging.h" | 24 #include "base/logging.h" |
24 #include "base/stringprintf.h" | 25 #include "base/stringprintf.h" |
25 #include "base/threading/thread_restrictions.h" | 26 #include "base/threading/thread_restrictions.h" |
26 | 27 |
27 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not | 28 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not |
28 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't | 29 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't |
29 // use NSS for crypto or certificate verification, and we don't use the NSS | 30 // use NSS for crypto or certificate verification, and we don't use the NSS |
30 // certificate and key databases. | 31 // certificate and key databases. |
31 #if defined(USE_NSS) | 32 #if defined(USE_NSS) |
32 #include "base/crypto/crypto_module_blocking_password_delegate.h" | 33 #include "base/crypto/crypto_module_blocking_password_delegate.h" |
33 #include "base/environment.h" | 34 #include "base/environment.h" |
34 #include "base/scoped_ptr.h" | 35 #include "base/scoped_ptr.h" |
35 #include "base/synchronization/lock.h" | 36 #include "base/synchronization/lock.h" |
36 #endif // defined(USE_NSS) | 37 #endif // defined(USE_NSS) |
37 | 38 |
38 namespace base { | 39 namespace base { |
39 | 40 |
40 namespace { | 41 namespace { |
wtc
2011/03/16 18:41:44
Nit: please add a blank line after this line.
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
42 #if defined(OS_CHROMEOS) | |
43 static const char kNssDatabaseName[] = "Real NSS database"; | |
wtc
2011/03/16 18:41:44
Why do you need "Real"? Is there a "Fake NSS data
Greg Spencer (Chromium)
2011/03/16 21:37:51
This is what it was always called, I just moved it
| |
44 | |
45 // TODO(gspencer): Get these values from cryptohomed's dbus API when | |
46 // we ask if it has initialized the TPM yet. These should not be | |
47 // hard-coded here. | |
48 static const char kHardwareTokenName[] = "Initialized by CrOS"; | |
kmixter1
2011/03/16 06:33:18
If we support real hardware tokens this may seem c
rginda
2011/03/16 17:09:37
s/Name/Label/ would be more PKCS11'y.
wtc
2011/03/16 18:41:44
I agree with kmixter1 that these should be named "
Greg Spencer (Chromium)
2011/03/16 21:37:51
Changed the names to the ones wtc suggests.
| |
49 static const char kHardwareTokenUserPin[] = "111111"; | |
50 static const char kHardwareTokenSecurityOfficerPin[] = "000000"; | |
wtc
2011/03/16 18:41:44
Nit: in the crypto and net code we usually use all
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done: changed to mirror other crypto code. Note t
| |
51 | |
52 // Fake certificate authority database used for testing. | |
53 static const FilePath::CharType kReadOnlyCertDB[] = | |
kmixter1
2011/03/16 06:33:18
I don't understand what this does - is this only f
Greg Spencer (Chromium)
2011/03/16 21:37:51
Yes, it's only for testing, it's the location wher
| |
54 FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); | |
55 #endif // defined(OS_CHROMEOS) | |
56 | |
57 std::string GetNssError() { | |
wtc
2011/03/16 18:41:44
Nit: please rename this function GetNSSErrorMessag
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
58 std::string result; | |
59 if (PR_GetErrorTextLength()) { | |
60 scoped_ptr<char> error_text(new char[PR_GetErrorTextLength() + 1]); | |
61 PRInt32 copied = PR_GetErrorText(error_text.get()); | |
62 result = std::string(error_text.get(), copied); | |
63 } else { | |
64 result = StringPrintf("NSS Error code: %d", PR_GetError()); | |
65 } | |
66 return result; | |
67 } | |
41 | 68 |
42 #if defined(USE_NSS) | 69 #if defined(USE_NSS) |
43 FilePath GetDefaultConfigDirectory() { | 70 FilePath GetDefaultConfigDirectory() { |
44 FilePath dir = file_util::GetHomeDir(); | 71 FilePath dir = file_util::GetHomeDir(); |
45 if (dir.empty()) { | 72 if (dir.empty()) { |
46 LOG(ERROR) << "Failed to get home directory."; | 73 LOG(ERROR) << "Failed to get home directory."; |
47 return dir; | 74 return dir; |
48 } | 75 } |
49 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); | 76 dir = dir.AppendASCII(".pki").AppendASCII("nssdb"); |
50 if (!file_util::CreateDirectory(dir)) { | 77 if (!file_util::CreateDirectory(dir)) { |
51 LOG(ERROR) << "Failed to create ~/.pki/nssdb directory."; | 78 LOG(ERROR) << "Failed to create ~/.pki/nssdb directory."; |
52 dir.clear(); | 79 dir.clear(); |
53 } | 80 } |
54 return dir; | 81 return dir; |
55 } | 82 } |
56 | 83 |
57 // On non-chromeos platforms, return the default config directory. | 84 // On non-chromeos platforms, return the default config directory. |
58 // On chromeos, return a read-only directory with fake root CA certs for testing | 85 // On chromeos, return a read-only directory with fake root CA certs for testing |
59 // (which will not exist on non-testing images). These root CA certs are used | 86 // (which will not exist on non-testing images). These root CA certs are used |
60 // by the local Google Accounts server mock we use when testing our login code. | 87 // by the local Google Accounts server mock we use when testing our login code. |
61 // If this directory is not present, NSS_Init() will fail. It is up to the | 88 // If this directory is not present, NSS_Init() will fail. It is up to the |
62 // caller to failover to NSS_NoDB_Init() at that point. | 89 // caller to failover to NSS_NoDB_Init() at that point. |
63 FilePath GetInitialConfigDirectory() { | 90 FilePath GetInitialConfigDirectory() { |
64 #if defined(OS_CHROMEOS) | 91 #if defined(OS_CHROMEOS) |
65 static const FilePath::CharType kReadOnlyCertDB[] = | |
66 FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); | |
67 return FilePath(kReadOnlyCertDB); | 92 return FilePath(kReadOnlyCertDB); |
68 #else | 93 #else |
69 return GetDefaultConfigDirectory(); | 94 return GetDefaultConfigDirectory(); |
70 #endif // defined(OS_CHROMEOS) | 95 #endif // defined(OS_CHROMEOS) |
71 } | 96 } |
72 | 97 |
73 // This callback for NSS forwards all requests to a caller-specified | 98 // This callback for NSS forwards all requests to a caller-specified |
74 // CryptoModuleBlockingPasswordDelegate object. | 99 // CryptoModuleBlockingPasswordDelegate object. |
75 char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { | 100 char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { |
101 #if defined(OS_CHROMEOS) | |
102 // If we get asked for a password for the hardware token, then | |
wtc
2011/03/16 18:41:44
Nit: hardware token => TPM
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
103 // return the static password we use. | |
104 if (std::string(PK11_GetTokenName(slot)) == std::string(kHardwareTokenName)) | |
kmixter1
2011/03/16 06:33:18
nit: constructing to std::string on rhs isn't nece
wtc
2011/03/16 18:41:44
Just use strcmp() to compare the two C strings her
Greg Spencer (Chromium)
2011/03/16 21:37:51
I'm going to continue to use std::string operator=
| |
105 return PORT_Strdup(kHardwareTokenUserPin); | |
106 #endif | |
76 base::CryptoModuleBlockingPasswordDelegate* delegate = | 107 base::CryptoModuleBlockingPasswordDelegate* delegate = |
77 reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); | 108 reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); |
78 if (delegate) { | 109 if (delegate) { |
79 bool cancelled = false; | 110 bool cancelled = false; |
80 std::string password = delegate->RequestPassword(PK11_GetTokenName(slot), | 111 std::string password = delegate->RequestPassword(PK11_GetTokenName(slot), |
81 retry != PR_FALSE, | 112 retry != PR_FALSE, |
82 &cancelled); | 113 &cancelled); |
83 if (cancelled) | 114 if (cancelled) |
84 return NULL; | 115 return NULL; |
85 char* result = PORT_Strdup(password.c_str()); | 116 char* result = PORT_Strdup(password.c_str()); |
(...skipping 23 matching lines...) Expand all Loading... | |
109 if (buf.f_type == NFS_SUPER_MAGIC) { | 140 if (buf.f_type == NFS_SUPER_MAGIC) { |
110 scoped_ptr<Environment> env(Environment::Create()); | 141 scoped_ptr<Environment> env(Environment::Create()); |
111 const char* use_cache_env_var = "NSS_SDB_USE_CACHE"; | 142 const char* use_cache_env_var = "NSS_SDB_USE_CACHE"; |
112 if (!env->HasVar(use_cache_env_var)) | 143 if (!env->HasVar(use_cache_env_var)) |
113 env->SetVar(use_cache_env_var, "yes"); | 144 env->SetVar(use_cache_env_var, "yes"); |
114 } | 145 } |
115 } | 146 } |
116 #endif // defined(OS_LINUX) | 147 #endif // defined(OS_LINUX) |
117 } | 148 } |
118 | 149 |
119 // Load nss's built-in root certs. | 150 #endif // defined(USE_NSS) |
wtc
2011/03/16 18:41:44
Please move this #endif to include AutoSECMODListL
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
120 SECMODModule *InitDefaultRootCerts() { | |
121 const char* kModulePath = "libnssckbi.so"; | |
122 char modparams[1024]; | |
123 snprintf(modparams, sizeof(modparams), | |
124 "name=\"Root Certs\" library=\"%s\"", kModulePath); | |
125 SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE); | |
126 if (root) | |
127 return root; | |
128 | 151 |
129 // Aw, snap. Can't find/load root cert shared library. | 152 // A helper class that acquires the SECMOD list read lock while the |
130 // This will make it hard to talk to anybody via https. | 153 // AutoSECMODListLock is in scope. |
kmixter1
2011/03/16 06:33:18
Should the name of the class contain "read" since
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
131 NOTREACHED(); | 154 class AutoSECMODListLock { |
155 public: | |
156 AutoSECMODListLock() | |
157 : lock_(SECMOD_GetDefaultModuleListLock()) { | |
158 if (!lock_) { | |
159 LOG(ERROR) << "AutoSECMODListLock: Unable to obtain lock."; | |
wtc
2011/03/16 18:41:44
Nit: "obtain lock" could be misinterpreted to mean
| |
160 return; | |
161 } | |
162 SECMOD_GetReadLock(lock_); | |
163 } | |
164 | |
165 ~AutoSECMODListLock() { | |
166 if (lock_) | |
167 SECMOD_ReleaseReadLock(lock_); | |
168 } | |
169 | |
170 bool has_lock() { return lock_ != NULL; } | |
kmixter1
2011/03/16 06:33:18
nit: const function
wtc
2011/03/16 18:41:44
Is the has_lock function useful? "lock_initialize
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
171 private: | |
kmixter1
2011/03/16 06:33:18
nit: One line above private according to style gui
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
172 SECMODListLock* lock_; | |
173 DISALLOW_COPY_AND_ASSIGN(AutoSECMODListLock); | |
174 }; | |
175 | |
176 PK11SlotInfo* FindTokenByName(const std::string& token_name) { | |
177 AutoSECMODListLock auto_lock; | |
178 if (!auto_lock.has_lock()) | |
179 return NULL; | |
180 SECMODModuleList* head = SECMOD_GetDefaultModuleList(); | |
181 for(SECMODModuleList* item = head; item != NULL; item = item->next) { | |
182 int slot_count = item->module->loaded ? item->module->slotCount : 0; | |
kmixter1
2011/03/16 06:33:18
My brief reading of NSS says that it internally wi
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
183 for (int i = 0; i < slot_count; i++) { | |
184 PK11SlotInfo* slot = item->module->slots[i]; | |
185 if (std::string(PK11_GetTokenName(slot)) == token_name) { | |
186 return PK11_ReferenceSlot(slot); | |
187 } | |
188 } | |
189 } | |
132 return NULL; | 190 return NULL; |
133 } | 191 } |
134 #endif // defined(USE_NSS) | |
135 | 192 |
136 // A singleton to initialize/deinitialize NSPR. | 193 // A singleton to initialize/deinitialize NSPR. |
137 // Separate from the NSS singleton because we initialize NSPR on the UI thread. | 194 // Separate from the NSS singleton because we initialize NSPR on the UI thread. |
138 // Now that we're leaking the singleton, we could merge back with the NSS | 195 // Now that we're leaking the singleton, we could merge back with the NSS |
139 // singleton. | 196 // singleton. |
140 class NSPRInitSingleton { | 197 class NSPRInitSingleton { |
141 private: | 198 private: |
142 friend struct DefaultLazyInstanceTraits<NSPRInitSingleton>; | 199 friend struct DefaultLazyInstanceTraits<NSPRInitSingleton>; |
143 | 200 |
144 NSPRInitSingleton() { | 201 NSPRInitSingleton() { |
(...skipping 14 matching lines...) Expand all Loading... | |
159 | 216 |
160 LazyInstance<NSPRInitSingleton, LeakyLazyInstanceTraits<NSPRInitSingleton> > | 217 LazyInstance<NSPRInitSingleton, LeakyLazyInstanceTraits<NSPRInitSingleton> > |
161 g_nspr_singleton(LINKER_INITIALIZED); | 218 g_nspr_singleton(LINKER_INITIALIZED); |
162 | 219 |
163 class NSSInitSingleton { | 220 class NSSInitSingleton { |
164 public: | 221 public: |
165 #if defined(OS_CHROMEOS) | 222 #if defined(OS_CHROMEOS) |
166 void OpenPersistentNSSDB() { | 223 void OpenPersistentNSSDB() { |
167 if (!chromeos_user_logged_in_) { | 224 if (!chromeos_user_logged_in_) { |
168 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread. | 225 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread. |
169 // Temporarily allow it until we fix http://crbug.com.70119 | 226 // Temporarily allow it until we fix http://crbug.com/70119 |
170 ThreadRestrictions::ScopedAllowIO allow_io; | 227 ThreadRestrictions::ScopedAllowIO allow_io; |
171 chromeos_user_logged_in_ = true; | 228 chromeos_user_logged_in_ = true; |
172 real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), | 229 |
173 "Real NSS database"); | 230 // This creates a new DB slot in NSS that is read/write, unlike |
231 // the cert DB and the "default" crypto key provider, which are | |
232 // still read-only (because we initialized NSS before we had a | |
233 // cryptohome mounted). | |
234 real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), kNssDatabaseName); | |
235 | |
236 // This loads the opencryptoki module so we can talk to the | |
237 // hardware TPM. | |
238 opencryptoki_module_ = LoadModule( | |
239 "opencryptoki", | |
240 "/usr/lib/opencryptoki/libopencryptoki.so", | |
241 // trustOrder=100 -- means it'll select this as the most | |
242 // trusted slot for the mechanisms it provides. | |
243 // slotParams=... -- selects RSA as only mechanism, and only | |
244 // asks for the password when necessary (instead of every | |
245 // time, or after a timeout). | |
246 "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); | |
247 if (opencryptoki_module_) { | |
248 // We shouldn't need to initialize the RSA PIN here because | |
249 // it'll be taken care of by cryptohomed, but we have to make | |
250 // sure that it is initialized. | |
251 | |
252 // TODO(gspencer): replace this with a dbus call to check and | |
253 // see that cryptohomed has initialized the PINs already. | |
254 EnsureRsaPinInit(); | |
wtc
2011/03/16 18:41:44
This function should be renamed EnsureTPMPINInit,
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
255 } | |
174 } | 256 } |
175 } | 257 } |
258 | |
259 PK11SlotInfo* GetRsaSlot() { | |
kmixter1
2011/03/16 06:33:18
Seems like "RSA" applies to a software slot as wel
Greg Spencer (Chromium)
2011/03/16 21:37:51
Renamed to GetTPMSlot
| |
260 return FindTokenByName(kHardwareTokenName); | |
261 } | |
176 #endif // defined(OS_CHROMEOS) | 262 #endif // defined(OS_CHROMEOS) |
177 | 263 |
264 | |
178 bool OpenTestNSSDB(const FilePath& path, const char* description) { | 265 bool OpenTestNSSDB(const FilePath& path, const char* description) { |
179 test_db_slot_ = OpenUserDB(path, description); | 266 test_db_slot_ = OpenUserDB(path, description); |
180 return !!test_db_slot_; | 267 return !!test_db_slot_; |
181 } | 268 } |
182 | 269 |
183 void CloseTestNSSDB() { | 270 void CloseTestNSSDB() { |
184 if (test_db_slot_) { | 271 if (test_db_slot_) { |
185 SECStatus status = SECMOD_CloseUserDB(test_db_slot_); | 272 SECStatus status = SECMOD_CloseUserDB(test_db_slot_); |
186 if (status != SECSuccess) | 273 if (status != SECSuccess) |
187 LOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError(); | 274 LOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError(); |
(...skipping 16 matching lines...) Expand all Loading... | |
204 } | 291 } |
205 #endif // defined(USE_NSS) | 292 #endif // defined(USE_NSS) |
206 | 293 |
207 private: | 294 private: |
208 friend struct DefaultLazyInstanceTraits<NSSInitSingleton>; | 295 friend struct DefaultLazyInstanceTraits<NSSInitSingleton>; |
209 | 296 |
210 NSSInitSingleton() | 297 NSSInitSingleton() |
211 : real_db_slot_(NULL), | 298 : real_db_slot_(NULL), |
212 test_db_slot_(NULL), | 299 test_db_slot_(NULL), |
213 root_(NULL), | 300 root_(NULL), |
301 opencryptoki_module_(NULL), | |
214 chromeos_user_logged_in_(false) { | 302 chromeos_user_logged_in_(false) { |
215 EnsureNSPRInit(); | 303 EnsureNSPRInit(); |
216 | 304 |
217 // We *must* have NSS >= 3.12.3. See bug 26448. | 305 // We *must* have NSS >= 3.12.3. See bug 26448. |
218 COMPILE_ASSERT( | 306 COMPILE_ASSERT( |
219 (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) || | 307 (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) || |
220 (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || | 308 (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || |
221 (NSS_VMAJOR > 3), | 309 (NSS_VMAJOR > 3), |
222 nss_version_check_failed); | 310 nss_version_check_failed); |
223 // Also check the run-time NSS version. | 311 // Also check the run-time NSS version. |
(...skipping 10 matching lines...) Expand all Loading... | |
234 "still get this error, contact your distribution " | 322 "still get this error, contact your distribution " |
235 "maintainer."; | 323 "maintainer."; |
236 } | 324 } |
237 | 325 |
238 SECStatus status = SECFailure; | 326 SECStatus status = SECFailure; |
239 #if !defined(USE_NSS) | 327 #if !defined(USE_NSS) |
240 // Use the system certificate store, so initialize NSS without database. | 328 // Use the system certificate store, so initialize NSS without database. |
241 status = NSS_NoDB_Init(NULL); | 329 status = NSS_NoDB_Init(NULL); |
242 if (status != SECSuccess) { | 330 if (status != SECSuccess) { |
243 LOG(ERROR) << "Error initializing NSS without a persistent " | 331 LOG(ERROR) << "Error initializing NSS without a persistent " |
244 "database: NSS error code " << PR_GetError(); | 332 "database: " << GetNssError(); |
kmixter1
2011/03/16 06:33:18
nice
| |
245 } | 333 } |
246 #else | 334 #else |
247 FilePath database_dir = GetInitialConfigDirectory(); | 335 FilePath database_dir = GetInitialConfigDirectory(); |
248 if (!database_dir.empty()) { | 336 if (!database_dir.empty()) { |
249 // This duplicates the work which should have been done in | 337 // This duplicates the work which should have been done in |
250 // EarlySetupForNSSInit. However, this function is idempotent so there's | 338 // EarlySetupForNSSInit. However, this function is idempotent so there's |
251 // no harm done. | 339 // no harm done. |
252 UseLocalCacheOfNSSDatabaseIfNFS(database_dir); | 340 UseLocalCacheOfNSSDatabaseIfNFS(database_dir); |
253 | 341 |
254 // Initialize with a persistent database (likely, ~/.pki/nssdb). | 342 // Initialize with a persistent database (likely, ~/.pki/nssdb). |
255 // Use "sql:" which can be shared by multiple processes safely. | 343 // Use "sql:" which can be shared by multiple processes safely. |
256 std::string nss_config_dir = | 344 std::string nss_config_dir = |
257 StringPrintf("sql:%s", database_dir.value().c_str()); | 345 StringPrintf("sql:%s", database_dir.value().c_str()); |
258 #if defined(OS_CHROMEOS) | 346 #if defined(OS_CHROMEOS) |
259 status = NSS_Init(nss_config_dir.c_str()); | 347 status = NSS_Init(nss_config_dir.c_str()); |
260 #else | 348 #else |
261 status = NSS_InitReadWrite(nss_config_dir.c_str()); | 349 status = NSS_InitReadWrite(nss_config_dir.c_str()); |
262 #endif | 350 #endif |
263 if (status != SECSuccess) { | 351 if (status != SECSuccess) { |
264 LOG(ERROR) << "Error initializing NSS with a persistent " | 352 LOG(ERROR) << "Error initializing NSS with a persistent " |
265 "database (" << nss_config_dir | 353 "database (" << nss_config_dir |
266 << "): NSS error code " << PR_GetError(); | 354 << "): " << GetNssError(); |
267 } | 355 } |
268 } | 356 } |
269 if (status != SECSuccess) { | 357 if (status != SECSuccess) { |
270 LOG(WARNING) << "Initialize NSS without a persistent database " | 358 VLOG(1) << "Initializing NSS without a persistent database."; |
271 "(~/.pki/nssdb)."; | |
272 status = NSS_NoDB_Init(NULL); | 359 status = NSS_NoDB_Init(NULL); |
273 if (status != SECSuccess) { | 360 if (status != SECSuccess) { |
274 LOG(ERROR) << "Error initializing NSS without a persistent " | 361 LOG(ERROR) << "Error initializing NSS without a persistent " |
275 "database: NSS error code " << PR_GetError(); | 362 "database: " << GetNssError(); |
276 return; | 363 return; |
277 } | 364 } |
278 } | 365 } |
279 | 366 |
280 PK11_SetPasswordFunc(PKCS11PasswordFunc); | 367 PK11_SetPasswordFunc(PKCS11PasswordFunc); |
281 | 368 |
282 // If we haven't initialized the password for the NSS databases, | 369 // If we haven't initialized the password for the NSS databases, |
283 // initialize an empty-string password so that we don't need to | 370 // initialize an empty-string password so that we don't need to |
284 // log in. | 371 // log in. |
285 PK11SlotInfo* slot = PK11_GetInternalKeySlot(); | 372 PK11SlotInfo* slot = PK11_GetInternalKeySlot(); |
(...skipping 17 matching lines...) Expand all Loading... | |
303 SECMOD_CloseUserDB(real_db_slot_); | 390 SECMOD_CloseUserDB(real_db_slot_); |
304 PK11_FreeSlot(real_db_slot_); | 391 PK11_FreeSlot(real_db_slot_); |
305 real_db_slot_ = NULL; | 392 real_db_slot_ = NULL; |
306 } | 393 } |
307 CloseTestNSSDB(); | 394 CloseTestNSSDB(); |
308 if (root_) { | 395 if (root_) { |
309 SECMOD_UnloadUserModule(root_); | 396 SECMOD_UnloadUserModule(root_); |
310 SECMOD_DestroyModule(root_); | 397 SECMOD_DestroyModule(root_); |
311 root_ = NULL; | 398 root_ = NULL; |
312 } | 399 } |
400 if (opencryptoki_module_) { | |
401 SECMOD_UnloadUserModule(opencryptoki_module_); | |
402 SECMOD_DestroyModule(opencryptoki_module_); | |
403 opencryptoki_module_ = NULL; | |
404 } | |
313 | 405 |
314 SECStatus status = NSS_Shutdown(); | 406 SECStatus status = NSS_Shutdown(); |
315 if (status != SECSuccess) { | 407 if (status != SECSuccess) { |
316 // We VLOG(1) because this failure is relatively harmless (leaking, but | 408 // We VLOG(1) because this failure is relatively harmless (leaking, but |
317 // we're shutting down anyway). | 409 // we're shutting down anyway). |
318 VLOG(1) << "NSS_Shutdown failed; see " | 410 VLOG(1) << "NSS_Shutdown failed; see http://crosbug.com/4609"; |
kmixter1
2011/03/16 06:33:18
crbug.com/4609
Greg Spencer (Chromium)
2011/03/16 21:37:51
Whoops! Nice catch. Done.
| |
319 "http://code.google.com/p/chromium/issues/detail?id=4609"; | |
320 } | 411 } |
321 } | 412 } |
322 | 413 |
414 #if defined(USE_NSS) | |
415 // Load nss's built-in root certs. | |
416 SECMODModule *InitDefaultRootCerts() { | |
kmixter1
2011/03/16 06:33:18
nit: star in wrong place (even though you just mov
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
417 SECMODModule *root = LoadModule("Root Certs", "libnssckbi.so", NULL); | |
418 if (root) | |
419 return root; | |
420 | |
421 // Aw, snap. Can't find/load root cert shared library. | |
422 // This will make it hard to talk to anybody via https. | |
423 NOTREACHED(); | |
424 return NULL; | |
425 } | |
426 #endif | |
427 | |
428 // Load the given module for this NSS session. | |
429 SECMODModule* LoadModule(const char* name, | |
wtc
2011/03/16 18:41:44
Put the LoadModule function inside the USE_NSS blo
Greg Spencer (Chromium)
2011/03/16 21:37:51
Done.
| |
430 const char* library_path, | |
431 const char* params) { | |
432 std::string modparams = StringPrintf( | |
433 "name=\"%s\" library=\"%s\" %s", | |
434 name, library_path, params ? params : ""); | |
435 | |
436 // Shouldn't need to const_cast here, but SECMOD doesn't believe | |
437 // in const interfaces. | |
438 SECMODModule* module = SECMOD_LoadUserModule( | |
439 const_cast<char*>(modparams.c_str()), NULL, PR_FALSE); | |
440 if (!module) { | |
441 LOG(ERROR) << "Error loading " << name << " module into NSS: " | |
442 << GetNssError(); | |
443 return NULL; | |
444 } | |
445 return module; | |
446 } | |
447 | |
448 #if defined(OS_CHROMEOS) | |
449 void EnsureRsaPinInit() { | |
450 base::ScopedPK11Slot rsa_slot(GetRsaSlot()); | |
451 if (rsa_slot.get()) { | |
452 if (PK11_NeedUserInit(rsa_slot.get())) { | |
453 AutoNSSWriteLock lock; | |
454 PK11_InitPin(rsa_slot.get(), | |
kmixter1
2011/03/16 06:33:18
If we incorrectly get here, executing this means w
Greg Spencer (Chromium)
2011/03/16 21:37:51
So, this will be removed as soon as we can ask cry
| |
455 kHardwareTokenSecurityOfficerPin, | |
456 kHardwareTokenUserPin); | |
457 } | |
458 } | |
459 } | |
460 #endif | |
461 | |
323 static PK11SlotInfo* OpenUserDB(const FilePath& path, | 462 static PK11SlotInfo* OpenUserDB(const FilePath& path, |
324 const char* description) { | 463 const char* description) { |
325 const std::string modspec = | 464 const std::string modspec = |
326 StringPrintf("configDir='sql:%s' tokenDescription='%s'", | 465 StringPrintf("configDir='sql:%s' tokenDescription='%s'", |
327 path.value().c_str(), description); | 466 path.value().c_str(), description); |
328 PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str()); | 467 PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str()); |
329 if (db_slot) { | 468 if (db_slot) { |
330 if (PK11_NeedUserInit(db_slot)) | 469 if (PK11_NeedUserInit(db_slot)) |
331 PK11_InitPin(db_slot, NULL, NULL); | 470 PK11_InitPin(db_slot, NULL, NULL); |
332 } | 471 } |
333 else { | 472 else { |
334 LOG(ERROR) << "Error opening persistent database (" << modspec | 473 LOG(ERROR) << "Error opening persistent database (" << modspec |
335 << "): NSS error code " << PR_GetError(); | 474 << "): " << GetNssError(); |
336 } | 475 } |
337 return db_slot; | 476 return db_slot; |
338 } | 477 } |
339 | 478 |
340 PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. | 479 PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. |
341 PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ | 480 PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ |
342 SECMODModule *root_; | 481 SECMODModule* root_; |
482 SECMODModule* opencryptoki_module_; | |
343 bool chromeos_user_logged_in_; | 483 bool chromeos_user_logged_in_; |
344 #if defined(USE_NSS) | 484 #if defined(USE_NSS) |
345 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 | 485 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 |
346 // is fixed, we will no longer need the lock. | 486 // is fixed, we will no longer need the lock. |
347 Lock write_lock_; | 487 Lock write_lock_; |
348 #endif // defined(USE_NSS) | 488 #endif // defined(USE_NSS) |
349 }; | 489 }; |
350 | 490 |
351 LazyInstance<NSSInitSingleton, LeakyLazyInstanceTraits<NSSInitSingleton> > | 491 LazyInstance<NSSInitSingleton, LeakyLazyInstanceTraits<NSSInitSingleton> > |
352 g_nss_singleton(LINKER_INITIALIZED); | 492 g_nss_singleton(LINKER_INITIALIZED); |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
401 lock_->AssertAcquired(); | 541 lock_->AssertAcquired(); |
402 lock_->Release(); | 542 lock_->Release(); |
403 } | 543 } |
404 } | 544 } |
405 #endif // defined(USE_NSS) | 545 #endif // defined(USE_NSS) |
406 | 546 |
407 #if defined(OS_CHROMEOS) | 547 #if defined(OS_CHROMEOS) |
408 void OpenPersistentNSSDB() { | 548 void OpenPersistentNSSDB() { |
409 g_nss_singleton.Get().OpenPersistentNSSDB(); | 549 g_nss_singleton.Get().OpenPersistentNSSDB(); |
410 } | 550 } |
411 #endif | 551 #endif // defined(OS_CHROMEOS) |
412 | 552 |
413 // TODO(port): Implement this more simply. We can convert by subtracting an | 553 // TODO(port): Implement this more simply. We can convert by subtracting an |
414 // offset (the difference between NSPR's and base::Time's epochs). | 554 // offset (the difference between NSPR's and base::Time's epochs). |
415 Time PRTimeToBaseTime(PRTime prtime) { | 555 Time PRTimeToBaseTime(PRTime prtime) { |
416 PRExplodedTime prxtime; | 556 PRExplodedTime prxtime; |
417 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); | 557 PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime); |
418 | 558 |
419 Time::Exploded exploded; | 559 Time::Exploded exploded; |
420 exploded.year = prxtime.tm_year; | 560 exploded.year = prxtime.tm_year; |
421 exploded.month = prxtime.tm_month + 1; | 561 exploded.month = prxtime.tm_month + 1; |
422 exploded.day_of_week = prxtime.tm_wday; | 562 exploded.day_of_week = prxtime.tm_wday; |
423 exploded.day_of_month = prxtime.tm_mday; | 563 exploded.day_of_month = prxtime.tm_mday; |
424 exploded.hour = prxtime.tm_hour; | 564 exploded.hour = prxtime.tm_hour; |
425 exploded.minute = prxtime.tm_min; | 565 exploded.minute = prxtime.tm_min; |
426 exploded.second = prxtime.tm_sec; | 566 exploded.second = prxtime.tm_sec; |
427 exploded.millisecond = prxtime.tm_usec / 1000; | 567 exploded.millisecond = prxtime.tm_usec / 1000; |
428 | 568 |
429 return Time::FromUTCExploded(exploded); | 569 return Time::FromUTCExploded(exploded); |
430 } | 570 } |
431 | 571 |
432 PK11SlotInfo* GetDefaultNSSKeySlot() { | 572 PK11SlotInfo* GetDefaultNSSKeySlot() { |
433 return g_nss_singleton.Get().GetDefaultKeySlot(); | 573 return g_nss_singleton.Get().GetDefaultKeySlot(); |
434 } | 574 } |
435 | 575 |
576 PK11SlotInfo* GetRsaKeySlot() { | |
wtc
2011/03/16 18:41:44
This function should be named GetPreferredKeySlot
Greg Spencer (Chromium)
2011/03/16 21:37:51
Yeah, I used RSA because I was trying to imply tha
| |
577 #if defined(OS_CHROMEOS) | |
578 return g_nss_singleton.Get().GetRsaSlot(); | |
579 #else | |
580 return g_nss_singleton.Get().GetDefaultKeySlot(); | |
581 #endif | |
582 } | |
583 | |
436 } // namespace base | 584 } // namespace base |
OLD | NEW |