Index: base/nss_util.cc |
diff --git a/base/nss_util.cc b/base/nss_util.cc |
index fe78fe0c218bfb37162702f2cf6b5815b52cbe41..c891b0820864cfbe51b5ec3a0b88398b15cfe9e6 100644 |
--- a/base/nss_util.cc |
+++ b/base/nss_util.cc |
@@ -18,6 +18,7 @@ |
#include <sys/vfs.h> |
#endif |
+#include "base/crypto/scoped_nss_types.h" |
#include "base/file_util.h" |
#include "base/lazy_instance.h" |
#include "base/logging.h" |
@@ -39,6 +40,33 @@ namespace base { |
namespace { |
+#if defined(OS_CHROMEOS) |
+static const char kNSSDatabaseName[] = "Real NSS database"; |
wtc
2011/03/17 19:34:22
Nit: some of these constants, such as kNSSDatabase
Greg Spencer (Chromium)
2011/03/17 22:41:09
I think I prefer all the constants in one place.
|
+ |
+// TODO(gspencer): Get these values from cryptohomed's dbus API when |
+// we ask if it has initialized the TPM yet. These should not be |
+// hard-coded here. |
+static const char kTPMTokenName[] = "Initialized by CrOS"; |
+static const char kTPMUserPin[] = "111111"; |
+static const char kTPMSecurityOfficerPin[] = "000000"; |
wtc
2011/03/17 19:34:22
Nit: Pin => PIN
in lines 50 and 51.
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done, although "Pin" is consistent with PK11_InitP
|
+ |
+// Fake certificate authority database used for testing. |
+static const FilePath::CharType kReadOnlyCertDB[] = |
+ FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); |
+#endif // defined(OS_CHROMEOS) |
+ |
+std::string GetNSSErrorMessage() { |
+ std::string result; |
+ if (PR_GetErrorTextLength()) { |
+ scoped_ptr<char> error_text(new char[PR_GetErrorTextLength() + 1]); |
wtc
2011/03/17 19:34:22
BUG: scoped_ptr => scoped_array
The scoped_ptr de
Greg Spencer (Chromium)
2011/03/17 22:41:09
Whoa. Good catch, thanks. I knew that already, I
|
+ PRInt32 copied = PR_GetErrorText(error_text.get()); |
+ result = std::string(error_text.get(), copied); |
+ } else { |
+ result = StringPrintf("NSS Error code: %d", PR_GetError()); |
wtc
2011/03/17 19:34:22
Nit: Error => error
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
|
+ } |
+ return result; |
+} |
+ |
#if defined(USE_NSS) |
FilePath GetDefaultConfigDirectory() { |
FilePath dir = file_util::GetHomeDir(); |
@@ -62,8 +90,6 @@ FilePath GetDefaultConfigDirectory() { |
// caller to failover to NSS_NoDB_Init() at that point. |
FilePath GetInitialConfigDirectory() { |
#if defined(OS_CHROMEOS) |
- static const FilePath::CharType kReadOnlyCertDB[] = |
- FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); |
return FilePath(kReadOnlyCertDB); |
#else |
return GetDefaultConfigDirectory(); |
@@ -73,6 +99,12 @@ FilePath GetInitialConfigDirectory() { |
// This callback for NSS forwards all requests to a caller-specified |
// CryptoModuleBlockingPasswordDelegate object. |
char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { |
+#if defined(OS_CHROMEOS) |
+ // If we get asked for a password for the TPM, then return the |
+ // static password we use. |
+ if (PK11_GetTokenName(slot) == base::GetTPMTokenName()) |
+ return PORT_Strdup(kTPMUserPin); |
+#endif |
base::CryptoModuleBlockingPasswordDelegate* delegate = |
reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); |
if (delegate) { |
@@ -116,21 +148,42 @@ void UseLocalCacheOfNSSDatabaseIfNFS(const FilePath& database_dir) { |
#endif // defined(OS_LINUX) |
} |
-// Load nss's built-in root certs. |
-SECMODModule *InitDefaultRootCerts() { |
- const char* kModulePath = "libnssckbi.so"; |
- char modparams[1024]; |
- snprintf(modparams, sizeof(modparams), |
- "name=\"Root Certs\" library=\"%s\"", kModulePath); |
- SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE); |
- if (root) |
- return root; |
- |
- // Aw, snap. Can't find/load root cert shared library. |
- // This will make it hard to talk to anybody via https. |
- NOTREACHED(); |
+// A helper class that acquires the SECMOD list read lock while the |
+// AutoSECMODListReadLock is in scope. |
+class AutoSECMODListReadLock { |
+ public: |
+ AutoSECMODListReadLock() |
+ : lock_(SECMOD_GetDefaultModuleListLock()) { |
+ SECMOD_GetReadLock(lock_); |
+ } |
+ |
+ ~AutoSECMODListReadLock() { |
+ if (lock_) |
wtc
2011/03/17 19:34:22
Nit: delete the if (lock_) test because it's also
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
|
+ SECMOD_ReleaseReadLock(lock_); |
+ } |
+ |
+ private: |
+ SECMODListLock* lock_; |
+ DISALLOW_COPY_AND_ASSIGN(AutoSECMODListReadLock); |
+}; |
+ |
+PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) { |
+ AutoSECMODListReadLock auto_lock; |
+ SECMODModuleList* head = SECMOD_GetDefaultModuleList(); |
+ for(SECMODModuleList* item = head; item != NULL; item = item->next) { |
wtc
2011/03/17 19:34:22
Nit: add a space after 'for'.
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
|
+ DCHECK(item); |
+ DCHECK(item->module); // This shouldn't happen or NSS would crash anyhow. |
wtc
2011/03/17 19:34:22
Defintely remove DCHECK(item) on line 174 because
Greg Spencer (Chromium)
2011/03/17 22:41:09
Yeah, I think I agree with you. I didn't have thi
|
+ int slot_count = item->module->loaded ? item->module->slotCount : 0; |
+ for (int i = 0; i < slot_count; i++) { |
+ PK11SlotInfo* slot = item->module->slots[i]; |
+ if (PK11_GetTokenName(slot) == token_name) { |
+ return PK11_ReferenceSlot(slot); |
+ } |
wtc
2011/03/17 19:34:22
Nit: omit curly braces around one-liner if bodies.
Greg Spencer (Chromium)
2011/03/17 22:41:09
Sorry, long standing habit.
|
+ } |
+ } |
return NULL; |
} |
+ |
#endif // defined(USE_NSS) |
// A singleton to initialize/deinitialize NSPR. |
@@ -166,15 +219,51 @@ class NSSInitSingleton { |
void OpenPersistentNSSDB() { |
if (!chromeos_user_logged_in_) { |
// GetDefaultConfigDirectory causes us to do blocking IO on UI thread. |
- // Temporarily allow it until we fix http://crbug.com.70119 |
+ // Temporarily allow it until we fix http://crbug.com/70119 |
ThreadRestrictions::ScopedAllowIO allow_io; |
chromeos_user_logged_in_ = true; |
- real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), |
- "Real NSS database"); |
+ |
+ // This creates a new DB slot in NSS that is read/write, unlike |
+ // the cert DB and the "default" crypto key provider, which are |
wtc
2011/03/17 19:34:22
Nit: "the cert DB" here is the fake root CA cert D
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
|
+ // still read-only (because we initialized NSS before we had a |
+ // cryptohome mounted). |
+ real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), kNSSDatabaseName); |
+ |
+ // This loads the opencryptoki module so we can talk to the |
+ // hardware TPM. |
+ opencryptoki_module_ = LoadModule( |
+ "opencryptoki", |
+ "/usr/lib/opencryptoki/libopencryptoki.so", |
+ // trustOrder=100 -- means it'll select this as the most |
+ // trusted slot for the mechanisms it provides. |
+ // slotParams=... -- selects RSA as only mechanism, and only |
+ // asks for the password when necessary (instead of every |
+ // time, or after a timeout). |
+ "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); |
+ if (opencryptoki_module_) { |
+ // We shouldn't need to initialize the TPM PIN here because |
+ // it'll be taken care of by cryptohomed, but we have to make |
+ // sure that it is initialized. |
+ |
+ // TODO(gspencer): replace this with a dbus call to check and |
+ // see that cryptohomed has initialized the PINs already. |
+ EnsureTPMInit(); |
+ } |
} |
} |
+ |
+ std::string GetTPMTokenName() { |
+ // TODO(gspencer): This should come from the dbus interchange with |
+ // cryptohomed instead of being hard-coded. |
+ return std::string(kTPMTokenName); |
+ } |
+ |
+ PK11SlotInfo* GetTPMSlot() { |
+ return FindSlotWithTokenName(GetTPMTokenName()); |
+ } |
#endif // defined(OS_CHROMEOS) |
+ |
bool OpenTestNSSDB(const FilePath& path, const char* description) { |
test_db_slot_ = OpenUserDB(path, description); |
return !!test_db_slot_; |
@@ -211,6 +300,7 @@ class NSSInitSingleton { |
: real_db_slot_(NULL), |
test_db_slot_(NULL), |
root_(NULL), |
+ opencryptoki_module_(NULL), |
chromeos_user_logged_in_(false) { |
EnsureNSPRInit(); |
@@ -241,7 +331,7 @@ class NSSInitSingleton { |
status = NSS_NoDB_Init(NULL); |
if (status != SECSuccess) { |
LOG(ERROR) << "Error initializing NSS without a persistent " |
- "database: NSS error code " << PR_GetError(); |
+ "database: " << GetNSSErrorMessage(); |
} |
#else |
FilePath database_dir = GetInitialConfigDirectory(); |
@@ -263,16 +353,15 @@ class NSSInitSingleton { |
if (status != SECSuccess) { |
LOG(ERROR) << "Error initializing NSS with a persistent " |
"database (" << nss_config_dir |
- << "): NSS error code " << PR_GetError(); |
+ << "): " << GetNSSErrorMessage(); |
} |
} |
if (status != SECSuccess) { |
- LOG(WARNING) << "Initialize NSS without a persistent database " |
- "(~/.pki/nssdb)."; |
+ VLOG(1) << "Initializing NSS without a persistent database."; |
status = NSS_NoDB_Init(NULL); |
if (status != SECSuccess) { |
LOG(ERROR) << "Error initializing NSS without a persistent " |
- "database: NSS error code " << PR_GetError(); |
+ "database: " << GetNSSErrorMessage(); |
return; |
} |
} |
@@ -310,15 +399,69 @@ class NSSInitSingleton { |
SECMOD_DestroyModule(root_); |
root_ = NULL; |
} |
+ if (opencryptoki_module_) { |
+ SECMOD_UnloadUserModule(opencryptoki_module_); |
+ SECMOD_DestroyModule(opencryptoki_module_); |
+ opencryptoki_module_ = NULL; |
+ } |
SECStatus status = NSS_Shutdown(); |
if (status != SECSuccess) { |
// We VLOG(1) because this failure is relatively harmless (leaking, but |
// we're shutting down anyway). |
- VLOG(1) << "NSS_Shutdown failed; see " |
- "http://code.google.com/p/chromium/issues/detail?id=4609"; |
+ VLOG(1) << "NSS_Shutdown failed; see http://crbug.com/4609"; |
+ } |
+ } |
+ |
+#if defined(USE_NSS) |
+ // Load nss's built-in root certs. |
+ SECMODModule* InitDefaultRootCerts() { |
+ SECMODModule* root = LoadModule("Root Certs", "libnssckbi.so", NULL); |
+ if (root) |
+ return root; |
+ |
+ // Aw, snap. Can't find/load root cert shared library. |
+ // This will make it hard to talk to anybody via https. |
+ NOTREACHED(); |
+ return NULL; |
+ } |
+ |
+ // Load the given module for this NSS session. |
+ SECMODModule* LoadModule(const char* name, |
+ const char* library_path, |
+ const char* params) { |
+ std::string modparams = StringPrintf( |
+ "name=\"%s\" library=\"%s\" %s", |
+ name, library_path, params ? params : ""); |
+ |
+ // Shouldn't need to const_cast here, but SECMOD doesn't believe |
+ // in const interfaces. |
wtc
2011/03/17 19:34:22
This is an oversight. I just filed NSS bug 642546
|
+ SECMODModule* module = SECMOD_LoadUserModule( |
+ const_cast<char*>(modparams.c_str()), NULL, PR_FALSE); |
+ if (!module) { |
+ LOG(ERROR) << "Error loading " << name << " module into NSS: " |
+ << GetNSSErrorMessage(); |
+ return NULL; |
+ } |
+ return module; |
+ } |
+#endif |
+ |
+#if defined(OS_CHROMEOS) |
+ void EnsureTPMInit() { |
+ base::ScopedPK11Slot tpm_slot(GetTPMSlot()); |
+ if (tpm_slot.get()) { |
+ // TODO(gspencer): Remove this in favor of the dbus API for |
+ // cryptohomed when that is available. |
+ if (PK11_NeedUserInit(tpm_slot.get())) { |
+ AutoNSSWriteLock lock; |
wtc
2011/03/17 19:34:22
BUG: the NSSWriteLock is not necessary here becaus
Greg Spencer (Chromium)
2011/03/17 22:41:09
OK, Removed. It wasn't clear to me what parts of
|
+ PK11_InitPin(tpm_slot.get(), |
+ kTPMSecurityOfficerPin, |
+ kTPMUserPin); |
+ } |
} |
} |
+#endif |
static PK11SlotInfo* OpenUserDB(const FilePath& path, |
const char* description) { |
@@ -332,14 +475,15 @@ class NSSInitSingleton { |
} |
else { |
LOG(ERROR) << "Error opening persistent database (" << modspec |
- << "): NSS error code " << PR_GetError(); |
+ << "): " << GetNSSErrorMessage(); |
} |
return db_slot; |
} |
PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. |
PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ |
- SECMODModule *root_; |
+ SECMODModule* root_; |
+ SECMODModule* opencryptoki_module_; |
bool chromeos_user_logged_in_; |
#if defined(USE_NSS) |
// TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 |
@@ -408,7 +552,11 @@ AutoNSSWriteLock::~AutoNSSWriteLock() { |
void OpenPersistentNSSDB() { |
g_nss_singleton.Get().OpenPersistentNSSDB(); |
} |
-#endif |
+ |
+std::string GetTPMTokenName() { |
+ return g_nss_singleton.Get().GetTPMTokenName(); |
+} |
+#endif // defined(OS_CHROMEOS) |
// TODO(port): Implement this more simply. We can convert by subtracting an |
// offset (the difference between NSPR's and base::Time's epochs). |
@@ -433,4 +581,12 @@ PK11SlotInfo* GetDefaultNSSKeySlot() { |
return g_nss_singleton.Get().GetDefaultKeySlot(); |
} |
+PK11SlotInfo* GetPreferredKeySlot() { |
+#if defined(OS_CHROMEOS) |
+ return g_nss_singleton.Get().GetTPMSlot(); |
+#else |
+ return g_nss_singleton.Get().GetDefaultKeySlot(); |
wtc
2011/03/17 19:34:22
Nit: just call GetDefaultNSSKeySlot()?
Greg Spencer (Chromium)
2011/03/17 22:41:09
Done.
|
+#endif |
+} |
+ |
} // namespace base |