Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3149)

Unified Diff: base/nss_util.cc

Issue 6667020: This change loads opencryptoki and uses the TPM for keygen tags. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: cleaning up Created 9 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: base/nss_util.cc
diff --git a/base/nss_util.cc b/base/nss_util.cc
index c78c6d584e51ff680436574b151571e9751f5768..78f4bedc9bb8bc4cc38f118d61de202a8fd3e970 100644
--- a/base/nss_util.cc
+++ b/base/nss_util.cc
@@ -20,6 +20,7 @@
#include <vector>
+#include "base/crypto/scoped_nss_types.h"
#include "base/environment.h"
#include "base/file_path.h"
#include "base/file_util.h"
@@ -43,6 +44,37 @@ namespace base {
namespace {
+#if defined(OS_CHROMEOS)
+const char kNSSDatabaseName[] = "Real NSS database";
+
+// Constants for loading opencryptoki.
+const char kOpencryptokiModuleName[] = "opencryptoki";
+const char kOpencryptokiPath[] = "/usr/lib/opencryptoki/libopencryptoki.so";
+
+// TODO(gspencer): Get these values from cryptohomed's dbus API when
+// we ask if it has initialized the TPM yet. These should not be
+// hard-coded here.
+const char kTPMTokenName[] = "Initialized by CrOS";
+const char kTPMUserPIN[] = "111111";
+const char kTPMSecurityOfficerPIN[] = "000000";
+
+// Fake certificate authority database used for testing.
+static const FilePath::CharType kReadOnlyCertDB[] =
+ FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb");
+#endif // defined(OS_CHROMEOS)
+
+std::string GetNSSErrorMessage() {
+ std::string result;
+ if (PR_GetErrorTextLength()) {
+ scoped_array<char> error_text(new char[PR_GetErrorTextLength() + 1]);
+ PRInt32 copied = PR_GetErrorText(error_text.get());
+ result = std::string(error_text.get(), copied);
+ } else {
+ result = StringPrintf("NSS error code: %d", PR_GetError());
+ }
+ return result;
+}
+
#if defined(USE_NSS)
FilePath GetDefaultConfigDirectory() {
FilePath dir = file_util::GetHomeDir();
@@ -66,8 +98,6 @@ FilePath GetDefaultConfigDirectory() {
// caller to failover to NSS_NoDB_Init() at that point.
FilePath GetInitialConfigDirectory() {
#if defined(OS_CHROMEOS)
- static const FilePath::CharType kReadOnlyCertDB[] =
- FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb");
return FilePath(kReadOnlyCertDB);
#else
return GetDefaultConfigDirectory();
@@ -77,6 +107,12 @@ FilePath GetInitialConfigDirectory() {
// This callback for NSS forwards all requests to a caller-specified
// CryptoModuleBlockingPasswordDelegate object.
char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) {
+#if defined(OS_CHROMEOS)
+ // If we get asked for a password for the TPM, then return the
+ // static password we use.
+ if (PK11_GetTokenName(slot) == base::GetTPMTokenName())
+ return PORT_Strdup(kTPMUserPIN);
+#endif
base::CryptoModuleBlockingPasswordDelegate* delegate =
reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg);
if (delegate) {
@@ -120,21 +156,38 @@ void UseLocalCacheOfNSSDatabaseIfNFS(const FilePath& database_dir) {
#endif // defined(OS_LINUX)
}
-// Load nss's built-in root certs.
-SECMODModule *InitDefaultRootCerts() {
- const char* kModulePath = "libnssckbi.so";
- char modparams[1024];
- snprintf(modparams, sizeof(modparams),
- "name=\"Root Certs\" library=\"%s\"", kModulePath);
- SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE);
- if (root)
- return root;
-
- // Aw, snap. Can't find/load root cert shared library.
- // This will make it hard to talk to anybody via https.
- NOTREACHED();
+// A helper class that acquires the SECMOD list read lock while the
+// AutoSECMODListReadLock is in scope.
+class AutoSECMODListReadLock {
+ public:
+ AutoSECMODListReadLock()
+ : lock_(SECMOD_GetDefaultModuleListLock()) {
+ SECMOD_GetReadLock(lock_);
+ }
+
+ ~AutoSECMODListReadLock() {
+ SECMOD_ReleaseReadLock(lock_);
+ }
+
+ private:
+ SECMODListLock* lock_;
+ DISALLOW_COPY_AND_ASSIGN(AutoSECMODListReadLock);
+};
+
+PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) {
+ AutoSECMODListReadLock auto_lock;
+ SECMODModuleList* head = SECMOD_GetDefaultModuleList();
+ for (SECMODModuleList* item = head; item != NULL; item = item->next) {
+ int slot_count = item->module->loaded ? item->module->slotCount : 0;
+ for (int i = 0; i < slot_count; i++) {
+ PK11SlotInfo* slot = item->module->slots[i];
+ if (PK11_GetTokenName(slot) == token_name)
+ return PK11_ReferenceSlot(slot);
+ }
+ }
return NULL;
}
+
#endif // defined(USE_NSS)
// A singleton to initialize/deinitialize NSPR.
@@ -170,15 +223,62 @@ class NSSInitSingleton {
void OpenPersistentNSSDB() {
if (!chromeos_user_logged_in_) {
// GetDefaultConfigDirectory causes us to do blocking IO on UI thread.
- // Temporarily allow it until we fix http://crbug.com.70119
+ // Temporarily allow it until we fix http://crbug.com/70119
ThreadRestrictions::ScopedAllowIO allow_io;
chromeos_user_logged_in_ = true;
- real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(),
- "Real NSS database");
+
+ // This creates another DB slot in NSS that is read/write, unlike
+ // the fake root CA cert DB and the "default" crypto key
+ // provider, which are still read-only (because we initialized
+ // NSS before we had a cryptohome mounted).
+ software_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(),
+ kNSSDatabaseName);
}
}
+
+ bool EnableTPMForNSS() {
+ if (!opencryptoki_module_) {
+ // This loads the opencryptoki module so we can talk to the
+ // hardware TPM.
+ opencryptoki_module_ = LoadModule(
+ kOpencryptokiModuleName,
+ kOpencryptokiPath,
+ // trustOrder=100 -- means it'll select this as the most
+ // trusted slot for the mechanisms it provides.
+ // slotParams=... -- selects RSA as only mechanism, and only
+ // asks for the password when necessary (instead of every
+ // time, or after a timeout).
+ "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})");
+ if (opencryptoki_module_) {
+ // We shouldn't need to initialize the TPM PIN here because
+ // it'll be taken care of by cryptohomed, but we have to make
+ // sure that it is initialized.
+
+ // TODO(gspencer): replace this with a dbus call that will
+ // check to see that cryptohomed has initialized the PINs, and
+ // will fetch the token name and PINs for accessing the TPM.
+ EnsureTPMInit();
+
+ // If this is set, then we'll use the TPM by default.
+ tpm_db_slot_ = GetTPMSlot();
+ return true;
+ }
+ }
+ return false;
+ }
+
+ std::string GetTPMTokenName() {
+ // TODO(gspencer): This should come from the dbus interchange with
+ // cryptohomed instead of being hard-coded.
+ return std::string(kTPMTokenName);
+ }
+
+ PK11SlotInfo* GetTPMSlot() {
+ return FindSlotWithTokenName(GetTPMTokenName());
+ }
#endif // defined(OS_CHROMEOS)
+
bool OpenTestNSSDB(const FilePath& path, const char* description) {
test_db_slot_ = OpenUserDB(path, description);
return !!test_db_slot_;
@@ -194,11 +294,23 @@ class NSSInitSingleton {
}
}
- PK11SlotInfo* GetDefaultKeySlot() {
+ PK11SlotInfo* GetPublicNSSKeySlot() {
if (test_db_slot_)
return PK11_ReferenceSlot(test_db_slot_);
- if (real_db_slot_)
- return PK11_ReferenceSlot(real_db_slot_);
+ if (software_db_slot_)
+ return PK11_ReferenceSlot(software_db_slot_);
+ return PK11_GetInternalKeySlot();
+ }
+
+ PK11SlotInfo* GetPrivateNSSKeySlot() {
+ if (test_db_slot_)
+ return PK11_ReferenceSlot(test_db_slot_);
+ // If the TPM slot has been opened, then return that one.
+ if (tpm_db_slot_)
+ return PK11_ReferenceSlot(tpm_db_slot_);
+ // If it hasn't, then return the software slot.
+ if (software_db_slot_)
+ return PK11_ReferenceSlot(software_db_slot_);
return PK11_GetInternalKeySlot();
}
@@ -218,8 +330,10 @@ class NSSInitSingleton {
friend struct DefaultLazyInstanceTraits<NSSInitSingleton>;
NSSInitSingleton()
- : real_db_slot_(NULL),
+ : opencryptoki_module_(NULL),
+ software_db_slot_(NULL),
test_db_slot_(NULL),
+ tpm_db_slot_(NULL),
root_(NULL),
chromeos_user_logged_in_(false) {
EnsureNSPRInit();
@@ -257,7 +371,7 @@ class NSSInitSingleton {
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
LOG(ERROR) << "Error initializing NSS without a persistent "
- "database: NSS error code " << PR_GetError();
+ "database: " << GetNSSErrorMessage();
}
} else {
#if defined(USE_NSS)
@@ -280,16 +394,15 @@ class NSSInitSingleton {
if (status != SECSuccess) {
LOG(ERROR) << "Error initializing NSS with a persistent "
"database (" << nss_config_dir
- << "): NSS error code " << PR_GetError();
+ << "): " << GetNSSErrorMessage();
}
}
if (status != SECSuccess) {
- LOG(WARNING) << "Initialize NSS without a persistent database "
- "(~/.pki/nssdb).";
+ VLOG(1) << "Initializing NSS without a persistent database.";
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
LOG(ERROR) << "Error initializing NSS without a persistent "
- "database: NSS error code " << PR_GetError();
+ "database: " << GetNSSErrorMessage();
return;
}
}
@@ -317,10 +430,14 @@ class NSSInitSingleton {
// prevent non-joinable threads from using NSS after it's already been shut
// down.
~NSSInitSingleton() {
- if (real_db_slot_) {
- SECMOD_CloseUserDB(real_db_slot_);
- PK11_FreeSlot(real_db_slot_);
- real_db_slot_ = NULL;
+ if (tpm_db_slot_) {
+ PK11_FreeSlot(tpm_db_slot_);
+ tpm_db_slot_ = NULL;
+ }
+ if (software_db_slot_) {
+ SECMOD_CloseUserDB(software_db_slot_);
+ PK11_FreeSlot(software_db_slot_);
+ software_db_slot_ = NULL;
}
CloseTestNSSDB();
if (root_) {
@@ -328,16 +445,71 @@ class NSSInitSingleton {
SECMOD_DestroyModule(root_);
root_ = NULL;
}
+ if (opencryptoki_module_) {
+ SECMOD_UnloadUserModule(opencryptoki_module_);
+ SECMOD_DestroyModule(opencryptoki_module_);
+ opencryptoki_module_ = NULL;
+ }
SECStatus status = NSS_Shutdown();
if (status != SECSuccess) {
// We VLOG(1) because this failure is relatively harmless (leaking, but
// we're shutting down anyway).
- VLOG(1) << "NSS_Shutdown failed; see "
- "http://code.google.com/p/chromium/issues/detail?id=4609";
+ VLOG(1) << "NSS_Shutdown failed; see http://crbug.com/4609";
}
}
+#if defined(USE_NSS)
+ // Load nss's built-in root certs.
+ SECMODModule* InitDefaultRootCerts() {
+ SECMODModule* root = LoadModule("Root Certs", "libnssckbi.so", NULL);
+ if (root)
+ return root;
+
+ // Aw, snap. Can't find/load root cert shared library.
+ // This will make it hard to talk to anybody via https.
+ NOTREACHED();
+ return NULL;
+ }
+
+ // Load the given module for this NSS session.
+ SECMODModule* LoadModule(const char* name,
+ const char* library_path,
+ const char* params) {
+ std::string modparams = StringPrintf(
+ "name=\"%s\" library=\"%s\" %s",
+ name, library_path, params ? params : "");
+
+ // Shouldn't need to const_cast here, but SECMOD doesn't properly
+ // declare input string arguments as const. Bug
+ // https://bugzilla.mozilla.org/show_bug.cgi?id=642546 was filed
+ // on NSS codebase to address this.
+ SECMODModule* module = SECMOD_LoadUserModule(
+ const_cast<char*>(modparams.c_str()), NULL, PR_FALSE);
+ if (!module) {
+ LOG(ERROR) << "Error loading " << name << " module into NSS: "
+ << GetNSSErrorMessage();
+ return NULL;
+ }
+ return module;
+ }
+#endif
+
+#if defined(OS_CHROMEOS)
+ void EnsureTPMInit() {
+ base::ScopedPK11Slot tpm_slot(GetTPMSlot());
+ if (tpm_slot.get()) {
+ // TODO(gspencer): Remove this in favor of the dbus API for
+ // cryptohomed when that is available.
+ if (PK11_NeedUserInit(tpm_slot.get())) {
+ PK11_InitPin(tpm_slot.get(),
+ kTPMSecurityOfficerPIN,
+ kTPMUserPIN);
+ }
+ }
+ }
+#endif
+
static PK11SlotInfo* OpenUserDB(const FilePath& path,
const char* description) {
const std::string modspec =
@@ -350,7 +522,7 @@ class NSSInitSingleton {
}
else {
LOG(ERROR) << "Error opening persistent database (" << modspec
- << "): NSS error code " << PR_GetError();
+ << "): " << GetNSSErrorMessage();
}
return db_slot;
}
@@ -358,9 +530,11 @@ class NSSInitSingleton {
// If this is set to true NSS is forced to be initialized without a DB.
static bool force_nodb_init_;
- PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL.
- PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_
- SECMODModule *root_;
+ SECMODModule* opencryptoki_module_;
+ PK11SlotInfo* software_db_slot_;
+ PK11SlotInfo* test_db_slot_;
+ PK11SlotInfo* tpm_db_slot_;
wtc 2011/04/07 05:56:33 This should be just tpm_slot_. TPM is not a datab
Greg Spencer (Chromium) 2011/04/07 16:46:28 removed _db from both. I agree that they are not
+ SECMODModule* root_;
bool chromeos_user_logged_in_;
#if defined(USE_NSS)
// TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011
@@ -482,7 +656,15 @@ AutoNSSWriteLock::~AutoNSSWriteLock() {
void OpenPersistentNSSDB() {
g_nss_singleton.Get().OpenPersistentNSSDB();
}
-#endif
+
+bool EnableTPMForNSS() {
+ return g_nss_singleton.Get().EnableTPMForNSS();
+}
+
+std::string GetTPMTokenName() {
+ return g_nss_singleton.Get().GetTPMTokenName();
+}
+#endif // defined(OS_CHROMEOS)
// TODO(port): Implement this more simply. We can convert by subtracting an
// offset (the difference between NSPR's and base::Time's epochs).
@@ -503,8 +685,12 @@ Time PRTimeToBaseTime(PRTime prtime) {
return Time::FromUTCExploded(exploded);
}
-PK11SlotInfo* GetDefaultNSSKeySlot() {
- return g_nss_singleton.Get().GetDefaultKeySlot();
+PK11SlotInfo* GetPublicNSSKeySlot() {
+ return g_nss_singleton.Get().GetPublicNSSKeySlot();
+}
+
+PK11SlotInfo* GetPrivateNSSKeySlot() {
+ return g_nss_singleton.Get().GetPrivateNSSKeySlot();
}
} // namespace base
« no previous file with comments | « base/nss_util.h ('k') | base/nss_util_internal.h » ('j') | base/nss_util_internal.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698