Chromium Code Reviews Chromium Code Reviews
Issue 6667020:
This change loads opencryptoki and uses the TPM for keygen tags. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: base/nss_util.cc |
| diff --git a/base/nss_util.cc b/base/nss_util.cc |
| index fe78fe0c218bfb37162702f2cf6b5815b52cbe41..33ad5176352273647b50954788891e01057f9dcb 100644 |
| --- a/base/nss_util.cc |
| +++ b/base/nss_util.cc |
| @@ -18,6 +18,7 @@ |
| #include <sys/vfs.h> |
| #endif |
| +#include "base/crypto/scoped_nss_types.h" |
| #include "base/file_util.h" |
| #include "base/lazy_instance.h" |
| #include "base/logging.h" |
| @@ -38,6 +39,30 @@ |
| namespace base { |
| namespace { |
| +#if defined(OS_CHROMEOS) |
| +static const char kNssDatabaseName[] = "Real NSS database"; |
| +static const char kHardwareTokenName[] = "Initialized by CrOS"; |
| +static const char kHardwareTokenUserPin[] = "111111"; |
| +static const char kHardwareTokenSecurityOfficerPin[] = "000000"; |
| + |
| +// Fake certificate authority database used for testing. |
| +static const FilePath::CharType kReadOnlyCertDB[] = |
| + FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); |
| +#endif // defined(OS_CHROMEOS) |
| + |
| +std::string GetNssError() { |
| + std::string result; |
| + if (PR_GetErrorTextLength()) { |
| + char *error_text = new char[PR_GetErrorTextLength() + 1]; |
| + PRInt32 copied = 0; |
| + copied = PR_GetErrorText(error_text); |
|
stevenjb
2011/03/14 18:41:21
nit: combine above two lines?
Greg Spencer (Chromium)
2011/03/14 18:48:09
Done.
|
| + result = std::string(error_text, copied); |
| + delete [] error_text; |
| + } else { |
| + result = StringPrintf("NSS Error code: %d", PR_GetError()); |
| + } |
| + return result; |
| +} |
| #if defined(USE_NSS) |
| FilePath GetDefaultConfigDirectory() { |
| @@ -62,8 +87,6 @@ FilePath GetDefaultConfigDirectory() { |
| // caller to failover to NSS_NoDB_Init() at that point. |
| FilePath GetInitialConfigDirectory() { |
| #if defined(OS_CHROMEOS) |
| - static const FilePath::CharType kReadOnlyCertDB[] = |
| - FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb"); |
| return FilePath(kReadOnlyCertDB); |
| #else |
| return GetDefaultConfigDirectory(); |
| @@ -73,6 +96,12 @@ FilePath GetInitialConfigDirectory() { |
| // This callback for NSS forwards all requests to a caller-specified |
| // CryptoModuleBlockingPasswordDelegate object. |
| char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) { |
| +#if defined(OS_CHROMEOS) |
| + // If we get asked for a password for the hardware token, then |
| + // return the static password we use. |
| + if (std::string(PK11_GetTokenName(slot)) == std::string(kHardwareTokenName)) |
| + return PORT_Strdup(kHardwareTokenUserPin); |
| +#endif |
| base::CryptoModuleBlockingPasswordDelegate* delegate = |
| reinterpret_cast<base::CryptoModuleBlockingPasswordDelegate*>(arg); |
| if (delegate) { |
| @@ -116,22 +145,48 @@ void UseLocalCacheOfNSSDatabaseIfNFS(const FilePath& database_dir) { |
| #endif // defined(OS_LINUX) |
| } |
| -// Load nss's built-in root certs. |
| -SECMODModule *InitDefaultRootCerts() { |
| - const char* kModulePath = "libnssckbi.so"; |
| - char modparams[1024]; |
| - snprintf(modparams, sizeof(modparams), |
| - "name=\"Root Certs\" library=\"%s\"", kModulePath); |
| - SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE); |
| - if (root) |
| - return root; |
| - |
| - // Aw, snap. Can't find/load root cert shared library. |
| - // This will make it hard to talk to anybody via https. |
| - NOTREACHED(); |
| +#endif // defined(USE_NSS) |
| + |
| +// A helper class that acquires the SECMOD list read lock while the |
| +// AutoSECMODListLock is in scope. |
| +class AutoSECMODListLock { |
| + public: |
| + AutoSECMODListLock() |
| + : lock_(SECMOD_GetDefaultModuleListLock()) { |
| + if (!lock_) { |
| + LOG(ERROR) << "AutoSECMODListLock: Unable to obtain lock."; |
| + return; |
| + } |
| + SECMOD_GetReadLock(lock_); |
| + } |
| + |
| + ~AutoSECMODListLock() { |
| + if (lock_) |
| + SECMOD_ReleaseReadLock(lock_); |
| + } |
| + |
| + bool has_lock() { return lock_ != NULL; } |
| + private: |
| + SECMODListLock* lock_; |
| + DISALLOW_COPY_AND_ASSIGN(AutoSECMODListLock); |
| +}; |
| + |
| +PK11SlotInfo* FindTokenByName(const std::string& token_name) { |
| + AutoSECMODListLock auto_lock; |
| + if (!auto_lock.has_lock()) |
| + return NULL; |
| + SECMODModuleList* head = SECMOD_GetDefaultModuleList(); |
| + for(SECMODModuleList* item = head; item != NULL; item = item->next) { |
| + int slot_count = item->module->loaded ? item->module->slotCount : 0; |
| + for (int i = 0; i < slot_count; i++) { |
| + PK11SlotInfo* slot = item->module->slots[i]; |
| + if (std::string(PK11_GetTokenName(slot)) == token_name) { |
| + return PK11_ReferenceSlot(slot); |
| + } |
| + } |
| + } |
| return NULL; |
| } |
| -#endif // defined(USE_NSS) |
| // A singleton to initialize/deinitialize NSPR. |
| // Separate from the NSS singleton because we initialize NSPR on the UI thread. |
| @@ -166,15 +221,45 @@ class NSSInitSingleton { |
| void OpenPersistentNSSDB() { |
| if (!chromeos_user_logged_in_) { |
| // GetDefaultConfigDirectory causes us to do blocking IO on UI thread. |
| - // Temporarily allow it until we fix http://crbug.com.70119 |
| + // Temporarily allow it until we fix http://crbug.com/70119 |
| ThreadRestrictions::ScopedAllowIO allow_io; |
| chromeos_user_logged_in_ = true; |
| - real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), |
| - "Real NSS database"); |
| + |
| + // This creates a new DB slot in NSS that is read/write, unlike |
| + // the cert DB and the "default" crypto key provider, which are |
| + // still read-only (because we initialized NSS before we had a |
| + // cryptohome mounted). |
| + real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), kNssDatabaseName); |
| + |
| + // This loads the opencryptoki module so we can talk to the |
| + // hardware TPM. |
| + opencryptoki_module_ = LoadModule( |
| + "opencryptoki", |
| + "/usr/lib/opencryptoki/libopencryptoki.so", |
| + // trustOrder=100 -- means it'll select this as the most |
| + // trusted slot for the mechanisms it provides. |
| + // slotParams=... -- selects RSA as only mechanism, and only |
| + // asks for the password when necessary (instead of every |
| + // time, or after a timeout). |
| + "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); |
| + if (opencryptoki_module_) { |
| + // We shouldn't need to initialize the RSA PIN here because |
| + // it'll be taken care of by cryptohomed, but we have to make |
| + // sure that it is initialized. |
| + |
| + // TODO(gspencer): replace this with a dbus call to check and |
| + // see that cryptohomed has initialized the PINs already. |
| + EnsureRsaPinInit(); |
| + } |
| } |
| } |
| + |
| + PK11SlotInfo* GetRsaSlot() { |
| + return FindTokenByName(kHardwareTokenName); |
| + } |
| #endif // defined(OS_CHROMEOS) |
| + |
| bool OpenTestNSSDB(const FilePath& path, const char* description) { |
| test_db_slot_ = OpenUserDB(path, description); |
| return !!test_db_slot_; |
| @@ -211,6 +296,7 @@ class NSSInitSingleton { |
| : real_db_slot_(NULL), |
| test_db_slot_(NULL), |
| root_(NULL), |
| + opencryptoki_module_(NULL), |
| chromeos_user_logged_in_(false) { |
| EnsureNSPRInit(); |
| @@ -241,7 +327,7 @@ class NSSInitSingleton { |
| status = NSS_NoDB_Init(NULL); |
| if (status != SECSuccess) { |
| LOG(ERROR) << "Error initializing NSS without a persistent " |
| - "database: NSS error code " << PR_GetError(); |
| + "database: " << GetNssError(); |
| } |
| #else |
| FilePath database_dir = GetInitialConfigDirectory(); |
| @@ -263,16 +349,15 @@ class NSSInitSingleton { |
| if (status != SECSuccess) { |
| LOG(ERROR) << "Error initializing NSS with a persistent " |
| "database (" << nss_config_dir |
| - << "): NSS error code " << PR_GetError(); |
| + << "): " << GetNssError(); |
| } |
| } |
| if (status != SECSuccess) { |
| - LOG(WARNING) << "Initialize NSS without a persistent database " |
| - "(~/.pki/nssdb)."; |
| + VLOG(1) << "Initializing NSS without a persistent database."; |
| status = NSS_NoDB_Init(NULL); |
| if (status != SECSuccess) { |
| LOG(ERROR) << "Error initializing NSS without a persistent " |
| - "database: NSS error code " << PR_GetError(); |
| + "database: " << GetNssError(); |
| return; |
| } |
| } |
| @@ -310,16 +395,68 @@ class NSSInitSingleton { |
| SECMOD_DestroyModule(root_); |
| root_ = NULL; |
| } |
| + if (opencryptoki_module_) { |
| + SECMOD_UnloadUserModule(opencryptoki_module_); |
| + SECMOD_DestroyModule(opencryptoki_module_); |
| + opencryptoki_module_ = NULL; |
| + } |
| SECStatus status = NSS_Shutdown(); |
| if (status != SECSuccess) { |
| // We VLOG(1) because this failure is relatively harmless (leaking, but |
| // we're shutting down anyway). |
| - VLOG(1) << "NSS_Shutdown failed; see " |
| - "http://code.google.com/p/chromium/issues/detail?id=4609"; |
| + VLOG(1) << "NSS_Shutdown failed; see http://crosbug.com/4609"; |
| } |
| } |
| +#if defined(USE_NSS) |
| + // Load nss's built-in root certs. |
| + SECMODModule *InitDefaultRootCerts() { |
| + SECMODModule *root = LoadModule("Root Certs", "libnssckbi.so", NULL); |
| + if (root) |
| + return root; |
| + |
| + // Aw, snap. Can't find/load root cert shared library. |
| + // This will make it hard to talk to anybody via https. |
| + NOTREACHED(); |
| + return NULL; |
| + } |
| +#endif |
| + |
| + // Load the given module for this NSS session. |
| + SECMODModule* LoadModule(const char* name, |
| + const char* library_path, |
| + const char* params) { |
| + std::string modparams = StringPrintf( |
| + "name=\"%s\" library=\"%s\" %s", |
| + name, library_path, params ? params : ""); |
| + |
| + // Shouldn't need to const_cast here, but SECMOD doesn't believe |
| + // in const interfaces. |
| + SECMODModule* module = SECMOD_LoadUserModule( |
| + const_cast<char*>(modparams.c_str()), NULL, PR_FALSE); |
| + if (!module) { |
| + LOG(ERROR) << "Error loading " << name << " module into NSS: " |
| + << GetNssError(); |
| + return NULL; |
| + } |
| + return module; |
| + } |
| + |
| +#if defined(OS_CHROMEOS) |
| + void EnsureRsaPinInit() { |
| + base::ScopedPK11Slot rsa_slot(GetRsaSlot()); |
| + if (rsa_slot.get()) { |
| + if (PK11_NeedUserInit(rsa_slot.get())) { |
| + AutoNSSWriteLock lock; |
| + PK11_InitPin(rsa_slot.get(), |
| + kHardwareTokenSecurityOfficerPin, |
| + kHardwareTokenUserPin); |
| + } |
| + } |
| + } |
| +#endif |
| + |
| static PK11SlotInfo* OpenUserDB(const FilePath& path, |
| const char* description) { |
| const std::string modspec = |
| @@ -332,14 +469,15 @@ class NSSInitSingleton { |
| } |
| else { |
| LOG(ERROR) << "Error opening persistent database (" << modspec |
| - << "): NSS error code " << PR_GetError(); |
| + << "): " << GetNssError(); |
| } |
| return db_slot; |
| } |
| PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. |
| PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ |
| - SECMODModule *root_; |
| + SECMODModule* root_; |
| + SECMODModule* opencryptoki_module_; |
| bool chromeos_user_logged_in_; |
| #if defined(USE_NSS) |
| // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011 |
| @@ -408,7 +546,7 @@ AutoNSSWriteLock::~AutoNSSWriteLock() { |
| void OpenPersistentNSSDB() { |
| g_nss_singleton.Get().OpenPersistentNSSDB(); |
| } |
| -#endif |
| +#endif // defined(OS_CHROMEOS) |
| // TODO(port): Implement this more simply. We can convert by subtracting an |
| // offset (the difference between NSPR's and base::Time's epochs). |
| @@ -433,4 +571,12 @@ PK11SlotInfo* GetDefaultNSSKeySlot() { |
| return g_nss_singleton.Get().GetDefaultKeySlot(); |
| } |
| +PK11SlotInfo* GetRsaKeySlot() { |
| +#if defined(OS_CHROMEOS) |
| + return g_nss_singleton.Get().GetRsaSlot(); |
| +#else |
| + return g_nss_singleton.Get().GetDefaultKeySlot(); |
| +#endif |
| +} |
| + |
| } // namespace base |
