OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef CRYPTO_NSS_UTIL_H_ |
| 6 #define CRYPTO_NSS_UTIL_H_ |
| 7 #pragma once |
| 8 |
| 9 #include <string> |
| 10 #include "base/basictypes.h" |
| 11 |
| 12 #if defined(USE_NSS) |
| 13 class FilePath; |
| 14 #endif // defined(USE_NSS) |
| 15 |
| 16 namespace base { |
| 17 class Lock; |
| 18 class Time; |
| 19 } // namespace base |
| 20 |
| 21 // This file specifically doesn't depend on any NSS or NSPR headers because it |
| 22 // is included by various (non-crypto) parts of chrome to call the |
| 23 // initialization functions. |
| 24 namespace crypto { |
| 25 |
| 26 #if defined(USE_NSS) |
| 27 // EarlySetupForNSSInit performs lightweight setup which must occur before the |
| 28 // process goes multithreaded. This does not initialise NSS. For test, see |
| 29 // EnsureNSSInit. |
| 30 void EarlySetupForNSSInit(); |
| 31 #endif |
| 32 |
| 33 // Initialize NRPR if it isn't already initialized. This function is |
| 34 // thread-safe, and NSPR will only ever be initialized once. |
| 35 void EnsureNSPRInit(); |
| 36 |
| 37 // Initialize NSS if it isn't already initialized. This must be called before |
| 38 // any other NSS functions. This function is thread-safe, and NSS will only |
| 39 // ever be initialized once. |
| 40 void EnsureNSSInit(); |
| 41 |
| 42 // Call this before calling EnsureNSSInit() will force NSS to initialize |
| 43 // without a persistent DB. This is used for the special case where access of |
| 44 // persistent DB is prohibited. |
| 45 // |
| 46 // TODO(hclam): Isolate loading default root certs. |
| 47 // |
| 48 // NSS will be initialized without loading any user security modules, including |
| 49 // the built-in root certificates module. User security modules need to be |
| 50 // loaded manually after NSS initialization. |
| 51 // |
| 52 // If EnsureNSSInit() is called before then this function has no effect. |
| 53 // |
| 54 // Calling this method only has effect on Linux. |
| 55 // |
| 56 // WARNING: Use this with caution. |
| 57 void ForceNSSNoDBInit(); |
| 58 |
| 59 // This methods is used to disable checks in NSS when used in a forked process. |
| 60 // NSS checks whether it is running a forked process to avoid problems when |
| 61 // using user security modules in a forked process. However if we are sure |
| 62 // there are no modules loaded before the process is forked then there is no |
| 63 // harm disabling the check. |
| 64 // |
| 65 // This method must be called before EnsureNSSInit() to take effect. |
| 66 // |
| 67 // WARNING: Use this with caution. |
| 68 void DisableNSSForkCheck(); |
| 69 |
| 70 // Load NSS library files. This function has no effect on Mac and Windows. |
| 71 // This loads the necessary NSS library files so that NSS can be initialized |
| 72 // after loading additional library files is disallowed, for example when the |
| 73 // sandbox is active. |
| 74 // |
| 75 // Note that this does not load libnssckbi.so which contains the root |
| 76 // certificates. |
| 77 void LoadNSSLibraries(); |
| 78 |
| 79 // Check if the current NSS version is greater than or equals to |version|. |
| 80 // A sample version string is "3.12.3". |
| 81 bool CheckNSSVersion(const char* version); |
| 82 |
| 83 #if defined(OS_CHROMEOS) |
| 84 // Open the r/w nssdb that's stored inside the user's encrypted home |
| 85 // directory. This is the default slot returned by |
| 86 // GetPublicNSSKeySlot(). |
| 87 void OpenPersistentNSSDB(); |
| 88 |
| 89 // Load the opencryptoki library into NSS so that we can access the |
| 90 // TPM through NSS. Once this is called, GetPrivateNSSKeySlot() will |
| 91 // return the TPM slot if one was found. Returns false if it was |
| 92 // unable to load opencryptoki or open the TPM slot. |
| 93 bool EnableTPMForNSS(); |
| 94 |
| 95 // Get name for the built-in TPM token on ChromeOS. |
| 96 std::string GetTPMTokenName(); |
| 97 |
| 98 // Get the user PIN for the built-in TPM token on ChromeOS. |
| 99 std::string GetTPMUserPIN(); |
| 100 #endif |
| 101 |
| 102 // Convert a NSS PRTime value into a base::Time object. |
| 103 // We use a int64 instead of PRTime here to avoid depending on NSPR headers. |
| 104 base::Time PRTimeToBaseTime(int64 prtime); |
| 105 |
| 106 #if defined(USE_NSS) |
| 107 // Exposed for unittests only. |path| should be an existing directory under |
| 108 // which the DB files will be placed. |description| is a user-visible name for |
| 109 // the DB, as a utf8 string, which will be truncated at 32 bytes. |
| 110 bool OpenTestNSSDB(const FilePath& path, const char* description); |
| 111 void CloseTestNSSDB(); |
| 112 |
| 113 // NSS has a bug which can cause a deadlock or stall in some cases when writing |
| 114 // to the certDB and keyDB. It also has a bug which causes concurrent key pair |
| 115 // generations to scribble over each other. To work around this, we synchronize |
| 116 // writes to the NSS databases with a global lock. The lock is hidden beneath a |
| 117 // function for easy disabling when the bug is fixed. Callers should allow for |
| 118 // it to return NULL in the future. |
| 119 // |
| 120 // See https://bugzilla.mozilla.org/show_bug.cgi?id=564011 |
| 121 base::Lock* GetNSSWriteLock(); |
| 122 |
| 123 // A helper class that acquires the NSS write Lock while the AutoNSSWriteLock |
| 124 // is in scope. |
| 125 class AutoNSSWriteLock { |
| 126 public: |
| 127 AutoNSSWriteLock(); |
| 128 ~AutoNSSWriteLock(); |
| 129 private: |
| 130 base::Lock *lock_; |
| 131 DISALLOW_COPY_AND_ASSIGN(AutoNSSWriteLock); |
| 132 }; |
| 133 |
| 134 #endif // defined(USE_NSS) |
| 135 |
| 136 } // namespace crypto |
| 137 |
| 138 #endif // CRYPTO_NSS_UTIL_H_ |
OLD | NEW |