OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CRYPTO_NSS_UTIL_H_ | 5 #ifndef CRYPTO_NSS_UTIL_H_ |
6 #define CRYPTO_NSS_UTIL_H_ | 6 #define CRYPTO_NSS_UTIL_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <string> | 9 #include <string> |
10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
11 #include "crypto/crypto_api.h" | 11 #include "crypto/crypto_export.h" |
12 | 12 |
13 #if defined(USE_NSS) | 13 #if defined(USE_NSS) |
14 class FilePath; | 14 class FilePath; |
15 #endif // defined(USE_NSS) | 15 #endif // defined(USE_NSS) |
16 | 16 |
17 namespace base { | 17 namespace base { |
18 class Lock; | 18 class Lock; |
19 class Time; | 19 class Time; |
20 } // namespace base | 20 } // namespace base |
21 | 21 |
22 // This file specifically doesn't depend on any NSS or NSPR headers because it | 22 // This file specifically doesn't depend on any NSS or NSPR headers because it |
23 // is included by various (non-crypto) parts of chrome to call the | 23 // is included by various (non-crypto) parts of chrome to call the |
24 // initialization functions. | 24 // initialization functions. |
25 namespace crypto { | 25 namespace crypto { |
26 | 26 |
27 #if defined(USE_NSS) | 27 #if defined(USE_NSS) |
28 // EarlySetupForNSSInit performs lightweight setup which must occur before the | 28 // EarlySetupForNSSInit performs lightweight setup which must occur before the |
29 // process goes multithreaded. This does not initialise NSS. For test, see | 29 // process goes multithreaded. This does not initialise NSS. For test, see |
30 // EnsureNSSInit. | 30 // EnsureNSSInit. |
31 CRYPTO_API void EarlySetupForNSSInit(); | 31 CRYPTO_EXPORT void EarlySetupForNSSInit(); |
32 #endif | 32 #endif |
33 | 33 |
34 // Initialize NRPR if it isn't already initialized. This function is | 34 // Initialize NRPR if it isn't already initialized. This function is |
35 // thread-safe, and NSPR will only ever be initialized once. | 35 // thread-safe, and NSPR will only ever be initialized once. |
36 void CRYPTO_API EnsureNSPRInit(); | 36 CRYPTO_EXPORT void EnsureNSPRInit(); |
37 | 37 |
38 // Initialize NSS if it isn't already initialized. This must be called before | 38 // Initialize NSS if it isn't already initialized. This must be called before |
39 // any other NSS functions. This function is thread-safe, and NSS will only | 39 // any other NSS functions. This function is thread-safe, and NSS will only |
40 // ever be initialized once. | 40 // ever be initialized once. |
41 void CRYPTO_API EnsureNSSInit(); | 41 CRYPTO_EXPORT void EnsureNSSInit(); |
42 | 42 |
43 // Call this before calling EnsureNSSInit() will force NSS to initialize | 43 // Call this before calling EnsureNSSInit() will force NSS to initialize |
44 // without a persistent DB. This is used for the special case where access of | 44 // without a persistent DB. This is used for the special case where access of |
45 // persistent DB is prohibited. | 45 // persistent DB is prohibited. |
46 // | 46 // |
47 // TODO(hclam): Isolate loading default root certs. | 47 // TODO(hclam): Isolate loading default root certs. |
48 // | 48 // |
49 // NSS will be initialized without loading any user security modules, including | 49 // NSS will be initialized without loading any user security modules, including |
50 // the built-in root certificates module. User security modules need to be | 50 // the built-in root certificates module. User security modules need to be |
51 // loaded manually after NSS initialization. | 51 // loaded manually after NSS initialization. |
52 // | 52 // |
53 // If EnsureNSSInit() is called before then this function has no effect. | 53 // If EnsureNSSInit() is called before then this function has no effect. |
54 // | 54 // |
55 // Calling this method only has effect on Linux. | 55 // Calling this method only has effect on Linux. |
56 // | 56 // |
57 // WARNING: Use this with caution. | 57 // WARNING: Use this with caution. |
58 CRYPTO_API void ForceNSSNoDBInit(); | 58 CRYPTO_EXPORT void ForceNSSNoDBInit(); |
59 | 59 |
60 // This methods is used to disable checks in NSS when used in a forked process. | 60 // This methods is used to disable checks in NSS when used in a forked process. |
61 // NSS checks whether it is running a forked process to avoid problems when | 61 // NSS checks whether it is running a forked process to avoid problems when |
62 // using user security modules in a forked process. However if we are sure | 62 // using user security modules in a forked process. However if we are sure |
63 // there are no modules loaded before the process is forked then there is no | 63 // there are no modules loaded before the process is forked then there is no |
64 // harm disabling the check. | 64 // harm disabling the check. |
65 // | 65 // |
66 // This method must be called before EnsureNSSInit() to take effect. | 66 // This method must be called before EnsureNSSInit() to take effect. |
67 // | 67 // |
68 // WARNING: Use this with caution. | 68 // WARNING: Use this with caution. |
69 CRYPTO_API void DisableNSSForkCheck(); | 69 CRYPTO_EXPORT void DisableNSSForkCheck(); |
70 | 70 |
71 // Load NSS library files. This function has no effect on Mac and Windows. | 71 // Load NSS library files. This function has no effect on Mac and Windows. |
72 // This loads the necessary NSS library files so that NSS can be initialized | 72 // This loads the necessary NSS library files so that NSS can be initialized |
73 // after loading additional library files is disallowed, for example when the | 73 // after loading additional library files is disallowed, for example when the |
74 // sandbox is active. | 74 // sandbox is active. |
75 // | 75 // |
76 // Note that this does not load libnssckbi.so which contains the root | 76 // Note that this does not load libnssckbi.so which contains the root |
77 // certificates. | 77 // certificates. |
78 CRYPTO_API void LoadNSSLibraries(); | 78 CRYPTO_EXPORT void LoadNSSLibraries(); |
79 | 79 |
80 // Check if the current NSS version is greater than or equals to |version|. | 80 // Check if the current NSS version is greater than or equals to |version|. |
81 // A sample version string is "3.12.3". | 81 // A sample version string is "3.12.3". |
82 bool CheckNSSVersion(const char* version); | 82 bool CheckNSSVersion(const char* version); |
83 | 83 |
84 #if defined(OS_CHROMEOS) | 84 #if defined(OS_CHROMEOS) |
85 // Open the r/w nssdb that's stored inside the user's encrypted home | 85 // Open the r/w nssdb that's stored inside the user's encrypted home |
86 // directory. This is the default slot returned by | 86 // directory. This is the default slot returned by |
87 // GetPublicNSSKeySlot(). | 87 // GetPublicNSSKeySlot(). |
88 CRYPTO_API void OpenPersistentNSSDB(); | 88 CRYPTO_EXPORT void OpenPersistentNSSDB(); |
89 | 89 |
90 // A delegate class that we can use to access the cros API for | 90 // A delegate class that we can use to access the cros API for |
91 // communication with cryptohomed and the TPM. | 91 // communication with cryptohomed and the TPM. |
92 class CRYPTO_API TPMTokenInfoDelegate { | 92 class CRYPTO_EXPORT TPMTokenInfoDelegate { |
93 public: | 93 public: |
94 TPMTokenInfoDelegate(); | 94 TPMTokenInfoDelegate(); |
95 virtual ~TPMTokenInfoDelegate(); | 95 virtual ~TPMTokenInfoDelegate(); |
96 | 96 |
97 // Returns true if the hardware supports a TPM Token and the TPM is enabled. | 97 // Returns true if the hardware supports a TPM Token and the TPM is enabled. |
98 virtual bool IsTokenAvailable() const = 0; | 98 virtual bool IsTokenAvailable() const = 0; |
99 | 99 |
100 // Returns true if the TPM and PKCS#11 token slot is ready to be used. | 100 // Returns true if the TPM and PKCS#11 token slot is ready to be used. |
101 // If IsTokenAvailable() is false this should return false. | 101 // If IsTokenAvailable() is false this should return false. |
102 // If IsTokenAvailable() is true, this should eventually return true. | 102 // If IsTokenAvailable() is true, this should eventually return true. |
103 virtual bool IsTokenReady() const = 0; | 103 virtual bool IsTokenReady() const = 0; |
104 | 104 |
105 // Fetches token properties. TODO(stevenjb): make this interface asynchronous | 105 // Fetches token properties. TODO(stevenjb): make this interface asynchronous |
106 // so that the implementation does not have to be blocking. | 106 // so that the implementation does not have to be blocking. |
107 virtual void GetTokenInfo(std::string* token_name, | 107 virtual void GetTokenInfo(std::string* token_name, |
108 std::string* user_pin) const = 0; | 108 std::string* user_pin) const = 0; |
109 }; | 109 }; |
110 | 110 |
111 // Indicates that NSS should load the opencryptoki library so that we | 111 // Indicates that NSS should load the opencryptoki library so that we |
112 // can access the TPM through NSS. Once this is called, | 112 // can access the TPM through NSS. Once this is called, |
113 // GetPrivateNSSKeySlot() will return the TPM slot if one was found. | 113 // GetPrivateNSSKeySlot() will return the TPM slot if one was found. |
114 // Takes ownership of the passed-in delegate object so it can access | 114 // Takes ownership of the passed-in delegate object so it can access |
115 // the cros library to talk to cryptohomed. | 115 // the cros library to talk to cryptohomed. |
116 CRYPTO_API void EnableTPMTokenForNSS(TPMTokenInfoDelegate* delegate); | 116 CRYPTO_EXPORT void EnableTPMTokenForNSS(TPMTokenInfoDelegate* delegate); |
117 | 117 |
118 // Get name and user PIN for the built-in TPM token on ChromeOS. | 118 // Get name and user PIN for the built-in TPM token on ChromeOS. |
119 // Either one can safely be NULL. Should only be called after | 119 // Either one can safely be NULL. Should only be called after |
120 // EnableTPMTokenForNSS has been called with a non-null delegate. | 120 // EnableTPMTokenForNSS has been called with a non-null delegate. |
121 CRYPTO_API void GetTPMTokenInfo(std::string* token_name, std::string* user_pin); | 121 CRYPTO_EXPORT void GetTPMTokenInfo(std::string* token_name, |
| 122 std::string* user_pin); |
122 | 123 |
123 // Returns true if the machine has a TPM and it can be used to store tokens. | 124 // Returns true if the machine has a TPM and it can be used to store tokens. |
124 CRYPTO_API bool IsTPMTokenAvailable(); | 125 CRYPTO_EXPORT bool IsTPMTokenAvailable(); |
125 | 126 |
126 // Returns true if the TPM is owned and PKCS#11 initialized with the | 127 // Returns true if the TPM is owned and PKCS#11 initialized with the |
127 // user and security officer PINs, and has been enabled in NSS by | 128 // user and security officer PINs, and has been enabled in NSS by |
128 // calling EnableTPMForNSS, and opencryptoki has been successfully | 129 // calling EnableTPMForNSS, and opencryptoki has been successfully |
129 // loaded into NSS. | 130 // loaded into NSS. |
130 CRYPTO_API bool IsTPMTokenReady(); | 131 CRYPTO_EXPORT bool IsTPMTokenReady(); |
131 | 132 |
132 // Same as IsTPMTokenReady() except this attempts to initialize the token | 133 // Same as IsTPMTokenReady() except this attempts to initialize the token |
133 // if necessary. | 134 // if necessary. |
134 CRYPTO_API bool EnsureTPMTokenReady(); | 135 CRYPTO_EXPORT bool EnsureTPMTokenReady(); |
135 #endif | 136 #endif |
136 | 137 |
137 // Convert a NSS PRTime value into a base::Time object. | 138 // Convert a NSS PRTime value into a base::Time object. |
138 // We use a int64 instead of PRTime here to avoid depending on NSPR headers. | 139 // We use a int64 instead of PRTime here to avoid depending on NSPR headers. |
139 CRYPTO_API base::Time PRTimeToBaseTime(int64 prtime); | 140 CRYPTO_EXPORT base::Time PRTimeToBaseTime(int64 prtime); |
140 | 141 |
141 #if defined(USE_NSS) | 142 #if defined(USE_NSS) |
142 // Exposed for unittests only. |path| should be an existing directory under | 143 // Exposed for unittests only. |path| should be an existing directory under |
143 // which the DB files will be placed. |description| is a user-visible name for | 144 // which the DB files will be placed. |description| is a user-visible name for |
144 // the DB, as a utf8 string, which will be truncated at 32 bytes. | 145 // the DB, as a utf8 string, which will be truncated at 32 bytes. |
145 CRYPTO_API bool OpenTestNSSDB(const FilePath& path, const char* description); | 146 CRYPTO_EXPORT bool OpenTestNSSDB(const FilePath& path, const char* description); |
146 CRYPTO_API void CloseTestNSSDB(); | 147 CRYPTO_EXPORT void CloseTestNSSDB(); |
147 | 148 |
148 // NSS has a bug which can cause a deadlock or stall in some cases when writing | 149 // NSS has a bug which can cause a deadlock or stall in some cases when writing |
149 // to the certDB and keyDB. It also has a bug which causes concurrent key pair | 150 // to the certDB and keyDB. It also has a bug which causes concurrent key pair |
150 // generations to scribble over each other. To work around this, we synchronize | 151 // generations to scribble over each other. To work around this, we synchronize |
151 // writes to the NSS databases with a global lock. The lock is hidden beneath a | 152 // writes to the NSS databases with a global lock. The lock is hidden beneath a |
152 // function for easy disabling when the bug is fixed. Callers should allow for | 153 // function for easy disabling when the bug is fixed. Callers should allow for |
153 // it to return NULL in the future. | 154 // it to return NULL in the future. |
154 // | 155 // |
155 // See https://bugzilla.mozilla.org/show_bug.cgi?id=564011 | 156 // See https://bugzilla.mozilla.org/show_bug.cgi?id=564011 |
156 base::Lock* GetNSSWriteLock(); | 157 base::Lock* GetNSSWriteLock(); |
157 | 158 |
158 // A helper class that acquires the NSS write Lock while the AutoNSSWriteLock | 159 // A helper class that acquires the NSS write Lock while the AutoNSSWriteLock |
159 // is in scope. | 160 // is in scope. |
160 class CRYPTO_API AutoNSSWriteLock { | 161 class CRYPTO_EXPORT AutoNSSWriteLock { |
161 public: | 162 public: |
162 AutoNSSWriteLock(); | 163 AutoNSSWriteLock(); |
163 ~AutoNSSWriteLock(); | 164 ~AutoNSSWriteLock(); |
164 private: | 165 private: |
165 base::Lock *lock_; | 166 base::Lock *lock_; |
166 DISALLOW_COPY_AND_ASSIGN(AutoNSSWriteLock); | 167 DISALLOW_COPY_AND_ASSIGN(AutoNSSWriteLock); |
167 }; | 168 }; |
168 | 169 |
169 #endif // defined(USE_NSS) | 170 #endif // defined(USE_NSS) |
170 | 171 |
171 } // namespace crypto | 172 } // namespace crypto |
172 | 173 |
173 #endif // CRYPTO_NSS_UTIL_H_ | 174 #endif // CRYPTO_NSS_UTIL_H_ |
OLD | NEW |