authormattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-11-13 03:29:22 +0000
committermattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-11-13 03:29:22 +0000
commit6e7da44d1c6183f65db77ee7ba0e4769cce7801f (patch)
tree97d9ecc5480b1356f8a286e51efdb485a9529d42 /crypto/ec_private_key_nss.cc
parentae72d81219fa0a2dc2fc48857160d3117bd56523 (diff)
NSS: {EC,RSA}PrivateKey shouldn't call crypto::GetPublicNSSKeySlot or GetPrivateNSSKeySlot.
Make ECPrivateKey use PK11_GetInternalKeySlot for temporary keys. Make ECPrivateKey and RSAPrivateKey "sensitive" functions take slot as parameter. This avoids calling non-thread-safe functions in nss_util on arbitrary threads. Also removes the ANNOTATE_SCOPED_MEMORY_LEAK from RSAPrivateKey which should no longer be necessary. BUG=125848,34742 Review URL: https://codereview.chromium.org/66213002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@234726 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'crypto/ec_private_key_nss.cc')
-rw-r--r--crypto/ec_private_key_nss.cc76
1 files changed, 37 insertions, 39 deletions
diff --git a/crypto/ec_private_key_nss.cc b/crypto/ec_private_key_nss.cc
index 9bb9df1..1d3bf88 100644
--- a/crypto/ec_private_key_nss.cc
+++ b/crypto/ec_private_key_nss.cc
@@ -25,8 +25,8 @@ extern "C" {
namespace {
-PK11SlotInfo* GetKeySlot() {
- return crypto::GetPublicNSSKeySlot();
+PK11SlotInfo* GetTempKeySlot() {
+ return PK11_GetInternalSlot();
}
class EllipticCurveSupportChecker {
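Review bot: GetTempKeySlot() has no comment saying which NSS slot it returns or who owns the result, and the commit description names PK11_GetInternalKeySlot while the code calls `PK11_GetInternalSlot()`. These are two distinct NSS functions (internal crypto slot versus internal key-database slot), so the intended one should be stated at the definition. Both hand back a reference the caller must release, which the callers in this file appear to do by wrapping it in ScopedPK11Slot. Suggested comment above the helper: `// Returns a new reference to NSS's internal crypto slot, used only for temporary (session) keys; callers own it and should hold it in a ScopedPK11Slot. NSS must already be initialized.`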
@@ -37,7 +37,7 @@ class EllipticCurveSupportChecker {
// support ECDSA may block NSS, and the value may also change as devices are
// inserted/removed, so we would need to re-check on every use.
crypto::EnsureNSSInit();
- crypto::ScopedPK11Slot slot(GetKeySlot());
+ crypto::ScopedPK11Slot slot(GetTempKeySlot());
supported_ = PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) &&
PK11_DoesMechanism(slot.get(), CKM_ECDSA);
}
@@ -88,58 +88,59 @@ bool ECPrivateKey::IsSupported() {
// static
ECPrivateKey* ECPrivateKey::Create() {
- return CreateWithParams(PR_FALSE /* not permanent */,
- PR_FALSE /* not sensitive */);
+ EnsureNSSInit();
+
+ ScopedPK11Slot slot(GetTempKeySlot());
+ return CreateWithParams(slot.get(),
+ false /* not permanent */,
+ false /* not sensitive */);
}
-// static
-ECPrivateKey* ECPrivateKey::CreateSensitive() {
#if defined(USE_NSS)
- return CreateWithParams(PR_TRUE /* permanent */,
- PR_TRUE /* sensitive */);
-#else
- // If USE_NSS is not defined, we initialize NSS with no databases, so we can't
- // create permanent keys.
- NOTREACHED();
- return NULL;
-#endif
+// static
+ECPrivateKey* ECPrivateKey::CreateSensitive(PK11SlotInfo* slot) {
+ return CreateWithParams(
+ slot, true /* permanent */, true /* sensitive */);
}
+#endif
// static
ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
const std::string& password,
const std::vector<uint8>& encrypted_private_key_info,
const std::vector<uint8>& subject_public_key_info) {
+ EnsureNSSInit();
+
+ ScopedPK11Slot slot(GetTempKeySlot());
return CreateFromEncryptedPrivateKeyInfoWithParams(
+ slot.get(),
password,
encrypted_private_key_info,
subject_public_key_info,
- PR_FALSE /* not permanent */,
- PR_FALSE /* not sensitive */);
+ false /* not permanent */,
+ false /* not sensitive */);
}
+#if defined(USE_NSS)
// static
ECPrivateKey* ECPrivateKey::CreateSensitiveFromEncryptedPrivateKeyInfo(
+ PK11SlotInfo* slot,
const std::string& password,
const std::vector<uint8>& encrypted_private_key_info,
const std::vector<uint8>& subject_public_key_info) {
-#if defined(USE_NSS)
return CreateFromEncryptedPrivateKeyInfoWithParams(
+ slot,
password,
encrypted_private_key_info,
subject_public_key_info,
- PR_TRUE /* permanent */,
- PR_TRUE /* sensitive */);
-#else
- // If USE_NSS is not defined, we initialize NSS with no databases, so we can't
- // create permanent keys.
- NOTREACHED();
- return NULL;
-#endif
+ true /* permanent */,
+ true /* sensitive */);
}
+#endif
// static
bool ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
+ PK11SlotInfo* slot,
const std::string& password,
const uint8* encrypted_private_key_info,
size_t encrypted_private_key_info_len,
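Review bot: CreateSensitive() and CreateSensitiveFromEncryptedPrivateKeyInfo() now take a raw `PK11SlotInfo* slot`, but nothing here states the contract for it. These two entry points no longer reach EnsureNSSInit(), which this commit moves into Create() and CreateFromEncryptedPrivateKeyInfo() only, and they pass the pointer through without taking a reference. Unless the header already says so, add a comment above each, e.g. `// |slot| is borrowed: the caller keeps its own reference, must have initialized NSS, and is responsible for the slot being usable for permanent, sensitive keys. Returns NULL on failure.` The hunk ends inside the ImportFromEncryptedPrivateKeyInfo signature, so that function's body is not covered by this note.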
@@ -148,8 +149,7 @@ bool ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
bool sensitive,
SECKEYPrivateKey** key,
SECKEYPublicKey** public_key) {
- ScopedPK11Slot slot(GetKeySlot());
- if (!slot.get())
+ if (!slot)
return false;
*public_key = SECKEY_ExtractPublicKey(decoded_spki);
@@ -188,7 +188,7 @@ bool ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
};
rv = ImportEncryptedECPrivateKeyInfoAndReturnKey(
- slot.get(),
+ slot,
&epki,
&password_item,
NULL, // nickname
@@ -275,16 +275,14 @@ bool ECPrivateKey::ExportECParams(std::vector<uint8>* output) {
ECPrivateKey::ECPrivateKey() : key_(NULL), public_key_(NULL) {}
// static
-ECPrivateKey* ECPrivateKey::CreateWithParams(bool permanent,
+ECPrivateKey* ECPrivateKey::CreateWithParams(PK11SlotInfo* slot,
+ bool permanent,
bool sensitive) {
- EnsureNSSInit();
+ if (!slot)
+ return NULL;
scoped_ptr<ECPrivateKey> result(new ECPrivateKey);
- ScopedPK11Slot slot(GetKeySlot());
- if (!slot.get())
- return NULL;
-
SECOidData* oid_data = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP256R1);
if (!oid_data) {
DLOG(ERROR) << "SECOID_FindOIDByTag: " << PORT_GetError();
@@ -306,7 +304,7 @@ ECPrivateKey* ECPrivateKey::CreateWithParams(bool permanent,
ec_parameters.data[1] = oid_data->oid.len;
memcpy(ec_parameters.data + 2, oid_data->oid.data, oid_data->oid.len);
- result->key_ = PK11_GenerateKeyPair(slot.get(),
+ result->key_ = PK11_GenerateKeyPair(slot,
CKM_EC_KEY_PAIR_GEN,
&ec_parameters,
&result->public_key_,
@@ -323,13 +321,12 @@ ECPrivateKey* ECPrivateKey::CreateWithParams(bool permanent,
// static
ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfoWithParams(
+ PK11SlotInfo* slot,
const std::string& password,
const std::vector<uint8>& encrypted_private_key_info,
const std::vector<uint8>& subject_public_key_info,
bool permanent,
bool sensitive) {
- EnsureNSSInit();
-
scoped_ptr<ECPrivateKey> result(new ECPrivateKey);
SECItem encoded_spki = {
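Review bot: CreateFromEncryptedPrivateKeyInfoWithParams() does not get the `if (!slot) return NULL;` guard that this commit adds at the top of CreateWithParams(). With a null slot it still allocates the ECPrivateKey and decodes the SubjectPublicKeyInfo, and is rejected only later by the `if (!slot)` check inside ImportFromEncryptedPrivateKeyInfo(). For consistency, and so that caller-supplied data is not parsed on a call that cannot succeed, put the same two-line guard first in this function: `if (!slot)` / `return NULL;`. The function body continues outside this hunk.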
@@ -344,7 +341,8 @@ ECPrivateKey* ECPrivateKey::CreateFromEncryptedPrivateKeyInfoWithParams(
return NULL;
}
- bool success = ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
+ bool success = ImportFromEncryptedPrivateKeyInfo(
+ slot,
password,
&encrypted_private_key_info[0],
encrypted_private_key_info.size(),
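Review bot: `&encrypted_private_key_info[0]` in the ImportFromEncryptedPrivateKeyInfo() call is undefined behaviour when the vector is empty, and this buffer is the caller-supplied encrypted key blob. No emptiness check is visible in this hunk; the start of the function lies outside it, so one may already exist. If it does not, reject the empty case before the call, e.g. `if (encrypted_private_key_info.empty()) return NULL;`.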