crypto/nss_util: Get TPM slot id, do lookup by id instead of by name.

chromeos/cert_loader: store slot id as int. BUG=302124 Review URL: https://codereview.chromium.org/36593002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@231126 0039d316-1c4b-4281-b951-d872f2087c98
author: mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-10-25 22:03:26 +0000
committer: mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-10-25 22:03:26 +0000
commit: 3f3b9b18150a554f25266ea128c00e7099b44dab (patch)
tree: 0a09cff50617d47ee2c331f1f9b1eeb230548b10 /crypto/nss_util.cc
parent: e5d506af10531be07634ff375e0aea4bd975dbce (diff)
download: chromium_src-3f3b9b18150a554f25266ea128c00e7099b44dab.zip
chromium_src-3f3b9b18150a554f25266ea128c00e7099b44dab.tar.gz
chromium_src-3f3b9b18150a554f25266ea128c00e7099b44dab.tar.bz2
1 files changed, 37 insertions, 24 deletions
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 80191b3..04080ed 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -168,20 +168,6 @@ void UseLocalCacheOfNSSDatabaseIfNFS(const base::FilePath& database_dir) {
 #endif  // defined(OS_LINUX) || defined(OS_OPENBSD)
 }
 
-PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) {
-  AutoSECMODListReadLock auto_lock;
-  SECMODModuleList* head = SECMOD_GetDefaultModuleList();
-  for (SECMODModuleList* item = head; item != NULL; item = item->next) {
-    int slot_count = item->module->loaded ? item->module->slotCount : 0;
-    for (int i = 0; i < slot_count; i++) {
-      PK11SlotInfo* slot = item->module->slots[i];
-      if (PK11_GetTokenName(slot) == token_name)
-        return PK11_ReferenceSlot(slot);
-    }
-  }
-  return NULL;
-}
-
 #endif  // defined(USE_NSS)
 
 // A singleton to initialize/deinitialize NSPR.
@@ -247,10 +233,14 @@ class NSSInitSingleton {
   }
 
   void EnableTPMTokenForNSS() {
+    // If this gets set, then we'll use the TPM for certs with
+    // private keys, otherwise we'll fall back to the software
+    // implementation.
     tpm_token_enabled_for_nss_ = true;
   }
 
   bool InitializeTPMToken(const std::string& token_name,
+                          int token_slot_id,
                           const std::string& user_pin) {
     // If EnableTPMTokenForNSS hasn't been called, return false.
     if (!tpm_token_enabled_for_nss_)
@@ -275,12 +265,15 @@ class NSSInitSingleton {
           //   read from this slot without requiring a call to C_Login.
           // askpw=only -- Only authenticate to the token when necessary.
           "NSS=\"slotParams=(0={slotFlags=[PublicCerts] askpw=only})\"");
+      if (!chaps_module_ && test_slot_) {
+        // chromeos_unittests try to test the TPM initialization process. If we
+        // have a test DB open, pretend that it is the TPM slot.
+        tpm_slot_ = PK11_ReferenceSlot(test_slot_);
+        return true;
+      }
     }
     if (chaps_module_){
-      // If this gets set, then we'll use the TPM for certs with
-      // private keys, otherwise we'll fall back to the software
-      // implementation.
-      tpm_slot_ = GetTPMSlot();
+      tpm_slot_ = GetTPMSlotForId(token_slot_id);
 
       return tpm_slot_ != NULL;
     }
@@ -302,10 +295,22 @@ class NSSInitSingleton {
     return tpm_slot_ != NULL;
   }
 
-  PK11SlotInfo* GetTPMSlot() {
-    std::string token_name;
-    GetTPMTokenInfo(&token_name, NULL);
-    return FindSlotWithTokenName(token_name);
+  // Note that CK_SLOT_ID is an unsigned long, but cryptohome gives us the slot
+  // id as an int. This should be safe since this is only used with chaps, which
+  // we also control.
+  PK11SlotInfo* GetTPMSlotForId(CK_SLOT_ID slot_id) {
+    if (!chaps_module_)
+      return NULL;
+
+    VLOG(1) << "Poking chaps module.";
+    SECStatus rv = SECMOD_UpdateSlotList(chaps_module_);
+    if (rv != SECSuccess)
+      PLOG(ERROR) << "SECMOD_UpdateSlotList failed: " << PORT_GetError();
+
+    PK11SlotInfo* slot = SECMOD_LookupSlot(chaps_module_->moduleID, slot_id);
+    if (!slot)
+      LOG(ERROR) << "TPM slot " << slot_id << " not found.";
+    return slot;
   }
 #endif  // defined(OS_CHROMEOS)
 
@@ -526,7 +531,7 @@ class NSSInitSingleton {
 
     // Aw, snap.  Can't find/load root cert shared library.
     // This will make it hard to talk to anybody via https.
-    NOTREACHED();
+    // TODO(mattm): Re-add the NOTREACHED here when crbug.com/310972 is fixed.
     return NULL;
   }
 
@@ -549,6 +554,12 @@ class NSSInitSingleton {
                  << GetNSSErrorMessage();
       return NULL;
     }
+    if (!module->loaded) {
+      LOG(ERROR) << "After loading " << name << ", loaded==false: "
+                 << GetNSSErrorMessage();
+      SECMOD_DestroyModule(module);
+      return NULL;
+    }
     return module;
   }
 #endif
@@ -752,8 +763,10 @@ bool IsTPMTokenReady() {
 }
 
 bool InitializeTPMToken(const std::string& token_name,
+                        int token_slot_id,
                         const std::string& user_pin) {
-  return g_nss_singleton.Get().InitializeTPMToken(token_name, user_pin);
+  return g_nss_singleton.Get().InitializeTPMToken(
+      token_name, token_slot_id, user_pin);
 }
 #endif  // defined(OS_CHROMEOS)
author	mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-10-25 22:03:26 +0000
committer	mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-10-25 22:03:26 +0000
commit	3f3b9b18150a554f25266ea128c00e7099b44dab (patch)
tree	0a09cff50617d47ee2c331f1f9b1eeb230548b10 /crypto/nss_util.cc
parent	e5d506af10531be07634ff375e0aea4bd975dbce (diff)
download	chromium_src-3f3b9b18150a554f25266ea128c00e7099b44dab.zip chromium_src-3f3b9b18150a554f25266ea128c00e7099b44dab.tar.gz chromium_src-3f3b9b18150a554f25266ea128c00e7099b44dab.tar.bz2