summaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-06 02:37:21 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-06 02:37:21 +0000
commit922899fd889ae914220123b768e14eed79ea9409 (patch)
tree8ccc26814a2ef63358aac0a8bed73e111b32c278 /crypto
parent0a311f79eb90987f2cb418be304705f7262d9de5 (diff)
downloadchromium_src-922899fd889ae914220123b768e14eed79ea9409.zip
chromium_src-922899fd889ae914220123b768e14eed79ea9409.tar.gz
chromium_src-922899fd889ae914220123b768e14eed79ea9409.tar.bz2
Properly pass NSS parameters when initializing the PKCS#11 module on CrOS
When initializing the CHAPS PKCS#11 module in CrOS, properly pass the NSS parameters to SECMOD_LoadUserModule. This ensures that the default flags for the default slot to mark the slot as friendly, which means it is not necessary to call C_Login before calling any read-only operations. Any actions that fail in read-only mode will still call C_Login. BUG=118206, chromium-os:28842 TEST=See bug Review URL: http://codereview.chromium.org/9963127 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@131075 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'crypto')
-rw-r--r--crypto/nss_util.cc59
1 files changed, 7 insertions, 52 deletions
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 43912c2..5b9a387 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -196,32 +196,6 @@ PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) {
#endif // defined(USE_NSS)
-#if defined(OS_CHROMEOS)
-void LogSlotInfo() {
- AutoSECMODListReadLock auto_lock;
- SECMODModuleList* head = SECMOD_GetDefaultModuleList();
- VLOG(1) << "Current PK11 Slot Status:";
- for (SECMODModuleList* item = head; item != NULL; item = item->next) {
- int slot_count = item->module->loaded ? item->module->slotCount : 0;
- for (int i = 0; i < slot_count; i++) {
- PK11SlotInfo* slot = item->module->slots[i];
- if (slot) {
- VLOG(1) << " ###############################";
- VLOG(1) << " Token Name : " << PK11_GetTokenName(slot);
- VLOG(1) << " Slot Name : " << PK11_GetSlotName(slot);
- VLOG(1) << " Slot ID : " << PK11_GetSlotID(slot);
- VLOG(1) << " Is Friendly : "
- << (PK11_IsFriendly(slot) ? "True" : "False");
- VLOG(1) << " Default Flags: " << PK11_GetDefaultFlags(slot);
- VLOG(1) << " Need Login : "
- << (PK11_NeedLogin(slot) ? "Yes" : "No");
- VLOG(1) << " Is Hardware :" << (PK11_IsHW(slot) ? "Yes" : "No");
- }
- }
- }
-}
-#endif
-
// A singleton to initialize/deinitialize NSPR.
// Separate from the NSS singleton because we initialize NSPR on the UI thread.
// Now that we're leaking the singleton, we could merge back with the NSS
@@ -564,38 +538,19 @@ class NSSInitSingleton {
chaps_module_ = LoadModule(
kChapsModuleName,
kChapsPath,
- // trustOrder=100 -- means it'll select this as the most
- // trusted slot for the mechanisms it provides.
- // slotParams=... -- selects RSA as the only mechanism, and only
- // asks for the password when necessary (instead of every
- // time, or after a timeout).
- "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})");
+ // For more details on these parameters, see:
+ // https://developer.mozilla.org/en/PKCS11_Module_Specs
+ // slotFlags=[PublicCerts] -- Certificates and public keys can be
+ // read from this slot without requiring a call to C_Login.
+ // askpw=only -- Only authenticate to the token when necessary.
+ "NSS=\"slotParams=(0={slotFlags=[PublicCerts] askpw=only})\"");
}
- if (chaps_module_ && chaps_module_->loaded) {
- int size = 0;
- PK11DefaultArrayEntry* entries = PK11_GetDefaultArray(&size);
- PK11DefaultArrayEntry* friendly_entry = NULL;
- for (int i = 0; i < size; ++i) {
- if (entries[i].flag == SECMOD_FRIENDLY_FLAG) {
- friendly_entry = &entries[i];
- break;
- }
- }
-
+ if (chaps_module_) {
// If this gets set, then we'll use the TPM for certs with
// private keys, otherwise we'll fall back to the software
// implementation.
tpm_slot_ = GetTPMSlot();
- // Force the TPM slot to be "Friendly", since it seems to ignore setting
- // "PublicCerts" above, and otherwise NSS does some unnecessary locking,
- // and slows things down.
- if (tpm_slot_ && friendly_entry)
- PK11_UpdateSlotAttribute(tpm_slot_, friendly_entry, PR_TRUE);
-
- if (VLOG_IS_ON(1))
- LogSlotInfo();
-
callback.Run(tpm_slot_ != NULL);
return;
}