diff options
author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-06 02:37:21 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-06 02:37:21 +0000 |
commit | 922899fd889ae914220123b768e14eed79ea9409 (patch) | |
tree | 8ccc26814a2ef63358aac0a8bed73e111b32c278 /crypto | |
parent | 0a311f79eb90987f2cb418be304705f7262d9de5 (diff) | |
download | chromium_src-922899fd889ae914220123b768e14eed79ea9409.zip chromium_src-922899fd889ae914220123b768e14eed79ea9409.tar.gz chromium_src-922899fd889ae914220123b768e14eed79ea9409.tar.bz2 |
Properly pass NSS parameters when initializing the PKCS#11 module on CrOS
When initializing the CHAPS PKCS#11 module in CrOS, properly
pass the NSS parameters to SECMOD_LoadUserModule. This
ensures that the default flags for the default slot to mark
the slot as friendly, which means it is not necessary to
call C_Login before calling any read-only operations. Any
actions that fail in read-only mode will still call C_Login.
BUG=118206, chromium-os:28842
TEST=See bug
Review URL: http://codereview.chromium.org/9963127
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@131075 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/nss_util.cc | 59 |
1 files changed, 7 insertions, 52 deletions
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc index 43912c2..5b9a387 100644 --- a/crypto/nss_util.cc +++ b/crypto/nss_util.cc @@ -196,32 +196,6 @@ PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) { #endif // defined(USE_NSS) -#if defined(OS_CHROMEOS) -void LogSlotInfo() { - AutoSECMODListReadLock auto_lock; - SECMODModuleList* head = SECMOD_GetDefaultModuleList(); - VLOG(1) << "Current PK11 Slot Status:"; - for (SECMODModuleList* item = head; item != NULL; item = item->next) { - int slot_count = item->module->loaded ? item->module->slotCount : 0; - for (int i = 0; i < slot_count; i++) { - PK11SlotInfo* slot = item->module->slots[i]; - if (slot) { - VLOG(1) << " ###############################"; - VLOG(1) << " Token Name : " << PK11_GetTokenName(slot); - VLOG(1) << " Slot Name : " << PK11_GetSlotName(slot); - VLOG(1) << " Slot ID : " << PK11_GetSlotID(slot); - VLOG(1) << " Is Friendly : " - << (PK11_IsFriendly(slot) ? "True" : "False"); - VLOG(1) << " Default Flags: " << PK11_GetDefaultFlags(slot); - VLOG(1) << " Need Login : " - << (PK11_NeedLogin(slot) ? "Yes" : "No"); - VLOG(1) << " Is Hardware :" << (PK11_IsHW(slot) ? "Yes" : "No"); - } - } - } -} -#endif - // A singleton to initialize/deinitialize NSPR. // Separate from the NSS singleton because we initialize NSPR on the UI thread. // Now that we're leaking the singleton, we could merge back with the NSS @@ -564,38 +538,19 @@ class NSSInitSingleton { chaps_module_ = LoadModule( kChapsModuleName, kChapsPath, - // trustOrder=100 -- means it'll select this as the most - // trusted slot for the mechanisms it provides. - // slotParams=... -- selects RSA as the only mechanism, and only - // asks for the password when necessary (instead of every - // time, or after a timeout). - "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); + // For more details on these parameters, see: + // https://developer.mozilla.org/en/PKCS11_Module_Specs + // slotFlags=[PublicCerts] -- Certificates and public keys can be + // read from this slot without requiring a call to C_Login. + // askpw=only -- Only authenticate to the token when necessary. + "NSS=\"slotParams=(0={slotFlags=[PublicCerts] askpw=only})\""); } - if (chaps_module_ && chaps_module_->loaded) { - int size = 0; - PK11DefaultArrayEntry* entries = PK11_GetDefaultArray(&size); - PK11DefaultArrayEntry* friendly_entry = NULL; - for (int i = 0; i < size; ++i) { - if (entries[i].flag == SECMOD_FRIENDLY_FLAG) { - friendly_entry = &entries[i]; - break; - } - } - + if (chaps_module_) { // If this gets set, then we'll use the TPM for certs with // private keys, otherwise we'll fall back to the software // implementation. tpm_slot_ = GetTPMSlot(); - // Force the TPM slot to be "Friendly", since it seems to ignore setting - // "PublicCerts" above, and otherwise NSS does some unnecessary locking, - // and slows things down. - if (tpm_slot_ && friendly_entry) - PK11_UpdateSlotAttribute(tpm_slot_, friendly_entry, PR_TRUE); - - if (VLOG_IS_ON(1)) - LogSlotInfo(); - callback.Run(tpm_slot_ != NULL); return; } |