Enable system NSS key slot.

This only affects users of domains that the device is registered to for policy.
All other users are unaffected (EnableNSSSystemKeySlotForResourceContext is only called for USER_AFFILIATION_MANAGED)

For the affected users, this enables and uses the slot for
- client authentication for TSL (see ClientCertStoreChromeOS)
- client authentication for 802.1x networks
- listing/removing certificates on the settings page (see CertificateManager)

In a follow up, also the enterprise.platformKeys API will be updated.

Depends on:
https://codereview.chromium.org/426983002/
https://codereview.chromium.org/428933002/

BUG=210525
R=mattm@chromium.org, rsleevi@chromium.org, willchan@chromium.org, xiyuan@chromium.org

Review URL: https://codereview.chromium.org/424523002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@287175 0039d316-1c4b-4281-b951-d872f2087c98

5 files changed, 38 insertions, 22 deletions

diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 29a0b66..062bcb5 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -394,19 +394,22 @@ class NSSInitSingleton {
     }
     initializing_tpm_token_ = false;
 
-    if (tpm_slot_) {
-      TPMReadyCallbackList callback_list;
-      callback_list.swap(tpm_ready_callback_list_);
-      for (TPMReadyCallbackList::iterator i = callback_list.begin();
-           i != callback_list.end();
-           ++i) {
-        (*i).Run();
-      }
-    }
+    if (tpm_slot_)
+      RunAndClearTPMReadyCallbackList();
 
     callback.Run(!!tpm_slot_);
   }
 
+  void RunAndClearTPMReadyCallbackList() {
+    TPMReadyCallbackList callback_list;
+    callback_list.swap(tpm_ready_callback_list_);
+    for (TPMReadyCallbackList::iterator i = callback_list.begin();
+         i != callback_list.end();
+         ++i) {
+      i->Run();
+    }
+  }
+
   bool IsTPMTokenReady(const base::Closure& callback) {
     if (!callback.is_null()) {
       // Cannot DCHECK in the general case yet, but since the callback is
@@ -579,6 +582,12 @@ class NSSInitSingleton {
     // Unsetting, i.e. setting a NULL, however is allowed.
     DCHECK(!slot || !test_system_slot_);
     test_system_slot_ = slot.Pass();
+    if (test_system_slot_) {
+      tpm_slot_.reset(PK11_ReferenceSlot(test_system_slot_.get()));
+      RunAndClearTPMReadyCallbackList();
+    } else {
+      tpm_slot_.reset();
+    }
   }
 #endif  // defined(OS_CHROMEOS)
 
@@ -1014,7 +1023,7 @@ ScopedPK11Slot GetSystemNSSKeySlot(
 }
 
 void SetSystemKeySlotForTesting(ScopedPK11Slot slot) {
-  g_nss_singleton.Get().SetSystemKeySlotForTesting(ScopedPK11Slot());
+  g_nss_singleton.Get().SetSystemKeySlotForTesting(slot.Pass());
 }
 
 void EnableTPMTokenForNSS() {
diff --git a/crypto/nss_util_internal.h b/crypto/nss_util_internal.h
index cb1b9bd..839d7ba7 100644
--- a/crypto/nss_util_internal.h
+++ b/crypto/nss_util_internal.h
@@ -53,11 +53,10 @@ class CRYPTO_EXPORT AutoSECMODListReadLock {
 CRYPTO_EXPORT ScopedPK11Slot GetSystemNSSKeySlot(
     const base::Callback<void(ScopedPK11Slot)>& callback) WARN_UNUSED_RESULT;
 
-// Sets the test system slot. If this was called before
-// InitializeTPMTokenAndSystemSlot and no system token is provided by the Chaps
-// module, then this test slot will be used and the initialization continues as
-// if Chaps had provided this test slot. In particular, |slot| will be exposed
-// by |GetSystemNSSKeySlot| and |IsTPMTokenReady| will return true.
+// Sets the test system slot to |slot|, which means that |slot| will be exposed
+// through |GetSystemNSSKeySlot| and |IsTPMTokenReady| will return true.
+// |InitializeTPMTokenAndSystemSlot|, which triggers the TPM initialization,
+// does not have to be called if the test system slot is set.
 // This must must not be called consecutively with a |slot| != NULL. If |slot|
 // is NULL, the test system slot is unset.
 CRYPTO_EXPORT_PRIVATE void SetSystemKeySlotForTesting(ScopedPK11Slot slot);
diff --git a/crypto/scoped_test_nss_db.h b/crypto/scoped_test_nss_db.h
index cc6996d..88c2d55 100644
--- a/crypto/scoped_test_nss_db.h
+++ b/crypto/scoped_test_nss_db.h
@@ -20,8 +20,8 @@ class CRYPTO_EXPORT_PRIVATE ScopedTestNSSDB {
   ScopedTestNSSDB();
   ~ScopedTestNSSDB();
 
-  bool is_open() { return slot_; }
-  PK11SlotInfo* slot() { return slot_.get(); }
+  bool is_open() const { return slot_; }
+  PK11SlotInfo* slot() const { return slot_.get(); }
 
  private:
   base::ScopedTempDir temp_dir_;
diff --git a/crypto/scoped_test_system_nss_key_slot.cc b/crypto/scoped_test_system_nss_key_slot.cc
index ee5e1df..53fbbff 100644
--- a/crypto/scoped_test_system_nss_key_slot.cc
+++ b/crypto/scoped_test_system_nss_key_slot.cc
@@ -25,4 +25,8 @@ bool ScopedTestSystemNSSKeySlot::ConstructedSuccessfully() const {
   return test_db_->is_open();
 }
 
+PK11SlotInfo* ScopedTestSystemNSSKeySlot::slot() const {
+  return test_db_->slot();
+}
+
 }  // namespace crypto
diff --git a/crypto/scoped_test_system_nss_key_slot.h b/crypto/scoped_test_system_nss_key_slot.h
index 1565047..ac3b72c 100644
--- a/crypto/scoped_test_system_nss_key_slot.h
+++ b/crypto/scoped_test_system_nss_key_slot.h
@@ -9,17 +9,20 @@
 #include "base/memory/scoped_ptr.h"
 #include "crypto/crypto_export.h"
 
+// Forward declaration, from <pk11pub.h>
+typedef struct PK11SlotInfoStr PK11SlotInfo;
+
 namespace crypto {
 
 class ScopedTestNSSDB;
 
 // Opens a persistent NSS software database in a temporary directory and sets
 // the test system slot to the opened database. This helper should be created in
-// tests where no system token is provided by the Chaps module and before
-// InitializeTPMTokenAndSystemSlot is called. Then the opened test database will
-// be used and the initialization continues as if Chaps had provided this test
-// database. In particular, the DB will be exposed by |GetSystemNSSKeySlot| and
-// |IsTPMTokenReady| will return true.
+// tests to fake the system token that is usually provided by the Chaps module.
+// |slot| is exposed through |GetSystemNSSKeySlot| and |IsTPMTokenReady| will
+// return true.
+// |InitializeTPMTokenAndSystemSlot|, which triggers the TPM initialization,
+// does not have to be called if this helper is used.
 // At most one instance of this helper must be used at a time.
 class CRYPTO_EXPORT_PRIVATE ScopedTestSystemNSSKeySlot {
  public:
@@ -27,6 +30,7 @@ class CRYPTO_EXPORT_PRIVATE ScopedTestSystemNSSKeySlot {
   ~ScopedTestSystemNSSKeySlot();
 
   bool ConstructedSuccessfully() const;
+  PK11SlotInfo* slot() const;
 
  private:
   scoped_ptr<ScopedTestNSSDB> test_db_;