Add GetSystemNSSKeySlot, merge GetPrivateNSSKeySlot/GetPublicNSSKeySlot to GetPersistentNSSKeySlot.

GetSystemNSSKeySlot returns the ChromeOS system-wide TPM slot.

ChromeOS has separate slots for each user and linux doesn't have a public/private split, so GetPrivateNSSKeySlot no longer makes sense.

BUG=210525
TBR=stevenjb@chromium.org

Review URL: https://codereview.chromium.org/383593002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282862 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 52 insertions, 55 deletions

diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 1598ba9..ea4b59c 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -316,8 +316,9 @@ class NSSInitSingleton {
     return tpm_token_enabled_for_nss_;
   }
 
-  void InitializeTPMToken(int token_slot_id,
-                          const base::Callback<void(bool)>& callback) {
+  void InitializeTPMTokenAndSystemSlot(
+      int system_slot_id,
+      const base::Callback<void(bool)>& callback) {
     DCHECK(thread_checker_.CalledOnValidThread());
     // Should not be called while there is already an initialization in
     // progress.
@@ -345,9 +346,9 @@ class NSSInitSingleton {
     if (base::WorkerPool::PostTaskAndReply(
             FROM_HERE,
             base::Bind(&NSSInitSingleton::InitializeTPMTokenOnWorkerThread,
-                       token_slot_id,
+                       system_slot_id,
                        tpm_args_ptr),
-            base::Bind(&NSSInitSingleton::OnInitializedTPMToken,
+            base::Bind(&NSSInitSingleton::OnInitializedTPMTokenAndSystemSlot,
                        base::Unretained(this),  // NSSInitSingleton is leaky
                        callback,
                        base::Passed(&tpm_args)),
@@ -382,8 +383,9 @@ class NSSInitSingleton {
     }
   }
 
-  void OnInitializedTPMToken(const base::Callback<void(bool)>& callback,
-                             scoped_ptr<TPMModuleAndSlot> tpm_args) {
+  void OnInitializedTPMTokenAndSystemSlot(
+      const base::Callback<void(bool)>& callback,
+      scoped_ptr<TPMModuleAndSlot> tpm_args) {
     DCHECK(thread_checker_.CalledOnValidThread());
     DVLOG(2) << "Loaded chaps: " << !!tpm_args->chaps_module
              << ", got tpm slot: " << !!tpm_args->tpm_slot;
@@ -624,7 +626,7 @@ class NSSInitSingleton {
     ignore_result(g_test_nss_db_dir.Get().Delete());
   }
 
-  PK11SlotInfo* GetPublicNSSKeySlot() {
+  PK11SlotInfo* GetPersistentNSSKeySlot() {
     // TODO(mattm): Change to DCHECK when callers have been fixed.
     if (!thread_checker_.CalledOnValidThread()) {
       DVLOG(1) << "Called on wrong thread.\n"
@@ -636,29 +638,24 @@ class NSSInitSingleton {
     return PK11_GetInternalKeySlot();
   }
 
-  PK11SlotInfo* GetPrivateNSSKeySlot() {
-    // TODO(mattm): Change to DCHECK when callers have been fixed.
-    if (!thread_checker_.CalledOnValidThread()) {
-      DVLOG(1) << "Called on wrong thread.\n"
-               << base::debug::StackTrace().ToString();
-    }
+#if defined(OS_CHROMEOS)
+  PK11SlotInfo* GetSystemNSSKeySlot() {
+    DCHECK(thread_checker_.CalledOnValidThread());
 
     if (test_slot_)
       return PK11_ReferenceSlot(test_slot_);
 
-#if defined(OS_CHROMEOS)
-    if (tpm_token_enabled_for_nss_) {
-      if (IsTPMTokenReady(base::Closure())) {
-        return PK11_ReferenceSlot(tpm_slot_);
-      } else {
-        // If we were supposed to get the hardware token, but were
-        // unable to, return NULL rather than fall back to sofware.
-        return NULL;
-      }
-    }
-#endif
-    return PK11_GetInternalKeySlot();
+    // TODO(mattm): chromeos::TPMTokenloader always calls
+    // InitializeTPMTokenAndSystemSlot with slot 0.  If the system slot is
+    // disabled, tpm_slot_ will be the first user's slot instead. Can that be
+    // detected and return NULL instead?
+    if (tpm_token_enabled_for_nss_ && IsTPMTokenReady(base::Closure()))
+      return PK11_ReferenceSlot(tpm_slot_);
+    // If we were supposed to get the hardware token, but were
+    // unable to, return NULL rather than fall back to sofware.
+    return NULL;
   }
+#endif
 
 #if defined(USE_NSS)
   base::Lock* write_lock() {
@@ -1069,6 +1066,10 @@ AutoSECMODListReadLock::~AutoSECMODListReadLock() {
 #endif  // defined(USE_NSS)
 
 #if defined(OS_CHROMEOS)
+PK11SlotInfo* GetSystemNSSKeySlot() {
+  return g_nss_singleton.Get().GetSystemNSSKeySlot();
+}
+
 void EnableTPMTokenForNSS() {
   g_nss_singleton.Get().EnableTPMTokenForNSS();
 }
@@ -1081,9 +1082,11 @@ bool IsTPMTokenReady(const base::Closure& callback) {
   return g_nss_singleton.Get().IsTPMTokenReady(callback);
 }
 
-void InitializeTPMToken(int token_slot_id,
-                        const base::Callback<void(bool)>& callback) {
-  g_nss_singleton.Get().InitializeTPMToken(token_slot_id, callback);
+void InitializeTPMTokenAndSystemSlot(
+    int token_slot_id,
+    const base::Callback<void(bool)>& callback) {
+  g_nss_singleton.Get().InitializeTPMTokenAndSystemSlot(token_slot_id,
+                                                        callback);
 }
 
 ScopedTestNSSChromeOSUser::ScopedTestNSSChromeOSUser(
@@ -1157,12 +1160,8 @@ PRTime BaseTimeToPRTime(base::Time time) {
   return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }
 
-PK11SlotInfo* GetPublicNSSKeySlot() {
-  return g_nss_singleton.Get().GetPublicNSSKeySlot();
-}
-
-PK11SlotInfo* GetPrivateNSSKeySlot() {
-  return g_nss_singleton.Get().GetPrivateNSSKeySlot();
+PK11SlotInfo* GetPersistentNSSKeySlot() {
+  return g_nss_singleton.Get().GetPersistentNSSKeySlot();
 }
 
 }  // namespace crypto
diff --git a/crypto/nss_util.h b/crypto/nss_util.h
index 4f8a1d6..0efdbc2 100644
--- a/crypto/nss_util.h
+++ b/crypto/nss_util.h
@@ -95,9 +95,9 @@ CRYPTO_EXPORT void LoadNSSLibraries();
 bool CheckNSSVersion(const char* version);
 
 #if defined(OS_CHROMEOS)
-// Indicates that NSS should load the Chaps library so that we
-// can access the TPM through NSS.  Once this is called,
-// GetPrivateNSSKeySlot() will return the TPM slot if one was found.
+// Indicates that NSS should use the Chaps library so that we
+// can access the TPM through NSS.  InitializeTPMTokenAndSystemSlot and
+// InitializeTPMForChromeOSUser must still be called to load the slots.
 CRYPTO_EXPORT void EnableTPMTokenForNSS();
 
 // Returns true if EnableTPMTokenForNSS has been called.
@@ -113,13 +113,13 @@ CRYPTO_EXPORT bool IsTPMTokenEnabledForNSS();
 CRYPTO_EXPORT bool IsTPMTokenReady(const base::Closure& callback)
     WARN_UNUSED_RESULT;
 
-// Initialize the TPM token. The |callback| will run on the same thread with
-// true if the token and slot were successfully loaded or were already
-// initialized. |callback| will be passed false if loading failed.
-// Once called, InitializeTPMToken must not be called again until the |callback|
-// has been run.
-CRYPTO_EXPORT void InitializeTPMToken(
-    int token_slot_id,
+// Initialize the TPM token and system slot. The |callback| will run on the same
+// thread with true if the token and slot were successfully loaded or were
+// already initialized. |callback| will be passed false if loading failed.  Once
+// called, InitializeTPMTokenAndSystemSlot must not be called again until the
+// |callback| has been run.
+CRYPTO_EXPORT void InitializeTPMTokenAndSystemSlot(
+    int system_slot_id,
     const base::Callback<void(bool)>& callback);
 
 // Exposed for unittests only.
diff --git a/crypto/nss_util_internal.h b/crypto/nss_util_internal.h
index 8175604..e9d4870 100644
--- a/crypto/nss_util_internal.h
+++ b/crypto/nss_util_internal.h
@@ -21,17 +21,11 @@ class FilePath;
 
 namespace crypto {
 
-// Returns a reference to the default NSS key slot for storing
-// public-key data only (e.g. server certs). Caller must release
-// returned reference with PK11_FreeSlot.
-CRYPTO_EXPORT PK11SlotInfo* GetPublicNSSKeySlot() WARN_UNUSED_RESULT;
-
-// Returns a reference to the default slot for storing private-key and
-// mixed private-key/public-key data.  Returns a hardware (TPM) NSS
-// key slot if on ChromeOS and EnableTPMForNSS() has been called
-// successfully. Caller must release returned reference with
-// PK11_FreeSlot.
-CRYPTO_EXPORT PK11SlotInfo* GetPrivateNSSKeySlot() WARN_UNUSED_RESULT;
+// Returns a reference to the default NSS key slot for storing persistent data.
+// Caller must release returned reference with PK11_FreeSlot.
+// TODO(mattm): this should be if !defined(OS_CHROMEOS), but some tests need to
+// be fixed first.
+CRYPTO_EXPORT PK11SlotInfo* GetPersistentNSSKeySlot() WARN_UNUSED_RESULT;
 
 // A helper class that acquires the SECMOD list read lock while the
 // AutoSECMODListReadLock is in scope.
@@ -46,6 +40,10 @@ class CRYPTO_EXPORT AutoSECMODListReadLock {
 };
 
 #if defined(OS_CHROMEOS)
+// Returns a reference to the system-wide TPM slot.  Caller must release
+// returned reference with PK11_FreeSlot.
+CRYPTO_EXPORT PK11SlotInfo* GetSystemNSSKeySlot() WARN_UNUSED_RESULT;
+
 // Prepare per-user NSS slot mapping. It is safe to call this function multiple
 // times. Returns true if the user was added, or false if it already existed.
 CRYPTO_EXPORT bool InitializeNSSForChromeOSUser(