From 84e4772b1fa55875f44d13e3f82092eb6c948fe1 Mon Sep 17 00:00:00 2001 From: "dkrahn@chromium.org" Date: Thu, 17 Nov 2011 05:12:02 +0000 Subject: Change the Chrome OS PKCS #11 module from libopencryptoki.so to libchaps.so. This CL is part of a larger effort to replace opencryptoki as the PKCS #11 layer in Chrome OS. In this first phase, libchaps.so forwards requests to a daemon (chapsd) which loads opencryptoki to service the requests. You can find the Chaps design doc here: https://docs.google.com/a/google.com/document/d/1TQFc6GABKa1JgwUx2hIcxAHQ329fkd03yYlGxhfHQlQ/edit Change-Id: I42962c4703413039641b6ede40caaf0c97ab900e BUG=chromium-os:21005 TEST=* Ensure previously existing certs still exist. * Import new cert and private key from PKCS12 file. Review URL: http://codereview.chromium.org/8527006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@110435 0039d316-1c4b-4281-b951-d872f2087c98 --- crypto/nss_util.cc | 38 +++++++++++++++++++------------------- crypto/nss_util.h | 4 ++-- 2 files changed, 21 insertions(+), 21 deletions(-) (limited to 'crypto') diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc index 6bebd0d..53602c3 100644 --- a/crypto/nss_util.cc +++ b/crypto/nss_util.cc @@ -55,9 +55,9 @@ namespace { #if defined(OS_CHROMEOS) const char kNSSDatabaseName[] = "Real NSS database"; -// Constants for loading opencryptoki. -const char kOpencryptokiModuleName[] = "opencryptoki"; -const char kOpencryptokiPath[] = "/usr/lib/opencryptoki/libopencryptoki.so"; +// Constants for loading the Chrome OS TPM-backed PKCS #11 library. +const char kChapsModuleName[] = "Chaps"; +const char kChapsPath[] = "libchaps.so"; // Fake certificate authority database used for testing. static const FilePath::CharType kReadOnlyCertDB[] = @@ -245,7 +245,7 @@ class NSSInitSingleton { tpm_token_info_delegate_.reset(info_delegate); } - // This is called whenever we want to make sure opencryptoki is + // This is called whenever we want to make sure Chaps is // properly loaded, because it can fail shortly after the initial // login while the PINs are being initialized, and we want to retry // if this happens. @@ -255,16 +255,16 @@ class NSSInitSingleton { return false; // If everything is already initialized, then return true. - if (opencryptoki_module_ && tpm_slot_) + if (chaps_module_ && tpm_slot_) return true; if (tpm_token_info_delegate_->IsTokenReady()) { - // This tries to load the opencryptoki module so NSS can talk to - // the hardware TPM. - if (!opencryptoki_module_) { - opencryptoki_module_ = LoadModule( - kOpencryptokiModuleName, - kOpencryptokiPath, + // This tries to load the Chaps module so NSS can talk to the hardware + // TPM. + if (!chaps_module_) { + chaps_module_ = LoadModule( + kChapsModuleName, + kChapsPath, // trustOrder=100 -- means it'll select this as the most // trusted slot for the mechanisms it provides. // slotParams=... -- selects RSA as the only mechanism, and only @@ -272,7 +272,7 @@ class NSSInitSingleton { // time, or after a timeout). "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); } - if (opencryptoki_module_) { + if (chaps_module_) { // If this gets set, then we'll use the TPM for certs with // private keys, otherwise we'll fall back to the software // implementation. @@ -373,7 +373,7 @@ class NSSInitSingleton { #if defined(OS_CHROMEOS) // Make sure that if EnableTPMTokenForNSS has been called that we - // have successfully loaded opencryptoki. + // have successfully loaded Chaps. if (tpm_token_info_delegate_.get() != NULL) { if (EnsureTPMTokenReady()) { return PK11_ReferenceSlot(tpm_slot_); @@ -407,7 +407,7 @@ class NSSInitSingleton { friend struct base::DefaultLazyInstanceTraits; NSSInitSingleton() - : opencryptoki_module_(NULL), + : chaps_module_(NULL), software_slot_(NULL), test_slot_(NULL), tpm_slot_(NULL), @@ -522,10 +522,10 @@ class NSSInitSingleton { SECMOD_DestroyModule(root_); root_ = NULL; } - if (opencryptoki_module_) { - SECMOD_UnloadUserModule(opencryptoki_module_); - SECMOD_DestroyModule(opencryptoki_module_); - opencryptoki_module_ = NULL; + if (chaps_module_) { + SECMOD_UnloadUserModule(chaps_module_); + SECMOD_DestroyModule(chaps_module_); + chaps_module_ = NULL; } SECStatus status = NSS_Shutdown(); @@ -596,7 +596,7 @@ class NSSInitSingleton { scoped_ptr tpm_token_info_delegate_; #endif - SECMODModule* opencryptoki_module_; + SECMODModule* chaps_module_; PK11SlotInfo* software_slot_; PK11SlotInfo* test_slot_; PK11SlotInfo* tpm_slot_; diff --git a/crypto/nss_util.h b/crypto/nss_util.h index b87b4a0..a617224 100644 --- a/crypto/nss_util.h +++ b/crypto/nss_util.h @@ -110,7 +110,7 @@ class CRYPTO_EXPORT TPMTokenInfoDelegate { std::string* user_pin) const = 0; }; -// Indicates that NSS should load the opencryptoki library so that we +// Indicates that NSS should load the Chaps library so that we // can access the TPM through NSS. Once this is called, // GetPrivateNSSKeySlot() will return the TPM slot if one was found. // Takes ownership of the passed-in delegate object so it can access @@ -128,7 +128,7 @@ CRYPTO_EXPORT bool IsTPMTokenAvailable(); // Returns true if the TPM is owned and PKCS#11 initialized with the // user and security officer PINs, and has been enabled in NSS by -// calling EnableTPMForNSS, and opencryptoki has been successfully +// calling EnableTPMForNSS, and Chaps has been successfully // loaded into NSS. CRYPTO_EXPORT bool IsTPMTokenReady(); -- cgit v1.1