From c175cdb75905a3145675c20884888e6348784b62 Mon Sep 17 00:00:00 2001 From: "stevenjb@google.com" Date: Tue, 28 Jun 2011 20:41:55 +0000 Subject: Replace WifiConfigModel with async CertLibrary Update WifiConfigView and VpnConfigView to use CertLibrary. Includes changes to crypto:nss_util.cc BUG=chromium-os:15829 TEST=Test wifi/other + certificates and VPN + certificates. UI should not block. Review URL: http://codereview.chromium.org/7244012 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@90833 0039d316-1c4b-4281-b951-d872f2087c98 --- crypto/nss_util.cc | 89 ++++++++++++++++++++++++++++++------------------------ crypto/nss_util.h | 17 +++++++++++ 2 files changed, 67 insertions(+), 39 deletions(-) (limited to 'crypto') diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc index e484abe..3b393fc 100644 --- a/crypto/nss_util.cc +++ b/crypto/nss_util.cc @@ -226,6 +226,47 @@ class NSSInitSingleton { EnsureTPMTokenReady(); } + // This is called whenever we want to make sure opencryptoki is + // properly loaded, because it can fail shortly after the initial + // login while the PINs are being initialized, and we want to retry + // if this happens. + bool EnsureTPMTokenReady() { + // If EnableTPMTokenForNSS hasn't been called, or if everything is + // already initialized, then this call succeeds. + if (tpm_token_info_delegate_.get() == NULL || + (opencryptoki_module_ && tpm_slot_)) { + return true; + } + + if (tpm_token_info_delegate_->IsTokenReady()) { + // This tries to load the opencryptoki module so NSS can talk to + // the hardware TPM. + if (!opencryptoki_module_) { + opencryptoki_module_ = LoadModule( + kOpencryptokiModuleName, + kOpencryptokiPath, + // trustOrder=100 -- means it'll select this as the most + // trusted slot for the mechanisms it provides. + // slotParams=... -- selects RSA as the only mechanism, and only + // asks for the password when necessary (instead of every + // time, or after a timeout). + "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); + } + if (opencryptoki_module_) { + // If this gets set, then we'll use the TPM for certs with + // private keys, otherwise we'll fall back to the software + // implementation. + tpm_slot_ = GetTPMSlot(); + return tpm_slot_ != NULL; + } + } + return false; + } + + bool IsTPMTokenAvailable() { + return tpm_token_info_delegate_->IsTokenAvailable(); + } + void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) { tpm_token_info_delegate_->GetTokenInfo(token_name, user_pin); } @@ -239,6 +280,7 @@ class NSSInitSingleton { GetTPMTokenInfo(&token_name, NULL); return FindSlotWithTokenName(token_name); } + #endif // defined(OS_CHROMEOS) @@ -487,45 +529,6 @@ class NSSInitSingleton { return db_slot; } -#if defined(OS_CHROMEOS) - // This is called whenever we want to make sure opencryptoki is - // properly loaded, because it can fail shortly after the initial - // login while the PINs are being initialized, and we want to retry - // if this happens. - bool EnsureTPMTokenReady() { - // If EnableTPMTokenForNSS hasn't been called, or if everything is - // already initialized, then this call succeeds. - if (tpm_token_info_delegate_.get() == NULL || - (opencryptoki_module_ && tpm_slot_)) { - return true; - } - - if (tpm_token_info_delegate_->IsTokenReady()) { - // This tries to load the opencryptoki module so NSS can talk to - // the hardware TPM. - if (!opencryptoki_module_) { - opencryptoki_module_ = LoadModule( - kOpencryptokiModuleName, - kOpencryptokiPath, - // trustOrder=100 -- means it'll select this as the most - // trusted slot for the mechanisms it provides. - // slotParams=... -- selects RSA as the only mechanism, and only - // asks for the password when necessary (instead of every - // time, or after a timeout). - "trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})"); - } - if (opencryptoki_module_) { - // If this gets set, then we'll use the TPM for certs with - // private keys, otherwise we'll fall back to the software - // implementation. - tpm_slot_ = GetTPMSlot(); - return tpm_slot_ != NULL; - } - } - return false; - } -#endif - // If this is set to true NSS is forced to be initialized without a DB. static bool force_nodb_init_; @@ -680,10 +683,18 @@ void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) { g_nss_singleton.Get().GetTPMTokenInfo(token_name, user_pin); } +bool IsTPMTokenAvailable() { + return g_nss_singleton.Get().IsTPMTokenAvailable(); +} + bool IsTPMTokenReady() { return g_nss_singleton.Get().IsTPMTokenReady(); } +bool EnsureTPMTokenReady() { + return g_nss_singleton.Get().EnsureTPMTokenReady(); +} + #endif // defined(OS_CHROMEOS) // TODO(port): Implement this more simply. We can convert by subtracting an diff --git a/crypto/nss_util.h b/crypto/nss_util.h index 1244db9..19298ca 100644 --- a/crypto/nss_util.h +++ b/crypto/nss_util.h @@ -93,7 +93,17 @@ class TPMTokenInfoDelegate { public: TPMTokenInfoDelegate(); virtual ~TPMTokenInfoDelegate(); + + // Returns true if the hardware supports a TPM Token and the TPM is enabled. + virtual bool IsTokenAvailable() const = 0; + + // Returns true if the TPM and PKCS#11 token slot is ready to be used. + // If IsTokenAvailable() is false this should return false. + // If IsTokenAvailable() is true, this should eventually return true. virtual bool IsTokenReady() const = 0; + + // Fetches token properties. TODO(stevenjb): make this interface asynchronous + // so that the implementation does not have to be blocking. virtual void GetTokenInfo(std::string* token_name, std::string* user_pin) const = 0; }; @@ -110,11 +120,18 @@ void EnableTPMTokenForNSS(TPMTokenInfoDelegate* delegate); // EnableTPMTokenForNSS has been called with a non-null delegate. void GetTPMTokenInfo(std::string* token_name, std::string* user_pin); +// Returns true if the machine has a TPM and it can be used to store tokens. +bool IsTPMTokenAvailable(); + // Returns true if the TPM is owned and PKCS#11 initialized with the // user and security officer PINs, and has been enabled in NSS by // calling EnableTPMForNSS, and opencryptoki has been successfully // loaded into NSS. bool IsTPMTokenReady(); + +// Same as IsTPMTokenReady() except this attempts to initialize the token +// if necessary. +bool EnsureTPMTokenReady(); #endif // Convert a NSS PRTime value into a base::Time object. -- cgit v1.1