From dd24ffcb6086d6ac46e46353007a80bf9f46831c Mon Sep 17 00:00:00 2001
From: "gspencer@google.com"
Date: Wed, 8 Jun 2011 19:46:42 +0000
Subject: Search all slots when looking for a key in NSS
This should make it possible to run on a VM, and still find the private key created for the owner in the software slot.
BUG=chromium-os:15817
TEST=Built an image and tried it on a VM and a device. Both showed restricted users list.
Review URL: http://codereview.chromium.org/7066070
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@88380 0039d316-1c4b-4281-b951-d872f2087c98
---
 crypto/nss_util.cc | 28 ++++++++++------------------
 crypto/nss_util_internal.h | 12 ++++++++++++
 crypto/rsa_private_key_nss.cc | 36 ++++++++++++++----------------------
 3 files changed, 36 insertions(+), 40 deletions(-)
(limited to 'crypto')
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 9901e3a..e484abe 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -155,24 +155,6 @@ void UseLocalCacheOfNSSDatabaseIfNFS(const FilePath& database_dir) {
 #endif // defined(OS_LINUX)
 }
-// A helper class that acquires the SECMOD list read lock while the
-// AutoSECMODListReadLock is in scope.
-class AutoSECMODListReadLock {
- public:
- AutoSECMODListReadLock()
- : lock_(SECMOD_GetDefaultModuleListLock()) {
- SECMOD_GetReadLock(lock_);
- }
-
- ~AutoSECMODListReadLock() {
- SECMOD_ReleaseReadLock(lock_);
- }
-
- private:
- SECMODListLock* lock_;
- DISALLOW_COPY_AND_ASSIGN(AutoSECMODListReadLock);
-};
-
 PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) {
 AutoSECMODListReadLock auto_lock;
 SECMODModuleList* head = SECMOD_GetDefaultModuleList();
@@ -670,6 +652,16 @@ AutoNSSWriteLock::~AutoNSSWriteLock() {
 lock_->Release();
 }
 }
+
+AutoSECMODListReadLock::AutoSECMODListReadLock()
+ : lock_(SECMOD_GetDefaultModuleListLock()) {
+ SECMOD_GetReadLock(lock_);
+ }
+
+AutoSECMODListReadLock::~AutoSECMODListReadLock() {
+ SECMOD_ReleaseReadLock(lock_);
+}
+
 #endif // defined(USE_NSS)
 #if defined(OS_CHROMEOS)
diff --git a/crypto/nss_util_internal.h b/crypto/nss_util_internal.h
index ea40fdb..e90e4c4 100644
--- a/crypto/nss_util_internal.h
+++ b/crypto/nss_util_internal.h
@@ -25,6 +25,18 @@ PK11SlotInfo* GetPublicNSSKeySlot();
 // PK11_FreeSlot.
 PK11SlotInfo* GetPrivateNSSKeySlot();
+// A helper class that acquires the SECMOD list read lock while the
+// AutoSECMODListReadLock is in scope.
+class AutoSECMODListReadLock {
+ public:
+ AutoSECMODListReadLock();
+ ~AutoSECMODListReadLock();
+
+ private:
+ SECMODListLock* lock_;
+ DISALLOW_COPY_AND_ASSIGN(AutoSECMODListReadLock);
+};
+
 } // namespace crypto
 #endif // CRYPTO_NSS_UTIL_INTERNAL_H_
diff --git a/crypto/rsa_private_key_nss.cc b/crypto/rsa_private_key_nss.cc
index 8157de2..0d79dbe 100644
--- a/crypto/rsa_private_key_nss.cc
+++ b/crypto/rsa_private_key_nss.cc
@@ -7,6 +7,7 @@
 #include
 #include
 #include
+#include
 #include
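Review bot: The closing brace of the out-of-line AutoSECMODListReadLock constructor is still indented (`+  }`), a leftover from the in-class definition this commit moves out of nss_util.cc, while the destructor's brace directly below it sits at column 0; the two should match, `}`. The constructor also stores and immediately uses the lock returned by SECMOD_GetDefaultModuleListLock() without a null check; that was true of the in-class version too, but now that the helper is exported through nss_util_internal.h to other translation units, a comment on the class declaration stating that it must only be constructed after NSS has been initialized would make the precondition visible to new callers — presumably the lock is not available before then, worth confirming against the NSS headers.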
@@ -119,31 +120,22 @@ RSAPrivateKey* RSAPrivateKey::FindFromPublicKeyInfo(
 return NULL;
 }
- ScopedPK11Slot slot(GetPrivateNSSKeySlot());
- if (!slot.get()) {
- NOTREACHED();
- return NULL;
- }
-
- // Finally...Look for the key!
- result->key_ = PK11_FindKeyByKeyID(slot.get(), ck_id.get(), NULL);
-
- // If we don't find the matching key in the private slot, then we
- // look in the public slot.
- if (!result->key_) {
- slot.reset(GetPublicNSSKeySlot());
- if (!slot.get()) {
- NOTREACHED();
- return NULL;
+ // Search all slots in all modules for the key with the given ID.
+ AutoSECMODListReadLock auto_lock;
+ SECMODModuleList* head = SECMOD_GetDefaultModuleList();
+ for (SECMODModuleList* item = head; item != NULL; item = item->next) {
+ int slot_count = item->module->loaded ? item->module->slotCount : 0;
+ for (int i = 0; i < slot_count; i++) {
+ // Finally...Look for the key!
+ result->key_ = PK11_FindKeyByKeyID(item->module->slots[i],
+ ck_id.get(), NULL);
+ if (result->key_)
+ return result.release();
 }
- result->key_ = PK11_FindKeyByKeyID(slot.get(), ck_id.get(), NULL);
 }
- // If we didn't find it, that's ok.
- if (!result->key_)
- return NULL;
-
- return result.release();
+ // We didn't find the key.
+ return NULL;
 }
--
cgit v1.1
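Review bot: The first key whose CKA_ID matches now wins across every loaded module, in module-list order, so when more than one token holds a key with this ID the caller can receive a different private key than the former private-then-public-slot lookup returned, and nothing in the hunk records that ordering dependence. I would keep the explicit GetPrivateNSSKeySlot()/GetPublicNSSKeySlot() lookups ahead of the module walk so the previous precedence is preserved and the full scan only runs as a fallback, or at least extend the new comment: `// Search all slots in all modules for the key with the given ID. The first match in module-list order wins, so the result is order-dependent if several tokens share a CKA_ID.` PK11_FindKeyByKeyID is also now called, with a NULL wincx, on slots the old code never touched; if it authenticates to the token before searching, devices with extra modules may see login attempts that did not happen before — worth confirming against the NSS implementation. Minor style: `head` only seeds the loop and could be folded into the for-initializer. FindFromPublicKeyInfo starts outside the hunk.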