1 // Copyright 2012 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CRYPTO_NSS_UTIL_INTERNAL_H_ 6 #define CRYPTO_NSS_UTIL_INTERNAL_H_ 7 8 #include <secmodt.h> 9 10 #include <string> 11 12 #include "base/functional/callback.h" 13 #include "base/memory/raw_ptr.h" 14 #include "build/chromeos_buildflags.h" 15 #include "components/nacl/common/buildflags.h" 16 #include "crypto/crypto_export.h" 17 #include "crypto/scoped_nss_types.h" 18 19 namespace base { 20 class FilePath; 21 } 22 23 // These functions return a type defined in an NSS header, and so cannot be 24 // declared in nss_util.h. Hence, they are declared here. 25 26 namespace crypto { 27 28 // Opens an NSS software database in folder `path`, with the (potentially) 29 // user-visible description `description`. Returns the slot for the opened 30 // database, or nullptr if the database could not be opened. Can be called 31 // multiple times for the same `path`, thread-safe. 32 CRYPTO_EXPORT ScopedPK11Slot OpenSoftwareNSSDB(const base::FilePath& path, 33 const std::string& description); 34 35 // Closes the underlying database for the `slot`. All remaining slots 36 // referencing the same database will remain valid objects, but won't be able to 37 // successfully retrieve certificates, etc. Should be used for all databases 38 // that were opened with `OpenSoftwareNSSDB` (instead of `SECMOD_CloseUserDB`). 39 // Can be called multiple times. Returns `SECSuccess` if the database was 40 // successfully closed, returns `SECFailure` if it was never opened, was already 41 // closed by an earlier call, or failed to close. Thread-safe. 42 CRYPTO_EXPORT SECStatus CloseSoftwareNSSDB(PK11SlotInfo* slot); 43 44 // A helper class that acquires the SECMOD list read lock while the 45 // AutoSECMODListReadLock is in scope. 46 class CRYPTO_EXPORT AutoSECMODListReadLock { 47 public: 48 AutoSECMODListReadLock(); 49 50 AutoSECMODListReadLock(const AutoSECMODListReadLock&) = delete; 51 AutoSECMODListReadLock& operator=(const AutoSECMODListReadLock&) = delete; 52 53 ~AutoSECMODListReadLock(); 54 55 private: 56 raw_ptr<SECMODListLock> lock_; 57 }; 58 59 #if BUILDFLAG(IS_CHROMEOS_ASH) && !BUILDFLAG(IS_MINIMAL_TOOLCHAIN) 60 // Returns path to the NSS database file in the provided profile 61 // directory. 62 CRYPTO_EXPORT base::FilePath GetSoftwareNSSDBPath( 63 const base::FilePath& profile_directory_path); 64 65 // Returns a reference to the system-wide TPM slot (or nullptr if it will never 66 // be loaded). 67 CRYPTO_EXPORT void GetSystemNSSKeySlot( 68 base::OnceCallback<void(ScopedPK11Slot)> callback); 69 70 // Injects the given |slot| as a system slot set by the future 71 // |InitializeTPMTokenAndSystemSlot| call. 72 CRYPTO_EXPORT void PrepareSystemSlotForTesting(ScopedPK11Slot slot); 73 74 // Attempt to unset the testing system slot. 75 // Note: After this method is called, the system is in an undefined state; it is 76 // NOT possible to call `PrepareSystemSlotForTesting()` and have it return to a 77 // known-good state. The primary purpose is to attempt to release system 78 // resources, such as file handles, to allow the cleanup of files on disk, but 79 // because of the process-wide effect, it's not possible to unwind any/all 80 // initialization that depended on this previously-configured system slot. 81 CRYPTO_EXPORT void ResetSystemSlotForTesting(); 82 83 // Reset the global ChromeOSTokenManager. This is used between tests, so 84 // tests that run in the same process won't hit DCHECKS because they have 85 // different BrowserIO threads. 86 CRYPTO_EXPORT void ResetTokenManagerForTesting(); 87 88 // Prepare per-user NSS slot mapping. It is safe to call this function multiple 89 // times. Returns true if the user was added, or false if it already existed. 90 // Loads the database from `path` to use as a public slot. 91 CRYPTO_EXPORT bool InitializeNSSForChromeOSUser( 92 const std::string& username_hash, 93 const base::FilePath& path); 94 95 // Prepare per-user NSS slot mapping. It is safe to call this function multiple 96 // times. Returns true if the user was added, or false if it already existed. 97 CRYPTO_EXPORT bool InitializeNSSForChromeOSUserWithSlot( 98 const std::string& username_hash, 99 ScopedPK11Slot public_slot); 100 101 // Returns whether TPM for ChromeOS user still needs initialization. If 102 // true is returned, the caller can proceed to initialize TPM slot for the 103 // user, but should call |WillInitializeTPMForChromeOSUser| first. 104 // |InitializeNSSForChromeOSUser| must have been called first. 105 [[nodiscard]] CRYPTO_EXPORT bool ShouldInitializeTPMForChromeOSUser( 106 const std::string& username_hash); 107 108 // Makes |ShouldInitializeTPMForChromeOSUser| start returning false. 109 // Should be called before starting TPM initialization for the user. 110 // Assumes |InitializeNSSForChromeOSUser| had already been called. 111 CRYPTO_EXPORT void WillInitializeTPMForChromeOSUser( 112 const std::string& username_hash); 113 114 // Use TPM slot |slot_id| for user. InitializeNSSForChromeOSUser must have been 115 // called first. 116 CRYPTO_EXPORT void InitializeTPMForChromeOSUser( 117 const std::string& username_hash, 118 CK_SLOT_ID slot_id); 119 120 // Use the software slot as the private slot for user. 121 // InitializeNSSForChromeOSUser must have been called first. 122 CRYPTO_EXPORT void InitializePrivateSoftwareSlotForChromeOSUser( 123 const std::string& username_hash); 124 125 // Returns a reference to the public slot for user. 126 [[nodiscard]] CRYPTO_EXPORT ScopedPK11Slot 127 GetPublicSlotForChromeOSUser(const std::string& username_hash); 128 129 // Returns the private slot for |username_hash| if it is loaded. If it is not 130 // loaded and |callback| is non-null, the |callback| will be run once the slot 131 // is loaded. 132 [[nodiscard]] CRYPTO_EXPORT ScopedPK11Slot GetPrivateSlotForChromeOSUser( 133 const std::string& username_hash, 134 base::OnceCallback<void(ScopedPK11Slot)> callback); 135 136 // Closes the NSS DB for |username_hash| that was previously opened by the 137 // *Initialize*ForChromeOSUser functions. 138 CRYPTO_EXPORT void CloseChromeOSUserForTesting( 139 const std::string& username_hash); 140 141 // Sets the slot which should be used as private slot for the next 142 // |InitializePrivateSoftwareSlotForChromeOSUser| called. This is intended for 143 // simulating a separate private slot in Chrome OS browser tests. 144 // As a sanity check, it is recommended to check that the private slot of the 145 // profile's certificate database is set to |slot| when the profile is 146 // available, because |slot| will be used as private slot for whichever profile 147 // is initialized next. 148 CRYPTO_EXPORT void SetPrivateSoftwareSlotForChromeOSUserForTesting( 149 ScopedPK11Slot slot); 150 151 #endif // BUILDFLAG(IS_CHROMEOS_ASH) && !BUILDFLAG(IS_MINIMAL_TOOLCHAIN) 152 153 // Loads the given module for this NSS session. 154 SECMODModule* LoadNSSModule(const char* name, 155 const char* library_path, 156 const char* params); 157 158 // Returns the current NSS error message. 159 std::string GetNSSErrorMessage(); 160 161 } // namespace crypto 162 163 #endif // CRYPTO_NSS_UTIL_INTERNAL_H_ 164