File: nss_util_internal.h

package info (click to toggle)
chromium 120.0.6099.224-1~deb11u1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 6,112,112 kB
  • sloc: cpp: 32,907,025; ansic: 8,148,123; javascript: 3,679,536; python: 2,031,248; asm: 959,718; java: 804,675; xml: 617,256; sh: 111,417; objc: 100,835; perl: 88,443; cs: 53,032; makefile: 29,579; fortran: 24,137; php: 21,162; tcl: 21,147; sql: 20,809; ruby: 17,735; pascal: 12,864; yacc: 8,045; lisp: 3,388; lex: 1,323; ada: 727; awk: 329; jsp: 267; csh: 117; exp: 43; sed: 37
file content (156 lines) | stat: -rw-r--r-- 6,591 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
 
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CRYPTO_NSS_UTIL_INTERNAL_H_
#define CRYPTO_NSS_UTIL_INTERNAL_H_

#include <secmodt.h>

#include <string>

#include "base/functional/callback.h"
#include "base/memory/raw_ptr.h"
#include "build/chromeos_buildflags.h"
#include "components/nacl/common/buildflags.h"
#include "crypto/crypto_export.h"
#include "crypto/scoped_nss_types.h"

namespace base {
class FilePath;
}

// These functions return a type defined in an NSS header, and so cannot be
// declared in nss_util.h.  Hence, they are declared here.

namespace crypto {

// Opens an NSS software database in folder `path`, with the (potentially)
// user-visible description `description`. Returns the slot for the opened
// database, or nullptr if the database could not be opened. Can be called
// multiple times for the same `path`, thread-safe.
CRYPTO_EXPORT ScopedPK11Slot OpenSoftwareNSSDB(const base::FilePath& path,
                                               const std::string& description);

// Closes the underlying database for the `slot`. All remaining slots
// referencing the same database will remain valid objects, but won't be able to
// successfully retrieve certificates, etc. Should be used for all databases
// that were opened with `OpenSoftwareNSSDB` (instead of `SECMOD_CloseUserDB`).
// Can be called multiple times. Returns `SECSuccess` if the database was
// successfully closed, returns `SECFailure` if it was never opened, was already
// closed by an earlier call, or failed to close. Thread-safe.
CRYPTO_EXPORT SECStatus CloseSoftwareNSSDB(PK11SlotInfo* slot);

// A helper class that acquires the SECMOD list read lock while the
// AutoSECMODListReadLock is in scope.
class CRYPTO_EXPORT AutoSECMODListReadLock {
 public:
  AutoSECMODListReadLock();

  AutoSECMODListReadLock(const AutoSECMODListReadLock&) = delete;
  AutoSECMODListReadLock& operator=(const AutoSECMODListReadLock&) = delete;

  ~AutoSECMODListReadLock();

 private:
  raw_ptr<SECMODListLock> lock_;
};

#if BUILDFLAG(IS_CHROMEOS_ASH) && !BUILDFLAG(IS_MINIMAL_TOOLCHAIN)
// Returns path to the NSS database file in the provided profile
// directory.
CRYPTO_EXPORT base::FilePath GetSoftwareNSSDBPath(
    const base::FilePath& profile_directory_path);

// Returns a reference to the system-wide TPM slot (or nullptr if it will never
// be loaded).
CRYPTO_EXPORT void GetSystemNSSKeySlot(
    base::OnceCallback<void(ScopedPK11Slot)> callback);

// Injects the given |slot| as a system slot set by the future
// |InitializeTPMTokenAndSystemSlot| call.
CRYPTO_EXPORT void PrepareSystemSlotForTesting(ScopedPK11Slot slot);

// Attempt to unset the testing system slot.
// Note: After this method is called, the system is in an undefined state; it is
// NOT possible to call `PrepareSystemSlotForTesting()` and have it return to a
// known-good state. The primary purpose is to attempt to release system
// resources, such as file handles, to allow the cleanup of files on disk, but
// because of the process-wide effect, it's not possible to unwind any/all
// initialization that depended on this previously-configured system slot.
CRYPTO_EXPORT void ResetSystemSlotForTesting();

// Reset the global ChromeOSTokenManager. This is used between tests, so
// tests that run in the same process won't hit DCHECKS because they have
// different BrowserIO threads.
CRYPTO_EXPORT void ResetTokenManagerForTesting();

// Prepare per-user NSS slot mapping. It is safe to call this function multiple
// times. Returns true if the user was added, or false if it already existed.
CRYPTO_EXPORT bool InitializeNSSForChromeOSUser(
    const std::string& username_hash,
    const base::FilePath& path);

// Returns whether TPM for ChromeOS user still needs initialization. If
// true is returned, the caller can proceed to initialize TPM slot for the
// user, but should call |WillInitializeTPMForChromeOSUser| first.
// |InitializeNSSForChromeOSUser| must have been called first.
[[nodiscard]] CRYPTO_EXPORT bool ShouldInitializeTPMForChromeOSUser(
    const std::string& username_hash);

// Makes |ShouldInitializeTPMForChromeOSUser| start returning false.
// Should be called before starting TPM initialization for the user.
// Assumes |InitializeNSSForChromeOSUser| had already been called.
CRYPTO_EXPORT void WillInitializeTPMForChromeOSUser(
    const std::string& username_hash);

// Use TPM slot |slot_id| for user.  InitializeNSSForChromeOSUser must have been
// called first.
CRYPTO_EXPORT void InitializeTPMForChromeOSUser(
    const std::string& username_hash,
    CK_SLOT_ID slot_id);

// Use the software slot as the private slot for user.
// InitializeNSSForChromeOSUser must have been called first.
CRYPTO_EXPORT void InitializePrivateSoftwareSlotForChromeOSUser(
    const std::string& username_hash);

// Returns a reference to the public slot for user.
[[nodiscard]] CRYPTO_EXPORT ScopedPK11Slot
GetPublicSlotForChromeOSUser(const std::string& username_hash);

// Returns the private slot for |username_hash| if it is loaded. If it is not
// loaded and |callback| is non-null, the |callback| will be run once the slot
// is loaded.
[[nodiscard]] CRYPTO_EXPORT ScopedPK11Slot GetPrivateSlotForChromeOSUser(
    const std::string& username_hash,
    base::OnceCallback<void(ScopedPK11Slot)> callback);

// Closes the NSS DB for |username_hash| that was previously opened by the
// *Initialize*ForChromeOSUser functions.
CRYPTO_EXPORT void CloseChromeOSUserForTesting(
    const std::string& username_hash);

// Sets the slot which should be used as private slot for the next
// |InitializePrivateSoftwareSlotForChromeOSUser| called. This is intended for
// simulating a separate private slot in Chrome OS browser tests.
// As a sanity check, it is recommended to check that the private slot of the
// profile's certificate database is set to |slot| when the profile is
// available, because |slot| will be used as private slot for whichever profile
// is initialized next.
CRYPTO_EXPORT void SetPrivateSoftwareSlotForChromeOSUserForTesting(
    ScopedPK11Slot slot);

#endif  // BUILDFLAG(IS_CHROMEOS_ASH) && !BUILDFLAG(IS_MINIMAL_TOOLCHAIN)

// Loads the given module for this NSS session.
SECMODModule* LoadNSSModule(const char* name,
                            const char* library_path,
                            const char* params);

// Returns the current NSS error message.
std::string GetNSSErrorMessage();

}  // namespace crypto

#endif  // CRYPTO_NSS_UTIL_INTERNAL_H_