1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CRYPTO_NSS_UTIL_INTERNAL_H_
6 #define CRYPTO_NSS_UTIL_INTERNAL_H_
12 #include "base/callback.h"
13 #include "base/compiler_specific.h"
14 #include "base/macros.h"
15 #include "build/chromeos_buildflags.h"
16 #include "crypto/crypto_export.h"
17 #include "crypto/scoped_nss_types.h"
23 // These functions return a type defined in an NSS header, and so cannot be
24 // declared in nss_util.h. Hence, they are declared here.
28 // Opens an NSS software database in folder |path|, with the (potentially)
29 // user-visible description |description|. Returns the slot for the opened
30 // database, or nullptr if the database could not be opened.
31 CRYPTO_EXPORT ScopedPK11Slot OpenSoftwareNSSDB(const base::FilePath& path,
32 const std::string& description);
34 // A helper class that acquires the SECMOD list read lock while the
35 // AutoSECMODListReadLock is in scope.
36 class CRYPTO_EXPORT AutoSECMODListReadLock {
38 AutoSECMODListReadLock();
39 ~AutoSECMODListReadLock();
42 SECMODListLock* lock_;
43 DISALLOW_COPY_AND_ASSIGN(AutoSECMODListReadLock);
46 #if BUILDFLAG(IS_CHROMEOS_ASH)
47 // Returns path to the NSS database file in the provided profile
49 CRYPTO_EXPORT base::FilePath GetSoftwareNSSDBPath(
50 const base::FilePath& profile_directory_path);
52 // Returns a reference to the system-wide TPM slot if it is loaded. If it is not
53 // loaded and |callback| is non-null, the |callback| will be run once the slot
55 CRYPTO_EXPORT ScopedPK11Slot GetSystemNSSKeySlot(
56 base::OnceCallback<void(ScopedPK11Slot)> callback) WARN_UNUSED_RESULT;
58 // Sets the test system slot to |slot|, which means that |slot| will be exposed
59 // through |GetSystemNSSKeySlot| and |IsTPMTokenReady| will return true.
60 // |InitializeTPMTokenAndSystemSlot|, which triggers the TPM initialization,
61 // does not have to be called if the test system slot is set.
62 // This must must not be called consecutively with a |slot| != nullptr. If
63 // |slot| is nullptr, the test system slot is unset.
64 CRYPTO_EXPORT void SetSystemKeySlotForTesting(ScopedPK11Slot slot);
66 // Injects the given |slot| as a system slot set by the future
67 // |InitializeTPMTokenAndSystemSlot| call.
68 // This must must not be called consecutively with a |slot| != nullptr. If
69 // |slot| is nullptr and the system slot is already initialized to the
70 // previously passed test value, the system slot is unset.
71 CRYPTO_EXPORT void SetSystemKeySlotWithoutInitializingTPMForTesting(
74 // Prepare per-user NSS slot mapping. It is safe to call this function multiple
75 // times. Returns true if the user was added, or false if it already existed.
76 CRYPTO_EXPORT bool InitializeNSSForChromeOSUser(
77 const std::string& username_hash,
78 const base::FilePath& path);
80 // Returns whether TPM for ChromeOS user still needs initialization. If
81 // true is returned, the caller can proceed to initialize TPM slot for the
82 // user, but should call |WillInitializeTPMForChromeOSUser| first.
83 // |InitializeNSSForChromeOSUser| must have been called first.
84 CRYPTO_EXPORT bool ShouldInitializeTPMForChromeOSUser(
85 const std::string& username_hash) WARN_UNUSED_RESULT;
87 // Makes |ShouldInitializeTPMForChromeOSUser| start returning false.
88 // Should be called before starting TPM initialization for the user.
89 // Assumes |InitializeNSSForChromeOSUser| had already been called.
90 CRYPTO_EXPORT void WillInitializeTPMForChromeOSUser(
91 const std::string& username_hash);
93 // Use TPM slot |slot_id| for user. InitializeNSSForChromeOSUser must have been
95 CRYPTO_EXPORT void InitializeTPMForChromeOSUser(
96 const std::string& username_hash,
99 // Use the software slot as the private slot for user.
100 // InitializeNSSForChromeOSUser must have been called first.
101 CRYPTO_EXPORT void InitializePrivateSoftwareSlotForChromeOSUser(
102 const std::string& username_hash);
104 // Returns a reference to the public slot for user.
105 CRYPTO_EXPORT ScopedPK11Slot GetPublicSlotForChromeOSUser(
106 const std::string& username_hash) WARN_UNUSED_RESULT;
108 // Returns the private slot for |username_hash| if it is loaded. If it is not
109 // loaded and |callback| is non-null, the |callback| will be run once the slot
111 CRYPTO_EXPORT ScopedPK11Slot GetPrivateSlotForChromeOSUser(
112 const std::string& username_hash,
113 base::OnceCallback<void(ScopedPK11Slot)> callback) WARN_UNUSED_RESULT;
115 // Closes the NSS DB for |username_hash| that was previously opened by the
116 // *Initialize*ForChromeOSUser functions.
117 CRYPTO_EXPORT void CloseChromeOSUserForTesting(
118 const std::string& username_hash);
120 // Sets the slot which should be used as private slot for the next
121 // |InitializePrivateSoftwareSlotForChromeOSUser| called. This is intended for
122 // simulating a separate private slot in Chrome OS browser tests.
123 // As a sanity check, it is recommended to check that the private slot of the
124 // profile's certificate database is set to |slot| when the profile is
125 // available, because |slot| will be used as private slot for whichever profile
126 // is initialized next.
127 CRYPTO_EXPORT void SetPrivateSoftwareSlotForChromeOSUserForTesting(
128 ScopedPK11Slot slot);
130 #endif // BUILDFLAG(IS_CHROMEOS_ASH)
132 // Loads the given module for this NSS session.
133 SECMODModule* LoadNSSModule(const char* name,
134 const char* library_path,
137 // Returns the current NSS error message.
138 std::string GetNSSErrorMessage();
140 } // namespace crypto
142 #endif // CRYPTO_NSS_UTIL_INTERNAL_H_