chromium/src
0
Fork 0
Code Activity

Extract ScopedTestNSSDB from nss_util.

Browse Source 
Before ScopedTestNSSDB affected several slot getters from nss_util.h .
This change reduces ScopedTestNSSDB to solely setup a temporary test DB and not influencing the global state in nss_util anymore.

As a replacement for some of its old behavior, a new ScopedTestSystemNSSKeySlot is added, which allows to override the slot returned by GetSystemNSSKeySlot().

With this change it's now possible to write tests that need both a user and system NSS DB by using ScopedTestSystemNSSKeySlot.

As a side-effect, GetPersistentNSSKeySlot() is now compiled on !OS_CHROMEOS only.

BUG=210525
(For include changes:)

R=rsleevi@chromium.org
TBR=nkostylev@chromium.org, stevenjb@chromium.org

Review URL: https://codereview.chromium.org/401623006

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285881 0039d316-1c4b-4281-b951-d872f2087c98
This commit is contained in:
pneubeck@chromium.org
2014-07-28 09:56:51 +00:00
parent a017c66088
commit 190933f291
32 changed files with 425 additions and 209 deletions

2
chrome/browser/chromeos/login/auth/parallel_authenticator_unittest.cc

@ -37,8 +37,8 @@
#include "chromeos/login/auth/user_context.h"
#include "components/user_manager/user.h"
#include "content/public/test/test_browser_thread_bundle.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "google_apis/gaia/mock_url_fetcher_factory.h"
#include "net/base/net_errors.h"
#include "net/url_request/url_request_status.h"

2
chrome/browser/chromeos/net/cert_verify_proc_chromeos_unittest.cc

@ -4,8 +4,8 @@
#include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
#include "net/cert/cert_verify_proc.h"

2
chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc

@ -13,8 +13,8 @@
#include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/test/test_browser_thread_bundle.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/net_log.h"
#include "net/base/test_completion_callback.h"
#include "net/base/test_data_directory.h"

9
chrome/chrome_browser.gypi

@ -1835,8 +1835,8 @@
'browser/certificate_manager_model.cc',
'browser/certificate_manager_model.h',
'browser/net/nss_context.cc',
'browser/net/nss_context_chromeos.cc',
'browser/net/nss_context.h',
'browser/net/nss_context_chromeos.cc',
'browser/net/nss_context_linux.cc',
'third_party/mozilla_security_manager/nsNSSCertHelper.cpp',
'third_party/mozilla_security_manager/nsNSSCertHelper.h',
@ -3234,6 +3234,13 @@
}],
['use_nss==1', {
'sources': [ '<@(chrome_browser_nss_sources)' ],
'conditions': [
['chromeos==1', {
'sources!': [ 'browser/net/nss_context_linux.cc' ],
}, { # chromeos==0
'sources!': [ 'browser/net/nss_context_chromeos.cc' ],
}],
],
}],
['notifications==1', {
'sources': [ '<@(chrome_browser_notifications_sources)' ],

1
chrome/chrome_tests.gypi

@ -796,6 +796,7 @@
'../components/components.gyp:translate_core_common',
'../components/components_resources.gyp:components_resources',
'../components/components_strings.gyp:components_strings',
'../crypto/crypto.gyp:crypto_test_support',
'../device/bluetooth/bluetooth.gyp:device_bluetooth_mocks',
'../device/serial/serial.gyp:device_serial_test_util',
'../extensions/common/api/api.gyp:extensions_api',

1
chrome/chrome_tests_unit.gypi

@ -490,6 +490,7 @@
'../components/components_resources.gyp:components_resources',
'../content/content_shell_and_tests.gyp:test_support_content',
'../content/content.gyp:content_app_both',
'../crypto/crypto.gyp:crypto_test_support',
'../net/net.gyp:net',
'../net/net.gyp:net_test_support',
'../sync/sync.gyp:test_support_sync_api',

24
chrome/common/net/x509_certificate_model_unittest.cc

@ -11,7 +11,7 @@
#include "testing/gtest/include/gtest/gtest.h"
#if defined(USE_NSS)
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_db.h"
#include "net/cert/nss_cert_database.h"
#endif
@ -224,12 +224,11 @@ TEST(X509CertificateModelTest, GetTypeCA) {
EXPECT_EQ(net::CA_CERT,
x509_certificate_model::GetType(cert->os_cert_handle()));
// Additional parantheses required to disambiguate from function declaration.
net::NSSCertDatabase db(
(crypto::ScopedPK11Slot(
crypto::GetPersistentNSSKeySlot())) /* public slot */,
crypto::ScopedPK11Slot(
crypto::GetPersistentNSSKeySlot()) /* private lot */);
crypto::ScopedTestNSSDB test_nssdb;
net::NSSCertDatabase db(crypto::ScopedPK11Slot(PK11_ReferenceSlot(
test_nssdb.slot())) /* public slot */,
crypto::ScopedPK11Slot(PK11_ReferenceSlot(
test_nssdb.slot())) /* private slot */);
// Test that explicitly distrusted CA certs are still returned as CA_CERT
// type. See http://crbug.com/96654.
@ -259,12 +258,11 @@ TEST(X509CertificateModelTest, GetTypeServer) {
EXPECT_EQ(net::OTHER_CERT,
x509_certificate_model::GetType(cert->os_cert_handle()));
// Additional parantheses required to disambiguate from function declaration.
net::NSSCertDatabase db(
(crypto::ScopedPK11Slot(
crypto::GetPersistentNSSKeySlot())) /* public slot */,
crypto::ScopedPK11Slot(
crypto::GetPersistentNSSKeySlot()) /* private lot */);
crypto::ScopedTestNSSDB test_nssdb;
net::NSSCertDatabase db(crypto::ScopedPK11Slot(PK11_ReferenceSlot(
test_nssdb.slot())) /* public slot */,
crypto::ScopedPK11Slot(PK11_ReferenceSlot(
test_nssdb.slot())) /* private slot */);
// Test GetCertType with server certs and explicit trust.
EXPECT_TRUE(db.SetCertTrust(

2
chromeos/cert_loader_unittest.cc

@ -9,9 +9,9 @@
#include "base/memory/scoped_ptr.h"
#include "base/message_loop/message_loop.h"
#include "base/run_loop.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
#include "net/cert/nss_cert_database_chromeos.h"

1
chromeos/chromeos.gyp

@ -511,6 +511,7 @@
'../build/linux/system.gyp:ssl',
'../components/components.gyp:onc_component',
'../crypto/crypto.gyp:crypto',
'../crypto/crypto.gyp:crypto_test_support',
'../dbus/dbus.gyp:dbus_test_support',
'../net/net.gyp:net',
'../net/net.gyp:net_test_support',

2
chromeos/network/client_cert_resolver_unittest.cc

@ -23,8 +23,8 @@
#include "chromeos/network/network_state_handler.h"
#include "chromeos/tpm_token_loader.h"
#include "components/onc/onc_constants.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/crypto_module.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"

2
chromeos/network/network_cert_migrator_unittest.cc

@ -14,8 +14,8 @@
#include "chromeos/dbus/shill_service_client.h"
#include "chromeos/network/network_state_handler.h"
#include "chromeos/tpm_token_loader.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/crypto_module.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"

2
chromeos/network/network_connection_handler_unittest.cc

@ -25,8 +25,8 @@
#include "chromeos/network/onc/onc_utils.h"
#include "chromeos/tpm_token_loader.h"
#include "components/onc/onc_constants.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
#include "net/cert/nss_cert_database_chromeos.h"

2
chromeos/network/onc/onc_certificate_importer_impl_unittest.cc

@ -16,8 +16,8 @@
#include "base/values.h"
#include "chromeos/network/onc/onc_test_utils.h"
#include "components/onc/onc_constants.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/crypto_module.h"
#include "net/cert/cert_type.h"
#include "net/cert/nss_cert_database_chromeos.h"

34
crypto/BUILD.gn

@ -131,6 +131,7 @@ component("crypto") {
"hmac_nss.cc",
"nss_util.cc",
"nss_util.h",
"nss_util_internal.h",
"rsa_private_key_nss.cc",
"secure_hash_default.cc",
"signature_creator_nss.cc",
@ -229,6 +230,7 @@ test("crypto_unittests") {
deps = [
":crypto",
":platform",
":test_support",
"//base",
"//base/test:run_all_unittests",
"//base/test:test_support",
@ -237,6 +239,38 @@ test("crypto_unittests") {
]
}
source_set("test_support") {
sources = [
"scoped_test_nss_db.cc",
"scoped_test_nss_db.h",
"scoped_test_nss_chromeos_user.cc",
"scoped_test_nss_chromeos_user.h",
"scoped_test_system_nss_key_slot.cc",
"scoped_test_system_nss_key_slot.h",
]
deps = [
":crypto",
":platform",
"//base",
]
if (!use_nss_certs) {
sources -= [
"scoped_test_nss_db.cc",
"scoped_test_nss_db.h",
]
}
if (!is_chromeos) {
sources -= [
"scoped_test_nss_chromeos_user.cc",
"scoped_test_nss_chromeos_user.h",
"scoped_test_system_nss_key_slot.cc",
"scoped_test_system_nss_key_slot.h",
]
}
}
# This is a meta-target that forwards to NSS's SSL library or OpenSSL,
# according to the state of the crypto flags. A target just wanting to depend
# on the current SSL library should just depend on this.

44
crypto/crypto.gyp

@ -111,6 +111,7 @@
'hmac_nss.cc',
'nss_util.cc',
'nss_util.h',
'nss_util_internal.h',
'rsa_private_key_nss.cc',
'secure_hash_default.cc',
'signature_creator_nss.cc',
@ -174,6 +175,7 @@
],
'dependencies': [
'crypto',
'crypto_test_support',
'../base/base.gyp:base',
'../base/base.gyp:run_all_unittests',
'../base/base.gyp:test_support_base',
@ -254,5 +256,47 @@
},
],
}],
['use_nss==1', {
'targets': [
{
'target_name': 'crypto_test_support',
'type': 'static_library',
'dependencies': [
'../base/base.gyp:base',
'crypto',
],
'sources': [
'scoped_test_nss_db.cc',
'scoped_test_nss_db.h',
'scoped_test_nss_chromeos_user.cc',
'scoped_test_nss_chromeos_user.h',
'scoped_test_system_nss_key_slot.cc',
'scoped_test_system_nss_key_slot.h',
],
'conditions': [
['use_nss==0', {
'sources!': [
'scoped_test_nss_db.cc',
'scoped_test_nss_db.h',
],
}],
[ 'chromeos==0', {
'sources!': [
'scoped_test_nss_chromeos_user.cc',
'scoped_test_nss_chromeos_user.h',
'scoped_test_system_nss_key_slot.cc',
'scoped_test_system_nss_key_slot.h',
],
}],
],
}
]}, { # use_nss==0
'targets': [
{
'target_name': 'crypto_test_support',
'type': 'none',
'sources': [],
}
]}],
],
}

174
crypto/nss_util.cc

@ -198,12 +198,6 @@ class NSPRInitSingleton {
base::LazyInstance<NSPRInitSingleton>::Leaky
g_nspr_singleton = LAZY_INSTANCE_INITIALIZER;
// This is a LazyInstance so that it will be deleted automatically when the
// unittest exits. NSSInitSingleton is a LeakySingleton, so it would not be
// deleted if it were a regular member.
base::LazyInstance<base::ScopedTempDir> g_test_nss_db_dir =
LAZY_INSTANCE_INITIALIZER;
// Force a crash with error info on NSS_NoDB_Init failure.
void CrashOnNSSInitFailure() {
int nss_error = PR_GetError();
@ -287,8 +281,8 @@ class NSSInitSingleton {
PK11SlotInfo* tpm_slot;
};
PK11SlotInfo* OpenPersistentNSSDBForPath(const std::string& db_name,
const base::FilePath& path) {
ScopedPK11Slot OpenPersistentNSSDBForPath(const std::string& db_name,
const base::FilePath& path) {
DCHECK(thread_checker_.CalledOnValidThread());
// NSS is allowed to do IO on the current thread since dispatching
// to a dedicated thread would still have the affect of blocking
@ -298,9 +292,9 @@ class NSSInitSingleton {
base::FilePath nssdb_path = path.AppendASCII(".pki").AppendASCII("nssdb");
if (!base::CreateDirectory(nssdb_path)) {
LOG(ERROR) << "Failed to create " << nssdb_path.value() << " directory.";
return NULL;
return ScopedPK11Slot();
}
return OpenUserDB(nssdb_path, db_name);
return OpenSoftwareNSSDB(nssdb_path, db_name);
}
void EnableTPMTokenForNSS() {
@ -393,10 +387,10 @@ class NSSInitSingleton {
chaps_module_ = tpm_args->chaps_module;
tpm_slot_ = tpm_args->tpm_slot;
if (!chaps_module_ && test_slot_) {
if (!chaps_module_ && test_system_slot_) {
// chromeos_unittests try to test the TPM initialization process. If we
// have a test DB open, pretend that it is the TPM slot.
tpm_slot_ = PK11_ReferenceSlot(test_slot_);
tpm_slot_ = PK11_ReferenceSlot(test_system_slot_.get());
}
initializing_tpm_token_ = false;
@ -463,12 +457,6 @@ class NSSInitSingleton {
return false;
}
// If test slot is set, slot getter methods will short circuit
// checking |chromeos_user_map_|, so there is nothing left to be
// initialized.
if (test_slot_)
return false;
DVLOG(2) << "Opening NSS DB " << path.value();
std::string db_name = base::StringPrintf(
"%s %s", kUserNSSDatabaseName, username_hash.c_str());
@ -551,11 +539,6 @@ class NSSInitSingleton {
return ScopedPK11Slot();
}
if (test_slot_) {
DVLOG(2) << "returning test_slot_ for " << username_hash;
return ScopedPK11Slot(PK11_ReferenceSlot(test_slot_));
}
if (chromeos_user_map_.find(username_hash) == chromeos_user_map_.end()) {
LOG(ERROR) << username_hash << " not initialized.";
return ScopedPK11Slot();
@ -579,56 +562,26 @@ class NSSInitSingleton {
DCHECK(chromeos_user_map_.find(username_hash) != chromeos_user_map_.end());
if (test_slot_) {
DVLOG(2) << "returning test_slot_ for " << username_hash;
return ScopedPK11Slot(PK11_ReferenceSlot(test_slot_));
}
return chromeos_user_map_[username_hash]->GetPrivateSlot(callback);
}
void CloseTestChromeOSUser(const std::string& username_hash) {
void CloseChromeOSUserForTesting(const std::string& username_hash) {
DCHECK(thread_checker_.CalledOnValidThread());
ChromeOSUserMap::iterator i = chromeos_user_map_.find(username_hash);
DCHECK(i != chromeos_user_map_.end());
delete i->second;
chromeos_user_map_.erase(i);
}
void SetSystemKeySlotForTesting(ScopedPK11Slot slot) {
// Ensure that a previous value of test_system_slot_ is not overwritten.
// Unsetting, i.e. setting a NULL, however is allowed.
DCHECK(!slot || !test_system_slot_);
test_system_slot_ = slot.Pass();
}
#endif // defined(OS_CHROMEOS)
bool OpenTestNSSDB() {
DCHECK(thread_checker_.CalledOnValidThread());
// NSS is allowed to do IO on the current thread since dispatching
// to a dedicated thread would still have the affect of blocking
// the current thread, due to NSS's internal locking requirements
base::ThreadRestrictions::ScopedAllowIO allow_io;
if (test_slot_)
return true;
if (!g_test_nss_db_dir.Get().CreateUniqueTempDir())
return false;
test_slot_ = OpenUserDB(g_test_nss_db_dir.Get().path(), kTestTPMTokenName);
return !!test_slot_;
}
void CloseTestNSSDB() {
DCHECK(thread_checker_.CalledOnValidThread());
// NSS is allowed to do IO on the current thread since dispatching
// to a dedicated thread would still have the affect of blocking
// the current thread, due to NSS's internal locking requirements
base::ThreadRestrictions::ScopedAllowIO allow_io;
if (!test_slot_)
return;
SECStatus status = SECMOD_CloseUserDB(test_slot_);
if (status != SECSuccess)
PLOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError();
PK11_FreeSlot(test_slot_);
test_slot_ = NULL;
ignore_result(g_test_nss_db_dir.Get().Delete());
}
#if !defined(OS_CHROMEOS)
PK11SlotInfo* GetPersistentNSSKeySlot() {
// TODO(mattm): Change to DCHECK when callers have been fixed.
if (!thread_checker_.CalledOnValidThread()) {
@ -636,18 +589,14 @@ class NSSInitSingleton {
<< base::debug::StackTrace().ToString();
}
if (test_slot_)
return PK11_ReferenceSlot(test_slot_);
return PK11_GetInternalKeySlot();
}
#endif
#if defined(OS_CHROMEOS)
PK11SlotInfo* GetSystemNSSKeySlot() {
DCHECK(thread_checker_.CalledOnValidThread());
if (test_slot_)
return PK11_ReferenceSlot(test_slot_);
// TODO(mattm): chromeos::TPMTokenloader always calls
// InitializeTPMTokenAndSystemSlot with slot 0. If the system slot is
// disabled, tpm_slot_ will be the first user's slot instead. Can that be
@ -679,7 +628,6 @@ class NSSInitSingleton {
: tpm_token_enabled_for_nss_(false),
initializing_tpm_token_(false),
chaps_module_(NULL),
test_slot_(NULL),
tpm_slot_(NULL),
root_(NULL) {
base::TimeTicks start_time = base::TimeTicks::Now();
@ -801,7 +749,6 @@ class NSSInitSingleton {
PK11_FreeSlot(tpm_slot_);
tpm_slot_ = NULL;
}
CloseTestNSSDB();
if (root_) {
SECMOD_UnloadUserModule(root_);
SECMOD_DestroyModule(root_);
@ -863,23 +810,6 @@ class NSSInitSingleton {
}
#endif
static PK11SlotInfo* OpenUserDB(const base::FilePath& path,
const std::string& description) {
const std::string modspec =
base::StringPrintf("configDir='sql:%s' tokenDescription='%s'",
path.value().c_str(),
description.c_str());
PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str());
if (db_slot) {
if (PK11_NeedUserInit(db_slot))
PK11_InitPin(db_slot, NULL, NULL);
} else {
LOG(ERROR) << "Error opening persistent database (" << modspec
<< "): " << GetNSSErrorMessage();
}
return db_slot;
}
static void DisableAESNIIfNeeded() {
if (NSS_VersionCheck("3.15") && !NSS_VersionCheck("3.15.4")) {
// Some versions of NSS have a bug that causes AVX instructions to be
@ -903,12 +833,12 @@ class NSSInitSingleton {
typedef std::vector<base::Closure> TPMReadyCallbackList;
TPMReadyCallbackList tpm_ready_callback_list_;
SECMODModule* chaps_module_;
PK11SlotInfo* test_slot_;
PK11SlotInfo* tpm_slot_;
SECMODModule* root_;
#if defined(OS_CHROMEOS)
typedef std::map<std::string, ChromeOSUserData*> ChromeOSUserMap;
ChromeOSUserMap chromeos_user_map_;
ScopedPK11Slot test_system_slot_;
#endif
#if defined(USE_NSS)
// TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011
@ -926,9 +856,24 @@ base::LazyInstance<NSSInitSingleton>::Leaky
g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
} // namespace
const char kTestTPMTokenName[] = "Test DB";
#if defined(USE_NSS)
ScopedPK11Slot OpenSoftwareNSSDB(const base::FilePath& path,
const std::string& description) {
const std::string modspec =
base::StringPrintf("configDir='sql:%s' tokenDescription='%s'",
path.value().c_str(),
description.c_str());
PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str());
if (db_slot) {
if (PK11_NeedUserInit(db_slot))
PK11_InitPin(db_slot, NULL, NULL);
} else {
LOG(ERROR) << "Error opening persistent database (" << modspec
<< "): " << GetNSSErrorMessage();
}
return ScopedPK11Slot(db_slot);
}
void EarlySetupForNSSInit() {
base::FilePath database_dir = GetInitialConfigDirectory();
if (!database_dir.empty())
@ -1027,19 +972,6 @@ bool CheckNSSVersion(const char* version) {
}
#if defined(USE_NSS)
ScopedTestNSSDB::ScopedTestNSSDB()
: is_open_(g_nss_singleton.Get().OpenTestNSSDB()) {
}
ScopedTestNSSDB::~ScopedTestNSSDB() {
// Don't close when NSS is < 3.15.1, because it would require an additional
// sleep for 1 second after closing the database, due to
// http://bugzil.la/875601.
if (NSS_VersionCheck("3.15.1")) {
g_nss_singleton.Get().CloseTestNSSDB();
}
}
base::Lock* GetNSSWriteLock() {
return g_nss_singleton.Get().write_lock();
}
@ -1065,7 +997,6 @@ AutoSECMODListReadLock::AutoSECMODListReadLock()
AutoSECMODListReadLock::~AutoSECMODListReadLock() {
SECMOD_ReleaseReadLock(lock_);
}
#endif // defined(USE_NSS)
#if defined(OS_CHROMEOS)
@ -1073,6 +1004,10 @@ PK11SlotInfo* GetSystemNSSKeySlot() {
return g_nss_singleton.Get().GetSystemNSSKeySlot();
}
void SetSystemKeySlotForTesting(ScopedPK11Slot slot) {
g_nss_singleton.Get().SetSystemKeySlotForTesting(ScopedPK11Slot());
}
void EnableTPMTokenForNSS() {
g_nss_singleton.Get().EnableTPMTokenForNSS();
}
@ -1092,30 +1027,6 @@ void InitializeTPMTokenAndSystemSlot(
callback);
}
ScopedTestNSSChromeOSUser::ScopedTestNSSChromeOSUser(
const std::string& username_hash)
: username_hash_(username_hash), constructed_successfully_(false) {
if (!temp_dir_.CreateUniqueTempDir())
return;
constructed_successfully_ =
InitializeNSSForChromeOSUser(username_hash,
username_hash,
temp_dir_.path());
}
ScopedTestNSSChromeOSUser::~ScopedTestNSSChromeOSUser() {
if (constructed_successfully_)
g_nss_singleton.Get().CloseTestChromeOSUser(username_hash_);
}
void ScopedTestNSSChromeOSUser::FinishInit() {
DCHECK(constructed_successfully_);
if (!ShouldInitializeTPMForChromeOSUser(username_hash_))
return;
WillInitializeTPMForChromeOSUser(username_hash_);
InitializePrivateSoftwareSlotForChromeOSUser(username_hash_);
}
bool InitializeNSSForChromeOSUser(
const std::string& email,
const std::string& username_hash,
@ -1138,20 +1049,27 @@ void InitializeTPMForChromeOSUser(
CK_SLOT_ID slot_id) {
g_nss_singleton.Get().InitializeTPMForChromeOSUser(username_hash, slot_id);
}
void InitializePrivateSoftwareSlotForChromeOSUser(
const std::string& username_hash) {
g_nss_singleton.Get().InitializePrivateSoftwareSlotForChromeOSUser(
username_hash);
}
ScopedPK11Slot GetPublicSlotForChromeOSUser(const std::string& username_hash) {
return g_nss_singleton.Get().GetPublicSlotForChromeOSUser(username_hash);
}
ScopedPK11Slot GetPrivateSlotForChromeOSUser(
const std::string& username_hash,
const base::Callback<void(ScopedPK11Slot)>& callback) {
return g_nss_singleton.Get().GetPrivateSlotForChromeOSUser(username_hash,
callback);
}
void CloseChromeOSUserForTesting(const std::string& username_hash) {
g_nss_singleton.Get().CloseChromeOSUserForTesting(username_hash);
}
#endif // defined(OS_CHROMEOS)
base::Time PRTimeToBaseTime(PRTime prtime) {
@ -1163,8 +1081,10 @@ PRTime BaseTimeToPRTime(base::Time time) {
return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
}
#if !defined(OS_CHROMEOS)
PK11SlotInfo* GetPersistentNSSKeySlot() {
return g_nss_singleton.Get().GetPersistentNSSKeySlot();
}
#endif
} // namespace crypto

42
crypto/nss_util.h

@ -9,7 +9,6 @@
#include "base/basictypes.h"
#include "base/callback.h"
#include "base/compiler_specific.h"
#include "base/files/scoped_temp_dir.h"
#include "crypto/crypto_export.h"
namespace base {
@ -23,9 +22,6 @@ class Time;
// initialization functions.
namespace crypto {
// The TPMToken name used for the NSS slot opened by ScopedTestNSSDB.
CRYPTO_EXPORT extern const char kTestTPMTokenName[];
#if defined(USE_NSS)
// EarlySetupForNSSInit performs lightweight setup which must occur before the
// process goes multithreaded. This does not initialise NSS. For test, see
@ -121,26 +117,6 @@ CRYPTO_EXPORT bool IsTPMTokenReady(const base::Closure& callback)
CRYPTO_EXPORT void InitializeTPMTokenAndSystemSlot(
int system_slot_id,
const base::Callback<void(bool)>& callback);
// Exposed for unittests only.
class CRYPTO_EXPORT_PRIVATE ScopedTestNSSChromeOSUser {
public:
explicit ScopedTestNSSChromeOSUser(const std::string& username_hash);
~ScopedTestNSSChromeOSUser();
std::string username_hash() const { return username_hash_; }
bool constructed_successfully() const { return constructed_successfully_; }
// Completes initialization of user. Causes any waiting private slot callbacks
// to run.
void FinishInit();
private:
const std::string username_hash_;
base::ScopedTempDir temp_dir_;
bool constructed_successfully_;
DISALLOW_COPY_AND_ASSIGN(ScopedTestNSSChromeOSUser);
};
#endif
// Convert a NSS PRTime value into a base::Time object.
@ -152,23 +128,6 @@ CRYPTO_EXPORT base::Time PRTimeToBaseTime(int64 prtime);
CRYPTO_EXPORT int64 BaseTimeToPRTime(base::Time time);
#if defined(USE_NSS)
// Exposed for unittests only.
// TODO(mattm): When NSS 3.14 is the minimum version required,
// switch back to using a separate user DB for each test.
// Because of https://bugzilla.mozilla.org/show_bug.cgi?id=588269 , the
// opened user DB is not automatically closed.
class CRYPTO_EXPORT_PRIVATE ScopedTestNSSDB {
public:
ScopedTestNSSDB();
~ScopedTestNSSDB();
bool is_open() { return is_open_; }
private:
bool is_open_;
DISALLOW_COPY_AND_ASSIGN(ScopedTestNSSDB);
};
// NSS has a bug which can cause a deadlock or stall in some cases when writing
// to the certDB and keyDB. It also has a bug which causes concurrent key pair
// generations to scribble over each other. To work around this, we synchronize
@ -189,7 +148,6 @@ class CRYPTO_EXPORT AutoNSSWriteLock {
base::Lock *lock_;
DISALLOW_COPY_AND_ASSIGN(AutoNSSWriteLock);
};
#endif // defined(USE_NSS)
} // namespace crypto

29
crypto/nss_util_internal.h

@ -21,11 +21,18 @@ class FilePath;
namespace crypto {
// Opens an NSS software database in folder |path|, with the (potentially)
// user-visible description |description|. Returns the slot for the opened
// database, or NULL if the database could not be opened.
CRYPTO_EXPORT_PRIVATE ScopedPK11Slot
OpenSoftwareNSSDB(const base::FilePath& path,
const std::string& description);
#if !defined(OS_CHROMEOS)
// Returns a reference to the default NSS key slot for storing persistent data.
// Caller must release returned reference with PK11_FreeSlot.
// TODO(mattm): this should be if !defined(OS_CHROMEOS), but some tests need to
// be fixed first.
CRYPTO_EXPORT PK11SlotInfo* GetPersistentNSSKeySlot() WARN_UNUSED_RESULT;
#endif
// A helper class that acquires the SECMOD list read lock while the
// AutoSECMODListReadLock is in scope.
@ -40,10 +47,19 @@ class CRYPTO_EXPORT AutoSECMODListReadLock {
};
#if defined(OS_CHROMEOS)
// Returns a reference to the system-wide TPM slot. Caller must release
// returned reference with PK11_FreeSlot.
// Returns a reference to the system-wide TPM slot. Caller must release returned
// reference with PK11_FreeSlot.
CRYPTO_EXPORT PK11SlotInfo* GetSystemNSSKeySlot() WARN_UNUSED_RESULT;
// Sets the test system slot. If this was called before
// InitializeTPMTokenAndSystemSlot and no system token is provided by the Chaps
// module, then this test slot will be used and the initialization continues as
// if Chaps had provided this test slot. In particular, |slot| will be exposed
// by |GetSystemNSSKeySlot| and |IsTPMTokenReady| will return true.
// This must must not be called consecutively with a |slot| != NULL. If |slot|
// is NULL, the test system slot is unset.
CRYPTO_EXPORT_PRIVATE void SetSystemKeySlotForTesting(ScopedPK11Slot slot);
// Prepare per-user NSS slot mapping. It is safe to call this function multiple
// times. Returns true if the user was added, or false if it already existed.
CRYPTO_EXPORT bool InitializeNSSForChromeOSUser(
@ -85,6 +101,11 @@ CRYPTO_EXPORT ScopedPK11Slot GetPublicSlotForChromeOSUser(
CRYPTO_EXPORT ScopedPK11Slot GetPrivateSlotForChromeOSUser(
const std::string& username_hash,
const base::Callback<void(ScopedPK11Slot)>& callback) WARN_UNUSED_RESULT;
// Closes the NSS DB for |username_hash| that was previously opened by the
// *Initialize*ForChromeOSUser functions.
CRYPTO_EXPORT_PRIVATE void CloseChromeOSUserForTesting(
const std::string& username_hash);
#endif // defined(OS_CHROMEOS)
} // namespace crypto

2
crypto/rsa_private_key_nss_unittest.cc

@ -8,7 +8,7 @@
#include <pk11pub.h>
#include "base/memory/scoped_ptr.h"
#include "crypto/nss_util.h"
#include "crypto/scoped_test_nss_db.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace crypto {

37
crypto/scoped_test_nss_chromeos_user.cc Normal file

@ -0,0 +1,37 @@
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "base/logging.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
namespace crypto {
ScopedTestNSSChromeOSUser::ScopedTestNSSChromeOSUser(
const std::string& username_hash)
: username_hash_(username_hash), constructed_successfully_(false) {
if (!temp_dir_.CreateUniqueTempDir())
return;
// This opens a software DB in the given folder. In production code that is in
// the home folder, but for testing the temp folder is used.
constructed_successfully_ = InitializeNSSForChromeOSUser(
username_hash, username_hash, temp_dir_.path());
}
ScopedTestNSSChromeOSUser::~ScopedTestNSSChromeOSUser() {
if (constructed_successfully_)
CloseChromeOSUserForTesting(username_hash_);
}
void ScopedTestNSSChromeOSUser::FinishInit() {
DCHECK(constructed_successfully_);
if (!ShouldInitializeTPMForChromeOSUser(username_hash_))
return;
WillInitializeTPMForChromeOSUser(username_hash_);
InitializePrivateSoftwareSlotForChromeOSUser(username_hash_);
}
} // namespace crypto

43
crypto/scoped_test_nss_chromeos_user.h Normal file

@ -0,0 +1,43 @@
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CRYPTO_SCOPED_TEST_NSS_CHROMEOS_USER_H_
#define CRYPTO_SCOPED_TEST_NSS_CHROMEOS_USER_H_
#include <string>
#include "base/files/scoped_temp_dir.h"
#include "base/macros.h"
#include "crypto/crypto_export.h"
namespace crypto {
// Opens a persistent NSS software database in a temporary directory for the
// user with |username_hash|. This database will be used for both the user's
// public and private slot.
class CRYPTO_EXPORT_PRIVATE ScopedTestNSSChromeOSUser {
public:
// Opens the software database and sets the public slot for the user. The
// private slot will not be initialized until FinishInit() is called.
explicit ScopedTestNSSChromeOSUser(const std::string& username_hash);
~ScopedTestNSSChromeOSUser();
std::string username_hash() const { return username_hash_; }
bool constructed_successfully() const { return constructed_successfully_; }
// Completes initialization of user. Causes any waiting private slot callbacks
// to run, see GetPrivateSlotForChromeOSUser().
void FinishInit();
private:
const std::string username_hash_;
base::ScopedTempDir temp_dir_;
bool constructed_successfully_;
DISALLOW_COPY_AND_ASSIGN(ScopedTestNSSChromeOSUser);
};
} // namespace crypto
#endif // CRYPTO_SCOPED_TEST_NSS_CHROMEOS_USER_H_

48
crypto/scoped_test_nss_db.cc Normal file

@ -0,0 +1,48 @@
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "crypto/scoped_test_nss_db.h"
#include "base/logging.h"
#include "base/threading/thread_restrictions.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
namespace crypto {
ScopedTestNSSDB::ScopedTestNSSDB() {
EnsureNSSInit();
// NSS is allowed to do IO on the current thread since dispatching
// to a dedicated thread would still have the affect of blocking
// the current thread, due to NSS's internal locking requirements
base::ThreadRestrictions::ScopedAllowIO allow_io;
if (!temp_dir_.CreateUniqueTempDir())
return;
const char kTestDescription[] = "Test DB";
slot_ = OpenSoftwareNSSDB(temp_dir_.path(), kTestDescription);
}
ScopedTestNSSDB::~ScopedTestNSSDB() {
// Don't close when NSS is < 3.15.1, because it would require an additional
// sleep for 1 second after closing the database, due to
// http://bugzil.la/875601.
if (!NSS_VersionCheck("3.15.1") || !slot_)
return;
// NSS is allowed to do IO on the current thread since dispatching
// to a dedicated thread would still have the affect of blocking
// the current thread, due to NSS's internal locking requirements
base::ThreadRestrictions::ScopedAllowIO allow_io;
SECStatus status = SECMOD_CloseUserDB(slot_.get());
if (status != SECSuccess)
PLOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError();
if (!temp_dir_.Delete())
LOG(ERROR) << "Could not delete temporary directory.";
}
} // namespace crypto

35
crypto/scoped_test_nss_db.h Normal file

@ -0,0 +1,35 @@
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CRYPTO_SCOPED_TEST_NSS_DB_H_
#define CRYPTO_SCOPED_TEST_NSS_DB_H_
#include "base/files/scoped_temp_dir.h"
#include "base/macros.h"
#include "crypto/crypto_export.h"
#include "crypto/scoped_nss_types.h"
namespace crypto {
// Opens a persistent NSS database in a temporary directory.
// Prior NSS version 3.15.1, because of http://bugzil.la/875601 , the opened DB
// will not be closed automatically.
class CRYPTO_EXPORT_PRIVATE ScopedTestNSSDB {
public:
ScopedTestNSSDB();
~ScopedTestNSSDB();
bool is_open() { return slot_; }
PK11SlotInfo* slot() { return slot_.get(); }
private:
base::ScopedTempDir temp_dir_;
ScopedPK11Slot slot_;
DISALLOW_COPY_AND_ASSIGN(ScopedTestNSSDB);
};
} // namespace crypto
#endif // CRYPTO_SCOPED_TEST_NSS_DB_H_

28
crypto/scoped_test_system_nss_key_slot.cc Normal file

@ -0,0 +1,28 @@
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "crypto/scoped_test_system_nss_key_slot.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_db.h"
namespace crypto {
ScopedTestSystemNSSKeySlot::ScopedTestSystemNSSKeySlot()
: test_db_(new ScopedTestNSSDB) {
if (!test_db_->is_open())
return;
SetSystemKeySlotForTesting(
ScopedPK11Slot(PK11_ReferenceSlot(test_db_->slot())));
}
ScopedTestSystemNSSKeySlot::~ScopedTestSystemNSSKeySlot() {
SetSystemKeySlotForTesting(ScopedPK11Slot());
}
bool ScopedTestSystemNSSKeySlot::ConstructedSuccessfully() const {
return test_db_->is_open();
}
} // namespace crypto

39
crypto/scoped_test_system_nss_key_slot.h Normal file

@ -0,0 +1,39 @@
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CRYPTO_SCOPED_TEST_SYSTEM_NSS_KEY_SLOT_H_
#define CRYPTO_SCOPED_TEST_SYSTEM_NSS_KEY_SLOT_H_
#include "base/macros.h"
#include "base/memory/scoped_ptr.h"
#include "crypto/crypto_export.h"
namespace crypto {
class ScopedTestNSSDB;
// Opens a persistent NSS software database in a temporary directory and sets
// the test system slot to the opened database. This helper should be created in
// tests where no system token is provided by the Chaps module and before
// InitializeTPMTokenAndSystemSlot is called. Then the opened test database will
// be used and the initialization continues as if Chaps had provided this test
// database. In particular, the DB will be exposed by |GetSystemNSSKeySlot| and
// |IsTPMTokenReady| will return true.
// At most one instance of this helper must be used at a time.
class CRYPTO_EXPORT_PRIVATE ScopedTestSystemNSSKeySlot {
public:
explicit ScopedTestSystemNSSKeySlot();
~ScopedTestSystemNSSKeySlot();
bool ConstructedSuccessfully() const;
private:
scoped_ptr<ScopedTestNSSDB> test_db_;
DISALLOW_COPY_AND_ASSIGN(ScopedTestSystemNSSKeySlot);
};
} // namespace crypto
#endif // CRYPTO_SCOPED_TEST_SYSTEM_NSS_KEY_SLOT_H_

1
net/BUILD.gn

@ -1085,6 +1085,7 @@ test("net_unittests") {
"//base/third_party/dynamic_annotations",
"//crypto",
"//crypto:platform",
"//crypto:test_support",
"//net/base/registry_controlled_domains",
"//testing/gmock",
"//testing/gtest",

7
net/base/keygen_handler_unittest.cc

@ -19,8 +19,7 @@
#if defined(USE_NSS)
#include <private/pprthred.h> // PR_DetachThread
#include "crypto/nss_crypto_module_delegate.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_db.h"
#endif
namespace net {
@ -59,8 +58,8 @@ class KeygenHandlerTest : public ::testing::Test {
#if defined(USE_NSS)
handler->set_crypto_module_delegate(
scoped_ptr<crypto::NSSCryptoModuleDelegate>(
new StubCryptoModuleDelegate(
crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()))));
new StubCryptoModuleDelegate(crypto::ScopedPK11Slot(
PK11_ReferenceSlot(test_nss_db_.slot())))));
#endif
return handler.Pass();
}

2
net/cert/nss_cert_database_chromeos_unittest.cc

@ -8,8 +8,8 @@
#include "base/callback.h"
#include "base/message_loop/message_loop_proxy.h"
#include "base/run_loop.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/test_data_directory.h"
#include "net/cert/cert_database.h"
#include "net/test/cert_test_util.h"

13
net/cert/nss_cert_database_unittest.cc

@ -19,9 +19,8 @@
#include "base/strings/string16.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/scoped_test_nss_db.h"
#include "net/base/crypto_module.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
@ -59,8 +58,10 @@ class CertDatabaseNSSTest : public testing::Test {
virtual void SetUp() {
ASSERT_TRUE(test_nssdb_.is_open());
cert_db_.reset(new NSSCertDatabase(
crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()),
crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot())));
crypto::ScopedPK11Slot(
PK11_ReferenceSlot(test_nssdb_.slot())) /* public slot */,
crypto::ScopedPK11Slot(
PK11_ReferenceSlot(test_nssdb_.slot())) /* private slot */));
public_module_ = cert_db_->GetPublicModule();
// Test db should be empty at start of test.
@ -99,9 +100,7 @@ class CertDatabaseNSSTest : public testing::Test {
CertificateList ListCerts() {
CertificateList result;
CERTCertList* cert_list =
PK11_ListCertsInSlot(cert_db_->GetPublicSlot().get());
CERTCertList* cert_list = PK11_ListCertsInSlot(test_nssdb_.slot());
for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
!CERT_LIST_END(node, cert_list);
node = CERT_LIST_NEXT(node)) {

2
net/cert/nss_profile_filter_chromeos_unittest.cc

@ -8,9 +8,9 @@
#include <pk11pub.h>
#include <secmod.h>
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/test_data_directory.h"
#include "net/test/cert_test_util.h"
#include "testing/gtest/include/gtest/gtest.h"

1
net/net.gyp

@ -537,6 +537,7 @@
'../base/base.gyp:base_prefs_test_support',
'../base/third_party/dynamic_annotations/dynamic_annotations.gyp:dynamic_annotations',
'../crypto/crypto.gyp:crypto',
'../crypto/crypto.gyp:crypto_test_support',
'../testing/gmock.gyp:gmock',
'../testing/gtest.gyp:gtest',
'../third_party/zlib/zlib.gyp:zlib',

1
net/ssl/client_cert_store_chromeos_unittest.cc

@ -13,6 +13,7 @@
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/rsa_private_key.h"
#include "crypto/scoped_test_nss_chromeos_user.h"
#include "net/base/test_data_directory.h"
#include "net/cert/cert_type.h"
#include "net/cert/x509_certificate.h"