Change the Chrome OS PKCS #11 module from libopencryptoki.so to libchaps.so.
This CL is part of a larger effort to replace opencryptoki as the PKCS #11 layer in Chrome OS. In this first phase, libchaps.so forwards requests to a daemon (chapsd) which loads opencryptoki to service the requests. You can find the Chaps design doc here: https://docs.google.com/a/google.com/document/d/1TQFc6GABKa1JgwUx2hIcxAHQ329fkd03yYlGxhfHQlQ/edit
Change-Id: I42962c4703413039641b6ede40caaf0c97ab900e
BUG=chromium-os:21005
TEST=* Ensure previously existing certs still exist.
* Import new cert and private key from PKCS12 file.
Review URL: http://codereview.chromium.org/8527006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@110435 0039d316-1c4b-4281-b951-d872f2087c98
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 6bebd0d6..53602c3 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -55,9 +55,9 @@
#if defined(OS_CHROMEOS)
const char kNSSDatabaseName[] = "Real NSS database";
-// Constants for loading opencryptoki.
-const char kOpencryptokiModuleName[] = "opencryptoki";
-const char kOpencryptokiPath[] = "/usr/lib/opencryptoki/libopencryptoki.so";
+// Constants for loading the Chrome OS TPM-backed PKCS #11 library.
+const char kChapsModuleName[] = "Chaps";
+const char kChapsPath[] = "libchaps.so";
// Fake certificate authority database used for testing.
static const FilePath::CharType kReadOnlyCertDB[] =
@@ -245,7 +245,7 @@
tpm_token_info_delegate_.reset(info_delegate);
}
- // This is called whenever we want to make sure opencryptoki is
+ // This is called whenever we want to make sure Chaps is
// properly loaded, because it can fail shortly after the initial
// login while the PINs are being initialized, and we want to retry
// if this happens.
@@ -255,16 +255,16 @@
return false;
// If everything is already initialized, then return true.
- if (opencryptoki_module_ && tpm_slot_)
+ if (chaps_module_ && tpm_slot_)
return true;
if (tpm_token_info_delegate_->IsTokenReady()) {
- // This tries to load the opencryptoki module so NSS can talk to
- // the hardware TPM.
- if (!opencryptoki_module_) {
- opencryptoki_module_ = LoadModule(
- kOpencryptokiModuleName,
- kOpencryptokiPath,
+ // This tries to load the Chaps module so NSS can talk to the hardware
+ // TPM.
+ if (!chaps_module_) {
+ chaps_module_ = LoadModule(
+ kChapsModuleName,
+ kChapsPath,
// trustOrder=100 -- means it'll select this as the most
// trusted slot for the mechanisms it provides.
// slotParams=... -- selects RSA as the only mechanism, and only
@@ -272,7 +272,7 @@
// time, or after a timeout).
"trustOrder=100 slotParams=(1={slotFlags=[RSA] askpw=only})");
}
- if (opencryptoki_module_) {
+ if (chaps_module_) {
// If this gets set, then we'll use the TPM for certs with
// private keys, otherwise we'll fall back to the software
// implementation.
@@ -373,7 +373,7 @@
#if defined(OS_CHROMEOS)
// Make sure that if EnableTPMTokenForNSS has been called that we
- // have successfully loaded opencryptoki.
+ // have successfully loaded Chaps.
if (tpm_token_info_delegate_.get() != NULL) {
if (EnsureTPMTokenReady()) {
return PK11_ReferenceSlot(tpm_slot_);
@@ -407,7 +407,7 @@
friend struct base::DefaultLazyInstanceTraits<NSSInitSingleton>;
NSSInitSingleton()
- : opencryptoki_module_(NULL),
+ : chaps_module_(NULL),
software_slot_(NULL),
test_slot_(NULL),
tpm_slot_(NULL),
@@ -522,10 +522,10 @@
SECMOD_DestroyModule(root_);
root_ = NULL;
}
- if (opencryptoki_module_) {
- SECMOD_UnloadUserModule(opencryptoki_module_);
- SECMOD_DestroyModule(opencryptoki_module_);
- opencryptoki_module_ = NULL;
+ if (chaps_module_) {
+ SECMOD_UnloadUserModule(chaps_module_);
+ SECMOD_DestroyModule(chaps_module_);
+ chaps_module_ = NULL;
}
SECStatus status = NSS_Shutdown();
@@ -596,7 +596,7 @@
scoped_ptr<TPMTokenInfoDelegate> tpm_token_info_delegate_;
#endif
- SECMODModule* opencryptoki_module_;
+ SECMODModule* chaps_module_;
PK11SlotInfo* software_slot_;
PK11SlotInfo* test_slot_;
PK11SlotInfo* tpm_slot_;
