NSS: PKCS 11 password prompt.

chrome/browser/dom_ui/options/certificate_manager_handler.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/dom_ui/options/certificate_manager_handler.h"
 
 #include "app/l10n_util.h"
 #include "app/l10n_util_collator.h"
 #include "base/file_util.h"  // for FileAccessProvider
 #include "base/safe_strerror_posix.h"
 #include "base/string_number_conversions.h"
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_thread.h"  // for FileAccessProvider
 #include "chrome/browser/certificate_manager_model.h"
 #include "chrome/browser/certificate_viewer.h"
 #include "chrome/browser/gtk/certificate_dialogs.h"
 #include "chrome/browser/tab_contents/tab_contents.h"
 #include "chrome/browser/tab_contents/tab_contents_view.h"
+#include "chrome/browser/ui/pk11_password_dialog.h"
 #include "grit/generated_resources.h"
+#include "net/base/pk11_slot.h"
 #include "net/base/x509_certificate.h"
 
 namespace {
 
 static const char kKeyId[] = "id";
 static const char kSubNodesId[] = "subnodes";
 static const char kNameId[] = "name";
 static const char kReadOnlyId[] = "readonly";
 static const char kIconId[] = "icon";
 static const char kSecurityDeviceId[] = "device";
@@ skipping 489 matching lines @@
       L"CertificateManager.exportPersonalAskPassword");
 }
 
 void CertificateManagerHandler::ExportPersonalPasswordSelected(
     const ListValue* args) {
   if (!args->GetString(0, &password_)){
     dom_ui_->CallJavascriptFunction(L"CertificateRestoreOverlay.dismiss");
     ImportExportCleanup();
     return;
   }
+
+  // Currently, we don't support exporting more than one at a time.  If we do,
+  // this would need some cleanup to handle unlocking multiple slots.
+  DCHECK_EQ(selected_cert_list_.size(), 1U);
+
+  // TODO(mattm): do something smarter about non-extractable keys
+  browser::UnlockCertSlotIfNecessary(
+      selected_cert_list_[0].get(),
+      browser::kPK11PasswordCertExport,
+      "",  // unused.
+      NewCallback(this,
+                  &CertificateManagerHandler::ExportPersonalSlotsUnlocked));
+}
+
+void CertificateManagerHandler::ExportPersonalSlotsUnlocked() {
   std::string output;
   int num_exported = certificate_manager_model_->cert_db().ExportToPKCS12(
       selected_cert_list_,
       password_,
       &output);
   if (!num_exported) {
     dom_ui_->CallJavascriptFunction(L"CertificateRestoreOverlay.dismiss");
     ShowError(
         l10n_util::GetStringUTF8(IDS_CERT_MANAGER_PKCS12_EXPORT_ERROR_TITLE),
         l10n_util::GetStringUTF8(IDS_CERT_MANAGER_UNKNOWN_ERROR));
@@ skipping 48 matching lines @@
     ImportExportCleanup();
     return;
   }
   file_access_provider_->StartRead(
       file_path_,
       &consumer_,
       NewCallback(this, &CertificateManagerHandler::ImportPersonalFileRead));
 }
 
 void CertificateManagerHandler::ImportPersonalFileRead(
     int read_errno, std::string data) {

[wtc, 2010/12/15 20:54:36]

Should the second argument be
  const std::string& data
?

[mattm, 2011/01/12 01:22:07]

Unfortunately it can't, since it has to match the type returned by the
CancelableRequest, and that can't be a reference since it is returning a
temporary.  This should probably be refactored to have the caller pass in the
buffer to write to, but like you mention below, it's a pretty rare operation on
relatively small files.

   if (read_errno) {
     ImportExportCleanup();
     dom_ui_->CallJavascriptFunction(L"CertificateRestoreOverlay.dismiss");
     ShowError(
         l10n_util::GetStringUTF8(IDS_CERT_MANAGER_PKCS12_IMPORT_ERROR_TITLE),
         l10n_util::GetStringFUTF8(IDS_CERT_MANAGER_READ_ERROR_FORMAT,
                                   UTF8ToUTF16(safe_strerror(read_errno))));
     return;
   }
-  int result = certificate_manager_model_->ImportFromPKCS12(data, password_);
+
+  data_ = data;

[wtc, 2010/12/15 20:54:36]

It's too bad we have to copy the data.  If it's too much
work to avoid this copying, don't worry about it since this
is an uncommon operation.

+
+  // TODO(mattm): allow user to choose a slot to import to.
+  net::PK11SlotList slots;
+  certificate_manager_model_->cert_db().ListTokensForPKCS12(&slots);
+  slot_ = slots[0];

[wtc, 2010/12/15 20:54:36]

IMPORTANT: Is the first slot (slots[0]) the right slot to use
for not only Chrome but also the unit tests?

[mattm, 2011/01/12 01:22:07]

It should be fine for chrome, even chromeos, since it requests only RW slots, so
it won't be confused by the ro slot that chromeos has.

For unittests it could be a problem, bu unfortunately I don't currently have
unittests for the domui parts.

+
+  browser::UnlockSlotIfNecessary(
+      slot_.get(),
+      browser::kPK11PasswordCertImport,
+      "",  // unused.
+      NewCallback(this,
+                  &CertificateManagerHandler::ImportPersonalSlotUnlocked));
+}
+
+void CertificateManagerHandler::ImportPersonalSlotUnlocked() {
+  int result = certificate_manager_model_->ImportFromPKCS12(
+      slot_, data_, password_);
   ImportExportCleanup();
   dom_ui_->CallJavascriptFunction(L"CertificateRestoreOverlay.dismiss");
   switch (result) {
     case net::OK:
       break;
     case net::ERR_PKCS12_IMPORT_BAD_PASSWORD:
       ShowError(
           l10n_util::GetStringUTF8(IDS_CERT_MANAGER_PKCS12_IMPORT_ERROR_TITLE),
           l10n_util::GetStringUTF8(IDS_CERT_MANAGER_BAD_PASSWORD));
       // TODO(mattm): if the error was a bad password, we should reshow the
       // password dialog after the user dismisses the error dialog.
       break;
     default:
       ShowError(
           l10n_util::GetStringUTF8(IDS_CERT_MANAGER_PKCS12_IMPORT_ERROR_TITLE),
           l10n_util::GetStringUTF8(IDS_CERT_MANAGER_UNKNOWN_ERROR));
       break;
   }
 }
 
 void CertificateManagerHandler::CancelImportExportProcess(
     const ListValue* args) {
   ImportExportCleanup();
 }
 
 void CertificateManagerHandler::ImportExportCleanup() {
   file_path_.clear();
   password_.clear();
+  data_.clear();
   selected_cert_list_.clear();
   select_file_dialog_ = NULL;
+  slot_ = NULL;
 }
 
 void CertificateManagerHandler::ImportServer(const ListValue* args) {
   select_file_dialog_ = SelectFileDialog::Create(this);
   ShowCertSelectFileDialog(
       select_file_dialog_.get(),
       SelectFileDialog::SELECT_OPEN_FILE,
       FilePath(),
       GetParentWindow(),
       reinterpret_cast<void*>(IMPORT_SERVER_FILE_SELECTED));
@@ skipping 244 matching lines @@
   StringValue error_value(error);
   dom_ui_->CallJavascriptFunction(L"CertificateImportErrorOverlay.show",
                                   title_value,
                                   error_value,
                                   cert_error_list);
 }
 
 gfx::NativeWindow CertificateManagerHandler::GetParentWindow() const {
   return dom_ui_->tab_contents()->view()->GetTopLevelNativeWindow();
 }