NSS: PKCS 11 password prompt.

net/base/keygen_handler.h

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_KEYGEN_HANDLER_H_
 #define NET_BASE_KEYGEN_HANDLER_H_
 #pragma once
 
 #include <string>
 
+#include "base/scoped_ptr.h"
+#include "build/build_config.h"
 #include "googleurl/src/gurl.h"
 
+namespace base {
+class PK11BlockingPasswordDelegate;

[wtc, 2010/12/15 20:54:36]

Nit: put this forward declaration inside #if defined(USE_NSS).

[mattm, 2011/01/12 01:22:07]

Done.

+};
+
 namespace net {
 
 // This class handles keypair generation for generating client
 // certificates via the <keygen> tag.
 // <http://dev.w3.org/html5/spec/Overview.html#the-keygen-element>
 // <https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag>
 
 class KeygenHandler {
  public:
   // Creates a handler that will generate a key with the given key size and
   // incorporate the |challenge| into the Netscape SPKAC structure. The request
   // for the key originated from |url|.
-  inline KeygenHandler(int key_size_in_bits,
-                       const std::string& challenge,
-                       const GURL& url);
+  KeygenHandler(int key_size_in_bits,
+                const std::string& challenge,
+                const GURL& url);
+  ~KeygenHandler();
 
   // Actually generates the key-pair and the cert request (SPKAC), and returns
   // a base64-encoded string suitable for use as the form value of <keygen>.
   std::string GenKeyAndSignChallenge();
 
   // Exposed only for unit tests.
   void set_stores_key(bool store) { stores_key_ = store;}
 
+#if defined(USE_NSS)
+  // On NSS, the token may be unauthenticated. We pass the blocking delegate for

[wtc, 2010/12/15 20:54:36]

Question: does this mean there is also a non-blocking
password delegate type?

Nit: this comment should make it clearer that it's OK to
block because GenKeyAndSignChallenge runs on a worker thread.
The comment says "for simplicity", which may confuse people
into thinking we made a trade-off for simplicity.

[mattm, 2011/01/12 01:22:07]

no, just the alternate strategy of using the non-blocking UnlockSlotIfNecessary
instead of a password delegate.
done.

+  // simplicity; GenKeyAndSignChallenge will block on generating a key anyway,
+  // so this is used on a worker thread. Takes ownership of the delegate.
+  void set_pk11_password_delegate(base::PK11BlockingPasswordDelegate* delegate);
+#endif  // defined(USE_NSS)
+
  private:
   int key_size_in_bits_;  // key size in bits (usually 2048)
   std::string challenge_;  // challenge string sent by server
   GURL url_;  // the URL that requested the key
   bool stores_key_;  // should the generated key-pair be stored persistently?
+#if defined(USE_NSS)
+  // The callback for requesting a password to the PKCS#11 store.

[wtc, 2010/12/15 20:54:36]

Nit: store => token

[mattm, 2011/01/12 01:22:07]

Done.

+  scoped_ptr<base::PK11BlockingPasswordDelegate> pk11_password_delegate_;
+#endif  // defined(USE_NSS)
 };
 
-KeygenHandler::KeygenHandler(int key_size_in_bits,
-                             const std::string& challenge,
-                             const GURL& url)
-    : key_size_in_bits_(key_size_in_bits),
-      challenge_(challenge),
-      url_(url),
-      stores_key_(true) {
-}
-
 }  // namespace net
 
 #endif  // NET_BASE_KEYGEN_HANDLER_H_