NSS: PKCS 11 password prompt.

net/base/keygen_handler_nss.cc

Index: net/base/keygen_handler_nss.cc
diff --git a/net/base/keygen_handler_nss.cc b/net/base/keygen_handler_nss.cc
index 215244c7e56af2d2bbe3ca4a1ea5923e1e74cb49..a3505c40db45de5473d74a27af7c8cd1dfc54697 100644
--- a/net/base/keygen_handler_nss.cc
+++ b/net/base/keygen_handler_nss.cc
@@ -4,6 +4,11 @@
 
 #include "net/base/keygen_handler.h"
 
+#include "base/crypto/pk11_blocking_password_delegate.h"
+#include "base/crypto/scoped_nss_types.h"
+#include "base/logging.h"
+#include "base/nss_util.h"
+#include "base/nss_util_internal.h"
 #include "net/third_party/mozilla_security_manager/nsKeygenHandler.h"
 
 // PSM = Mozilla's Personal Security Manager.
@@ -12,8 +17,30 @@ namespace psm = mozilla_security_manager;
 namespace net {
 
 std::string KeygenHandler::GenKeyAndSignChallenge() {
+  // Ensure NSS is initialized.
+  base::EnsureNSSInit();
+
+  // TODO(mattm): allow choosing which slot to generate and store the key?
+  base::ScopedPK11Slot slot(base::GetDefaultNSSKeySlot());
+  if (!slot.get()) {
+    LOG(ERROR) << "Couldn't get internal key slot!";
+    return std::string();
+  }
+
+  // Authenticate to the token.
+  if (SECSuccess != PK11_Authenticate(slot.get(), PR_TRUE,
+                                      pk11_password_delegate_.get())) {
+    LOG(ERROR) << "Couldn't authenticate to internal key slot!";
+    return std::string();
+  }
+
   return psm::GenKeyAndSignChallenge(key_size_in_bits_, challenge_, url_,
-                                     stores_key_);
+                                     slot.get(), stores_key_);
+}
+
+void KeygenHandler::set_pk11_password_delegate(
+    base::PK11BlockingPasswordDelegate* delegate) {
+  pk11_password_delegate_.reset(delegate);
 }
 
 }  // namespace net