NSS: PKCS 11 password prompt.

chrome/browser/ui/pk11_password_dialog_nss.cc

Index: chrome/browser/ui/pk11_password_dialog_nss.cc
diff --git a/chrome/browser/ui/pk11_password_dialog_nss.cc b/chrome/browser/ui/pk11_password_dialog_nss.cc
new file mode 100644
index 0000000000000000000000000000000000000000..8fff2b12e5dbc2fcdd6888bff4949e3e54c2c40d
--- /dev/null
+++ b/chrome/browser/ui/pk11_password_dialog_nss.cc
@@ -0,0 +1,117 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ui/pk11_password_dialog.h"
+
+#include <pk11pub.h>
+
+#include "base/logging.h"
+#include "chrome/browser/browser_thread.h"
+#include "net/base/pk11_slot.h"
+#include "net/base/x509_certificate.h"
+
+namespace {
+
+// Basically an asynchronous implementation of NSS's PK11_DoPassword.

[wtc, 2010/12/15 20:54:36]

Please note that we're missing a side effect of PK11_DoPassword: the
nssTrustDomain_UpdateCachedTokenCerts
call for an "unfriendly" slot:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pk11wrap...

This may or may not matter.

[mattm, 2011/01/12 01:22:07]

Added a note.

+class SlotUnlocker {
+ public:
+  SlotUnlocker(net::PK11Slot* slot,
+               browser::PK11PasswordReason reason,
+               const std::string& host,
+               Callback0::Type* callback);
+
+  void Start();
+
+ private:
+  void GotPassword(const char* password);
+  void Done();
+
+  scoped_refptr<net::PK11Slot> slot_;
+  browser::PK11PasswordReason reason_;
+  std::string host_;
+  Callback0::Type* callback_;
+  PRBool retry_;
+};
+
+SlotUnlocker::SlotUnlocker(net::PK11Slot* slot,
+                           browser::PK11PasswordReason reason,
+                           const std::string& host,
+                           Callback0::Type* callback)
+    : slot_(slot),
+      reason_(reason),
+      host_(host),
+      callback_(callback),
+      retry_(PR_FALSE) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+}
+
+void SlotUnlocker::Start() {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+
+  ShowPK11PasswordDialog(
+      slot_->GetTokenName(),
+      retry_,
+      reason_,
+      host_,
+      NewCallback(this, &SlotUnlocker::GotPassword));
+}
+
+void SlotUnlocker::GotPassword(const char* password) {
+  // TODO(mattm): PK11_DoPassword has something about PK11_Global.verifyPass.
+  // Do we need it?
+  // http://mxr.mozilla.org/mozilla/source/security/nss/lib/pk11wrap/pk11auth.c#577

[Evan Stade, 2010/12/10 04:17:04]

80 (i think people will still understand the url with a line break)

[mattm, 2011/01/12 01:22:07]

The style guide has an exception for long urls

+
+  if (!password) {
+    // User cancelled entering password.  Oh well.
+    Done();
+    return;
+  }
+
+  // TODO(mattm): handle protectedAuthPath
+  SECStatus rv = PK11_CheckUserPassword(slot_->os_slot_handle(),
+                                        password);
+  if (rv == SECWouldBlock) {
+    // Incorrect password.  Try again.
+    retry_ = PR_TRUE;
+    Start();
+    return;
+  }
+
+  // Correct password (SECSuccess) or too many attempts/other failure
+  // (SECFailure).  Either way we're done.
+  Done();
+}
+
+void SlotUnlocker::Done() {
+  callback_->Run();
+  delete this;
+}
+
+}  // namespace
+
+namespace browser {
+
+void UnlockSlotIfNecessary(net::PK11Slot* slot,
+                               browser::PK11PasswordReason reason,
+                               const std::string& host,
+                               Callback0::Type* callback) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+  if (PK11_NeedLogin(slot->os_slot_handle()) &&
+      !PK11_IsLoggedIn(slot->os_slot_handle(), NULL)) {

[wtc, 2010/12/15 20:54:36]

Please add a comment to note that we can pass NULL as the
second (wincx) argument to PK11_IsLoggedIn because we don't
call PK11_SetIsLoggedInFunc.  That argument is only used
by PK11_Global.isLoggedIn.

[mattm, 2011/01/12 01:22:07]

Done.

+    (new SlotUnlocker(slot, reason, host, callback))->Start();
+  } else {
+    callback->Run();
+  }
+}
+
+void UnlockCertSlotIfNecessary(net::X509Certificate* cert,
+                               browser::PK11PasswordReason reason,
+                               const std::string& host,
+                               Callback0::Type* callback) {
+  scoped_refptr<net::PK11Slot> slot(net::PK11Slot::CreateFromHandle(
+      cert->os_cert_handle()->slot));
+  UnlockSlotIfNecessary(slot.get(), reason, host, callback);
+}
+
+}  // namespace browser