NSS: PKCS 11 password prompt.

net/base/keygen_handler.h

Index: net/base/keygen_handler.h
diff --git a/net/base/keygen_handler.h b/net/base/keygen_handler.h
index 5ca6027ba2c3164f3a0ba1b86f522c507876a58c..cd3da7653244be121e51b0a7bb034e73f90d510f 100644
--- a/net/base/keygen_handler.h
+++ b/net/base/keygen_handler.h
@@ -8,8 +8,14 @@
 
 #include <string>
 
+#include "base/scoped_ptr.h"
+#include "build/build_config.h"
 #include "googleurl/src/gurl.h"
 
+namespace base {
+class PK11BlockingPasswordDelegate;

[wtc, 2010/12/15 20:54:36]

Nit: put this forward declaration inside #if defined(USE_NSS).

[mattm, 2011/01/12 01:22:07]

Done.

+};
+
 namespace net {
 
 // This class handles keypair generation for generating client
@@ -22,9 +28,10 @@ class KeygenHandler {
   // Creates a handler that will generate a key with the given key size and
   // incorporate the |challenge| into the Netscape SPKAC structure. The request
   // for the key originated from |url|.
-  inline KeygenHandler(int key_size_in_bits,
-                       const std::string& challenge,
-                       const GURL& url);
+  KeygenHandler(int key_size_in_bits,
+                const std::string& challenge,
+                const GURL& url);
+  ~KeygenHandler();
 
   // Actually generates the key-pair and the cert request (SPKAC), and returns
   // a base64-encoded string suitable for use as the form value of <keygen>.
@@ -33,22 +40,24 @@ class KeygenHandler {
   // Exposed only for unit tests.
   void set_stores_key(bool store) { stores_key_ = store;}
 
+#if defined(USE_NSS)
+  // On NSS, the token may be unauthenticated. We pass the blocking delegate for

[wtc, 2010/12/15 20:54:36]

Question: does this mean there is also a non-blocking
password delegate type?

Nit: this comment should make it clearer that it's OK to
block because GenKeyAndSignChallenge runs on a worker thread.
The comment says "for simplicity", which may confuse people
into thinking we made a trade-off for simplicity.

[mattm, 2011/01/12 01:22:07]

no, just the alternate strategy of using the non-blocking UnlockSlotIfNecessary
instead of a password delegate.
done.

+  // simplicity; GenKeyAndSignChallenge will block on generating a key anyway,
+  // so this is used on a worker thread. Takes ownership of the delegate.
+  void set_pk11_password_delegate(base::PK11BlockingPasswordDelegate* delegate);
+#endif  // defined(USE_NSS)
+
  private:
   int key_size_in_bits_;  // key size in bits (usually 2048)
   std::string challenge_;  // challenge string sent by server
   GURL url_;  // the URL that requested the key
   bool stores_key_;  // should the generated key-pair be stored persistently?
+#if defined(USE_NSS)
+  // The callback for requesting a password to the PKCS#11 store.

[wtc, 2010/12/15 20:54:36]

Nit: store => token

[mattm, 2011/01/12 01:22:07]

Done.

+  scoped_ptr<base::PK11BlockingPasswordDelegate> pk11_password_delegate_;
+#endif  // defined(USE_NSS)
 };
 
-KeygenHandler::KeygenHandler(int key_size_in_bits,
-                             const std::string& challenge,
-                             const GURL& url)
-    : key_size_in_bits_(key_size_in_bits),
-      challenge_(challenge),
-      url_(url),
-      stores_key_(true) {
-}
-
 }  // namespace net
 
 #endif  // NET_BASE_KEYGEN_HANDLER_H_