NSS: PKCS 11 password prompt.

base/nss_util.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/nss_util.h"
 #include "base/nss_util_internal.h"
 
 #include <nss.h>
 #include <plarena.h>
 #include <prerror.h>
@@ skipping 11 matching lines @@
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/stringprintf.h"
 #include "base/threading/thread_restrictions.h"
 
 // USE_NSS means we use NSS for everything crypto-related.  If USE_NSS is not
 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't
 // use NSS for crypto or certificate verification, and we don't use the NSS
 // certificate and key databases.
 #if defined(USE_NSS)
+#include "base/crypto/pk11_blocking_password_delegate.h"
 #include "base/environment.h"
 #include "base/lock.h"
 #include "base/scoped_ptr.h"
 #endif  // defined(USE_NSS)
 
 namespace base {
 
 namespace {
 
 #if defined(USE_NSS)
@@ skipping 20 matching lines @@
 FilePath GetInitialConfigDirectory() {
 #if defined(OS_CHROMEOS)
   static const FilePath::CharType kReadOnlyCertDB[] =
       FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb");
   return FilePath(kReadOnlyCertDB);
 #else
   return GetDefaultConfigDirectory();
 #endif  // defined(OS_CHROMEOS)
 }
 
+// This callback for NSS forwards all requests to a caller-specified
+// PK11BlockingPasswordDelegate object.
+char* PK11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) {
+  base::PK11BlockingPasswordDelegate* delegate =
+      reinterpret_cast<base::PK11BlockingPasswordDelegate*>(arg);
+  if (delegate) {
+    bool cancelled = false;
+    std::string password = delegate->RequestPassword(PK11_GetTokenName(slot),
+                                                     retry != PR_FALSE,
+                                                     &cancelled);
+    if (cancelled)
+      return NULL;
+    char* result = PORT_Strdup(password.c_str());
+    password.replace(0, password.size(), password.size(), 0);
+    return result;
+  }
+  DLOG(ERROR) << "PK11 password requested with NULL arg";
+  return NULL;
+}
+
 // NSS creates a local cache of the sqlite database if it detects that the
 // filesystem the database is on is much slower than the local disk.  The
 // detection doesn't work with the latest versions of sqlite, such as 3.6.22
 // (NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=578561).  So we set
 // the NSS environment variable NSS_SDB_USE_CACHE to "yes" to override NSS's
 // detection when database_dir is on NFS.  See http://crbug.com/48585.
 //
 // TODO(wtc): port this function to other USE_NSS platforms.  It is defined
 // only for OS_LINUX simply because the statfs structure is OS-specific.
 void UseLocalCacheOfNSSDatabaseIfNFS(const FilePath& database_dir) {
@@ skipping 158 matching lines @@
       LOG(WARNING) << "Initialize NSS without a persistent database "
                       "(~/.pki/nssdb).";
       status = NSS_NoDB_Init(NULL);
       if (status != SECSuccess) {
         LOG(ERROR) << "Error initializing NSS without a persistent "
                       "database: NSS error code " << PR_GetError();
         return;
       }
     }
 
+    PK11_SetPasswordFunc(PK11PasswordFunc);
+
     // If we haven't initialized the password for the NSS databases,
     // initialize an empty-string password so that we don't need to
     // log in.
     PK11SlotInfo* slot = PK11_GetInternalKeySlot();
     if (slot) {
       // PK11_InitPin may write to the keyDB, but no other thread can use NSS
       // yet, so we don't need to lock.
       if (PK11_NeedUserInit(slot))
         PK11_InitPin(slot, NULL, NULL);
       PK11_FreeSlot(slot);
@@ skipping 127 matching lines @@
   exploded.millisecond  = prxtime.tm_usec / 1000;
 
   return Time::FromUTCExploded(exploded);
 }
 
 PK11SlotInfo* GetDefaultNSSKeySlot() {
   return g_nss_singleton.Get().GetDefaultKeySlot();
 }
 
 }  // namespace base