author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-13 01:48:43 +0000 |
---|---|---|
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-13 01:48:43 +0000 |
commit | 88b9db7d713a9e156fa66694844c4d98ee48d875 (patch) | |
tree | a06b93ff3319bc3512051372ecadd693ebeeaf80 /base | |
parent | 6fd024b93e4a708a767c1892e5091e3585a5c72f (diff) | |
NSS: PKCS 11 password prompt.
This was based off of davidben's WIP cl http://codereview.chromium.org/3186021/show.
BUG=42073
TEST=add password to NSS DB with "certutil -d sql:.pki/nssdb -W", try client auth, <keygen>, cert manager
Review URL: http://codereview.chromium.org/5686002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@71281 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base')
-rw-r--r-- | base/base.gypi | 1 | ||||
-rw-r--r-- | base/crypto/pk11_blocking_password_delegate.h | 34 | ||||
-rw-r--r-- | base/nss_util.cc | 23 |
3 files changed, 58 insertions, 0 deletions
diff --git a/base/base.gypi b/base/base.gypi
index f241967a..27ec764 100644
--- a/base/base.gypi
+++ b/base/base.gypi
@@ -565,6 +565,7 @@
 'crypto/encryptor_nss.cc',
 'crypto/encryptor_openssl.cc',
 'crypto/encryptor_win.cc',
+ 'crypto/pk11_blocking_password_delegate.h',
 'crypto/rsa_private_key.h',
 'crypto/rsa_private_key.cc',
 'crypto/rsa_private_key_mac.cc',
diff --git a/base/crypto/pk11_blocking_password_delegate.h b/base/crypto/pk11_blocking_password_delegate.h
new file mode 100644
index 0000000..c9eb35c
--- /dev/null
+++ b/base/crypto/pk11_blocking_password_delegate.h
@@ -0,0 +1,34 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_CRYPTO_PK11_BLOCKING_PASSWORD_DELEGATE_H_
+#define BASE_CRYPTO_PK11_BLOCKING_PASSWORD_DELEGATE_H_
+#pragma once
+
+#include <string>
+
+namespace base {
+
+// PK11_SetPasswordFunc is a global setting. An implementation of
+// PK11BlockingPasswordDelegate should be passed as the user data argument
+// (|wincx|) to relevant NSS functions, which the global password handler will
+// call to do the actual work.
+class PK11BlockingPasswordDelegate {
+ public:
+ virtual ~PK11BlockingPasswordDelegate() {}
+
+ // Requests a password to unlock |slot_name|. The interface is
+ // synchronous because NSS cannot issue an asynchronous
+ // request. |retry| is true if this is a request for the retry
+ // and we previously returned the wrong password.
+ // The implementation should set |*cancelled| to true if the user cancelled
+ // instead of entering a password, otherwise it should return the password the
+ // user entered.
+ virtual std::string RequestPassword(const std::string& slot_name, bool retry,
+ bool* cancelled) = 0;
+};
+
+}
+
+#endif // BASE_CRYPTO_PK11_BLOCKING_PASSWORD_DELEGATE_H_
diff --git a/base/nss_util.cc b/base/nss_util.cc
index b411422..8fdede3 100644
--- a/base/nss_util.cc
+++ b/base/nss_util.cc
@@ -29,6 +29,7 @@
 // use NSS for crypto or certificate verification, and we don't use the NSS
 // certificate and key databases.
 #if defined(USE_NSS)
+#include "base/crypto/pk11_blocking_password_delegate.h"
 #include "base/environment.h"
 #include "base/lock.h"
 #include "base/scoped_ptr.h"
@@ -69,6 +70,26 @@ FilePath GetInitialConfigDirectory() {
 #endif // defined(OS_CHROMEOS)
 }
 
+// This callback for NSS forwards all requests to a caller-specified
+// PK11BlockingPasswordDelegate object.
+char* PK11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) {
+ base::PK11BlockingPasswordDelegate* delegate =
+ reinterpret_cast<base::PK11BlockingPasswordDelegate*>(arg);
+ if (delegate) {
+ bool cancelled = false;
+ std::string password = delegate->RequestPassword(PK11_GetTokenName(slot),
+ retry != PR_FALSE,
+ &cancelled);
+ if (cancelled)
+ return NULL;
+ char* result = PORT_Strdup(password.c_str());
+ password.replace(0, password.size(), password.size(), 0);
+ return result;
+ }
+ DLOG(ERROR) << "PK11 password requested with NULL arg";
+ return NULL;
+}
+
 // NSS creates a local cache of the sqlite database if it detects that the
 // filesystem the database is on is much slower than the local disk. The
 // detection doesn't work with the latest versions of sqlite, such as 3.6.22
@@ -247,6 +268,8 @@ class NSSInitSingleton {
 }
 }
 
+ PK11_SetPasswordFunc(PK11PasswordFunc);
+
 // If we haven't initialized the password for the NSS databases,
 // initialize an empty-string password so that we don't need to
 // log in.
|
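Review bot: The wipe in PK11PasswordFunc, `password.replace(0, password.size(), password.size(), 0);`, clears only this one local string and only on the success path: when `cancelled` is set the function returns before reaching it, and any buffers the delegate used to build its return value are out of its reach. Because `password` is destroyed right afterwards, an optimizer may be entitled to treat the overwrite as a dead store, so it would be safer to route it through a small helper that writes through a `volatile char*` and to call that helper before the `if (cancelled)` check. The interface comment in pk11_blocking_password_delegate.h could also say that implementations are expected to clear their own copies of the password. Separately, `arg` is a `void*`, so `static_cast<base::PK11BlockingPasswordDelegate*>(arg)` states the conversion without needing `reinterpret_cast`.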
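Review bot: Registering `PK11_SetPasswordFunc(PK11PasswordFunc);` makes the handler process-wide, and PK11PasswordFunc casts every non-NULL `arg` to `base::PK11BlockingPasswordDelegate*` with no way to check what it actually points to. Any NSS call site that passes some other object as |wincx| would have that object invoked as a delegate the moment a token asks for a password; whether such callers exist cannot be seen from this hunk, so they should be audited together with this change. I would state the contract at the registration, e.g. `// Global to the process: every non-NULL |wincx| handed to NSS must be a PK11BlockingPasswordDelegate*.` The enclosing NSSInitSingleton method starts and ends outside the hunk.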