bug 119500, PKCS#11 CKF_PROTECTED_AUTHENTICATION_PATH token flag not supported Patch contributed by Petr Kostka r=rrelyea, sr=kengert, a=dsicore Addon Patch to provide dummy implementations for gtk-embedding and camino. r=mark, sr=jst
--- a/embedding/browser/gtk/src/EmbedCertificates.cpp
+++ b/embedding/browser/gtk/src/EmbedCertificates.cpp
@@ -227,16 +227,24 @@ EmbedCertificates::ChooseToken(
PRUint32 aCount,
PRUnichar **aTokenChosen,
PRBool *aCanceled)
{
*aCanceled = PR_FALSE;
return NS_OK;
}
+NS_IMETHODIMP
+EmbedCertificates::DisplayProtectedAuth(
+ nsIInterfaceRequestor *aCtx,
+ nsIProtectedAuthThread *runnable)
+{
+ return NS_OK;
+}
+
/* boolean ConfirmKeyEscrow (in nsIX509Cert escrowAuthority); */
NS_IMETHODIMP
EmbedCertificates::ConfirmKeyEscrow(nsIX509Cert *escrowAuthority, PRBool *_retval)
{
*_retval = PR_TRUE;
return NS_OK;
}
--- a/security/manager/locales/en-US/chrome/pippki/pippki.dtd
+++ b/security/manager/locales/en-US/chrome/pippki/pippki.dtd
@@ -118,8 +118,13 @@
<!ENTITY createCertInfo.title "Generating A Private Key">
<!ENTITY createCertInfo.msg1 "Key Generation in progress… This may take a few minutes….">
<!ENTITY createCertInfo.msg2 "Please wait…">
<!-- Form Signing confirmation prompt -->
<!ENTITY formSigning.title "Text Signing Request">
<!ENTITY formSigning.cert "Signing Certificate">
<!ENTITY formSigning.confirmPassword "To confirm you agree to sign this text message using your selected certificate, please confirm by entering the master password:">
+
+<!-- Strings for protectedAuth dialog -->
+<!ENTITY protectedAuth.title "Protected Token Authentication">
+<!ENTITY protectedAuth.msg "Please authenticate to the token. Authentication method depends on the type of your token.">
+<!ENTITY protectedAuth.tokenName.label "Token:">
--- a/security/manager/pki/resources/jar.mn
+++ b/security/manager/pki/resources/jar.mn
@@ -61,10 +61,12 @@ pippki.jar:
content/pippki/serverCrlNextupdate.js (content/serverCrlNextupdate.js)
content/pippki/serverCrlNextupdate.xul (content/serverCrlNextupdate.xul)
content/pippki/createCertInfo.xul (content/createCertInfo.xul)
content/pippki/createCertInfo.js (content/createCertInfo.js)
content/pippki/crlImportDialog.xul (content/crlImportDialog.xul)
content/pippki/crlImportDialog.js (content/crlImportDialog.js)
content/pippki/pref-crlupdate.xul (content/pref-crlupdate.xul)
content/pippki/pref-crlupdate.js (content/pref-crlupdate.js)
+ content/pippki/protectedAuth.xul (content/protectedAuth.xul)
+ content/pippki/protectedAuth.js (content/protectedAuth.js)
content/pippki/formsigning.xul (content/formsigning.xul)
content/pippki/formsigning.js (content/formsigning.js)
--- a/security/manager/pki/src/nsNSSDialogs.cpp
+++ b/security/manager/pki/src/nsNSSDialogs.cpp
@@ -18,16 +18,17 @@
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 2001
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Terry Hayes <thayes@netscape.com>
* Javier Delgadillo <javi@netscape.com>
+ * Petr Kostka <petr.kostka@st.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
@@ -57,17 +58,19 @@
#include "nsIX509CertDB.h"
#include "nsILocaleService.h"
#include "nsIDateTimeFormat.h"
#include "nsDateTimeFormatCID.h"
#include "nsNSSDialogs.h"
#include "nsPKIParamBlock.h"
#include "nsIKeygenThread.h"
+#include "nsIProtectedAuthThread.h"
#include "nsNSSDialogHelper.h"
+#include "nsIWindowWatcher.h"
#include "nsIX509CertValidity.h"
#include "nsICRLInfo.h"
#define PIPSTRING_BUNDLE_URL "chrome://pippki/locale/pippki.properties"
/* ==== */
nsNSSDialogs::nsNSSDialogs()
@@ -553,8 +556,49 @@ nsNSSDialogs::ConfirmKeyEscrow(nsIX509Ce
nsCOMPtr<nsIDialogParamBlock> dlgParamBlock = do_QueryInterface(block);
rv = dlgParamBlock->GetInt(1, &status);
if (status) {
*_retval = PR_TRUE;
}
return rv;
}
+
+NS_IMETHODIMP
+nsNSSDialogs::DisplayProtectedAuth(nsIInterfaceRequestor *aCtx, nsIProtectedAuthThread *runnable)
+{
+ // We cannot use nsNSSDialogHelper here. We cannot allow close widget
+ // in the window because protected authentication is interruptible
+ // from user interface and changing nsNSSDialogHelper's static variable
+ // would not be thread-safe
+
+ nsresult rv = NS_ERROR_FAILURE;
+
+ // Get the parent window for the dialog
+ nsCOMPtr<nsIDOMWindowInternal> parent = do_GetInterface(aCtx);
+
+ nsCOMPtr<nsIWindowWatcher> windowWatcher =
+ do_GetService("@mozilla.org/embedcomp/window-watcher;1", &rv);
+ if (NS_FAILED(rv))
+ return rv;
+
+ nsCOMPtr<nsIDOMWindowInternal> activeParent;
+ if (!parent)
+ {
+ nsCOMPtr<nsIDOMWindow> active;
+ windowWatcher->GetActiveWindow(getter_AddRefs(active));
+ if (active)
+ {
+ active->QueryInterface(NS_GET_IID(nsIDOMWindowInternal), getter_AddRefs(activeParent));
+ parent = activeParent;
+ }
+ }
+
+ nsCOMPtr<nsIDOMWindow> newWindow;
+ rv = windowWatcher->OpenWindow(parent,
+ "chrome://pippki/content/protectedAuth.xul",
+ "_blank",
+ "centerscreen,chrome,modal,titlebar,close=no",
+ runnable,
+ getter_AddRefs(newWindow));
+
+ return rv;
+}
--- a/security/manager/ssl/public/Makefile.in
+++ b/security/manager/ssl/public/Makefile.in
@@ -91,16 +91,17 @@ XPIDLSRCS = \
nsIPK11Token.idl \
nsIPKCS11ModuleDB.idl \
nsIPKCS11Module.idl \
nsICRLManager.idl \
nsISMimeCert.idl \
nsICipherInfo.idl \
nsIStreamCipher.idl \
nsIKeyModule.idl \
+ nsIProtectedAuthThread.idl \
nsIDataSignatureVerifier.idl \
$(NULL)
ifdef MOZ_XUL
XPIDLSRCS += nsICertTree.idl
endif
include $(topsrcdir)/config/rules.mk
--- a/security/manager/ssl/public/nsITokenDialogs.idl
+++ b/security/manager/ssl/public/nsITokenDialogs.idl
@@ -15,16 +15,17 @@
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 2001
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Terry Hayes <thayes@netscape.com>
+ * Petr Kostka <petr.kostka@st.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
@@ -33,22 +34,31 @@
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include "nsISupports.idl"
interface nsIInterfaceRequestor;
+interface nsIProtectedAuthThread;
[scriptable, uuid(bb4bae9c-39c5-11d5-ba26-00108303b117)]
interface nsITokenDialogs : nsISupports
{
void ChooseToken(in nsIInterfaceRequestor ctx,
[array, size_is(count)] in wstring tokenNameList,
in unsigned long count,
out wstring tokenName,
out boolean canceled);
+
+ /**
+ * displayProtectedAuth - displays notification dialog to the user
+ * that he is expected to authenticate to the token using its
+ * "protected authentication path" feature
+ */
+ void displayProtectedAuth(in nsIInterfaceRequestor ctx,
+ in nsIProtectedAuthThread runnable);
};
%{C++
#define NS_TOKENDIALOGS_CONTRACTID "@mozilla.org/nsTokenDialogs;1"
%}
--- a/security/manager/ssl/src/Makefile.in
+++ b/security/manager/ssl/src/Makefile.in
@@ -59,16 +59,17 @@ PACKAGE_FILE = pipnss.pkg
CPPSRCS = \
nsNSSCleaner.cpp \
nsCertOverrideService.cpp \
nsRecentBadCerts.cpp \
nsPSMBackgroundThread.cpp \
nsSSLThread.cpp \
nsCertVerificationThread.cpp \
nsCipherInfo.cpp \
+ nsProtectedAuthThread.cpp \
nsNSSCallbacks.cpp \
nsNSSComponent.cpp \
nsNSSErrors.cpp \
nsNSSIOLayer.cpp \
nsSSLStatus.cpp \
nsNSSModule.cpp \
nsSSLSocketProvider.cpp \
nsTLSSocketProvider.cpp \
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -19,16 +19,17 @@
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1998
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Brian Ryner <bryner@brianryner.com>
* Terry Hayes <thayes@netscape.com>
* Kai Engert <kengert@redhat.com>
+ * Petr Kostka <petr.kostka@st.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
@@ -50,16 +51,18 @@
#include "nsCOMPtr.h"
#include "nsAutoPtr.h"
#include "nsIServiceManager.h"
#include "nsReadableUtils.h"
#include "nsIPrompt.h"
#include "nsProxiedService.h"
#include "nsIInterfaceRequestor.h"
#include "nsIInterfaceRequestorUtils.h"
+#include "nsProtectedAuthThread.h"
+#include "nsITokenDialogs.h"
#include "nsCRT.h"
#include "nsNSSShutDown.h"
#include "nsIUploadChannel.h"
#include "nsSSLThread.h"
#include "nsThreadUtils.h"
#include "nsAutoLock.h"
#include "nsIThread.h"
#include "nsIWindowWatcher.h"
@@ -625,16 +628,72 @@ void nsHTTPListener::send_done_signal()
{
nsAutoLock locker(mLock);
mWaitFlag = PR_FALSE;
PR_NotifyAllCondVar(mCondition);
}
}
+static char*
+ShowProtectedAuthPrompt(PK11SlotInfo* slot, nsIInterfaceRequestor *ir)
+{
+ char* protAuthRetVal = nsnull;
+
+ // Get protected auth dialogs
+ nsITokenDialogs* dialogs = 0;
+ nsresult nsrv = getNSSDialogs((void**)&dialogs,
+ NS_GET_IID(nsITokenDialogs),
+ NS_TOKENDIALOGS_CONTRACTID);
+ if (NS_SUCCEEDED(nsrv))
+ {
+ nsProtectedAuthThread* protectedAuthRunnable = new nsProtectedAuthThread();
+ if (protectedAuthRunnable)
+ {
+ NS_ADDREF(protectedAuthRunnable);
+
+ protectedAuthRunnable->SetParams(slot);
+
+ nsCOMPtr<nsIProtectedAuthThread> runnable = do_QueryInterface(protectedAuthRunnable);
+ if (runnable)
+ {
+ nsrv = dialogs->DisplayProtectedAuth(ir, runnable);
+
+ // We call join on the thread,
+ // so we can be sure that no simultaneous access will happen.
+ protectedAuthRunnable->Join();
+
+ if (NS_SUCCEEDED(nsrv))
+ {
+ SECStatus rv = protectedAuthRunnable->GetResult();
+ switch (rv)
+ {
+ case SECSuccess:
+ protAuthRetVal = PK11_PW_AUTHENTICATED;
+ break;
+ case SECWouldBlock:
+ protAuthRetVal = PK11_PW_RETRY;
+ break;
+ default:
+ protAuthRetVal = nsnull;
+ break;
+
+ }
+ }
+ }
+
+ NS_RELEASE(protectedAuthRunnable);
+ }
+
+ NS_RELEASE(dialogs);
+ }
+
+ return protAuthRetVal;
+}
+
char* PR_CALLBACK
PK11PasswordPrompt(PK11SlotInfo* slot, PRBool retry, void* arg) {
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_OK;
PRUnichar *password = nsnull;
PRBool value = PR_FALSE;
nsIInterfaceRequestor *ir = static_cast<nsIInterfaceRequestor*>(arg);
nsCOMPtr<nsIPrompt> proxyPrompt;
@@ -685,16 +744,19 @@ PK11PasswordPrompt(PK11SlotInfo* slot, P
// Finally, get a proxy for the nsIPrompt
NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD,
NS_GET_IID(nsIPrompt),
prompt,
NS_PROXY_SYNC,
getter_AddRefs(proxyPrompt));
}
+ if (PK11_ProtectedAuthenticationPath(slot))
+ return ShowProtectedAuthPrompt(slot, ir);
+
nsAutoString promptString;
nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
if (NS_FAILED(rv))
return nsnull;
const PRUnichar* formatStrings[1] = { ToNewUnicode(NS_ConvertUTF8toUTF16(PK11_GetTokenName(slot))) };
rv = nssComponent->PIPBundleFormatStringFromName("CertPassPrompt",