bug 119500, PKCS#11 CKF_PROTECTED_AUTHENTICATION_PATH token flag not supported Patch contributed by Petr Kostka r=rrelyea, sr=kengert, a=dsicore Addon Patch to provide dummy implementations for gtk-embedding and camino. r=mark, sr=jst
authorkaie@kuix.de
Tue, 04 Dec 2007 23:34:55 -0800
changeset 8756 516938132524413ad7218f270d86f59f4ab3d86d
parent 8755 2d4fff75907c2922bed08cf99a4c1318b2d14e1b
child 8757 47ab0e49c3313d988235077393d59df0b43710f8
push idunknown
push userunknown
push dateunknown
reviewersrrelyea, kengert, dsicore, mark, jst
bugs119500
milestone1.9b2pre
bug 119500, PKCS#11 CKF_PROTECTED_AUTHENTICATION_PATH token flag not supported Patch contributed by Petr Kostka r=rrelyea, sr=kengert, a=dsicore Addon Patch to provide dummy implementations for gtk-embedding and camino. r=mark, sr=jst
embedding/browser/gtk/src/EmbedCertificates.cpp
security/manager/locales/en-US/chrome/pippki/pippki.dtd
security/manager/pki/resources/jar.mn
security/manager/pki/src/nsNSSDialogs.cpp
security/manager/ssl/public/Makefile.in
security/manager/ssl/public/nsITokenDialogs.idl
security/manager/ssl/src/Makefile.in
security/manager/ssl/src/nsNSSCallbacks.cpp
--- a/embedding/browser/gtk/src/EmbedCertificates.cpp
+++ b/embedding/browser/gtk/src/EmbedCertificates.cpp
@@ -227,16 +227,24 @@ EmbedCertificates::ChooseToken(
   PRUint32 aCount,
   PRUnichar **aTokenChosen,
   PRBool *aCanceled)
 {
   *aCanceled = PR_FALSE;
   return NS_OK;
 }
 
+NS_IMETHODIMP
+EmbedCertificates::DisplayProtectedAuth(
+  nsIInterfaceRequestor *aCtx,
+  nsIProtectedAuthThread *runnable)
+{
+  return NS_OK;
+}
+
 /* boolean ConfirmKeyEscrow (in nsIX509Cert escrowAuthority); */
 NS_IMETHODIMP
 EmbedCertificates::ConfirmKeyEscrow(nsIX509Cert *escrowAuthority, PRBool *_retval)
 {
   *_retval = PR_TRUE;
   return NS_OK;
 }
 
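Review bot: The stub `DisplayProtectedAuth` returns `NS_OK` without running or even touching `runnable`, so a caller cannot tell that no authentication took place. ShowProtectedAuthPrompt in nsNSSCallbacks.cpp (later in this commit) treats a successful return as permission to read `GetResult()` from the thread object. What that returns for a thread that never ran is not visible here, and if it happens to be `SECSuccess` this embedding would report the token as authenticated. Returning a failure instead, `return NS_ERROR_NOT_IMPLEMENTED;`, makes the caller fall through to its null return. A one-line comment saying this embedding does not support protected authentication paths would record the intent.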
--- a/security/manager/locales/en-US/chrome/pippki/pippki.dtd
+++ b/security/manager/locales/en-US/chrome/pippki/pippki.dtd
@@ -118,8 +118,13 @@
 <!ENTITY createCertInfo.title "Generating A Private Key">
 <!ENTITY createCertInfo.msg1 "Key Generation in progress… This may take a few minutes….">
 <!ENTITY createCertInfo.msg2 "Please wait…">
 
 <!-- Form Signing confirmation prompt -->
 <!ENTITY formSigning.title "Text Signing Request">
 <!ENTITY formSigning.cert "Signing Certificate">
 <!ENTITY formSigning.confirmPassword "To confirm you agree to sign this text message using your selected certificate, please confirm by entering the master password:">
+
+<!-- Strings for protectedAuth dialog -->
+<!ENTITY protectedAuth.title "Protected Token Authentication">
+<!ENTITY protectedAuth.msg "Please authenticate to the token. Authentication method depends on the type of your token.">
+<!ENTITY protectedAuth.tokenName.label "Token:">
--- a/security/manager/pki/resources/jar.mn
+++ b/security/manager/pki/resources/jar.mn
@@ -61,10 +61,12 @@ pippki.jar:
     content/pippki/serverCrlNextupdate.js    (content/serverCrlNextupdate.js)
     content/pippki/serverCrlNextupdate.xul   (content/serverCrlNextupdate.xul)
     content/pippki/createCertInfo.xul        (content/createCertInfo.xul)
     content/pippki/createCertInfo.js         (content/createCertInfo.js)
     content/pippki/crlImportDialog.xul       (content/crlImportDialog.xul)
     content/pippki/crlImportDialog.js        (content/crlImportDialog.js)
     content/pippki/pref-crlupdate.xul        (content/pref-crlupdate.xul)
     content/pippki/pref-crlupdate.js         (content/pref-crlupdate.js)
+    content/pippki/protectedAuth.xul         (content/protectedAuth.xul)
+    content/pippki/protectedAuth.js          (content/protectedAuth.js)
     content/pippki/formsigning.xul           (content/formsigning.xul)
     content/pippki/formsigning.js            (content/formsigning.js)
--- a/security/manager/pki/src/nsNSSDialogs.cpp
+++ b/security/manager/pki/src/nsNSSDialogs.cpp
@@ -18,16 +18,17 @@
  * The Initial Developer of the Original Code is
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2001
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Terry Hayes <thayes@netscape.com>
  *   Javier Delgadillo <javi@netscape.com>
+ *   Petr Kostka <petr.kostka@st.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -57,17 +58,19 @@
 #include "nsIX509CertDB.h"
 #include "nsILocaleService.h"
 #include "nsIDateTimeFormat.h"
 #include "nsDateTimeFormatCID.h"
 
 #include "nsNSSDialogs.h"
 #include "nsPKIParamBlock.h"
 #include "nsIKeygenThread.h"
+#include "nsIProtectedAuthThread.h"
 #include "nsNSSDialogHelper.h"
+#include "nsIWindowWatcher.h"
 #include "nsIX509CertValidity.h"
 #include "nsICRLInfo.h"
 
 #define PIPSTRING_BUNDLE_URL "chrome://pippki/locale/pippki.properties"
 
 /* ==== */
 
 nsNSSDialogs::nsNSSDialogs()
@@ -553,8 +556,49 @@ nsNSSDialogs::ConfirmKeyEscrow(nsIX509Ce
   nsCOMPtr<nsIDialogParamBlock> dlgParamBlock = do_QueryInterface(block);
   rv = dlgParamBlock->GetInt(1, &status);
  
   if (status) {
     *_retval = PR_TRUE;
   } 
   return rv;
 }
+
+NS_IMETHODIMP
+nsNSSDialogs::DisplayProtectedAuth(nsIInterfaceRequestor *aCtx, nsIProtectedAuthThread *runnable)
+{
+    // We cannot use nsNSSDialogHelper here. We cannot allow close widget
+    // in the window because protected authentication is interruptible
+    // from user interface and changing nsNSSDialogHelper's static variable
+    // would not be thread-safe
+    
+    nsresult rv = NS_ERROR_FAILURE;
+    
+    // Get the parent window for the dialog
+    nsCOMPtr<nsIDOMWindowInternal> parent = do_GetInterface(aCtx);
+    
+    nsCOMPtr<nsIWindowWatcher> windowWatcher = 
+        do_GetService("@mozilla.org/embedcomp/window-watcher;1", &rv);
+    if (NS_FAILED(rv))
+        return rv;
+    
+    nsCOMPtr<nsIDOMWindowInternal> activeParent;
+    if (!parent)
+    {
+        nsCOMPtr<nsIDOMWindow> active;
+        windowWatcher->GetActiveWindow(getter_AddRefs(active));
+        if (active)
+        {
+            active->QueryInterface(NS_GET_IID(nsIDOMWindowInternal), getter_AddRefs(activeParent));
+            parent = activeParent;
+        }
+    }
+    
+    nsCOMPtr<nsIDOMWindow> newWindow;
+    rv = windowWatcher->OpenWindow(parent,
+        "chrome://pippki/content/protectedAuth.xul",
+        "_blank",
+        "centerscreen,chrome,modal,titlebar,close=no",
+        runnable,
+        getter_AddRefs(newWindow));
+    
+    return rv;
+}
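Review bot: The window is opened `modal` with `close=no`, so the only way out of it is whatever protectedAuth.js does with `runnable`, and nothing in this function documents or enforces that contract. `runnable` is passed to `OpenWindow` without a null check, and if the dialog script fails to start the login or never sees it complete, the user is left with a modal window that cannot be dismissed. A header comment stating that the dialog is expected to start the thread and close itself when the login finishes, plus `NS_ENSURE_ARG_POINTER(runnable);` at the top, would make this explicit. The existing comment at the top of the body is hard to follow and should say plainly why the close widget is suppressed. The active-window fallback can be shortened to `parent = do_QueryInterface(active);`, which drops the `activeParent` temporary.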
--- a/security/manager/ssl/public/Makefile.in
+++ b/security/manager/ssl/public/Makefile.in
@@ -91,16 +91,17 @@ XPIDLSRCS = \
     nsIPK11Token.idl \
     nsIPKCS11ModuleDB.idl \
     nsIPKCS11Module.idl \
     nsICRLManager.idl \
     nsISMimeCert.idl \
     nsICipherInfo.idl \
     nsIStreamCipher.idl \
     nsIKeyModule.idl \
+    nsIProtectedAuthThread.idl \
     nsIDataSignatureVerifier.idl \
     $(NULL)
 
 ifdef MOZ_XUL
 XPIDLSRCS += nsICertTree.idl
 endif
 
 include $(topsrcdir)/config/rules.mk
--- a/security/manager/ssl/public/nsITokenDialogs.idl
+++ b/security/manager/ssl/public/nsITokenDialogs.idl
@@ -15,16 +15,17 @@
  *
  * The Initial Developer of the Original Code is
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2001
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Terry Hayes <thayes@netscape.com>
+ *   Petr Kostka <petr.kostka@st.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -33,22 +34,31 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "nsISupports.idl"
 
 interface nsIInterfaceRequestor;
+interface nsIProtectedAuthThread;
 
 [scriptable, uuid(bb4bae9c-39c5-11d5-ba26-00108303b117)]
 interface nsITokenDialogs : nsISupports
 {
   void ChooseToken(in nsIInterfaceRequestor ctx,
                    [array, size_is(count)] in wstring tokenNameList,
                    in unsigned long count,
                    out wstring tokenName,
                    out boolean canceled);
+
+    /**
+    * displayProtectedAuth - displays notification dialog to the user 
+    * that he is expected to authenticate to the token using its
+    * "protected authentication path" feature
+    */
+  void displayProtectedAuth(in nsIInterfaceRequestor ctx,
+                            in nsIProtectedAuthThread runnable);
 };
 
 %{C++
 #define NS_TOKENDIALOGS_CONTRACTID "@mozilla.org/nsTokenDialogs;1"
 %}
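Review bot: `nsITokenDialogs` gains a method but keeps the uuid `bb4bae9c-39c5-11d5-ba26-00108303b117` on the unchanged `[scriptable, uuid(...)]` line, so a component built against the old interface still answers QueryInterface for it while its vtable lacks the `displayProtectedAuth` slot. A call through such an object would go through a slot that is not there, which is a memory-safety problem rather than a clean failure; the interface should get a freshly generated uuid in the same change. The doc comment should also say what `runnable` is for: who starts it, and whether the call is expected to return only after the dialog has closed, if that is the intent. Its indentation does not match the rest of the interface.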
--- a/security/manager/ssl/src/Makefile.in
+++ b/security/manager/ssl/src/Makefile.in
@@ -59,16 +59,17 @@ PACKAGE_FILE = pipnss.pkg
 CPPSRCS = 				\
 	nsNSSCleaner.cpp                \
 	nsCertOverrideService.cpp   \
 	nsRecentBadCerts.cpp \
 	nsPSMBackgroundThread.cpp       \
 	nsSSLThread.cpp                 \
 	nsCertVerificationThread.cpp    \
 	nsCipherInfo.cpp \
+	nsProtectedAuthThread.cpp \
 	nsNSSCallbacks.cpp		\
 	nsNSSComponent.cpp		\
 	nsNSSErrors.cpp			\
 	nsNSSIOLayer.cpp		\
 	nsSSLStatus.cpp		\
 	nsNSSModule.cpp			\
 	nsSSLSocketProvider.cpp		\
 	nsTLSSocketProvider.cpp		\
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -19,16 +19,17 @@
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 1998
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Brian Ryner <bryner@brianryner.com>
  *   Terry Hayes <thayes@netscape.com>
  *   Kai Engert <kengert@redhat.com>
+ *   Petr Kostka <petr.kostka@st.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -50,16 +51,18 @@
 #include "nsCOMPtr.h"
 #include "nsAutoPtr.h"
 #include "nsIServiceManager.h"
 #include "nsReadableUtils.h"
 #include "nsIPrompt.h"
 #include "nsProxiedService.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
+#include "nsProtectedAuthThread.h"
+#include "nsITokenDialogs.h"
 #include "nsCRT.h"
 #include "nsNSSShutDown.h"
 #include "nsIUploadChannel.h"
 #include "nsSSLThread.h"
 #include "nsThreadUtils.h"
 #include "nsAutoLock.h"
 #include "nsIThread.h"
 #include "nsIWindowWatcher.h"
@@ -625,16 +628,72 @@ void nsHTTPListener::send_done_signal()
 
   {
     nsAutoLock locker(mLock);
     mWaitFlag = PR_FALSE;
     PR_NotifyAllCondVar(mCondition);
   }
 }
 
+static char*
+ShowProtectedAuthPrompt(PK11SlotInfo* slot, nsIInterfaceRequestor *ir)
+{
+  char* protAuthRetVal = nsnull;
+
+  // Get protected auth dialogs
+  nsITokenDialogs* dialogs = 0;
+  nsresult nsrv = getNSSDialogs((void**)&dialogs, 
+                                NS_GET_IID(nsITokenDialogs), 
+                                NS_TOKENDIALOGS_CONTRACTID);
+  if (NS_SUCCEEDED(nsrv))
+  {
+    nsProtectedAuthThread* protectedAuthRunnable = new nsProtectedAuthThread();
+    if (protectedAuthRunnable)
+    {
+      NS_ADDREF(protectedAuthRunnable);
+
+      protectedAuthRunnable->SetParams(slot);
+      
+      nsCOMPtr<nsIProtectedAuthThread> runnable = do_QueryInterface(protectedAuthRunnable);
+      if (runnable)
+      {
+        nsrv = dialogs->DisplayProtectedAuth(ir, runnable);
+              
+        // We call join on the thread,
+        // so we can be sure that no simultaneous access will happen.
+        protectedAuthRunnable->Join();
+              
+        if (NS_SUCCEEDED(nsrv))
+        {
+          SECStatus rv = protectedAuthRunnable->GetResult();
+          switch (rv)
+          {
+              case SECSuccess:
+                  protAuthRetVal = PK11_PW_AUTHENTICATED;
+                  break;
+              case SECWouldBlock:
+                  protAuthRetVal = PK11_PW_RETRY;
+                  break;
+              default:
+                  protAuthRetVal = nsnull;
+                  break;
+              
+          }
+        }
+      }
+
+      NS_RELEASE(protectedAuthRunnable);
+    }
+
+    NS_RELEASE(dialogs);
+  }
+
+  return protAuthRetVal;
+}
+  
 char* PR_CALLBACK
 PK11PasswordPrompt(PK11SlotInfo* slot, PRBool retry, void* arg) {
   nsNSSShutDownPreventionLock locker;
   nsresult rv = NS_OK;
   PRUnichar *password = nsnull;
   PRBool value = PR_FALSE;
   nsIInterfaceRequestor *ir = static_cast<nsIInterfaceRequestor*>(arg);
   nsCOMPtr<nsIPrompt> proxyPrompt;
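Review bot: `ShowProtectedAuthPrompt` returns the `PK11_PW_AUTHENTICATED` and `PK11_PW_RETRY` macros directly as the password-callback result, while the callback's return type is a mutable `char*` that NSS normally takes ownership of and frees. If those macros expand to string literals (worth confirming in the NSS headers), NSS would end up freeing static storage. Returning a heap copy avoids that, e.g. `protAuthRetVal = ToNewCString(nsDependentCString(PK11_PW_AUTHENTICATED));` and the same for `PK11_PW_RETRY`, using whatever allocator the normal password return path of PK11PasswordPrompt uses. Separately, `Join()` runs even when `DisplayProtectedAuth` failed and the thread may never have been started; whether that is safe depends on nsProtectedAuthThread, which is not shown in this diff. PK11PasswordPrompt begins in this hunk and continues outside it.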
@@ -685,16 +744,19 @@ PK11PasswordPrompt(PK11SlotInfo* slot, P
     // Finally, get a proxy for the nsIPrompt
     NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD,
                          NS_GET_IID(nsIPrompt),
                          prompt,
                          NS_PROXY_SYNC,
                          getter_AddRefs(proxyPrompt));
   }
 
+  if (PK11_ProtectedAuthenticationPath(slot))
+    return ShowProtectedAuthPrompt(slot, ir);
+
   nsAutoString promptString;
   nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
 
   if (NS_FAILED(rv))
     return nsnull; 
 
   const PRUnichar* formatStrings[1] = { ToNewUnicode(NS_ConvertUTF8toUTF16(PK11_GetTokenName(slot))) };
   rv = nssComponent->PIPBundleFormatStringFromName("CertPassPrompt",
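Review bot: The early return for protected-authentication tokens ignores `retry` and sits after the nsIPrompt proxy set-up, which this path never uses. Because `ShowProtectedAuthPrompt` maps `SECWouldBlock` to `PK11_PW_RETRY`, a token that keeps reporting that status would reopen the modal dialog each time NSS calls back. No attempt limit is visible in this hunk, so it is worth confirming that NSS or the dialog bounds this. A comment above the check such as `// Token has its own PIN entry (protected authentication path): no password is collected here, the return value is a status sentinel.` would explain why the function returns something that is not a password. The body of PK11PasswordPrompt starts and ends outside this hunk.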