void nsProtectedAuthThread::Run(void) { // Login with null password. This call will also do C_Logout() but // it is harmless here mLoginResult = PK11_CheckUserPassword(mSlot, 0); nsIObserver *observer = nsnull; PR_Lock(mMutex); mLoginReady = PR_TRUE; mIAmRunning = PR_FALSE; // Forget the slot if (mSlot) { PK11_FreeSlot(mSlot); mSlot = 0; } if (!mStatusObserverNotified) { observer = mStatusObserver; } mStatusObserver = nsnull; mStatusObserverNotified = PR_TRUE; PR_Unlock(mMutex); if (observer) observer->Observe(nsnull, "operation-completed", nsnull); }
NS_IMETHODIMP nsPK11Token::CheckPassword(const nsACString& password, bool* _retval) { NS_ENSURE_ARG_POINTER(_retval); SECStatus srv = PK11_CheckUserPassword(mSlot.get(), PromiseFlatCString(password).get()); if (srv != SECSuccess) { *_retval = false; PRErrorCode error = PR_GetError(); if (error != SEC_ERROR_BAD_PASSWORD) { /* something really bad happened - throw an exception */ return mozilla::psm::GetXPCOMFromNSSError(error); } } else { *_retval = true; } return NS_OK; }
NS_IMETHODIMP nsPK11Token::CheckPassword(const char16_t *password, bool *_retval) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; SECStatus srv; int32_t prerr; NS_ConvertUTF16toUTF8 aUtf8Password(password); srv = PK11_CheckUserPassword(mSlot, const_cast<char *>(aUtf8Password.get())); if (srv != SECSuccess) { *_retval = false; prerr = PR_GetError(); if (prerr != SEC_ERROR_BAD_PASSWORD) { /* something really bad happened - throw an exception */ return NS_ERROR_FAILURE; } } else { *_retval = true; } return NS_OK; }
bool nss_change_password(PK11SlotInfo* slot, const char* oldpass, const char* newpass) { SECStatus rv; const char *oldpw = NULL, *newpw = NULL; oldpw = oldpass; newpw = newpass; if (PK11_NeedUserInit(slot)) { rv = PK11_InitPin(slot, (char*)NULL, (char*)newpw); return true; } if (PK11_CheckUserPassword(slot, (char*)oldpw) != SECSuccess) { std::cerr<<"Invalid password to nss db"<<std::endl; return false; } if (PK11_ChangePW(slot, (char*)oldpw, (char*)newpw) != SECSuccess) { std::cerr<<"Failed to change password of nss db"<<std::endl; return false; } std::cout<<"Succeeded to change password"<<std::endl; return true; }
/* * CreatePk11PinStore */ int CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin) { int err = PIN_SUCCESS; Pk11PinStore *store; do { store = (Pk11PinStore*)malloc(sizeof(Pk11PinStore)); if (store == 0) { err = PIN_NOMEMORY; break; } /* Low-level init */ store->key = 0; store->params = 0; store->crypt = 0; /* Use the tokenName to find a PKCS11 slot */ store->slot = PK11_FindSlotByName((char *)tokenName); if (store->slot == 0) { err = PIN_NOSUCHTOKEN; break; } /* Check the password/PIN. This allows access to the token */ { SECStatus rv = PK11_CheckUserPassword(store->slot, (char *)pin); if (rv == SECSuccess) ; else if (rv == SECWouldBlock) { /* NSS returns a blocking error when the pin is wrong */ err = PIN_INCORRECTPW; break; } else { err = PIN_SYSTEMERROR; break; } } /* Find the mechanism that this token can do */ { const mech_item *tp; store->mech = 0; for(tp = table;tp < &table[MECH_TABLE_SIZE];tp++) { if (PK11_DoesMechanism(store->slot, tp->type)) { store->mech = (mech_item *)tp; break; } } /* Default to a mechanism (probably on the internal token */ if (store->mech == 0) { store->mech = &dflt_mech; } } /* Generate a key and parameters to do the encryption */ #if NSS_VMAJOR >= 3 && (NSS_VMINOR <= 9 || (NSS_VMINOR <= 10 && NSS_VPATCH == 0)) store->key = PK11_KeyGen(store->slot, store->mech->type, 0, 0, 0); #else store->key = PK11_TokenKeyGenWithFlags(store->slot, store->mech->type, NULL, 0, NULL, CKF_ENCRYPT|CKF_DECRYPT, PR_FALSE, NULL); #endif if (store->key == 0) { /* PR_SetError(xxx); */ err = PIN_SYSTEMERROR; break; } store->params = PK11_GenerateNewParam(store->mech->type, store->key); if (store->params == 0) { err = PIN_SYSTEMERROR; break; } /* Compute the size of the encrypted data including necessary padding */ { int blocksize = PK11_GetBlockSize(store->mech->type, 0); store->length = strlen(pin)+1; /* Compute padded size - 0 means stream cipher */ if (blocksize != 0) { store->length += blocksize - (store->length % blocksize); } store->crypt = (unsigned char *)malloc(store->length); if (!store->crypt) { err = PIN_NOMEMORY; break; } } /* Encrypt */ { unsigned char *plain; PK11Context *ctx; SECStatus rv; int outLen; plain = (unsigned char *)malloc(store->length); if (!plain) { err = PIN_NOMEMORY; break; } /* Pad with 0 bytes */ memset(plain, 0, store->length); strcpy((char *)plain, pin); ctx = PK11_CreateContextBySymKey(store->mech->type, CKA_ENCRYPT, store->key, store->params); if (!ctx) { err = PIN_SYSTEMERROR; break; } do { rv = PK11_CipherOp(ctx, store->crypt, &outLen, store->length, plain, store->length); if (rv) break; rv = PK11_Finalize(ctx); } while(0); PK11_DestroyContext(ctx, PR_TRUE); memset(plain, 0, store->length); free(plain); if (rv) err = PIN_SYSTEMERROR; } } while(0); if (err) { DestroyPk11PinStore(store); store = 0; } *out = store; return err; }
/* * SVRCORE_CreatePk11PinStore */ SVRCOREError SVRCORE_CreatePk11PinStore( SVRCOREPk11PinStore **out, const char *tokenName, const char *pin) { SVRCOREError err; SVRCOREPk11PinStore *store; do { err = SVRCORE_Success; store = (SVRCOREPk11PinStore*)malloc(sizeof *store); if (store == 0) { err = SVRCORE_NoMemory_Error; break; } /* Low-level init */ store->slot = 0; store->key = 0; store->params = 0; store->crypt = 0; /* Use the tokenName to find a PKCS11 slot */ store->slot = PK11_FindSlotByName((char *)tokenName); if (store->slot == 0) { err = SVRCORE_NoSuchToken_Error; break; } /* Check the password/PIN. This allows access to the token */ { SECStatus rv = PK11_CheckUserPassword(store->slot, (char *)pin); if (rv == SECSuccess) ; else if (rv == SECWouldBlock) { err = SVRCORE_IncorrectPassword_Error; break; } else { err = SVRCORE_System_Error; break; } } /* Find the mechanism that this token can do */ { const mech_item *tp; store->mech = 0; for(tp = table;tp < &table[MECH_TABLE_SIZE];tp++) { if (PK11_DoesMechanism(store->slot, tp->type)) { store->mech = tp; break; } } /* Default to a mechanism (probably on the internal token */ if (store->mech == 0) store->mech = &dflt_mech; } /* Generate a key and parameters to do the encryption */ store->key = PK11_TokenKeyGenWithFlags(store->slot, store->mech->type, 0, 0, 0, CKF_ENCRYPT|CKF_DECRYPT, 0, 0); if (store->key == 0) { /* PR_SetError(xxx); */ err = SVRCORE_System_Error; break; } store->params = PK11_GenerateNewParam(store->mech->type, store->key); if (store->params == 0) { err = SVRCORE_System_Error; break; } /* Compute the size of the encrypted data including necessary padding */ { int blocksize = PK11_GetBlockSize(store->mech->type, 0); store->length = strlen(pin)+1; /* Compute padded size - 0 means stream cipher */ if (blocksize != 0) { store->length += blocksize - (store->length % blocksize); } store->crypt = (unsigned char *)malloc(store->length); if (!store->crypt) { err = SVRCORE_NoMemory_Error; break; } } /* Encrypt */ { unsigned char *plain; PK11Context *ctx; SECStatus rv; int outLen; plain = (unsigned char *)malloc(store->length); if (!plain) { err = SVRCORE_NoMemory_Error; break; } /* Pad with 0 bytes */ memset(plain, 0, store->length); strcpy((char *)plain, pin); ctx = PK11_CreateContextBySymKey(store->mech->type, CKA_ENCRYPT, store->key, store->params); if (!ctx) { err = SVRCORE_System_Error; break; } do { rv = PK11_CipherOp(ctx, store->crypt, &outLen, store->length, plain, store->length); if (rv) break; rv = PK11_Finalize(ctx); } while(0); PK11_DestroyContext(ctx, PR_TRUE); memset(plain, 0, store->length); free(plain); if (rv) err = SVRCORE_System_Error; } } while(0); if (err) { SVRCORE_DestroyPk11PinStore(store); store = 0; } *out = store; return err; }
/************************************************************************ * * C h a n g e P W */ Error ChangePW(char *tokenName, char *pwFile, char *newpwFile) { char *oldpw = NULL, *newpw = NULL, *newpw2 = NULL; PK11SlotInfo *slot; Error ret = UNSPECIFIED_ERR; PRBool matching; slot = PK11_FindSlotByName(tokenName); if (!slot) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], tokenName); return NO_SUCH_TOKEN_ERR; } /* Get old password */ if (!PK11_NeedUserInit(slot)) { if (pwFile) { oldpw = SECU_FilePasswd(NULL, PR_FALSE, pwFile); if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[BAD_PW_ERR]); ret = BAD_PW_ERR; goto loser; } } else if (PK11_NeedLogin(slot)) { for (matching = PR_FALSE; !matching;) { oldpw = SECU_GetPasswordString(NULL, "Enter old password: "******"Enter new password: "******"Re-enter new password: "); if (strcmp(newpw, newpw2)) { PR_fprintf(PR_STDOUT, msgStrings[PW_MATCH_MSG]); PORT_ZFree(newpw, strlen(newpw)); PORT_ZFree(newpw2, strlen(newpw2)); } else { matching = PR_TRUE; } } } /* Change the password */ if (PK11_NeedUserInit(slot)) { if (PK11_InitPin(slot, NULL /*ssopw*/, newpw) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName); ret = CHANGEPW_FAILED_ERR; goto loser; } } else { if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName); ret = CHANGEPW_FAILED_ERR; goto loser; } } PR_fprintf(PR_STDOUT, msgStrings[CHANGEPW_SUCCESS_MSG], tokenName); ret = SUCCESS; loser: if (oldpw) { PORT_ZFree(oldpw, strlen(oldpw)); } if (newpw) { PORT_ZFree(newpw, strlen(newpw)); } if (newpw2) { PORT_ZFree(newpw2, strlen(newpw2)); } PK11_FreeSlot(slot); return ret; }