NS_IMETHODIMP nsPK11Token::NeedsLogin(bool* _retval) { NS_ENSURE_ARG_POINTER(_retval); *_retval = PK11_NeedLogin(mSlot.get()); return NS_OK; }
nsresult KeyService::Init() { // Bring up psm nsCOMPtr<nsISupports> nss = do_GetService("@mozilla.org/psm;1"); SECStatus sv; mSlot = PK11_GetInternalKeySlot(); if (PK11_NeedUserInit(mSlot)) { NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(mSlot)); nsCOMPtr<nsITokenPasswordDialogs> dialogs; dialogs = do_GetService(NS_TOKENPASSWORDSDIALOG_CONTRACTID); if (!dialogs) return NS_ERROR_FAILURE; PRBool cancelled; nsresult rv = dialogs->SetPassword(nsnull, tokenName.get(), &cancelled); NS_ENSURE_SUCCESS(rv, rv); if (cancelled) return NS_ERROR_FAILURE; } if (PK11_NeedLogin(mSlot)) { sv = PK11_Authenticate(mSlot, PR_TRUE, NULL); if (sv != SECSuccess) return NS_ERROR_FAILURE; } return NS_OK; }
int get_slot_login_required(pkcs11_handle_t *h) { if (h->slot == NULL) { DBG("Login failed: No Slot selected"); return -1; } return PK11_NeedLogin(h->slot); }
NS_IMETHODIMP nsPK11Token::GetHasPassword(bool* hasPassword) { NS_ENSURE_ARG_POINTER(hasPassword); // PK11_NeedLogin returns true if the token is currently configured to require // the user to log in (whether or not the user is actually logged in makes no // difference). *hasPassword = PK11_NeedLogin(mSlot.get()) && !PK11_NeedUserInit(mSlot.get()); return NS_OK; }
NS_IMETHODIMP nsPKCS11Slot::GetStatus(uint32_t *_retval) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (PK11_IsDisabled(mSlot)) *_retval = SLOT_DISABLED; else if (!PK11_IsPresent(mSlot)) *_retval = SLOT_NOT_PRESENT; else if (PK11_NeedLogin(mSlot) && PK11_NeedUserInit(mSlot)) *_retval = SLOT_UNINITIALIZED; else if (PK11_NeedLogin(mSlot) && !PK11_IsLoggedIn(mSlot, nullptr)) *_retval = SLOT_NOT_LOGGED_IN; else if (PK11_NeedLogin(mSlot)) *_retval = SLOT_LOGGED_IN; else *_retval = SLOT_READY; return NS_OK; }
NS_IMETHODIMP nsPK11Token::NeedsLogin(bool *_retval) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; nsresult rv = NS_OK; *_retval = PK11_NeedLogin(mSlot); return rv; }
static SECStatus nss_Init_Tokens(struct connectdata * conn) { PK11SlotList *slotList; PK11SlotListElement *listEntry; SECStatus ret, status = SECSuccess; pphrase_arg_t *parg = NULL; parg = (pphrase_arg_t *) malloc(sizeof(*parg)); parg->retryCount = 0; parg->data = conn->data; PK11_SetPasswordFunc(nss_get_password); slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL); for(listEntry = PK11_GetFirstSafe(slotList); listEntry; listEntry = listEntry->next) { PK11SlotInfo *slot = listEntry->slot; if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { if(slot == PK11_GetInternalKeySlot()) { failf(conn->data, "The NSS database has not been initialized.\n"); } else { failf(conn->data, "The token %s has not been initialized.", PK11_GetTokenName(slot)); } PK11_FreeSlot(slot); continue; } ret = PK11_Authenticate(slot, PR_TRUE, parg); if(SECSuccess != ret) { if (PR_GetError() == SEC_ERROR_BAD_PASSWORD) infof(conn->data, "The password for token '%s' is incorrect\n", PK11_GetTokenName(slot)); status = SECFailure; break; } parg->retryCount = 0; /* reset counter to 0 for the next token */ PK11_FreeSlot(slot); } free(parg); return status; }
SECStatus InitPKCS11(void) { PK11SlotInfo *keySlot; PK11_SetPasswordFunc(SECU_GetModulePassword); keySlot = PK11_GetInternalKeySlot(); if (PK11_NeedUserInit(keySlot) && PK11_NeedLogin(keySlot)) { if (SECU_ChangePW(keySlot, NULL, NULL) != SECSuccess) { printf ("Initializing the PINs failed.\n"); return SECFailure; } } PK11_FreeSlot(keySlot); return SECSuccess; }
PK11SlotInfo *lsw_nss_get_authenticated_slot(lsw_nss_buf_t err) { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); if (slot == NULL) { snprintf(err, sizeof(lsw_nss_buf_t), "no internal key slot"); return NULL; } if (PK11_IsFIPS() || PK11_NeedLogin(slot)) { SECStatus status = PK11_Authenticate(slot, PR_FALSE, lsw_return_nss_password_file_info()); if (status != SECSuccess) { const char *token = PK11_GetTokenName(slot); snprintf(err, sizeof(lsw_nss_buf_t), "authentication of \"%s\" failed", token); PK11_FreeSlot(slot); return NULL; } } return slot; }
static SECStatus nss_Init_Tokens(struct connectdata * conn) { PK11SlotList *slotList; PK11SlotListElement *listEntry; SECStatus ret, status = SECSuccess; PK11_SetPasswordFunc(nss_get_password); slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL); for(listEntry = PK11_GetFirstSafe(slotList); listEntry; listEntry = listEntry->next) { PK11SlotInfo *slot = listEntry->slot; if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { if(slot == PK11_GetInternalKeySlot()) { failf(conn->data, "The NSS database has not been initialized"); } else { failf(conn->data, "The token %s has not been initialized", PK11_GetTokenName(slot)); } PK11_FreeSlot(slot); continue; } ret = PK11_Authenticate(slot, PR_TRUE, conn->data->set.str[STRING_KEY_PASSWD]); if(SECSuccess != ret) { if(PR_GetError() == SEC_ERROR_BAD_PASSWORD) infof(conn->data, "The password for token '%s' is incorrect\n", PK11_GetTokenName(slot)); status = SECFailure; break; } PK11_FreeSlot(slot); } return status; }
nsresult LocalCertService::LoginToKeySlot() { nsresult rv; // Get access to key slot UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { return mozilla::psm::GetXPCOMFromNSSError(PR_GetError()); } // If no user password yet, set it an empty one if (PK11_NeedUserInit(slot.get())) { rv = MapSECStatus(PK11_InitPin(slot.get(), "", "")); if (NS_FAILED(rv)) { return rv; } } // If user has a password set, prompt to login if (PK11_NeedLogin(slot.get()) && !PK11_IsLoggedIn(slot.get(), nullptr)) { // Switching to XPCOM to get the UI prompt that PSM owns nsCOMPtr<nsIPK11TokenDB> tokenDB = do_GetService(NS_PK11TOKENDB_CONTRACTID); if (!tokenDB) { return NS_ERROR_FAILURE; } nsCOMPtr<nsIPK11Token> keyToken; tokenDB->GetInternalKeyToken(getter_AddRefs(keyToken)); if (!keyToken) { return NS_ERROR_FAILURE; } // Prompt the user to login return keyToken->Login(false /* force */); } return NS_OK; }
static CERTCertList *get_all_root_certs(void) { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); if (slot == NULL) return NULL; if (PK11_NeedLogin(slot)) { SECStatus rv = PK11_Authenticate(slot, PR_TRUE, lsw_return_nss_password_file_info()); if (rv != SECSuccess) return NULL; } CERTCertList *allcerts = PK11_ListCertsInSlot(slot); if (allcerts == NULL) return NULL; CERTCertList *roots = CERT_NewCertList(); CERTCertListNode *node; for (node = CERT_LIST_HEAD(allcerts); !CERT_LIST_END(node, allcerts); node = CERT_LIST_NEXT(node)) { if (CERT_IsCACert(node->cert, NULL) && node->cert->isRoot) { CERT_DupCertificate(node->cert); CERT_AddCertToListTail(roots, node->cert); } } CERT_DestroyCertList(allcerts); if (roots == NULL || CERT_LIST_EMPTY(roots)) return NULL; return roots; }
NS_IMETHODIMP LocalCertService::GetLoginPromptRequired(bool* aRequired) { nsresult rv; // Get access to key slot UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { return mozilla::psm::GetXPCOMFromNSSError(PR_GetError()); } // If no user password yet, set it an empty one if (PK11_NeedUserInit(slot.get())) { rv = MapSECStatus(PK11_InitPin(slot.get(), "", "")); if (NS_FAILED(rv)) { return rv; } } *aRequired = PK11_NeedLogin(slot.get()) && !PK11_IsLoggedIn(slot.get(), nullptr); return NS_OK; }
nsresult nsNSSCertificate::MarkForPermDeletion() { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; // make sure user is logged in to the token nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); if (PK11_NeedLogin(mCert->slot) && !PK11_NeedUserInit(mCert->slot) && !PK11_IsInternal(mCert->slot)) { if (SECSuccess != PK11_Authenticate(mCert->slot, true, ctx)) { return NS_ERROR_FAILURE; } } mPermDelete = true; return NS_OK; }
static SECStatus SignAndStoreCrl(CERTSignedCrl *signCrl, CERTCertificate *cert, char *outFileName, SECOidTag hashAlgTag, int ascii, char *slotName, char *url, secuPWData *pwdata) { PK11SlotInfo *slot = NULL; PRFileDesc *outFile = NULL; SECStatus rv; SignAndEncodeFuncExitStat errCode; PORT_Assert(signCrl && (!ascii || outFileName)); if (!signCrl || (ascii && !outFileName)) { SECU_PrintError(progName, "invalid args for function " "SignAndStoreCrl\n"); return SECFailure; } if (!slotName || !PL_strcmp(slotName, "internal")) slot = PK11_GetInternalKeySlot(); else slot = PK11_FindSlotByName(slotName); if (!slot) { SECU_PrintError(progName, "can not find requested slot"); return SECFailure; } if (PK11_NeedLogin(slot)) { rv = PK11_Authenticate(slot, PR_TRUE, pwdata); if (rv != SECSuccess) goto loser; } rv = SECU_SignAndEncodeCRL(cert, signCrl, hashAlgTag, &errCode); if (rv != SECSuccess) { char* errMsg = NULL; switch (errCode) { case noKeyFound: errMsg = "No private key found of signing cert"; break; case noSignatureMatch: errMsg = "Key and Algorithm OId are do not match"; break; default: case failToEncode: errMsg = "Failed to encode crl structure"; break; case failToSign: errMsg = "Failed to sign crl structure"; break; case noMem: errMsg = "Can not allocate memory"; break; } SECU_PrintError(progName, "%s\n", errMsg); goto loser; } if (outFileName) { outFile = PR_Open(outFileName, PR_WRONLY|PR_CREATE_FILE, PR_IRUSR | PR_IWUSR); if (!outFile) { SECU_PrintError(progName, "unable to open \"%s\" for writing\n", outFileName); goto loser; } } rv = SECU_StoreCRL(slot, signCrl->derCrl, outFile, ascii, url); if (rv != SECSuccess) { SECU_PrintError(progName, "fail to save CRL\n"); } loser: if (outFile) PR_Close(outFile); if (slot) PK11_FreeSlot(slot); return rv; }
SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type, PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions, secuPWData *pwdata) { CERTSignedCrl *crl = NULL; SECItem crlDER; PK11SlotInfo* slot = NULL; int rv; #if defined(DEBUG_jp96085) PRIntervalTime starttime, endtime, elapsed; PRUint32 mins, secs, msecs; #endif crlDER.data = NULL; /* Read in the entire file specified with the -f argument */ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); if (rv != SECSuccess) { SECU_PrintError(progName, "unable to read input file"); return (SECFailure); } decodeOptions |= CRL_DECODE_DONT_COPY_DER; slot = PK11_GetInternalKeySlot(); if (PK11_NeedLogin(slot)) { rv = PK11_Authenticate(slot, PR_TRUE, pwdata); if (rv != SECSuccess) goto loser; } #if defined(DEBUG_jp96085) starttime = PR_IntervalNow(); #endif crl = PK11_ImportCRL(slot, &crlDER, url, type, NULL, importOptions, NULL, decodeOptions); #if defined(DEBUG_jp96085) endtime = PR_IntervalNow(); elapsed = endtime - starttime; mins = PR_IntervalToSeconds(elapsed) / 60; secs = PR_IntervalToSeconds(elapsed) % 60; msecs = PR_IntervalToMilliseconds(elapsed) % 1000; printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs); #endif if (!crl) { const char *errString; rv = SECFailure; errString = SECU_Strerror(PORT_GetError()); if ( errString && PORT_Strlen (errString) == 0) SECU_PrintError (progName, "CRL is not imported (error: input CRL is not up to date.)"); else SECU_PrintError (progName, "unable to import CRL"); } else { SEC_DestroyCrl (crl); } loser: if (slot) { PK11_FreeSlot(slot); } return (rv); }
/************************************************************************ * * C h a n g e P W */ Error ChangePW(char *tokenName, char *pwFile, char *newpwFile) { char *oldpw = NULL, *newpw = NULL, *newpw2 = NULL; PK11SlotInfo *slot; Error ret = UNSPECIFIED_ERR; PRBool matching; slot = PK11_FindSlotByName(tokenName); if (!slot) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], tokenName); return NO_SUCH_TOKEN_ERR; } /* Get old password */ if (!PK11_NeedUserInit(slot)) { if (pwFile) { oldpw = SECU_FilePasswd(NULL, PR_FALSE, pwFile); if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[BAD_PW_ERR]); ret = BAD_PW_ERR; goto loser; } } else if (PK11_NeedLogin(slot)) { for (matching = PR_FALSE; !matching;) { oldpw = SECU_GetPasswordString(NULL, "Enter old password: "******"Enter new password: "******"Re-enter new password: "); if (strcmp(newpw, newpw2)) { PR_fprintf(PR_STDOUT, msgStrings[PW_MATCH_MSG]); PORT_ZFree(newpw, strlen(newpw)); PORT_ZFree(newpw2, strlen(newpw2)); } else { matching = PR_TRUE; } } } /* Change the password */ if (PK11_NeedUserInit(slot)) { if (PK11_InitPin(slot, NULL /*ssopw*/, newpw) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName); ret = CHANGEPW_FAILED_ERR; goto loser; } } else { if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName); ret = CHANGEPW_FAILED_ERR; goto loser; } } PR_fprintf(PR_STDOUT, msgStrings[CHANGEPW_SUCCESS_MSG], tokenName); ret = SUCCESS; loser: if (oldpw) { PORT_ZFree(oldpw, strlen(oldpw)); } if (newpw) { PORT_ZFree(newpw, strlen(newpw)); } if (newpw2) { PORT_ZFree(newpw2, strlen(newpw2)); } PK11_FreeSlot(slot); return ret; }