security/manager/ssl/nsPK11TokenDB.cpp

   1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
   2  *
   3  * This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6 #include "nsPK11TokenDB.h"
   7
   8 #include <string.h>
   9
  10 #include "ScopedNSSTypes.h"
  11 #include "mozilla/Casting.h"
  12 #include "mozilla/Unused.h"
  13 #include "mozilla/Logging.h"
  14 #include "nsISupports.h"
  15 #include "nsNSSCertHelper.h"
  16 #include "nsNSSComponent.h"
  17 #include "nsPromiseFlatString.h"
  18 #include "nsReadableUtils.h"
  19 #include "nsServiceManagerUtils.h"
  20 #include "prerror.h"
  21 #include "secerr.h"
  22
  23 extern mozilla::LazyLogModule gPIPNSSLog;
  24
  25 NS_IMPL_ISUPPORTS(nsPK11Token, nsIPK11Token)
  26
  27 nsPK11Token::nsPK11Token(PK11SlotInfo* slot) : mUIContext(new PipUIContext()) {
  28   MOZ_ASSERT(slot);
  29   mSlot.reset(PK11_ReferenceSlot(slot));
  30   mIsInternalCryptoToken =
  31       PK11_IsInternal(mSlot.get()) && !PK11_IsInternalKeySlot(mSlot.get());
  32   mIsInternalKeyToken = PK11_IsInternalKeySlot(mSlot.get());
  33   mSeries = PK11_GetSlotSeries(slot);
  34   mozilla::Unused << refreshTokenInfo();
  35 }
  36
  37 nsresult nsPK11Token::refreshTokenInfo() {
  38   if (mIsInternalCryptoToken) {
  39     nsresult rv;
  40     if (PK11_IsFIPS()) {
  41       rv = GetPIPNSSBundleString("Fips140TokenDescription", mTokenName);
  42     } else {
  43       rv = GetPIPNSSBundleString("TokenDescription", mTokenName);
  44     }
  45     if (NS_FAILED(rv)) {
  46       return rv;
  47     }
  48   } else if (mIsInternalKeyToken) {
  49     nsresult rv = GetPIPNSSBundleString("PrivateTokenDescription", mTokenName);
  50     if (NS_FAILED(rv)) {
  51       return rv;
  52     }
  53   } else {
  54     mTokenName.Assign(PK11_GetTokenName(mSlot.get()));
  55   }
  56
  57   CK_TOKEN_INFO tokInfo;
  58   nsresult rv = mozilla::MapSECStatus(PK11_GetTokenInfo(mSlot.get(), &tokInfo));
  59   if (NS_FAILED(rv)) {
  60     return rv;
  61   }
  62
  63   // Set the Manufacturer field
  64   if (mIsInternalCryptoToken || mIsInternalKeyToken) {
  65     rv = GetPIPNSSBundleString("ManufacturerID", mTokenManufacturerID);
  66     if (NS_FAILED(rv)) {
  67       return rv;
  68     }
  69   } else {
  70     const char* ccManID =
  71         mozilla::BitwiseCast<char*, CK_UTF8CHAR*>(tokInfo.manufacturerID);
  72     mTokenManufacturerID.Assign(
  73         ccManID, strnlen(ccManID, sizeof(tokInfo.manufacturerID)));
  74     mTokenManufacturerID.Trim(" ", false, true);
  75   }
  76
  77   // Set the Hardware Version field
  78   mTokenHWVersion.Truncate();
  79   mTokenHWVersion.AppendInt(tokInfo.hardwareVersion.major);
  80   mTokenHWVersion.Append('.');
  81   mTokenHWVersion.AppendInt(tokInfo.hardwareVersion.minor);
  82
  83   // Set the Firmware Version field
  84   mTokenFWVersion.Truncate();
  85   mTokenFWVersion.AppendInt(tokInfo.firmwareVersion.major);
  86   mTokenFWVersion.Append('.');
  87   mTokenFWVersion.AppendInt(tokInfo.firmwareVersion.minor);
  88
  89   // Set the Serial Number field
  90   const char* ccSerial =
  91       mozilla::BitwiseCast<char*, CK_CHAR*>(tokInfo.serialNumber);
  92   mTokenSerialNum.Assign(ccSerial,
  93                          strnlen(ccSerial, sizeof(tokInfo.serialNumber)));
  94   mTokenSerialNum.Trim(" ", false, true);
  95
  96   return NS_OK;
  97 }
  98
  99 nsresult nsPK11Token::GetAttributeHelper(const nsACString& attribute,
 100                                          /*out*/ nsACString& xpcomOutParam) {
 101   // Handle removals/insertions.
 102   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
 103     nsresult rv = refreshTokenInfo();
 104     if (NS_FAILED(rv)) {
 105       return rv;
 106     }
 107   }
 108
 109   xpcomOutParam = attribute;
 110   return NS_OK;
 111 }
 112
 113 NS_IMETHODIMP
 114 nsPK11Token::GetTokenName(/*out*/ nsACString& tokenName) {
 115   return GetAttributeHelper(mTokenName, tokenName);
 116 }
 117
 118 NS_IMETHODIMP
 119 nsPK11Token::GetIsInternalKeyToken(/*out*/ bool* _retval) {
 120   NS_ENSURE_ARG_POINTER(_retval);
 121   *_retval = mIsInternalKeyToken;
 122   return NS_OK;
 123 }
 124
 125 NS_IMETHODIMP
 126 nsPK11Token::GetTokenManID(/*out*/ nsACString& tokenManufacturerID) {
 127   return GetAttributeHelper(mTokenManufacturerID, tokenManufacturerID);
 128 }
 129
 130 NS_IMETHODIMP
 131 nsPK11Token::GetTokenHWVersion(/*out*/ nsACString& tokenHWVersion) {
 132   return GetAttributeHelper(mTokenHWVersion, tokenHWVersion);
 133 }
 134
 135 NS_IMETHODIMP
 136 nsPK11Token::GetTokenFWVersion(/*out*/ nsACString& tokenFWVersion) {
 137   return GetAttributeHelper(mTokenFWVersion, tokenFWVersion);
 138 }
 139
 140 NS_IMETHODIMP
 141 nsPK11Token::GetTokenSerialNumber(/*out*/ nsACString& tokenSerialNum) {
 142   return GetAttributeHelper(mTokenSerialNum, tokenSerialNum);
 143 }
 144
 145 NS_IMETHODIMP
 146 nsPK11Token::IsLoggedIn(bool* _retval) {
 147   NS_ENSURE_ARG_POINTER(_retval);
 148   *_retval = PK11_IsLoggedIn(mSlot.get(), 0);
 149   return NS_OK;
 150 }
 151
 152 NS_IMETHODIMP
 153 nsPK11Token::Login(bool force) {
 154   nsresult rv;
 155   bool test;
 156   rv = this->NeedsLogin(&test);
 157   if (NS_FAILED(rv)) return rv;
 158   if (test && force) {
 159     rv = this->LogoutSimple();
 160     if (NS_FAILED(rv)) return rv;
 161   }
 162   rv = setPassword(mSlot.get(), mUIContext);
 163   if (NS_FAILED(rv)) return rv;
 164
 165   return mozilla::MapSECStatus(
 166       PK11_Authenticate(mSlot.get(), true, mUIContext));
 167 }
 168
 169 NS_IMETHODIMP
 170 nsPK11Token::LogoutSimple() {
 171   // PK11_Logout() can fail if the user wasn't logged in beforehand. We want
 172   // this method to succeed even in this case, so we ignore the return value.
 173   mozilla::Unused << PK11_Logout(mSlot.get());
 174   return NS_OK;
 175 }
 176
 177 NS_IMETHODIMP
 178 nsPK11Token::LogoutAndDropAuthenticatedResources() {
 179   static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 180
 181   nsresult rv = LogoutSimple();
 182
 183   if (NS_FAILED(rv)) return rv;
 184
 185   nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
 186   if (NS_FAILED(rv)) return rv;
 187
 188   return nssComponent->LogoutAuthenticatedPK11();
 189 }
 190
 191 NS_IMETHODIMP
 192 nsPK11Token::Reset() {
 193   return mozilla::MapSECStatus(PK11_ResetToken(mSlot.get(), nullptr));
 194 }
 195
 196 NS_IMETHODIMP
 197 nsPK11Token::GetNeedsUserInit(bool* aNeedsUserInit) {
 198   NS_ENSURE_ARG_POINTER(aNeedsUserInit);
 199   *aNeedsUserInit = PK11_NeedUserInit(mSlot.get());
 200   return NS_OK;
 201 }
 202
 203 NS_IMETHODIMP
 204 nsPK11Token::CheckPassword(const nsACString& password, bool* _retval) {
 205   NS_ENSURE_ARG_POINTER(_retval);
 206   SECStatus srv =
 207       PK11_CheckUserPassword(mSlot.get(), PromiseFlatCString(password).get());
 208   if (srv != SECSuccess) {
 209     *_retval = false;
 210     PRErrorCode error = PR_GetError();
 211     if (error != SEC_ERROR_BAD_PASSWORD) {
 212       /* something really bad happened - throw an exception */
 213       return mozilla::psm::GetXPCOMFromNSSError(error);
 214     }
 215   } else {
 216     *_retval = true;
 217   }
 218   return NS_OK;
 219 }
 220
 221 NS_IMETHODIMP
 222 nsPK11Token::InitPassword(const nsACString& initialPassword) {
 223   const nsCString& passwordCStr = PromiseFlatCString(initialPassword);
 224   // PSM initializes the sqlite-backed softoken with an empty password. The
 225   // implementation considers this not to be a password (GetHasPassword returns
 226   // false), but we can't actually call PK11_InitPin again. Instead, we call
 227   // PK11_ChangePW with the empty password.
 228   bool hasPassword;
 229   nsresult rv = GetHasPassword(&hasPassword);
 230   if (NS_FAILED(rv)) {
 231     return rv;
 232   }
 233   if (!PK11_NeedUserInit(mSlot.get()) && !hasPassword) {
 234     return mozilla::MapSECStatus(
 235         PK11_ChangePW(mSlot.get(), "", passwordCStr.get()));
 236   }
 237   return mozilla::MapSECStatus(
 238       PK11_InitPin(mSlot.get(), "", passwordCStr.get()));
 239 }
 240
 241 NS_IMETHODIMP
 242 nsPK11Token::ChangePassword(const nsACString& oldPassword,
 243                             const nsACString& newPassword) {
 244   // PK11_ChangePW() has different semantics for the empty string and for
 245   // nullptr. In order to support this difference, we need to check IsVoid() to
 246   // find out if our caller supplied null/undefined args or just empty strings.
 247   // See Bug 447589.
 248   return mozilla::MapSECStatus(PK11_ChangePW(
 249       mSlot.get(),
 250       oldPassword.IsVoid() ? nullptr : PromiseFlatCString(oldPassword).get(),
 251       newPassword.IsVoid() ? nullptr : PromiseFlatCString(newPassword).get()));
 252 }
 253
 254 NS_IMETHODIMP
 255 nsPK11Token::GetHasPassword(bool* hasPassword) {
 256   NS_ENSURE_ARG_POINTER(hasPassword);
 257   // PK11_NeedLogin returns true if the token is currently configured to require
 258   // the user to log in (whether or not the user is actually logged in makes no
 259   // difference).
 260   *hasPassword = PK11_NeedLogin(mSlot.get()) && !PK11_NeedUserInit(mSlot.get());
 261   return NS_OK;
 262 }
 263
 264 NS_IMETHODIMP
 265 nsPK11Token::NeedsLogin(bool* _retval) {
 266   NS_ENSURE_ARG_POINTER(_retval);
 267   *_retval = PK11_NeedLogin(mSlot.get());
 268   return NS_OK;
 269 }
 270
 271 /*=========================================================*/
 272
 273 NS_IMPL_ISUPPORTS(nsPK11TokenDB, nsIPK11TokenDB)
 274
 275 NS_IMETHODIMP
 276 nsPK11TokenDB::GetInternalKeyToken(nsIPK11Token** _retval) {
 277   NS_ENSURE_ARG_POINTER(_retval);
 278   mozilla::UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
 279   if (!slot) {
 280     return NS_ERROR_FAILURE;
 281   }
 282
 283   nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot.get());
 284   token.forget(_retval);
 285
 286   return NS_OK;
 287 }