configure PKCS#11 strings in PSM.

r=javi

security/manager/ssl/resources/locale/en-US/pipnss.properties

@@ -22,3 +22,11 @@
 SignedBy=Signed by %S
 CertPassPrompt=Please enter the Personal Security Password for the PSM Private Keys security device.
 RootCertModuleName=Builtin Roots Module
+ManufacturerID=Mozilla.org
+LibraryDescription=PSM Internal Crypto Services
+TokenDescription=PSM Generic Crypto Services
+PrivateTokenDescription=PSM Private Keys
+SlotDescription=PSM Internal Cryptographic Services Version 4.0
+PrivateSlotDescription=PSM User Private Key and Certificate Services
+FipsSlotDescription=PSM Internal FIPS-140-1 Cryptographic Services
+FipsPrivateSlotDescription=PSM FIPS-140-1 User Private Key Services

security/manager/ssl/src/nsNSSComponent.cpp

@@ -43,6 +43,9 @@
 #include "ssl.h"
 #include "sslproto.h"
 #include "secmod.h"
+extern "C" {
+#include "pkcs11.h"
+}
 
 #ifdef PR_LOGGING
 PRLogModuleInfo* gPIPNSSLog = nsnull;
@@ -121,6 +124,7 @@ nsNSSComponent::GetPIPNSSBundleString(const PRUnichar *name,
     nsresult rv = mPIPNSSBundle->GetStringFromName(name, &ptrv);
     if (NS_SUCCEEDED(rv)) {
       outString = ptrv;
+      return NS_OK;
     } else {
       outString.SetLength(0);
     }
@@ -128,7 +132,7 @@ nsNSSComponent::GetPIPNSSBundleString(const PRUnichar *name,
   } else {
     outString.SetLength(0);
   }
-  return NS_OK;
+  return NS_ERROR_FAILURE;
 }
 
 void
@@ -193,6 +197,87 @@ nsNSSComponent::InstallLoadableRoots()
   }
 }
 
+#define SHORT_PK11_STRING 33
+#define LONG_PK11_STRING  65
+
+char *
+nsNSSComponent::GetPK11String(const PRUnichar *name, PRUint32 len)
+{
+  nsresult rv;
+  nsString nsstr;
+  char *tmpstr = NULL;
+  char *str = NULL;
+  int tmplen;
+  str = (char *)PR_Malloc(len+1);
+  rv = GetPIPNSSBundleString(name, nsstr);
+  if (NS_FAILED(rv)) return NULL;
+  tmpstr = nsstr.ToNewCString();
+  if (!tmpstr) return NULL;
+  tmplen = strlen(tmpstr);
+  memcpy(str, tmpstr, tmplen);
+  memset(str + tmplen, ' ', len - tmplen);
+  str[len] = '\0';
+  PR_Free(tmpstr);
+  return str;
+}
+
+nsresult
+nsNSSComponent::ConfigureInternalPKCS11Token()
+{
+  char *manufacturerID             = NULL;
+  char *libraryDescription         = NULL;
+  char *tokenDescription           = NULL;
+  char *privateTokenDescription    = NULL;
+  char *slotDescription            = NULL;
+  char *privateSlotDescription     = NULL;
+  char *fipsSlotDescription        = NULL;
+  char *fipsPrivateSlotDescription = NULL; 
+
+  manufacturerID = GetPK11String(NS_LITERAL_STRING("ManufacturerID"), 
+                                 SHORT_PK11_STRING);
+  if (manufacturerID == NULL) goto loser;
+  libraryDescription = GetPK11String(NS_LITERAL_STRING("LibraryDescription"), 
+                                     SHORT_PK11_STRING);
+  if (libraryDescription == NULL) goto loser;
+  tokenDescription = GetPK11String(NS_LITERAL_STRING("TokenDescription"), 
+                                   SHORT_PK11_STRING);
+  if (tokenDescription == NULL) goto loser;
+  privateTokenDescription = 
+                    GetPK11String(NS_LITERAL_STRING("PrivateTokenDescription"), 
+                                  SHORT_PK11_STRING);
+  if (privateTokenDescription == NULL) goto loser;
+  slotDescription = GetPK11String(NS_LITERAL_STRING("SlotDescription"), 
+                                  LONG_PK11_STRING);
+  if (slotDescription == NULL) goto loser;
+  privateSlotDescription = 
+                     GetPK11String(NS_LITERAL_STRING("PrivateSlotDescription"), 
+                                   LONG_PK11_STRING);
+  if (privateSlotDescription == NULL) goto loser;
+  fipsSlotDescription = GetPK11String(NS_LITERAL_STRING("FipsSlotDescription"),
+                                      LONG_PK11_STRING);
+  if (fipsSlotDescription == NULL) goto loser;
+  fipsPrivateSlotDescription = 
+                 GetPK11String(NS_LITERAL_STRING("FipsPrivateSlotDescription"), 
+                               LONG_PK11_STRING);
+  if (fipsPrivateSlotDescription == NULL) goto loser;
+
+  PK11_ConfigurePKCS11(manufacturerID, libraryDescription, tokenDescription,
+                       privateTokenDescription, slotDescription, 
+                       privateSlotDescription, fipsSlotDescription, 
+                       fipsPrivateSlotDescription, 0, 0);
+  return NS_OK;
+loser:
+  PR_Free(manufacturerID);
+  PR_Free(libraryDescription);
+  PR_Free(tokenDescription);
+  PR_Free(privateTokenDescription);
+  PR_Free(slotDescription);
+  PR_Free(privateSlotDescription);
+  PR_Free(fipsSlotDescription);
+  PR_Free(fipsPrivateSlotDescription); 
+  return NS_ERROR_FAILURE;
+}
+
 nsresult
 nsNSSComponent::InitializePIPNSSBundle()
 {
@@ -277,6 +362,7 @@ nsNSSComponent::Init()
     PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to create pipnss bundle.\n"));
     return rv;
   }      
+  ConfigureInternalPKCS11Token();
   InstallLoadableRoots();
   return rv;
 }
@@ -296,11 +382,19 @@ nsNSSComponent::DisplaySecurityAdvisor()
   return NS_ERROR_FAILURE; // not implemented
 }
 
+typedef enum {
+    PSMCertificateUnknown = -1,
+    PSMCertificateCACert,
+    PSMCertificateServerCert,
+    PSMCertificateUserCert,
+    PSMCertificateEmailCert
+} PSMCertificateType;
+
 class CertDownloader : public nsIStreamListener
 {
 public:
   CertDownloader() {NS_ASSERTION(PR_FALSE, "don't use this constructor."); }
-  CertDownloader(PRInt32 type);
+  CertDownloader(PSMCertificateType type);
   virtual ~CertDownloader();
   
   NS_DECL_ISUPPORTS
@@ -310,11 +404,11 @@ protected:
   char* mByteData;
   PRInt32 mBufferOffset;
   PRInt32 mContentLength;
-  PRInt32 mType;
+  PSMCertificateType mType;
 };
 
 
-CertDownloader::CertDownloader(PRInt32 type)
+CertDownloader::CertDownloader(PSMCertificateType type)
   : mByteData(nsnull),
     mType(type)
 {
@@ -392,7 +486,6 @@ CertDownloader::OnStopRequest(nsIChannel* channel,
    
 */
 
-
 NS_IMETHODIMP
 nsNSSComponent::HandleContent(const char * aContentType,
                               const char * aCommand,
@@ -406,20 +499,20 @@ nsNSSComponent::HandleContent(const char * aContentType,
   nsresult rv = NS_OK;
   if (!aChannel) return NS_ERROR_NULL_POINTER;
   
-  PRUint32 type = (PRUint32) -1;
+  PSMCertificateType type;
   
   if (!nsCRT::strcasecmp(aContentType, "application/x-x509-ca-cert"))
-    type = 1;  //CA cert
+    type = PSMCertificateCACert;
   else if (!nsCRT::strcasecmp(aContentType, "application/x-x509-server-cert"))
-    type =  2; //Server cert
+    type = PSMCertificateServerCert;
   else if (!nsCRT::strcasecmp(aContentType, "application/x-x509-user-cert"))
-    type =  3; //User cert
+    type = PSMCertificateUserCert;
   else if (!nsCRT::strcasecmp(aContentType, "application/x-x509-email-cert"))
-    type =  4; //Someone else's email cert
+    type = PSMCertificateEmailCert;
+  else
+    type = PSMCertificateUnknown;
   
-  if (type != (PRUint32) -1) {
+  if (type != PSMCertificateUnknown) {
-    // I can't directly open the passed channel cause it fails :-(
-    
     nsCOMPtr<nsIURI> uri;
     rv = aChannel->GetURI(getter_AddRefs(uri));
     if (NS_FAILED(rv)) return rv;

security/manager/ssl/src/nsNSSComponent.h

@@ -97,6 +97,8 @@ private:
 
   void InstallLoadableRoots();
   nsresult InitializePIPNSSBundle();
+  nsresult ConfigureInternalPKCS11Token();
+  char * GetPK11String(const PRUnichar *name, PRUint32 len);
 
   nsCOMPtr<nsIStringBundle> mPIPNSSBundle;
   static PRBool mNSSInitialized;