Fix for Bug 74340 r=mcgreer, sr=blizzard

Add the crypto object back to PSM 2.

security/manager/pki/resources/content/escrowWarn.js

@@ -0,0 +1,65 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are
+ * Copyright (C) 2001 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *  Javier Delgadillo <javi@netscape.com>
+ */
+
+
+const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
+const nsIPKIParamBlock    = Components.interfaces.nsIPKIParamBlock;
+const nsIX509Cert         = Components.interfaces.nsIX509Cert;
+
+var dialogParams;
+var pkiParams;
+var cert=null;
+
+function onLoad()
+{
+  pkiParams    = window.arguments[0].QueryInterface(nsIPKIParamBlock);
+  dialogParams = pkiParams.QueryInterface(nsIDialogParamBlock);
+ 
+  var isupports = pkiParams.getISupportAtIndex(1);
+  cert = isupports.QueryInterface(nsIX509Cert); 
+  var bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties");
+  var dispName = cert.commonName;
+  if (dispName == null)
+    dispName = cert.windowTitle;
+
+  var msg = bundle.formatStringFromName("escrowFinalMessage",
+                                        [dispName], 1);
+  setText("message1",msg);
+}
+
+function doOK()
+{
+  dialogParams.SetInt(1,1);
+  window.close();
+}
+
+function doCancel()
+{
+  dialogParams.SetInt(1,0);
+  window.close();
+}
+
+function viewCert()
+{
+  cert.view();
+}

security/manager/pki/resources/content/escrowWarn.xul

@@ -0,0 +1,58 @@
+<?xml version="1.0"?>
+<!--
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   -
+   -
+   - Contributor(s):
+   -  Javier Delgadillo <javi@netscape.com>
+   -  Bob Lord <lord@netscape.com>
+  -->
+
+<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
+
+<!DOCTYPE window SYSTEM "chrome://pippki/locale/pippki.dtd">
+
+<window
+  id="escrowWarnDialog" title="&escrowWarn.title;"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"      
+  debug="false"
+  height="280"
+  width="400"
+  onload="onLoad();"
+>
+<script src="chrome://global/content/strres.js" />
+<script src="pippki.js" />
+<script src="escrowWarn.js" />
+
+<box orient="vertical" style="margin: 5px;" flex="1">
+
+  <html>&escrowWarn.message1;</html>
+  <separator/>
+  <html>&escrowWarn.benefit1;</html>
+  <separator/>
+  <html>&escrowWarn.message2;</html>
+  <separator/>
+  <html id="message1" />
+  <box>
+  <button id="examineCert-button" class="dialog" label="&examineCert.label;"
+     onclick="viewCert();"/> 
+  </box>
+  <separator/>
+  <box>
+  <button id="ok-button" class="dialog" label="&ok.label;"
+     style="width: 10ex" onclick="doOK();" disabled="false"/> 
+  <button id="cancel-button" class="dialog" label="&cancel.label;"
+     style="width: 10ex" onclick="doCancel();" /> 
+  <button id="help-button" class="dialog" label="&help.label;"
+    style="width: 10ex" onclick="" /> 
+  </box>
+</box>
+</window>

security/manager/pki/resources/jar.mn

@@ -32,7 +32,7 @@ pippki.jar:
     content/pippki/serverCertExpired.xul     (content/serverCertExpired.xul)
     content/pippki/serverCertExpired.js      (content/serverCertExpired.js)
     content/pippki/clientauthask.xul	     (content/clientauthask.xul)
-    content/pippki/clientauthask.js			 (content/clientauthask.js)
+    content/pippki/clientauthask.js          (content/clientauthask.js)
     content/pippki/certViewer.xul            (content/certViewer.xul)
     content/pippki/certDump.xul              (content/certDump.xul)
     content/pippki/device_manager.xul        (content/device_manager.xul)
@@ -40,6 +40,8 @@ pippki.jar:
     content/pippki/load_device.xul           (content/load_device.xul)
     content/pippki/choosetoken.xul           (content/choosetoken.xul)
     content/pippki/choosetoken.js            (content/choosetoken.js)
+    content/pippki/escrowWarn.xul            (content/escrowWarn.xul)
+    content/pippki/escrowWarn.js             (content/escrowWarn.js)
     content/pippki/pref-validation.xul       (content/pref-validation.xul)
     content/pippki/pref-validation.js        (content/pref-validation.js)
     locale/en-US/pippki/contents.rdf         (locale/en-US/contents.rdf)

security/manager/pki/resources/locale/en-US/pippki.dtd

@@ -93,3 +93,11 @@
 
 <!ENTITY chooseToken.title  "Choose Token Dialog">
 <!ENTITY chooseToken.message1 "Please choose a token.">
+
+<!ENTITY escrowWarn.title "Encryption Key Copy">
+<!ENTITY escrowWarn.message1 "Important: This certificate authority has asked to make a backup of your encryption private key.">
+<!ENTITY escrowWarn.benefit1 "The benefit is that if you lose access to your encryption private key, you can request a copy from this certificate authority.">
+<!ENTITY escrowWarn.message2 "However, your encryption private key will be stored by the certificate authority, and could be used to read your encrypted email or documents without your permission.">
+
+
+

security/manager/pki/resources/locale/en-US/pippki.properties

@@ -75,6 +75,8 @@ pageInfo_Privacy_Weak2=Low-grade encryption may allow some unauthorized people t
 certDetails=Certificate Details:
 notPresent=<Not Part Of Certificate>
 
+escrowFinalMessage=You should click OK only if you trust "%S" to protect your encryption private key.
+
 #Token Manager
 loadPK11TokenDialog=Choose a PKCS#11 device to load
 devinfo_label=Label

security/manager/pki/src/nsNSSDialogs.cpp

@@ -111,13 +111,14 @@ nsNSSDialogs::~nsNSSDialogs()
 {
 }
 
-NS_IMPL_THREADSAFE_ISUPPORTS7(nsNSSDialogs, nsINSSDialogs, 
+NS_IMPL_THREADSAFE_ISUPPORTS8(nsNSSDialogs, nsINSSDialogs, 
                                             nsITokenPasswordDialogs,
                                             nsISecurityWarningDialogs,
                                             nsIBadCertListener,
                                             nsICertificateDialogs,
                                             nsIClientAuthDialogs,
-                                            nsITokenDialogs);
+                                            nsITokenDialogs,
+                                            nsIDOMCryptoDialogs);
 
 nsresult
 nsNSSDialogs::Init()
@@ -784,3 +785,36 @@ nsNSSDialogs::ChooseToken(nsIInterfaceRequestor *aCtx, const PRUnichar **aTokenL
   return rv;
 }
 
+/* boolean ConfirmKeyEscrow (in nsIX509Cert escrowAuthority); */
+NS_IMETHODIMP 
+nsNSSDialogs::ConfirmKeyEscrow(nsIX509Cert *escrowAuthority, PRBool *_retval)
+                                     
+{
+  *_retval = PR_FALSE;
+
+  nsresult rv;
+
+  nsCOMPtr<nsIPKIParamBlock> block = do_CreateInstance(kPKIParamBlockCID);
+  if (!block)
+    return NS_ERROR_FAILURE;
+
+  rv = block->SetISupportAtIndex(1, escrowAuthority);
+  if (NS_FAILED(rv))
+    return rv;
+
+  rv = nsNSSDialogHelper::openDialog(nsnull,
+                                     "chrome://pippki/content/escrowWarn.xul",
+                                     block);
+
+  if (NS_FAILED(rv))
+    return rv;
+
+  PRInt32 status=0;
+  nsCOMPtr<nsIDialogParamBlock> dlgParamBlock = do_QueryInterface(block);
+  rv = dlgParamBlock->GetInt(1, &status);
+ 
+  if (status) {
+    *_retval = PR_TRUE;
+  } 
+  return rv;
+}

security/manager/pki/src/nsNSSDialogs.h

@@ -42,7 +42,8 @@ class nsNSSDialogs
   public nsISecurityWarningDialogs,
   public nsICertificateDialogs,
   public nsIClientAuthDialogs,
-  public nsITokenDialogs
+  public nsITokenDialogs,
+  public nsIDOMCryptoDialogs
 {
 public:
   NS_DECL_ISUPPORTS
@@ -53,6 +54,7 @@ public:
   NS_DECL_NSICERTIFICATEDIALOGS
   NS_DECL_NSICLIENTAUTHDIALOGS
   NS_DECL_NSITOKENDIALOGS
+  NS_DECL_NSIDOMCRYPTODIALOGS
   nsNSSDialogs();
   virtual ~nsNSSDialogs();
 

security/manager/ssl/public/nsINSSDialogs.idl

@@ -156,11 +156,24 @@ interface nsIClientAuthDialogs : nsISupports
 [scriptable, uuid(bb4bae9c-39c5-11d5-ba26-00108303b117)]
 interface nsITokenDialogs : nsISupports
 {
-	void ChooseToken(in nsIInterfaceRequestor ctx,
-                  [array, size_is(count)] in wstring tokenNameList,
-                  in PRUint32 count,
-                  out wstring tokenName,
-                  out boolean canceled);
+  void ChooseToken(in nsIInterfaceRequestor ctx,
+                   [array, size_is(count)] in wstring tokenNameList,
+                   in PRUint32 count,
+                   out wstring tokenName,
+                   out boolean canceled);
+};
+
+[scriptable, uuid(1f8fe77e-1dd2-11b2-8dd2-e55f8d3465b8)]
+interface nsIDOMCryptoDialogs : nsISupports
+{
+  /**
+   * This method is used to warn the user the web site is
+   * trying to escrow the generated private key.  This 
+   * method should return true if the user wants to proceed
+   * and false if the user cancels the action.
+   */
+  boolean ConfirmKeyEscrow(in nsIX509Cert escrowAuthority);
+
 };
 
 /**

security/manager/ssl/resources/locale/en-US/pipnss.properties

@@ -127,5 +127,19 @@ PKCS12PasswordInvalid=Could not decode PKCS#12 file.  Perhaps the password you e
 PKCS12DecodeErr=Failed to decode the file.  Either it is not in PKCS#12 format, has been corrupted, or the password you entered was incorrect.
 PKCS12UnknownErrRestore=Failed to restore the PKCS#12 file for unknown reasons.
 PKCS12UnknownErrBackup=Failed to backup the PKCS#12 file for unknown reasons.
+AddModulePrompt=Are you sure you want to install this security module?
+AddModuleName=Module Name: %S
+AddModulePath=Path: %S
+AddModuleSuccess=A new security module has been installed
+AddModuleFailure=Unable to add module
+AddModuleDup=Security Module already exists
+DelModuleBadName=Invalid module name.
+DelModuleWarning=Are you sure you want to delete this security module?
+DelModuleError=Unable to delete module
+DelModuleIntSuccess=Internal security module successfully deleted
+DelModuleExtSuccess=External security module successfully deleted
+ForcedBackup1=You should make a password-protected backup copy of your new security certificate and its associated private key.
+ForcedBackup2=If you ever lose access to your private key by forgetting your personal security password, or by experiencing file corruption, you can restore this private key and certificate from this backup copy.
+ForcedBackup3=To make a copy, click OK. If possible, you should save your backup copy on a floppy disk that you keep in a safe location.
 UnknownCertIssuer=(Unknown Issuer)
 UnknownCertOrg=(Unknown Organization)

security/manager/ssl/src/Makefile.in

@@ -63,6 +63,7 @@ CPPSRCS = 				\
 	nsNSSASN1Object.cpp		\
 	nsCertOutliner.cpp              \
 	nsKeygenHandler.cpp		\
+	nsCrypto.cpp			\
         nsPKCS11Slot.cpp                \
 	$(NULL)
 
@@ -77,9 +78,11 @@ INCLUDES	+=	\
 
 EXTRA_DSO_LDOPTS += \
 		$(MOZ_COMPONENT_LIBS) \
+		$(MOZ_JS_LIBS) \
 		$(NULL)
 
 EXTRA_LIBS	+= \
+	$(DIST)/lib/libcrmf.$(LIB_SUFFIX) \
         $(DIST)/lib/libssl.$(LIB_SUFFIX) \
         $(DIST)/lib/libnss.$(LIB_SUFFIX) \
         $(DIST)/lib/libssl.$(LIB_SUFFIX) \
@@ -92,7 +95,6 @@ EXTRA_LIBS	+= \
         $(DIST)/lib/libpk11wrap.$(LIB_SUFFIX) \
         $(DIST)/lib/libsoftoken.$(LIB_SUFFIX) \
         $(DIST)/lib/libcertdb.$(LIB_SUFFIX) \
-        $(DIST)/lib/libswfci.$(LIB_SUFFIX) \
         $(DIST)/lib/libfreebl.$(LIB_SUFFIX) \
         $(DIST)/lib/libsecutil.$(LIB_SUFFIX) \
         $(DIST)/lib/libdbm.$(LIB_SUFFIX) \

security/manager/ssl/src/makefile.win

@@ -56,6 +56,7 @@ LINCS = $(LINCS)     \
     $(NULL)
 
 LLIBS   = \
+    $(DIST)/lib/crmf.lib \
     $(DIST)/lib/ssl.lib \
     $(DIST)/lib/nss.lib \
     $(DIST)/lib/ssl.lib \
@@ -71,6 +72,7 @@ LLIBS   = \
     $(DIST)/lib/dbm.lib \
     $(LIBNSPR) \
     $(DIST)\lib\xpcom.lib \
+    $(DIST)\lib\js3250.lib \
     $(NULL)
 
 EXPORTS = \
@@ -91,6 +93,7 @@ OBJS = \
     .\$(OBJDIR)\nsKeygenHandler.obj \
     .\$(OBJDIR)\nsCertOutliner.obj \
     .\$(OBJDIR)\nsNSSASN1Object.obj \
+    .\$(OBJDIR)\nsCrypto.obj \
     .\$(OBJDIR)\nsPKCS11Slot.obj \
     $(NULL)
 

security/manager/ssl/src/nsCrypto.h

@@ -0,0 +1,95 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are
+ * Copyright (C) 2001 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *  Javier Delgadillo <javi@netscape.com>
+ */
+#ifndef _nsCrypto_h_
+#define _nsCrypto_h_
+#include "nsCOMPtr.h"
+#include "nsIDOMCRMFObject.h"
+#include "nsIDOMCrypto.h"
+#include "nsIDOMPkcs11.h"
+#include "nsString.h"
+#include "jsapi.h"
+#include "nsIPrincipal.h"
+
+#define NS_CRYPTO_CLASSNAME "Crypto JavaScript Class"
+#define NS_CRYPTO_CID \
+  {0x929d9320, 0x251e, 0x11d4, { 0x8a, 0x7c, 0x00, 0x60, 0x08, 0xc8, 0x44, 0xc3} }
+
+#define NS_PKCS11_CLASSNAME "Pkcs11 JavaScript Class"
+#define NS_PKCS11_CID \
+  {0x74b7a390, 0x3b41, 0x11d4, { 0x8a, 0x80, 0x00, 0x60, 0x08, 0xc8, 0x44, 0xc3} }
+
+#define PSM_VERSION_STRING "2.0"
+
+class nsIPSMComponent;
+class nsIDOMScriptObjectFactory;
+class nsIEventQueue;
+
+
+class nsCRMFObject : public nsIDOMCRMFObject
+{
+public:
+  nsCRMFObject();
+  virtual ~nsCRMFObject();
+
+  NS_DECL_NSIDOMCRMFOBJECT
+  NS_DECL_ISUPPORTS
+
+  nsresult init();
+
+  nsresult SetCRMFRequest(char *inRequest);
+private:
+
+  nsString mBase64Request;
+};
+
+
+class nsCrypto: public nsIDOMCrypto
+{
+public:
+  nsCrypto();
+  virtual ~nsCrypto();
+  nsresult init();
+  
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIDOMCRYPTO
+
+  static nsIPrincipal* GetScriptPrincipal(JSContext *cx);
+  static nsIEventQueue* GetUIEventQueue();
+};
+
+class nsPkcs11 : public nsIDOMPkcs11
+{
+public:
+  nsPkcs11();
+  virtual ~nsPkcs11();
+
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIDOMPKCS11
+
+};
+
+#endif //_nsCrypto_h_
+
+
+
+

security/manager/ssl/src/nsKeygenHandler.cpp

@@ -199,6 +199,14 @@ nsKeygenFormProcessor::Init()
 
 nsresult
 nsKeygenFormProcessor::GetSlot(PRUint32 aMechanism, PK11SlotInfo** aSlot)
+{
+  return GetSlotWithMechanism(aMechanism,m_ctx,aSlot);
+}
+
+nsresult
+GetSlotWithMechanism(PRUint32 aMechanism, 
+                     nsIInterfaceRequestor *m_ctx,
+                     PK11SlotInfo** aSlot)
 {
     PK11SlotList * slotList = nsnull;
     PRUnichar** tokenNameList = nsnull;
@@ -366,8 +374,8 @@ found_match:
       switch (keyGenMechanism) {
         case CKM_RSA_PKCS_KEY_PAIR_GEN:
             rsaParams.keySizeInBits = keysize;
-            rsaParams.pe = 65537L;
-            algTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+            rsaParams.pe = DEFAULT_RSA_KEYGEN_PE;
+            algTag = DEFAULT_RSA_KEYGEN_ALG;
             params = &rsaParams;
             break;
         case CKM_DSA_KEY_PAIR_GEN:

security/manager/ssl/src/nsKeygenHandler.h

@@ -32,6 +32,14 @@ typedef struct SECKeySizeChoiceInfoStr {
     int size;
 } SECKeySizeChoiceInfo;
 
+nsresult GetSlotWithMechanism(PRUint32 mechanism,
+                              nsIInterfaceRequestor *ctx,
+                              PK11SlotInfo **retSlot);
+
+#define DEFAULT_RSA_KEYGEN_PE 65537L
+#define DEFAULT_RSA_KEYGEN_ALG SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION
+
+
 class nsKeygenFormProcessor : public nsIFormProcessor { 
 public: 
   nsKeygenFormProcessor(); 

security/manager/ssl/src/nsNSSCertificate.cpp

@@ -32,7 +32,7 @@
  * may use your version of this file under either the MPL or the
  * GPL.
  *
- * $Id: nsNSSCertificate.cpp,v 1.24 2001-05-15 19:12:44 mcgreer%netscape.com Exp $
+ * $Id: nsNSSCertificate.cpp,v 1.25 2001-05-15 23:15:08 javi%netscape.com Exp $
  */
 
 #include "prmem.h"
@@ -2217,7 +2217,7 @@ done:
   return (srv) ? NS_ERROR_FAILURE : NS_OK;
 }
 
-static char *
+char *
 default_nickname(CERTCertificate *cert, nsIInterfaceRequestor* ctx)
 {   
   nsresult rv;

security/manager/ssl/src/nsNSSCertificate.h

@@ -95,4 +95,10 @@ private:
 
 };
 
+// Use this function to generate a default nickname for a user
+// certificate that is to be imported onto a token.
+char *
+default_nickname(CERTCertificate *cert, nsIInterfaceRequestor* ctx);
+
+
 #endif /* _NS_NSSCERTIFICATE_H_ */

security/manager/ssl/src/nsNSSComponent.cpp

@@ -697,12 +697,12 @@ nsresult
 getNSSDialogs(void **_result, REFNSIID aIID)
 {
   nsresult rv;
-  nsISupports *result;
+  nsCOMPtr<nsISupports> result;
   nsCOMPtr<nsISupports> proxiedResult;
 
   rv = nsServiceManager::GetService(kNSSDialogsContractId, 
                                     NS_GET_IID(nsINSSDialogs),
-                                    &result);
+                                    getter_AddRefs(result));
   if (NS_FAILED(rv)) 
     return rv;
 
@@ -714,9 +714,11 @@ getNSSDialogs(void **_result, REFNSIID aIID)
                               aIID, result, PROXY_SYNC,
                               getter_AddRefs(proxiedResult));
 
-  rv = proxiedResult->QueryInterface(aIID, _result);
+  if (!proxiedResult) {
+    return NS_ERROR_FAILURE;
+  }
 
-  NS_RELEASE(result);
+  rv = proxiedResult->QueryInterface(aIID, _result);
 
   return rv;
 }

security/manager/ssl/src/nsNSSModule.cpp

@@ -40,6 +40,10 @@
 #include "nsPKCS11Slot.h"
 #include "nsNSSCertificate.h"
 #include "nsCertOutliner.h"
+#include "nsCrypto.h"
+//For the NS_CRYPTO_CONTRACTID define
+#include "nsDOMCID.h"
+
 
 NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsNSSComponent, Init)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsSecureBrowserUIImpl)
@@ -51,6 +55,9 @@ NS_GENERIC_FACTORY_CONSTRUCTOR(nsPKCS11ModuleDB)
 NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(CertContentListener, init)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsNSSCertificateDB)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsCertOutliner)
+NS_GENERIC_FACTORY_CONSTRUCTOR(nsCrypto)
+NS_GENERIC_FACTORY_CONSTRUCTOR(nsPkcs11)
+
 
 static nsModuleComponentInfo components[] =
 {
@@ -171,8 +178,23 @@ static nsModuleComponentInfo components[] =
     NS_CERTOUTLINER_CID,
     NS_CERTOUTLINER_CONTRACTID,
     nsCertOutlinerConstructor
+  },
+
+  {
+    NS_PKCS11_CLASSNAME,
+    NS_PKCS11_CID,
+    NS_PKCS11_CONTRACTID,
+    nsPkcs11Constructor
+  },
+
+  {
+    NS_CRYPTO_CLASSNAME,
+    NS_CRYPTO_CID,
+    NS_CRYPTO_CONTRACTID,
+    nsCryptoConstructor
   }
 
+
 };
 
 NS_IMPL_NSGETMODULE("NSS", components);