bug 119500, PKCS#11 CKF_PROTECTED_AUTHENTICATION_PATH token flag not supported

Patch contributed by Petr Kostka
r=rrelyea, sr=kengert, a=dsicore
Addon Patch to provide dummy implementations for gtk-embedding and camino.
r=mark, sr=jst

camino/src/browser/SecurityDialogs.mm

@@ -614,6 +614,14 @@ SecurityDialogs::ChooseToken(nsIInterfaceRequestor *ctx, const PRUnichar **token
   return NS_ERROR_NOT_IMPLEMENTED;
 }
 
+/* void DisplayProtectedAuth (in nsIInterfaceRequestor ctx, in nsIProtectedAuthThread runnable); */
+NS_IMETHODIMP
+SecurityDialogs::DisplayProtectedAuth(nsIInterfaceRequestor *ctx, nsIProtectedAuthThread *runnable)
+{
+  NSLog(@"DisplayProtectedAuth not implemented");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
 // nsIDOMCryptoDialogs
 /* boolean ConfirmKeyEscrow (in nsIX509Cert escrowAuthority); */
 NS_IMETHODIMP

embedding/browser/gtk/src/EmbedCertificates.cpp

@@ -232,6 +232,14 @@ EmbedCertificates::ChooseToken(
   return NS_OK;
 }
 
+NS_IMETHODIMP
+EmbedCertificates::DisplayProtectedAuth(
+  nsIInterfaceRequestor *aCtx,
+  nsIProtectedAuthThread *runnable)
+{
+  return NS_OK;
+}
+
 /* boolean ConfirmKeyEscrow (in nsIX509Cert escrowAuthority); */
 NS_IMETHODIMP
 EmbedCertificates::ConfirmKeyEscrow(nsIX509Cert *escrowAuthority, PRBool *_retval)

security/manager/locales/en-US/chrome/pippki/pippki.dtd

@@ -123,3 +123,8 @@
 <!ENTITY formSigning.title "Text Signing Request">
 <!ENTITY formSigning.cert "Signing Certificate">
 <!ENTITY formSigning.confirmPassword "To confirm you agree to sign this text message using your selected certificate, please confirm by entering the master password:">
+
+<!-- Strings for protectedAuth dialog -->
+<!ENTITY protectedAuth.title "Protected Token Authentication">
+<!ENTITY protectedAuth.msg "Please authenticate to the token. Authentication method depends on the type of your token.">
+<!ENTITY protectedAuth.tokenName.label "Token:">

security/manager/pki/resources/content/protectedAuth.js

@@ -0,0 +1,68 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Petr Kostka.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+function onLoad()
+{
+    protectedAuthThread = window.arguments[0].QueryInterface(Components.interfaces.nsIProtectedAuthThread);
+
+    if (!protectedAuthThread) 
+    {
+        window.close();
+        return;
+    }
+
+    try
+    {
+        var tokenName = protectedAuthThread.getTokenName();
+
+        var tag = document.getElementById("tokenName");
+        tag.setAttribute("value",tokenName);
+
+        setCursor("wait");
+  
+        protectedAuthThread.login(window);
+
+    } catch (exception)
+    {
+        window.close();
+        return;
+    }
+}
+
+function onClose()
+{
+    setCursor("default");
+}

security/manager/pki/resources/content/protectedAuth.xul

@@ -0,0 +1,62 @@
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is mozilla.org code.
+   -
+   - The Initial Developer of the Original Code is
+   - Petr Kostka.
+   - Portions created by the Initial Developer are Copyright (C) 2007
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the LGPL or the GPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+
+<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
+
+<!DOCTYPE window SYSTEM "chrome://pippki/locale/pippki.dtd">
+
+<window
+  id="protectedAuth" title="&protectedAuth.title;"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"      
+  onload="onLoad();"
+  onclose="onClose();"
+>
+<script type="application/x-javascript" src="chrome://global/content/strres.js" />
+<script type="application/x-javascript" src="pippki.js" />
+<script type="application/x-javascript" src="protectedAuth.js" />
+<script type="application/x-javascript" src="chrome://help/content/help.js" />
+
+<vbox style="margin: 5px; max-width: 50em;">
+
+  <description>&protectedAuth.msg;</description>
+
+  <hbox>
+         <description>&protectedAuth.tokenName.label;</description>
+         <description id="tokenName"></description>
+  </hbox>
+
+</vbox>
+</window>

security/manager/pki/resources/jar.mn

@@ -66,5 +66,7 @@ pippki.jar:
     content/pippki/crlImportDialog.js        (content/crlImportDialog.js)
     content/pippki/pref-crlupdate.xul        (content/pref-crlupdate.xul)
     content/pippki/pref-crlupdate.js         (content/pref-crlupdate.js)
+    content/pippki/protectedAuth.xul         (content/protectedAuth.xul)
+    content/pippki/protectedAuth.js          (content/protectedAuth.js)
     content/pippki/formsigning.xul           (content/formsigning.xul)
     content/pippki/formsigning.js            (content/formsigning.js)

security/manager/pki/src/nsNSSDialogs.cpp

@@ -23,6 +23,7 @@
  * Contributor(s):
  *   Terry Hayes <thayes@netscape.com>
  *   Javier Delgadillo <javi@netscape.com>
+ *   Petr Kostka <petr.kostka@st.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -62,7 +63,9 @@
 #include "nsNSSDialogs.h"
 #include "nsPKIParamBlock.h"
 #include "nsIKeygenThread.h"
+#include "nsIProtectedAuthThread.h"
 #include "nsNSSDialogHelper.h"
+#include "nsIWindowWatcher.h"
 #include "nsIX509CertValidity.h"
 #include "nsICRLInfo.h"
 
@@ -558,3 +561,44 @@ nsNSSDialogs::ConfirmKeyEscrow(nsIX509Cert *escrowAuthority, PRBool *_retval)
   } 
   return rv;
 }
+
+NS_IMETHODIMP
+nsNSSDialogs::DisplayProtectedAuth(nsIInterfaceRequestor *aCtx, nsIProtectedAuthThread *runnable)
+{
+    // We cannot use nsNSSDialogHelper here. We cannot allow close widget
+    // in the window because protected authentication is interruptible
+    // from user interface and changing nsNSSDialogHelper's static variable
+    // would not be thread-safe
+    
+    nsresult rv = NS_ERROR_FAILURE;
+    
+    // Get the parent window for the dialog
+    nsCOMPtr<nsIDOMWindowInternal> parent = do_GetInterface(aCtx);
+    
+    nsCOMPtr<nsIWindowWatcher> windowWatcher = 
+        do_GetService("@mozilla.org/embedcomp/window-watcher;1", &rv);
+    if (NS_FAILED(rv))
+        return rv;
+    
+    nsCOMPtr<nsIDOMWindowInternal> activeParent;
+    if (!parent)
+    {
+        nsCOMPtr<nsIDOMWindow> active;
+        windowWatcher->GetActiveWindow(getter_AddRefs(active));
+        if (active)
+        {
+            active->QueryInterface(NS_GET_IID(nsIDOMWindowInternal), getter_AddRefs(activeParent));
+            parent = activeParent;
+        }
+    }
+    
+    nsCOMPtr<nsIDOMWindow> newWindow;
+    rv = windowWatcher->OpenWindow(parent,
+        "chrome://pippki/content/protectedAuth.xul",
+        "_blank",
+        "centerscreen,chrome,modal,titlebar,close=no",
+        runnable,
+        getter_AddRefs(newWindow));
+    
+    return rv;
+}

security/manager/ssl/public/Makefile.in

@@ -96,6 +96,7 @@ XPIDLSRCS = \
     nsICipherInfo.idl \
     nsIStreamCipher.idl \
     nsIKeyModule.idl \
+    nsIProtectedAuthThread.idl \
     nsIDataSignatureVerifier.idl \
     $(NULL)
 

security/manager/ssl/public/nsIProtectedAuthThread.idl

@@ -0,0 +1,68 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Petr Kostka.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+#include "nsIDOMWindowInternal.idl"
+
+/**
+ * nsIProtectedAuthThread
+ *  This is used to communicate with the thread login on to 
+ *  a token with CKF_PROTECTED_AUTHENTICATION_PATH set.
+ */
+[scriptable, uuid(45334489-3d30-47c6-920b-0a55a313aebf)]
+interface nsIProtectedAuthThread : nsISupports
+{
+  /**
+   * login - run the thread
+   *   A user interface implementing this interface needs to
+   *   call this method as soon as the message to the user is
+   *   displayed. This will trigger login operation. No user 
+   *   cancellation is possible during login operation.
+   */
+  void login(in nsIDOMWindowInternal dialog);
+
+  /**
+   * Gets token to be logged in name.
+   */
+  wstring getTokenName();
+};
+
+%{ C++
+// {45334489-3D30-47c6-920B-0A55A313AEBF}
+#define NS_PROTECTEDAUTHTHREAD_CID \
+{ 0x45334489, 0x3d30, 0x47c6, { 0x92, 0x0b, 0x0a, 0x55, 0xa3, 0x13, 0xae, 0xbf } }
+#define NS_PROTECTEDAUTHTHREAD_CONTRACTID "@mozilla.org/security/protectedauththread;1"
+%}

security/manager/ssl/public/nsITokenDialogs.idl

@@ -20,6 +20,7 @@
  *
  * Contributor(s):
  *   Terry Hayes <thayes@netscape.com>
+ *   Petr Kostka <petr.kostka@st.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -38,6 +39,7 @@
 #include "nsISupports.idl"
 
 interface nsIInterfaceRequestor;
+interface nsIProtectedAuthThread;
 
 [scriptable, uuid(bb4bae9c-39c5-11d5-ba26-00108303b117)]
 interface nsITokenDialogs : nsISupports
@@ -47,6 +49,14 @@ interface nsITokenDialogs : nsISupports
                    in unsigned long count,
                    out wstring tokenName,
                    out boolean canceled);
+
+    /**
+    * displayProtectedAuth - displays notification dialog to the user 
+    * that he is expected to authenticate to the token using its
+    * "protected authentication path" feature
+    */
+  void displayProtectedAuth(in nsIInterfaceRequestor ctx,
+                            in nsIProtectedAuthThread runnable);
 };
 
 %{C++

security/manager/ssl/src/Makefile.in

@@ -64,6 +64,7 @@ CPPSRCS = 				\
 	nsSSLThread.cpp                 \
 	nsCertVerificationThread.cpp    \
 	nsCipherInfo.cpp \
+	nsProtectedAuthThread.cpp \
 	nsNSSCallbacks.cpp		\
 	nsNSSComponent.cpp		\
 	nsNSSErrors.cpp			\

security/manager/ssl/src/nsNSSCallbacks.cpp

@@ -24,6 +24,7 @@
  *   Brian Ryner <bryner@brianryner.com>
  *   Terry Hayes <thayes@netscape.com>
  *   Kai Engert <kengert@redhat.com>
+ *   Petr Kostka <petr.kostka@st.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -55,6 +56,8 @@
 #include "nsProxiedService.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
+#include "nsProtectedAuthThread.h"
+#include "nsITokenDialogs.h"
 #include "nsCRT.h"
 #include "nsNSSShutDown.h"
 #include "nsIUploadChannel.h"
@@ -630,6 +633,62 @@ void nsHTTPListener::send_done_signal()
   }
 }
 
+static char*
+ShowProtectedAuthPrompt(PK11SlotInfo* slot, nsIInterfaceRequestor *ir)
+{
+  char* protAuthRetVal = nsnull;
+
+  // Get protected auth dialogs
+  nsITokenDialogs* dialogs = 0;
+  nsresult nsrv = getNSSDialogs((void**)&dialogs, 
+                                NS_GET_IID(nsITokenDialogs), 
+                                NS_TOKENDIALOGS_CONTRACTID);
+  if (NS_SUCCEEDED(nsrv))
+  {
+    nsProtectedAuthThread* protectedAuthRunnable = new nsProtectedAuthThread();
+    if (protectedAuthRunnable)
+    {
+      NS_ADDREF(protectedAuthRunnable);
+
+      protectedAuthRunnable->SetParams(slot);
+      
+      nsCOMPtr<nsIProtectedAuthThread> runnable = do_QueryInterface(protectedAuthRunnable);
+      if (runnable)
+      {
+        nsrv = dialogs->DisplayProtectedAuth(ir, runnable);
+              
+        // We call join on the thread,
+        // so we can be sure that no simultaneous access will happen.
+        protectedAuthRunnable->Join();
+              
+        if (NS_SUCCEEDED(nsrv))
+        {
+          SECStatus rv = protectedAuthRunnable->GetResult();
+          switch (rv)
+          {
+              case SECSuccess:
+                  protAuthRetVal = PK11_PW_AUTHENTICATED;
+                  break;
+              case SECWouldBlock:
+                  protAuthRetVal = PK11_PW_RETRY;
+                  break;
+              default:
+                  protAuthRetVal = nsnull;
+                  break;
+              
+          }
+        }
+      }
+
+      NS_RELEASE(protectedAuthRunnable);
+    }
+
+    NS_RELEASE(dialogs);
+  }
+
+  return protAuthRetVal;
+}
+  
 char* PR_CALLBACK
 PK11PasswordPrompt(PK11SlotInfo* slot, PRBool retry, void* arg) {
   nsNSSShutDownPreventionLock locker;
@@ -690,6 +749,9 @@ PK11PasswordPrompt(PK11SlotInfo* slot, PRBool retry, void* arg) {
                          getter_AddRefs(proxyPrompt));
   }
 
+  if (PK11_ProtectedAuthenticationPath(slot))
+    return ShowProtectedAuthPrompt(slot, ir);
+
   nsAutoString promptString;
   nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
 

security/manager/ssl/src/nsProtectedAuthThread.cpp

@@ -0,0 +1,189 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Petr Kostka.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "pk11func.h"
+#include "nsCOMPtr.h"
+#include "nsProxiedService.h"
+#include "nsString.h"
+#include "nsReadableUtils.h"
+#include "nsProtectedAuthThread.h"
+
+NS_IMPL_THREADSAFE_ISUPPORTS1(nsProtectedAuthThread, nsIProtectedAuthThread)
+
+static void PR_CALLBACK nsProtectedAuthThreadRunner(void *arg)
+{
+    nsProtectedAuthThread *self = static_cast<nsProtectedAuthThread *>(arg);
+    self->Run();
+}
+
+nsProtectedAuthThread::nsProtectedAuthThread()
+: mMutex(nsnull)
+, mStatusDialogPtr(nsnull)
+, mIAmRunning(PR_FALSE)
+, mStatusDialogClosed(PR_FALSE)
+, mLoginReady(PR_FALSE)
+, mThreadHandle(nsnull)
+, mSlot(0)
+, mLoginResult(SECFailure)
+{
+    NS_INIT_ISUPPORTS();
+    mMutex = PR_NewLock();
+}
+
+nsProtectedAuthThread::~nsProtectedAuthThread()
+{
+    if (mMutex)
+        PR_DestroyLock(mMutex);
+
+    if (mStatusDialogPtr)
+    {
+        NS_RELEASE(mStatusDialogPtr);
+    }
+}
+
+NS_IMETHODIMP nsProtectedAuthThread::Login(nsIDOMWindowInternal *statusDialog)
+{
+    if (!mMutex)
+        return NS_ERROR_FAILURE;
+    
+    if (!statusDialog )
+        return NS_ERROR_FAILURE;
+
+    if (!mSlot)
+        // We need pointer to the slot
+        return NS_ERROR_FAILURE;
+    
+    nsCOMPtr<nsIDOMWindowInternal> wi;
+    NS_GetProxyForObject( NS_PROXY_TO_MAIN_THREAD,
+                          nsIDOMWindowInternal::GetIID(),
+                          statusDialog,
+                          NS_PROXY_SYNC | NS_PROXY_ALWAYS,
+                          getter_AddRefs(wi));
+
+    PR_Lock(mMutex);
+    
+    if (mIAmRunning || mLoginReady) {
+        PR_Unlock(mMutex);
+        return NS_OK;
+    }
+
+    mStatusDialogPtr = wi;
+    NS_ADDREF(mStatusDialogPtr);
+    wi = 0;
+    
+    mIAmRunning = PR_TRUE;
+    
+    mThreadHandle = PR_CreateThread(PR_USER_THREAD, nsProtectedAuthThreadRunner, static_cast<void*>(this), 
+        PR_PRIORITY_NORMAL, PR_LOCAL_THREAD, PR_JOINABLE_THREAD, 0);
+    
+    // bool thread_started_ok = (threadHandle != nsnull);
+    // we might want to return "thread started ok" to caller in the future
+    NS_ASSERTION(mThreadHandle, "Could not create nsProtectedAuthThreadRunner thread\n");
+    
+    PR_Unlock(mMutex);
+    
+    return NS_OK;
+}
+
+NS_IMETHODIMP nsProtectedAuthThread::GetTokenName(PRUnichar **_retval)
+{
+    PR_Lock(mMutex);
+
+    // Get token name
+    *_retval = UTF8ToNewUnicode(nsDependentCString(PK11_GetTokenName(mSlot)));
+
+    PR_Unlock(mMutex);
+
+    return NS_OK;
+}
+
+
+void nsProtectedAuthThread::SetParams(PK11SlotInfo* aSlot)
+{
+    PR_Lock(mMutex);
+
+    mSlot = (aSlot) ? PK11_ReferenceSlot(aSlot) : 0;
+    
+    PR_Unlock(mMutex);
+}
+
+SECStatus nsProtectedAuthThread::GetResult()
+{
+    return mLoginResult;
+}
+
+void nsProtectedAuthThread::Run(void)
+{
+    // Login with null password. This call will also do C_Logout() but 
+    // it is harmless here
+    mLoginResult = PK11_CheckUserPassword(mSlot, 0);
+    
+    nsIDOMWindowInternal *windowToClose = 0;
+    
+    PR_Lock(mMutex);
+    
+    mLoginReady = PR_TRUE;
+    mIAmRunning = PR_FALSE;
+
+    // Forget the slot
+    if (mSlot)
+    {
+        PK11_FreeSlot(mSlot);
+        mSlot = 0;
+    }
+    
+    if (!mStatusDialogClosed)
+    {
+        windowToClose = mStatusDialogPtr;
+    }
+        
+    mStatusDialogPtr = 0;
+    mStatusDialogClosed = PR_TRUE;
+    
+    PR_Unlock(mMutex);
+    
+    if (windowToClose)
+        windowToClose->Close();
+}
+
+void nsProtectedAuthThread::Join()
+{
+    if (!mThreadHandle)
+        return;
+    
+    PR_JoinThread(mThreadHandle);
+    mThreadHandle = nsnull;
+}

security/manager/ssl/src/nsProtectedAuthThread.h

@@ -0,0 +1,83 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Petr Kostka.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSPROTECTEDAUTHTHREAD_H_
+#define NSPROTECTEDAUTHTHREAD_H_
+
+#include "keyhi.h"
+#include "nspr.h"
+
+#include "nsIProtectedAuthThread.h"
+
+class nsProtectedAuthThread : public nsIProtectedAuthThread
+{
+private:
+    PRLock      *mMutex;
+
+    nsIDOMWindowInternal*   mStatusDialogPtr;
+
+    PRBool      mIAmRunning;
+    PRBool      mStatusDialogClosed;
+    PRBool      mLoginReady;
+
+    PRThread    *mThreadHandle;
+
+    // Slot to do authentication on
+    PK11SlotInfo*   mSlot;
+
+    // Result of the authentication
+    SECStatus       mLoginResult;
+
+public:
+
+    nsProtectedAuthThread();
+    virtual ~nsProtectedAuthThread();
+
+    NS_DECL_ISUPPORTS
+    NS_DECL_NSIPROTECTEDAUTHTHREAD
+
+    // Sets parameters for the thread
+    void SetParams(PK11SlotInfo *slot);
+
+    // Gets result of the protected authentication operation
+    SECStatus GetResult();
+
+    void Join(void);
+
+    void Run(void);
+};
+
+#endif // NSPROTECTEDAUTHTHREAD_H_