cackey.js at [a67fe2704f]

File build/chrome/cackey.js artifact 3ee1c2da74 part of check-in a67fe2704f


/*
 * CACKey ChromeOS chrome.certificateProvider Implementation
 */

function onCertificatesRejected(rejectedCerts) {
	// If certificates were rejected by the API, log an error, for example.
	console.error(rejectedCerts.length + ' certificates were rejected.');
	return;
}

/*
 * Handle for the CACKey NaCl Target
 */
var cackeyHandle = null;

/*
 * Handle and ID for outstanding callbacks
 */
var cackeyOutstandingCallbacks = {}
var cackeyOutstandingCallbackCounter = -1;

/*
 * Communication with the PIN entry window
 */
var pinWindowPINValue = "";
var pinWindowPreviousHandle = null;

/*
 * Messages that may need to be retried after getting a PIN
 */
var cackeyMessagesToRetry = [];

/*
 * Stored PIN for a given certificate
 */
var cackeyCertificateToPINMap = {};

/*
 * Compute a text-based handle for a certificate to be hashed by
 */
function cackeyCertificateToPINID(certificate) {
	var id;
	var certificateArray;

	id = "";

	certificateArray = new Uint8Array(certificate);

	certificateArray.map(
		function(byte) {
			id += ("0" + byte.toString(16)).slice(-2);
		}
	);

	delete certificateArray;

	return(id);
}

/*
 * Handle a response from the NaCl side regarding certificates available
 */
function cackeyMessageIncomingListCertificates(message, chromeCallback) {
	var idx;
	var certificates = [];

	for (idx = 0; idx < message.certificates.length; idx++) {
		certificates.push(
			{
				certificate: message.certificates[idx],
				supportedHashes: ['SHA1', 'SHA256']
			}
		);
	}

	chromeCallback(certificates,
		function(rejectedCerts) {
			if (chrome.runtime.lastError) {
				return;
			}

			if (rejectedCerts.length !== 0) {
				onCertificatesRejected(rejectedCerts);
			}

			return;
		}
	);
}

/*
 * Handle a response from the NaCl side regarding signing a message
 */
function cackeyMessageIncomingSignMessage(message, chromeCallback) {
	var payload;

	payload = message.signedData;

	chromeCallback(payload);
}

/*
 * Handle an incoming message from the NaCl side and pass it off to
 * one of the handlers above for actual formatting and passing to
 * the callback
 *
 * If an error occured, invoke the callback with no arguments.
 */
function cackeyMessageIncoming(messageEvent) {
	var nextFunction = null;
	var chromeCallback = null;

	if (messageEvent.data.target != "cackey") {
		return;
	}

	console.log("START MESSAGE");
	console.log(messageEvent.data);
	console.log("END MESSAGE");

	/*
	 * If we failed for some reason and we have a certificate in the original
	 * request then forget any PIN associated with that certificate
	 */
	if (messageEvent.data.status != "success") {
		if (messageEvent.data.originalrequest.certificate) {
			delete cackeyCertificateToPINMap[cackeyCertificateToPINID(messageEvent.data.originalrequest.certificate)];
		}
	}

	if (messageEvent.data.id == null) {
		return;
	}

	chromeCallback = cackeyOutstandingCallbacks[messageEvent.data.id];

	if (chromeCallback == null) {
		console.log("[cackey] Discarding outdated message");

		return;
	}

	switch (messageEvent.data.status) {
		case "error":
			console.error("[cackey] Failed to execute command '" + messageEvent.data.command + "': " + messageEvent.data.error);

			chromeCallback();

			break;
		case "retry":
			/*
			 * Add the new request to the queue of events to process when the PIN
			 * prompt is terminated.
			 */
			cackeyMessagesToRetry.push(messageEvent);

			if (pinWindowPreviousHandle) {
				/*
				 * An existing PIN entry is in progress
				 * Just add the request to the queue (above) and wait
				 */

				return;
			}

			/*
			 * Set the handle to an invalid (but non-null) value until the window
			 * is created in case we are invoked again soon.
			 */
			pinWindowPreviousHandle = "invalid";

			chrome.app.window.create("pin.html", {
				"id": "cackeyPINEntry",
				"resizable": false,
				"alwaysOnTop": true,
				"focused": true,
				"visibleOnAllWorkspaces": true,
				"innerBounds": {
					"width": 350,
					"minWidth": 350,
					"height": 135,
					"minHeight": 135
				}
			}, function(pinWindow) {
				/*
				 * Set the PIN value to blank
				 */
				pinWindowPINValue = "";

				if (!pinWindow) {
					console.log("[cackey] No window was provided for PIN entry, this will not go well.");

					return;
				}

				pinWindowPreviousHandle = pinWindow;

				pinWindow.drawAttention();
				pinWindow.focus();

				/*
				 * Register a handler to handle the window being closed without
				 * having sent anything
				 */
				pinWindow.onClosed.addListener(function() {
					var messageIdx;

					pinWindowPreviousHandle = null;

					for (messageIdx = 0; messageIdx < cackeyMessagesToRetry.length; messageIdx++) {
						var tmpMessageEvent;

						tmpMessageEvent = cackeyMessagesToRetry[messageIdx];

						if (pinWindowPINValue == "") {
							console.log("[cackey] The PIN dialog was closed without gathering a PIN, treating it as a failure.");

							tmpMessageEvent.data.status = "error";
							tmpMessageEvent.data.error = "PIN window closed without a PIN being provided";

							cackeyMessageIncoming(tmpMessageEvent);
						} else {
							tmpMessageEvent.data.originalrequest.pin = pinWindowPINValue;

							cackeyCertificateToPINMap[cackeyCertificateToPINID(tmpMessageEvent.data.originalrequest.certificate)] = pinWindowPINValue;

							cackeyHandle.postMessage(tmpMessageEvent.data.originalrequest);
						}
					}


					/*
					 * Delete the existing handle and create a new one
					 */
					delete cackeyMessagesToRetry;

					cackeyMessagesToRetry = [];

					/*
					 * We are done fetching the user PIN, clear the value
					 */
					pinWindowPINValue = "";

					return;
				})

				/*
				 * Pass this message off to the other window so that it may resubmit the request.
				 */
				pinWindow.contentWindow.parentWindow = window;
				pinWindow.contentWindow.messageEvent = messageEvent;

				return;
			});

			/*
			 * We return here instead of break to avoid deleting the callback
			 * entry.
			 */
			return;
		case "success":
			switch (messageEvent.data.command) {
				case "listcertificates":
					nextFunction = cackeyMessageIncomingListCertificates;

					break;
				case "sign":
					nextFunction = cackeyMessageIncomingSignMessage;

					break;
			}

			break;
	}

	if (nextFunction != null) {
		nextFunction(messageEvent.data, chromeCallback);
	}

	delete cackeyOutstandingCallbacks[messageEvent.data.id];

	return;
}

/*
 * Handler for messages from Chrome related to listing certificates
 */
function cackeyListCertificates(chromeCallback) {
	var callbackId;

	console.log("[cackey] Asked to provide a list of certificates -- throwing that request over to the NaCl side... ");

	callbackId = cackeyOutstandingCallbackCounter + 1;

	cackeyHandle.postMessage(
		{
			'target': "cackey",
			'command': "listcertificates",
			'id': callbackId
		}
	);

	cackeyOutstandingCallbackCounter = callbackId;
	cackeyOutstandingCallbacks[callbackId] = chromeCallback;

	console.log("[cackey] Thrown.");

	return;
}

/*
 * Handler for messages from Chrome related to signing a hash of some sort
 */
function cackeySignMessage(signRequest, chromeCallback) {
	var callbackId;
	var command;
	var certificateId;
	var digest, digestHeader;

	/*
	 * Prefix the digest with the ASN.1 header required of it
	 */
	switch (signRequest.hash) {
		case "SHA-1":
			digestHeader = new Uint8Array([0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14]);
			break;
		case "SHA-256":
			digestHeader = new Uint8Array([0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20]);
			break;
		case "MD5_SHA1":
			digestHeader = new Uint8Array();
			break;
		default:
			console.error("[cackey] Asked to sign a message with a hash we do not support: " + signRequest.hash);

			chromeCallback();

			return;
	}

	digest = new Uint8Array(digestHeader.length + signRequest.digest.byteLength);
	digest.set(digestHeader, 0);
	digest.set(new Uint8Array(signRequest.digest), digestHeader.length);

	delete digestHeader;

	console.log("[cackey] Asked to sign a message -- throwing that request over to the NaCl side... ");

	callbackId = cackeyOutstandingCallbackCounter + 1;

	command = {
		'target': "cackey",
		'command': "sign",
		'id': callbackId,
		'certificate': signRequest.certificate,
		'data': digest.buffer
	};

	certificateId = cackeyCertificateToPINID(command.certificate);

	if (cackeyCertificateToPINMap[certificateId]) {
		command.pin = cackeyCertificateToPINMap[certificateId];
	}

	cackeyHandle.postMessage(command);

	cackeyOutstandingCallbackCounter = callbackId;
	cackeyOutstandingCallbacks[callbackId] = chromeCallback;

	console.log("[cackey] Thrown.");

	return;
}

/*
 * Finish performing initialization that must wait until we have loaded the CACKey module
 */
function cackeyInitLoaded(messageEvent) {
	console.log("[cackey] Loaded CACKey PNaCl Module");

	/* Register listeners with Chrome */
	if (chrome.certificateProvider) {
		chrome.certificateProvider.onCertificatesRequested.addListener(cackeyListCertificates);
		chrome.certificateProvider.onSignDigestRequested.addListener(cackeySignMessage);
	}

	/*
	 * Initialize CACKey with the correct handle to talk to the Google Smartcard Manager App
	 */
	cackeyHandle.postMessage(
		{
			"target": "cackey",
			"command": "init",
			"smartcardManagerAppId": "khpfeaanjngmcnplbdlpegiifgpfgdco"
		}
	);

	/*
	 * Start the Google PCSC Interface
	 */
	new GoogleSmartCard.PcscNacl(cackeyHandle);


	return;
}

/*
 * Initialize CACKey and the PCSC library from Google
 */
function cackeyInit() {
	var elementEmbed;

	/* Log that we are operational */
	console.log("[cackey] cackeyInit(): Called.");

	/*
	 * Create a handler for starting the application UI
	 */
	chrome.app.runtime.onLaunched.addListener(function() {
		chrome.app.window.create('ui.html', {
			"id": "cackeyUI",
			"focused": true,
			"innerBounds": {
				"width": 350,
				"minWidth": 350,
				"height": 135,
				"minHeight": 135
			}
		});
	});

	/* Verify that we can register callbacks */
	if (!chrome.certificateProvider) {
		if (!GoogleSmartCard.IS_DEBUG_BUILD) {
			console.error("[cackey] This extension only works on ChromeOS!");

			return;
		} else {
			console.log("[cackey] This extension only works on ChromeOS, but you appear to be debugging it -- trying anyway.");
		}
	}

	if (cackeyHandle != null) {
		console.log("[cackey] cackeyInit(): Already initialized.  Returning.");

		return;
	}

	elementEmbed = document.createElement('embed');
	elementEmbed.type = "application/x-pnacl";
	elementEmbed.width = 0;
	elementEmbed.height = 0;
	elementEmbed.src = "cackey.nmf";
	elementEmbed.id = "cackeyModule";
	elementEmbed.addEventListener('error', function(messageEvent) { console.error("Error loading CACKey PNaCl Module: " + messageEvent.data); }, true);
	elementEmbed.addEventListener('load', cackeyInitLoaded, true);
	elementEmbed.addEventListener('message', cackeyMessageIncoming, true);

	cackeyHandle = elementEmbed;

	document.body.appendChild(cackeyHandle)

	console.log("[cackey] cackeyInit(): Completed.  Returning.");
}

/* Initialize CACKey */
cackeyInit();