Check-in [8a375324e9]
Overview
Comment:Merged in trunk
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | ssh-agent-ui
Files: files | file ages | folders
SHA1: 8a375324e966de01d89048be253014c70304d209
User & Date: rkeene on 2019-06-06 21:56:46
Other Links: branch diff | manifest | tags
Context
2019-06-06
21:56
Merged in trunk Leaf check-in: 8a375324e9 user: rkeene tags: ssh-agent-ui
2019-06-05
21:38
Added a toggle for disabling the Chrome PIN dialog check-in: 2a4f67952b user: rkeene tags: trunk
18:12
Work on getting an SSH agent UI going check-in: 4ce30d9e04 user: rkeene tags: ssh-agent-ui
Changes

Modified build/chrome/cackey.js from [d291048f9c] to [21d583c591].

1
2
3
4
5
6
7
8
9
10








11
12
13
14
15
16
17
/*
 * CACKey ChromeOS chrome.certificateProvider Implementation
 */

function onCertificatesRejected(rejectedCerts) {
	// If certificates were rejected by the API, log an error, for example.
	console.error(rejectedCerts.length + ' certificates were rejected.');
	return;
}









/*
 * Handle for the CACKey NaCl Target
 */
var cackeyHandle = null;
var cackeyPCSCHandle = null;
var cackeyPCSCHandleUsable = false;
var cackeyPCSCHandleLastUsed = (new Date()).getTime();










>
>
>
>
>
>
>
>







1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
/*
 * CACKey ChromeOS chrome.certificateProvider Implementation
 */

function onCertificatesRejected(rejectedCerts) {
	// If certificates were rejected by the API, log an error, for example.
	console.error(rejectedCerts.length + ' certificates were rejected.');
	return;
}

/*
 * Optional features for CACKey
 */
var cackeyFeatures = {
	customPINPrompt: true,
	useChromePINDialog: true
};

/*
 * Handle for the CACKey NaCl Target
 */
var cackeyHandle = null;
var cackeyPCSCHandle = null;
var cackeyPCSCHandleUsable = false;
var cackeyPCSCHandleLastUsed = (new Date()).getTime();
175
176
177
178
179
180
181






















































182
183
184
185
186
187
188
				return;
			}

			cackeyCertificateToPINMapUpdateLastUsed(null);
		}, 900000);
	}
}























































/*
 * Handle an incoming message from the NaCl side and pass it off to
 * one of the handlers above for actual formatting and passing to
 * the callback
 *
 * If an error occured, invoke the callback with no arguments.







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
				return;
			}

			cackeyCertificateToPINMapUpdateLastUsed(null);
		}, 900000);
	}
}

/*
 * Handle redispatching requests after receiving a PIN
 */
function cackeyPINPromptCompleted(pinValue) {
	var tmpMessageEvent;

	for (messageIdx = 0; messageIdx < cackeyMessagesToRetry.length; messageIdx++) {
		tmpMessageEvent = cackeyMessagesToRetry[messageIdx];

		if (pinValue == "") {
			if (goog.DEBUG) {
				console.log("[cackey] The PIN dialog was closed without gathering a PIN, treating it as a failure.");
			}

			tmpMessageEvent.data.status = "error";
			tmpMessageEvent.data.error = "PIN window closed without a PIN being provided";

			cackeyMessageIncoming(tmpMessageEvent);
		} else {
			tmpMessageEvent.data.originalrequest.pin = pinValue;

			cackeyCertificateToPINMap[cackeyCertificateToPINID(tmpMessageEvent.data.originalrequest.certificate)] = {}
			cackeyCertificateToPINMap[cackeyCertificateToPINID(tmpMessageEvent.data.originalrequest.certificate)].pin = pinValue;
			cackeyCertificateToPINMapUpdateLastUsed(cackeyCertificateToPINID(tmpMessageEvent.data.originalrequest.certificate));

			chromeCallback = null;
			if (tmpMessageEvent.data.id) {
				if (cackeyOutstandingCallbacks) {
					chromeCallback = cackeyOutstandingCallbacks[tmpMessageEvent.data.id];
				}
			}

			cackeyInitPCSC(function() {
				cackeyHandle.postMessage(tmpMessageEvent.data.originalrequest);
			}, function() {
				if (chromeCallback) {
					chromeCallback();
				}

				if (tmpMessageEvent.data.id && cackeyOutstandingCallbacks[tmpMessageEvent.data.id]) {
					delete cackeyOutstandingCallbacks[tmpMessageEvent.data.id];
				}
			});
		}
	}

	/*
	 * Delete the existing handle and create a new one
	 */
	delete cackeyMessagesToRetry;

	cackeyMessagesToRetry = [];
}

/*
 * Handle an incoming message from the NaCl side and pass it off to
 * one of the handlers above for actual formatting and passing to
 * the callback
 *
 * If an error occured, invoke the callback with no arguments.
258
259
260
261
262
263
264

265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285








































286
287
288





289
290



291
292


293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377

			/*
			 * Set the handle to an invalid (but non-null) value until the window
			 * is created in case we are invoked again soon.
			 */
			pinWindowPreviousHandle = "invalid";


			chrome.app.window.create("pin.html", {
				"id": "cackeyPINEntry",
				"resizable": false,
				"alwaysOnTop": true,
				"focused": true,
				"visibleOnAllWorkspaces": true,
				"innerBounds": {
					"width": 350,
					"minWidth": 350,
					"height": 135,
					"minHeight": 135
				}
			}, function(pinWindow) {
				/*
				 * Set the PIN value to blank
				 */
				pinWindowPINValue = "";

				if (!pinWindow) {
					console.error("[cackey] No window was provided for PIN entry, this will not go well.");









































					return;
				}






				pinWindowPreviousHandle = pinWindow;




				pinWindow.drawAttention();
				pinWindow.focus();



				/*
				 * Register a handler to handle the window being closed without
				 * having sent anything
				 */
				pinWindow.onClosed.addListener(function() {
					var messageIdx;
					var chromeCallback;

					pinWindowPreviousHandle = null;

					for (messageIdx = 0; messageIdx < cackeyMessagesToRetry.length; messageIdx++) {
						var tmpMessageEvent;

						tmpMessageEvent = cackeyMessagesToRetry[messageIdx];

						if (pinWindowPINValue == "") {
							if (goog.DEBUG) {
								console.log("[cackey] The PIN dialog was closed without gathering a PIN, treating it as a failure.");
							}

							tmpMessageEvent.data.status = "error";
							tmpMessageEvent.data.error = "PIN window closed without a PIN being provided";

							cackeyMessageIncoming(tmpMessageEvent);
						} else {
							tmpMessageEvent.data.originalrequest.pin = pinWindowPINValue;

							cackeyCertificateToPINMap[cackeyCertificateToPINID(tmpMessageEvent.data.originalrequest.certificate)] = {}
							cackeyCertificateToPINMap[cackeyCertificateToPINID(tmpMessageEvent.data.originalrequest.certificate)].pin = pinWindowPINValue;

							cackeyCertificateToPINMapUpdateLastUsed(cackeyCertificateToPINID(tmpMessageEvent.data.originalrequest.certificate));

							chromeCallback = null;
							if (tmpMessageEvent.data.id) {
								if (cackeyOutstandingCallbacks) {
									chromeCallback = cackeyOutstandingCallbacks[tmpMessageEvent.data.id];
								}
							}

							cackeyInitPCSC(function() {
								cackeyHandle.postMessage(tmpMessageEvent.data.originalrequest);
							}, function() {
								if (chromeCallback) {
									chromeCallback();
								}

								if (tmpMessageEvent.data.id && cackeyOutstandingCallbacks[tmpMessageEvent.data.id]) {
									delete cackeyOutstandingCallbacks[tmpMessageEvent.data.id];
								}
							});
						}
					}


					/*
					 * Delete the existing handle and create a new one
					 */
					delete cackeyMessagesToRetry;

					cackeyMessagesToRetry = [];

					/*
					 * We are done fetching the user PIN, clear the value
					 */
					pinWindowPINValue = "";

					return;
				})

				/*
				 * Pass this message off to the other window so that it may resubmit the request.
				 */
				pinWindow.contentWindow.parentWindow = window;
				pinWindow.contentWindow.messageEvent = messageEvent;

				return;
			});

			/*
			 * We return here instead of break to avoid deleting the callback
			 * entry.
			 */
			return;
		case "success":







>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

|
|
>
>
>
>
>
|

>
>
>
|
<
>
>
|
<
<
<
<
<
<
<



<
<
|
<
|
<
<
<
|

<
<
|
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
|
|
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<







320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402

403
404
405







406
407
408


409

410



411
412


413


























414
415


























416
417
418
419
420
421
422

			/*
			 * Set the handle to an invalid (but non-null) value until the window
			 * is created in case we are invoked again soon.
			 */
			pinWindowPreviousHandle = "invalid";

			if (messageEvent.data.originalrequest.signRequestId === null || cackeyFeatures.useChromePINDialog === false) {
				chrome.app.window.create("pin.html", {
					"id": "cackeyPINEntry",
					"resizable": false,
					"alwaysOnTop": true,
					"focused": true,
					"visibleOnAllWorkspaces": true,
					"innerBounds": {
						"width": 350,
						"minWidth": 350,
						"height": 135,
						"minHeight": 135
					}
				}, function(pinWindow) {
					/*
					 * Set the PIN value to blank
					 */
					pinWindowPINValue = "";
	
					if (!pinWindow) {
						console.error("[cackey] No window was provided for PIN entry, this will not go well.");
	
						return;
					}
	
					pinWindowPreviousHandle = pinWindow;

					pinWindow.drawAttention();
					pinWindow.focus();
	
					/*
					 * Register a handler to handle the window being closed without
					 * having sent anything
					 */
					pinWindow.onClosed.addListener(function() {
						var messageIdx;
						var chromeCallback;
						var pinValue;
	
						pinWindowPreviousHandle = null;

						/*
						 * We are done fetching the user PIN, clear the value
						 */
						pinValue = pinWindowPINValue;
						pinWindowPINValue = "";

						cackeyPINPromptCompleted(pinValue);
	
						return;
					})
	
					/*
					 * Pass this message off to the other window so that it may resubmit the request.
					 */
					pinWindow.contentWindow.parentWindow = window;
					pinWindow.contentWindow.messageEvent = messageEvent;

					if (cackeyFeatures.customPINPrompt) {
						pinWindow.contentWindow.pinprompt = messageEvent.data.pinprompt;
					}
	
					return;
				});
			} else {
				chrome.certificateProvider.requestPin({
					signRequestId: messageEvent.data.originalrequest.signRequestId,
					requestType: "PIN"
				}, function(userInfo) {
					var destroyError;
					var pinValue = "";

					try {
						chrome.certificateProvider.stopPinRequest({
							signRequestId: messageEvent.data.originalrequest.signRequestId
						}, function() {});

					} catch (destroyError) {
						/* Do nothing, we don't care if it fails really */
					}








					pinWindowPreviousHandle = null;



					if (userInfo && userInfo.userInput) {

						pinValue = userInfo.userInput;



					}



					return(cackeyPINPromptCompleted(pinValue));


























				});
			}



























			/*
			 * We return here instead of break to avoid deleting the callback
			 * entry.
			 */
			return;
		case "success":
484
485
486
487
488
489
490




491
492
493
494
495
496
497
 */
function cackeySignMessage(signRequest, chromeCallback) {
	var callbackId;
	var command;
	var certificateId;
	var digest, digestHeader;
	var promiseHandle = null, promiseResolve, promiseReject;





	if (!chromeCallback) {
		/*
		 * If no callback supplied, arrange for a promise to be returned instead
		 */
		promiseHandle = new Promise(function(resolve, reject) {
			promiseResolve = resolve;







>
>
>
>







529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
 */
function cackeySignMessage(signRequest, chromeCallback) {
	var callbackId;
	var command;
	var certificateId;
	var digest, digestHeader;
	var promiseHandle = null, promiseResolve, promiseReject;

	if (signRequest.signRequestId === undefined || signRequest.signRequestId === null) {
		signRequest.signRequestId = null;
	}

	if (!chromeCallback) {
		/*
		 * If no callback supplied, arrange for a promise to be returned instead
		 */
		promiseHandle = new Promise(function(resolve, reject) {
			promiseResolve = resolve;
543
544
545
546
547
548
549

550
551
552
553
554
555
556
	}

	callbackId = ++cackeyOutstandingCallbackCounter;

	command = {
		'target': "cackey",
		'command': "sign",

		'id': callbackId,
		'certificate': signRequest.certificate,
		'data': digest.buffer
	};

	certificateId = cackeyCertificateToPINID(command.certificate);








>







592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
	}

	callbackId = ++cackeyOutstandingCallbackCounter;

	command = {
		'target': "cackey",
		'command': "sign",
		'signRequestId': signRequest.signRequestId,
		'id': callbackId,
		'certificate': signRequest.certificate,
		'data': digest.buffer
	};

	certificateId = cackeyCertificateToPINID(command.certificate);

Modified build/chrome/manifest.json.in from [6924f71c75] to [49dbf65404].

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
{
	"manifest_version": 2,
	"name": "CACKey",
	"short_name": "CACKey",
	"version": "@PACKAGE_VERSION@.10",

	"description": "US Department of Defense Common Access Card (CAC) and US NIST SP 800-73 Personal Identity Verification (PIV) card support.",

	"icons": {
		"128": "icon.png"
	},

	"app": {
		"background": {
			"scripts": [
				"google-pcsc.js",
				"jsrsasign.js",
				"options.js",
				"ssh-agent.js",
				"cackey.js"
			],
			"persistent": false
		}
	},

	"permissions": [
		"certificateProvider",
		"storage",
		"alwaysOnTopWindows"
	],

	"externally_connectable": {
		"ids": [
			"pnhechapfaindjhompbnflcldabbghjo",
			"okddffdblfhhnmhodogpojmfkjmhinfp"
		]
	}
}




|
<

<



<












<













1
2
3
4
5

6

7
8
9

10
11
12
13
14
15
16
17
18
19
20
21

22
23
24
25
26
27
28
29
30
31
32
33
34
{
	"manifest_version": 2,
	"name": "CACKey",
	"short_name": "CACKey",
	"version": "@PACKAGE_VERSION@.11",

	"description": "US Department of Defense Common Access Card (CAC) and US NIST SP 800-73 Personal Identity Verification (PIV) card support.",

	"icons": {
		"128": "icon.png"
	},

	"app": {
		"background": {
			"scripts": [
				"google-pcsc.js",
				"jsrsasign.js",
				"options.js",
				"ssh-agent.js",
				"cackey.js"
			],
			"persistent": false
		}
	},

	"permissions": [
		"certificateProvider",
		"storage",
		"alwaysOnTopWindows"
	],

	"externally_connectable": {
		"ids": [
			"pnhechapfaindjhompbnflcldabbghjo",
			"okddffdblfhhnmhodogpojmfkjmhinfp"
		]
	}
}

Modified build/chrome/ssh-agent.js from [7141592f34] to [f9156a50f9].

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
/*
 * CACKey SSH Agent for ChromeOS
 */

cackeySSHAgentApprovedApps = [
	"pnhechapfaindjhompbnflcldabbghjo",
	"okddffdblfhhnmhodogpojmfkjmhinfp"
];

/*
 * XXX:TODO: Expose UI for this
 */
cackeySSHAgentFeatures = {
	enabled: true,
	includeKeys: true,
	includeCerts: true,
	legacy: false
};

/*
 * Feature support checking













|







1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
/*
 * CACKey SSH Agent for ChromeOS
 */

cackeySSHAgentApprovedApps = [
	"pnhechapfaindjhompbnflcldabbghjo",
	"okddffdblfhhnmhodogpojmfkjmhinfp"
];

/*
 * XXX:TODO: Expose UI for this
 */
cackeySSHAgentFeatures = {
	enabled: false,
	includeKeys: true,
	includeCerts: true,
	legacy: false
};

/*
 * Feature support checking